modules/updateserver/manifests/init.pp - Issue 5071748311547904: Issue 1094 - Generate update manifests on the update server

Side by Side Diff: modules/updateserver/manifests/init.pp

Issue 5071748311547904: Issue 1094 - Generate update manifests on the update server (Closed)

Patch Set: Reduced duplication Created July 25, 2014, 7:17 a.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View unified diff | Download patch

« modules/updateserver/files/sitescripts ('K') | « modules/updateserver/files/sitescripts ('k') | modules/updateserver/templates/update_update_manifests.erb » ('j') | modules/updateserver/templates/update_update_manifests.erb » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 class updateserver(	1 class updateserver(

2 $domain,	2 $domain,

3 $certificate,	3 $certificate,

4 $private_key,	4 $private_key,

5 $is_default=false	5 $is_default=false

6 ) {	6 ) {

7 class {'nginx':	7 class {'nginx':

8 worker_processes => 2,	8 worker_processes => 2,

9 worker_connections => 4000,	9 worker_connections => 4000,

10 ssl_session_cache => off,	10 ssl_session_cache => off,

11 }	11 }

12	12

13 File {	13 File {

14 owner => root,	14 owner => root,

15 group => root	15 group => root

16 }	16 }

17	17

18 file {'/var/www':	18 file {'/var/www':

19 ensure => directory,	19 ensure => directory,

20 mode => 0755,	20 mode => 0755,

21 require => Package['nginx']	21 require => Package['nginx']

22 }	22 }

23	23

24 file {'/var/www/update':	24 $update_dir = '/var/www/update'

	25

	26 file {"${update_dir}":
	Wladimir Palant 2014/07/25 09:50:11 Why put it into quotation marks here? file {$upda Why put it into quotation marks here? file {$update_dir: Felix Dahlke 2014/07/25 10:31:15 Done. Show quoted text On 2014/07/25 09:50:11, Wladimir Palant wrote: > Why put it into quotation marks here? > > file {$update_dir: Done.
25 ensure => directory,	27 ensure => directory,

26 mode => 0755	28 mode => 0755

27 }	29 }

28	30

29 file {'/var/www/update/adblockplusie':	31 $update_manifest_dirs = ["${update_dir}/adblockplus",

	32 "${update_dir}/adblockplusandroid",

	33 "${update_dir}/adblockplussafari"]

	34

	35 file {$update_manifest_dirs:

30 ensure => directory,	36 ensure => directory,

31 mode => 0755	37 mode => 0755

32 }	38 }

33	39

34 file {'/var/www/update/adblockplusie/update.json':	40 file {"${update_dir}/adblockplusie":

	41 ensure => directory,

	42 mode => 0755

	43 }

	44

	45 file {"${update_dir}/adblockplusie/update.json":

35 ensure => file,	46 ensure => file,

36 source => 'puppet:///modules/updateserver/adblockplusie/update.json',	47 source => 'puppet:///modules/updateserver/adblockplusie/update.json',

37 mode => 0644	48 mode => 0644

38 }	49 }

39	50

40 nginx::hostconfig{$domain:	51 nginx::hostconfig{$domain:

41 source => 'puppet:///modules/updateserver/site.conf',	52 source => 'puppet:///modules/updateserver/site.conf',

42 is_default => $is_default,	53 is_default => $is_default,

43 certificate => $certificate,	54 certificate => $certificate,

44 private_key => $private_key,	55 private_key => $private_key,

45 log => 'access_log_update'	56 log => 'access_log_update'

46 }	57 }

	58

	59 class {'sitescripts':

	60 sitescriptsini_source => 'puppet:///modules/updateserver/sitescripts'

	61 }

	62

	63 $base_dir = '/var/lib/adblockplus'

	64

	65 file {$base_dir:

	66 ensure => directory,

	67 mode => 0755

	68 }

	69

	70 $safari_certificate_path = "${base_dir}/adblockplussafari.pem"

	71

	72 file {$safari_certificate_path:

	73 source => 'puppet:///modules/private/adblockplussafari.pem'

