Puppet Class: profile::aptrepo::staging

Defined in:
modules/profile/manifests/aptrepo/staging.pp

Summary

Provides a staging repository for CI to build and distribute debian packages.

Overview

SPDX-License-Identifier: Apache-2.0

. stored in .gnupg relative to this path.

Parameters:

  • basedir (Stdlib::Unixpath) (defaults to: lookup('profile::aptrepo::staging::basedir'))

    Where reprepro stores config and distribution files

  • homedir (Stdlib::Unixpath) (defaults to: lookup('profile::aptrepo::staging::homedir'))

    Where to store the GPG keys for signing. GPG keys will be stored in .gnupg relative to this path.

  • gpg_user (String) (defaults to: lookup('profile::aptrepo::staging::gpg_user'))

    Owner of the GPG keys

  • gpg_pubring (Optional[String]) (defaults to: lookup('profile::aptrepo::staging::gpg_pubring'))

    The GPG public keyring for reprepro to use. Will be passed to secret()

  • gpg_secring (Optional[String]) (defaults to: lookup('profile::aptrepo::staging::gpg_secring'))

    The GPG secret keyring for reprepro to use. Will be passed to secret()



# File 'modules/profile/manifests/aptrepo/staging.pp', line 12

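class profile::aptrepo::staging (
  Stdlib::Unixpath $basedir         = lookup('profile::aptrepo::staging::basedir'),
  Stdlib::Unixpath $homedir         = lookup('profile::aptrepo::staging::homedir'),
  String           $gpg_user        = lookup('profile::aptrepo::staging::gpg_user'),
  Optional[String] $gpg_pubring     = lookup('profile::aptrepo::staging::gpg_pubring'),
  Optional[String] $gpg_secring     = lookup('profile::aptrepo::staging::gpg_secring'),
) {
  # GPG keyrings and the reprepro base layout. The keyring parameters are
  # secret() names, not key material; aptrepo::common resolves them.
  class { 'aptrepo::common':
    homedir     => $homedir,
    basedir     => $basedir,
    gpg_user    => $gpg_user,
    gpg_secring => $gpg_secring,
    gpg_pubring => $gpg_pubring,
  }

  # The staging distribution set. 'incoming' is the reprepro incoming
  # directory name handed to aptrepo::repo (presumably relative to $basedir;
  # confirm against the define).
  aptrepo::repo { 'staging_apt_repository':
    basedir            => $basedir,
    incomingdir        => 'incoming',
    distributions_file => 'puppet:///modules/aptrepo/distributions-wikimedia-staging',
  }

  # HTTP(S) to the repository is only opened for the DOMAIN_NETWORKS and
  # MGMT_NETWORKS sets; no public source set is allowed here.
  firewall::service { 'apt_staging_http':
    proto    => 'tcp',
    port     => [80, 443],
    src_sets => ['DOMAIN_NETWORKS', 'MGMT_NETWORKS'],
  }

  nginx::site { 'apt-staging.wikimedia.org':
    content => template('aptrepo/apt-staging.wikimedia.org.conf.erb'),
  }

  # Unprivileged system user that owns the upload directory; the rsync
  # module below writes as this uid/gid.
  systemd::sysuser { 'apt-uploader': }

  file { '/srv/incoming-packages':
    ensure => directory,
    mode   => '0755',
    owner  => 'apt-uploader',
    group  => 'apt-uploader',
  }

  # Credentials for the 'apt-auth' rsync module. Root-only and 0400: the
  # rsync daemon is the only reader (presumably running as root — confirm
  # against rsync::server).
  file { '/etc/rsync-apt-auth-secrets':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0400',
    content => secret('apt-staging/rsync-secrets'),
  }

  # Write-enabled rsync module that CI pushes packages into. Access is gated
  # three ways: the peer must be a gitlab_runner host (hosts_allow), it must
  # authenticate as 'apt-publisher' (auth_users + secrets_file), and uploaded
  # paths are forced to D755/F644 so nothing arrives executable. Anything that
  # lands in /srv/incoming-packages is treated as package input from then on,
  # so keep all three gates intact when changing this.
  class { 'rsync::server': }
  rsync::server::module { 'apt-auth':
    ensure         => present,
    comment        => 'Incoming packages for apt-staging.wm.o, from gitlab runners',
    read_only      => 'no',
    path           => '/srv/incoming-packages',
    uid            => 'apt-uploader',
    gid            => 'apt-uploader',
    incoming_chmod => 'D755,F644',
    hosts_allow    => wmflib::role::hosts('gitlab_runner'),
    auto_firewall  => true,
    auth_users     => ['apt-publisher'],
    secrets_file   => '/etc/rsync-apt-auth-secrets',
  }

  # Second ingest path: a root-run timer pulls apt packages from GitLab CI
  # jobs using the python3-gitlab client. The API token is provisioned at
  # /etc/gitlab-puller-auth (root-only, 0400) for that script.
  ensure_packages(['python3-gitlab'])

  file { '/usr/local/bin/gitlab-package-puller':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
    source => 'puppet:///modules/aptrepo/gitlab_package_puller.py',
  }

  file { '/etc/gitlab-puller-auth':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0400',
    content => secret('apt-staging/gitlab-puller-token'),
  }

  systemd::timer::job { 'gitlab-package-puller':
    ensure      => present,
    user        => 'root',
    description => 'Runs the script to pull apt packages from Gitlab CI jobs',
    command     => '/usr/local/bin/gitlab-package-puller',
    # OnUnitInactiveSec: fire 5 minutes after the previous run finished,
    # rather than on a fixed wall-clock schedule, so runs never overlap.
    interval    => { 'start' => 'OnUnitInactiveSec', 'interval' => '5m' },
  }

  # envoyproxy is not declared in this class; it is assumed to be managed by
  # another profile on the same host.
  profile::auto_restarts::service { 'nginx': }
  profile::auto_restarts::service { 'envoyproxy': }
  profile::auto_restarts::service { 'rsync': }
}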