Diffstat (limited to 'global')
-rw-r--r--global/overlay/etc/cosmos/keys/leifj-0AD478D6.pub57
-rw-r--r--global/overlay/etc/puppet/cosmos-rules.yaml2
-rw-r--r--global/overlay/etc/puppet/manifests/cosmos-site.pp6
-rw-r--r--global/overlay/etc/puppet/puppet.conf1
-rwxr-xr-xglobal/post-tasks.d/018packages98
5 files changed, 152 insertions, 12 deletions
diff --git a/global/overlay/etc/cosmos/keys/leifj-0AD478D6.pub b/global/overlay/etc/cosmos/keys/leifj-0AD478D6.pub
new file mode 100644
index 0000000..de47bd1
--- /dev/null
+++ b/global/overlay/etc/cosmos/keys/leifj-0AD478D6.pub
@@ -0,0 +1,57 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.14 (GNU/Linux)
+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+=P2xq
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 2244c7a..137bd28 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -4,3 +4,5 @@
'^cdr\d+\.sunet\.se$':
sunet-cdr:
sunet:
+'\.swamid\.se$':
+ swamid:
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index 1e4e857..8b161a2 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -13,7 +13,7 @@ Exec {
#include cosmos::preseed
include ufw
include apt
-include cosmos
+#include cosmos
# you need a default node
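Review bot: `#include cosmos` is left as a commented-out line with no reason recorded, so a reader of cosmos-site.pp cannot tell whether the class is retired or only disabled while the module layout changes. Replace the bare comment with one that states the reason, e.g. `# include cosmos -- disabled: <reason, TODO>`, or delete the line if the class is gone for good. The surrounding node block starts before this hunk.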
@@ -275,3 +275,7 @@ class sunet-cdr {
class { 'sunet-dhcp-hosts': }
}
+
+class swamid {
+ sunet::server { 'sunet_server': }
+}
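Review bot: `class swamid` declares `sunet::server`, but no module providing that class is part of this commit (the diffstat lists five files, none of them a module), so it presumably arrives through the new `modulepath` entry in puppet.conf. A one-line comment above the class naming where `sunet::server` comes from, e.g. `# sunet::server is supplied by the signature-verified cosmos-modules tree`, would save the next reader the search. The indentation of the resource line (one space) also differs from the four-space style of `class sunet-cdr` just above.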
diff --git a/global/overlay/etc/puppet/puppet.conf b/global/overlay/etc/puppet/puppet.conf
index 0ba85f4..a269892 100644
--- a/global/overlay/etc/puppet/puppet.conf
+++ b/global/overlay/etc/puppet/puppet.conf
@@ -7,6 +7,7 @@ factpath=$vardir/lib/facter
templatedir=$confdir/templates
node_terminus = exec
external_nodes = /etc/puppet/cosmos_enc.py
+modulepath = /etc/puppet/modules:/etc/puppet/cosmos-modules:/usr/share/puppet/modules
[master]
# These are needed when the puppetmaster is run by passenger
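Review bot: `/etc/puppet/modules` stays ahead of `/etc/puppet/cosmos-modules` in the new `modulepath`, and Puppet takes a module from the first directory on the path that holds it, so a module left behind in `/etc/puppet/modules` (where the previous version of `018packages` cloned modules) shadows a signature-verified copy of the same name in `cosmos-modules`. If the verified tree is meant to win, list it first; either way a comment next to the setting should record the precedence, e.g. `# cosmos-modules holds signature-verified modules staged by post-tasks.d/018packages`.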
diff --git a/global/post-tasks.d/018packages b/global/post-tasks.d/018packages
index 9e25e69..57dff1a 100755
--- a/global/post-tasks.d/018packages
+++ b/global/post-tasks.d/018packages
@@ -1,16 +1,92 @@
-#!/bin/sh
+#!/bin/bash
+
+CONFIG=${CONFIG:=/etc/puppet/cosmos-modules.conf}
+CACHE_DIR=/var/cache/puppet-modules
+MODULES_DIR=${MODULES_DIR:=/etc/puppet/cosmos-modules}
+GIT_TAG_PATTERN=${COSMOS_UPDATE_VERIFY_GIT_TAG_PATTERN:-multiverse*}
+export GNUPGHOME=/etc/cosmos/gnupg
python -c "import yaml" 2>/dev/null || apt-get -y install python-yaml
-if [ -f /etc/puppet/cosmos-modules.conf ]; then
- grep -E -v "^#" /etc/puppet/cosmos-modules.conf | (
- cd /etc/puppet/modules && while read module src update; do
- if [ ! -d /etc/puppet/modules/$module ]; then
- echo $src | grep -q "://" && git clone $src $module || puppet module install $src
- else
- if [ "x$update" = "xyes" ]; then
- echo $src | grep -q "://" && (cd /etc/puppet/modules/$module && git pull -q) || puppet module upgrade $src
+
+stage_module() {
+ rm -rf $CACHE_DIR/staging/$1
+ git archive --format=tar --prefix=$1/ $2 | (cd $CACHE_DIR/staging/ && tar xf -)
+}
+
+if [ -f $CONFIG ]; then
+ if [ ! -d $MODULES_DIR ]; then
+ mkdir -p $MODULES_DIR
+ fi
+ if [ ! -d $CACHE_DIR ]; then
+ mkdir -p $CACHE_DIR/{scm,staging}
+ fi
+
+ # First pass to clone any new modules, and update those marked for updating.
+ grep -E -v "^#" $CONFIG | (
+ while read module src update; do
+ # We only support git:// urls atm
+ if [ "${src:0:6}" = "git://" ]; then
+ if [ ! -d $CACHE_DIR/scm/$module ]; then
+ git clone -q $src $CACHE_DIR/scm/$module
+ elif [ -d $CACHE_DIR/scm/$module/.git ]; then
+ if [ "$update" = "yes" ]; then
+ cd $CACHE_DIR/scm/$module
+ git pull -q
+ else
+ continue
fi
- fi
- done)
+ else
+ echo "ERROR: Ignoring non-git repository"
+ continue
+ fi
+ fi
+ done
+ )
+
+ # Second pass to verify the signatures on all modules and stage those that
+ # have good signatures.
+ grep -E -v "^#" $CONFIG | (
+ while read module src update; do
+ # We only support git:// urls atm
+ if [ "${src:0:6}" = "git://" ]; then
+ # Verify git tag
+ cd $CACHE_DIR/scm/$module
+ TAG=$(git tag -l $GIT_TAG_PATTERN | sort | tail -1)
+ if [ "$COSMOS_VERBOSE" = "y" ]; then
+ echo ""
+ echo "Checking signature on tag ${TAG} for puppet-module $module"
+ fi
+ if [ -z "$TAG" ]; then
+ echo "ERROR: No git tag found for pattern '$GIT_TAG_PATTERN' on puppet-module $module"
+ continue
+ fi
+ fail=1
+ git tag -v $TAG > /dev/null 2>&1 && fail=0
+ if [ $fail == 0 ]; then
+ if [ "$COSMOS_VERBOSE" = "y" ]; then
+ # short output on good signature
+ git tag -v $TAG 2>&1 | grep "gpg: Good signature"
+ fi
+ # Put archive in staging since tag verified OK
+ stage_module $module $TAG
+ else
+ echo "################################################################"
+ echo "FAILED signature check on puppet-module $module"
+ echo "################################################################"
+ git tag -v $TAG
+ fi
+ fi
+ done
+ )
+
+ # Cleanup removed puppet modules from CACHE_DIR
+ for MODULE in $(ls -1 $CACHE_DIR/staging/); do
+ if ! grep -E -q "^$MODULE\s+" $CONFIG; then
+ rm -rf $CACHE_DIR/{scm,staging}/$MODULE
+ fi
+ done
+
+ # Installing verified puppet modules
+ rsync --archive --delete $CACHE_DIR/staging/ $MODULES_DIR/
fi
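Review bot: `cd $CACHE_DIR/scm/$module` in the second pass has no failure check, and since the first pass ignores `git clone` errors, a module whose clone failed leaves the loop in the previous iteration's working directory, where `git tag -l`, `git tag -v` and `stage_module $module $TAG` then operate on the previous module's repository and stage that repository's tree under the new module's name; change it to `cd "$CACHE_DIR/scm/$module" || continue` (the first-pass `cd` before `git pull -q` should get the same guard). The tag selection `git tag -l $GIT_TAG_PATTERN | sort | tail -1` orders lexically, so a `multiverse-9` tag sorts after `multiverse-10`; `sort -V` gives version order. Module names and URLs read from the config are expanded unquoted throughout, including `rm -rf $CACHE_DIR/staging/$1` and `rm -rf $CACHE_DIR/{scm,staging}/$MODULE`, and `$MODULE` is also interpolated into the `grep -E` pattern; quoting them and passing `--` keeps a name with whitespace, a leading `/` or regex metacharacters from escaping the cache directory or matching the wrong line. The `ERROR:` messages go to stdout rather than stderr, which matters once this script's output is captured by the cosmos run.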