Add: role for setting up a host with an APT repository

9 files changed, 325 insertions, 0 deletions

diff --git a/roles/apt_repository/files/process-incoming b/roles/apt_repository/files/process-incoming
new file mode 100644
index 0000000..1ae7ff7
--- /dev/null
+++ b/roles/apt_repository/files/process-incoming
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# sleep for a few seconds so that dput has time to chmod the uploaded
+# file.
+sleep 3
+reprepro -b /srv/apt processincoming default
diff --git a/roles/apt_repository/handlers/main.yml b/roles/apt_repository/handlers/main.yml
new file mode 100644
index 0000000..6edd3d3
--- /dev/null
+++ b/roles/apt_repository/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart apache2
+  service:
+    name: apache2
+    state: restarted
\ No newline at end of file
diff --git a/roles/apt_repository/tasks/main.yml b/roles/apt_repository/tasks/main.yml
new file mode 100644
index 0000000..c3c7760
--- /dev/null
+++ b/roles/apt_repository/tasks/main.yml
@@ -0,0 +1,136 @@
+- name: create Unix users for repository, uploaders
+  user:
+    name: "{{ item.username }}"
+    shell: /bin/false
+  with_items:
+    - username: apt
+    - username: incoming
+
+- name: install uploader ssh keys into incoming authorized_keys
+  authorized_key:
+    user: incoming
+    key: "{{ item }}"
+  with_items:
+    - "{{ apt_uploader_ssh_public_keys }}"
+
+- name: install reprepro and related stuff
+  apt:
+    name: "{{ item }}"
+  with_items:
+    - reprepro
+    - incron
+    - apache2
+
+- name: install apache tls module
+  apache2_module:
+    name: ssl
+
+- name: create APT repository directory
+  file:
+    state: directory
+    dest: /srv/apt
+    owner: apt
+    group: apt
+    mode: 0755
+
+- name: configure apache to server repo over http
+  template:
+    src: "{{ item.src }}"
+    dest: "/etc/apache2/sites-available/{{ item.dest }}"
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart apache2
+  with_items:
+    - src: apache-http.conf
+      dest: 000-default.conf
+
+- name: mkdir /src/apt/conf
+  file:
+    path: /srv/apt/conf
+    state: directory
+
+- name: create conf/distributions
+  template:
+    src: distributions.j2
+    dest: /srv/apt/conf/distributions
+
+- name: create conf/uploaders
+  template:
+    src: uploaders
+    dest: /srv/apt/conf/uploaders
+
+- name: create conf/incoming
+  template:
+    src: incoming
+    dest: /srv/apt/conf/incoming
+
+- name: create incoming directory
+  file:
+    state: directory
+    dest: /srv/apt/incoming
+    owner: apt
+    group: incoming
+    mode: 01777
+
+- name: create temp directory
+  file:
+    state: directory
+    dest: /srv/apt/tmp
+    owner: apt
+    group: apt
+    mode: 0755
+
+- name: create .gnupg for apt user
+  file:
+    state: directory
+    dest: /home/apt/.gnupg
+    owner: apt
+    group: apt
+    mode: 0700
+
+- name: copy over gpg keys to apt
+  copy:
+    content: "{{ item.content }}"
+    dest: "/home/apt/{{ item.name }}"
+    owner: apt
+    group: apt
+    mode: 0600
+  with_items:
+    - content: "{{ apt_signing_key }}"
+      name: key
+    - content: "{{ apt_signing_key_pub }}"
+      name: key.pub
+
+- name: import gpg keys for apt
+  become_user: apt
+  shell: |
+    gpg --import key key.pub
+
+- name: delete temp key copies
+  file:
+    dest: "/home/apt/{{ item }}"
+    state: absent
+  with_items:
+    - key
+    - key.pub
+
+- name: allow aptuser use incron
+  lineinfile:
+    dest: /etc/incron.allow
+    line: apt
+
+- name: create process-incoming script
+  copy:
+    src: process-incoming
+    dest: /srv/apt/process-incoming
+    owner: apt
+    group: apt
+    mode: 0755
+
+- name: set up incrontab for processing incoming uploads
+  shell: |
+    incrontab - << EOF
+    /srv/apt/incoming IN_CLOSE_WRITE /srv/apt/process-incoming
+    EOF
+  become_user: apt
diff --git a/roles/apt_repository/templates/apache-http.conf b/roles/apt_repository/templates/apache-http.conf
new file mode 100644
index 0000000..bb2eb2e
--- /dev/null
+++ b/roles/apt_repository/templates/apache-http.conf
@@ -0,0 +1,18 @@
+<VirtualHost _default_:80>
+        ServerAdmin {{ apt_admin_email }}
