author | intrigeri <intrigeri@boum.org> | 2015-09-14 22:51:07 +0000 |
---|---|---|
committer | intrigeri <intrigeri@boum.org> | 2015-09-14 22:51:07 +0000 |
commit | cf4726e8452bf27498e15900cfde437314ecef67 (patch) | |
tree | ad179382d82d8f15174b2ebad1cd6f3c1c35bef7 | |
parent | 58cfaa32f9de6c38157b2680fbf59da400b8f940 (diff) | |
parent | 5f7232b420e02eaa38c14a7be75034d9b3cdd64b (diff) |
Merge remote-tracking branch 'shared/key' into shared-master (!17)
-rw-r--r-- | README | 41 | ||||
-rw-r--r-- | manifests/key.pp | 13 | ||||
-rw-r--r-- | manifests/key/plain.pp | 13 |
3 files changed, 67 insertions, 0 deletions
@@ -99,6 +99,7 @@ This module needs: - the lsb module: git://labs.riseup.net/shared-lsb - the common module: git://labs.riseup.net/shared-common +- the stdlib module: https://forge.puppetlabs.com/puppetlabs/stdlib By default, on normal hosts, this module sets the configuration option DSelect::Clean to 'auto'. On virtual servers, the value is set by default to @@ -478,6 +479,46 @@ Example: 'puppet:///modules/site_apt/company_internals.list' ], } +apt::key +-------- + +Deploys a secure apt OpenPGP key. This usually accompanies the +sources.list snippets above for third party repositories. For example, +you would do: + + apt::key { 'neurodebian.gpg': + ensure => present, + source => 'puppet:///modules/site_apt/neurodebian.gpg', + } + +This deploys the key in the `/etc/apt/trusted.gpg.d` directory, which +is assumed by secure apt to be binary OpenPGP keys and *not* +"ascii-armored" or "plain text" OpenPGP key material. For the latter, +use `apt::key::plain`. + +The `.gpg` extension is compulsory for `apt` to pickup the key properly. + +apt::key::plain +--------------- + +Deploys a secure apt OpenPGP key. This usually accompanies the +sources.list snippets above for third party repositories. For example, +you would do: + + apt::key::plain { 'neurodebian.asc': + source => 'puppet:///modules/site_apt/neurodebian.asc', + } + +This deploys the key in the `${apt_base_dir}/keys` directory (as +opposed to `$custom_key_dir` which deploys it in `keys.d`). The reason +this exists on top of `$custom_key_dir` is to allow a more +decentralised distribution of those keys, without having all modules +throw their keys in the same directory in the manifests. + +Note that this model does *not* currently allow keys to be removed! +Use `apt::key` instead for a more practical, revokable approach, but +that needs binary keys. + apt::upgrade_package -------------------- diff --git a/manifests/key.pp b/manifests/key.pp new file mode 100644 index 0000000..65b62e9 --- /dev/null 
+++ b/manifests/key.pp
@@ -0,0 +1,13 @@
+define apt::key ($source, $ensure = 'present') {
+ validate_re(
+ $name, '\.gpg$',
+ 'An apt::key resource name must have the .gpg extension',
+ )
+
+ file {
+ "/etc/apt/trusted.gpg.d/${name}":
+ ensure => $ensure,
+ source => $source,
+ notify => Exec['refresh_apt'],
+ }
+}
diff --git a/manifests/key/plain.pp b/manifests/key/plain.pp
new file mode 100644
index 0000000..e4a2f89
--- /dev/null
+++ b/manifests/key/plain.pp
@@ -0,0 +1,13 @@
+define apt::key::plain ($source) {
+ file {
+ "${apt::apt_base_dir}/keys/${name}":
+ source => $source;
+ "${apt::apt_base_dir}/keys":
+ ensure => directory;
+ }
+ exec { "apt-key add '${apt::apt_base_dir}/keys/${name}'":
+ subscribe => File["${apt::apt_base_dir}/keys/${name}"],
+ refreshonly => true,
+ notify => Exec['refresh_apt'],
+ }
+}
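Review bot: The `validate_re($name, '\.gpg$', ...)` check in `apt::key` only constrains the suffix of the resource title, yet `$name` is then interpolated straight into the managed path `/etc/apt/trusted.gpg.d/${name}`, so a title containing a directory separator still passes validation while the file lands outside `trusted.gpg.d`. Anchoring the pattern to a single path component closes this: `validate_re($name, '^[A-Za-z0-9_.-]+\.gpg$', 'An apt::key resource name must be a bare file name with the .gpg extension')`. The file resource also sets no `owner`, `group` or `mode`; secure apt only needs the keyring to be readable, so pinning `owner => root` and `mode => '0644'` avoids depending on the agent's umask. A one-line header comment in the manifest stating that this directory is read by secure apt as binary keyrings, as the README hunk explains, would help readers who only open the manifest.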
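Review bot: In `apt::key::plain`, `$name` and `$apt::apt_base_dir` are interpolated unchecked into the exec title `"apt-key add '${apt::apt_base_dir}/keys/${name}'"`, which is also the command that gets run; unlike the sibling `apt::key`, this define validates nothing, so a title containing a quote or a directory separator produces a different command or file location than intended. Adding `validate_re($name, '^[A-Za-z0-9_.-]+$', 'An apt::key::plain resource name must be a bare file name')` at the top of the define gives it the same guarantee as `apt::key`. The exec also names `apt-key` without a full path and sets no `path` attribute, so it will fail at catalog application unless the module sets an `Exec` resource default elsewhere — worth confirming. As the README hunk notes, keys deployed this way are never removed; keeping that caveat next to the code with `# NOTE: keys added here are never removed from the apt keyring; use apt::key for a revocable deployment.` would spare maintainers a trip to the README.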