/ansible-mini-dinstall

Ansible role to install and configure mini-dinstall

Primary LanguagePythonMIT LicenseMIT

Mini-dinstall

Build Status Ansible Galaxy

Install and configure mini-dinstall APT repository tool.

Requirements

  • Debian based host

Role Variables

Variable Description Type Default
minidinstall_user System user String "mini-dinstall"
minidinstall_user_home User home directory path String "/data/mini-dinstall"
minidinstall_basedir Apt repository base directory String "{{ minidinstall_user_home }}/debpkg"
minidinstall_conf Configuration file path String /etc/mini-dinstall/mini-dinstall.conf
minidinstall_sshkeys SSH authorized keys list to allow repository access List []
minidinstall_config mini-dinstall "[DEFAULT]" configuration section Dict see config
minidinstall_repositories mini-dinstall repositories configuration section Dict see repositories

Role Mechanism

config

Set [DEFAULT] configuration options through a Dict variable. See man mini-dinstall for option list and explanation.

The YAML key: value will correspond to key = vale into the mini-dinstall.conf file.

Default:

minidinstall_config:
  archivedir: "{{ minidinstall_basedir }}"
  archive_style: flat
  generate_release: 1
  incoming_permissions: "0750"

repositories

Set different repositories configuration with this Dict variable.

The first key will be the repository name, then all the sub key/value pair will correspond to the specific options for that repository.

Default:

minidinstall_repositories:
  unstable:
    release_codename: sid

Dependencies

None.

Example Playbook

Playbook to use this role and allow charlie to push package:

- hosts: aptserver
  roles:
    - mini-dinstall
  vars:
    minidinstall_sshkeys:
      - https://github.com/charlie.keys
      - "{{ lookup('file', '/home/charlie/.ssh/id_rsa.pub') }}"

Usage

Signing the Release file

The 2 main options are:

  1. to use a GPG key created for the occasion, store that key (including the private part) on the apt server and use the mini-dinstall contrib script sign-release.sh by adding something like the following to your mini-dinstall.conf:
    release_signscript = ~/bin/sign-release.sh

  2. to use some script to sign the Release file remotely and send the resulting deatched signature back to the apt server just after the mini-dinstall pulse; that way you can sign with your own private key.
    example: zack sign-remote script

Importing the apt repository pgp key into local apt keychain

To fetch the signed apt repositories Release, the public key have to be added to the apt-key store using apt-key add.

Add the repo urls in your apt sources.list

To be able to use the apt repository a http server must be set properly

The mini-dinstall syntax to use the repo, for flat architecture are deb http://fqdn/ repository/.

example: deb http://apt.example.repo/ unstable/

Dput

Example of ~/.dput.cf file:

[unstable]
fqdn = apt.example.repo
login = mini-dinstall
incoming = /data/mini-dinstall/debpkg/mini-dinstall/incoming
method = scp
run_dinstall = 0
post_upload_command = ssh -l mini-dinstall apt.example.repo \
  "mini-dinstall -c /etc/mini-dinstall/mini-dinstall.conf -b" \
  && sign-remote mini-dinstall@apt.example.repo:~/debpkg/unstable/Release

Todo

  • Add HTTP config management
  • Add GPG host key management for use case 1.
  • Handle mini-dinstall server mode