First working version

.kitchen.yml

@@ -2,10 +2,6 @@
 driver:
   name: vagrant
   box_check_update: true
-  # network:
-  #   - ["forwarded_port", {guest: 80, host: 8977}]
-  # synced_folders:
-  #   - ["data/%{instance_name}", "/tmp/data", "type: :rsync"]
 
 provisioner:
   require_chef_omnibus: false
@@ -42,3 +38,12 @@ suites:
     run_list:
       - recipe[debmirror]
     attributes:
+      debmirror:
+        mirrors:
+          cvmfs:
+            server: cvmrepo.web.cern.ch
+            path: /cvmrepo/apt
+            release:
+              - buster-prod
+            key: "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQGiBEuGP6YRBADV89cbF4uoEX89Q8uxOklIDVJhOJAFKZ33LSdzHv3iObnjo5w4\nwbb8FiSir4oWgarAco4u0kR1yKjHJ33oVB2xmPOzW3NWoHI7aPF7tCgo7FY9hNoC\n4NEkNycvbfSoCScsv2yY5qz2q2sY1LWGZGbUXjBvKbmASe9sJFKJV7NsmwCg76W/\naMazleHyDtooD8tk3ZWvpKcD/Rg51Oad+ZLc7h45wDMHpaDvOBeGoyp+k7JgQd87\nHfXiJtg/Q6zyTwrV3vCQvMpw3GRjRkZBcPgRWb6rUk68dL8fa2cTxhISX5/DIQzc\nmmuDa0EgCGGAKUZ4bHqaexFFnp/B+VKBPvJuxLa0cBDd6eewxNwtHJ90EaMeBzGd\n6zU2BADO9YbXiEMqRkfVLnuvD5G31/WJZvffXCxspnSfg923DbILWa4vNW9MLMsK\nIVHvyVr0mZF8xdyQNVPUX3/4uahKM4hwuFqdbyjuLGEIF3U73aIJ0+YDep/+I6yU\nJGHnxy8Ex+a1XIhJ1hSI7+oalSdt+w/pE3+2MQyUfSDPSXVA3LQ+Q2VyblZNIEFk\nbWluaXN0cmF0b3IgKGN2bWFkbWluKSA8Y2VybnZtLmFkbWluaXN0cmF0b3JAY2Vy\nbi5jaD6IXgQTEQIAHgIbAwYLCQgHAwIDFQIDAxYCAQIeAQIXgAUCVwOYkgAKCRAj\nDTidiuRc50E1AJ9AYvH/cydD7029jxGcs8K87lo3jACdEhbCj3cjPsp2U/WfpgK1\nBQOMiwe5Ag0ES4Y/qBAIAL3sWKXQKpbIOpwX+mNX2IV2XxNBM3KYjYOEii66i9ap\nPo3BA39a9Wm9vh1kYIHTkh9Qqb8w53hc4ANkVT+cYzxXythGBjWoLtwCzKCPrIb7\nRQJRc956Ot0q4qmlcUEGi5zefSIoJZR5jyR7rZS+1PNJYI05xY2+Eah1u9UxrlzB\nH5DCsvUqTNK12WrPIibmLo8u+yIDJjwgh9O5YITC+et/g47NLfZdiAGPLEjvJFRi\n7Ju+8ywO32dSVBPJQDktr5BC950DKZHA9n+sJ63iF3lP/aCTECpxxUqXVVqioobw\ng5ytl60hw9I9sfwBP6z9PR90RcyT1l4giiBz9LV+KpcAAwUIAKeAxArGaJxzWziK\ns7D8TTuE50Nw+S3RGhVzwSKy7183Z11iOEMqbm2/zwp65wFkntCKmLKDnGsTgFNp\nstIyFwJmj34Axp7N3KGqXnTI+SIQd6VmzQ1phxfCOw8IGueOR6YI7S1GYWt7Dose\nZKz4EWdvXCOkQAhbxq/HT2c3ihxsuxrErxz7QtNaYOFXiuLj3mYH9XaMeEe8Pkl+\nyyRTvyUNlMIu/i79qf+QUlsi10nCUm88cSXQiKWOJ4GiUoT+jD7pN4ohdALRVl0t\nl/EyPTw+asG3lQhPZ+solvJXp+i7KF7nwnyXDB63WNH15S1pQLMnqCuGCFyegf6j\nnOJU0AqISQQYEQIACQIbDAUCVwOYgwAKCRAjDTidiuRc534jAKDu/9BZU3rirEMr\nDuGbmN3ulUM+UgCfe7lg5qrGXUzZlJFTnTaTgS3Z0Rg=\n=fspm\n-----END PGP PUBLIC KEY BLOCK-----\n"
+            rsync_extra: none