	74 }

	75

	76 $repositories_to_sync = ['downloads', 'adblockplus', 'adblockplusandroid',

	77 'adblockpluschrome', 'elemhidehelper', 'abpwatcher',

	78 'abpcustomization', 'urlfixer']

	79

	80 define fetch_repository() {

	81 $repository_path = "${updateserver::base_dir}/${title}"

	82 exec {"fetch_repository_${title}":

	83 command => "hg clone https://hg.adblockplus.org/${title} ${repository_path }",

	84 path => '/usr/bin',

	85 timeout => 0,

	86 onlyif => "test ! -d ${repository_path}",

	87 require => [Package['mercurial'], File[$updateserver::base_dir]]

	88 }

	89 }

	90

	91 fetch_repository {$repositories_to_sync: }

	92

	93 $update_update_manifests_script = '/usr/local/bin/update_update_manifests'

	94

	95 file {$update_update_manifests_script:

	96 mode => '0755',

	97 content => template('updateserver/update_update_manifests.erb')

	98 }

	99

	100 $update_update_manifests_dependencies = ['python-m2crypto', 'python-jinja2']

	101

	102 package {$update_update_manifests_dependencies:}

	103

	104 exec {'update_update_manifests':

	105 command => $update_update_manifests_script,

	106 timeout => 0,

	107 require => [Exec['fetch_sitescripts'],

	108 Fetch_repository[$repositories_to_sync],

	109 File[$update_update_manifests_script],

	110 File[$update_manifest_dirs], File[$safari_certificate_path],

	111 Package[$update_update_manifests_dependencies]]

	112 }

	113

	114 cron {'update_update_manifests':

	115 ensure => present,

	116 environment => ['MAILTO=admins@adblockplus.org'],

	117 command => $update_update_manifests_script,
	Wladimir Palant 2014/07/25 09:50:11 I'd rather not have anything from sitescripts run I'd rather not have anything from sitescripts run as root unless there is a very good reason for that. Please have some user that will own the manifest directories and run sitescripts. Felix Dahlke 2014/07/25 10:31:15 I actually started out having a dedicated user for Show quoted text On 2014/07/25 09:50:11, Wladimir Palant wrote: > I'd rather not have anything from sitescripts run as root unless there is a very > good reason for that. Please have some user that will own the manifest > directories and run sitescripts. I actually started out having a dedicated user for this, but it's more hassle, and I didn't really see any reason why it shouldn't run as root, we're not running any externally available services here. We can go with a dedicated user if you really think it's an issue though. One problem I had was that I couldn't think of a good name for one, suggestions? Wladimir Palant 2014/07/25 11:11:02 The reason is that we have less reason to worry ab Show quoted text On 2014/07/25 10:31:15, Felix H. Dahlke wrote: > I actually started out having a dedicated user for this, but it's more hassle, > and I didn't really see any reason why it shouldn't run as root, we're not > running any externally available services here. The reason is that we have less reason to worry about the quality of our sitescripts contents (security-wise and otherwise). Show quoted text > We can go with a dedicated user if you really think it's an issue though. Yes, please. Show quoted text > One > problem I had was that I couldn't think of a good name for one, suggestions? sitescripts? Felix Dahlke 2014/07/25 14:17:56 Done. Show quoted text On 2014/07/25 11:11:02, Wladimir Palant wrote: > On 2014/07/25 10:31:15, Felix H. Dahlke wrote: > > I actually started out having a dedicated user for this, but it's more hassle, > > and I didn't really see any reason why it shouldn't run as root, we're not > > running any externally available services here. > > The reason is that we have less reason to worry about the quality of our > sitescripts contents (security-wise and otherwise). > > > We can go with a dedicated user if you really think it's an issue though. > > Yes, please. > > > One > > problem I had was that I couldn't think of a good name for one, suggestions? > > sitescripts? Done.
	118 minute => '*/10',

	119 require => Exec['update_update_manifests']

	120 }

47 }	121 }

OLD	NEW