theforeman · ehelms · Sep 13, 2024 · Aug 16, 2024 · ekohl · Sep 13, 2024
diff --git a/Vagrantfile b/Vagrantfile
@@ -134,4 +134,15 @@ Vagrant.configure("2") do |config|
       provider.vm.box_url = CENTOS_9_BOX_URL
     end
   end
+
+  config.vm.define "repo-rpm" do |override|
+    override.vm.hostname = "repo-rpm"
+    override.vm.box = "centos/stream9"
+
+    override.vm.provider "libvirt" do |libvirt, provider|
+      libvirt.memory = "2048"
+      libvirt.machine_virtual_size = 40
+      provider.vm.box_url = CENTOS_9_BOX_URL
+    end
+  end
 end
diff --git a/puppet/data/common.yaml b/puppet/data/common.yaml
@@ -2,6 +2,7 @@
 stable_release: '3.11'
 profiles::web::stable: '%{alias("stable_release")}'
 profiles::repo::deb::stable: '%{alias("stable_release")}'
+profiles::repo::rpm::stable_foreman: '%{alias("stable_release")}'
 
 backup_servicename: 'backups.theforeman.org'
 backup_username: 'backup-%{facts.networking.hostname}'
@@ -241,3 +242,13 @@ sudo::wheel_config: password
 redmine::https: true
 
 apache::default_vhost: false
+
+rsync_usernames:
+  - 'ehelms'
+  - 'ekohl'
+  - 'evgeni'
+  - 'Odilhao'
+  - 'pcreech'
+  - 'zhunting'
+
+web::vhost::stagingrpm::usernames: '%{alias("rsync_usernames")}'
diff --git a/puppet/data/vagrant.yaml b/puppet/data/vagrant.yaml
@@ -23,5 +23,6 @@ profiles::jenkins::node::swap_size_mb: 0
 profiles::web::https: false
 
 profiles::repo::deb::https: false
+profiles::repo::rpm::https: false
 
 redmine::https: false
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
@@ -46,3 +46,8 @@
   include profiles::base
   include profiles::repo::deb
 }
+
+node /^repo-rpm\d+\.[a-z]+\.theforeman\.org$/ {
+  include profiles::base
+  include profiles::repo::rpm
+}
diff --git a/puppet/modules/profiles/manifests/repo/rpm.pp b/puppet/modules/profiles/manifests/repo/rpm.pp
@@ -0,0 +1,25 @@
+# @summary A profile for the rpm repo machines
+#
+# @param stable_foreman
+#   Latest Foreman release that users expect
+#
+# @param https
+#   Whether to enable HTTPS. This is typically wanted but can only be enabled
+#   in a 2 pass setup. First Apache needs to run for Letsencrypt to function.
+#   Then Letsencrypt can be enabled. Also useful to turn off in test setups.
+class profiles::repo::rpm (
+  String[1] $stable_foreman,
+  Boolean $https = true,
+) {
+  class { 'web':
+    https => $https,
+  }
+  contain web
+
+  class { 'web::vhost::rpm':
+    stable_foreman => $stable_foreman,
+  }
+  contain web::vhost::rpm
+
+  contain web::vhost::stagingrpm
+}
diff --git a/puppet/modules/web/files/rpm/pulpcore-HEADER.html b/puppet/modules/web/files/rpm/pulpcore-HEADER.html
@@ -0,0 +1,3 @@
+<h1>Pulpcore packages</h1>
+
+These are RPM builds for <a href="https://pulpproject.org">Pulp 3</a> and various plugins for use by <a href="https://theforeman.org/plugins/katello/">Katello</a>. They are only intended to be used by Katello. Only branches used by Katello are maintained. No explicit end of life announcements will be made.
