Puppet Class: profile::aptrepo::staging
- Defined in:
- modules/profile/manifests/aptrepo/staging.pp
Summary
Provides a staging repository for CI to build and distribute Debian packages.
Overview
SPDX-License-Identifier: Apache-2.0
. stored in .gnupg relative to this path.
# File 'modules/profile/manifests/aptrepo/staging.pp', line 12
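# Staging APT repository profile: declares the shared aptrepo setup, the
# staging repository itself, the nginx site and firewall rule that serve it,
# an authenticated rsync module that GitLab runners upload packages into, and
# a timer job that pulls packages from GitLab CI.
#
# All five parameters default to a lookup() of the key with the same name and
# are passed unchanged to aptrepo::common.
class profile::aptrepo::staging (
    Stdlib::Unixpath $basedir     = lookup('profile::aptrepo::staging::basedir'),
    Stdlib::Unixpath $homedir     = lookup('profile::aptrepo::staging::homedir'),
    String           $gpg_user    = lookup('profile::aptrepo::staging::gpg_user'),
    Optional[String] $gpg_pubring = lookup('profile::aptrepo::staging::gpg_pubring'),
    Optional[String] $gpg_secring = lookup('profile::aptrepo::staging::gpg_secring'),
) {
    # Shared repository setup, including the GPG user and keyrings.
    class { 'aptrepo::common':
        homedir     => $homedir,
        basedir     => $basedir,
        gpg_user    => $gpg_user,
        gpg_secring => $gpg_secring,
        gpg_pubring => $gpg_pubring,
    }

    # The staging repository; external updates are switched off.
    aptrepo::repo { 'staging_apt_repository':
        basedir                  => $basedir,
        incomingdir              => 'incoming',
        support_external_updates => false,
        distributions_file       => 'puppet:///modules/aptrepo/distributions-wikimedia-staging',
    }

    # HTTP/HTTPS is opened only to the two named source sets.
    firewall::service { 'apt_staging_http':
        proto    => 'tcp',
        port     => [80,443],
        src_sets => ['DOMAIN_NETWORKS', 'MGMT_NETWORKS'],
    }

    nginx::site { 'apt-staging.wikimedia.org':
        content => template('aptrepo/apt-staging.wikimedia.org.conf.erb'),
    }

    # Dedicated system account that owns the upload drop directory, so the
    # rsync module below does not write as root.
    systemd::sysuser { 'apt-uploader': }

    file { '/srv/incoming-packages':
        ensure => directory,
        mode   => '0755',
        owner  => 'apt-uploader',
        group  => 'apt-uploader',
    }

    # Credentials for the rsync module. show_diff is disabled so that a change
    # to the secret is not printed as a content diff in agent logs or reports.
    file { '/etc/rsync-apt-auth-secrets':
        ensure    => file,
        owner     => 'root',
        group     => 'root',
        mode      => '0400',
        content   => secret('apt-staging/rsync-secrets'),
        show_diff => false,
    }

    class { '::rsync::server': }

    # Writable module, limited to hosts with the gitlab_runner role and to the
    # authenticated user 'apt-publisher'. Uploads are stored as D755,F644.
    # NOTE(review): the rsync daemon protocol does not encrypt transfers by
    # itself; confirm the runner-to-host path is trusted or wrapped in TLS.
    rsync::server::module { 'apt-auth':
        ensure         => present,
        comment        => 'Incoming packages for apt-staging.wm.o, from gitlab runners',
        read_only      => 'no',
        path           => '/srv/incoming-packages',
        uid            => 'apt-uploader',
        gid            => 'apt-uploader',
        incoming_chmod => 'D755,F644',
        hosts_allow    => wmflib::role::hosts('gitlab_runner'),
        auto_firewall  => true,
        auth_users     => ['apt-publisher'],
        secrets_file   => '/etc/rsync-apt-auth-secrets',
    }

    ensure_packages(['python3-gitlab'])

    file { '/usr/local/bin/gitlab-package-puller':
        ensure => file,
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
        source => 'puppet:///modules/aptrepo/gitlab_package_puller.py',
    }

    # GitLab API token for the puller; show_diff is disabled for the same
    # reason as on the rsync secrets file.
    file { '/etc/gitlab-puller-auth':
        ensure    => file,
        owner     => 'root',
        group     => 'root',
        mode      => '0400',
        content   => secret('apt-staging/gitlab-puller-token'),
        show_diff => false,
    }

    # Runs again 5 minutes after the previous run went inactive.
    # NOTE(review): the job runs as root, presumably because the token file
    # above is root-only (0400); it handles CI-produced packages, so confirm
    # whether a dedicated unprivileged account could own the token instead.
    systemd::timer::job { 'gitlab-package-puller':
        ensure      => present,
        user        => 'root',
        description => 'Runs the script to pull apt packages from Gitlab CI jobs',
        command     => '/usr/local/bin/gitlab-package-puller -i -l info',
        interval    => { 'start' => 'OnUnitInactiveSec', 'interval' => '5m' },
    }

    # clean up incoming regularly (T408527)
    # tmpfiles.d 'e' entry: remove content older than 7 days from
    # ${basedir}/incoming.
    # NOTE(review): this rule names ${basedir}/incoming only; whether the
    # rsync drop directory /srv/incoming-packages is also cleaned depends on
    # the configured basedir -- verify.
    systemd::tmpfile { 'apt-incoming':
        content => "e ${basedir}/incoming - - - 7d",
    }

    profile::auto_restarts::service { 'nginx': }
    profile::auto_restarts::service { 'envoyproxy': }
    profile::auto_restarts::service { 'rsync': }
}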