Compare commits

..

7 commits

Author SHA1 Message Date
Darko Poljak
654637c9dd debug 2019-12-02 12:31:46 +01:00
Darko Poljak
20ccb3ec06 debug 2019-12-02 11:33:53 +01:00
Darko Poljak
399828545f debug 2019-12-02 09:35:18 +01:00
Darko Poljak
f259c93796 debug 2019-12-02 09:33:41 +01:00
Darko Poljak
936019b699 debug 2019-12-02 09:31:20 +01:00
Darko Poljak
75b2f521d9 debug runner :) 2019-12-02 09:25:48 +01:00
Darko Poljak
553c11ca95 gitlab CI runner should have necessary tools 2019-12-02 09:22:31 +01:00
124 changed files with 619 additions and 3361 deletions

2
.gitignore vendored
View file

@ -24,8 +24,6 @@ docs/src/man1/*.1
docs/src/man7/*.7
docs/src/man7/cdist-type__*.rst
docs/src/cdist-reference.rst
docs/src/cdist-types.rst
docs/src/cdist.cfg.skeleton
# Ignore cdist cache for version control
/cache/

View file

@ -63,18 +63,6 @@ DOCSREFSH=$(DOCS_SRC_DIR)/cdist-reference.rst.sh
$(DOCSREF): $(DOCSREFSH)
$(DOCSREFSH)
# Html types list with references
DOCSTYPESREF=$(MAN7DSTDIR)/cdist-types.rst
DOCSTYPESREFSH=$(DOCS_SRC_DIR)/cdist-types.rst.sh
$(DOCSTYPESREF): $(DOCSTYPESREFSH)
$(DOCSTYPESREFSH)
DOCSCFGSKEL=./configuration/cdist.cfg.skeleton
configskel: $(DOCSCFGSKEL)
cp -f "$(DOCSCFGSKEL)" "$(DOCS_SRC_DIR)/"
version:
@[ -f "cdist/version.py" ] || { \
printf "Missing 'cdist/version.py', please generate it first.\n" && exit 1; \
@ -84,7 +72,7 @@ version:
man: version $(MANTYPES) $(DOCSREF)
$(SPHINXM)
html: version configskel $(MANTYPES) $(DOCSREF) $(DOCSTYPESREF)
html: version $(MANTYPES) $(DOCSREF)
$(SPHINXH)
docs: man html
@ -126,8 +114,6 @@ speeches: $(SPEECHES)
#
clean: docs-clean
rm -f $(DOCS_SRC_DIR)/cdist-reference.rst
rm -f $(DOCS_SRC_DIR)/cdist-types.rst
rm -f $(DOCS_SRC_DIR)/cdist.cfg.skeleton
find "$(DOCS_SRC_DIR)" -mindepth 2 -type l \
| xargs rm -f

View file

@ -74,7 +74,6 @@ SHELLCHECKCMD="shellcheck -s sh -f gcc -x"
# Skip SC2154 for variables starting with __ since such variables are cdist
# environment variables.
SHELLCHECK_SKIP=': __.*is referenced but not assigned.*\[SC2154\]'
SHELLCHECKTMP=".shellcheck.tmp"
# Change to checkout directory
basedir="${0%/*}/../"
@ -370,7 +369,7 @@ eof
cat << eof
Manual steps post release:
- cdist-web
- send generated mailinglist.tmp mail
- send mail body generated in mailinglist.tmp and inform Dmitry for deb
- twitter
eof
;;
@ -432,67 +431,53 @@ eof
;;
shellcheck-global-explorers)
# shellcheck disable=SC2086
find cdist/conf/explorer -type f -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" > "${SHELLCHECKTMP}"
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
find cdist/conf/explorer -type f -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
;;
shellcheck-type-explorers)
# shellcheck disable=SC2086
find cdist/conf/type -type f -path "*/explorer/*" -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" > "${SHELLCHECKTMP}"
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
find cdist/conf/type -type f -path "*/explorer/*" -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
;;
shellcheck-manifests)
# shellcheck disable=SC2086
find cdist/conf/type -type f -name manifest -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" > "${SHELLCHECKTMP}"
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
find cdist/conf/type -type f -name manifest -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
;;
shellcheck-local-gencodes)
# shellcheck disable=SC2086
find cdist/conf/type -type f -name gencode-local -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" > "${SHELLCHECKTMP}"
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
find cdist/conf/type -type f -name gencode-local -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
;;
shellcheck-remote-gencodes)
# shellcheck disable=SC2086
find cdist/conf/type -type f -name gencode-remote -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" > "${SHELLCHECKTMP}"
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
find cdist/conf/type -type f -name gencode-remote -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
;;
shellcheck-scripts)
# shellcheck disable=SC2086
${SHELLCHECKCMD} scripts/cdist-dump scripts/cdist-new-type > "${SHELLCHECKTMP}"
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
${SHELLCHECKCMD} scripts/cdist-dump scripts/cdist-new-type || exit 0
;;
shellcheck-gencodes)
"$0" shellcheck-local-gencodes || exit 1
"$0" shellcheck-remote-gencodes || exit 1
"$0" shellcheck-local-gencodes
"$0" shellcheck-remote-gencodes
;;
shellcheck-types)
"$0" shellcheck-type-explorers || exit 1
"$0" shellcheck-manifests || exit 1
"$0" shellcheck-gencodes || exit 1
"$0" shellcheck-type-explorers
"$0" shellcheck-manifests
"$0" shellcheck-gencodes
;;
shellcheck)
"$0" shellcheck-global-explorers || exit 1
"$0" shellcheck-types || exit 1
"$0" shellcheck-scripts || exit 1
"$0" shellcheck-global-explorers
"$0" shellcheck-types
"$0" shellcheck-scripts
;;
shellcheck-type-files)
# shellcheck disable=SC2086
find cdist/conf/type -type f -path "*/files/*" -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" > "${SHELLCHECKTMP}"
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
find cdist/conf/type -type f -path "*/files/*" -exec ${SHELLCHECKCMD} {} + | grep -v "${SHELLCHECK_SKIP}" || exit 0
;;
shellcheck-with-files)
"$0" shellcheck || exit 1
"$0" shellcheck-type-files || exit 1
"$0" shellcheck
"$0" shellcheck-type-files
;;
shellcheck-build-helper)
@ -550,7 +535,6 @@ eof
# Temp files
rm -f ./*.tmp
rm -f ./.*.tmp
;;
distclean)

View file

@ -6,7 +6,6 @@ import collections
import functools
import cdist.configuration
import cdist.preos
import cdist.info
# set of beta sub-commands
@ -104,7 +103,7 @@ def get_parsers():
name="log level"),
help=('Set the specified verbosity level. '
'The levels, in order from the lowest to the highest, are: '
'ERROR (-1), WARNING (0), INFO (1), VERBOSE (2), DEBUG (3), '
'ERROR (-1), WARNING (0), INFO (1), VERBOSE (2), DEBUG (3) '
'TRACE (4 or higher). If used along with -v then -v '
'increases last set value and -l overwrites last set '
'value.'),
@ -425,7 +424,7 @@ def get_parsers():
parser['inventory'].set_defaults(
func=cdist.inventory.Inventory.commandline)
# PreOS
# PreOs
parser['preos'] = parser['sub'].add_parser('preos', add_help=False)
# Shell
@ -437,37 +436,6 @@ def get_parsers():
' should be POSIX compatible shell.'))
parser['shell'].set_defaults(func=cdist.shell.Shell.commandline)
# Info
parser['info'] = parser['sub'].add_parser('info')
parser['info'].add_argument(
'-a', '--all', help='Display all info. This is the default.',
action='store_true', default=False)
parser['info'].add_argument(
'-c', '--conf-dir',
help='Add configuration directory (can be repeated).',
action='append')
parser['info'].add_argument(
'-e', '--global-explorers',
help='Display info for global explorers.', action='store_true',
default=False)
parser['info'].add_argument(
'-F', '--fixed-string',
help='Interpret pattern as a fixed string.', action='store_true',
default=False)
parser['info'].add_argument(
'-f', '--full', help='Display full details.',
action='store_true', default=False)
parser['info'].add_argument(
'-g', '--config-file',
help='Use specified custom configuration file.',
dest="config_file", required=False)
parser['info'].add_argument(
'-t', '--types', help='Display info for types.',
action='store_true', default=False)
parser['info'].add_argument(
'pattern', nargs='?', help='Glob pattern.')
parser['info'].set_defaults(func=cdist.info.Info.commandline)
for p in parser:
parser[p].epilog = EPILOG

View file

@ -1,67 +1,27 @@
#!/bin/sh -e
#
# based on previous work by other people, modified by:
# 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Finds disks of the system (excl. ram disks, floppy, cdrom)
#!/bin/sh
uname_s="$(uname -s)"
case $uname_s in
case "${uname_s}" in
FreeBSD)
sysctl -n kern.disks
;;
OpenBSD)
sysctl -n hw.disknames | grep -Eo '[lsw]d[0-9]+'
;;
NetBSD)
PATH="${PATH}:/usr/local/sbin:/usr/sbin:/sbin"
sysctl -n hw.disknames \
| awk 'BEGIN { RS = " " } /^[lsw]d[0-9]+/'
OpenBSD|NetBSD)
sysctl -n hw.disknames | grep -Eo '[lsw]d[0-9]+' | xargs
;;
Linux)
# list of major device numbers toexclude:
# ram disks, floppies, cdroms
# https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
ign_majors='1 2 11'
if command -v lsblk >/dev/null 2>&1
if command -v lsblk > /dev/null
then
lsblk -e "$(echo "$ign_majors" | tr ' ' ',')" -dno name
elif test -d /sys/block/
then
# shellcheck disable=SC2012
ls -1 /sys/block/ \
| awk -v ign_majors="$(echo "$ign_majors" | tr ' ' '|')" '
{
devfile = "/sys/block/" $0 "/dev"
getline devno < devfile
close(devfile)
if (devno !~ "^(" ign_majors "):") print
}'
# exclude ram disks, floppies and cdroms
# https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
lsblk -e 1,2,11 -dno name | xargs
else
echo "Don't know how to list disks on Linux without lsblk and sysfs." >&2
echo 'If you can, please submit a patch.'>&2
printf "Don't know how to list disks for %s operating system without lsblk, if you can please submit a patch\n" "${uname_s}" >&2
fi
;;
*)
printf "Don't know how to list disks for %s operating system.\n" "${uname_s}" >&2
printf 'If you can please submit a patch\n' >&2
printf "Don't know how to list disks for %s operating system, if you can please submit a patch\n" "${uname_s}" >&2
;;
esac \
| xargs
esac
exit 0

