Using the new update script to keep OpenDSA up to date.

files/opendsa/.ssh/id_rsa

------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA1GjnhseuHiZdIpo5vpn8nhX94ZG8PS5LFgyy03VZQigC6NSJ
-G0HeVV5PoiJNsisDh251d/50kALNpNCuiAZqBGw8SuKxIbev8M4hLyy3IMLK9frY
-Ap6cefolxq5d/ZEz46kkrEFCg7oJiqvADtrhPYwz1jcKiTzdL6936POnrKv6Pcq5
-yhCu+cJ9avWUhCuk41tIX0SI7hl0Lm2KtP8jfyBepWc6Lq8E0xVOmwqQtf0flddu
-g8RfuHFTscl8wnyMSGLWa4Ps+Ihu1zsis7bSfGZjdHbxQT382VxemfkzE6FNGTZM
-4CtafhvF3ZuxjIrx658pCA34JSiKe/4Zlm/c3wIDAQABAoIBAES3k3+FBg1299aD
-8n55LsKt9q6NCUr5uQzvGsNSSYgfjaFpcNnCm30ev8CCPISRadjcoWAqj+cvIPxb
-Druu54l6wp6vbAKufFr5NL8gRjZxDlw5xLxEN/c2OBZovruTyCe0xsp7altXSlL0
-cXPc19Wjj/mTYPM5H42XxME2Yl53xUPi8OKrnZzyEJjrcdLeq8a4yusjdJOidW6O
-wXkk/cDvtMeZZWEEu4nBL3vnU7hXvdF90crwNYqScd1lWIriqjfKhEpAvyrlASSW
-tqURkbw0WIYas+jSexLV/bqmgPydsOHJ15TXKtIYUejpPKB5WEdiMECc286fMLCx
-ogVGoZECgYEA/z/bl2/+El3smoEgNv2xpQIyXgKKp19figxm9xJIqbAcN66JAn1R
-EiOFiEy5o33q6Yz1sZ5/n4e3zoj8HiVZHNqkpBtuleZJJ7XBM/NcUH+OUrke+tlV
-q7arNlx9uN6liGp9SfJwKYtUSH13Z3O7sEAt7OX+mzWj527zDROZQHMCgYEA1QjM
-bFkZx83Nj4Qklo+GvgJhq0+Vr4hQd/hLZmgGo3dKZ3McXUmM70A0ETOxyp4zzMep
-Hi5wYa/qdtdVi25S38NExqxFO+JbuXrHoM1XyxzQ3DooV1goaKPybJjoB64zmycx
-D+Ni9MEwMsP1X8kxGQr4A1Nh37sm2hAhWoZCcuUCgYEA7oGG+SyGpjbpfT2nEntf
-4SX6VmndkaPGrEIGfFuzVgvfchA+qfrbJC3Y+pFm7WQde3phokTOUA0LLYxGuQyB
-BjsvmMChRqRWOyrUi2ydGAL4xEeCsTcfnEImHbezKmmxF5UZ2V0WfVtZuBq01hAI
-kxqFT1Vh4TnwG7NKnS9xBg0CgYBouXeMt8xlnXU03PgDj7DkTVVoGqpx7Ofp4gRm
-5jKFP0ozSrIh5dtDbeNqpWf8PAMo4unvLVMPoqP3IeoqreRNnbd8lwk95AvFRWdH
-VEqZTaQa7vgP4AWVUysEWbKOvAMgfYav0c8+lI22FwDTwprBPdQoBmBx1JXH0vAi
-iSe3RQKBgQCPutMegWA+vLupD12XWdde3M5hi4Cd/PxcvJwJrUSjjwlbkHr8EAkZ
-3MXK9o+1Ssj4Ipf1T7VUfdE5uaFJjGLLiPmMAoHbqqPo/0nnsk5JCqJuagmMup0O
-rOQmrvbbDLRXndhb3YeoCtehTiONTMzW+dsdbCrrdnx5AzV4Akwlqw==
------END RSA PRIVATE KEY-----

files/opendsa/.ssh/id_rsa.pub

-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUaOeGx64eJl0imjm+mfyeFf3hkbw9LksWDLLTdVlCKALo1IkbQd5VXk+iIk2yKwOHbnV3/nSQAs2k0K6IBmoEbDxK4rEht6/wziEvLLcgwsr1+tgCnpx5+iXGrl39kTPjqSSsQUKDugmKq8AO2uE9jDPWNwqJPN0vr3fo86esq/o9yrnKEK75wn1q9ZSEK6TjW0hfRIjuGXQubYq0/yN/IF6lZzourwTTFU6bCpC1/R+V126DxF+4cVOxyXzCfIxIYtZrg+z4iG7XOyKzttJ8ZmN0dvFBPfzZXF6Z+TMToU0ZNkzgK1p+G8Xdm7GMivHrnykIDfglKIp7/hmWb9zf opendsa@aes-devel.edu.liu.se

