auto_clientcerts_dir: '/srv/puppet.debian.org/ca/RESULT/clientcerts'
apt::sources::debian::location: 'https://deb.debian.org/debian/'
+staticsync::user: 'staticsync'
+staticsync::basedir: '/srv/static.debian.org'
+
# all of these should be retired in favour of including the class role
# with the host. weasel, 2019-09
roles:
--- /dev/null
+#
+class roles::static_master(
+) {
+ include staticsync::static_master
+}
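Review bot: The header comment on roles::static_master is an empty `#` and roles::static_source (the third new file, ending at its `}`) has none, while roles::static_mirror's header says what the role is. Reusing the wording of the staticsync class comments later in this change, `# the static master for one or more components: receives content from sources and pushes it to the mirrors` for static_master and `# a static source: produces content that is shipped to the component's master` for static_source would give all three role wrappers a one-line purpose. The static_mirror header also reads "that it servers" where "serves" is meant.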
--- /dev/null
+# a static mirror. It will get content for all components that it servers
+# from each component's master.
+class roles::static_mirror () {
+ include staticsync::static_mirror
+}
--- /dev/null
+class roles::static_source(
+) {
+ include staticsync::static_source
+}
# the base class defining things common for all three static classes (master, mirror, source)
-class roles::static::base {
- $query = 'nodes[certname] { resources { type = "Class" and title = "Roles::Static_mirror" } }'
+class staticsync::base inherits staticsync {
+
+ # fetch the list of static mirrors from PuppetDB
+ #
+ # This list is necessary so we can both do "include only these
+ # mirrors" but also "exclude these mirrors and include all others"
+ # in the config.
+ $query = 'nodes[certname] { resources { type = "Class" and title = "Staticsync::Static_mirror" } }'
$static_mirrors = sort(puppetdb_query($query).map |$value| { $value["certname"] })
file { '/etc/static-components.conf':
- content => template('roles/static-mirroring/static-components.conf.erb'),
+ content => template('staticsync/static-components.conf.erb'),
}
file { '/usr/local/bin/staticsync-ssh-wrap':
- source => 'puppet:///modules/roles/static-mirroring/staticsync-ssh-wrap',
+ source => 'puppet:///modules/staticsync/staticsync-ssh-wrap',
mode => '0555',
}
file { '/usr/local/bin/static-update-component':
- source => 'puppet:///modules/roles/static-mirroring/static-update-component',
- mode => '0555',
+ source => 'puppet:///modules/staticsync/static-update-component',
+ mode => '0555',
}
file { '/etc/staticsync.conf':
content => @("EOF"),
- # This file is sourced by bash
- # and parsed by python
- # - empty lines and lines starting with a # are ignored.
- # - other lines are key=value. No extra spaces anywhere. No quoting.
- base=/srv/static.debian.org
- masterbase=/home/staticsync/static-master/master
- staticuser=staticsync
- | EOF
+ # This file is sourced by bash
+ # and parsed by python
+ # - empty lines and lines starting with a # are ignored.
+ # - other lines are key=value. No extra spaces anywhere. No quoting.
+ base=${staticsync::basedir}
+ masterbase=${staticsync::basedir}/master
+ staticuser=${staticsync::user}
+ | EOF
}
}
--- /dev/null
+# A base class for staticsync. This owns the configuration variables, which
+# should be set by hiera.
+class staticsync (
+ String $user,
+ String $basedir,
+ # for ssh/firewalling purposes
+ Array[Stdlib::IP::Address] $public_addresses = $base::public_addresses,
+) {
+ if ! $user {
+ fail('Variable $user is not set. Please provide a value (for instance via hiera).')
+ }
+ if ! $basedir {
+ fail('Variable $basedir is not set. Please provider a value (for instance via hiera).')
+ }
+}
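Review bot: The `if ! $user` and `if ! $basedir` checks at the bottom of the class cannot do the job they describe: both parameters are typed `String` with no default, so a missing value is rejected by Puppet before the body runs, and an empty string is truthy in the Puppet language, so `''` passes straight through. Since `$basedir` and `$user` are later written unquoted into /etc/staticsync.conf, a file the heredoc in the staticsync::base hunk says is sourced by bash, the effective guard is the type: `String[1] $user,` and `Stdlib::Absolutepath $basedir,` (Stdlib types are already used on the `$public_addresses` parameter), after which both `fail()` blocks can be dropped. If they stay, the second message reads "Please provider a value".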
# create the directory on static hosts and disable backups
-class roles::static::srvdir {
- file { '/srv/static.debian.org':
+class staticsync::srvdir (
+) {
+ file { $staticsync::basedir:
ensure => directory,
mode => '0755',
- owner => 'staticsync',
- group => 'staticsync',
+ owner => $staticsync::user,
+ group => $staticsync::user,
}
- file { '/srv/static.debian.org/.nobackup':
+ file { "${staticsync::basedir}/.nobackup":
content => '',
}
}
# wrapper for ssh setup for statichosts
-class roles::static::ssh(
+class staticsync::ssh (
Variant[Array[String], String] $add_tag,
String $collect_tag,
- )
-{
- ssh::keygen {'staticsync': }
+) {
+ ssh::keygen { $staticsync::user : }
- ssh::authorized_key_add { 'staticsync':
- target_user => 'staticsync',
+ ssh::authorized_key_add { "staticsync-${staticsync::user}":
+ target_user => $staticsync::user,
+ key => dig($facts, 'ssh_keys_users', $staticsync::user, 'id_rsa.pub', 'line'),
command => "/usr/local/bin/staticsync-ssh-wrap ${::fqdn}",
- key => $facts['staticsync_key'],
- options => ['restrict', 'pty'],
+ options => ['restrict','pty'],
+ from => $staticsync::public_addresses,
collect_tag => $add_tag,
}
- ssh::authorized_key_collect { 'staticsync':
- target_user => 'staticsync',
+ ssh::authorized_key_collect { "staticsync-${staticsync::user}":
+ target_user => $staticsync::user,
collect_tag => $collect_tag,
}
}
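Review bot: The new `key => dig($facts, 'ssh_keys_users', $staticsync::user, 'id_rsa.pub', 'line')` yields undef whenever that fact is absent, which is presumably the case on the first run where `ssh::keygen` in the same catalog has only just created the key, and the export then carries an empty key. Rather than exporting it, bind it first with `$pubkey = dig($facts, 'ssh_keys_users', $staticsync::user, 'id_rsa.pub', 'line')` and wrap the `ssh::authorized_key_add` in `if $pubkey { ... }`, so the key is exported on the next run once the fact exists; whether ssh::authorized_key_add itself rejects an undef key is outside this hunk. A one-line comment above the guard (`# key fact is only populated on the run after keygen`) would explain the skip.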
# each component defines exactly one static master. Content is copied from the source host
# to the master, and from there to all the mirrors.
#
-class roles::static_master {
- include roles::static::base
- include roles::static::srvdir
+class staticsync::static_master (
+) {
+ include staticsync::base
+ include staticsync::srvdir
# masters need to talk to mirrors and sources and themselves
- class { 'roles::static::ssh':
+ class { 'staticsync::ssh':
add_tag => [ 'staticsync-mirror', 'staticsync-source', 'staticsync-master' ],
collect_tag => 'staticsync-master',
}
file { '/usr/local/bin/static-master-run':
- source => 'puppet:///modules/roles/static-mirroring/static-master-run',
+ source => 'puppet:///modules/staticsync/static-master-run',
mode => '0555',
}
file { '/usr/local/bin/static-master-update-component':
- source => 'puppet:///modules/roles/static-mirroring/static-master-update-component',
+ source => 'puppet:///modules/staticsync/static-master-update-component',
mode => '0555',
}
file { '/etc/static-clients.conf':
- content => template('roles/static-mirroring/static-clients.conf.erb'),
+ content => template('staticsync/static-clients.conf.erb'),
}
+# concat { '/etc/static-clients.conf':
+# ensure_newline => true,
+# warn => @(EOF),
+# ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+# | EOF
+# }
+# Concat::Fragment <<| tag == 'staticsync::static-mirrors-to-trigger' |>>
- file { '/home/staticsync/static-master':
+ file { "/home/${staticsync::user}/static-master":
ensure => link,
- target => '/srv/static.debian.org',
+ target => $staticsync::basedir,
}
- file { '/srv/static.debian.org/master':
+ file { "${staticsync::basedir}/master":
ensure => directory,
mode => '0755',
- owner => 'staticsync',
- group => 'staticsync',
+ owner => $staticsync::user,
+ group => $staticsync::user,
}
}
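Review bot: The commented-out `concat { '/etc/static-clients.conf' }` block and the `Concat::Fragment <<| ... |>>` collector sit between two live resources with no explanation, and they target the same path as the template-driven `file { '/etc/static-clients.conf' }` just above them, which would conflict if uncommented as-is. Either drop the block or give it a one-line reason, e.g. `# TODO: replace the template-generated file above with collected fragments once all mirrors export them (see staticsync::static_mirror)`. The symlink `"/home/${staticsync::user}/static-master"` also hard-codes the home directory layout from the user name; if that path can differ from the account's actual home this should be noted or derived instead.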
-# a static mirror
+# a static mirror. It will get content for all components that it servers
+# from each component's master.
#
-# this receives pushes from the master and then usually serves the content to the public
-class roles::static_mirror {
- include roles::static::base
- include roles::static::srvdir
+# Static mirrors register themselves via a stored-conf /etc/static-clients.conf
+# that the masters collect. Mirrors can always pull, but they only get
+# triggered if they are in /etc/static-clients.conf. So during initial
+# setup it might make sense to not get triggered and thus block updates of
+# components until all mirrors are in sync; set $get_triggered = false for that.
+#
+class staticsync::static_mirror (
+ Boolean $get_triggered = true,
+) {
+ include staticsync::base
+ include staticsync::srvdir
# mirrors talk only to masters
- class { 'roles::static::ssh':
+ class { 'staticsync::ssh':
add_tag => 'staticsync-master',
collect_tag => 'staticsync-mirror',
}
file { '/usr/local/bin/static-mirror-run':
- source => 'puppet:///modules/roles/static-mirroring/static-mirror-run',
+ source => 'puppet:///modules/staticsync/static-mirror-run',
mode => '0555',
}
-
file { '/usr/local/bin/static-mirror-run-all':
- source => 'puppet:///modules/roles/static-mirroring/static-mirror-run-all',
+ source => 'puppet:///modules/staticsync/static-mirror-run-all',
mode => '0555',
}
-
file { '/etc/cron.d/puppet-static-mirror': ensure => absent, }
concat::fragment { 'puppet-crontab--static-mirror':
target => '/etc/cron.d/puppet-crontab',
- content => @(EOF)
- @reboot staticsync sleep 60; chronic static-mirror-run-all
- | EOF
+ content => @("EOF"),
+ MAILTO=root
+ PATH=/usr/local/bin:/usr/bin:/bin
+ @reboot ${staticsync::user} sleep 60; chronic static-mirror-run-all
+ | EOF
+ }
+
+ if $get_triggered {
+ @@concat::fragment { "static-client-${::fqdn}":
+ tag => 'staticsync::static-mirrors-to-trigger',
+ content => $::fqdn,
+ target => '/etc/static-clients.conf',
+ }
}
}
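Review bot: The exported `@@concat::fragment` at the end identifies the mirror by `$::fqdn`, a fact reported by the node itself, while `$trusted['certname']` comes from the agent's certificate and cannot be set by the node; for an entry that masters will use to decide which hosts to trigger, `content => $trusted['certname'],` (and the same in the title) is the safer identity. As far as this change shows, nothing collects these fragments yet: the collector in staticsync::static_master is commented out and the target file is still written from a template, so the export is inert until a `concat` target is declared there. The fragment also has no trailing newline, so the collecting side will need `ensure_newline => true` (as in the commented-out block) or entries run together.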
-# a static source
+# Sources are systems that produce content that is then shipped to masters (which ship it to mirrors).
+# Source can trigger these mirror pulses.
#
-# origin of static content. From here it goes to the static master before that one pushes it to the mirrors
-class roles::static_source {
- include roles::static::base
+# the class doesn't need anything beyond what is in the common base set for now.
+class staticsync::static_source (
+) {
+ include staticsync::base
- if ! defined(Class["roles::static_master"]) {
+ if ! defined(Class["staticsync::static_master"]) {
# sources talk only to masters, but only set this up if we are not
- # *also* a static master since we cannot have two meaningful roles::static:ssh
+ # *also* a static master since we cannot have two meaningful staticsync:ssh
# instances in the current setup.
#
- # this adds the limitation that the master of any component whose source is also a
- # master node needs to have that same host as its master and not some other one.
- class { 'roles::static::ssh':
+ # this adds the limitation that if a system is both master and source, then
+ # any components which have this system as a source need to also use the same
+ # system as their master.
+ class { 'staticsync::ssh':
add_tag => 'staticsync-master',
collect_tag => 'staticsync-source',
}
##
## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##
<%=