View file

@ -1,8 +1,7 @@
#!/bin/sh -e
#!/bin/sh
#
# 2016 Daniel Heule (hda at sfs.biz)
# Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -20,422 +19,21 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Returns the name of the init system (PID 1)
# Expected values:
# Linux:
# Adélie Linux:
# sysvinit+openrc
# Alpine Linux:
# busybox-init+openrc
# ArchLinux:
# systemd, sysvinit
# CRUX:
# sysvinit
# Debian:
# systemd, upstart, sysvinit, openrc, ???
# Devuan:
# sysvinit, sysvinit+openrc
# Gentoo:
# sysvinit+openrc, openrc-init, systemd
# OpenBMC:
# systemd
# OpenWrt:
# procd, init???
# RedHat (RHEL, CentOS, Fedora, RedHat Linux, ...):
# systemd, upstart, upstart-legacy, sysvinit
# Slackware:
# sysvinit
# SuSE:
# systemd, sysvinit
# Ubuntu:
# systemd, upstart, upstart-legacy, sysvinit
# VoidLinux:
# runit
# Returns the process name of pid 1 ( normaly the init system )
# for example at linux this value is "init" or "systemd" in most cases
#
# GNU:
# Debian:
# sysvinit, hurd-init
#
# BSD:
# {Free,Open,Net}BSD:
# init
#
# Mac OS X:
# launchd, init+SystemStarter
#
# Solaris/Illumos:
# smf, init???
# NOTE: init systems can be stacked. This is popular to run OpenRC on top of
# sysvinit (Gentoo) or busybox-init (Alpine), but can also be used to run runit
# as a systemd service. This makes init system detection very complicated
# (which result is expected?) This script tries to untangle some combinations,
# OpenRC on top of sysv or busybox (X+openrc), but will ignore others (runit as
# a systemd service)
uname_s="$(uname -s)"
# NOTE: When we have no idea, nothing will be printed!
# NOTE:
# When trying to gather information about the init system make sure to do so
# without calling the binary! On some systems this triggers a reinitialisation
# of the system which we don't want (e.g. embedded systems).
set -e
KERNEL_NAME=$(uname -s)
KNOWN_INIT_SYSTEMS=$(cat <<EOF
systemd
sysvinit
upstart
runit
procd
smf
launchd
init
hurd_init
systemstarter
EOF
)
common_candidates_by_kernel() {
case $KERNEL_NAME
in
FreeBSD|NetBSD|OpenBSD)
echo init
;;
Linux)
echo systemd
echo sysvinit
echo upstart
;;
GNU)
echo sysvinit
echo hurd-init
;;
Darwin)
echo launchd
echo systemstarter
;;
SunOS)
echo smf
;;
esac
}
## Helpers
trim() {
sed -e 's/^[[:blank:]]*//' -e 's/[[:blank:]]*$//' -e '/^[[:blank:]]*$/d'
}
unique() {
# Delete duplicate lines (keeping input order)
# NOTE: Solaris AWK breaks without if/print construct.
awk '{ if (!x[$0]++) print }'
}
## Check functions
# These functions are used to verify if a guess is correct by checking some
# common property of a running system (presence of a directory in /run etc.)
check_busybox_init() (
busybox_path=${1:-/bin/busybox}
test -x "${busybox_path}" || return 1
grep -q 'BusyBox v[0-9]' "${busybox_path}" || return 1
# It is quite common to use Busybox init to stack other init systemd
# (like OpenRC) on top of it. So we check for that, too.
if stacked=$(check_openrc)
then
echo "busybox-init+${stacked}"
else
echo busybox-init
fi
)
check_hurd_init() (
init_exe=${1:-/hurd/init}
test -x "${init_exe}" || return 1
grep -q 'GNU Hurd' "${init_exe}" || return 1
echo hurd-init
)
check_init() {
# Checks for various BSD inits...
test -x /sbin/init || return 1
if grep -q -E '(Free|Net|Open)BSD' /sbin/init
then
echo init
return 0
fi
}
check_launchd() {
command -v launchctl >/dev/null 2>&1 || return 1
launchctl getenv PATH >/dev/null || return 1
echo launchd
}
check_openrc() {
test -f /run/openrc/softlevel || return 1
echo openrc
}
check_procd() (
procd_path=${1:-/sbin/procd}
test -x "${procd_path}" || return 1
grep -q 'procd' "${procd_path}" || return 1
echo procd
)
check_runit() {
test -d /run/runit || return 1
echo runit
}
check_smf() {
# XXX: Is this the correct way??
test -f /etc/svc/volatile/svc_nonpersist.db || return 1
echo smf
}
check_systemd() {
# NOTE: sd_booted(3)
test -d /run/systemd/system/ || return 1
# systemctl --version | sed -e '/^systemd/!d;s/^systemd //'
echo systemd
}
check_systemstarter() {
test -d /System/Library/StartupItems/ || return 1
test -f /System/Library/StartupItems/LoginWindow/StartupParameters.plist || return 1
echo init+SystemStarter
}
check_sysvinit() (
init_path=${1:-/sbin/init}
grep -q 'INIT_VERSION=sysvinit-[0-9.]*' "${init_path}" || return 1
# It is quite common to use SysVinit to stack other init systemd
# (like OpenRC) on top of it. So we check for that, too.
if stacked=$(check_openrc)
then
echo "sysvinit+${stacked}"
else
echo sysvinit
fi
unset stacked
)
check_upstart() {
test -x "$(command -v initctl)" || return 1
case $(initctl version)
in
*'(upstart '*')')
if test -d /etc/init
then
# modern (DBus-based?) upstart >= 0.5
echo upstart
elif test -d /etc/event.d
then
# ancient upstart
echo upstart-legacy
else
# whatever...
echo upstart
fi
;;
*)
return 1
;;
esac
}
find_init_procfs() (
# First, check if the required file in procfs exists...
test -h /proc/1/exe || return 1
# Find init executable
init_exe=$(ls -l /proc/1/exe 2>/dev/null) || return 1
init_exe=${init_exe#* -> }
if ! test -x "$init_exe"
then
# On some rare occasions it can happen that the
# running init's binary has been replaced. In this
# case Linux adjusts the symlink to "X (deleted)"
# [root@fedora-12 ~]# readlink /proc/1/exe
# /sbin/init (deleted)
# [root@fedora-12 ~]# ls -l /proc/1/exe
# lrwxrwxrwx. 1 root root 0 2020-01-30 23:00 /proc/1/exe -> /sbin/init (deleted)
init_exe=${init_exe% (deleted)}
test -x "$init_exe" || return 1
fi
echo "${init_exe}"
)
guess_by_path() {
case $1
in
/bin/busybox)
check_busybox_init "$1" && return
;;
/lib/systemd/systemd)
check_systemd "$1" && return
;;
/hurd/init)
check_hurd_init "$1" && return
;;
/sbin/launchd)
check_launchd "$1" && return
;;
/usr/bin/runit|/sbin/runit)
check_runit "$1" && return
;;
/sbin/openrc-init)
if check_openrc "$1" >/dev/null
then
echo openrc-init
return
fi
;;
/sbin/procd)
check_procd "$1" && return
;;
/sbin/init|*/init)
# init: it could be anything -> (explicit) no match
return 1
;;
esac
# No match
return 1
}
guess_by_comm_name() {
case $1
in
busybox)
check_busybox_init && return
;;
openrc-init)
if check_openrc >/dev/null
then
echo openrc-init
return 0
fi
;;
init)
# init could be anything -> no match
return 1
;;
*)
# Run check function by comm name if available.
# Fall back to comm name if either it does not exist or
# returns non-zero.
if type "check_$1" >/dev/null
then
"check_$1" && return
else
echo "$1" ; return 0
fi
esac
return 1
}
check_list() (
# List must be a multi-line input on stdin (one name per line)
while read -r init
do
"check_${init}" || continue
return 0
done
return 1
)
# BusyBox's versions of ps and pgrep do not support some options
# depending on which compile-time options have been used.
find_init_pgrep() {
pgrep -P0 -fl 2>/dev/null | awk -F '[[:blank:]]' '$1 == 1 { print $2 }'
}
find_init_ps() {
case $KERNEL_NAME
in
Darwin)
ps -o command -p 1 2>/dev/null | tail -n +2
;;
FreeBSD)
ps -o args= -p 1 2>/dev/null | cut -d ' ' -f 1
;;
Linux)
ps -o comm= -p 1 2>/dev/null
;;
NetBSD)
ps -o comm= -p 1 2>/dev/null
;;
OpenBSD)
ps -o args -p 1 2>/dev/null | tail -n +2 | cut -d ' ' -f 1
;;
*)
ps -o args= -p 1 2>/dev/null
;;
esac | trim # trim trailing whitespace (some ps like Darwin add it)
}
find_init() {
case $KERNEL_NAME
in
Linux|GNU|NetBSD)
find_init_procfs || find_init_pgrep || find_init_ps
;;
FreeBSD)
find_init_procfs || find_init_ps
;;
OpenBSD)
find_init_pgrep || find_init_ps
;;
Darwin|SunOS)
find_init_ps
;;
*)
echo "Don't know how to determine init." >&2
echo 'Please send a patch.' >&2
exit 1
esac
}
# -----
init=$(find_init)
# If we got a path, guess by the path first (fall back to file name if no match)
# else guess by file name directly.
# shellcheck disable=SC2015
{
test -x "${init}" \
&& guess_by_path "${init}" \
|| guess_by_comm_name "$(basename "${init}")"
} && exit 0 || true
# Guessing based on the file path and name didnt lead to a definitive result.
#
# We go through all of the checks until we find a match. To speed up the
# process, common cases will be checked first based on the underlying kernel.
{ common_candidates_by_kernel; echo "${KNOWN_INIT_SYSTEMS}"; } \
| unique | check_list
case "$uname_s" in
Linux)
(pgrep -P0 -l | awk '/^1[ \t]/ {print $2;}') || true
;;
FreeBSD|OpenBSD)
ps -o comm= -p 1 || true
;;
*)
# return a empty string as unknown value
echo ""
;;
esac

View file

@ -1,7 +1,6 @@
#!/bin/sh
#
# 2018 Adam Dej (dejko.a at gmail.com)
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -22,17 +21,6 @@
# See os-release(5) and http://0pointer.de/blog/projects/os-release
if test -f /etc/os-release
then
# Linux and FreeBSD (usually a symlink)
cat /etc/os-release
elif test -f /usr/lib/os-release
then
# systemd
cat /usr/lib/os-release
elif test -f /var/run/os-release
then
# FreeBSD (created by os-release service)
cat /var/run/os-release
fi
set +e
cat /etc/os-release || cat /usr/lib/os-release || true

View file

@ -70,7 +70,4 @@ case "$("$__explorer/os")" in
ubuntu)
lsb_release -sr
;;
alpine)
cat /etc/alpine-release
;;
esac
esac

View file

@ -20,13 +20,7 @@
file_is="$( cat "$__object/explorer/file_is" )"
if [ "$file_is" = 'missing' ] \
&& [ -z "$__cdist_dry_run" ] \
&& \( [ ! -f "$__object/parameter/file" ] \
|| [ ! -f "$__object/parameter/directory" ] \)
then
exit 0
fi
[ "$file_is" = 'missing' ] && [ -z "$__cdist_dry_run" ] && exit 0
os="$( cat "$__global/explorer/os" )"
@ -34,20 +28,7 @@ acl_path="/$__object_id"
acl_is="$( cat "$__object/explorer/acl_is" )"
if [ -f "$__object/parameter/source" ]
then
acl_source="$( cat "$__object/parameter/source" )"
if [ "$acl_source" = '-' ]
then
acl_should="$( cat "$__object/stdin" )"
else
acl_should="$( grep -Ev '^#|^$' "$acl_source" )"
fi
elif [ -f "$__object/parameter/entry" ]
then
acl_should="$( cat "$__object/parameter/entry" )"
elif [ -f "$__object/parameter/acl" ]
if [ -f "$__object/parameter/acl" ]
then
acl_should="$( cat "$__object/parameter/acl" )"
elif

View file

@ -15,24 +15,10 @@ See ``setfacl`` and ``acl`` manpages for more details.
REQUIRED MULTIPLE PARAMETERS
----------------------------
entry
acl
Set ACL entry following ``getfacl`` output syntax.
OPTIONAL PARAMETERS
-------------------
source
Read ACL entries from stdin or file.
Ordering of entries is not important.
When reading from file, comments and empty lines are ignored.
file
Create/change file with ``__file`` using ``user:group:mode`` pattern.
directory
Create/change directory with ``__directory`` using ``user:group:mode`` pattern.
BOOLEAN PARAMETERS
------------------
default
@ -50,8 +36,8 @@ remove
DEPRECATED PARAMETERS
---------------------
Parameters ``acl``, ``user``, ``group``, ``mask`` and ``other`` are deprecated and they
will be removed in future versions. Please use ``entry`` parameter instead.
Parameters ``user``, ``group``, ``mask`` and ``other`` are deprecated and they
will be removed in future versions. Please use ``acl`` parameter instead.
EXAMPLES
@ -63,38 +49,27 @@ EXAMPLES
--default \
--recursive \
--remove \
--entry user:alice:rwx \
--entry user:bob:r-x \
--entry group:project-group:rwx \
--entry group:some-other-group:r-x \
--entry mask::r-x \
--entry other::r-x
--acl user:alice:rwx \
--acl user:bob:r-x \
--acl group:project-group:rwx \
--acl group:some-other-group:r-x \
--acl mask::r-x \
--acl other::r-x
# give Alice read-only access to subdir,
# but don't allow her to see parent content.
__acl /srv/project2 \
--remove \
--entry default:group:secret-project:rwx \
--entry group:secret-project:rwx \
--entry user:alice:--x
--acl default:group:secret-project:rwx \
--acl group:secret-project:rwx \
--acl user:alice:--x
__acl /srv/project2/subdir \
--default \
--remove \
--entry group:secret-project:rwx \
--entry user:alice:r-x
# read acl from stdin
echo 'user:alice:rwx' \
| __acl /path/to/directory --source -
# create/change directory too
__acl /path/to/directory \
--default \
--remove \
--directory root:root:770 \
--entry user:nobody:rwx
--acl group:secret-project:rwx \
--acl user:alice:r-x
AUTHORS

