From: Peter Palfrader Date: Sun, 15 Sep 2019 20:21:28 +0000 (+0200) Subject: handle sync ssh keys for dgit X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=58c7800d8ae435a2dbcabaabacddb0882c87307f;p=mirror%2Fdsa-puppet.git handle sync ssh keys for dgit The dgit master host (gideon) is available only via ssh to DDs. it syncs its data to a publicly accessible host (cgi-grnet-01) over ssh. Until now the authkeys file was maintained by hand, but Ian Jackson asked if we could do that in puppet so updates in IP addresses etc. get automatically handled.
---
diff --git a/hieradata/nodes/gideon.debian.org.yaml b/hieradata/nodes/gideon.debian.org.yaml
new file mode 100644
index 000000000..abf809a37
--- /dev/null
+++ b/hieradata/nodes/gideon.debian.org.yaml
@@ -0,0 +1,3 @@
+---
+classes:
+ - roles::dgit
diff --git a/modules/roles/manifests/dgit.pp b/modules/roles/manifests/dgit.pp
new file mode 100644
index 000000000..9afcf9fb4
--- /dev/null
+++ b/modules/roles/manifests/dgit.pp
@@ -0,0 +1,12 @@
+# the dgit role
+#
+# stores the sync command to be collected by sync clients (browse and public git)
+class roles::dgit() {
+ ssh::authorized_key_add { 'dgit-sync':
+ target_user => 'dgit-unpriv',
+ key => dig($facts, 'ssh_keys_users', 'dgit', 'id_rsa.pub', 'line'),
+ command => '/srv/dgit.debian.org/dgit-live/infra/dgit-mirror-ssh-wrap /srv/dgit.debian.org/unpriv/repos/ .git --',
+ from => $base::public_addresses,
+ collect_tag => 'roles::dgit::sync',
+ }
+}
diff --git a/modules/roles/manifests/dgit_browse.pp b/modules/roles/manifests/dgit_browse.pp
index 190e53515..ab29f0401 100644
--- a/modules/roles/manifests/dgit_browse.pp
+++ b/modules/roles/manifests/dgit_browse.pp
@@ -1,5 +1,6 @@
 class roles::dgit_browse {
 include apache2
+ include roles::dgit_sync_target
 ssl::service { 'browse.dgit.debian.org':
 notify => Exec['service apache2 reload'],
diff --git a/modules/roles/manifests/dgit_git.pp b/modules/roles/manifests/dgit_git.pp
index 61df36d97..7ddf0ed98 100644
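Review bot: In the dgit.pp hunk, `key => dig($facts, 'ssh_keys_users', 'dgit', 'id_rsa.pub', 'line')` evaluates to undef whenever that fact is missing (for instance on a run before the dgit user's key has been generated), and the resource is then still exported with no key; what the collecting hosts end up with depends on how `ssh::authorized_key_add` treats undef, which is not visible here, but an empty or malformed authorized_keys entry is the likely result. Binding the value first and declaring the resource only when it is set avoids publishing a broken entry, as sketched below. The `command` and `from` restrictions are the right shape for a sync-only key; a short comment on `from` saying that it limits the entry to gideon's public addresses would help whoever reads the collect side later.
```puppet
class roles::dgit() {
  # dig() returns undef when the fact is absent (e.g. before the key exists);
  # skip the export rather than publishing an empty authorized_keys entry.
  $sync_key = dig($facts, 'ssh_keys_users', 'dgit', 'id_rsa.pub', 'line')
  if $sync_key {
    ssh::authorized_key_add { 'dgit-sync':
      target_user => 'dgit-unpriv',
      key         => $sync_key,
      # … unchanged: command, from, collect_tag …
    }
  }
}
```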
--- a/modules/roles/manifests/dgit_git.pp
+++ b/modules/roles/manifests/dgit_git.pp
@@ -1,5 +1,6 @@
 class roles::dgit_git {
 include apache2
+ include roles::dgit_sync_target
 ssl::service { 'git.dgit.debian.org':
 notify => Exec['service apache2 reload'],
diff --git a/modules/roles/manifests/dgit_sync_target.pp b/modules/roles/manifests/dgit_sync_target.pp
new file mode 100644
index 000000000..47daf91da
--- /dev/null
+++ b/modules/roles/manifests/dgit_sync_target.pp
@@ -0,0 +1,8 @@
+# class to collect the ssh keys sent by the dgit host on the browse and
+# (public) git host
+class roles::dgit_sync_target {
+ ssh::authorized_key_collect { 'dgit-sync':
+ target_user => 'dgit-unpriv',
+ collect_tag => 'roles::dgit::sync'
+ }
+}
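Review bot: In the dgit_sync_target.pp hunk, the collect into `target_user => 'dgit-unpriv'` carries no relationship to whatever creates that account, so unless `ssh::authorized_key_collect` orders itself after the user (not visible here), a freshly built browse or git host may try to write the authorized_keys file before the account exists. If the account is managed as a `User` resource in the same catalog, `require => User['dgit-unpriv'],` on the collect resource makes that ordering explicit. The tag `'roles::dgit::sync'` is also repeated verbatim from roles::dgit, and a typo on either side silently collects nothing, so a comment such as `# must match collect_tag in roles::dgit` (or a shared value) would guard the pairing.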