opuppet/module-apt
4
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge remote-tracking branch 'shared/key' into shared-master (!17)

Browse source
This commit is contained in:
intrigeri 2015-09-14 22:51:07 +00:00
commit cf4726e845
3 changed files with 67 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
README
View file

@ -99,6 +99,7 @@ This module needs:
- the lsb module: git://labs.riseup.net/shared-lsb - the lsb module: git://labs.riseup.net/shared-lsb
- the common module: git://labs.riseup.net/shared-common - the common module: git://labs.riseup.net/shared-common
- the stdlib module: https://forge.puppetlabs.com/puppetlabs/stdlib
By default, on normal hosts, this module sets the configuration option By default, on normal hosts, this module sets the configuration option
DSelect::Clean to 'auto'. On virtual servers, the value is set by default to DSelect::Clean to 'auto'. On virtual servers, the value is set by default to
@ -478,6 +479,46 @@ Example:
'puppet:///modules/site_apt/company_internals.list' ], 'puppet:///modules/site_apt/company_internals.list' ],
} }
apt::key
--------
Deploys a secure apt OpenPGP key. This usually accompanies the
sources.list snippets above for third party repositories. For example,
you would do:
apt::key { 'neurodebian.gpg':
ensure => present,
source => 'puppet:///modules/site_apt/neurodebian.gpg',
}
This deploys the key in the `/etc/apt/trusted.gpg.d` directory, which
is assumed by secure apt to be binary OpenPGP keys and *not*
"ascii-armored" or "plain text" OpenPGP key material. For the latter,
use `apt::key::plain`.
The `.gpg` extension is compulsory for `apt` to pickup the key properly.
apt::key::plain
---------------
Deploys a secure apt OpenPGP key. This usually accompanies the
sources.list snippets above for third party repositories. For example,
you would do:
apt::key::plain { 'neurodebian.asc':
source => 'puppet:///modules/site_apt/neurodebian.asc',
}
This deploys the key in the `${apt_base_dir}/keys` directory (as
opposed to `$custom_key_dir` which deploys it in `keys.d`). The reason
this exists on top of `$custom_key_dir` is to allow a more
decentralised distribution of those keys, without having all modules
throw their keys in the same directory in the manifests.
Note that this model does *not* currently allow keys to be removed!
Use `apt::key` instead for a more practical, revokable approach, but
that needs binary keys.
apt::upgrade_package apt::upgrade_package
-------------------- --------------------

13
manifests/key.pp Normal file
View file

@ -0,0 +1,13 @@
define apt::key ($source, $ensure = 'present') {
validate_re(
$name, '\.gpg$',
'An apt::key resource name must have the .gpg extension',
)
file {
"/etc/apt/trusted.gpg.d/${name}":
ensure => $ensure,
source => $source,
notify => Exec['refresh_apt'],
}
}

13
manifests/key/plain.pp Normal file
View file

@ -0,0 +1,13 @@
define apt::key::plain ($source) {
file {
"${apt::apt_base_dir}/keys/${name}":
source => $source;
"${apt::apt_base_dir}/keys":
ensure => directory;
}
exec { "apt-key add '${apt::apt_base_dir}/keys/${name}'":
subscribe => File["${apt::apt_base_dir}/keys/${name}"],
refreshonly => true,
notify => Exec['refresh_apt'],
}
}