View file

@ -1,11 +0,0 @@
#!/bin/sh -e
for p in file directory
do
[ ! -f "$__object/parameter/$p" ] && continue
"__$p" "/$__object_id" \
--owner "$( awk -F: '{print $1}' "$__object/parameter/$p" )" \
--group "$( awk -F: '{print $2}' "$__object/parameter/$p" )" \
--mode "$( awk -F: '{print $3}' "$__object/parameter/$p" )"
done

View file

@ -1 +0,0 @@
see manual for details

View file

@ -1,5 +1,2 @@
mask
other
source
file
directory

View file

@ -1,4 +1,3 @@
entry
acl
user
group

View file

@ -1,68 +0,0 @@
cdist-type__apt_unattended_upgrades(7)
======================================
NAME
----
cdist-type__apt_unattended_upgrades - automatic installation of updates
DESCRIPTION
-----------
Install and configure unattended-upgrades package.
For more information see https://wiki.debian.org/UnattendedUpgrades.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
option
Set options for unattended-upgrades. See examples.
Supported options with default values (as of 2020-01-17) are:
- AutoFixInterruptedDpkg, default is "true"
- MinimalSteps, default is "true"
- InstallOnShutdown, default is "false"
- Mail, default is "" (empty)
- MailOnlyOnError, default is "false"
- Remove-Unused-Kernel-Packages, default is "true"
- Remove-New-Unused-Dependencies, default is "true"
- Remove-Unused-Dependencies, default is "false"
- Automatic-Reboot, default is "false"
- Automatic-Reboot-WithUsers, default is "true"
- Automatic-Reboot-Time, default is "02:00"
- SyslogEnable, default is "false"
- SyslogFacility, default is "daemon"
- OnlyOnACPower, default is "true"
- Skip-Updates-On-Metered-Connections, default is "true"
- Verbose, default is "false"
- Debug, default is "false"
blacklist
Python regular expressions, matching packages to exclude from upgrading.
EXAMPLES
--------
.. code-block:: sh
__apt_unattended_upgrades \
--option Mail=root \
--option MailOnlyOnError=true \
--blacklist multipath-tools \
--blacklist open-iscsi
AUTHORS
-------
Ander Punnar <ander-at-kvlt-dot-ee>
COPYING
-------
Copyright \(C) 2020 Ander Punnar. You can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation, either version 3 of the License, or (at your option) any
later version.

View file

@ -1,80 +0,0 @@
#!/bin/sh -e
#
# 2020 Ander Punnar (ander-at-kvlt-dot-ee)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
__package unattended-upgrades
export require='__package/unattended-upgrades'
# in normal circumstances 20auto-upgrades is managed
# by debconf and it can only contain these lines
__file /etc/apt/apt.conf.d/20auto-upgrades \
--owner root \
--group root \
--mode 644 \
--source - << EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
# lets not write into upstream 50unattended-upgrades file,
# but use our own config file to avoid clashes
conf_file='/etc/apt/apt.conf.d/51unattended-upgrades-cdist'
conf='# this file is managed by cdist'
if [ -f "$__object/parameter/option" ]
then
o=''
while read -r l
do
o="$( printf '%s\nUnattended-Upgrade::%s "%s";\n' "$o" "${l%%=*}" "${l#*=}" )"
done \
< "$__object/parameter/option"
conf="$( printf '%s\n%s\n' "$conf" "$o" )"
fi
if [ -f "$__object/parameter/blacklist" ]
then
b='Unattended-Upgrade::Package-Blacklist {'
while read -r l
do
b="$( printf '%s\n"%s";\n' "$b" "$l" )"
done \
< "$__object/parameter/blacklist"
conf="$( printf '%s\n%s\n}\n' "$conf" "$b" )"
fi
if [ "$( echo "$conf" | wc -l )" -gt 1 ]
then
echo "$conf" \
| __file "$conf_file" \
--owner root \
--group root \
--mode 644 \
--source -
else
__file "$conf_file" --state absent
fi

View file

@ -1,2 +0,0 @@
option
blacklist

View file

@ -116,9 +116,6 @@ verify-incoming
verify-outgoing
enforce the use of TLS and verify the peers authenticity on outgoing connections
use-distribution-package
uses distribution package instead of upstream binary
EXAMPLES
--------

View file

@ -2,7 +2,6 @@
#
# 2015 Steven Armstrong (steven-cdist at armstrong.cc)
# 2015-2019 Nico Schottelius (nico-cdist at schottelius.org)
# 2019 Timothée Floure (timothee.floure at ungleich.ch)
#
# This file is part of cdist.
#
@ -20,75 +19,133 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "$__global/explorer/os")
###
# Type parameters.
case "$os" in
alpine|scientific|centos|debian|devuan|redhat|ubuntu)
# whitelist safeguard
:
;;
*)
echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
echo "Please contribute an implementation for it if you can." >&2
exit 1
;;
esac
state="$(cat "$__object/parameter/state")"
user="$(cat "$__object/parameter/user")"
group="$(cat "$__object/parameter/group")"
release=$(cat "$__global/explorer/lsb_release")
if [ -f "$__object/parameter/use-distribution-package" ]; then
use_distribution_package=1
fi
###
# Those are default that might be overriden by os-specific logic.
data_dir="/var/lib/consul"
conf_dir="/etc/consul/conf.d"
conf_file="config.json"
tls_dir="$conf_dir/tls"
###
# Sane deployment, based on distribution package when available.
# FIXME: there has got to be a better way to handle the dependencies in this case
case "$state" in
present)
__group "$group" --system --state "$state"
require="__group/$group" \
__user "$user" --system --gid "$group" \
--home "$data_dir" --state "$state"
export require="__user/consul"
;;
absent)
echo "Sorry, state=absent currently not supported :-(" >&2
exit 1
require="$__object_name" \
__user "$user" --system --gid "$group" --state "$state"
require="__user/$user" \
__group "$group" --system --state "$state"
;;
esac
distribution_setup () {
case "$os" in
debian)
# consul is only available starting Debian 10 (buster).
# See https://packages.debian.org/buster/consul
if [ "$release" -lt 10 ]; then
echo "Consul is not available for your debian release." >&2
echo "Please use the 'manual' (i.e. non-package) installation or \
upgrade the target system." >&2
exit 1
fi
__directory /etc/consul \
--owner root --group "$group" --mode 750 --state "$state"
require="__directory/etc/consul" \
__directory "$conf_dir" \
--owner root --group "$group" --mode 750 --state "$state"
# Override previously defined environment to match debian packaging.
conf_dir='/etc/consul.d'
user='consul'
group='consul'
;;
alpine)
# consul is only available starting Alpine 3.12 (= edge during the 3.11 cycle).
# See https://pkgs.alpinelinux.org/packages?name=consul&branch=edge
if [ -f "$__object/parameter/ca-file-source" ] || [ -f "$__object/parameter/cert-file-source" ] || [ -f "$__object/parameter/key-file-source" ]; then
# create directory for ssl certs
require="__directory/etc/consul" \
__directory /etc/consul/ssl \
--owner root --group "$group" --mode 750 --state "$state"
fi
# Override previously defined environment to match alpine packaging.
conf_dir='/etc/consul'
conf_file='server.json'
data_dir='/var/consul'
user='consul'
group='consul'
;;
*)
echo "Your operating system ($os) is currently not supported with the \
--use-distribution-package flag (${__type##*/})." >&2
echo "Please use non-package installation or contribute an \
implementation for if you can." >&2
exit 1
;;
esac
__directory "$data_dir" \
--owner "$user" --group "$group" --mode 770 --state "$state"
# Install consul package.
__package consul --state "$state"
export config_deployment_requires="__package/consul"
}
# Generate json config file
(
echo "{"
###
# LEGACY manual deployment, kept for compatibility reasons.
# parameters we define ourself
printf ' "data_dir": "%s"\n' "$data_dir"
cd "$__object/parameter/"
for param in *; do
case "$param" in
state|user|group|json-config) continue ;;
ca-file-source|cert-file-source|key-file-source)
source="$(cat "$__object/parameter/$param")"
destination="/etc/consul/ssl/${source##*/}"
require="__directory/etc/consul/ssl" \
__file "$destination" \
--owner root --group consul --mode 640 \
--source "$source" \
--state "$state"
key="$(echo "${param%-*}" | tr '-' '_')"
printf ' ,"%s": "%s"\n' "$key" "$destination"
;;
disable-remote-exec|disable-update-check|leave-on-terminate|rejoin-after-leave|server|enable-syslog|verify-incoming|verify-outgoing)
# handle boolean parameters
key="$(echo "$param" | tr '-' '_')"
printf ' ,"%s": true\n' "$key"
;;
retry-join)
# join multiple parameters into json array
retry_join="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join")"
# remove trailing ,
printf ' ,"retry_join": [%s]\n' "${retry_join%*,}"
;;
retry-join-wan)
# join multiple parameters into json array over wan
retry_join_wan="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join-wan")"
# remove trailing ,
printf ' ,"retry_join_wan": [%s]\n' "${retry_join_wan%*,}"
;;
bootstrap-expect)
# integer key=value parameters
key="$(echo "$param" | tr '-' '_')"
printf ' ,"%s": %s\n' "$key" "$(cat "$__object/parameter/$param")"
;;
*)
# string key=value parameters
key="$(echo "$param" | tr '-' '_')"
printf ' ,"%s": "%s"\n' "$key" "$(cat "$__object/parameter/$param")"
;;
esac
done
if [ -f "$__object/parameter/json-config" ]; then
json_config="$(cat "$__object/parameter/json-config")"
if [ "$json_config" = "-" ]; then
json_config="$__object/stdin"
fi
# remove leading and trailing whitespace and commas from first and last line
# indent each line with 3 spaces for consistency
json=$(sed -e 's/^[ \t]*/ /' -e '1s/^[ \t,]*//' -e '$s/[ \t,]*$//' "$json_config")
printf ' ,%s\n' "$json"
fi
echo "}"
) | \
require="__directory${conf_dir}" \
__config_file "${conf_dir}/${conf_file}" \
--owner root --group "$group" --mode 640 \
--state "$state" \
--onchange 'service consul status >/dev/null && service consul reload || true' \
--source -
init_sysvinit()
{
@ -122,186 +179,47 @@ init_upstart()
require="__file/etc/init/consul.conf" __start_on_boot consul
}
manual_setup () {
case "$os" in
alpine|scientific|centos|debian|devuan|redhat|ubuntu)
# whitelist safeguard
:
;;
*)
echo "Your operating system ($os) is currently not supported by this \
type (${__type##*/})." >&2
echo "Please contribute an implementation for it if you can." >&2
exit 1
;;
esac
# FIXME: there has got to be a better way to handle the dependencies in this case
case "$state" in
present)
__group "$group" --system --state "$state"
require="__group/$group" __user "$user" \
--system --gid "$group" --home "$data_dir" --state "$state"
;;
*)
echo "The $state state is not (yet?) supported by this type." >&2
exit 1
;;
esac
# Create data directory.
require="__user/consul" __directory "$data_dir" \
--owner "$user" --group "$group" --mode 770 --state "$state"
# Create config directory.
require="__user/consul" __directory "$conf_dir" \
--parents --owner root --group "$group" --mode 750 --state "$state"
# Install init script to start on boot
case "$os" in
devuan)
init_sysvinit debian
;;
centos|redhat)
os_version="$(sed 's/[^0-9.]//g' "$__global/explorer/os_version")"
major_version="${os_version%%.*}"
case "$major_version" in
[456])
init_sysvinit redhat
;;
7)
init_systemd
;;
*)
echo "Unsupported CentOS/Redhat version: $os_version" >&2
exit 1
;;
esac
;;
debian)
os_version=$(cat "$__global/explorer/os_version")
major_version="${os_version%%.*}"
case "$major_version" in
[567])
init_sysvinit debian
;;
[89]|10)
init_systemd
;;
*)
echo "Unsupported Debian version $os_version" >&2
exit 1
;;
esac
;;
ubuntu)
init_upstart
;;
esac
config_deployment_requires="__user/consul __directory/$conf_dir"
}
###
# Trigger requested installation method.
if [ $use_distribution_package ]; then
distribution_setup
else
manual_setup
fi
###
# Install TLS certificates.
if [ -f "$__object/parameter/ca-file-source" ] || \
[ -f "$__object/parameter/cert-file-source" ] || \
[ -f "$__object/parameter/key-file-source" ]; then
requires="$config_deployment_requires" __directory $tls_dir \
--owner root --group "$group" --mode 750 --state "$state"
# Append to service restart requirements.
restart_requires="$restart_requires __directory/$conf_dir/tls"
fi
###
# Generate and deploy configuration.
json_configuration=$(
echo "{"
# parameters we define ourself
printf ' "data_dir": "%s"\n' "$data_dir"
cd "$__object/parameter/"
for param in *; do
case "$param" in
state|user|group|json-config|use-distribution-package) continue ;;
ca-file-source|cert-file-source|key-file-source)
source="$(cat "$__object/parameter/$param")"
destination="$tls_dir/${source##*/}"
require="__directory/$tls_dir" \
__file "$destination" \
--owner root --group consul --mode 640 \
--source "$source" \
--state "$state"
key="$(echo "${param%-*}" | tr '-' '_')"
printf ' ,"%s": "%s"\n' "$key" "$destination"
# Install init script to start on boot
case "$os" in
alpine|devuan)
init_sysvinit debian
;;
disable-remote-exec|disable-update-check|leave-on-terminate\
|rejoin-after-leave|server|enable-syslog|verify-incoming|verify-outgoing)
# handle boolean parameters
key="$(echo "$param" | tr '-' '_')"
printf ' ,"%s": true\n' "$key"
centos|redhat)
os_version="$(sed 's/[^0-9.]//g' "$__global/explorer/os_version")"
major_version="${os_version%%.*}"
case "$major_version" in
[456])
init_sysvinit redhat
;;
7)
init_systemd
;;
*)
echo "Unsupported CentOS/Redhat version: $os_version" >&2
exit 1
;;
esac
;;
retry-join)
# join multiple parameters into json array
retry_join="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join")"
# remove trailing ,
printf ' ,"retry_join": [%s]\n' "${retry_join%*,}"
;;
retry-join-wan)
# join multiple parameters into json array over wan
retry_join_wan="$(awk '{printf "\""$1"\","}' "$__object/parameter/retry-join-wan")"
# remove trailing ,
printf ' ,"retry_join_wan": [%s]\n' "${retry_join_wan%*,}"
;;
bootstrap-expect)
# integer key=value parameters
key="$(echo "$param" | tr '-' '_')"
printf ' ,"%s": %s\n' "$key" "$(cat "$__object/parameter/$param")"
;;
*)
# string key=value parameters
key="$(echo "$param" | tr '-' '_')"
printf ' ,"%s": "%s"\n' "$key" "$(cat "$__object/parameter/$param")"
;;
esac
done
if [ -f "$__object/parameter/json-config" ]; then
json_config="$(cat "$__object/parameter/json-config")"
if [ "$json_config" = "-" ]; then
json_config="$__object/stdin"
fi
# remove leading and trailing whitespace and commas from first and last line
# indent each line with 3 spaces for consistency
json=$(sed -e 's/^[ \t]*/ /' -e '1s/^[ \t,]*//' -e '$s/[ \t,]*$//' "$json_config")
printf ' ,%s\n' "$json"
fi
echo "}"
)
echo "$json_configuration" | require="$config_deployment_requires" \
__file "$conf_dir/$conf_file" \
--owner root --group "$group" --mode 640 \
--state "$state" \
--source -
# Set configuration deployment as requirement for service restart.
restart_requires="__file/$conf_dir/$conf_file"
debian)
os_version=$(cat "$__global/explorer/os_version")
major_version="${os_version%%.*}"
###
# Restart consul agent after everything else.
require="$restart_requires" __service consul --action restart
case "$major_version" in
[567])
init_sysvinit debian
;;
[89])
init_systemd
;;
*)
echo "Unsupported Debian version $os_version" >&2
exit 1
;;
esac
;;
ubuntu)
init_upstart
;;
esac

