path: root/manifests/reprepro/snapshots/secret_keys.pp
# Manage GnuPG secret keys used by reprepro snapshot classes
#
# Imports the keys found in "${homedir}/private-keys.asc" with gpg, running
# as $user: once each time that file resource changes (Exec), and again at
# minute 47 of every hour (Cron).
#
# @param basedir
#   Absolute path. Not referenced by any resource in this define.
# @param homedir
#   Absolute path of the directory that contains private-keys.asc.
# @param user
#   Account that runs gpg. It is also passed as the Exec's group, so a group
#   of the same name presumably exists -- confirm.
#
# Security notes:
# - private-keys.asc holds secret key material. The File resource for it is
#   not declared here (presumably tails_secrets_apt provides it -- confirm),
#   so its owner and mode are decided there; it should be readable by $user
#   only.
# - $homedir is interpolated into a shell command between single quotes. A
#   value containing a single quote would break that quoting, so the
#   parameter must only ever be fed from trusted data.
# - gpg is called without --homedir, so the keyring that receives the keys
#   is whichever one gpg resolves for $user at run time.
define tails::reprepro::snapshots::secret_keys (
  Stdlib::Absolutepath $basedir,
  Stdlib::Absolutepath $homedir,
  String $user,
) {

  ### Sanity checks

  # Abort catalog compilation when the class providing the key material has
  # not been declared. defined() only sees what was evaluated before this
  # point, so the result depends on evaluation order.
  unless defined(Class['::tails_secrets_apt']) {
    fail('Depends on the tails_secrets_apt class')
  }

  ### Resources

  $keys_src_file = "${homedir}/private-keys.asc"

  # The Exec and the Cron below share one title.
  $import_title = "tails-reprepro-import-private-keys_${name}"

  # Import on change only: refreshonly keeps this idle until the subscribed
  # File sends a refresh.
  # NOTE(review): no `path` is set and the command is not fully qualified;
  # presumably a resource default elsewhere supplies the search path --
  # confirm.
  exec { $import_title:
    command     => "gpg --batch --quiet --import '${keys_src_file}'",
    refreshonly => true,
    subscribe   => File[$keys_src_file],
    user        => $user,
    group       => $user,
  }

  # Hourly re-import. When this define is used several times on one system,
  # refreshonly lets only one of the Execs run; the cron job covers the
  # instances that were skipped. Output is discarded and the exit status is
  # forced to success, so a failing import is silent here.
  cron { $import_title:
    command => "gpg --batch --quiet --import '${keys_src_file}' >/dev/null 2>&1 || true",
    minute  => 47,
    user    => $user,
  }

}