Merge remote-tracking branch 'shared/key' into tmp

2015-08-31 09:51:45 +00:00 · 2015-08-31 09:51:45 +00:00 · 1e81ba185e
commit 1e81ba185e
parent 58cfaa32f9 544796e050
3 changed files with 61 additions and 0 deletions
--- a/40
+++ b/40
@ -478,6 +478,46 @@ Example:
                'puppet:///modules/site_apt/company_internals.list' ],
  }

+apt::key
+--------
+
+Deploys a secure apt OpenPGP key. This usually accompanies the
+sources.list snippets above for third party repositories. For example,
+you would do:
+
+  apt::key { 'neurodebian.gpg':
+    ensure => present,
+    source => 'puppet:///modules/site_apt/neurodebian.gpg',
+  }
+
+This deploys the key in the `/etc/apt/trusted.gpg.d` directory, which
+is assumed by secure apt to be binary OpenPGP keys and *not*
+"ascii-armored" or "plain text" OpenPGP key material. For the latter,
+use `apt::key::plain`.
+
+The `.gpg` extension is compulsory for `apt` to pickup the key properly.
+
+apt::key::plain
+---------------
+
+Deploys a secure apt OpenPGP key. This usually accompanies the
+sources.list snippets above for third party repositories. For example,
+you would do:
+
+  apt::key::plain { 'neurodebian.asc':
+    source => 'puppet:///modules/site_apt/neurodebian.asc',
+  }
+
+This deploys the key in the `${apt_base_dir}/keys` directory (as
+opposed to `$custom_key_dir` which deploys it in `keys.d`). The reason
+this exists on top of `$custom_key_dir` is to allow a more
+decentralised distribution of those keys, without having all modules
+throw their keys in the same directory in the manifests.
+
+Note that this model does *not* currently allow keys to be removed!
+Use `apt::key` instead for a more practical, revokable approach, but
+that needs binary keys.
+
 apt::upgrade_package
 --------------------

--- a/manifests/key.pp
+++ b/manifests/key.pp
@ -0,0 +1,8 @@
+define apt::key ($ensure = 'present', $source) {
+  file {
+    "/etc/apt/trusted.gpg.d/$name":
+      source => $source,
+      ensure => $ensure,
+      notify => Exec['refresh_apt'],
+  }
+}
--- a/manifests/key/plain.pp
+++ b/manifests/key/plain.pp
@ -0,0 +1,13 @@
+define apt::key::plain ($source) {
+  file {
+    "${apt::apt_base_dir}/keys/${name}":
+      source  => $source;
+    "${apt::apt_base_dir}/keys":
+      ensure  => directory;
+  }
+  exec { "apt-key add ${apt::apt_base_dir}/keys/${name}":
+    subscribe   => File["${apt::apt_base_dir}/keys/${name}"],
+    refreshonly => true,
+    notify      => Exec['refresh_apt'],
+  }
+}