View file

@ -6,4 +6,3 @@ server
enable-syslog
verify-incoming
verify-outgoing
use-distribution-package

View file

@ -1 +0,0 @@
../../__consul_service/explorer/conf-dir

View file

@ -19,7 +19,7 @@
#
name="$(cat "$__object/parameter/name" 2>/dev/null || echo "$__object_id")"
conf_dir=$(cat "$__object/explorer/conf-dir")
conf_dir="/etc/consul/conf.d"
conf_file="check_${name}.json"
state="$(cat "$__object/parameter/state")"

View file

@ -1,15 +0,0 @@
# Determine the configuration directory used by consul.
check_dir () {
if [ -d "$1" ]; then
printf '%s' "$1"
exit
fi
}
check_dir '/etc/consul/conf.d'
check_dir '/etc/consul.d'
check_dir '/etc/consul'
echo 'Could not determine consul configuration dir. Exiting.' >&2
exit 1

View file

@ -19,7 +19,7 @@
#
name="$(cat "$__object/parameter/name" 2>/dev/null || echo "$__object_id")"
conf_dir=$(cat "$__object/explorer/conf-dir")
conf_dir="/etc/consul/conf.d"
conf_file="service_${name}.json"
state="$(cat "$__object/parameter/state")"
@ -45,7 +45,7 @@ printf ' "name": "%s"\n' "$name"
cd "$__object/parameter/"
for param in *; do
case "$param" in
state|name|check-interval|conf-dir) continue ;;
state|name|check-interval) continue ;;
check-script)
printf ' ,"check": {\n'
printf ' "script": "%s"\n' "$(cat "$__object/parameter/check-script")"
@ -86,6 +86,7 @@ echo " }"
# end json file
echo "}"
) | \
require="__directory${conf_dir}" \
__config_file "${conf_dir}/${conf_file}" \
--owner root --group consul --mode 640 \
--state "$state" \

View file

@ -1 +0,0 @@
../../__consul_service/explorer/conf-dir

View file

@ -20,7 +20,7 @@
cdist_type="${__type##*/}"
watch_type="${cdist_type##*_}"
conf_dir=$(cat "$__object/explorer/conf-dir")
conf_dir="/etc/consul/conf.d"
conf_file="watch_${watch_type}_${__object_id}.json"
state="$(cat "$__object/parameter/state")"

View file

@ -1 +0,0 @@
../../__consul_service/explorer/conf-dir

View file

@ -20,7 +20,7 @@
cdist_type="${__type##*/}"
watch_type="${cdist_type##*_}"
conf_dir=$(cat "$__object/explorer/conf-dir")
conf_dir="/etc/consul/conf.d"
conf_file="watch_${watch_type}_${__object_id}.json"
state="$(cat "$__object/parameter/state")"

View file

@ -1 +0,0 @@
../../__consul_service/explorer/conf-dir

View file

@ -20,7 +20,7 @@
cdist_type="${__type##*/}"
watch_type="${cdist_type##*_}"
conf_dir=$(cat "$__object/explorer/conf-dir")
conf_dir="/etc/consul/conf.d"
conf_file="watch_${watch_type}_${__object_id}.json"
state="$(cat "$__object/parameter/state")"

View file

@ -1 +0,0 @@
../../__consul_service/explorer/conf-dir

View file

@ -20,7 +20,7 @@
cdist_type="${__type##*/}"
watch_type="${cdist_type##*_}"
conf_dir=$(cat "$__object/explorer/conf-dir")
conf_dir="/etc/consul/conf.d"
conf_file="watch_${watch_type}_${__object_id}.json"
state="$(cat "$__object/parameter/state")"

View file

@ -1 +0,0 @@
../../__consul_service/explorer/conf-dir

View file

@ -20,7 +20,7 @@
cdist_type="${__type##*/}"
watch_type="${cdist_type##*_}"
conf_dir=$(cat "$__object/explorer/conf-dir")
conf_dir="/etc/consul/conf.d"
conf_file="watch_${watch_type}_${__object_id}.json"
state="$(cat "$__object/parameter/state")"

View file

@ -1 +0,0 @@
../../__consul_service/explorer/conf-dir

View file

@ -20,7 +20,7 @@
cdist_type="${__type##*/}"
watch_type="${cdist_type##*_}"
conf_dir=$(cat "$__object/explorer/conf-dir")
conf_dir="/etc/consul/conf.d"
conf_file="watch_${watch_type}_${__object_id}.json"
state="$(cat "$__object/parameter/state")"

View file

@ -1 +0,0 @@
../../__consul_service/explorer/conf-dir

View file

@ -20,7 +20,7 @@
cdist_type="${__type##*/}"
watch_type="${cdist_type##*_}"
conf_dir=$(cat "$__object/explorer/conf-dir")
conf_dir="/etc/consul/conf.d"
conf_file="watch_${watch_type}_${__object_id}.json"
state="$(cat "$__object/parameter/state")"

View file

@ -31,28 +31,24 @@ if [ -f "$__object/parameter/raw" ]; then
elif [ -f "$__object/parameter/raw_command" ]; then
entry="$command"
else
minute="$(cat "$__object/parameter/minute")"
hour="$(cat "$__object/parameter/hour")"
day_of_month="$(cat "$__object/parameter/day_of_month")"
month="$(cat "$__object/parameter/month")"
day_of_week="$(cat "$__object/parameter/day_of_week")"
minute="$(cat "$__object/parameter/minute" 2>/dev/null || echo "*")"
hour="$(cat "$__object/parameter/hour" 2>/dev/null || echo "*")"
day_of_month="$(cat "$__object/parameter/day_of_month" 2>/dev/null || echo "*")"
month="$(cat "$__object/parameter/month" 2>/dev/null || echo "*")"
day_of_week="$(cat "$__object/parameter/day_of_week" 2>/dev/null || echo "*")"
entry="$minute $hour $day_of_month $month $day_of_week $command # $name"
fi
mkdir "$__object/files"
echo "$entry" > "$__object/files/entry"
if [ -s "$__object/explorer/entry" ]; then
if diff -q "$__object/files/entry" "$__object/explorer/entry" >/dev/null; then
state_is=present
else
state_is=modified
fi
if diff -q "$__object/files/entry" "$__object/explorer/entry" >/dev/null; then
state_is=present
else
state_is=absent
fi
state_should="$(cat "$__object/parameter/state")"
state_should="$(cat "$__object/parameter/state" 2>/dev/null || echo "present")"
[ "$state_is" = "$state_should" ] && exit 0

View file

@ -22,12 +22,3 @@ if [ -f "$__object/parameter/raw" ] && [ -f "$__object/parameter/raw_command" ];
echo "ERROR: both raw and raw_command specified" >&2
exit 1
fi
case "$(cat "$__object/parameter/state")" in
present) ;;
absent) ;;
*)
echo "ERROR: unkown cron state" >&2
exit 2
esac

