From 58c7800d8ae435a2dbcabaabacddb0882c87307f Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 15 Sep 2019 22:21:28 +0200
Subject: [PATCH] handle sync ssh keys for dgit

The dgit master host (gideon) is available only via ssh to DDs. it syncs its data to a publicly accessible host (cgi-grnet-01) over ssh. Until now the authkeys file was maintained by hand, but Ian Jackson asked if we could do that in puppet so updates in IP addresses etc. get automatically handled.

---
hieradata/nodes/gideon.debian.org.yaml | 3 +++
modules/roles/manifests/dgit.pp | 12 ++++++++++++
modules/roles/manifests/dgit_browse.pp | 1 +
modules/roles/manifests/dgit_git.pp | 1 +
modules/roles/manifests/dgit_sync_target.pp | 8 ++++++++
5 files changed, 25 insertions(+)
create mode 100644 hieradata/nodes/gideon.debian.org.yaml
create mode 100644 modules/roles/manifests/dgit.pp
create mode 100644 modules/roles/manifests/dgit_sync_target.pp

diff --git a/hieradata/nodes/gideon.debian.org.yaml b/hieradata/nodes/gideon.debian.org.yaml
new file mode 100644
index 000000000..abf809a37
--- /dev/null
+++ b/hieradata/nodes/gideon.debian.org.yaml
@@ -0,0 +1,3 @@
+---
+classes:
+ - roles::dgit
diff --git a/modules/roles/manifests/dgit.pp b/modules/roles/manifests/dgit.pp
new file mode 100644
index 000000000..9afcf9fb4
--- /dev/null
+++ b/modules/roles/manifests/dgit.pp
@@ -0,0 +1,12 @@
+# the dgit role
+#
+# stores the sync command to be collected by sync clients (browse and public git)
+class roles::dgit() {
+ ssh::authorized_key_add { 'dgit-sync':
+ target_user => 'dgit-unpriv',
+ key => dig($facts, 'ssh_keys_users', 'dgit', 'id_rsa.pub', 'line'),
+ command => '/srv/dgit.debian.org/dgit-live/infra/dgit-mirror-ssh-wrap /srv/dgit.debian.org/unpriv/repos/ .git --',
+ from => $base::public_addresses,
+ collect_tag => 'roles::dgit::sync',
+ }
+}
diff --git a/modules/roles/manifests/dgit_browse.pp b/modules/roles/manifests/dgit_browse.pp
index 190e53515..ab29f0401 100644
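Review bot: The exported key in `roles::dgit` comes from `dig($facts, 'ssh_keys_users', 'dgit', 'id_rsa.pub', 'line')`, which evaluates to undef when that fact is absent (a run before the dgit user's keypair exists, or a failing custom fact), so the resource would be exported with an empty key unless `ssh::authorized_key_add`, defined outside this patch, rejects it. Guarding the export — `$key = dig(...)`, then `if $key { ssh::authorized_key_add { ... } } else { warning('dgit sync key fact missing, not exporting') }` — keeps a transient fact failure from publishing a broken authorized_keys entry to the sync targets. Because this entry grants gideon's dgit user access on two public hosts, the header comment should also record what bounds it, e.g. `# access is restricted by from => $base::public_addresses and the forced dgit-mirror-ssh-wrap command`, and it is worth confirming that the define adds `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` (or `restrict`), since nothing in this hunk does. The hieradata hunk sharing this line needs no change.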
--- a/modules/roles/manifests/dgit_browse.pp
+++ b/modules/roles/manifests/dgit_browse.pp
@@ -1,5 +1,6 @@
 class roles::dgit_browse {
 include apache2
+ include roles::dgit_sync_target
 ssl::service { 'browse.dgit.debian.org':
 notify => Exec['service apache2 reload'],
diff --git a/modules/roles/manifests/dgit_git.pp b/modules/roles/manifests/dgit_git.pp
index 61df36d97..7ddf0ed98 100644
--- a/modules/roles/manifests/dgit_git.pp
+++ b/modules/roles/manifests/dgit_git.pp
@@ -1,5 +1,6 @@
 class roles::dgit_git {
 include apache2
+ include roles::dgit_sync_target
 ssl::service { 'git.dgit.debian.org':
 notify => Exec['service apache2 reload'],
diff --git a/modules/roles/manifests/dgit_sync_target.pp b/modules/roles/manifests/dgit_sync_target.pp
new file mode 100644
index 000000000..47daf91da
--- /dev/null
+++ b/modules/roles/manifests/dgit_sync_target.pp
@@ -0,0 +1,8 @@
+# class to collect the ssh keys sent by the dgit host on the browse and
+# (public) git host
+class roles::dgit_sync_target {
+ ssh::authorized_key_collect { 'dgit-sync':
+ target_user => 'dgit-unpriv',
+ collect_tag => 'roles::dgit::sync'
+ }
+}
--
2.20.1
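Review bot: `roles::dgit_sync_target` collects every exported resource tagged `roles::dgit::sync`, so any node that classifies itself with `roles::dgit` — not only gideon, the sole node given that class in hieradata here — gets its dgit key installed into `dgit-unpriv`'s authorized_keys on the public browse and git hosts. That trust assumption belongs in the class comment, e.g. `# Trust: any node exporting under this tag gains forced-command access as dgit-unpriv here; keep roles::dgit assigned to gideon only.` The class also depends on the `dgit-unpriv` account existing on the target hosts but neither declares nor requires `User['dgit-unpriv']`; if it is created elsewhere in the tree, a `require => User['dgit-unpriv']` on the collector would make that ordering explicit rather than relying on catalog order. The two include-only hunks for dgit_browse.pp and dgit_git.pp need no change.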