From b76058177d73b2973c29dcfecfabd8fe1ab9a6d2 Mon Sep 17 00:00:00 2001 From: Sam Thursfield Date: Wed, 30 Aug 2017 17:20:40 +0100 Subject: baserock_ostree: Add 'releases' repo This is different from the existing 'cache' repo in that we should be careful what we push to it, and we should never delete things from it once they have been made public. Pushing to the releases repo should be done with ostree-push/receive rather than BuildStream. I've set up the receive hook on the server. The upstream repo of ostree-push/receive seems abandoned so I have been using a fork: https://github.com/ssssam/ostree-push See also: https://listmaster.pepperfish.net/pipermail/baserock-dev-baserock.org/2017-September/013811.html https://gitlab.com/baserock/definitions/merge_requests/58 --- .../system/ostree-cache-update-summary.service | 11 -------- .../system/ostree-cache-update-summary.timer | 8 ------ .../system/ostree-update-summary-cache.service | 11 ++++++++ .../system/ostree-update-summary-cache.timer | 8 ++++++ .../system/ostree-update-summary-releases.service | 11 ++++++++ .../system/ostree-update-summary-releases.timer | 8 ++++++ baserock_ostree/image-config.yml | 12 ++++++++ baserock_ostree/instance-config.yml | 32 +++++++++++++++++++--- baserock_ostree/ostree-access-config.yml | 12 +++++++- 9 files changed, 89 insertions(+), 24 deletions(-) delete mode 100644 baserock_ostree/etc/systemd/system/ostree-cache-update-summary.service delete mode 100644 baserock_ostree/etc/systemd/system/ostree-cache-update-summary.timer create mode 100644 baserock_ostree/etc/systemd/system/ostree-update-summary-cache.service create mode 100644 baserock_ostree/etc/systemd/system/ostree-update-summary-cache.timer create mode 100644 baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service create mode 100644 baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer 
diff --git a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.service b/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.service
deleted file mode 100644
index d070aec8..00000000
--- a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description = Update OSTree summary file for cache
-
-[Service]
-Type = oneshot
-ExecStart = /usr/bin/ostree --repo=/srv/ostree/cache/ summary -u
-User = ostree
-Group = ostree
-
-[Install]
-WantedBy=default.target
diff --git a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.timer b/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.timer
deleted file mode 100644
index 0be7bc51..00000000
--- a/baserock_ostree/etc/systemd/system/ostree-cache-update-summary.timer
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description = Update OSTree summary file for cache
-
-[Timer]
-OnUnitActiveSec = 5min
-
-[Install]
-WantedBy = default.target
diff --git a/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.service b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.service
new file mode 100644
index 00000000..70f4e708
--- /dev/null
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.service
@@ -0,0 +1,11 @@
+[Unit]
+Description = Update OSTree summary files for 'cache' repo
+
+[Service]
+Type = oneshot
+ExecStart = /usr/bin/ostree --repo=/srv/ostree/cache/ summary -u
+User = ostree
+Group = ostree
+
+[Install]
+WantedBy=default.target
diff --git a/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.timer b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.timer
new file mode 100644
index 00000000..3696b028
--- /dev/null
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-cache.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description = Update OSTree summary files for 'cache' repo
+
+[Timer]
+OnUnitActiveSec = 5min
+
+[Install]
+WantedBy = default.target
diff --git a/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service
new file mode 100644
index 00000000..fdb557f1
--- /dev/null
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.service
@@ -0,0 +1,11 @@
+[Unit]
+Description = Update OSTree summary files for 'releases' repo
+
+[Service]
+Type = oneshot
+ExecStart = /usr/bin/ostree --repo=/srv/ostree/releases/ summary -u
+User = ostree-releases
+Group = ostree-releases
+
+[Install]
+WantedBy=default.target
diff --git a/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer
new file mode 100644
index 00000000..eea6dd5a
--- /dev/null
+++ b/baserock_ostree/etc/systemd/system/ostree-update-summary-releases.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description = Update OSTree summary files for 'releases' repo
+
+[Timer]
+OnUnitActiveSec = 5min
+
+[Install]
+WantedBy = default.target
diff --git a/baserock_ostree/image-config.yml b/baserock_ostree/image-config.yml
index 1152d846..1bfb90df 100644
--- a/baserock_ostree/image-config.yml
+++ b/baserock_ostree/image-config.yml
@@ -49,6 +49,18 @@ chdir: /home/fedora/buildstream creates: /usr/bin/bst-artifact-receive + # We also install ostree-push/receive, which is used for pushing to the + # releases/ repo. + - name: ostree-push/receive sources + git: dest=/home/fedora/ostree-push repo=https://github.com/ssssam/ostree-push version=9aa82b67325786a810653155b952a17b7ccc436a + become_user: fedora + + - name: ostree-push/receive installed + command: make PREFIX=/usr/ install + args: + chdir: /home/fedora/ostree-push + creates: /usr/bin/ostree-receive + - name: disable SELinux on subsequent boots selinux: state=disabled
diff --git a/baserock_ostree/instance-config.yml b/baserock_ostree/instance-config.yml
index 768deb1a..1f218fc0 100644
--- a/baserock_ostree/instance-config.yml
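Review bot: The `ExecStart` line of the new ostree-update-summary-releases.service regenerates the 'releases' summary with a bare `ostree --repo=/srv/ostree/releases/ summary -u`, so the summary file that advertises the public refs is unsigned even if the commits pushed through ostree-receive are. If clients are expected to GPG-verify this repo (the patch does not say), the summary needs signing too, e.g. `ExecStart = /usr/bin/ostree --repo=/srv/ostree/releases/ summary -u --gpg-sign=<RELEASES_KEYID> --gpg-homedir=<GPG_HOMEDIR>` with the placeholders filled in and the keyring readable only by `ostree-releases`. The companion timer uses `OnUnitActiveSec` alone, so its first tick after boot depends on the service itself being pulled in by `WantedBy=default.target`; a one-line comment in the `[Timer]` section saying so would keep the next editor from "cleaning up" that apparent redundancy.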
+++ b/baserock_ostree/instance-config.yml
@@ -11,9 +11,13 @@ tasks: - import_tasks: ../tasks/create-data-volume.yml lv_name=ostree lv_size=290g mountpoint=/srv + # This should perhaps have been called ostree-cache - name: ostree user user: name=ostree + - name: ostree-releases user + user: name=ostree-releases + - name: data directory file: mode=0755 owner=ostree group=ostree path=/srv/ostree/ state=directory
@@ -23,6 +27,15 @@ args: creates: /srv/ostree/cache/config + - name: releases directory + file: mode=0755 owner=ostree-releases group=ostree-releases path=/srv/ostree/releases state=directory + + - name: releases repository + command: ostree init --repo=/srv/ostree/releases --mode=archive-z2 + become_user: ostree-releases + args: + creates: /srv/ostree/releases/config + - name: lighttpd configuration copy: src: lighttpd.conf
@@ -38,17 +51,28 @@ - name: sshd configuration for ostree user -- disable password auth lineinfile: state="present" line=" PasswordAuthentication no" insertafter="Match user ostree" path=/etc/ssh/sshd_config + - name: sshd configuration for ostree-releases user -- header + lineinfile: state="present" line="Match user ostree-releases" path=/etc/ssh/sshd_config + - name: sshd configuration for ostree-releases user -- force command + lineinfile: state="present" line=" ForceCommand ostree-receive -v --repo /srv/ostree/releases" insertafter="Match user ostree-releases" path=/etc/ssh/sshd_config + - name: sshd configuration for ostree-releases user -- disable password auth + lineinfile: state="present" line=" PasswordAuthentication no" insertafter="Match user ostree-releases" path=/etc/ssh/sshd_config + - name: restart sshd server service: name=sshd enabled=yes state=restarted - name: install systemd units copy: src=./{{item}} dest=/{{item}} with_items: - - etc/systemd/system/ostree-cache-update-summary.service - - etc/systemd/system/ostree-cache-update-summary.timer + - etc/systemd/system/ostree-update-summary-cache.service + - etc/systemd/system/ostree-update-summary-cache.timer + - etc/systemd/system/ostree-update-summary-releases.service + - etc/systemd/system/ostree-update-summary-releases.timer - name: enable systemd units systemd: name={{item}} enabled=yes daemon_reload=yes state=started with_items: - - ostree-cache-update-summary.service - - ostree-cache-update-summary.timer + - ostree-update-summary-cache.service + - ostree-update-summary-cache.timer + - ostree-update-summary-releases.service + - ostree-update-summary-releases.timer
diff --git a/baserock_ostree/ostree-access-config.yml b/baserock_ostree/ostree-access-config.yml
index ff8c7def..f23cc5f9 100644
--- a/baserock_ostree/ostree-access-config.yml
+++ b/baserock_ostree/ostree-access-config.yml
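Review bot: The new `sshd configuration for ostree-releases user -- disable password auth` task is a no-op: `lineinfile` without `regexp` only checks whether the exact `line` exists anywhere in the file, and ` PasswordAuthentication no` is already present from the `ostree` block just above, so the `Match user ostree-releases` block never receives its own `PasswordAuthentication no` and password logins for that account are left at whatever the global setting is. The existing task's `insertafter="Match user ostree"` is a regex that also matches `Match user ostree-releases`, so the line-by-line approach is fragile on re-runs as well. Managing the whole stanza once with `blockinfile` avoids both problems, and `AllowTcpForwarding no` in the same block confines key holders to the forced `ostree-receive` command.
```yaml
  # … unchanged: sshd configuration for ostree user …
  - name: sshd configuration for ostree-releases user
    blockinfile:
      path: /etc/ssh/sshd_config
      marker: "# {mark} ANSIBLE MANAGED BLOCK ostree-releases"
      block: |
        Match user ostree-releases
            ForceCommand ostree-receive -v --repo /srv/ostree/releases
            PasswordAuthentication no
            AllowTcpForwarding no
  # … unchanged: restart sshd server, install/enable systemd units …
```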
@@ -4,7 +4,7 @@ gather_facts: false sudo: yes tasks: - - name: access for Baserock GitLab CI key + - name: authorized SSH keys for ostree (cache) user authorized_key: user: ostree key: '{{ lookup("file", "{{item}}") }}'
@@ -14,3 +14,13 @@ - keys/jonathanmaw.key.pub - keys/pedroalvarez.key.pub - keys/samthursfield.key.pub + + - name: authorized SSH keys for ostree-releases user + authorized_key: + user: ostree-releases + key: '{{ lookup("file", "{{item}}") }}' + with_items: + - keys/baserock-gitlab-ci.key.pub + - keys/garyperkins.key.pub + - keys/pedroalvarez.key.pub + - keys/samthursfield.key.pub
-- cgit v1.2.1
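Review bot: `keys/baserock-gitlab-ci.key.pub` is granted to the `ostree-releases` account in the new `authorized SSH keys for ostree-releases user` task, which gives CI automation push rights to the repo the commit message says must be pushed to deliberately and never pruned once public. If releases are meant to be published by hand only, drop the CI key from this list; if CI is meant to publish, a comment above the task such as `# CI key is intentional: release jobs push here via ostree-push` would stop a later cleanup from removing or adding entries without that context. Either way, unlike the `Match` block in instance-config.yml, nothing here restricts what the key may do beyond the forced command, so `key_options: 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'` on this `authorized_key` task is worth adding.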