View file

@ -1 +0,0 @@
*

View file

@ -1 +0,0 @@
present

View file

@ -1,7 +1,6 @@
#!/bin/sh
#
# 2013 Steven Armstrong (steven-cdist armstrong.cc)
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -21,43 +20,24 @@
destination="/$__object_id"
fallback() {
# Patch the output together, manually
ls_line=$(ls -ldn "$destination")
uid=$(echo "$ls_line" | awk '{ print $3 }')
gid=$(echo "$ls_line" | awk '{ print $4 }')
owner=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/passwd)
group=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
mode_text=$(echo "$ls_line" | awk '{ print $1 }')
mode=$(echo "$mode_text" | awk '{ k=0; for (i=0; i<=8; i++) k += ((substr($1, i+2, 1) ~ /[rwx]/) * 2^(8-i)); printf("%0o", k) }')
printf 'type: %s\nowner: %d %s\ngroup: %d %s\nmode: %s %s\n' \
"$("$__type_explorer/type")" \
"$uid" "$owner" \
"$gid" "$group" \
"$mode" "$mode_text"
}
# nothing to work with, nothing we could do
[ -e "$destination" ] || exit 0
if ! command -v stat >/dev/null
then
fallback
exit
fi
case $("$__explorer/os") in
os=$("$__explorer/os")
case "$os" in
"freebsd"|"netbsd"|"openbsd"|"macosx")
stat -f "type: %HT
owner: %Du %Su
group: %Dg %Sg
mode: %Lp %Sp
" "$destination" | awk '/^type/ { print tolower($0); next } { print }'
" "$destination" | awk '/^type/ { print tolower($0); next; } { print; }'
;;
alpine)
stat -c "type: %F
owner: %u %U
group: %g %G
mode: %a %A
" "$destination"
;;
solaris)
ls1="$( ls -ld "$destination" )"
@ -89,12 +69,10 @@ mode: %Lp %Sp
echo "mode: $octets $( echo "$ls1" | awk '{print $1}' )"
;;
*)
# NOTE: Do not use --printf here as it is not supported by BusyBox stat.
# NOTE: BusyBox's stat might not support the "-c" option, in which case
# we fall through to the shell fallback.
stat -c "type: %F
stat --printf="type: %F
owner: %u %U
group: %g %G
mode: %a %A" "$destination" 2>/dev/null || fallback
mode: %a %A
" "$destination"
;;
esac

View file

@ -3,7 +3,6 @@
# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2013 Steven Armstrong (steven-cdist armstrong.cc)
# 2014 Daniel Heule (hda at sfs.biz)
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -22,8 +21,8 @@
#
destination="/$__object_id"
state_should=$(cat "$__object/parameter/state")
type=$(cat "$__object/explorer/type")
state_should="$(cat "$__object/parameter/state")"
type="$(cat "$__object/explorer/type")"
stat_file="$__object/explorer/stat"
# variable to keep track if we have to set directory attributes
@ -73,7 +72,7 @@ set_mode() {
}
case "$state_should" in
present|exists)
present)
if [ "$type" != "directory" ]; then
set_attributes=1
if [ "$type" != "none" ]; then
@ -84,10 +83,6 @@ case "$state_should" in
fi
echo "mkdir $mkdiropt '$destination'"
echo "create" >> "$__messages_out"
elif [ "$state_should" = 'exists' ]; then
# The type is directory and --state exists. We are done and do not
# check or set the attributes.
exit 0
fi
# Note: Mode - needs to happen last as a chown/chgrp can alter mode by
@ -108,26 +103,6 @@ case "$state_should" in
fi
done
;;
pre-exists)
case $type in
directory)
# all good
exit 0
;;
none)
printf 'Directory "%s" does not exist\n' "$destination" >&2
exit 1
;;
file|symlink)
printf 'File "%s" exists and is a %s, but should be a directory\n' "$destination" "$type" >&2
exit 1
;;
*)
printf 'File or directory "%s" is in an unknown state\n' "$destination" >&2
exit 1
;;
esac
;;
absent)
if [ "$type" = "directory" ]; then
echo "rm -rf '$destination'"

View file

@ -19,18 +19,7 @@ None.
OPTIONAL PARAMETERS
-------------------
state
'present', 'absent', 'exists' or 'pre-exists', defaults to 'present' where:
present
the directory exists and the given attributes are set.
absent
the directory does not exist.
exists
the directory exists, but its attributes are not altered if it already
existed.
pre-exists
check that the directory exists and is indeed a directory, but do not
create or modify it.
'present' or 'absent', defaults to 'present'
group
Group to chgrp to.
@ -47,7 +36,7 @@ BOOLEAN PARAMETERS
parents
Whether to create parents as well (mkdir -p behaviour).
Warning: all intermediate directory permissions default
to whatever mkdir -p does.
to whatever mkdir -p does.
Usually this means root:root, 0700.

View file

@ -2,7 +2,6 @@
#
# 2013 Steven Armstrong (steven-cdist armstrong.cc)
# 2019 Nico Schottelius (nico-cdist at schottelius.org)
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -22,54 +21,29 @@
destination="/$__object_id"
fallback() {
# Fallback: Patch the output together, manually.
ls_line=$(ls -ldn "$destination")
uid=$(echo "$ls_line" | awk '{ print $3 }')
gid=$(echo "$ls_line" | awk '{ print $4 }')
owner=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/passwd)
group=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
mode_text=$(echo "$ls_line" | awk '{ print $1 }')
mode=$(echo "$mode_text" | awk '{ k=0; for (i=0; i<=8; i++) k += ((substr($1, i+2, 1) ~ /[rwx]/) * 2^(8-i)); printf("%0o", k) }')
size=$(echo "$ls_line" | awk '{ print $5 }')
links=$(echo "$ls_line" | awk '{ print $2 }')
printf 'type: %s\nowner: %d %s\ngroup: %d %s\nmode: %s %s\nsize: %d\nlinks: %d\n' \
"$("$__type_explorer/type")" \
"$uid" "$owner" \
"$gid" "$group" \
"$mode" "$mode_text" \
"$size" \
"$links"
}
# nothing to work with, nothing we could do
[ -e "$destination" ] || exit 0
if ! command -v stat >/dev/null
then
fallback
exit
fi
case $("$__explorer/os")
in
freebsd|netbsd|openbsd|macosx)
os=$("$__explorer/os")
case "$os" in
"freebsd"|"netbsd"|"openbsd"|"macosx")
stat -f "type: %HT
owner: %Du %Su
group: %Dg %Sg
mode: %Lp %Sp
size: %Dz
links: %Dl
" "$destination" | awk '/^type/ { print tolower($0); next } { print }'
" "$destination" | awk '/^type/ { print tolower($0); next; } { print; }'
;;
alpine)
# busybox stat
stat -c "type: %F
owner: %u %U
group: %g %G
mode: %a %A
size: %s
links: %h
" "$destination"
;;
solaris)
ls1="$( ls -ld "$destination" )"
@ -103,14 +77,12 @@ links: %Dl
echo "links: $( echo "$ls1" | awk '{print $2}' )"
;;
*)
# NOTE: Do not use --printf here as it is not supported by BusyBox stat.
# NOTE: BusyBox's stat might not support the "-c" option, in which case
# we fall through to the shell fallback.
stat -c "type: %F
stat --printf="type: %F
owner: %u %U
group: %g %G
mode: %a %A
size: %s
links: %h" "$destination" 2>/dev/null || fallback
;;
links: %h
" "$destination"
;;
esac

View file

@ -31,24 +31,12 @@ if [ "$state_should" = "pre-exists" ]; then
exit 1
fi
case $type in
file)
# nothing to do
exit 0
;;
none)
printf 'File "%s" does not exist\n' "$destination" >&2
exit 1
;;
directory|symlink)
printf 'File "%s" exists and is a %s, but should be a regular file\n' "$destination" "$type" >&2
exit 1
;;
*)
printf 'File or directory "%s" is in an unknown state\n' "$destination" >&2
exit 1
;;
esac
if [ "$type" = "file" ]; then
exit 0 # nothing to do
else
echo "File \"$destination\" does not exist"
exit 1
fi
fi
upload_file=

View file

@ -55,40 +55,36 @@ set_owner() {
}
set_mode() {
echo "chmod '$1' '$destination'"
echo "chmod '$1'" >> "$__messages_out"
fire_onchange=1
echo "chmod '$1' '$destination'"
echo "chmod '$1'" >> "$__messages_out"
fire_onchange=1
}
case "$state_should" in
present|exists)
# Note: Mode - needs to happen last as a chown/chgrp can alter mode by
# clearing S_ISUID and S_ISGID bits (see chown(2))
for attribute in group owner mode; do
if [ -f "$__object/parameter/$attribute" ]; then
value_should="$(cat "$__object/parameter/$attribute")"
present|exists|pre-exists)
# Note: Mode - needs to happen last as a chown/chgrp can alter mode by
# clearing S_ISUID and S_ISGID bits (see chown(2))
for attribute in group owner mode; do
if [ -f "$__object/parameter/$attribute" ]; then
value_should="$(cat "$__object/parameter/$attribute")"
# change 0xxx format to xxx format => same as stat returns
if [ "$attribute" = mode ]; then
value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
fi
value_is="$(get_current_value "$attribute" "$value_should")"
if [ -f "$__object/files/set-attributes" ] || [ "$value_should" != "$value_is" ]; then
"set_$attribute" "$value_should"
fi
# change 0xxx format to xxx format => same as stat returns
if [ "$attribute" = mode ]; then
value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
fi
value_is="$(get_current_value "$attribute" "$value_should")"
if [ -f "$__object/files/set-attributes" ] || [ "$value_should" != "$value_is" ]; then
"set_$attribute" "$value_should"
fi
done
if [ -f "$__object/files/set-attributes" ]; then
# set-attributes is created if file is created or uploaded in gencode-local
fire_onchange=1
fi
;;
done
if [ -f "$__object/files/set-attributes" ]; then
# set-attributes is created if file is created or uploaded in gencode-local
fire_onchange=1
fi
pre-exists)
# pre-exists should never reach gencode-remote…
exit 1
;;
;;
absent)
if [ "$type" = "file" ]; then
@ -105,7 +101,7 @@ case "$state_should" in
esac
if [ -f "$__object/parameter/onchange" ]; then
if [ -n "$fire_onchange" ]; then
cat "$__object/parameter/onchange"
fi
if [ -n "$fire_onchange" ]; then
cat "$__object/parameter/onchange"
fi
fi

View file

@ -1 +0,0 @@
../__chroot_umount/manifest

View file

@ -1,101 +0,0 @@
cdist-type__install_directory(7)
================================
NAME
----
cdist-type__install_directory - Manage a directory with install command
DESCRIPTION
-----------
This cdist type allows you to create or remove directories on the target.
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
state
'present' or 'absent', defaults to 'present'
group
Group to chgrp to.
mode
Unix permissions, suitable for chmod.
owner
User to chown to.
BOOLEAN PARAMETERS
------------------
parents
Whether to create parents as well (mkdir -p behaviour).
Warning: all intermediate directory permissions default
to whatever mkdir -p does.
Usually this means root:root, 0700.
recursive
If supplied the chgrp and chown call will run recursively.
This does *not* influence the behaviour of chmod.
MESSAGES
--------
chgrp <group>
Changed group membership
chown <owner>
Changed owner
chmod <mode>
Changed mode
create
Empty directory was created
remove
Directory exists, but state is absent, directory will be removed by generated code.
remove non directory
Something other than a directory with the same name exists and was removed prior to create.
EXAMPLES
--------
.. code-block:: sh
# A silly example
__install_directory /tmp/foobar
# Remove a directory
__install_directory /tmp/foobar --state absent
# Ensure /etc exists correctly
__install_directory /etc --owner root --group root --mode 0755
# Create nfs service directory, including parents
__install_directory /home/services/nfs --parents
# Change permissions recursively
__install_directory /home/services --recursive --owner root --group root
# Setup a temp directory
__install_directory /local --mode 1777
# Take it all
__install_directory /home/services/kvm --recursive --parents \
--owner root --group root --mode 0755 --state present
AUTHORS
-------
Nico Schottelius <nico-cdist--@--schottelius.org>
COPYING
-------
Copyright \(C) 2011 Nico Schottelius. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1 @@
../__directory/man.rst