+
+        DocumentRoot /srv/http
+        Alias "/debian" "/srv/apt"
+
+        <Directory /srv/http>
+            Require all granted
+        </Directory>
+
+        <Directory /srv/apt>
+            Options +Indexes
+            Require all granted
+        </Directory>
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>
diff --git a/roles/apt_repository/templates/apache-https.conf b/roles/apt_repository/templates/apache-https.conf
new file mode 100644
index 0000000..dd0b490
--- /dev/null
+++ b/roles/apt_repository/templates/apache-https.conf
@@ -0,0 +1,26 @@
+<VirtualHost _default_:443>
+        ServerAdmin {{ apt_admin_email }}
+
+        ServerName {{ letsencrypt_domain }}
+
+        DocumentRoot /srv/http
+        Alias "/debian" "/srv/apt"
+
+        <Directory /srv/http>
+            Require all granted
+        </Directory>
+
+        <Directory /srv/apt>
+            Options +Indexes
+            Require all granted
+        </Directory>
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+        SSLEngine on
+
+        SSLCertificateFile    /etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem
+        SSLCertificateKeyFile /etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem
+
+</VirtualHost>
diff --git a/roles/apt_repository/templates/apache.conf b/roles/apt_repository/templates/apache.conf
new file mode 100644
index 0000000..ec3c3c3
--- /dev/null
+++ b/roles/apt_repository/templates/apache.conf
@@ -0,0 +1,118 @@
+<VirtualHost *:80>
+        ServerAdmin {{ apt_admin_email }}
+        ServerName {{ apt_domain }}
+
+        DocumentRoot /srv/http
+        Alias "/debian" "/srv/apt"
+
+        <Directory /srv/http>
+            Require all granted
+        </Directory>
+
+        <Directory /srv/apt>
+            Options +Indexes
+            Require all granted
+        </Directory>
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+        # SSLEngine on
+
+        #   A self-signed (snakeoil) certificate can be created by installing
+        #   the ssl-cert package. See
+        #   /usr/share/doc/apache2/README.Debian.gz for more info.
+        #   If both key and certificate are stored in the same file, only the
+        #   SSLCertificateFile directive is needed.
+        # SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
+        # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+        #   Server Certificate Chain:
+        #   Point SSLCertificateChainFile at a file containing the
+        #   concatenation of PEM encoded CA certificates which form the
+        #   certificate chain for the server certificate. Alternatively
+        #   the referenced file can be the same as SSLCertificateFile
+        #   when the CA certificates are directly appended to the server
+        #   certificate for convinience.
+        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+        #   Certificate Authority (CA):
+        #   Set the CA certificate verification path where to find CA
+        #   certificates for client authentication or alternatively one
+        #   huge file containing all of them (file must be PEM encoded)
+        #   Note: Inside SSLCACertificatePath you need hash symlinks
+        #                to point to the certificate files. Use the provided
+        #                Makefile to update the hash symlinks after changes.
+        #SSLCACertificatePath /etc/ssl/certs/
+        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+        #   Certificate Revocation Lists (CRL):
+        #   Set the CA revocation path where to find CA CRLs for client
+        #   authentication or alternatively one huge file containing all
+        #   of them (file must be PEM encoded)
+        #   Note: Inside SSLCARevocationPath you need hash symlinks
+        #                to point to the certificate files. Use the provided
+        #                Makefile to update the hash symlinks after changes.
+        #SSLCARevocationPath /etc/apache2/ssl.crl/
+        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+        #   SSL Engine Options:
+        #   Set various options for the SSL engine.
