feat: split reposync into two roles (#307)

- reposync and packagerepo web service
- change backing datastore to be cephfs /shared/app/packagerepo

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/307

hieradata/roles/infra/reposync/repo.yaml

@@ -0,0 +1,41 @@
+---
+hiera_include:
+  - profiles::reposync::webserver
+
+profiles::ssh::sign::principals:
+  - packagerepo.service.consul
+  - packagerepo.query.consul
+  - "packagerepo.service.%{facts.country}-%{facts.region}.consul"
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - packagerepo.main.unkin.net
+  - packagerepo.service.consul
+  - packagerepo.query.consul
+  - "packagerepo.service.%{facts.country}-%{facts.region}.consul"
+
+# configure consul service
+consul::services:
+  jupyterhub:
+    service_name: 'packagerepo'
+    tags:
+      - 'packagerepo'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'packagerepo_http_check'
+        name: 'packagerepo HTTP Check'
+        http: "https://%{facts.networking.fqdn}"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: packagerepo
+    disposition: write
+
+profiles::reposync::webserver::nginx_listen_mode: both
+profiles::reposync::webserver::nginx_cert_type: vault
+profiles::reposync::webserver::www_root: /shared/apps/packagerepo/snap
+profiles::reposync::webserver::cache_root: /data/repos/cache

hieradata/roles/infra/reposync/syncer.yaml

@@ -2,41 +2,6 @@
 profiles::packages::include:
   createrepo: {}
 
-profiles::ssh::sign::principals:
-  - packagerepo.service.consul
-  - packagerepo.query.consul
-  - "packagerepo.service.%{facts.country}-%{facts.region}.consul"
-
-# additional altnames
-profiles::pki::vault::alt_names:
-  - packagerepo.main.unkin.net
-  - packagerepo.service.consul
-  - packagerepo.query.consul
-  - "packagerepo.service.%{facts.country}-%{facts.region}.consul"
-
-# configure consul service
-consul::services:
-  jupyterhub:
-    service_name: 'packagerepo'
-    tags:
-      - 'packagerepo'
-    address: "%{facts.networking.ip}"
-    port: 443
-    checks:
-      - id: 'packagerepo_http_check'
-        name: 'packagerepo HTTP Check'
-        http: "https://%{facts.networking.fqdn}"
-        method: 'GET'
-        tls_skip_verify: true
-        interval: '10s'
-        timeout: '1s'
-profiles::consul::client::node_rules:
-  - resource: service
-    segment: packagerepo
-    disposition: write
-
-profiles::reposync::webserver::nginx_listen_mode: both
-profiles::reposync::webserver::nginx_cert_type: vault
 profiles::reposync::repos_list:
   almalinux_9_5_baseos:
     repository: 'baseos'

site/profiles/manifests/reposync/autosyncer.pp

@@ -1,6 +1,6 @@
 # setup the autosyncer
 class profiles::reposync::autosyncer (
-  Stdlib::Absolutepath $basepath = '/data/repos',
+  Stdlib::Absolutepath $basepath = '/shared/apps/packagerepo',
 ) {
 
   # Ensure the autosyncer script is present and executable

site/profiles/manifests/reposync/repos.pp

@@ -8,7 +8,7 @@ define profiles::reposync::repos (
   String          $arch = 'x86_64',
   String          $repo_owner = 'root',
   String          $repo_group = 'root',
-  Stdlib::Absolutepath $basepath = '/data/repos',
+  Stdlib::Absolutepath $basepath = '/shared/apps/packagerepo',
   Optional[Stdlib::HTTPUrl] $baseurl = undef,
   Optional[Stdlib::HTTPUrl] $mirrorlist = undef,
 ){

site/profiles/manifests/reposync/syncer.pp

@@ -3,7 +3,6 @@ class profiles::reposync::syncer {
 
   include profiles::reposync::autosyncer
   include profiles::reposync::autopromoter
-  include profiles::reposync::webserver
 
   # Ensure the reposync config path exists
   file { '/etc/reposync':

site/profiles/manifests/reposync/webserver.pp

@@ -92,6 +92,10 @@ class profiles::reposync::webserver (
     proxy_cache_max_size  => '30000m',
     proxy_cache_inactive  => '60d',
     proxy_temp_path       => "${cache_root}/tmp",
+    require               => [
+      Mkdir::P[$cache_root],
+      Mkdir::P[$www_root]
+    ]
   }
 
   # create the nginx vhost with the merged parameters
@@ -131,15 +135,6 @@ class profiles::reposync::webserver (
     }
   }
 
-  # export cnames for webserver
-  profiles::dns::record { "${::facts['networking']['fqdn']}_repos.main.unkin.net_CNAME":
-    value  => $::facts['networking']['hostname'],
-    type   => 'CNAME',
-    record => 'repos.main.unkin.net.',
-    zone   => $::facts['networking']['domain'],
-    order  => 10,
-  }
-
   if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
 
     # set httpd_sys_content_t to all files under the www_root

site/profiles/templates/reposync/autosyncer.erb

@@ -29,6 +29,9 @@ download_gpg_key() {
   curl -s --create-dirs -o "${basepath}/live/${reponame}/${filename}" "$gpgkeyurl" || {
     echo "Failed to download GPG key from $gpgkeyurl"
   }
+
+  # import the gpg key
+  rpm --import "${basepath}/live/${reponame}/${filename}" || echo "Failed to import gpg key ${basepath}/live/${reponame}/${filename}"
 }
 
 # Function to perform rsync with hard links

site/roles/manifests/infra/reposync/repo.pp

@@ -0,0 +1,11 @@
+# a role to deploy the webserver for packagerepo
+class roles::infra::reposync::repo {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::base::datavol
+  }
+}

site/roles/manifests/infra/reposync/syncer.pp

@@ -1,4 +1,4 @@
-# a role to deploy a packagerepo
+# a role to deploy the syncer/promoter for packagerepo
 class roles::infra::reposync::syncer {
   if $facts['firstrun'] {
     include profiles::defaults