View file

@ -23,10 +23,6 @@ symlink
directory
replace it with the source file
One exception is that when state is pre-exists, an error is raised if
the file would have been created otherwise (e.g. it is not present or
not a regular file).
In any case, make sure that the file attributes are as specified.
@ -37,7 +33,7 @@ None.
OPTIONAL PARAMETERS
-------------------
state
'present', 'absent', 'exists' or 'pre-exists', defaults to 'present' where:
'present', 'absent' or 'exists', defaults to 'present' where:
present
the file is exactly the one from source
@ -45,9 +41,6 @@ state
the file does not exist
exists
the file from source but only if it doesn't already exist
pre-exists
check that the file exists and is a regular file, but do not
create or modify it
group
Group to chgrp to.
@ -63,9 +56,6 @@ source
If not supplied, an empty file or directory will be created.
If source is '-' (dash), take what was written to stdin as the file content.
onchange
The code to run if file is modified.
MESSAGES
--------
chgrp <group>
@ -103,8 +93,6 @@ EXAMPLES
__install_file /home/frodo/.bashrc --source "/etc/skel/.bashrc" \
--state exists \
--owner frodo --mode 0600
# Check that the file is present, show an error when it is not
__install_file /etc/somefile --state pre-exists
# Take file content from stdin
__install_file /tmp/whatever --owner root --group root --mode 644 --source - << DONE
Here goes the content for /tmp/whatever

View file

@ -59,13 +59,13 @@ MESSAGES
--------
change
Certificate was changed.
Certificte was changed.
create
Certificate was created.
Certificte was created.
remove
Certificate was removed.
Certificte was removed.
EXAMPLES
--------

View file

@ -1,7 +1,6 @@
#!/bin/sh -e
#
# 2018 Steven Armstrong (steven-cdist at armstrong.cc)
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -19,14 +18,6 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
if [ -f "$__object/parameter/file" ]; then
file=$(cat "$__object/parameter/file")
else
file="/$__object_id"
fi
[ -f "$file" ] || exit 0
if [ -f "$__object/parameter/before" ]; then
position="before"
elif [ -f "$__object/parameter/after" ]; then
@ -42,56 +33,63 @@ else
needle="line"
fi
if [ -f "$__object/parameter/file" ]; then
file="$(cat "$__object/parameter/file")"
else
file="/$__object_id"
fi
if [ ! -f "$file" ]; then
echo "file_missing"
exit 0
fi
awk -v position="$position" -v needle="$needle" '
function _find(_text, _pattern) {
if (needle == "regex") {
return match(_text, _pattern)
} else {
return index(_text, _pattern) == 1
return index(_text, _pattern)
}
}
BEGIN {
getline anchor < (ENVIRON["__object"] "/parameter/" position)
getline pattern < (ENVIRON["__object"] "/parameter/" needle)
found_line = 0
correct_pos = (position != "after" && position != "before")
state = "absent"
}
{
if (position == "after") {
if (match($0, anchor)) {
getline
if (_find($0, pattern)) {
found_line++
correct_pos = 1
exit 0
state = "present"
}
} else if (_find($0, pattern)) {
found_line++
else {
state = "wrongposition"
}
exit 0
}
} else if (position == "before") {
}
else if (position == "before") {
if (_find($0, pattern)) {
found_line++
getline
if (match($0, anchor)) {
correct_pos = 1
exit 0
state = "present"
}
else {
state = "wrongposition"
}
exit 0
}
} else {
}
else {
if (_find($0, pattern)) {
found_line++
state = "present"
exit 0
}
}
}
END {
if (found_line && correct_pos) {
print "present"
} else if (found_line) {
print "wrongposition"
} else {
print "absent"
}
print state
}
' "$file"

View file

@ -1,7 +1,6 @@
#!/bin/sh -e
#
# 2018 Steven Armstrong (steven-cdist at armstrong.cc)
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -24,20 +23,9 @@ if [ -f "$__object/parameter/before" ] && [ -f "$__object/parameter/after" ]; th
exit 1
fi
if [ -f "$__object/parameter/file" ]; then
file="$(cat "$__object/parameter/file")"
else
file="/$__object_id"
fi
state_should="$(cat "$__object/parameter/state")"
state_is="$(cat "$__object/explorer/state")"
if [ -z "$state_is" ]; then
printf 'The file "%s" is missing. Please create it before using %s on it.\n' "$file" "${__type##*/}" >&2
exit 1
fi
if [ "$state_should" = "$state_is" ]; then
# nothing to do
exit 0
@ -58,6 +46,12 @@ else
needle="line"
fi
if [ -f "$__object/parameter/file" ]; then
file="$(cat "$__object/parameter/file")"
else
file="/$__object_id"
fi
add=0
remove=0
case "$state_should" in
@ -110,12 +104,10 @@ BEGIN {
if (anchor && match(\$0, anchor)) {
if (position == "before") {
print line
add = 0
print
} else if (position == "after") {
print
print line
add = 0
}
next
}
@ -123,7 +115,7 @@ BEGIN {
print
}
END {
if (add) {
if (add && position == "end") {
print line
}
}

View file

@ -1,33 +0,0 @@
#!/bin/sh -e
#
# 2020 Ander Punnar (ander-at-kvlt-dot-ee)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
if [ -f "$__object/parameter/name" ]
then
name="$( cat "$__object/parameter/name" )"
else
name="$__object_id"
fi
if [ -n "$( mysql -B -N -e "show databases like '$name'" )" ]
then
echo 'present'
else
echo 'absent'
fi

View file

@ -1,6 +1,6 @@
#!/bin/sh -e
#
# 2020 Ander Punnar (ander-at-kvlt-dot-ee)
# 2012 Benedikt Koeppel (code@benediktkoeppel.ch)
#
# This file is part of cdist.
#
@ -17,30 +17,38 @@
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
state_is="$( cat "$__object/explorer/state" )"
state_should="$( cat "$__object/parameter/state" )"
if [ "$state_is" = "$state_should" ]
then
exit 0
# if --database was specified
if [ -f "$__object/parameter/name" ]; then
database="$(cat "$__object/parameter/name")"
else # otherwise use the object id as database name
database="$__object_id"
fi
if [ -f "$__object/parameter/name" ]
then
name="$( cat "$__object/parameter/name" )"
else
name="$__object_id"
fi
cat <<-EOFF
mysql -u root <<-EOF
CREATE DATABASE IF NOT EXISTS $database
EOF
EOFF
case "$state_should" in
present)
echo "mysql -e 'create database \`$name\`'"
echo "create database $name" >> "$__messages_out"
;;
absent)
echo "mysql -e 'drop database \`$name\`'"
echo "drop database $name" >> "$__messages_out"
;;
esac
# if --user was specified
if [ -f "$__object/parameter/user" ]; then
user="$(cat "$__object/parameter/user")"
# if --password was specified
if [ -f "$__object/parameter/password" ]; then
password="$(cat "$__object/parameter/password")"
cat <<-EOFF
mysql -u root <<-EOF
GRANT ALL PRIVILEGES ON $database.* to '$user'@'localhost' IDENTIFIED BY '$password';
EOF
EOFF
else
cat <<-EOFF
mysql -u root <<-EOF
GRANT ALL PRIVILEGES ON $database.* to '$user'@'localhost';
EOF
EOFF
fi
fi

View file

@ -8,24 +8,24 @@ cdist-type__mysql_database - Manage a MySQL database
DESCRIPTION
-----------
This cdist type allows you to install a MySQL database.
Create MySQL database and optionally user with all privileges.
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
name
Name of database. Defaults to object id.
The name of the database to install
defaults to the object id
user
Create user and give all privileges to database.
A user that should have access to the database
password
Password for user.
state
Defaults to present.
If absent and user is also set, both will be removed (with privileges).
The password for the user who manages the database
EXAMPLES
@ -33,23 +33,17 @@ EXAMPLES
.. code-block:: sh
# just create database
__mysql_database foo
# create database with respective user with all privileges to database
__mysql_database bar \
--user name \
--password secret
__mysql_database "cdist" --name "cdist" --user "myuser" --password "mypwd"
AUTHORS
-------
Ander Punnar <ander-at-kvlt-dot-ee>
Benedikt Koeppel <code@benediktkoeppel.ch>
COPYING
-------
Copyright \(C) 2020 Ander Punnar. You can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation, either version 3 of the License, or (at your option) any
later version.
Copyright \(C) 2012 Benedikt Koeppel. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -1,52 +0,0 @@
#!/bin/sh -e
#
# 2020 Ander Punnar (ander-at-kvlt-dot-ee)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
if [ -f "$__object/parameter/user" ]
then
user="$( cat "$__object/parameter/user" )"
fi
if [ -f "$__object/parameter/password" ]
then
password="$( cat "$__object/parameter/password" )"
fi
if [ -n "$user" ] && [ -n "$password" ]
then
if [ -f "$__object/parameter/name" ]
then
database="$( cat "$__object/parameter/name" )"
else
database="$__object_id"
fi
state_should="$( cat "$__object/parameter/state" )"
__mysql_user "$user" \
--password "$password" \
--state "$state_should"
# removing user should remove all user's privileges
require="__mysql_user/$user" \
__mysql_privileges "$database/$user" \
--database "$database" \
--user "$user" \
--state "$state_should"
fi

View file

@ -1,4 +1,3 @@
name
user
password
state

View file

@ -1,40 +0,0 @@
#!/bin/sh -e
#
# 2020 Ander Punnar (ander-at-kvlt-dot-ee)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
privileges="$( cat "$__object/parameter/privileges" )"
database="$( cat "$__object/parameter/database" )"
table="$( cat "$__object/parameter/table" )"
user="$( cat "$__object/parameter/user" )"
host="$( cat "$__object/parameter/host" )"
check_privileges="$(
mysql -B -N -e "show grants for '$user'@'$host'" \
| grep -Ei "^grant $privileges on .$database.\..?$table.? to " || true )"
if [ -n "$check_privileges" ]
then
echo 'present'
else
echo 'absent'
fi

View file

@ -1,55 +0,0 @@
#!/bin/sh -e
#
# 2020 Ander Punnar (ander-at-kvlt-dot-ee)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
state_is="$( cat "$__object/explorer/state" )"
state_should="$( cat "$__object/parameter/state" )"
if [ "$state_is" = "$state_should" ]
then
exit 0
fi
privileges="$( cat "$__object/parameter/privileges" )"
database="$( cat "$__object/parameter/database" )"
table="$( cat "$__object/parameter/table" )"
user="$( cat "$__object/parameter/user" )"
host="$( cat "$__object/parameter/host" )"
if [ "$table" != '*' ]
then
# shellcheck disable=SC2016
table="$( printf '`%s`' "$table" )"
fi
case "$state_should" in
present)
echo "mysql -e 'grant $privileges on \`$database\`.$table to \`$user\`@\`$host\`'"
echo "grant $privileges on $database.$table to $user@$host" >> "$__messages_out"
;;
absent)
echo "mysql -e 'revoke $privileges on \`$database\`.$table from \`$user\`@\`$host\`'"
echo "revoke $privileges on $database.$table from $user@$host" >> "$__messages_out"
;;
esac

View file

@ -1,57 +0,0 @@
cdist-type__mysql_privileges(7)
===============================
NAME
----
cdist-type__mysql_privileges - Manage MySQL privileges
DESCRIPTION
-----------
Grant and revoke privileges of MySQL user.
REQUIRED PARAMETERS
-------------------
database
Name of database.
user
Name of user.
OPTIONAL PARAMETERS
-------------------
privileges
Defaults to "all".
table
Defaults to "*".
host
Defaults to localhost.
state
"present" grants and "absent" revokes. Defaults to present.
EXAMPLES
--------
.. code-block:: sh
__mysql_privileges user-to-db --database db --user user
AUTHORS
-------
Ander Punnar <ander-at-kvlt-dot-ee>
COPYING
-------
Copyright \(C) 2020 Ander Punnar. You can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation, either version 3 of the License, or (at your option) any
later version.