diff --git a/puppet/modules/web/files/rpm/robots.txt b/puppet/modules/web/files/rpm/robots.txt
@@ -0,0 +1,3 @@
+User-agent: *
+Disallow: /foreman/nightly/
+Disallow: /pulpcore/nightly/
diff --git a/puppet/modules/web/files/stagingrpm/robots.txt b/puppet/modules/web/files/stagingrpm/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
diff --git a/puppet/modules/web/manifests/vhost/rpm.pp b/puppet/modules/web/manifests/vhost/rpm.pp
@@ -0,0 +1,106 @@
+# @summary Set up the rpm vhost
+# @api private
+class web::vhost::rpm (
+  String[1] $stable_foreman,
+  Stdlib::Fqdn $servername = 'rpm.theforeman.org',
+  Stdlib::Absolutepath $rpm_directory = '/var/www/vhosts/rpm/htdocs',
+  Stdlib::Absolutepath $rpm_staging_directory = '/var/www/vhosts/stagingrpm/htdocs/',
+  String $user = 'rpmrepo',
+) {
+  $rpm_directory_config = [
+    {
+      path            => $rpm_directory,
+      options         => ['+Indexes', '+FollowSymLinks'],
+      expires_active  => 'on',
+      expires_default => 'access plus 2 minutes',
+    },
+    {
+      path            => '.+\.(bz2|gz|rpm|xz)$',
+      provider        => 'filesmatch',
+      expires_active  => 'on',
+      expires_default => 'access plus 30 days',
+    },
+    {
+      path            => 'repomd.xml',
+      provider        => 'files',
+      expires_active  => 'on',
+      expires_default => 'access plus 2 minutes',
+    },
+  ]
+
+  $deploy_rpmrepo_context = {
+    'servername'           => $servername,
+    'rpm_directory'        => $rpm_directory,
+    'rpm_staging_directory' => $rpm_staging_directory,
+  }
+
+  secure_ssh::receiver_setup { $user:
+    user           => $user,
+    foreman_search => 'host ~ node*.jenkins.osuosl.theforeman.org and (name = external_ip4 or name = external_ip6)',
+    script_content => epp('web/deploy-rpmrepo.sh.epp', $deploy_rpmrepo_context),
+  }
+
+  include apache::mod::expires
+  include apache::mod::dir
+  include apache::mod::autoindex
+  include apache::mod::alias
+  include apache::mod::mime
+
+  web::vhost { 'rpm':
+    servername    => $servername,
+    docroot       => $rpm_directory,
+    docroot_owner => $user,
+    docroot_group => $user,
+    docroot_mode  => '0755',
+    directories   => $rpm_directory_config,
+  }
+
+  if $facts['os']['family'] == 'RedHat' {
+    package { 'createrepo_c':
+      ensure => present,
+    }
+  }
+
+  file { "${rpm_directory}/robots.txt":
+    ensure  => file,
+    owner   => $user,
+    group   => $user,
+    mode    => '0644',
+    content => file('web/rpm/robots.txt'),
+  }
+
+  file { "${rpm_directory}/HEADER.html":
+    ensure  => file,
+    owner   => $user,
+    group   => $user,
+    mode    => '0644',
+    content => epp("${module_name}/rpm/HEADER.html.epp", {
+        'stable_foreman' => $stable_foreman,
+        'servername'     => $servername,
+    }),
+  }
+
+  ['candlepin', 'foreman', 'pulpcore'].each |$directory| {
+    file { ["${rpm_directory}/${directory}"]:
+      ensure => directory,
+      owner  => $user,
+      group  => $user,
+      mode   => '0755',
+    }
+
+    exec { "fastly-purge-${directory}-latest":
+      command     => "fastly-purge-find 'https://${servername}' ${rpm_directory} ${directory}/latest/",
+      path        => '/bin:/usr/bin:/usr/local/bin',
+      require     => File['/usr/local/bin/fastly-purge-find'],
+      refreshonly => true,
+    }
+  }
+
+  file { "${rpm_directory}/pulpcore/HEADER.html":
+    ensure  => file,
