handle sync ssh keys for dgit
authorPeter Palfrader <peter@palfrader.org>
Sun, 15 Sep 2019 20:21:28 +0000 (22:21 +0200)
committerPeter Palfrader <peter@palfrader.org>
Sun, 15 Sep 2019 20:21:46 +0000 (22:21 +0200)
The dgit master host (gideon) is available only via ssh to DDs.
It syncs its data to a publicly accessible host (cgi-grnet-01) over
ssh.  Until now the authkeys file was maintained by hand, but
Ian Jackson asked if we could do that in puppet so that updates in IP
addresses etc. get handled automatically.

hieradata/nodes/gideon.debian.org.yaml [new file with mode: 0644]
modules/roles/manifests/dgit.pp [new file with mode: 0644]
modules/roles/manifests/dgit_browse.pp
modules/roles/manifests/dgit_git.pp
modules/roles/manifests/dgit_sync_target.pp [new file with mode: 0644]

diff --git a/hieradata/nodes/gideon.debian.org.yaml b/hieradata/nodes/gideon.debian.org.yaml
new file mode 100644 (file)
index 0000000..abf809a
--- /dev/null
@@ -0,0 +1,3 @@
+---
+classes:
+  - roles::dgit
diff --git a/modules/roles/manifests/dgit.pp b/modules/roles/manifests/dgit.pp
new file mode 100644 (file)
index 0000000..9afcf9f
--- /dev/null
@@ -0,0 +1,12 @@
+# the dgit role
+#
+# stores the sync command to be collected by sync clients (browse and public git)
+class roles::dgit() {
+  ssh::authorized_key_add { 'dgit-sync':
+    target_user => 'dgit-unpriv',
+    key         => dig($facts, 'ssh_keys_users', 'dgit', 'id_rsa.pub', 'line'),
+    command     => '/srv/dgit.debian.org/dgit-live/infra/dgit-mirror-ssh-wrap /srv/dgit.debian.org/unpriv/repos/ .git --',
+    from        => $base::public_addresses,
+    collect_tag => 'roles::dgit::sync',
+  }
+}
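Review bot: The `key` lookup at `dig($facts, 'ssh_keys_users', 'dgit', 'id_rsa.pub', 'line')` yields undef when that fact is not (yet) present, so on a run before the key fact is gathered the class exports an entry whose key is empty, and how `ssh::authorized_key_add` treats an undef key is not visible here; assign it first and guard the resource, e.g. `$key = dig($facts, 'ssh_keys_users', 'dgit', 'id_rsa.pub', 'line')` followed by `if $key { ssh::authorized_key_add { 'dgit-sync': … } }`, so a missing fact is a no-op rather than a broken authorized_keys line on the sync targets. The `from` restriction to `$base::public_addresses` and the forced `command` are the right shape for a mirror key; whether the define also applies the usual restrictive options (no-pty, no-agent-forwarding, no-port-forwarding, no-X11-forwarding) is not shown in this hunk and is worth confirming, since the wrapper is the only thing standing between the private host's key and a shell on the public hosts. The `collect_tag` string must match the collector exactly, so a comment such as `# collect_tag must equal the one in roles::dgit_sync_target (dgit_sync_target.pp)` would make the coupling explicit. The empty parameter list in `class roles::dgit()` is harmless but inconsistent with the other role classes in this commit, which omit it.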
index 190e535..ab29f04 100644 (file)
@@ -1,5 +1,6 @@
 class roles::dgit_browse {
   include apache2
+  include roles::dgit_sync_target
 
   ssl::service { 'browse.dgit.debian.org':
     notify => Exec['service apache2 reload'],
index 61df36d..7ddf0ed 100644 (file)
@@ -1,5 +1,6 @@
 class roles::dgit_git {
   include apache2
+  include roles::dgit_sync_target
 
   ssl::service { 'git.dgit.debian.org':
     notify => Exec['service apache2 reload'],
diff --git a/modules/roles/manifests/dgit_sync_target.pp b/modules/roles/manifests/dgit_sync_target.pp
new file mode 100644 (file)
index 0000000..47daf91
--- /dev/null
@@ -0,0 +1,8 @@
+# class to collect the ssh keys sent by the dgit host on the browse and
+# (public) git host
+class roles::dgit_sync_target {
+  ssh::authorized_key_collect { 'dgit-sync':
+    target_user => 'dgit-unpriv',
+    collect_tag => 'roles::dgit::sync'
+  }
+}
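Review bot: Nothing in this hunk ensures the `dgit-unpriv` user named in `target_user` exists on the browse and git hosts before the collected key is written; if it is managed elsewhere (likely, but not visible here) a comment saying so, e.g. `# dgit-unpriv is expected to exist on the including host`, would save the next reader a search, and if not, a `User['dgit-unpriv']` dependency or a `require` is needed. The `collect_tag => 'roles::dgit::sync'` literal is duplicated from dgit.pp and a typo on either side silently results in no key being collected, so a comment such as `# must match collect_tag in roles::dgit (dgit.pp)` is worth adding. For consistency with dgit.pp, `collect_tag => 'roles::dgit::sync'` should carry a trailing comma.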