View file

@ -1 +0,0 @@
localhost

View file

@ -1 +0,0 @@
all privileges

View file

@ -1,4 +0,0 @@
privileges
table
host
state

View file

@ -1,2 +0,0 @@
database
user

View file

@ -1,54 +0,0 @@
#!/bin/sh -e
#
# 2020 Ander Punnar (ander-at-kvlt-dot-ee)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
if [ -f "$__object/parameter/name" ]
then
name="$( cat "$__object/parameter/name" )"
else
name="$__object_id"
fi
if [ -f "$__object/parameter/password" ]
then
password="$( cat "$__object/parameter/password" )"
else
password=''
fi
host="$( cat "$__object/parameter/host" )"
check_user="$( mysql -B -N -e "select user from mysql.user where user = '$name' and host = '$host'" )"
if [ -n "$check_user" ]
then
if [ -n "$password" ]
then
check_password="$( mysql -B -N -e "select user from mysql.user where user = '$name' and host = '$host' and password = password( '$password' )" )"
fi
if [ -n "$password" ] && [ -z "$check_password" ]
then
echo 'change-password'
else
echo 'present'
fi
else
echo 'absent'
fi

View file

@ -1,68 +0,0 @@
#!/bin/sh -e
#
# 2020 Ander Punnar (ander-at-kvlt-dot-ee)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
state_is="$( cat "$__object/explorer/state" )"
state_should="$( cat "$__object/parameter/state" )"
if [ "$state_is" = "$state_should" ]
then
exit 0
fi
if [ -f "$__object/parameter/name" ]
then
name="$( cat "$__object/parameter/name" )"
else
name="$__object_id"
fi
host="$( cat "$__object/parameter/host" )"
if [ -f "$__object/parameter/password" ]
then
password="$( cat "$__object/parameter/password" )"
else
if [ "$state_should" = 'present' ]
then
echo '--password needed' >&2
exit 1
else
password=''
fi
fi
if [ "$state_is" = 'absent' ] && [ "$state_should" = 'present' ]
then
echo "mysql -e 'create user \`$name\`@\`$host\` identified by \"$password\"'"
echo "create user $name@$host" >> "$__messages_out"
elif [ "$state_is" != 'absent' ] && [ "$state_should" = 'absent' ]
then
echo "mysql -e 'drop user \`$name\`@\`$host\`'"
echo "drop user $name@$host" >> "$__messages_out"
elif [ "$state_is" = 'change-password' ]
then
# this only works with MySQL 5.7.6 and later or MariaDB 10.1.20 and later
echo "mysql -e 'alter user \`$name\`@\`$host\` identified by \"$password\"'"
echo "mysql -e 'flush privileges'"
echo "change password $name@$host" >> "$__messages_out"
fi

View file

@ -1,48 +0,0 @@
cdist-type__mysql_user(7)
=========================
NAME
----
cdist-type__mysql_user - Manage a MySQL user
DESCRIPTION
-----------
Create MySQL user or change password for the user.
OPTIONAL PARAMETERS
-------------------
name
Name of user. Defaults to object id.
host
Host of user. Defaults to localhost.
password
Password of user.
state
Defaults to present.
EXAMPLES
--------
.. code-block:: sh
__mysql_user user --password secret
AUTHORS
-------
Ander Punnar <ander-at-kvlt-dot-ee>
COPYING
-------
Copyright \(C) 2020 Ander Punnar. You can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation, either version 3 of the License, or (at your option) any
later version.

View file

@ -1 +0,0 @@
localhost

View file

@ -1 +0,0 @@
present

View file

@ -1,4 +0,0 @@
name
host
password
state

View file

@ -1,44 +0,0 @@
#!/bin/sh
manager_dn=$(cat "${__object}/parameter/manager-dn")
manager_password=$(cat "${__object}/parameter/manager-password")
description=$(cat "${__object}/parameter/description")
suffix=$(cat "${__object}/parameter/suffix")
suffix_dc=$(printf "%s" "${suffix}" | awk -F',' '{print $1}' | awk -F'=' '{print $2}')
SLAPD_IPC=$(tr '\n' ' ' < "${__object}/parameter/slapd-url" | awk '{ print $1}')
cat <<DONE # | tee /dev/stderr
# Restart service
service slapd restart
# It can sometimes take a tiny bit to bind
sleep 1
# Create or update base object
if ldapsearch -xZ -D "${manager_dn}" -w "${manager_password}" -H '${SLAPD_IPC}' -b '${suffix}' -s base 2>&1 > /dev/null; then
# Already exists, use ldapmodify
ldapmodify -xZ -D "${manager_dn}" -w "${manager_password}" -H '${SLAPD_IPC}' <<EOF
dn: ${suffix}
changetype: modify
replace: objectClass
objectClass: top
objectClass: dcObject
objectClass: organization
-
replace: o
o: ${description}
-
replace: dc
dc: ${suffix_dc}
EOF
else
# Does not exist, use ldapadd
ldapadd -xZ -D "${manager_dn}" -w "${manager_password}" -H '${SLAPD_IPC}' <<EOF
dn: ${suffix}
objectClass: top
objectClass: dcObject
objectClass: organization
o: ${description}
dc: ${suffix_dc}
EOF
fi
DONE