+        #   o FakeBasicAuth:
+        #        Translate the client X.509 into a Basic Authorisation.  This means that
+        #        the standard Auth/DBMAuth methods can be used for access control.  The
+        #        user name is the `one line' version of the client's X.509 certificate.
+        #        Note that no password is obtained from the user. Every entry in the user
+        #        file needs this password: `xxj31ZMTZzkVA'.
+        #   o ExportCertData:
+        #        This exports two additional environment variables: SSL_CLIENT_CERT and
+        #        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+        #        server (always existing) and the client (only existing when client
+        #        authentication is used). This can be used to import the certificates
+        #        into CGI scripts.
+        #   o StdEnvVars:
+        #        This exports the standard SSL/TLS related `SSL_*' environment variables.
+        #        Per default this exportation is switched off for performance reasons,
+        #        because the extraction step is an expensive operation and is usually
+        #        useless for serving static content. So one usually enables the
+        #        exportation for CGI and SSI requests only.
+        #   o OptRenegotiate:
+        #        This enables optimized SSL connection renegotiation handling when SSL
+        #        directives are used in per-directory context.
+        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+        # <FilesMatch "\.(cgi|shtml|phtml|php)$">
+        #                 SSLOptions +StdEnvVars
+        # </FilesMatch>
+        # <Directory /usr/lib/cgi-bin>
+        #                 SSLOptions +StdEnvVars
+        # </Directory>
+
+        #   SSL Protocol Adjustments:
+        #   The safe and default but still SSL/TLS standard compliant shutdown
+        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
+        #   the close notify alert from client. When you need a different shutdown
+        #   approach you can use one of the following variables:
+        #   o ssl-unclean-shutdown:
+        #        This forces an unclean shutdown when the connection is closed, i.e. no
+        #        SSL close notify alert is send or allowed to received.  This violates
+        #        the SSL/TLS standard but is needed for some brain-dead browsers. Use
+        #        this when you receive I/O errors because of the standard approach where
+        #        mod_ssl sends the close notify alert.
+        #   o ssl-accurate-shutdown:
+        #        This forces an accurate shutdown when the connection is closed, i.e. a
+        #        SSL close notify alert is send and mod_ssl waits for the close notify
+        #        alert of the client. This is 100% SSL/TLS standard compliant, but in
+        #        practice often causes hanging connections with brain-dead browsers. Use
+        #        this only for browsers where you know that their SSL implementation
+        #        works correctly.
+        #   Notice: Most problems of broken clients are also related to the HTTP
+        #   keep-alive facility, so you usually additionally want to disable
+        #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+        #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+        #   "force-response-1.0" for this.
+        # BrowserMatch "MSIE [2-6]" \
+        #               nokeepalive ssl-unclean-shutdown \
+        #               downgrade-1.0 force-response-1.0
+
+</VirtualHost>
diff --git a/roles/apt_repository/templates/distributions.j2 b/roles/apt_repository/templates/distributions.j2
new file mode 100644
index 0000000..ab3f861
--- /dev/null
+++ b/roles/apt_repository/templates/distributions.j2
@@ -0,0 +1,12 @@
+{% for dist in apt_distributions %}
+
+Codename: {{ dist.codename }}
+Suite: {{ dist.codename }}
+Origin: {{ apt_domain }}
+Description: {{ dist.description }}
+Architectures: source {{ dist.architectures|default('amd64') }}
+Components: {{ dist.components|default('main') }}
+Uploaders: uploaders
+Tracking: keep
+SignWith: {{ apt_signing_key_fingerprint }}
+{% endfor %}
diff --git a/roles/apt_repository/templates/incoming b/roles/apt_repository/templates/incoming
new file mode 100644
index 0000000..75ad722
--- /dev/null
+++ b/roles/apt_repository/templates/incoming
@@ -0,0 +1,4 @@
+Name: default
+IncomingDir: incoming
+TempDir: tmp
+Allow: {% for dist in apt_distributions %} {{ dist.codename }} {% endfor %}
diff --git a/roles/apt_repository/templates/uploaders b/roles/apt_repository/templates/uploaders
new file mode 100644
index 0000000..0891e6d
--- /dev/null
+++ b/roles/apt_repository/templates/uploaders
@@ -0,0 +1 @@
+allow * by unsigned