attributes/default.rb

+# defaulf basedir for mirrored repositories
+default_unless['debmirror']['base_dir'] = '/srv/debmirror'
+
+# keyring where debmirror looks for repository keys
+default_unless['debmirror']['keyring'] = node['debmirror']['base_dir'] + "/.gnupg/trustedkeys.gpg"
+
+# the user that runs the scripts:
+default_unless['debmirror']['mirrors'] = {}
+
+# the directory the generated debmirror scripts are placed into:
+default_unless['debmirror']['script_dir'] = '/etc/debmirror.d'
+
+# the user that runs the scripts:
+default_unless['debmirror']['user'] = 'nobody'
+
+default_unless['debmirror']['cron'] = {
+  day: '*',
+  hour: 2,
+  minute: 42
+}

recipes/default.rb

-#
 # Cookbook Name:: debmirror
 # Recipe:: default
 #
-# Copyright 2020, GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
+# Copyright 2013-2021 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
+#
+# Authors:
+#  Christopher Huhn   <C.Huhn@gsi.de>
+#  Dennis Klein       <d.klein@gsi.de>
+#  Victor Penso       <v.penso@gsi.de>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -15,5 +19,41 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #
+
+package 'debmirror'
+
+# Holds the script to sync with package archives
+directory node['debmirror']['script_dir']
+
+# Holds the mirrored repositories:
+directory node['debmirror']['base_dir']
+
+# Configure all mirrors defined by attributes
+node['debmirror']['mirrors'].each do |name, conf|
+  debmirror_repository name do
+    server       conf['server']
+    proto        conf['method']  if conf['method']
+    path         conf['path']
+    distribution conf['release'] if conf['release']
+    components   conf['section'] if conf['section']
+    deb_src      conf['deb_src'] if conf['deb_src']
+    arch         conf['arch']    if conf['arch']
+    key          conf['key']
+    rsync_extra  conf['rsync_extra']
+  end
+end
+
+# FIXME: cron_d instead
+cron 'debmirror_update' do
+  user   node['debmirror']['user']
+  minute node['debmirror']['cron']['minute']
+  hour   node['debmirror']['cron']['hour']
+  day    node['debmirror']['cron']['day']
+  mailto node['debmirror']['notify'] if node['debmirror']['notify']
+  home   node['debmirror']['base_dir']
+  # we cannot prevent this error message:
+  #  therefore we don't `run-parts --report`
+  command "run-parts --regex=.sh$ #{node['debmirror']['script_dir']}"
+end

resources/repository.rb

+#
+# Copyright 2013-2021 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
+#
+# Authors:
+#  Christopher Huhn   <c.huhn@gsi.de>
+#  Dennis Klein       <d.klein@gsi.de>
+#  Victor Penso       <v.penso@gsi.de>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+property :arch,         Array,  default: ['amd64']
+property :components,   Array,  default: %w[main]
+property :deb_src,      [true, false], default: false
+property :distribution, Array,  default: [ node['lsb']['codename'] ]
+property :user,         String, default: node['debmirror']['user']
+property :key,          [String, nil]
+property :keyring,      [String, nil], default: node['debmirror']['keyring']
+property :server,       String, default: 'deb.debian.org'
+property :proto,        String, default: 'http'
+property :path,         String, default: "/"
+property :mirror_dir,   [String, nil]
+property :options,      Array,  default: []
+property :script_dir,   String, default: node['debmirror']['script_dir']
+property :rsync_extra,  [Array, String, nil],
+         # turn strings into an array, default to ['trace']
+         coerce: proc { |x| x.is_a?(String) ? Array[x] : x.nil? ? %w[trace] : x }
+
+default_action :add
+
+action :add do
+
+  # TODO: use ruby-gpgme for key management
+  if new_resource.key
+
+    package 'gnupg'
+
+    home = node['debmirror']['base_dir']
+    keyring = new_resource.keyring
+
+    directory ::File.dirname(keyring) do
+      owner new_resource.user
+    end
+
+    # fingerprint = `gpg --with-colons --with-fingerprint <<<"#{new_resource.key}" | grep ...`
+
+    # TODO: avoid re-runs
+    execute "Adding repository key for #{new_resource.name}" do
+      command "gpg --no-default-keyring --keyring #{keyring}" \
+              " --import <<-EOD\n#{new_resource.key}\nEOD"
+      user user
+      # without $HOME gpg tries to create /root/.gnupg :(
+      environment( 'HOME' => home )
+      # not_if { `gpg --no-default-keyring --keyring #{keyring} --with-colons --fingerprint`match %r{^fpr:+#{fingerpring}:$} }
+    end
+  end
+
+  storage = new_resource.mirror_dir ||
+            "#{node['debmirror']['base_dir']}/#{new_resource.name}"
+
+  # Make sure the archive directory exists
+  directory storage do
+    owner new_resource.user
+    recursive true
+  end
+
+  # Generate the mirror script
+  template "#{new_resource.script_dir}/#{new_resource.name}.sh" do
+    source 'debmirror.sh.erb'
+    mode '0755'
+    variables(
+      release: new_resource.distribution,
+      arch:    new_resource.arch,
+      section: new_resource.components,
+      server:  new_resource.server,
+      proto:   new_resource.proto,
+      path:    new_resource.path,
+      storage: storage,
+      keyring: new_resource.keyring,
+      options: new_resource.options,
+      rsync_extra: new_resource.rsync_extra
+    )
+  end
+end
+
+action :remove do
+  file "#{script_dir}/#{name}.sh" do
+    action :remove
+  end
+
+  # TODO: Remove key from keyring?
+end

