From 4e71b980e9e7576a533613658d69a886ee620741 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sun, 8 Oct 2023 18:51:58 +0300
Subject: apt-repository: role to set up an APT repository
Sponsored-by: author
---
.../roles/apt-repository/files/process-incoming | 12 ++
ansible/roles/apt-repository/handlers/main.yml | 4 +
ansible/roles/apt-repository/tasks/main.yml | 124 +++++++++++++++++++++
.../apt-repository/templates/000-default.conf | 18 +++
.../apt-repository/templates/distributions.j2 | 12 ++
ansible/roles/apt-repository/templates/incoming.j2 | 5 +
.../roles/apt-repository/templates/uploaders.j2 | 1 +
7 files changed, 176 insertions(+)
create mode 100644 ansible/roles/apt-repository/files/process-incoming
create mode 100644 ansible/roles/apt-repository/handlers/main.yml
create mode 100644 ansible/roles/apt-repository/tasks/main.yml
create mode 100644 ansible/roles/apt-repository/templates/000-default.conf
create mode 100644 ansible/roles/apt-repository/templates/distributions.j2
create mode 100644 ansible/roles/apt-repository/templates/incoming.j2
create mode 100644 ansible/roles/apt-repository/templates/uploaders.j2
(limited to 'ansible/roles')
diff --git a/ansible/roles/apt-repository/files/process-incoming b/ansible/roles/apt-repository/files/process-incoming
new file mode 100644
index 0000000..d18b151
--- /dev/null
+++ b/ansible/roles/apt-repository/files/process-incoming
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+ (
+ # sleep for a few seconds so that dput has time to chmod the uploaded
+ # file.
+ sleep 10
+ date
+ echo "Processing incoming"
+ reprepro -v -b /srv/apt processincoming default
+ reprepro -v -b /srv/apt export
+ echo "Finished processing incoming"
+) 2>&1 >>/srv/apt/reprepro.log
diff --git a/ansible/roles/apt-repository/handlers/main.yml b/ansible/roles/apt-repository/handlers/main.yml
new file mode 100644
index 0000000..a7ec2ee
--- /dev/null
+++ b/ansible/roles/apt-repository/handlers/main.yml
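Review bot: The redirection on the closing line, `) 2>&1 >>/srv/apt/reprepro.log`, is in the wrong order: stderr is duplicated onto the original stdout before stdout is pointed at the log, so only stdout reaches reprepro.log and anything reprepro prints on stderr goes wherever the caller's stdout happens to be. The intended form is `) >>/srv/apt/reprepro.log 2>&1`. The fixed `sleep 10` is only a guess at when dput has finished its chmod, which the comment should say outright, and a non-zero exit from either `reprepro` call is currently ignored, so consider `set -e` at the top of the subshell so a failed `processincoming` does not go on to `export` silently.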
@@ -0,0 +1,4 @@
+- name: restart apache2
+ service:
+ name: apache2
+ state: restarted
diff --git a/ansible/roles/apt-repository/tasks/main.yml b/ansible/roles/apt-repository/tasks/main.yml
new file mode 100644
index 0000000..d9c2ac2
--- /dev/null
+++ b/ansible/roles/apt-repository/tasks/main.yml
@@ -0,0 +1,124 @@
+- name: "install software needed for APT repository management"
+ apt:
+ name:
+ - apache2
+ - incron
+ - reprepro
+
+- name: "create root directory for APT repository"
+ file:
+ state: directory
+ path: /srv/apt
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: "create incoming directory for APT repository"
+ file:
+ state: directory
+ path: /srv/apt/incoming
+ owner: apt
+ group: incoming
+ mode: 0775
+
+- name: "create .gnupg for apt user"
+ file:
+ state: directory
+ dest: /home/apt/.gnupg
+ owner: apt
+ group: apt
+ mode: 0700
+
+- name: "install temporary copies of gpg keys for repository signing"
+ copy:
+ content: "{{ item.content }}"
+ dest: "/home/apt/{{ item.name }}"
+ owner: apt
+ group: apt
+ mode: 0600
+ with_items:
+ - content: "{{ apt_signing_key }}"
+ name: key
+ - content: "{{ apt_signing_key_pub }}"
+ name: key.pub
+
+- name: "import gpg keys for apt"
+ shell: |
+ cd /home/apt
+ sudo -u apt gpg --import key key.pub
+
+- name: "delete temporary copies of keys"
+ file:
+ dest: "/home/apt/{{ item }}"
+ state: absent
+ with_items:
+ - key
+ - key.pub
+
+- name: "allow apt user to use incron"
+ lineinfile:
+ dest: /etc/incron.allow
+ line: apt
+
+- name: "crate reprepro configuration directory"
+ file:
+ path: /srv/apt/conf
+ state: directory
+
+- name: "create reprepro temp directory"
+ file:
+ state: directory
+ dest: /srv/apt/tmp
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: "configure reprepro distributions"
+ template:
+ src: distributions.j2
+ dest: /srv/apt/conf/distributions
+
+- name: "configure reprepro uploaders"
+ template:
+ src: uploaders.j2
+ dest: /srv/apt/conf/uploaders
+
+- name: "configure reprepro incoming"
+ template:
+ src: incoming.j2
+ dest: /srv/apt/conf/incoming
+ owner: apt
+ group: incoming
+ mode: 01777
+
+- name: "create web root directory"
+ file:
+ state: directory
+ path: /srv/http
+
+- name: "configure apache to server APT repository over http"
+ template:
+ src: 000-default.conf
+ dest: /etc/apache2/sites-enabled/000-default.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart apache2
+
+- name: "install script to process uploads to APT"
+ copy:
+ src: process-incoming
+ dest: /srv/apt/process-incoming
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: "create incrontab for apt"
+ copy:
+ content: |
+ /srv/apt/incoming IN_CLOSE_WRITE /srv/apt/process-incoming
+ dest: /srv/apt/incrontab
+
+# - name: "set up incrontab for processing incoming uploads"
+# shell: |
+# sudo -u apt incrontab /srv/apt/incrontab
diff --git a/ansible/roles/apt-repository/templates/000-default.conf b/ansible/roles/apt-repository/templates/000-default.conf
new file mode 100644
index 0000000..b62e1fd
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/000-default.conf
@@ -0,0 +1,18 @@
+
+ ServerAdmin {{ apt_admin_email }}
+
+ DocumentRoot /srv/http
+ Alias "/debian" "/srv/apt"
+
+
+ Require all granted
+
+
+
+ Options +Indexes
+ Require all granted
+
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
diff --git a/ansible/roles/apt-repository/templates/distributions.j2 b/ansible/roles/apt-repository/templates/distributions.j2
new file mode 100644
index 0000000..ab3f861
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/distributions.j2
@@ -0,0 +1,12 @@
+{% for dist in apt_distributions %}
+
+Codename: {{ dist.codename }}
+Suite: {{ dist.codename }}
+Origin: {{ apt_domain }}
+Description: {{ dist.description }}
+Architectures: source {{ dist.architectures|default('amd64') }}
+Components: {{ dist.components|default('main') }}
+Uploaders: uploaders
+Tracking: keep
+SignWith: {{ apt_signing_key_fingerprint }}
+{% endfor %}
diff --git a/ansible/roles/apt-repository/templates/incoming.j2 b/ansible/roles/apt-repository/templates/incoming.j2
new file mode 100644
index 0000000..548c44b
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/incoming.j2
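Review bot: The task "configure reprepro incoming" installs `/srv/apt/conf/incoming` with `mode: 01777`, which makes a reprepro configuration file world-writable (the sticky bit does nothing on a regular file), so any local account can rewrite its `Allow:` list or `Cleanup:` policy; a configuration file belongs at `mode: 0644` with `owner: apt` and `group: apt` like the neighbouring files, and `/srv/apt/conf` itself is created with no owner or mode at all. The "import gpg keys for apt" task is a `shell:` step with no `creates:` or `changed_when:`, so it re-imports and reports changed on every run. The task names "crate reprepro configuration directory" and "configure apache to server APT repository" carry typos. Note also that the final task that would load the incrontab is commented out, so as committed the incrontab is copied to /srv/apt/incrontab but never installed and the process-incoming script is not triggered by uploads.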
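Review bot: `Alias "/debian" "/srv/apt"` publishes the whole reprepro base directory rather than only the exported repository: the `conf/`, `incoming/` and `tmp/` directories, `reprepro.log`, `incrontab` and the `process-incoming` script that this role places there all become readable over HTTP, and with `Options +Indexes` they are listed. Packages parked in `incoming/` are thus visible before reprepro has checked and accepted them. Serve only the exported trees, for instance with separate `Alias` lines for `/debian/dists` and `/debian/pool`, or keep the base directory out of the served path altogether. The `<Directory>` and `<VirtualHost>` directives that enclose the two `Require all granted` lines are not legible in the patch as shown, so this note covers only the lines that are.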
@@ -0,0 +1,5 @@
+Name: default
+IncomingDir: incoming
+TempDir: tmp
+Cleanup: on_error
+Allow: {% for dist in apt_distributions %} {{ dist.codename }} {% endfor %}
diff --git a/ansible/roles/apt-repository/templates/uploaders.j2 b/ansible/roles/apt-repository/templates/uploaders.j2
new file mode 100644
index 0000000..0891e6d
--- /dev/null
+++ b/ansible/roles/apt-repository/templates/uploaders.j2
@@ -0,0 +1 @@
+allow * by unsigned
-- cgit v1.2.1
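Review bot: `allow * by unsigned` tells reprepro to accept every upload into this repository without any signature check, so authorisation rests entirely on who can write to `/srv/apt/incoming` (group `incoming`, mode 0775), and whatever lands there is then published under the repository's signing key. That may be the intended trade-off for a single-tenant host, but nothing in the file says so; add a comment above the rule such as `# unsigned uploads are accepted on purpose: access control is the group permission on /srv/apt/incoming`, and document in the role which accounts are meant to be in group `incoming`. If uploaders do sign their changes files, `allow * by key` with their key ids limits acceptance to known keys.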