Filippo Giunchedi has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/136128

Change subject: add mini-dinstall to releases.wikimedia.org
......................................................................

add mini-dinstall to releases.wikimedia.org

create a new module mini_dinstall with basic functionality and related setup in
releases::mini_dinstall.
The module is meant to be called from role::releases once a gpg keyring
is set up in the private repo.

Change-Id: I3cc515a8371b69789d2e37058a4c55342b7e72de
---
A modules/mini_dinstall/manifests/init.pp
A modules/mini_dinstall/templates/mini-dinstall.conf.erb
A modules/mini_dinstall/templates/sign-release.erb
A modules/releases/manifests/mini_dinstall.pp
A modules/releases/templates/dput.cf.erb
5 files changed, 193 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/28/136128/1

diff --git a/modules/mini_dinstall/manifests/init.pp 
b/modules/mini_dinstall/manifests/init.pp
new file mode 100644
index 0000000..5af29a2
--- /dev/null
+++ b/modules/mini_dinstall/manifests/init.pp
@@ -0,0 +1,77 @@
+# == Class: mini_dinstall
+#
+# This module configures mini-dinstall, a debian repository manager.
+#
+# === Parameters
+#
+# [*root_dir*]
+#   The root directory where to install repository-related files.
+#
+# [*keyid*]
+#   What gpg key ID to use to sign Release files
+#
+# [*archive_dir*]
+#   Where to store archive files themselves (indices, .deb files, etc)
+#
+# [*gnupg_home*]
+#   Where to find gpg keyring
+#
+# [*owner*]
+#   User owning the archive (including incoming/ directory)
+#
+# [*group*]
+#   Group owning the archive (including incoming/ directory)
+
+class mini_dinstall(
+    $root_dir,
+    $keyid,
+    $archive_dir = "${root_dir}/debian",
+    $gnupghome = "${root_dir}/.gnupg",
+    $owner = 'root',
+    $group = 'wikidev',
+) {
+    $md_config_path = "${root_dir}/mini-dinstall.conf"
+    $sign_release_path = "${root_dir}/sign-release"
+
+    package { ['mini-dinstall', 'gnupg']:
+        ensure => 'present',
+    }
+
+    file { [$root_dir, $archive_dir]:
+        ensure => 'directory',
+        owner  => $owner,
+        group  => $group,
+        mode   => '0755',
+    }
+
+    file { $gnupghome:
+        ensure => 'directory',
+        owner  => $owner,
+        group  => $group,
+        mode   => '0700',
+    }
+
+    file { ["${archive_dir}/mini-dinstall",
+            "${archive_dir}/mini-dinstall/incoming"]:
+        ensure => 'directory',
+        owner  => $owner,
+        group  => $group,
+        mode   => '0770',
+    }
+
+    file { $md_config_path:
+        ensure  => 'present',
+        content => template('mini_dinstall/mini-dinstall.conf.erb'),
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+    }
+
+    file { $sign_release_path:
+        ensure  => 'present',
+        content => template('mini_dinstall/sign-release.erb'),
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0555',
+    }
+}
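Review bot: The parameter documentation names `gnupg_home` while the class declares `$gnupghome` (and the templates read `@gnupghome`); rename the doc entry to `[*gnupghome*]` so the two agree. The generated config is written to `${root_dir}/mini-dinstall.conf`, but if I recall mini-dinstall's defaults correctly it reads only `/etc/mini-dinstall.conf` and `~/.mini-dinstall.conf` unless given `-c`, and the dput post_upload_command later in this change invokes it with `-b` alone; either name the file `${root_dir}/.mini-dinstall.conf` (the service user's home is `$root_dir`) or document that callers must pass `-c`. It would also help to state in the class header that the keyring itself is expected to be placed under `$gnupghome` by the caller, since this class only creates it as an empty 0700 directory.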
diff --git a/modules/mini_dinstall/templates/mini-dinstall.conf.erb 
b/modules/mini_dinstall/templates/mini-dinstall.conf.erb
new file mode 100644
index 0000000..afda448
--- /dev/null
+++ b/modules/mini_dinstall/templates/mini-dinstall.conf.erb
@@ -0,0 +1,18 @@
+[DEFAULT]
+mail_to = root
+verify_sigs = 0
+incoming_permissions = 0000
+architectures = all, i386, amd64
+archive_style = simple-subdir
+dynamic_reindex = 0
+archivedir = <%= @archive_dir %>
+keep_old = 1
+generate_release = 1
+release_origin = wmf
+release_label = wmf
+release_description = MediaWiki software packages from Wikimedia Foundation
+release_signscript = <%= @sign_release_path %>
+
+[wmf-production]
+release_suite = wmf-production
+release_codename = wmf-production
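Review bot: `verify_sigs = 0` makes mini-dinstall process any `.changes` found in incoming/ without checking the uploader's signature, so the set of people whose packages end up in the release-signed archive is exactly the set who can write to that directory (all of `$group` via the 0770 incoming directory and dput's scp method), with no per-upload signer to audit afterwards. Consider `verify_sigs = 1` together with an uploader keyring (mini-dinstall's `extra_keyrings` option, if I have the name right) so the Release signature vouches only for packages from known uploaders. Whichever way this goes, record the decision above the line, e.g. `# signature verification disabled: uploads are trusted via group membership and sudo`, which is what the current setup relies on.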
diff --git a/modules/mini_dinstall/templates/sign-release.erb 
b/modules/mini_dinstall/templates/sign-release.erb
new file mode 100644
index 0000000..1b3a5a7
--- /dev/null
+++ b/modules/mini_dinstall/templates/sign-release.erb
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+set -u
+
+GNUPGHOME=${GNUPGHOME:-<%= @gnupghome %>}
+KEYID=${KEYID:-<%= @keyid %>}
+
+export KEYID
+export GNUPGHOME
+
+# init gpg
+gpg --help 1>/dev/null 2>&1 || true
+
+rm -f Release.gpg.tmp InRelease.tmp
+gpg --no-tty --batch --default-key "$KEYID" --detach-sign -o Release.gpg.tmp 
"$1"
+mv Release.gpg.tmp Release.gpg
+gpg --no-tty --batch --default-key "$KEYID" --clearsign -o InRelease.tmp "$1"
+mv InRelease.tmp InRelease
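Review bot: The `${GNUPGHOME:-…}` and `${KEYID:-…}` fallbacks let the caller's environment decide which keyring and key sign the Release file; since this script exists so that signing stays under the service user's control, either drop the overrides (`GNUPGHOME=<%= @gnupghome %>`, `KEYID=<%= @keyid %>`) or add a comment above them stating that they are safe only because sudo's env_reset strips the caller's environment. The `--detach-sign` call (a single line, wrapped in this mail) produces a binary signature, whereas Debian-style archives publish Release.gpg ASCII-armored; add `--armor` unless the consumers have been confirmed to accept binary signatures. `# init gpg` would read better as `# first invocation creates the homedir files if missing; its exit status is irrelevant`, assuming that is the intent — whether `gpg --help` alone touches the homedir may depend on the gpg version, so worth checking.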
diff --git a/modules/releases/manifests/mini_dinstall.pp 
b/modules/releases/manifests/mini_dinstall.pp
new file mode 100644
index 0000000..5653451
--- /dev/null
+++ b/modules/releases/manifests/mini_dinstall.pp
@@ -0,0 +1,73 @@
+# == Class: releases::mini_dinstall
+#
+# This module adds mini-dinstall capabilities to releases module.
+# GPG signing of Release file is supported via an external script, to protect
+# access to the key material mini-dinstall should be invoked via sudo by
+# members of $group.
+#
+# === Parameters
+#
+# [*keyid*]
+#   What gpg key ID to use to sign Release files
+#
+# [*root_dir*]
+#   The root directory where to install repository-related files.
+#
+# [*archive_dir*]
+#   Where to store archive files themselves (indices, .deb files, etc)
+#
+# [*owner*]
+#   The owner of archive directory and related files
+#
+# [*group*]
+#   Group owning the archive (including incoming/ directory)
+
+class releases::mini_dinstall (
+    $keyid,
+    $root_dir = '/srv/org/wikimedia/mini-dinstall',
+    $archive_dir = '/srv/org/wikimedia/releases/debian',
+    $owner = 'mini-dinstall',
+    $group = 'releasers-mediawiki',
+) {
+    generic::systemuser { $owner:
+        name => $owner,
+        home => $root_dir,
+    }
+
+    sudo_group { 'mini-dinstall_sudo':
+        privileges => ["ALL = (${owner}) NOPASSWD: /usr/bin/mini-dinstall"],
+        group      => $group,
+    }
+
+    file { "${root_dir}/.gnupg/secring.gpg":
+        ensure => 'present',
+        source => 'puppet:///private/gpg/releases/secring.gpg',
+        owner  => $owner,
+        group  => $group,
+        mode   => '0600',
+    }
+
+    file { "${root_dir}/.gnupg/pubring.gpg":
+        ensure => 'present',
+        source => 'puppet:///private/gpg/releases/pubring.gpg',
+        owner  => $owner,
+        group  => $group,
+        mode   => '0600',
+    }
+
+    file { "${root_dir}/dput.cf":
+        ensure  => 'present',
+        content => template('releases/dput.cf.erb'),
+        owner   => $owner,
+        group   => $group,
+        mode    => '0644',
+    }
+
+    class { '::mini_dinstall':
+        root_dir    => $root_dir,
+        archive_dir => $archive_dir,
+        owner       => $owner,
+        group       => $group,
+        keyid       => $keyid,
+    }
+}
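Review bot: The sudoers entry `ALL = (${owner}) NOPASSWD: /usr/bin/mini-dinstall` allows any arguments, and mini-dinstall accepts `-c FILE` to read an alternative configuration (including its own `release_signscript`), which undercuts the header's statement that sudo protects the key material: a caller could have a script of their choosing run as `$owner`, the user that owns `secring.gpg`. Pin the arguments to the form dput.cf uses: `privileges => ["ALL = (${owner}) NOPASSWD: /usr/bin/mini-dinstall -b"]`. Both keyring files are deployed with `mode => '0600'` and `group => $group`; the group has no access at that mode, so `group => 'root'` or a one-line comment would avoid suggesting the group is meant to read them. The header says "This module adds…" but this is a class inside the releases module; "This class adds…" is accurate.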
diff --git a/modules/releases/templates/dput.cf.erb 
b/modules/releases/templates/dput.cf.erb
new file mode 100644
index 0000000..2d11de8
--- /dev/null
+++ b/modules/releases/templates/dput.cf.erb
@@ -0,0 +1,6 @@
+[releases.wikimedia.org]
+fqdn = releases.wikimedia.org
+method = scp
+login = *
+incoming = <%= "#{@archive_dir}/mini-dinstall/incoming" %>
+post_upload_command = ssh releases.wikimedia.org "sudo -u mini-dinstall 
mini-dinstall -b"
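Review bot: `post_upload_command` hard-codes `sudo -u mini-dinstall`, while the class rendering this template exposes `$owner` (default `mini-dinstall`) and grants the sudo rule for `(${owner})`; if `$owner` is ever changed, uploads would sudo to a user the rule does not cover. Use the variable: `post_upload_command = ssh releases.wikimedia.org "sudo -u <%= @owner %> mini-dinstall -b"`. The host name appears twice (`fqdn` and the `ssh` target) and could likewise come from one place. The command is one line; the break after `mini-dinstall` is a mail-wrap artifact.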

-- 
To view, visit https://gerrit.wikimedia.org/r/136128
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3cc515a8371b69789d2e37058a4c55342b7e72de
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi <fgiunch...@wikimedia.org>
