authorintrigeri <intrigeri@boum.org>2015-09-14 22:51:07 +0000
committerintrigeri <intrigeri@boum.org>2015-09-14 22:51:07 +0000
commitcf4726e8452bf27498e15900cfde437314ecef67 (patch)
treead179382d82d8f15174b2ebad1cd6f3c1c35bef7
parent58cfaa32f9de6c38157b2680fbf59da400b8f940 (diff)
parent5f7232b420e02eaa38c14a7be75034d9b3cdd64b (diff)
Merge remote-tracking branch 'shared/key' into shared-master (!17)
-rw-r--r--README41
-rw-r--r--manifests/key.pp13
-rw-r--r--manifests/key/plain.pp13
3 files changed, 67 insertions, 0 deletions
diff --git a/README b/README
index 8333be2..1a83ac9 100644
--- a/README
+++ b/README
@@ -99,6 +99,7 @@ This module needs:
- the lsb module: git://labs.riseup.net/shared-lsb
- the common module: git://labs.riseup.net/shared-common
+- the stdlib module: https://forge.puppetlabs.com/puppetlabs/stdlib
By default, on normal hosts, this module sets the configuration option
DSelect::Clean to 'auto'. On virtual servers, the value is set by default to
@@ -478,6 +479,46 @@ Example:
'puppet:///modules/site_apt/company_internals.list' ],
}
+apt::key
+--------
+
+Deploys a secure apt OpenPGP key. This usually accompanies the
+sources.list snippets above for third party repositories. For example,
+you would do:
+
+ apt::key { 'neurodebian.gpg':
+ ensure => present,
+ source => 'puppet:///modules/site_apt/neurodebian.gpg',
+ }
+
+This deploys the key in the `/etc/apt/trusted.gpg.d` directory, which
+is assumed by secure apt to be binary OpenPGP keys and *not*
+"ascii-armored" or "plain text" OpenPGP key material. For the latter,
+use `apt::key::plain`.
+
+The `.gpg` extension is compulsory for `apt` to pickup the key properly.
+
+apt::key::plain
+---------------
+
+Deploys a secure apt OpenPGP key. This usually accompanies the
+sources.list snippets above for third party repositories. For example,
+you would do:
+
+ apt::key::plain { 'neurodebian.asc':
+ source => 'puppet:///modules/site_apt/neurodebian.asc',
+ }
+
+This deploys the key in the `${apt_base_dir}/keys` directory (as
+opposed to `$custom_key_dir` which deploys it in `keys.d`). The reason
+this exists on top of `$custom_key_dir` is to allow a more
+decentralised distribution of those keys, without having all modules
+throw their keys in the same directory in the manifests.
+
+Note that this model does *not* currently allow keys to be removed!
+Use `apt::key` instead for a more practical, revokable approach, but
+that needs binary keys.
+
apt::upgrade_package
--------------------
diff --git a/manifests/key.pp b/manifests/key.pp
new file mode 100644
index 0000000..65b62e9
--- /dev/null
+++ b/manifests/key.pp
@@ -0,0 +1,13 @@
+define apt::key ($source, $ensure = 'present') {
+ validate_re(
+ $name, '\.gpg$',
+ 'An apt::key resource name must have the .gpg extension',
+ )
+
+ file {
+ "/etc/apt/trusted.gpg.d/${name}":
+ ensure => $ensure,
+ source => $source,
+ notify => Exec['refresh_apt'],
+ }
+}
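Review bot: The `file` resource written to `/etc/apt/trusted.gpg.d/${name}` sets no `owner`, `group` or `mode`, so the keyring's permissions depend on the file served from the master (Puppet 3's default `source_permissions => use` copies them); a keyring that is group- or world-writable is a trust-anchor problem, and apt expects it to be readable by `_apt`/everyone. Add `owner => 'root', group => 'root', mode => '0644',` to the resource. The `validate_re` only checks the suffix, so a title such as `../foo.gpg` or one containing `/` would place the key outside the intended directory; a stricter pattern, `'^[A-Za-z0-9_.-]+\.gpg$'`, matches what apt itself accepts in `.d` directories (presumably — confirm against the apt version in use) and blocks traversal. `$ensure` is also passed through unchecked; `validate_re($ensure, '^(present|absent)$')` would make a typo fail at compile time instead of at the `file` resource.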
diff --git a/manifests/key/plain.pp b/manifests/key/plain.pp
new file mode 100644
index 0000000..e4a2f89
--- /dev/null
+++ b/manifests/key/plain.pp
@@ -0,0 +1,13 @@
+define apt::key::plain ($source) {
+ file {
+ "${apt::apt_base_dir}/keys/${name}":
+ source => $source;
+ "${apt::apt_base_dir}/keys":
+ ensure => directory;
+ }
+ exec { "apt-key add '${apt::apt_base_dir}/keys/${name}'":
+ subscribe => File["${apt::apt_base_dir}/keys/${name}"],
+ refreshonly => true,
+ notify => Exec['refresh_apt'],
+ }
+}
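Review bot: The `exec` title `apt-key add '${apt::apt_base_dir}/keys/${name}'` is used as the command without a `path` attribute or a fully-qualified binary, so Puppet will refuse to run it ("command is not qualified and no path was specified") unless an `Exec` resource default provides `path` elsewhere in this module, which is not visible here; add `path => '/usr/bin:/usr/sbin:/bin:/sbin',` or write `/usr/bin/apt-key`. The title also interpolates `${name}` into a shell command inside single quotes, so a resource title containing a `'` breaks the quoting; since the same `${name}` is also a path component, a `validate_re($name, '^[A-Za-z0-9_.-]+$', ...)` at the top of the define, mirroring `apt::key`, closes both the quoting and the traversal case. As with `apt::key`, the key file itself carries no `owner`/`group`/`mode`, so `mode => '0644'` and root ownership should be explicit.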