Filippo Giunchedi has uploaded a new change for review. https://gerrit.wikimedia.org/r/136128
Change subject: add mini-dinstall to releases.wikimedia.org
......................................................................
add mini-dinstall to releases.wikimedia.org
create a new module mini_dinstall with basic functionality and related setup in releases::mini_dinstall. the module is supposed to be called from the role::releases once a gpg keyring is setup in the private repo.
Change-Id: I3cc515a8371b69789d2e37058a4c55342b7e72de
---
A modules/mini_dinstall/manifests/init.pp
A modules/mini_dinstall/templates/mini-dinstall.conf.erb
A modules/mini_dinstall/templates/sign-release.erb
A modules/releases/manifests/mini_dinstall.pp
A modules/releases/templates/dput.cf.erb
5 files changed, 193 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/28/136128/1
diff --git a/modules/mini_dinstall/manifests/init.pp b/modules/mini_dinstall/manifests/init.pp
new file mode 100644
index 0000000..5af29a2
--- /dev/null
+++ b/modules/mini_dinstall/manifests/init.pp
@@ -0,0 +1,77 @@
+# == Class: mini_dinstall
+#
+# This module configures mini-dinstall, a debian repository manager.
+#
+# === Parameters
+#
+# [*root_dir*]
+# The root directory where to install repository-related files.
+#
+# [*keyid*]
+# What gpg key ID to use to sign Release files
+#
+# [*archive_dir*]
+# Where to store archive files themselves (indices, .deb files, etc)
+#
+# [*gnupg_home*]
+# Where to find gpg keyring
+#
+# [*owner*]
+# User owning the archive (including incoming/ directory)
+#
+# [*group*]
+# Group owning the archive (including incoming/ directory)
+
+class mini_dinstall(
+ $root_dir,
+ $keyid,
+ $archive_dir = "${root_dir}/debian",
+ $gnupghome = "${root_dir}/.gnupg",
+ $owner = 'root',
+ $group = 'wikidev',
+) {
+ $md_config_path = "${root_dir}/mini-dinstall.conf"
+ $sign_release_path = "${root_dir}/sign-release"
+
+ package { ['mini-dinstall', 'gnupg']:
+ ensure => 'present',
+ }
+
+ file { [$root_dir, $archive_dir]:
+ ensure => 'directory',
+ owner => $owner,
+ group => $group,
+ mode => '0755',
+ }
+
+ file { $gnupghome:
+ ensure => 'directory',
+ owner => $owner,
+ group => $group,
+ mode => '0700',
+ }
+
+ file { ["${archive_dir}/mini-dinstall",
+ "${archive_dir}/mini-dinstall/incoming"]:
+ ensure => 'directory',
+ owner => $owner,
+ group => $group,
+ mode => '0770',
+ }
+
+ file { $md_config_path:
+ ensure => 'present',
+ content => template('mini_dinstall/mini-dinstall.conf.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ }
+
+ file { $sign_release_path:
+ ensure => 'present',
+ content => template('mini_dinstall/sign-release.erb'),
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ }
+}
diff --git a/modules/mini_dinstall/templates/mini-dinstall.conf.erb b/modules/mini_dinstall/templates/mini-dinstall.conf.erb
new file mode 100644
index 0000000..afda448
--- /dev/null
+++ b/modules/mini_dinstall/templates/mini-dinstall.conf.erb
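Review bot: The parameter documentation names `[*gnupg_home*]`, but the class parameter (and the `@gnupghome` that sign-release.erb reads) is `$gnupghome`, so the header documents a name that does not exist; change the heading to `# [*gnupghome*]`. The `[*group*]` entry would also benefit from stating the consequence of the `mode => '0770'` on `incoming/`, since write access to that directory is what lets a group member publish packages: e.g. `#   Group owning the archive; members can write to incoming/ and thereby publish packages`. The `root`/`wikidev` defaults for `$owner`/`$group` are not used by the caller in this change; if running the archive as root is not intended for a bare `class { 'mini_dinstall': }`, say so in the header or drop the defaults.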
@@ -0,0 +1,18 @@
+[DEFAULT]
+mail_to = root
+verify_sigs = 0
+incoming_permissions = 0000
+architectures = all, i386, amd64
+archive_style = simple-subdir
+dynamic_reindex = 0
+archivedir = <%= @archive_dir %>
+keep_old = 1
+generate_release = 1
+release_origin = wmf
+release_label = wmf
+release_description = MediaWiki software packages from Wikimedia Foundation
+release_signscript = <%= @sign_release_path %>
+
+[wmf-production]
+release_suite = wmf-production
+release_codename = wmf-production
diff --git a/modules/mini_dinstall/templates/sign-release.erb b/modules/mini_dinstall/templates/sign-release.erb
new file mode 100644
index 0000000..1b3a5a7
--- /dev/null
+++ b/modules/mini_dinstall/templates/sign-release.erb
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+set -u
+
+GNUPGHOME=${GNUPGHOME:-<%= @gnupghome %>}
+KEYID=${KEYID:-<%= @keyid %>}
+
+export KEYID
+export GNUPGHOME
+
+# init gpg
+gpg --help 1>/dev/null 2>&1 || true
+
+rm -f Release.gpg.tmp InRelease.tmp
+gpg --no-tty --batch --default-key "$KEYID" --detach-sign -o Release.gpg.tmp "$1"
+mv Release.gpg.tmp Release.gpg
+gpg --no-tty --batch --default-key "$KEYID" --clearsign -o InRelease.tmp "$1"
+mv InRelease.tmp InRelease
diff --git a/modules/releases/manifests/mini_dinstall.pp b/modules/releases/manifests/mini_dinstall.pp
new file mode 100644
index 0000000..5653451
--- /dev/null
+++ b/modules/releases/manifests/mini_dinstall.pp
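Review bot: `verify_sigs = 0` disables the check of the uploader's `.changes` signature, so with the group-writable `incoming/` created in init.pp any member of `$group` can publish a package that then ends up covered by the archive's own Release signature; the template says nothing about this trade-off. If it is intentional until the keyring work mentioned in the commit message lands, document it next to the setting, e.g. `# verify_sigs is 0: uploader signatures are not checked; publishing is gated only by write access to incoming/`, and consider exposing it as a template variable so it can be turned on without editing the file. `mail_to = root` is likewise a fixed value the module could take as a parameter.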
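Review bot: The two signatures are not replaced atomically: `Release.gpg.tmp` is renamed into place before the clearsign step runs, so if the second `gpg` call fails under `set -e` the dist keeps a fresh `Release.gpg` next to a stale `InRelease` that does not match it. Produce both temporary files first and only then rename, i.e. move `mv Release.gpg.tmp Release.gpg` below the `--clearsign` line so the tail reads `gpg ... --clearsign -o InRelease.tmp "$1"`, `mv Release.gpg.tmp Release.gpg`, `mv InRelease.tmp InRelease`. The outputs go to the current directory rather than next to `"$1"`, which presumably relies on mini-dinstall running the script from the dist directory; a comment stating that assumption, and what the `gpg --help` call is for (presumably creating `$GNUPGHOME` on first use), would help the next reader. `GNUPGHOME` and `KEYID` are taken from the caller's environment when set and the puppet values are only fallbacks; that is worth a comment too, since it decides which key signs the archive.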
@@ -0,0 +1,73 @@
+# == Class: releases::mini_dinstall
+#
+# This module adds mini-dinstall capabilities to releases module.
+# GPG signing of Release file is supported via an external script, to protect
+# access to the key material mini-dinstall should be invoked via sudo by
+# members of $group.
+#
+# === Parameters
+#
+# [*keyid*]
+# What gpg key ID to use to sign Release files
+#
+# [*root_dir*]
+# The root directory where to install repository-related files.
+#
+# [*archive_dir*]
+# Where to store archive files themselves (indices, .deb files, etc)
+#
+# [*owner*]
+# The owner of archive directory and related files
+#
+# [*group*]
+# Group owning the archive (including incoming/ directory)
+
+class releases::mini_dinstall (
+ $keyid,
+ $root_dir = '/srv/org/wikimedia/mini-dinstall',
+ $archive_dir = '/srv/org/wikimedia/releases/debian',
+ $owner = 'mini-dinstall',
+ $group = 'releasers-mediawiki',
+) {
+ generic::systemuser { $owner:
+ name => $owner,
+ home => $root_dir,
+ }
+
+ sudo_group { 'mini-dinstall_sudo':
+ privileges => ["ALL = (${owner}) NOPASSWD: /usr/bin/mini-dinstall"],
+ group => $group,
+ }
+
+ file { "${root_dir}/.gnupg/secring.gpg":
+ ensure => 'present',
+ source => 'puppet:///private/gpg/releases/secring.gpg',
+ owner => $owner,
+ group => $group,
+ mode => '0600',
+ }
+
+ file { "${root_dir}/.gnupg/pubring.gpg":
+ ensure => 'present',
+ source => 'puppet:///private/gpg/releases/pubring.gpg',
+ owner => $owner,
+ group => $group,
+ mode => '0600',
+ }
+
+ file { "${root_dir}/dput.cf":
+ ensure => 'present',
+ content => template('releases/dput.cf.erb'),
+ owner => $owner,
+ group => $group,
+ mode => '0644',
+ }
+
+ class { '::mini_dinstall':
+ root_dir => $root_dir,
+ archive_dir => $archive_dir,
+ owner => $owner,
+ group => $group,
+ keyid => $keyid,
+ }
+}
diff --git a/modules/releases/templates/dput.cf.erb b/modules/releases/templates/dput.cf.erb
new file mode 100644
index 0000000..2d11de8
--- /dev/null
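Review bot: The sudo rule `ALL = (${owner}) NOPASSWD: /usr/bin/mini-dinstall` lets any member of `$group` run mini-dinstall as the key-holding user with arbitrary arguments, including an alternate configuration file (which in turn selects `release_signscript`), so the separation of key material that the class header promises is not actually enforced by this rule. Pin the arguments to the invocation this change uses in dput.cf.erb: `privileges => ["ALL = (${owner}) NOPASSWD: /usr/bin/mini-dinstall -b"]`; sudoers matches the full argument string, so any other flag is then refused. The keyring paths `${root_dir}/.gnupg/secring.gpg` and `pubring.gpg` silently assume the `::mini_dinstall` default `gnupghome = "${root_dir}/.gnupg"`; passing `gnupghome` explicitly in the `class { '::mini_dinstall': ... }` declaration, or building both file paths from one local variable, keeps the two from drifting apart.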
+++ b/modules/releases/templates/dput.cf.erb
@@ -0,0 +1,6 @@
+[releases.wikimedia.org]
+fqdn = releases.wikimedia.org
+method = scp
+login = *
+incoming = <%= "#{@archive_dir}/mini-dinstall/incoming" %>
+post_upload_command = ssh releases.wikimedia.org "sudo -u mini-dinstall mini-dinstall -b"
--
To view, visit https://gerrit.wikimedia.org/r/136128
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3cc515a8371b69789d2e37058a4c55342b7e72de
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi <fgiunch...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
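Review bot: `post_upload_command` hard-codes `sudo -u mini-dinstall`, while the archive user is the `$owner` parameter of releases::mini_dinstall (default `'mini-dinstall'`) and the sudo rule is generated from that same variable, so changing `$owner` would leave this template and the sudoers entry out of sync; use `post_upload_command = ssh releases.wikimedia.org "sudo -u <%= @owner %> mini-dinstall -b"`. The `incoming` line wraps a Ruby string in `<%= %>` where plain interpolation reads more naturally: `incoming = <%= @archive_dir %>/mini-dinstall/incoming`. The hostname appears three times (section name, `fqdn`, and inside `post_upload_command`); if it is ever parameterised it should come from one place.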