From: Tom Hughes Date: Sun, 4 Aug 2024 18:44:46 +0000 (+0100) Subject: Add apt::repository recipe X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/ed4958d01f094f96766531dbb4b685656a52ab29 Add apt::repository recipe --- diff --git a/.github/workflows/test-kitchen.yml b/.github/workflows/test-kitchen.yml index ef0b6cbb5..e36f92849 100644 --- a/.github/workflows/test-kitchen.yml +++ b/.github/workflows/test-kitchen.yml @@ -21,6 +21,7 @@ jobs: - accounts - apache - apt + - apt-repository - backup - bind - blog @@ -121,6 +122,8 @@ jobs: suite: mailman - os: ubuntu-2004 suite: osqa + - os: debian-12 + suite: apt-repository - os: debian-12 suite: dns - os: debian-12 @@ -138,6 +141,8 @@ jobs: - os: debian-12 suite: supybot exclude: + - suite: apt-repository + os: ubuntu-2204 - suite: dns os: ubuntu-2204 - suite: git-server diff --git a/.kitchen.yml b/.kitchen.yml index 37cd3556a..db9664940 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -71,6 +71,9 @@ suites: - name: apt run_list: - recipe[apt::default] + - name: apt-repository + run_list: + - recipe[apt::repository] - name: awscli run_list: - recipe[awscli::default] diff --git a/cookbooks/apt/metadata.rb b/cookbooks/apt/metadata.rb index ace54bdbb..f19f01468 100644 --- a/cookbooks/apt/metadata.rb +++ b/cookbooks/apt/metadata.rb @@ -7,3 +7,5 @@ description "Installs/Configures apt" version "0.1" supports "debian" supports "ubuntu" +depends "apache" +depends "ssl" diff --git a/cookbooks/apt/recipes/repository.rb b/cookbooks/apt/recipes/repository.rb new file mode 100644 index 000000000..2af2a055a --- /dev/null +++ b/cookbooks/apt/recipes/repository.rb 
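Review bot: The recipe introduced by this commit calls `include_recipe "accounts"` and writes `node.default[:accounts][:users][:apt][:status]`, but the metadata hunk only adds `depends "apache"` and `depends "ssl"`. If `depends "accounts"` is not already among the metadata lines above this hunk (they are outside the visible diff), add `depends "accounts"` next to the two new lines so the cookbook is resolved and shipped to a node whose run list is only `recipe[apt::repository]`, as the new kitchen suite's is.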
@@ -0,0 +1,114 @@ +# +# Cookbook:: apt +# Recipe:: repository +# +# Copyright:: 2024, Tom Hughes +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +node.default[:accounts][:users][:apt][:status] = :role + +include_recipe "accounts" +include_recipe "apache" + +package "aptly" + +repository_keys = data_bag_item("apt", "repository") + +gpg_passphrase = repository_keys["gpg_passphrase"] + +template "/etc/aptly.conf" do + source "aptly.conf.erb" + owner "root" + group "root" + mode "644" +end + +directory "/srv/apt.openstreetmap.org" do + owner "apt" + group "apt" + mode "2775" +end + +execute "apt-generate-key" do + command "gpg --no-tty --batch --passphrase=#{gpg_passphrase} --generate-key" + cwd "/srv/apt.openstreetmap.org" + user "apt" + group "apt" + environment "HOME" => "/srv/apt.openstreetmap.org" + input <<~EOS + Key-Type: RSA + Key-Length: 4096 + Key-Usage: sign + Subkey-Type: RSA + Subkey-Length: 4096 + Subkey-Usage: sign + Name-Real: OpenStreetMap Admins + Name-Email: admins@openstreetmap.org + Expire-Date: 0 + Passphrase: #{gpg_passphrase} + EOS + not_if { ::Dir.exist?("/srv/apt.openstreetmap.org/.gnupg") } +end + +%w[focal jammy bookworm].each do |distribution| + repository = "openstreetmap-#{distribution}" + + execute "aptly-repo-create-#{distribution}" do + command "aptly repo create -comment='Packages used on OpenStreetMap Servers' -distribution=#{distribution} #{repository}" + cwd "/srv/apt.openstreetmap.org" + user "apt" + group "apt" + environment 
"HOME" => "/srv/apt.openstreetmap.org" + not_if "aptly repo show #{repository}" + end + + execute "aptly-publish-repo-#{distribution}" do + action :nothing + command "aptly publish repo -batch -passphrase=#{gpg_passphrase} #{repository}" + cwd "/srv/apt.openstreetmap.org" + user "apt" + group "apt" + environment "HOME" => "/srv/apt.openstreetmap.org" + subscribes :run, "execute[aptly-repo-create-#{distribution}]", :immediately + end + + execute "aptly-publish-update-#{distribution}" do + command "aptly publish update -batch -passphrase=#{gpg_passphrase} #{distribution}" + cwd "/srv/apt.openstreetmap.org" + user "apt" + group "apt" + environment "HOME" => "/srv/apt.openstreetmap.org" + end +end + +execute "gpg-export-key" do + command "gpg --no-tty --batch --passphrase=#{gpg_passphrase} --armor --output=/srv/apt.openstreetmap.org/public/gpg.key --export admins@openstreetmap.org" + cwd "/srv/apt.openstreetmap.org" + user "apt" + group "apt" + environment "HOME" => "/srv/apt.openstreetmap.org" + not_if { ::File.exist?("/srv/apt.openstreetmap.org/public/gpg.key") } +end + +ssl_certificate "apt.openstreetmap.org" do + domains ["apt.openstreetmap.org", "apt.osm.org"] + notifies :reload, "service[apache2]" +end + +apache_site "apt.openstreetmap.org" do + template "apache.erb" + directory "/srv/apt.openstreetmap.org" + variables :aliases => ["apt.osm.org"] +end diff --git a/cookbooks/apt/templates/default/apache.erb b/cookbooks/apt/templates/default/apache.erb new file mode 100644 index 000000000..befca9429 --- /dev/null +++ b/cookbooks/apt/templates/default/apache.erb 
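Review bot: The GPG passphrase from the data bag is interpolated into the command line of `apt-generate-key`, `aptly-publish-repo-*`, `aptly-publish-update-*` and `gpg-export-key` (`--passphrase=#{gpg_passphrase}`, `-passphrase=#{gpg_passphrase}`), so while each command runs it is readable by every local user through the process list, and Chef prints the full command string when a resource fails unless it is marked `sensitive true`. `apt-generate-key` already passes `Passphrase:` in the batch parameters on stdin and exporting a public key needs no passphrase, so `--passphrase=…` can simply be dropped from both gpg commands; for the two aptly commands write the passphrase to a mode-600 file owned by `apt` (after the `directory` resource) and use `-passphrase-file=` instead of `-passphrase=`. Every resource that handles the secret should carry `sensitive true` so neither the command nor the file content reaches the run log.
```ruby
# Keep the signing passphrase off argv: gpg takes it from the batch parameters
# on stdin, aptly reads it from a file only the "apt" user can open.
passphrase_file = "/srv/apt.openstreetmap.org/.gpg-passphrase" # placeholder path, pick one outside public/

file passphrase_file do
  content gpg_passphrase
  owner "apt"
  group "apt"
  mode "600"
  sensitive true
end

execute "apt-generate-key" do
  command "gpg --no-tty --batch --generate-key"
  sensitive true
  # … unchanged: cwd, user, group, environment, input (still carries Passphrase:), not_if …
end

# … unchanged: per-distribution loop and aptly-repo-create-* …
  execute "aptly-publish-repo-#{distribution}" do
    action :nothing
    command "aptly publish repo -batch -passphrase-file=#{passphrase_file} #{repository}"
    sensitive true
    # … unchanged: cwd, user, group, environment, subscribes …
  end

  execute "aptly-publish-update-#{distribution}" do
    command "aptly publish update -batch -passphrase-file=#{passphrase_file} #{distribution}"
    sensitive true
    # … unchanged: cwd, user, group, environment …
  end
# … unchanged: end of loop …

execute "gpg-export-key" do
  command "gpg --no-tty --batch --armor --output=/srv/apt.openstreetmap.org/public/gpg.key --export admins@openstreetmap.org"
  sensitive true
  # … unchanged: cwd, user, group, environment, not_if …
end
```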
@@ -0,0 +1,52 @@ +# DO NOT EDIT - This file is being maintained by Chef + + + ServerName <%= @name %> +<% @aliases.each do |alias_name| -%> + ServerAlias <%= alias_name %> +<% end -%> + ServerAdmin webmaster@openstreetmap.org + + CustomLog /var/log/apache2/<%= @name %>-access.log combined_extended + ErrorLog /var/log/apache2/<%= @name %>-error.log + + RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/ + RedirectPermanent / https://<%= @name %>/ + +<% unless @aliases.empty? -%> + + + ServerName <%= @aliases.first %> +<% @aliases.drop(1).each do |alias_name| -%> + ServerAlias <%= alias_name %> +<% end -%> + ServerAdmin webmaster@openstreetmap.org + + SSLEngine on + SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem + SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key + + CustomLog /var/log/apache2/<%= @name %>-access.log combined_extended + ErrorLog /var/log/apache2/<%= @name %>-error.log + + RedirectPermanent / https://<%= @name %>/ + +<% end -%> + + + ServerName <%= @name %> + ServerAdmin webmaster@openstreetmap.org + + SSLEngine on + SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem + SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key + + CustomLog /var/log/apache2/<%= @name %>-access.log combined_extended + ErrorLog /var/log/apache2/<%= @name %>-error.log + + DocumentRoot <%= @directory %>/public + + +/public> + Require all granted + diff --git a/cookbooks/apt/templates/default/aptly.conf.erb b/cookbooks/apt/templates/default/aptly.conf.erb new file mode 100644 index 000000000..e083becc9 --- /dev/null +++ b/cookbooks/apt/templates/default/aptly.conf.erb @@ -0,0 +1,4 @@ +{ + "rootDir": "/srv/apt.openstreetmap.org", + "architectures": [ "amd64", "arm64" ] +} diff --git a/test/data_bags/accounts/apt.json b/test/data_bags/accounts/apt.json new file mode 100644 index 000000000..2803c2266 --- /dev/null +++ b/test/data_bags/accounts/apt.json 
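Review bot: The :80 vhost sends every request to `https://<%= @name %>/` via `RedirectPermanent`, but the HTTPS vhost for `<%= @name %>` sets no `Strict-Transport-Security` header, so browsers keep making a plain-http request first on each visit; unless the apache cookbook adds it globally, consider `Header always set Strict-Transport-Security "max-age=31536000"` next to the `SSLEngine on` block in the canonical vhost. The opening `VirtualHost` and `Directory` tags are not visible in this rendering of the diff, so those blocks (including the `/public` `Require all granted` stanza at the end) could not be checked.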
@@ -0,0 +1,6 @@ +{ + "id": "apt", + "uid": "530", + "comment": "apt.openstreetmap.org", + "home": "/srv/apt.openstreetmap.org" +} diff --git a/test/data_bags/apt/repository.json b/test/data_bags/apt/repository.json new file mode 100644 index 000000000..ea4594bf8 --- /dev/null +++ b/test/data_bags/apt/repository.json @@ -0,0 +1,4 @@ +{ + "id": "repository", + "gpg_passphrase": "gpg_passphrase" +} diff --git a/test/integration/apt-repository/inspec/apache_spec.rb b/test/integration/apt-repository/inspec/apache_spec.rb new file mode 100644 index 000000000..8006330b4 --- /dev/null +++ b/test/integration/apt-repository/inspec/apache_spec.rb @@ -0,0 +1,18 @@ +describe package("apache2") do + it { should be_installed } +end + +describe service("apache2") do + it { should be_enabled } + it { should be_running } +end + +describe port(80) do + it { should be_listening } + its("protocols") { should cmp "tcp" } +end + +describe port(443) do + it { should be_listening } + its("protocols") { should cmp "tcp" } +end diff --git a/test/integration/apt-repository/inspec/aptly_spec.rb b/test/integration/apt-repository/inspec/aptly_spec.rb new file mode 100644 index 000000000..1eca19c13 --- /dev/null +++ b/test/integration/apt-repository/inspec/aptly_spec.rb @@ -0,0 +1,3 @@ +describe package("aptly") do + it { should be_installed } +end
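Review bot: `aptly_spec.rb` only asserts that the package is installed, so nothing the new recipe actually does (key generation, the three `openstreetmap-*` repositories, the exported public key) is covered by the new `apt-repository` suite. A cheap first check is `describe file("/srv/apt.openstreetmap.org/public/gpg.key") do it { should exist } end`, and, assuming root can read the aptly database under `rootDir`, `describe command("aptly repo list") do its("stdout") { should match(/openstreetmap-bookworm/) } end`.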