View file

@ -1,212 +0,0 @@
cdist-type__openldap_server(7)
==============================
NAME
----
cdist-type__openldap_server - Setup an openldap(4) server instance
DESCRIPTION
-----------
This type can be used to bootstrap an LDAP environment using openldap as slapd.
It bootstraps the LDAP server with sane defaults and creates and manages the
base DN defined by `suffix`.
REQUIRED PARAMETERS
-------------------
manager-dn
The rootdn to set up in the directory.
E.g. `cn=manager,dc=ungleich,dc=ch`. See `slapd.conf(5)`.
manager-password
The password for `manager-dn` in the directory.
This will be used to connect to the LDAP server on the first `slapd-url`
with the given `manager-dn`.
manager-password-hash
The password for `manager-dn` in the directory.
This should be valid for `slapd.conf` like `{SSHA}qV+mCs3u8Q2sCmUXT4Ybw7MebHTASMyr`.
Generate e.g. with: `slappasswd -s weneedgoodsecurity`.
See `slappasswd(8C)`, `slapd.conf(5)`.
TODO: implement this: http://blog.adamsbros.org/2015/06/09/openldap-ssha-salted-hashes-by-hand/
to derive from the manager-password parameter and ensure idempotency (care with salts).
At that point, manager-password-hash should be deprecated and ignored.
serverid
The server for the directory.
E.g. `dc=ungleich,dc=ch`. See `slapd.conf(5)`.
suffix
The suffix for the directory.
E.g. `dc=ungleich,dc=ch`. See `slapd.conf(5)`.
REQUIRED MULTIPLE PARAMETERS
----------------------------
slapd-url
A URL for slapd to listen on.
Pass once for each URL you want to support,
e.g.: `--slapd-url ldaps://my.fqdn/ --slapd-url ldap://my.fqdn/`.
The first instance that is passed will be used as the main URL to
connect to this LDAP server
See the `-h` flag in `slapd(8C)`.
OPTIONAL PARAMETERS
-------------------
syncrepl-credentials
Only has an effect if `replicate` is set; required in that case.
This secret is shared amongst the hosts that will replicate the directory.
Note that each replication server needs this secret and it is saved in
plain text in the directory.
syncrepl-searchbase
Only has an effect if `replicate` is set; required in that case.
The searchbase to use for replication.
E.g. `dc=ungleich,dc=ch`. See `slapd.conf(5)`.
admin-email
Passed to `cdist-type__letsencrypt_cert`; has otherwise no use.
Required if using `__letsencrypt_cert`.
Where to send Let's Encrypt emails like "certificate needs renewal".
tls-cipher-suite
Setting for TLSCipherSuite.
Defaults to `NORMAL` in a Debian-like OS and `HIGH:MEDIUM:+SSLv2` on FreeBSD.
See `slapd.conf(5)`.
tls-cert
If defined, `__letsencrypt_cert` is not used and this must be the path in
the remote hosts to the PEM-encoded TLS certificate.
Requires: `tls-privkey` and `tls-ca`.
Permissions, existence and renewal of these files are left up to the
type's user.
tls-privkey
Required if `tls-cert` is defined.
Path in the remote hosts to the PEM-encoded private key file.
tls-ca
Required if `tls-cert` is defined.
Path in the remote hosts to the PEM-encoded CA certificate file.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
syncrepl-host
Only has an effect if `replicate` is set; required in that case.
Set once per host that will replicate the directory.
module
LDAP module to load. See `slapd.conf(5)`.
Default value is OS-dependent, see manifest.
schema
Name of LDAP schema to load. Must be the name without extension of a
`.schema` file in slapd's schema directory (usually `/etc/slapd/schema` or
`/usr/local/etc/openldap/schema`).
Example value: `inetorgperson`
The type user must ensure that the schema file is deployed.
This defaults to a sensible subset, for details see the type definition.
description
The description of the base DN passed in the `suffix` parameter.
Defaults to `Managed by cdist, do not edit manually.`
BOOLEAN PARAMETERS
------------------
staging
Passed to `cdist-type__letsencrypt_cert`; has otherwise no use.
Obtain a test certificate from a staging server.
replicate
Whether to setup replication or not.
If present `syncrepl-credentials` and `syncrepl-host` are also required.
EXAMPLES
--------
.. code-block:: sh
# Example of a simple server with manual certificate management.
pki_prefix="/usr/local/etc/pki/realms/ldap.camilion.cloud"
__openldap_server \
--manager-dn 'cn=manager,dc=camilion,dc=cloud' \
--manager-password "foo" \
--manager-password-hash '{SSHA}foo' \
--serverid 0 \
--suffix 'dc=camilion,dc=cloud' \
--slapd-url 'ldaps://ldap.camilion.cloud' \
--tls-cert "${pki_prefix}/default.crt" \
--tls-privkey "${pki_prefix}/default.key" \
--tls-ca "${pki_prefix}/CA.crt"
# The created basedn looks as follows:
#
# dn: dc=camilion,dc=cloud
# objectClass: top
# objectClass: dcObject
# objectClass: organization
# o: Managed by cdist, do not edit manually.
# dc: camilion
#
# Do not change it manually, the type will overwrite your changes.
#
# Changing to a replicated setup is a simple change to something like:
#
# Example for multiple servers with replication and automatic
# Let's Encrypt certificate management through certbot.
id=1
for host in ldap-test1.ungleich.ch ldap-test2.ungleich.ch; do
echo "__ungleich_ldap \
--manager-dn 'cn=manager,dc=ungleich,dc=ch' \
--manager-psasword 'foo' \
--manager-password-hash '{SSHA}fooo' \
--serverid '${id}' \
--suffix 'dc=ungleich,dc=ch' \
--slapd-url ldap://${host} \
--searchbase 'dc=ungleich,dc=ch' \
--syncrepl-credentials 'fooo' \
--syncrepl-host 'ldap-test1.ungleich.ch' \
--syncrepl-host 'ldap-test2.ungleich.ch' \
--description 'Ungleich LDAP server'" \
--staging \
| cdist config -i - -v ${host}
id=$((id + 1))
done
# The created basedn looks as follows:
#
# dn: dc=ungleich,dc=ch
# objectClass: top
# objectClass: dcObject
# objectClass: organization
# o: Ungleich LDAP server
# dc: ungleich
#
# Do not change it manually, the type will overwrite your changes.
SEE ALSO
--------
:strong:`cdist-type__letsencrypt_cert`\ (7)
AUTHORS
-------
ungleich <foss--@--ungleich.ch>
Evilham <contact--@--evilham.com>
COPYING
-------
Copyright \(C) 2020 ungleich glarus ag. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -1,263 +0,0 @@
#!/bin/sh
name="${__target_host}"
manager_dn=$(cat "${__object}/parameter/manager-dn")
manager_password_hash=$(cat "${__object}/parameter/manager-password-hash")
serverid=$(cat "${__object}/parameter/serverid")
suffix=$(cat "${__object}/parameter/suffix")
slapd_modules=$(cat "${__object}/parameter/module" 2>/dev/null || true)
schemas=$(cat "${__object}/parameter/schema")
slapd_urls=$(tr '\n' ' ' < "${__object}/parameter/slapd-url")
tls_cipher_suite=$(cat "${__object}/parameter/tls-cipher-suite" 2>/dev/null || true)
os="$(cat "${__global}/explorer/os")"
# Setup OS-dependent vars
CONF_OWNER="root"
CONF_GROUP="root"
case "${os}" in
freebsd)
PKGS="openldap-server"
ETC="/usr/local/etc"
SLAPD_DIR="/usr/local/etc/openldap"
SLAPD_DATA_DIR="/var/db/openldap-data"
SLAPD_RUN_DIR="/var/run/openldap"
SLAPD_MODULE_PATH="/usr/local/libexec/openldap"
if [ -z "${slapd_modules}" ]; then
# It looks like ppolicy and syncprov must be compiled
slapd_modules="back_mdb back_monitor"
fi
CONF_OWNER="ldap"
CONF_GROUP="ldap"
if [ -z "${tls_cipher_suite}" ]; then
# TODO: research default for FreeBSD. 'NORMAL' appears to not work
tls_cipher_suite="HIGH:MEDIUM:+SSLv2"
fi
;;
debian|ubuntu|devuan)
PKGS="slapd ldap-utils"
ETC="/etc"
SLAPD_DIR="/etc/ldap"
SLAPD_DATA_DIR="/var/lib/ldap"
SLAPD_RUN_DIR="/var/run/slapd"
SLAPD_MODULE_PATH="/usr/lib/ldap"
if [ -z "${slapd_modules}" ]; then
slapd_modules="back_mdb ppolicy syncprov back_monitor"
fi
if [ -z "${tls_cipher_suite}" ]; then
tls_cipher_suite="NORMAL"
fi
;;
*)
echo "Don't know the openldap defaults for: $os" >&2
exit 1
;;
esac
PKG_MAIN=$(echo "${PKGS}" | awk '{print $1;}')
# Determine if __letsencrypt_cert is to be used and setup vars accordingly
if [ -f "${__object}/parameter/tls-cert" ]; then
tls_cert=$(cat "${__object}/parameter/tls-cert")
if [ ! -f "${__object}/parameter/tls-privkey" ]; then
echo "When tls-cert is defined, tls-privkey is also required." >&2
exit 1
fi
tls_privkey=$(cat "${__object}/parameter/tls-privkey")
if [ ! -f "${__object}/parameter/tls-ca" ]; then
echo "When tls-cert is defined, tls-ca is also required." >&2
exit 1
fi
tls_ca=$(cat "${__object}/parameter/tls-ca")
_skip_letsencrypt_cert="YES"
else
if [ ! -f "${__object}/parameter/admin-email" ]; then
echo "When using __letsencrypt_cert, admin-email is also required." >&2
exit 1
fi
admin_email=$(cat "${__object}/parameter/admin-email")
tls_cert="${SLAPD_DIR}/sasl2/cert.pem"
tls_privkey="${SLAPD_DIR}/sasl2/privkey.pem"
tls_ca="${SLAPD_DIR}/sasl2/chain.pem"
fi
mkdir "${__object}/files"
ldapconf="${__object}/files/ldapconf"
replication=""
if [ -f "${__object}/parameter/replicate" ]; then
replication=yes
if [ ! -f "${__object}/parameter/syncrepl-searchbase" ]; then
echo "Requiring the searchbase for replication" >&2
exit 1
fi
syncrepl_searchbase=$(cat "${__object}/parameter/syncrepl-searchbase")
if [ ! -f "${__object}/parameter/syncrepl-credentials" ]; then
echo "Requiring credentials for replication" >&2
exit 1
fi
syncrepl_credentials=$(cat "${__object}/parameter/syncrepl-credentials")
if [ ! -f "${__object}/parameter/syncrepl-host" ]; then
echo "Requiring host(s) for replication" >&2
exit 1
fi
syncrepl_hosts=$(cat "${__object}/parameter/syncrepl-host")
fi
# Install required packages
for pkg in ${PKGS}; do
__package "${pkg}"
done
require="__package/${PKG_MAIN}" __start_on_boot slapd
# Setup -h flag for the listeners. See man slapd (-h flag).
case "${os}" in
freebsd)
require="__start_on_boot/slapd" __key_value \
--file "/etc/rc.conf" \
--key "slapd_flags" \
--value "\"-h '${slapd_urls}'\"" \
--delimiter "=" \
--comment "# LDAP Listener URLs" \
"${__target_host}__slapd_flags"
;;
debian|ubuntu|devuan)
require="__package/${PKG_MAIN}" __line rm_slapd_conf \
--file ${ETC}/default/slapd \
--regex 'SLAPD_CONF=.*' \
--state absent
require="__package/${PKG_MAIN}" __line rm_slapd_services \
--file ${ETC}/default/slapd \
--regex 'SLAPD_SERVICES=.*' \
--state absent
require="__line/rm_slapd_conf" __line add_slapd_conf \
--file ${ETC}/default/slapd \
--line "SLAPD_CONF=${SLAPD_DIR}/slapd.conf" \
--state present
require="__line/rm_slapd_services" __line add_slapd_services \
--file ${ETC}/default/slapd \
--line "SLAPD_SERVICES=\"${slapd_urls}\"" \
--state present
;;
*)
# Nothing to do here, move on.
;;
esac
if [ -z "${_skip_letsencrypt_cert}" ]; then
if [ -f "${__object}/parameter/staging" ]; then
staging="--staging"
else
staging=""
fi
__letsencrypt_cert "${name}" --admin-email "${admin_email}" \
--renew-hook "cp ${ETC}/letsencrypt/live/${name}/*.pem ${SLAPD_DIR}/sasl2 && chown -R openldap:openldap ${SLAPD_DIR}/sasl2 && service slapd restart" \
--automatic-renewal ${staging}
fi
require="__package/${PKG_MAIN}" __directory ${SLAPD_DIR}/slapd.d --state absent
if [ -z "${_skip_letsencrypt_cert}" ]; then
require="__package/${PKG_MAIN} __letsencrypt_cert/${name}" \
__file ${SLAPD_DIR}/slapd.conf --owner ${CONF_OWNER} --group ${CONF_GROUP} --mode 644 \
--source "${ldapconf}"
else
require="__package/${PKG_MAIN}" \
__file ${SLAPD_DIR}/slapd.conf --owner ${CONF_OWNER} --group ${CONF_GROUP} --mode 644 \
--source "${ldapconf}"
fi
# Start slapd.conf
cat << EOF > "${ldapconf}"
pidfile ${SLAPD_RUN_DIR}/slapd.pid
argsfile ${SLAPD_RUN_DIR}/slapd.args
TLSCipherSuite ${tls_cipher_suite}
TLSCertificateFile ${tls_cert}
TLSCertificateKeyFile ${tls_privkey}
TLSCACertificateFile ${tls_ca}
disallow bind_anon
require bind
security tls=1
EOF
# Add specified schemas
for schema in ${schemas}; do
echo "include ${SLAPD_DIR}/schema/${schema}.schema" >> "${ldapconf}"
done
# Add specified modules
echo "modulepath ${SLAPD_MODULE_PATH}" >> "${ldapconf}"
for module in ${slapd_modules}; do
echo "moduleload ${module}.la" >> "${ldapconf}"
done
# Rest of the config
cat << EOF >> "${ldapconf}"
loglevel 1024
database mdb
maxsize 1073741824
suffix "${suffix}"
directory ${SLAPD_DATA_DIR}
rootdn "${manager_dn}"
rootpw "${manager_password_hash}"
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
serverid ${serverid}
EOF
# Setup replication
if [ "${replication}" ]; then
rid=1;
for syncrepl in ${syncrepl_hosts}; do
cat <<EOF >> "${ldapconf}"
syncrepl rid=${rid}
provider=ldap://${syncrepl}
bindmethod=simple
starttls=yes
binddn="${manager_dn}"
credentials=${syncrepl_credentials}
searchbase="${syncrepl_searchbase}"
type=refreshAndPersist
retry="5 + 5 +"
interval=00:00:00:05
EOF
rid=$((rid + 1))
done
cat <<EOF >> "${ldapconf}"
mirrormode true
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100
database monitor
limits dn.exact="${manager_dn}" time=unlimited size=unlimited
EOF
fi

View file

@ -1,2 +0,0 @@
staging
replicate

View file

@ -1 +0,0 @@
Managed by cdist, do not edit manually.

View file

@ -1,12 +0,0 @@
corba
core
cosine
duaconf
dyngroup
inetorgperson
java
misc
nis
openldap
ppolicy
collective

View file

@ -1,8 +0,0 @@
description
syncrepl-credentials
syncrepl-searchbase
admin-email
tls-cipher-suite
tls-cert
tls-privkey
tls-ca

View file

@ -1,3 +0,0 @@
syncrepl-host
module
schema

View file

@ -1,5 +0,0 @@
manager-dn
manager-password
manager-password-hash
serverid
suffix

View file

@ -74,14 +74,6 @@ fi
case "$state_should" in
present)
# following is bit ugly, but important hack.
# due to how cdist config run works, there isn't
# currently better way to do it :(
cat << EOF
if [ ! -f /var/cache/apt/pkgcache.bin ] || [ "\$( stat --format %Y /var/cache/apt/pkgcache.bin )" -lt "\$( date +%s -d '-1 day' )" ]
then echo apt-get update > /dev/null 2>&1 || true
fi
EOF
if [ -n "$version" ]; then
name="${name}=${version}"
fi

View file

@ -11,9 +11,6 @@ DESCRIPTION
apt-get is usually used on Debian and variants (like Ubuntu) to
manage packages.
This type will also update package index, if it is older
than one day, to avoid missing package error messages.
REQUIRED PARAMETERS
-------------------

View file

@ -47,9 +47,9 @@ case "$type" in
echo "pacman --noprogressbar --sync --refresh"
echo "pacman package database synced (age was: $currage)" >> "$__messages_out"
;;
apk)
alpine)
echo "apk update"
echo "apk package database updated." >>"$__messages_out"
echo "apk package database updated."
;;
*)
echo "Don't know how to manage packages for type: $type" >&2

View file

@ -41,16 +41,12 @@ if [ "$state_should" != "$state_is" ]; then
present)
owner=""
if [ -f "$__object/parameter/owner" ]; then
owner="-O \"$(cat "$__object/parameter/owner")\""
owner="-O '$(cat "$__object/parameter/owner")'"
fi
cat << EOF
su - '$postgres_user' -c "createdb $owner \"$name\""
EOF
echo "su - '$postgres_user' -c \"createdb $owner '$name'\""
;;
absent)
cat << EOF
su - '$postgres_user' -c "dropdb \"$name\""
EOF
echo "su - '$postgres_user' -c \"dropdb '$name'\""
;;
esac
fi

View file

@ -53,13 +53,11 @@ case "$state_should" in
done
[ -n "$password" ] && password="PASSWORD '$password'"
cat << EOF
su - '$postgres_user' -c "psql postgres -wc \"CREATE ROLE \\\\\"$name\\\\\" WITH $password $booleans;\""
EOF
cmd="CREATE ROLE $name WITH $password $booleans"
echo "su - '$postgres_user' -c \"psql postgres -wc \\\"$cmd\\\"\""
;;
absent)
cat << EOF
su - '$postgres_user' -c "dropuser \"$name\""
EOF
echo "su - '$postgres_user' -c \"dropuser \\\"$name\\\"\""
;;
esac

View file

@ -1,8 +0,0 @@
#!/bin/sh
# Assume systemd if systemctl is in PATH.
if [ "$(command -v systemctl)" ]; then
printf "systemd"
else
printf "unknown"
fi

View file

@ -1,9 +0,0 @@
#!/bin/sh
manager="$(cat "$__object/explorer/service-manager")"
name=$__object_id
action="$(cat "$__object/parameter/action")"
if [ "$manager" = "unknown" ]; then
echo "service '$name' '$action'"
fi

View file

@ -1,51 +0,0 @@
cdist-type__service(7)
======================
NAME
----
cdist-type__service - Run action on a system service
DESCRIPTION
-----------
This type allows you to run an action against a system service.
REQUIRED PARAMETERS
-------------------
action
Arbitrary parameter passed as action. Usually 'start', 'stop', 'reload' or 'restart'.
OPTIONAL PARAMETERS
-------------------
None.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
# Restart nginx service.
__service nginx --action restart
# Stop postfix service.
__service postfix --action stop
AUTHORS
-------
Timothée Floure <timothee.floure@ungleich.ch>
COPYING
-------
Copyright \(C) 2019 Timothée Floure. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

Some files were not shown because too many files have changed in this diff Show more