From: Peter Palfrader Date: Sun, 22 Sep 2019 19:12:20 +0000 (+0200) Subject: Set up ssh between snapshot nodes X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=commitdiff_plain;h=64c1545f242396ff122e1af0ce35cf952a01c58c Set up ssh between snapshot nodes
---
diff --git a/data/nodes/lw01.debian.org.yaml b/data/nodes/lw01.debian.org.yaml
index 137033653..2a3edab1c 100644
--- a/data/nodes/lw01.debian.org.yaml
+++ b/data/nodes/lw01.debian.org.yaml
@@ -1,3 +1,3 @@
 ---
 classes:
- - roles::snapshot_base
+ - roles::snapshot_farmsync_target
diff --git a/data/nodes/lw02.debian.org.yaml b/data/nodes/lw02.debian.org.yaml
index 137033653..2a3edab1c 100644
--- a/data/nodes/lw02.debian.org.yaml
+++ b/data/nodes/lw02.debian.org.yaml
@@ -1,3 +1,3 @@
 ---
 classes:
- - roles::snapshot_base
+ - roles::snapshot_farmsync_target
diff --git a/data/nodes/lw03.debian.org.yaml b/data/nodes/lw03.debian.org.yaml
index 137033653..2a3edab1c 100644
--- a/data/nodes/lw03.debian.org.yaml
+++ b/data/nodes/lw03.debian.org.yaml
@@ -1,3 +1,3 @@
 ---
 classes:
- - roles::snapshot_base
+ - roles::snapshot_farmsync_target
diff --git a/data/nodes/lw04.debian.org.yaml b/data/nodes/lw04.debian.org.yaml
index 137033653..2a3edab1c 100644
--- a/data/nodes/lw04.debian.org.yaml
+++ b/data/nodes/lw04.debian.org.yaml
@@ -1,3 +1,3 @@
 ---
 classes:
- - roles::snapshot_base
+ - roles::snapshot_farmsync_target
diff --git a/data/nodes/lw09.debian.org.yaml b/data/nodes/lw09.debian.org.yaml
index 137033653..2a3edab1c 100644
--- a/data/nodes/lw09.debian.org.yaml
+++ b/data/nodes/lw09.debian.org.yaml
@@ -1,3 +1,3 @@
 ---
 classes:
- - roles::snapshot_base
+ - roles::snapshot_farmsync_target
diff --git a/data/nodes/lw10.debian.org.yaml b/data/nodes/lw10.debian.org.yaml
index 137033653..2a3edab1c 100644
--- a/data/nodes/lw10.debian.org.yaml
+++ b/data/nodes/lw10.debian.org.yaml
@@ -1,3 +1,3 @@
 ---
 classes:
- - roles::snapshot_base
+ - roles::snapshot_farmsync_target
diff --git a/data/nodes/sallinen.debian.org.yaml b/data/nodes/sallinen.debian.org.yaml index 1244b0c76..96aadc5eb 100644 --- a/data/nodes/sallinen.debian.org.yaml +++ b/data/nodes/sallinen.debian.org.yaml @@ -1,3 +1,4 @@ --- classes: + - roles::snapshot_master - roles::snapshot_web diff --git a/modules/roles/manifests/snapshot_base.pp b/modules/roles/manifests/snapshot_base.pp index 49aa0f784..cb0bc4b88 100644 --- a/modules/roles/manifests/snapshot_base.pp +++ b/modules/roles/manifests/snapshot_base.pp @@ -1,3 +1,4 @@ +# just a base class for snapshot things class roles::snapshot_base { ensure_packages ( [ 'build-essential', diff --git a/modules/roles/manifests/snapshot_farmsync_target.pp b/modules/roles/manifests/snapshot_farmsync_target.pp new file mode 100644 index 000000000..ad153c60f --- /dev/null +++ b/modules/roles/manifests/snapshot_farmsync_target.pp @@ -0,0 +1,9 @@ +# snapshot farm sync target +class roles::snapshot_farmsync_target { + include roles::snapshot_secondary + + ssh::authorized_key_collect { 'snapshot': + target_user => 'snapshot', + collect_tag => 'roles::snapshot_master::to::farmsync_target', + } +} diff --git a/modules/roles/manifests/snapshot_master.pp b/modules/roles/manifests/snapshot_master.pp new file mode 100644 index 000000000..eeb74f7d9 --- /dev/null +++ b/modules/roles/manifests/snapshot_master.pp @@ -0,0 +1,17 @@ +# snapshot master +class roles::snapshot_master { + include roles::snapshot_base + + ssh::keygen {'snapshot': } + ssh::authorized_key_add { 'roles::snapshot_master::to::farmsync_target': + target_user => 'snapshot', + key => dig($facts, 'ssh_keys_users', 'snapshot', 'id_rsa.pub', 'line'), + command => '~/bin/run-sync', + collect_tag => 'roles::snapshot::to::farmsync_target', + } + + ssh::authorized_key_collect { 'snapshot': + target_user => 'snapshot', + collect_tag => 'roles::snapshot::to::master', + } +} 
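Review bot: With `roles::snapshot_master` added beside `roles::snapshot_web`, sallinen ends up with `ssh::keygen {'snapshot': }` declared twice: once in snapshot_master.pp and once through snapshot_web.pp, which this commit switches to `include roles::snapshot_secondary`. Puppet does not allow two resources of the same type and title in one catalog, so compilation for this node would be expected to fail with a duplicate declaration. Declaring the keygen once in a class that both roles include, and dropping `ssh::keygen {'snapshot': }` from snapshot_master.pp and snapshot_secondary.pp, would avoid that. If roles::snapshot_base is used for this, note that shell hosts would then also generate a key they never export.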
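Review bot: The `collect_tag` in roles::snapshot_farmsync_target, `'roles::snapshot_master::to::farmsync_target'`, is not the tag the master exports under; snapshot_master.pp uses that string as the resource title and sets `collect_tag => 'roles::snapshot::to::farmsync_target'`. If ssh::authorized_key_collect selects by tag, as the matching `'roles::snapshot::to::master'` pair in this commit suggests, the master's key is never collected on the sync targets and the push to them fails at authentication. The collecting side should read `collect_tag => 'roles::snapshot::to::farmsync_target',`.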
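Review bot: The `key` passed to ssh::authorized_key_add in roles::snapshot_master, `dig($facts, 'ssh_keys_users', 'snapshot', 'id_rsa.pub', 'line')`, evaluates to undef on a node's first run, because the fact can only exist after `ssh::keygen` has created the key and a later run has reported it; snapshot_secondary.pp uses the same expression. The hunk does not show how the define treats an undef key, so it is worth confirming that it skips the export rather than producing an authorized_keys entry with a forced command and no key material. A comment above the resource would record the two-run bootstrap, e.g. `# key is undef until the ssh_keys_users fact exists (second agent run)`.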
diff --git a/modules/roles/manifests/snapshot_secondary.pp b/modules/roles/manifests/snapshot_secondary.pp new file mode 100644 index 000000000..f4ef77da0 --- /dev/null +++ b/modules/roles/manifests/snapshot_secondary.pp @@ -0,0 +1,16 @@ +# snapshot secondary +# +# That is any node that requires ssh access to the master, +# like sync targets or web mirrors. +class roles::snapshot_secondary { + include roles::snapshot_base + + ssh::keygen {'snapshot': } + + ssh::authorized_key_add { "roles::snapshot_master::from::farmsync_target::${::fqdn}": + target_user => 'snapshot', + key => dig($facts, 'ssh_keys_users', 'snapshot', 'id_rsa.pub', 'line'), + command => '~/code/mirror/ssh-wrap master', + collect_tag => 'roles::snapshot::to::master', + } +} diff --git a/modules/roles/manifests/snapshot_shell.pp b/modules/roles/manifests/snapshot_shell.pp index 20152136d..4ffc08a3b 100644 --- a/modules/roles/manifests/snapshot_shell.pp +++ b/modules/roles/manifests/snapshot_shell.pp @@ -1,3 +1,4 @@ +# the shell host for users/roles to access the snapshot service class roles::snapshot_shell { include roles::snapshot_base diff --git a/modules/roles/manifests/snapshot_web.pp b/modules/roles/manifests/snapshot_web.pp index b8b5408be..cee2b9466 100644 --- a/modules/roles/manifests/snapshot_web.pp +++ b/modules/roles/manifests/snapshot_web.pp @@ -1,5 +1,7 @@ +# web service for snapshot.debian.org +# class roles::snapshot_web { - include roles::snapshot_base + include roles::snapshot_secondary include apache2 include apache2::rewrite
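Review bot: The forced command `~/code/mirror/ssh-wrap master` in roles::snapshot_secondary resolves inside the snapshot account's own home directory on the master, so it confines the exported keys only as long as nothing reachable through that wrapper can write to `~/code/mirror`; the same applies to `~/bin/run-sync` in snapshot_master.pp. Every secondary, including the web mirrors that now include this class, is accepted under this one command, so the wrapper is the whole trust boundary between those hosts and the master. I would add a comment above the resource such as `# forced command is the only restriction on these keys; keep ssh-wrap non-writable by the sessions it serves`. It is also worth confirming, since it is not visible in this hunk, that ssh::authorized_key_add emits `restrict` and a `from=` limit for the exporting host.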