Merge remote-tracking branch 'shared/key' into tmp
This commit is contained in:
commit
1e81ba185e
3 changed files with 61 additions and 0 deletions
40
README
40
README
|
@ -478,6 +478,46 @@ Example:
|
||||||
'puppet:///modules/site_apt/company_internals.list' ],
|
'puppet:///modules/site_apt/company_internals.list' ],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
apt::key
|
||||||
|
--------
|
||||||
|
|
||||||
|
Deploys a secure apt OpenPGP key. This usually accompanies the
|
||||||
|
sources.list snippets above for third party repositories. For example,
|
||||||
|
you would do:
|
||||||
|
|
||||||
|
apt::key { 'neurodebian.gpg':
|
||||||
|
ensure => present,
|
||||||
|
source => 'puppet:///modules/site_apt/neurodebian.gpg',
|
||||||
|
}
|
||||||
|
|
||||||
|
This deploys the key in the `/etc/apt/trusted.gpg.d` directory, which
|
||||||
|
is assumed by secure apt to be binary OpenPGP keys and *not*
|
||||||
|
"ascii-armored" or "plain text" OpenPGP key material. For the latter,
|
||||||
|
use `apt::key::plain`.
|
||||||
|
|
||||||
|
The `.gpg` extension is compulsory for `apt` to pickup the key properly.
|
||||||
|
|
||||||
|
apt::key::plain
|
||||||
|
---------------
|
||||||
|
|
||||||
|
Deploys a secure apt OpenPGP key. This usually accompanies the
|
||||||
|
sources.list snippets above for third party repositories. For example,
|
||||||
|
you would do:
|
||||||
|
|
||||||
|
apt::key::plain { 'neurodebian.asc':
|
||||||
|
source => 'puppet:///modules/site_apt/neurodebian.asc',
|
||||||
|
}
|
||||||
|
|
||||||
|
This deploys the key in the `${apt_base_dir}/keys` directory (as
|
||||||
|
opposed to `$custom_key_dir` which deploys it in `keys.d`). The reason
|
||||||
|
this exists on top of `$custom_key_dir` is to allow a more
|
||||||
|
decentralised distribution of those keys, without having all modules
|
||||||
|
throw their keys in the same directory in the manifests.
|
||||||
|
|
||||||
|
Note that this model does *not* currently allow keys to be removed!
|
||||||
|
Use `apt::key` instead for a more practical, revokable approach, but
|
||||||
|
that needs binary keys.
|
||||||
|
|
||||||
apt::upgrade_package
|
apt::upgrade_package
|
||||||
--------------------
|
--------------------
|
||||||
|
|
||||||
|
|
8
manifests/key.pp
Normal file
8
manifests/key.pp
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
define apt::key ($ensure = 'present', $source) {
|
||||||
|
file {
|
||||||
|
"/etc/apt/trusted.gpg.d/$name":
|
||||||
|
source => $source,
|
||||||
|
ensure => $ensure,
|
||||||
|
notify => Exec['refresh_apt'],
|
||||||
|
}
|
||||||
|
}
|
13
manifests/key/plain.pp
Normal file
13
manifests/key/plain.pp
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
define apt::key::plain ($source) {
|
||||||
|
file {
|
||||||
|
"${apt::apt_base_dir}/keys/${name}":
|
||||||
|
source => $source;
|
||||||
|
"${apt::apt_base_dir}/keys":
|
||||||
|
ensure => directory;
|
||||||
|
}
|
||||||
|
exec { "apt-key add ${apt::apt_base_dir}/keys/${name}":
|
||||||
|
subscribe => File["${apt::apt_base_dir}/keys/${name}"],
|
||||||
|
refreshonly => true,
|
||||||
|
notify => Exec['refresh_apt'],
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue