-rw-r--r--ansible/aptrepo.yml44
-rw-r--r--ansible/roles/apt-repository/files/process-incoming12
-rw-r--r--ansible/roles/apt-repository/handlers/main.yml4
-rw-r--r--ansible/roles/apt-repository/tasks/main.yml124
-rw-r--r--ansible/roles/apt-repository/templates/000-default.conf18
-rw-r--r--ansible/roles/apt-repository/templates/distributions.j212
-rw-r--r--ansible/roles/apt-repository/templates/incoming.j25
-rw-r--r--ansible/roles/apt-repository/templates/uploaders.j21
8 files changed, 220 insertions, 0 deletions
diff --git a/ansible/aptrepo.yml b/ansible/aptrepo.yml
new file mode 100644
index 0000000..c671752
--- /dev/null
+++ b/ansible/aptrepo.yml
@@ -0,0 +1,44 @@
+- hosts: aptrepo
+ remote_user: debian
+ become: yes
+ roles:
+ - role: sane_debian_system
+ - role: sshd
+ - role: unix_users
+ - role: apt-repository
+ vars:
+ ansible_python_interpreter: python3
+
+ sane_debian_system_version: 2
+ sane_debian_system_hostname: "{{ inventory_hostname }}"
+ sane_debian_system_codename: bookworm
+
+ timezone: Europe/Helsinki
+
+ unix_users_version: 2
+ unix_users:
+ - username: apt
+ comment: Owner of APT repository
+ - username: incoming
+ comment: APT incoming packages
+ authorized_keys: |
+ {{ apt_uploader_ssh_pub_keys }}
+ - username: liw
+ comment: Lars Wirzenius
+ sudo: yes
+
+ sshd_version: 1
+
+ apt_uploader_ssh_pub_keys: |
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP
+ apt_admin_email: liw@liw.fi
+ apt_domain: aptrepo
+ apt_distributions:
+ - codename: unstable
+ description: Release packages for unstable
+ - codename: unstable-ci
+ description: CI builds for unstable
+ apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}"
+ apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}"
+ apt_signing_key_fingerprint: |
+ {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --show-keys --with-colons | grep "^fpr:" | cut -d: -f10') }}
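Review bot: `apt_signing_key_fingerprint` is defined as a `|` block scalar, so the value ends with a newline, and the `grep "^fpr:"` pipeline prints one line per fingerprint, so a key that has subkeys yields several; the value is interpolated verbatim into `SignWith:` in `templates/distributions.j2` in this same commit. Defining it as a single quoted expression whose pipe ends in `| head -n1`, e.g. `apt_signing_key_fingerprint: "{{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --show-keys --with-colons | grep \"^fpr:\" | head -n1 | cut -d: -f10') }}"`, pins exactly one fingerprint with no trailing newline (or keep the block scalar and use `| trim` at the use site). `become: yes` and `sudo: yes` are YAML 1.1 truthy spellings; write `become: true` and `sudo: true` (the latter is consumed by the `unix_users` role, which presumably expects a boolean — confirm). Since the `pipe` lookups run `pass show` on the controller at play start, the private signing key sits in play vars for the whole run; a short comment saying that the variable is secret and must not be dumped or logged would help the next editor.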
diff --git a/ansible/roles/apt-repository/files/process-incoming b/ansible/roles/apt-repository/files/process-incoming
new file mode 100644
index 0000000..d18b151
--- /dev/null
+++ b/ansible/roles/apt-repository/files/process-incoming
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+(
+ # sleep for a few seconds so that dput has time to chmod the uploaded
+ # file.
+ sleep 10
+ date
+ echo "Processing incoming"
+ reprepro -v -b /srv/apt processincoming default
+ reprepro -v -b /srv/apt export
+ echo "Finished processing incoming"
+) 2>&1 >>/srv/apt/reprepro.log
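Review bot: The redirection on the last line, `) 2>&1 >>/srv/apt/reprepro.log`, is in the wrong order: `2>&1` duplicates stderr onto the stdout in effect at that moment (incron's, normally discarded) before stdout is sent to the log, so reprepro's error output never reaches `reprepro.log`. Swap the two: `) >>/srv/apt/reprepro.log 2>&1`. With incron firing the script once per closed file, several instances can run after the `sleep 10`; reprepro's own database lock should make overlapping runs fail rather than corrupt the repository, but with the current redirection that failure is exactly what gets lost, and `Finished processing incoming` is logged regardless of whether `processincoming` succeeded. Consider `set -eu` after the shebang, or checking the exit status of the two `reprepro` calls before logging completion.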
diff --git a/ansible/roles/apt-repository/handlers/main.yml b/ansible/roles/apt-repository/handlers/main.yml
new file mode 100644
index 0000000..a7ec2ee
--- /dev/null
+++ b/ansible/roles/apt-repository/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart apache2
+ service:
+ name: apache2
+ state: restarted
diff --git a/ansible/roles/apt-repository/tasks/main.yml b/ansible/roles/apt-repository/tasks/main.yml
new file mode 100644
index 0000000..d9c2ac2
--- /dev/null
+++ b/ansible/roles/apt-repository/tasks/main.yml
@@ -0,0 +1,124 @@
+- name: "install software needed for APT repository management"
+ apt:
+ name:
+ - apache2
+ - incron
+ - reprepro
+
+- name: "create root directory for APT repository"
+ file:
+ state: directory
+ path: /srv/apt
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: "create incoming directory for APT repository"
+ file:
+ state: directory
+ path: /srv/apt/incoming
+ owner: apt
+ group: incoming
+ mode: 0775
+
+- name: "create .gnupg for apt user"
+ file:
+ state: directory
+ dest: /home/apt/.gnupg
+ owner: apt
+ group: apt
+ mode: 0700
+
+- name: "install temporary copies of gpg keys for repository signing"
+ copy:
+ content: "{{ item.content }}"
+ dest: "/home/apt/{{ item.name }}"
+ owner: apt
+ group: apt
+ mode: 0600
+ with_items:
+ - content: "{{ apt_signing_key }}"
+ name: key
+ - content: "{{ apt_signing_key_pub }}"
+ name: key.pub
+
+- name: "import gpg keys for apt"
+ shell: |
+ cd /home/apt
+ sudo -u apt gpg --import key key.pub
+
+- name: "delete temporary copies of keys"
+ file:
+ dest: "/home/apt/{{ item }}"
+ state: absent
+ with_items:
+ - key
+ - key.pub
+
+- name: "allow apt user to use incron"
+ lineinfile:
+ dest: /etc/incron.allow
+ line: apt
+
+- name: "crate reprepro configuration directory"
+ file:
+ path: /srv/apt/conf
+ state: directory
+
+- name: "create reprepro temp directory"
+ file:
+ state: directory
+ dest: /srv/apt/tmp
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: "configure reprepro distributions"
+ template:
+ src: distributions.j2
+ dest: /srv/apt/conf/distributions
+
+- name: "configure reprepro uploaders"
+ template:
+ src: uploaders.j2
+ dest: /srv/apt/conf/uploaders
+
+- name: "configure reprepro incoming"
+ template:
+ src: incoming.j2
+ dest: /srv/apt/conf/incoming
+ owner: apt
+ group: incoming
+ mode: 01777
+
+- name: "create web root directory"
+ file:
+ state: directory
+ path: /srv/http
+
+- name: "configure apache to server APT repository over http"
+ template:
+ src: 000-default.conf
+ dest: /etc/apache2/sites-enabled/000-default.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart apache2
+
+- name: "install script to process uploads to APT"
+ copy:
+ src: process-incoming
+ dest: /srv/apt/process-incoming
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: "create incrontab for apt"
+ copy:
+ content: |
+ /srv/apt/incoming IN_CLOSE_WRITE /srv/apt/process-incoming
+ dest: /srv/apt/incrontab
+
+# - name: "set up incrontab for processing incoming uploads"
+# shell: |
+# sudo -u apt incrontab /srv/apt/incrontab
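Review bot: `mode: 01777` in the `configure reprepro incoming` task makes a reprepro configuration file world-writable (the sticky bit has no meaning on a regular file), and since `conf/incoming` decides what gets accepted into the repository it should be `mode: "0644"` with `owner: apt`, not writable by group `incoming`. The other octal modes in this hunk (`0755`, `0775`, `0700`, `0600`) should be quoted strings too; an unquoted leading-zero literal is octal under YAML 1.1 but decimal for other loaders, and Ansible warns about it. The `install temporary copies of gpg keys` task copies the private signing key with `content:`, which is shown in diff/verbose output; add `no_log: true` to that task. The final `set up incrontab` step is commented out, so the `/srv/apt/incrontab` written by the previous task is apparently never loaded and nothing triggers `process-incoming`; if that is intentional, a comment saying why would prevent it being read as an oversight. Task names `crate reprepro configuration directory` and `configure apache to server APT repository over http` have typos (`create`, `serve`).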
diff --git a/ansible/roles/apt-repository/templates/000-default.conf b/ansible/roles/apt-repository/templates/000-default.conf
new file mode 100644
index 0000000..b62e1fd
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/000-default.conf
@@ -0,0 +1,18 @@
+<VirtualHost _default_>
+ ServerAdmin {{ apt_admin_email }}
+
+ DocumentRoot /srv/http
+ Alias "/debian" "/srv/apt"
+
+ <Directory /srv/http>
+ Require all granted
+ </Directory>
+
+ <Directory /srv/apt>
+ Options +Indexes
+ Require all granted
+ </Directory>
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>
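Review bot: `Alias "/debian" "/srv/apt"` combined with `Options +Indexes` on `<Directory /srv/apt>` publishes the whole repository base directory rather than just the archive: `conf/` (including the `uploaders` and `incoming` policy files), `incoming/`, `tmp/`, `reprepro.log`, `incrontab` and reprepro's `db/` all become browsable over HTTP. Only `dists/` and `pool/` need to be reachable by APT clients, so alias those two paths individually and grant access to them alone, leaving the rest of `/srv/apt` unreachable by default.
```apache
    DocumentRoot /srv/http
    Alias "/debian/dists" "/srv/apt/dists"
    Alias "/debian/pool" "/srv/apt/pool"

    # … unchanged: <Directory /srv/http> block …

    <Directory "/srv/apt/dists">
        Options +Indexes
        Require all granted
    </Directory>

    <Directory "/srv/apt/pool">
        Options +Indexes
        Require all granted
    </Directory>
```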
diff --git a/ansible/roles/apt-repository/templates/distributions.j2 b/ansible/roles/apt-repository/templates/distributions.j2
new file mode 100644
index 0000000..ab3f861
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/distributions.j2
@@ -0,0 +1,12 @@
+{% for dist in apt_distributions %}
+
+Codename: {{ dist.codename }}
+Suite: {{ dist.codename }}
+Origin: {{ apt_domain }}
+Description: {{ dist.description }}
+Architectures: source {{ dist.architectures|default('amd64') }}
+Components: {{ dist.components|default('main') }}
+Uploaders: uploaders
+Tracking: keep
+SignWith: {{ apt_signing_key_fingerprint }}
+{% endfor %}
diff --git a/ansible/roles/apt-repository/templates/incoming.j2 b/ansible/roles/apt-repository/templates/incoming.j2
new file mode 100644
index 0000000..548c44b
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/incoming.j2
@@ -0,0 +1,5 @@
+Name: default
+IncomingDir: incoming
+TempDir: tmp
+Cleanup: on_error
+Allow: {% for dist in apt_distributions %} {{ dist.codename }} {% endfor %}
diff --git a/ansible/roles/apt-repository/templates/uploaders.j2 b/ansible/roles/apt-repository/templates/uploaders.j2
new file mode 100644
index 0000000..0891e6d
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/uploaders.j2
@@ -0,0 +1 @@
+allow * by unsigned
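Review bot: `allow * by unsigned` accepts any `.changes` file without checking a signature, so the only control between an upload and the repository-signed `dists/` is write access to `/srv/apt/incoming`, which the tasks hunk creates as group `incoming` with mode `0775`. If the uploaders' OpenPGP keys are known, one `allow * by key <UPLOADER_KEY_FINGERPRINT>` line per uploader ties each accepted upload to an identity and gives reprepro's log an audit trail. If unsigned uploads are deliberate because authentication happens at the SSH layer, a comment in this template saying so would stop the line from being read as an oversight.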