files/opendsa/.ssh/known_hosts

-gitlab.ida.liu.se,130.236.180.82 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAYihlTjGKAun+fT/4v1c7zW0+HmsniwuuxWMmHM+/Y1RK/31DyxV+oLpiACP+2cR/FJ5Ab2wGai4sgnrZqY+yDHHZFbTAThqXylJmIvm57U1J8yL1ayOJe7wQNwan13rmEfzBjrNCxn/aFcvwLutZx+sRsYYfFnGhLeULbaoIeysXm+qufL2TQib+GJzanL6uksiccJ9RiWVg7YewzsdP23DzBSZBJobggaX5bIGzVp2omwe0F4X0YgMZvUHBNWJRjbit56c92jirmLaHJNvl3J+xSIty1XaCp/0kg5Ws8jRV9iGDXRafPPcWn2T8p1S4vIYsAD6QH9Ec6hAKT9qn

files/opendsa/on_update.sh

+#!/bin/bash
+
+# This file is called whenever the OpenDSA repo was updated. This means we should re-check
+# the requirements.txt file and restart the service.
+
+# Note: This file is executed as root, so we drop back to the opendsa user before starting pip.
+
+function update_pip() {
+    cd
+    python3 -m pip install --user -r OpenDSA/server/requirements.txt
+}
+
+export -f update_pip
+
+# Run PIP as OpenDSA.
+sudo --user opendsa --group opendsa --set-home --preserve-env=update_pip -- bash -c update_pip
+
+# Then, we can restart the service.
+systemctl service restart opendsa.service

manifests/aes_broker.pp

-class aes::broker {
+class aes::aes_broker {
 
   $broker_user = broker
-  $broker_group "${broker_user}"
+  $broker_group = "${broker_user}"
   $broker_home = "/srv/${broker_user}"
   $broker_service = "${broker_user}"
 

manifests/init.pp

@@ -4,7 +4,7 @@ class aes {
   include aes::opendsa
   include aes::squid_filter
   include aes::latex
-  include aes::broker
+  include aes::aes_broker
   include ::liurepo::centos_sclo_rh
 
   package {

manifests/opendsa.pp

@@ -22,40 +22,22 @@ class aes::opendsa {
     mode => '0755',
   }
 
-  file { "${opendsa_home}/.ssh":
-    ensure => directory,
-    recurse => true,
-  # Is modes copied correctly by "recurse" option above? NO, but works
-  # chmod 0700 .ssh/id_rsa
-  # chmod 0744 .ssh/id_rsa.pub .ssh/known_hosts
-    purge => true,
-    force => true,
-    owner  => "${opendsa_user}",
-    group  => "${opendsa_group}",
-    mode => '0700',
-    source => "puppet:///modules/${module_name}/opendsa/.ssh",
-  }
-
-  exec { '/usr/bin/git clone --single-branch --branch exam git@gitlab.ida.liu.se:filst04/OpenDSA.git' : 
-    cwd => "${opendsa_home}",
-    creates => "${opendsa_home}/OpenDSA",
-    user => "${opendsa_user}",
-    group => "${opendsa_group}",
+  # This file will be executed as root, which is why we don't let anyone but root examine it.
+  file { "${opendsa_home}/on_update.sh":
+    ensure => present,
+    owner => root,
+    group => root,
+    mode  => '0600',
+    source => "puppet:///modules/${module_name}/opendsa/on_update.sh",
   }
 
- # Will this work? DANGEROUS, need service restart! Not needed.
-  # exec { '/usr/bin/git pull' : 
-  #   cwd => "${opendsa_home}/OpenDSA",
-  #   onlyif => "/bin/test -d ${opendsa_home}/OpenDSA/.git",
-  #   user => "${opendsa_user}",
-  #   group => "${opendsa_group}",
-  # }
-
- # Install python packets. Can this be run several times safely? (Idempotent?) YES
-  exec { '/usr/bin/python3 -m pip install --user -r OpenDSA/server/requirements.txt' : 
+  exec { 'update-repo':
+    command => "/opt/utils/update_repo.sh ${opendsa_home}/OpenDSA https://oauth2:taNPRZid9Hv6jJtdW_T8@gitlab.liu.se:opendsa/OpenDSA.git exam",
+    environment => [ "REPO_USER=${opendsa_user}", "REPO_GROUP=${opendsa_group}", "REPO_ON_UPDATE=${opendsa_home}/on_update.sh" ],
+    # This command will need to run "on_update" as root in order to restart the service.
+    user => root,
+    group => root,
     cwd => "${opendsa_home}",
-    user => "${opendsa_user}",
-    group => "${opendsa_group}",
   }
 
   file { "${opendsa_home}/manage.sh":