templates/default/debmirror.sh.erb

+#!/bin/bash
+#
+# generated by Chef from the debmirror cookbook
+#
+
+# Architecture (i386, powerpc, amd64, etc.)
+arch=<%= @arch.join(',') %>
+
+# Section (main,contrib,non-free)
+section=<%= @section.join(',') %>
+
+# Release of the system (squeeze,lenny,stable,testing,etc)
+release=<%= @release.join(',') %>
+
+# Server name, minus the protocol and the path at the end
+server=<%= @server %>
+
+# Path from the main server, so http://my.web.server/$dir, Server dependant
+path=<%= @path %>
+
+# Protocol to use for transfer (http, ftp, hftp, rsync)
+proto=<%= @proto %>
+
+# Directory to store the mirror in
+storage=<%= @storage %>
+
+# Start script
+
+<%- if @rsync_extra == ['none'] -%>
+# filter out trace warning assuming we know what we are doing:
+error_filter() {
+  "$@" 2> >(sed -e '/Warning: --rsync-extra is not configured to mirror the trace files\.$/{N;/ *This configuration is not recommended\./d}' >&2)
+}
+
+error_filter <%- end -%>debmirror \
+            --dist $release \
+            --arch $arch \
+         --section $section \
+          --method $proto \
+            --host $server \
+            --root $path \
+         --keyring <%= @keyring %> \
+<%- if @rsync_extra -%>
+     --rsync-extra <%= @rsync_extra.join(',') %> \
+<%- end -%>
+<% @options.each do |option| %>
+<%= option %> \
+<% end -%>
+                   $storage "$@"

test/integration/debmirror/serverspec/localhost/default_spec.rb

+#
+# Copyright 2021 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
+#
+# Authors:
+#  Christopher Huhn   <c.huhn@gsi.de>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'spec_helper'
+
+describe file '/etc/debmirror.d/cvmfs.sh' do
+  it { should exist }
+end
+
+describe command 'gpg --no-default-keyring --list-keys --keyring /srv/debmirror/.gnupg/trustedkeys.gpg' do
+  its(:exit_status) { should be_zero }
+  its(:stdout) { should contain "CernVM Administrator" }
+  # its(:stderr) { should be_empty } # complains about "unsafe ownership on /home/vagrant/.gnupg"
+end
+
+describe command 'sudo -u nobody LC_ALL=C /etc/debmirror.d/cvmfs.sh --dry-run' do
+  its(:exit_status) { should be_zero }
+  its(:stdout) { should be_empty }
+  its(:stderr) { should be_empty }
+end
+
+describe command 'sudo -u nobody /etc/debmirror.d/cvmfs.sh --verbose --dry-run' do
+  its(:exit_status) { should be_zero }
+  its(:stdout) { should contain 'gpgv: Good signature from "CernVM Administrator' }
+  its(:stdout) { should contain 'All done.' }
+end
+
+describe file '/srv/debmirror/cvmfs' do
+  it { should exist }
+  it { should be_directory }
+end