From 4d08363a3afd346e5715e4c411e4c939025ae966 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Mon, 9 Apr 2018 17:40:29 +0300
Subject: Add: role for setting up a host with an APT repository

---
roles/apt_repository/files/process-incoming | 6 +
roles/apt_repository/handlers/main.yml | 4 +
roles/apt_repository/tasks/main.yml | 136 +++++++++++++++++++++++
roles/apt_repository/templates/apache-http.conf | 18 +++
roles/apt_repository/templates/apache-https.conf | 26 +++++
roles/apt_repository/templates/apache.conf | 118 ++++++++++++++++++++
roles/apt_repository/templates/distributions.j2 | 12 ++
roles/apt_repository/templates/incoming | 4 +
roles/apt_repository/templates/uploaders | 1 +
9 files changed, 325 insertions(+)
create mode 100644 roles/apt_repository/files/process-incoming
create mode 100644 roles/apt_repository/handlers/main.yml
create mode 100644 roles/apt_repository/tasks/main.yml
create mode 100644 roles/apt_repository/templates/apache-http.conf
create mode 100644 roles/apt_repository/templates/apache-https.conf
create mode 100644 roles/apt_repository/templates/apache.conf
create mode 100644 roles/apt_repository/templates/distributions.j2
create mode 100644 roles/apt_repository/templates/incoming
create mode 100644 roles/apt_repository/templates/uploaders
(limited to 'roles')

diff --git a/roles/apt_repository/files/process-incoming b/roles/apt_repository/files/process-incoming
new file mode 100644
index 0000000..1ae7ff7
--- /dev/null
+++ b/roles/apt_repository/files/process-incoming
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# sleep for a few seconds so that dput has time to chmod the uploaded
+# file.
+sleep 3
+reprepro -b /srv/apt processincoming default
diff --git a/roles/apt_repository/handlers/main.yml b/roles/apt_repository/handlers/main.yml
new file mode 100644
index 0000000..6edd3d3
--- /dev/null
+++ b/roles/apt_repository/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart apache2
+ service:
+ name: apache2
+ state: restarted
\ No newline at end of file
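Review bot: The `sleep 3` before `reprepro -b /srv/apt processincoming default` is a timing guess standing in for synchronisation, so an upload whose chmod takes longer than three seconds, or a second `.changes` that closes while the first reprepro run is still going, is not handled deterministically; as I recall, reprepro refuses to start while its `db/` lock is held, so the second event is simply lost until something else triggers the script. Serialising the runs with a lock keeps the retry behaviour simple: `exec flock /srv/apt/process-incoming.lock reprepro -b /srv/apt processincoming default`. Given that incron fires this for anything written into `/srv/apt/incoming`, it is also worth making the script log what it was invoked for (for example `logger -t process-incoming "processing incoming queue"`) so rejected or unexpected uploads leave a trace.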
diff --git a/roles/apt_repository/tasks/main.yml b/roles/apt_repository/tasks/main.yml
new file mode 100644
index 0000000..c3c7760
--- /dev/null
+++ b/roles/apt_repository/tasks/main.yml
@@ -0,0 +1,136 @@
+- name: create Unix users for repository, uploaders
+ user:
+ name: "{{ item.username }}"
+ shell: /bin/false
+ with_items:
+ - username: apt
+ - username: incoming
+
+- name: install uploader ssh keys into incoming authorized_keys
+ authorized_key:
+ user: incoming
+ key: "{{ item }}"
+ with_items:
+ - "{{ apt_uploader_ssh_public_keys }}"
+
+- name: install reprepro and related stuff
+ apt:
+ name: "{{ item }}"
+ with_items:
+ - reprepro
+ - incron
+ - apache2
+
+- name: install apache tls module
+ apache2_module:
+ name: ssl
+
+- name: create APT repository directory
+ file:
+ state: directory
+ dest: /srv/apt
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: configure apache to server repo over http
+ template:
+ src: "{{ item.src }}"
+ dest: "/etc/apache2/sites-available/{{ item.dest }}"
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart apache2
+ with_items:
+ - src: apache-http.conf
+ dest: 000-default.conf
+
+- name: mkdir /src/apt/conf
+ file:
+ path: /srv/apt/conf
+ state: directory
+
+- name: create conf/distributions
+ template:
+ src: distributions.j2
+ dest: /srv/apt/conf/distributions
+
+- name: create conf/uploaders
+ template:
+ src: uploaders
+ dest: /srv/apt/conf/uploaders
+
+- name: create conf/incoming
+ template:
+ src: incoming
+ dest: /srv/apt/conf/incoming
+
+- name: create incoming directory
+ file:
+ state: directory
+ dest: /srv/apt/incoming
+ owner: apt
+ group: incoming
+ mode: 01777
+
+- name: create temp directory
+ file:
+ state: directory
+ dest: /srv/apt/tmp
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: create .gnupg for apt user
+ file:
+ state: directory
+ dest: /home/apt/.gnupg
+ owner: apt
+ group: apt
+ mode: 0700
+
+- name: copy over gpg keys to apt
+ copy:
+ content: "{{ item.content }}"
+ dest: "/home/apt/{{ item.name }}"
+ owner: apt
+ group: apt
+ mode: 0600
+ with_items:
+ - content: "{{ apt_signing_key }}"
+ name: key
+ - content: "{{ apt_signing_key_pub }}"
+ name: key.pub
+
+- name: import gpg keys for apt
+ become_user: apt
+ shell: |
+ gpg --import key key.pub
+
+- name: delete temp key copies
+ file:
+ dest: "/home/apt/{{ item }}"
+ state: absent
+ with_items:
+ - key
+ - key.pub
+
+- name: allow aptuser use incron
+ lineinfile:
+ dest: /etc/incron.allow
+ line: apt
+
+- name: create process-incoming script
+ copy:
+ src: process-incoming
+ dest: /srv/apt/process-incoming
+ owner: apt
+ group: apt
+ mode: 0755
+
+- name: set up incrontab for processing incoming uploads
+ shell: |
+ incrontab - << EOF
+ /srv/apt/incoming IN_CLOSE_WRITE /srv/apt/process-incoming
+ EOF
+ become_user: apt
diff --git a/roles/apt_repository/templates/apache-http.conf b/roles/apt_repository/templates/apache-http.conf
new file mode 100644
index 0000000..bb2eb2e
--- /dev/null
+++ b/roles/apt_repository/templates/apache-http.conf
@@ -0,0 +1,18 @@
+
+ ServerAdmin {{ apt_admin_email }}
+
+ DocumentRoot /srv/http
+ Alias "/debian" "/srv/apt"
+
+
+ Require all granted
+
+
+
+ Options +Indexes
+ Require all granted
+
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
diff --git a/roles/apt_repository/templates/apache-https.conf b/roles/apt_repository/templates/apache-https.conf
new file mode 100644
index 0000000..dd0b490
--- /dev/null
+++ b/roles/apt_repository/templates/apache-https.conf
@@ -0,0 +1,26 @@
+
+ ServerAdmin {{ apt_admin_email }}
+
+ ServerName {{ letsencrypt_domain }}
+
+ DocumentRoot /srv/http
+ Alias "/debian" "/srv/apt"
+
+
+ Require all granted
+
+
+
+ Options +Indexes
+ Require all granted
+
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine on
+
+ SSLCertificateFile /etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem
+
+
diff --git a/roles/apt_repository/templates/apache.conf b/roles/apt_repository/templates/apache.conf
new file mode 100644
index 0000000..ec3c3c3
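Review bot: `/srv/apt/incoming` is created with `mode: 01777`, so every local account on the host (on Debian that includes the `www-data` user Apache runs as) can drop a `.changes` file there and have incron feed it to reprepro as the `apt` user; with the `uploaders` template in this commit accepting anything unsigned, write access to that directory is the only upload check there is. Since the `incoming` user uploads with its own primary group (`incoming` by default on Debian), `mode: "1770"` together with the existing `group: incoming` keeps dput working while closing the directory to everyone else, and the `apt` owner can still clean it. The `import gpg keys for apt` task runs `gpg --import key key.pub` with no `args: chdir: /home/apt`, so it depends on the shell's working directory happening to be the apt user's home where the `copy` task put the files; make that explicit. Also note that `install apache tls module` enables mod_ssl but only `apache-http.conf` is ever templated into `sites-available`, so this role serves the repository over plain HTTP only, and the `apache-https.conf` and `apache.conf` templates added in the same commit are not referenced from any task.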
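Review bot: `Alias "/debian" "/srv/apt"` publishes the whole reprepro base directory rather than just `dists/` and `pool/`, so `conf/` (including `uploaders` and `distributions`), `db/`, `incoming/`, `tmp/` and the `process-incoming` script are all reachable over HTTP, and with `Options +Indexes` they are listed. Aliasing only the public trees limits the exposed surface: `Alias "/debian/dists" "/srv/apt/dists"` and `Alias "/debian/pool" "/srv/apt/pool"`, with the `Directory` stanzas narrowed to match. The container directives (`VirtualHost`, `Directory`) appear to have been stripped from this rendering of the patch, so which path the `+Indexes` line applies to cannot be confirmed here. The same Alias appears in the `apache-https.conf` and `apache.conf` templates in this commit.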
--- /dev/null
+++ b/roles/apt_repository/templates/apache.conf
@@ -0,0 +1,118 @@ + + ServerAdmin {{ apt_admin_email }} + ServerName {{ apt_domain }} + + DocumentRoot /srv/http + Alias "/debian" "/srv/apt" + + + Require all granted + + + + Options +Indexes + Require all granted + + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # SSLEngine on + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + # SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded CA certificates which form the + # certificate chain for the server certificate. Alternatively + # the referenced file can be the same as SSLCertificateFile + # when the CA certificates are directly appended to the server + # certificate for convinience. + #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/ssl/certs/ + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. 
Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl/ + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + + # SSL Engine Options: + # Set various options for the SSL engine. + # o FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that + # the standard Auth/DBMAuth methods can be used for access control. The + # user name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + # o ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the + # server (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates + # into CGI scripts. + # o StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the + # exportation for CGI and SSI requests only. + # o OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + # + # SSLOptions +StdEnvVars + # + # + # SSLOptions +StdEnvVars + # + + # SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait for + # the close notify alert from client. When you need a different shutdown + # approach you can use one of the following variables: + # o ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. 
no
+ # SSL close notify alert is send or allowed to received. This violates
+ # the SSL/TLS standard but is needed for some brain-dead browsers. Use
+ # this when you receive I/O errors because of the standard approach where
+ # mod_ssl sends the close notify alert.
+ # o ssl-accurate-shutdown:
+ # This forces an accurate shutdown when the connection is closed, i.e. a
+ # SSL close notify alert is send and mod_ssl waits for the close notify
+ # alert of the client. This is 100% SSL/TLS standard compliant, but in
+ # practice often causes hanging connections with brain-dead browsers. Use
+ # this only for browsers where you know that their SSL implementation
+ # works correctly.
+ # Notice: Most problems of broken clients are also related to the HTTP
+ # keep-alive facility, so you usually additionally want to disable
+ # keep-alive for those clients, too. Use variable "nokeepalive" for this.
+ # Similarly, one has to force some clients to use HTTP/1.0 to workaround
+ # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+ # "force-response-1.0" for this.
+ # BrowserMatch "MSIE [2-6]" \
+ # nokeepalive ssl-unclean-shutdown \
+ # downgrade-1.0 force-response-1.0
+
+
diff --git a/roles/apt_repository/templates/distributions.j2 b/roles/apt_repository/templates/distributions.j2
new file mode 100644
index 0000000..ab3f861
--- /dev/null
+++ b/roles/apt_repository/templates/distributions.j2
@@ -0,0 +1,12 @@
+{% for dist in apt_distributions %}
+
+Codename: {{ dist.codename }}
+Suite: {{ dist.codename }}
+Origin: {{ apt_domain }}
+Description: {{ dist.description }}
+Architectures: source {{ dist.architectures|default('amd64') }}
+Components: {{ dist.components|default('main') }}
+Uploaders: uploaders
+Tracking: keep
+SignWith: {{ apt_signing_key_fingerprint }}
+{% endfor %}
diff --git a/roles/apt_repository/templates/incoming b/roles/apt_repository/templates/incoming
new file mode 100644
index 0000000..75ad722
--- /dev/null
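Review bot: `apache.conf` is not referenced by any task in this commit (only `apache-http.conf` is templated into `sites-available`), and apart from the `ServerAdmin`, `ServerName {{ apt_domain }}` and `Alias` lines it looks like the stock Debian `default-ssl.conf` commentary (the snakeoil and `README.Debian.gz` remarks give it away) with `# SSLEngine on` left commented out, so even if it were deployed it would serve the same plain-HTTP site as `apache-http.conf`. Either drop the file or trim it to the directives actually intended (`ServerName`, `SSLEngine`, the certificate paths) so a reader does not have to scan roughly a hundred lines of mod_ssl boilerplate to discover that TLS is not enabled. If it is meant as the eventual TLS site, a one-line comment at the top saying so, for example `# not yet deployed: TLS site for {{ apt_domain }}, see apache-https.conf`, would make the intent clear.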
+++ b/roles/apt_repository/templates/incoming
@@ -0,0 +1,4 @@
+Name: default
+IncomingDir: incoming
+TempDir: tmp
+Allow: {% for dist in apt_distributions %} {{ dist.codename }} {% endfor %}
diff --git a/roles/apt_repository/templates/uploaders b/roles/apt_repository/templates/uploaders
new file mode 100644
index 0000000..0891e6d
--- /dev/null
+++ b/roles/apt_repository/templates/uploaders
@@ -0,0 +1 @@
+allow * by unsigned
-- cgit v1.2.1
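Review bot: `conf/incoming` has no `Cleanup:` line, so a `.changes` that reprepro rejects or fails on (with unsigned uploads allowed these will mostly be malformed or wrong-distribution files) and the files it references stay in `incoming/` and `tmp/`, where, as I read `processincoming`, every later IN_CLOSE_WRITE event re-examines them. `Cleanup: on_deny on_error unused_files` is the usual setting for an unattended incoming queue and keeps the world-writable directory from accumulating junk. `Permit:` is absent so reprepro's defaults apply, which is fine for this setup.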
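Review bot: `allow * by unsigned` accepts any `.changes` file whether or not it carries a signature, so the only thing authenticating an upload is write access to `/srv/apt/incoming`, and the tasks hunk in this commit makes that directory world-writable. Uploads produced with the usual debsign/dput flow are already signed, so `allow * by key <uploader fingerprint>` (one line per uploader; `<uploader fingerprint>` is a placeholder) or `allow * by any key` ties each upload to a known identity at no cost to the uploaders. That requires the uploader public keys to be imported into `/home/apt/.gnupg` alongside the signing key, which the role already creates, so an extra loop over an `apt_uploader_gpg_public_keys`-style variable would cover it.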