+    owner   => $user,
+    group   => $user,
+    mode    => '0644',
+    content => file('web/rpm/pulpcore-HEADER.html'),
+  }
+}
diff --git a/puppet/modules/web/manifests/vhost/stagingrpm.pp b/puppet/modules/web/manifests/vhost/stagingrpm.pp
@@ -0,0 +1,88 @@
+# @summary Set up the rpm staging vhost
+# @api private
+class web::vhost::stagingrpm (
+  Array[String[1]] $usernames,
+  Stdlib::Fqdn $servername = 'stagingrpm.theforeman.org',
+  Stdlib::Absolutepath $rpm_staging_directory = '/var/www/vhosts/stagingrpm/htdocs',
+  String $user = 'rpmrepostage',
+  Stdlib::Absolutepath $home = "/home/${user}",
+) {
+  $rpm_staging_directory_config = [
+    {
+      path            => $rpm_staging_directory,
+      options         => ['Indexes', 'FollowSymLinks'],
+      expires_active  => 'on',
+      expires_default => 'access plus 2 minutes',
+    },
+    {
+      path            => '.+\.(bz2|gz|rpm|xz)$',
+      provider        => 'filesmatch',
+      expires_active  => 'on',
+      expires_default => 'access plus 30 days',
+    },
+    {
+      path            => 'repomd.xml',
+      provider        => 'files',
+      expires_active  => 'on',
+      expires_default => 'access plus 2 minutes',
+    },
+  ]
+
+  include apache::mod::expires
+  include apache::mod::dir
+  include apache::mod::autoindex
+  include apache::mod::alias
+  include apache::mod::mime
+
+  $authorized_keys = flatten($usernames.map |$name| {
+      split(file("users/${name}-authorized_keys"), "\n")
+  })
+
+  secure_ssh::rsync::receiver_setup { $user:
+    user            => $user,
+    homedir         => $home,
+    homedir_mode    => '0750',
+    foreman_search  => 'host ~ node*.jenkins.*.theforeman.org and (name = external_ip4 or name = external_ip6)',
+    authorized_keys => $authorized_keys,
+    script_content  => epp("${module_name}/deploy-stagingrpm.sh.epp", {
+        'home'                  => $home,
+        'rpm_staging_directory' => $rpm_staging_directory,
+    }),
+  }
+
+  web::vhost { 'stagingrpm':
+    servername    => $servername,
+    docroot       => $rpm_staging_directory,
+    docroot_owner => $user,
+    docroot_group => $user,
+    docroot_mode  => '0755',
+    directories   => $rpm_staging_directory_config,
+  }
+
+  file { "${rpm_staging_directory}/robots.txt":
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => file('web/stagingrpm/robots.txt'),
+  }
+
+  file { "${rpm_staging_directory}/HEADER.html":
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => epp("${module_name}/stagingrpm/HEADER.html.epp", {
+        'servername' => $servername,
+    }),
+  }
+
+  ['candlepin', 'foreman', 'pulpcore'].each |$directory| {
+    file { ["${rpm_staging_directory}/${directory}"]:
+      ensure => directory,
+      owner  => $user,
+      group  => $user,
+      mode   => '0755',
+    }
+  }
+}
diff --git a/puppet/modules/web/manifests/vhost/stagingyum.pp b/puppet/modules/web/manifests/vhost/stagingyum.pp
@@ -1,11 +1,11 @@
 # @summary Set up the yum vhost
 # @api private
 class web::vhost::stagingyum (
+  Array[String[1]] $usernames,
   Stdlib::Fqdn $servername = 'stagingyum.theforeman.org',
   Stdlib::Absolutepath $yum_directory = '/var/www/vhosts/stagingyum/htdocs',
   String $user = 'yumrepostage',
   Stdlib::Absolutepath $home = "/home/${user}",
-  Array[String[1]] $usernames = ['ehelms', 'evgeni', 'ekohl', 'Odilhao', 'pcreech', 'zhunting'],
 ) {
   $yum_directory_config = [
     {