authorintrigeri <intrigeri@boum.org>2016-05-11 16:15:02 +0000
committerintrigeri <intrigeri@boum.org>2016-05-11 16:35:43 +0000
commit21801798753a05e2078be9b9540050ea291d7e41 (patch)
tree2c68b22ed5f841383241106f33ea7710070afece
parent325759e6267fd9dcc5dbfbcd06c64550dca9f5bd (diff)
Add draft script to publish a tagged APT snapshot, and allow reprepro-time-based-snapshots to run it as root.
-rwxr-xr-xfiles/reprepro/snapshots/time_based/tails-publish-tagged-apt-snashot44
-rw-r--r--manifests/reprepro/snapshots/time_based.pp16
2 files changed, 60 insertions, 0 deletions
diff --git a/files/reprepro/snapshots/time_based/tails-publish-tagged-apt-snashot b/files/reprepro/snapshots/time_based/tails-publish-tagged-apt-snashot
new file mode 100755
index 0000000..e6cb3e0
--- /dev/null
+++ b/files/reprepro/snapshots/time_based/tails-publish-tagged-apt-snashot
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# Usage: tails-publish-tagged-apt-snashot SNAPSHOTS_DIRECTORY TAG
+#
+# Publishes a tagged APT snapshot: gives it the right ownership and permissions,
+# and moves it to the directory where it's served over HTTP.
+#
+# Beware: this script is run as root, via sudo, by an unprivileged user.
+
+set -e
+set -u
+set -o pipefail
+
+TIME_BASED_SNAPSHOTS_USER='reprepro-time-based-snapshots'
+TIME_BASED_SNAPSHOTS_GROUP='reprepro-time-based-snapshots'
+TAGGED_SNAPSHOTS_USER='reprepro-tagged-snapshots'
+TAGGED_SNAPSHOTS_GROUP='reprepro-tagged-snapshots'
+TAGGED_SNAPSHOTS_HOME=$(getent passwd "$TAGGED_SNAPSHOTS_USER" | cut -d':' -f6)
+TAGGED_SNAPSHOTS_REPOSITORIES="${TAGGED_SNAPSHOTS_HOME}/repositories"
+
+error() {
+ echo "$@" >&2
+ exit 1
+}
+
+[ $# -eq 2 ] || exit 1
+
+SNAPSHOT_DIRECTORY="$1"
+TAG="$2"
+
+[ -d "$SNAPSHOT_DIRECTORY" ] || error "'$SNAPSHOT_DIRECTORY' is not a directory"
+[ "$(stat --format='%U' "$SNAPSHOT_DIRECTORY")" = "$TIME_BASED_SNAPSHOTS_USER" ] \
+ || error "'$SNAPSHOT_DIRECTORY' is not owned by user '$TIME_BASED_SNAPSHOTS_USER'"
+[ "$(stat --format='%G' "$SNAPSHOT_DIRECTORY")" = "$TIME_BASED_SNAPSHOTS_GROUP" ] \
+ || error "'$SNAPSHOT_DIRECTORY' is not owned by group '$TIME_BASED_SNAPSHOTS_GROUP'"
+echo "$TAG" | grep -E --line-regexp '[0-9a-z.-]+' \
+ || error "'$TAG' is not a valid tag name"
+[ ! -e "${TAGGED_SNAPSHOTS_REPOSITORIES}/${TAG}" ] \
+ error "A tagged snapshot already exists in '${TAGGED_SNAPSHOTS_REPOSITORIES}/${TAG}'"
+
+chown -R "${TAGGED_SNAPSHOTS_USER}:${TAGGED_SNAPSHOTS_GROUP}" \
+ "$SNAPSHOT_DIRECTORY"
+chmod -R go+rX "$SNAPSHOT_DIRECTORY"
+mv "$SNAPSHOT_DIRECTORY" "${TAGGED_SNAPSHOTS_REPOSITORIES}/${TAG}"
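Review bot: The existence check `[ ! -e "${TAGGED_SNAPSHOTS_REPOSITORIES}/${TAG}" ] \` is missing the `||` before `error` on the following line, so the backslash joins both lines into one `[ … ] error "A tagged snapshot already exists …"` command; `test` then fails with "too many arguments" and `set -e` aborts the script before the chown/mv, so as written it can never publish anything — the continuation line should read `|| error "A tagged snapshot already exists in '${TAGGED_SNAPSHOTS_REPOSITORIES}/${TAG}'"`. Because this runs as root on a path chosen by the unprivileged caller, the checks should also reject a symlink: `[ -d … ]` follows the link while `stat` without `-L` reports the link's own owner, and GNU `chmod -R` dereferences a symlink given on the command line, so a caller-owned symlink pointing at a root-owned tree would pass both checks and get `go+rX` applied; add `[ ! -L "$SNAPSHOT_DIRECTORY" ] || error "'$SNAPSHOT_DIRECTORY' is a symlink"` ahead of the ownership checks (a race between check and chown remains, but this closes the obvious case). The tag regex `[0-9a-z.-]+` also accepts `.` and `..`, which only the (currently broken) existence check would stop, so anchoring the first character to `[0-9a-z]` and using `grep -q` to keep the matched tag off stdout would be cheap hardening. Finally, the file is added as `tails-publish-tagged-apt-snashot` (also in the Usage comment) while the manifest hunk below sources `tails-publish-tagged-apt-snapshot`, so Puppet will not find the source until the file is renamed.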
diff --git a/manifests/reprepro/snapshots/time_based.pp b/manifests/reprepro/snapshots/time_based.pp
index bf040a3..6612d5e 100644
--- a/manifests/reprepro/snapshots/time_based.pp
+++ b/manifests/reprepro/snapshots/time_based.pp
@@ -156,6 +156,22 @@ class tails::reprepro::snapshots::time_based (
require => Package[$tails_compact_reprepro_db_pkg_deps],
}
+ file { '/usr/local/sbin/tails-publish-tagged-apt-snapshot':
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0755',
+ source => 'puppet:///modules/tails/reprepro/snapshots/time_based/tails-publish-tagged-apt-snapshot',
+ }
+
+ file { '/etc/sudoers.d/tails-publish-tagged-apt-snapshot':
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0440',
+ content => "${user} ALL = NOPASSWD: /usr/local/sbin/tails-publish-tagged-apt-snapshot\n",
+ }
+
# To avoid having to maintain them in yet another place, let's reuse
# the keys we give to APT on our systems:
tails::reprepro::snapshots::time_based::import_upstream_keys {