diff --git a/README b/README deleted file mode 100644 index caf2dac8..00000000 --- a/README +++ /dev/null @@ -1,7 +0,0 @@ -cdist ------ - -cdist is a usable configuration management system. - -For the web documentation have a look at https://www.cdi.st/ -or at docs/src for reStructuredText manual. diff --git a/README.md b/README.md new file mode 100644 index 00000000..de6901c7 --- /dev/null +++ b/README.md @@ -0,0 +1,31 @@ +# cdist + +**cdist** is a usable configuration management system. + +It adheres to the [**KISS principle**](https://en.wikipedia.org/wiki/KISS_principle) +and is being used in small up to enterprise grade environments. + +For more information have a look at [**homepage**](https://cdi.st) +or at **``docs/src``** for manual in **reStructuredText** format. + +## Contributing + +Merge/Pull requests can be made in both +[upstream **GitLab**](https://code.ungleich.ch/ungleich-public/cdist/merge_requests) +(managed by [**ungleich**](https://ungleich.ch)) +and [**GitHub** project](https://github.com/ungleich/cdist/pulls). + +Issues can be made and other project management activites happen +[**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist) +(needs [**ungleich** account](https://account.ungleich.ch)). + +For community-maintained types there is +[**cdist-contrib** project](https://code.ungleich.ch/ungleich-public/cdist-contrib). + +## Participating + +IRC: ``#cdist`` @ freenode + +Matrix: ``#cdist:ungleich.ch`` + +Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist diff --git a/cdist/conf/explorer/cpu_cores b/cdist/conf/explorer/cpu_cores index a52bddac..c6744142 100755 --- a/cdist/conf/explorer/cpu_cores +++ b/cdist/conf/explorer/cpu_cores @@ -32,6 +32,10 @@ case "$os" in sysctl -n hw.ncpuonline ;; + "freebsd"|"netbsd") + sysctl -n hw.ncpu + ;; + *) if [ -r /proc/cpuinfo ]; then cores="$(grep "core id" /proc/cpuinfo | sort | uniq | wc -l)" 
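Review bot: The new `"freebsd"|"netbsd")` branch returns `hw.ncpu`, which on those systems counts logical CPUs (SMT threads included), while the `*)` branch below derives its count from distinct `core id` entries in /proc/cpuinfo, so the explorer's notion of "cores" differs between the two paths. If that is intended, a one-line comment next to the new case, `# hw.ncpu counts logical CPUs, not physical cores`, would spare the next reader the same question. The enclosing `case "$os" in` statement starts and ends outside the hunk.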
diff --git a/cdist/conf/explorer/memory b/cdist/conf/explorer/memory index 4e3efff8..302b4cda 100755 --- a/cdist/conf/explorer/memory +++ b/cdist/conf/explorer/memory @@ -29,7 +29,7 @@ case "$os" in echo "$(sysctl -n hw.memsize)/1024" | bc ;; - "openbsd") + *"bsd") echo "$(sysctl -n hw.physmem) / 1048576" | bc ;; diff --git a/cdist/conf/type/__daemontools_service/man.rst b/cdist/conf/type/__daemontools_service/man.rst index 9bbbe2f8..ec1d20ff 100644 --- a/cdist/conf/type/__daemontools_service/man.rst +++ b/cdist/conf/type/__daemontools_service/man.rst @@ -40,12 +40,6 @@ run-file log-run Command to run for log consumption. Default: `multilog t ./main` -owner - User to chown to. - -group - User to chgrp to. - servicedir Directory to install into. Default: `/service` diff --git a/cdist/conf/type/__daemontools_service/manifest b/cdist/conf/type/__daemontools_service/manifest index 8a81b5f5..78bae285 100755 --- a/cdist/conf/type/__daemontools_service/manifest +++ b/cdist/conf/type/__daemontools_service/manifest @@ -9,8 +9,6 @@ servicedir=$(cat "$__object/parameter/servicedir") run=$(cat "$__object/parameter/run") runfile=$(cat "$__object/parameter/run-file") logrun=$(cat "$__object/parameter/log-run") -owner=$(cat "$__object/parameter/owner") -group=$(cat "$__object/parameter/group") svc=$(cat "$__type/explorer/svc") 
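Review bot: Widening `"openbsd")` to `*"bsd")` now routes NetBSD through `sysctl -n hw.physmem`, and on NetBSD and OpenBSD that MIB is a 32-bit integer with `hw.physmem64` as the 64-bit counterpart, so hosts with more than 4 GiB of RAM may report a truncated value (FreeBSD's `hw.physmem` is already 64-bit). A fallback keeps the single branch: `echo "$(sysctl -n hw.physmem64 2>/dev/null || sysctl -n hw.physmem) / 1048576" | bc`. The glob also matches any future os value ending in `bsd`, so it should stay after any more specific entry in the enclosing `case` statement, which lies outside the hunk.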
@@ -27,22 +25,14 @@ badusage() { [ -z "$run$runfile" ] && badusage [ -n "$run" ] && [ -n "$runfile" ] && badusage -flags="" -if [ -n "$owner" ]; then - flags="$flags --owner $owner" -fi -if [ -n "$group" ]; then - flags="$flags --group $group" -fi - -__directory "$servicedir/$name/log/main" --parents $flags +__directory "$servicedir/$name/log/main" --parents echo "$RUN_PREFIX$run" | require="__directory/$servicedir/$name/log/main" __config_file "$servicedir/$name/run" \ --onchange "svc -t '$servicedir/$name' 2>/dev/null" \ - --mode 755 $flags \ + --mode 755 \ --source "${runfile:--}" echo "$RUN_PREFIX$logrun" | require="__directory/$servicedir/$name/log/main" __config_file "$servicedir/$name/log/run" \ --onchange "svc -t '$servicedir/$name/log' 2>/dev/null" \ - --mode 755 $flags \ + --mode 755 \ --source "-" diff --git a/cdist/conf/type/__daemontools_service/parameter/default/group b/cdist/conf/type/__daemontools_service/parameter/default/group deleted file mode 100644 index e69de29b..00000000 diff --git a/cdist/conf/type/__daemontools_service/parameter/default/owner b/cdist/conf/type/__daemontools_service/parameter/default/owner deleted file mode 100644 index e69de29b..00000000 diff --git a/cdist/conf/type/__daemontools_service/parameter/optional b/cdist/conf/type/__daemontools_service/parameter/optional index 7c66b514..7e54985f 100644 --- a/cdist/conf/type/__daemontools_service/parameter/optional +++ b/cdist/conf/type/__daemontools_service/parameter/optional @@ -1,6 +1,4 @@ -group log-run -owner run run-file servicedir diff --git a/cdist/conf/type/__iocage_clone/gencode-remote b/cdist/conf/type/__iocage_clone/gencode-remote deleted file mode 100755 index 30d77099..00000000 --- a/cdist/conf/type/__iocage_clone/gencode-remote +++ /dev/null 
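Review bot: Dropping the `--owner`/`--group` handling here, together with the parameter files removed below, is a user-visible interface change that the changelog hunk in docs/changelog does not record, so manifests still passing `--owner` will fail parameter validation with no pointer to the cause. A changelog line such as `* Type __daemontools_service: Remove owner and group parameters (AUTHOR)` (author placeholder) would document it; keeping the two parameters as deprecated no-ops for one release is the gentler alternative. The manifest code before `badusage()` is outside this hunk.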
@@ -1,152 +0,0 @@ -#!/bin/sh - -state="$(cat $__object/parameter/state)" -template="$(cat $__object/parameter/template)" -ip4_addr="$(cat $__object/parameter/bridge)|$(cat $__object/parameter/ip)" -interfaces="none:none" -defaultrouter="none" -vnet="off" -jail_zfs_dataset="$(cat $__object/parameter/jail_zfs_dataset)" -devfs_ruleset="$(cat $__object/parameter/devfs_ruleset)" -allow_socket_af="$(cat $__object/parameter/allow_socket_af)" -mount_procfs="$(cat $__object/parameter/mount_procfs)" -mount_linprocfs="$(cat $__object/parameter/mount_linprocfs)" - -if [ "X$state" = "Xabsent" ]; then - cat <&2 - create_new=1 - fi -fi - -if [ \$create_new -eq 0 ]; then - if [ "off" == "\$(get_property_iocage jail_zfs "$__object_id")" ]; then - current_jail_zfs_dataset="" - else - current_jail_zfs_dataset="\$(get_property_iocage jail_zfs_dataset "$__object_id")" - fi -fi - -configure=0 -if [ \$create_new -eq 1 ]; then - configure=1 -elif [ "X$vnet" != "X\$(get_property_iocage vnet "$__object_id")" ]; then - configure=1 -elif [ "X$ip4_addr" != "X\$(get_property_iocage ip4_addr "$__object_id")" ]; then - configure=1 -elif [ "X$interfaces" != "X\$(get_property_iocage interfaces "$__object_id")" ]; then - configure=1 -elif [ "X$defaultrouter" != "X\$(get_property_iocage defaultrouter "$__object_id")" ]; then - configure=1 -elif [ "X$mount_procfs" != "X\$(get_property_iocage mount_procfs "$__object_id")" ]; then - configure=1 -elif [ "X$devfs_ruleset" != "X\$(get_property_iocage devfs_ruleset "$__object_id")" ]; then - configure=1 -elif [ "X$allow_socket_af" != "X\$(get_property_iocage allow_socket_af "$__object_id")" ]; then - configure=1 -elif [ "X$jail_zfs_dataset" != "X\$current_jail_zfs_dataset" ]; then - configure=1 -fi - -if [ \$create_new -eq 1 ]; then - echo "Creating jail $__object_id" >&2 - - iocage stop $__object_id || true - iocage destroy -f $__object_id || true - # Without VNETs, we should not need this. 
- # TODO(riso): Use nicer path - # /root/cdist/ioc deconfigure $__object_id - - rm -f /iocage/jails/$__object_id - - iocage clone $template tag=$__object_id - iocage set boot=on $__object_id - UUID=\$(iocage list | grep " $__object_id " | awk "{ print \\\$2; }") - rm -f /iocage/jails/$__object_id - ln -s /iocage/jails/\$UUID /iocage/jails/$__object_id -else - UUID=\$(iocage list | grep " $__object_id " | awk "{ print \\\$2; }") - echo "Jail $__object_id already exists, UUID=\$UUID" >&2 -fi - -ROOT="/iocage/jails/\$UUID/root" -FSTAB="/iocage/jails/\$UUID/fstab" -rm -f \$FSTAB.new -touch \$FSTAB.new -cat $__object/parameter/mount 2>/dev/null | \\ -while read mount; do - src=\$(echo \$mount | awk -F: "{ print \\\$1; }") - dst_rel=\$(echo \$mount | awk -F: "{ print \\\$2; }") - dst="/iocage/jails/\$UUID/root/\$dst_rel" - mkdir -p "\$dst" - echo "\$src \$dst nullfs rw 0 0" >>\$FSTAB.new -done -if [ $mount_linprocfs -eq 1 ]; then - echo "linproc /iocage/jails/\$UUID/root/compat/linux/proc linprocfs rw 0 0" >>\$FSTAB.new -fi - -fstab_changed=0 -if diff -q \$FSTAB \$FSTAB.new >/dev/null; then - # pass -else - configure=1 - fstab_changed=1 -fi - -if [ \$configure -eq 1 ]; then - echo "Configuring jail $__object_id." 
>&2 - iocage stop $__object_id || true - - iocage set vnet="$vnet" $__object_id - iocage set interfaces="$interfaces" $__object_id - iocage set hostname="$__object_id" $__object_id - iocage set ip4_addr="$ip4_addr" $__object_id - iocage set defaultrouter="$defaultrouter" $__object_id - iocage set mount_procfs="$mount_procfs" $__object_id - iocage set devfs_ruleset="$devfs_ruleset" $__object_id - iocage set allow_socket_af="$allow_socket_af" $__object_id - if [ -n "$jail_zfs_dataset" ]; then - iocage set jail_zfs=on $__object_id - iocage set jail_zfs_dataset="$jail_zfs_dataset" $__object_id - else - iocage set jail_zfs=off $__object_id - fi - - if [ \$fstab_changed -eq 1 ]; then - umount -afF \$FSTAB || true - mv \$FSTAB.new \$FSTAB - fi - - iocage start $__object_id || true - - # Iocage creates new mac address, but arp can have an old mac cached. - # TODO(riso): Is this true without VNETs? - arp -d -a -else - echo "Jail $__object_id is already configured." >&2 -fi -rm -f \$FSTAB.new -EOF -fi diff --git a/cdist/conf/type/__iocage_clone/manifest b/cdist/conf/type/__iocage_clone/manifest deleted file mode 100644 index 0684fce8..00000000 --- a/cdist/conf/type/__iocage_clone/manifest +++ /dev/null @@ -1 +0,0 @@ -__package iocage diff --git a/cdist/conf/type/__iocage_clone/parameter/default/allow_socket_af b/cdist/conf/type/__iocage_clone/parameter/default/allow_socket_af deleted file mode 100644 index 573541ac..00000000 --- a/cdist/conf/type/__iocage_clone/parameter/default/allow_socket_af +++ /dev/null @@ -1 +0,0 @@ -0 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/bridge b/cdist/conf/type/__iocage_clone/parameter/default/bridge deleted file mode 100644 index 092f51c8..00000000 --- a/cdist/conf/type/__iocage_clone/parameter/default/bridge +++ /dev/null @@ -1 +0,0 @@ -bridge0 
diff --git a/cdist/conf/type/__iocage_clone/parameter/default/devfs_ruleset b/cdist/conf/type/__iocage_clone/parameter/default/devfs_ruleset deleted file mode 100644 index b8626c4c..00000000 --- a/cdist/conf/type/__iocage_clone/parameter/default/devfs_ruleset +++ /dev/null @@ -1 +0,0 @@ -4 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/jail_zfs_dataset b/cdist/conf/type/__iocage_clone/parameter/default/jail_zfs_dataset deleted file mode 100644 index e69de29b..00000000 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/mount_linprocfs b/cdist/conf/type/__iocage_clone/parameter/default/mount_linprocfs deleted file mode 100644 index 573541ac..00000000 --- a/cdist/conf/type/__iocage_clone/parameter/default/mount_linprocfs +++ /dev/null @@ -1 +0,0 @@ -0 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/mount_procfs b/cdist/conf/type/__iocage_clone/parameter/default/mount_procfs deleted file mode 100644 index 573541ac..00000000 --- a/cdist/conf/type/__iocage_clone/parameter/default/mount_procfs +++ /dev/null @@ -1 +0,0 @@ -0 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/net b/cdist/conf/type/__iocage_clone/parameter/default/net deleted file mode 100644 index a45fd52c..00000000 --- a/cdist/conf/type/__iocage_clone/parameter/default/net +++ /dev/null @@ -1 +0,0 @@ -24 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/state b/cdist/conf/type/__iocage_clone/parameter/default/state deleted file mode 100644 index e7f6134f..00000000 --- a/cdist/conf/type/__iocage_clone/parameter/default/state +++ /dev/null @@ -1 +0,0 @@ -present diff --git a/cdist/conf/type/__iocage_clone/parameter/optional b/cdist/conf/type/__iocage_clone/parameter/optional deleted file mode 100644 index 8ca73ed9..00000000 --- a/cdist/conf/type/__iocage_clone/parameter/optional +++ /dev/null @@ -1,7 +0,0 @@ -state -bridge -jail_zfs_dataset -mount_procfs -mount_linprocfs -devfs_ruleset -allow_socket_af 
diff --git a/cdist/conf/type/__iocage_clone/parameter/optional_multiple b/cdist/conf/type/__iocage_clone/parameter/optional_multiple deleted file mode 100644 index fde64773..00000000 --- a/cdist/conf/type/__iocage_clone/parameter/optional_multiple +++ /dev/null @@ -1 +0,0 @@ -mount diff --git a/cdist/conf/type/__iocage_clone/parameter/required b/cdist/conf/type/__iocage_clone/parameter/required deleted file mode 100644 index 209d1544..00000000 --- a/cdist/conf/type/__iocage_clone/parameter/required +++ /dev/null @@ -1,2 +0,0 @@ -ip -template diff --git a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote b/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote deleted file mode 100644 index 9243acc9..00000000 --- a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote +++ /dev/null 
@@ -1,112 +0,0 @@ -#!/bin/sh -e - -ACME_TINY_CERT_REQUEST_DIR="/var/acme-tiny/cert-requests" -ACME_TINY_ACCOUNT_KEY="/var/acme-tiny/account.key" -ACME_CHALLENGE_DIR="/srv/www/sites/acme/public/.well-known/acme-challenge" - -REALM="${__object_id}" -EXTRA_DOMAINS="" -if [ -f "${__object}/parameter/extra-domain" ]; then - EXTRA_DOMAINS="$(cat "${__object}/parameter/extra-domain")" -fi - -#TODO: support linux too -REALMS_DIR="/usr/local/etc/pki/realms" -REALM_DIR="${REALMS_DIR}/${REALM}" -REALM_CERT="${REALM_DIR}/default.crt" -REALM_KEY="${REALM_DIR}/default.key" -REALM_CERT_REQUEST="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.csr" -REALM_CERT_REQUEST_CNF="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.cnf" - -CSR_ALT_NAMES="" -REALM_CERT_REQUEST_CNF_LINE="" -if [ -n "${EXTRA_DOMAINS}" ]; then - CSR_ALT_NAMES="DNS:${REALM}" - for domain in ${EXTRA_DOMAINS}; do - CSR_ALT_NAMES="${CSR_ALT_NAMES},DNS:${domain}" - done - # CSR requests are executed always against .new, only after succeeding .new replaces the .cnf - REALM_CERT_REQUEST_CNF_LINE="-reqexts SAN -config '${REALM_CERT_REQUEST_CNF}.new'" -fi - -cat << EOF -if [ ! -d '${REALM_DIR}' ]; then - mkdir -p '${REALM_DIR}' -fi -if [ ! -f '${REALM_KEY}' ]; then - openssl genrsa 4096 > '${REALM_KEY}' -fi - -if [ ! -d '${ACME_TINY_CERT_REQUEST_DIR}' ]; then - mkdir '${ACME_TINY_CERT_REQUEST_DIR}' -fi - -FORCE_CSR_REGEN="" -if [ -n '${CSR_ALT_NAMES}' ]; then - # Generate new config - cat /etc/ssl/openssl.cnf > '${REALM_CERT_REQUEST_CNF}.new' - printf '[SAN]\nsubjectAltName=${CSR_ALT_NAMES}' >> '${REALM_CERT_REQUEST_CNF}.new' - # Compare to previous config if necessary - if [ -f '${REALM_CERT_REQUEST_CNF}' ]; then - CNF_DIFF=\$(diff -q '${REALM_CERT_REQUEST_CNF}' '${REALM_CERT_REQUEST_CNF}.new' || true) - if [ -n "\${CNF_DIFF}" ]; then - # Options have changed - FORCE_CSR_REGEN="YES" - else - # Since they match, we won't be using this, clean it - rm '${REALM_CERT_REQUEST_CNF}.new' - fi - else - # We never used SAN here, CSR regen needed. 
- FORCE_CSR_REGEN="YES" - fi -else - # We used SAN at some point, not any more - if [ -f '${REALM_CERT_REQUEST_CNF}' ]; then - rm '${REALM_CERT_REQUEST_CNF}' - FORCE_CSR_REGEN="YES" - fi -fi - -# Create or re-create when params have changed -if [ ! -f '${REALM_CERT_REQUEST}' -o -n "\${FORCE_CSR_REGEN}" ]; then - openssl req -new -sha256 -key '${REALM_KEY}' -subj '/CN=${REALM}' -out '${REALM_CERT_REQUEST}' ${REALM_CERT_REQUEST_CNF_LINE} -fi - -# Check if cert exists, and if so whether or not it's older than a month -if [ -f '${REALM_CERT}' ]; then - MODIFIED_IN_30d="\$(find '${REALM_CERT}' -mtime -30d)" - if [ -z "\${MODIFIED_IN_30d}" ]; then - # Cert is over a month old, it's fine to regenerate - FORCE_CRT_REGEN="YES" - fi -else - # This cert doesn't exist - FORCE_CRT_REGEN="YES" -fi - - -# Only request certificate when needed -# TODO: support linux too -if [ -n "\${FORCE_CSR_REGEN}" -o -n "\${FORCE_CRT_REGEN}" ]; then - doas -u acme-tiny -- acme_tiny \ - --account '${ACME_TINY_ACCOUNT_KEY}' \ - --csr '${REALM_CERT_REQUEST}' \ - --acme-dir '${ACME_CHALLENGE_DIR}' > '${REALM_CERT}.new' - - if [ -s '${REALM_CERT}.new' ]; then - mv '${REALM_CERT}.new' '${REALM_CERT}' - else - echo "Failed to generate cert for realm '${REALM}'." - exit 1 - fi -fi - -cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > ${REALM_DIR}/fullchain.pem - -if [ -n '${REALM_CERT_REQUEST_CNF_LINE}' -a -f '${REALM_CERT_REQUEST_CNF}.new' ]; then - # CSR and cert generation succeded with a new config, put new config in-place. - # This is the last thing we do, so we try again next time if sth fails. - mv '${REALM_CERT_REQUEST_CNF}.new' '${REALM_CERT_REQUEST_CNF}' -fi -EOF diff --git a/cdist/conf/type/__letsencrypt_acmetiny/manifest b/cdist/conf/type/__letsencrypt_acmetiny/manifest deleted file mode 100644 index 48438abb..00000000 --- a/cdist/conf/type/__letsencrypt_acmetiny/manifest +++ /dev/null @@ -1 +0,0 @@ -#__letsencrypt_acmetiny_base 
diff --git a/cdist/conf/type/__letsencrypt_acmetiny/nonparallel b/cdist/conf/type/__letsencrypt_acmetiny/nonparallel deleted file mode 100644 index e69de29b..00000000 diff --git a/cdist/conf/type/__letsencrypt_acmetiny/parameter/optional_multiple b/cdist/conf/type/__letsencrypt_acmetiny/parameter/optional_multiple deleted file mode 100644 index 7bfb11da..00000000 --- a/cdist/conf/type/__letsencrypt_acmetiny/parameter/optional_multiple +++ /dev/null @@ -1 +0,0 @@ -extra-domain diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/gencode-remote b/cdist/conf/type/__letsencrypt_acmetiny_base/gencode-remote deleted file mode 100644 index 1e4174a4..00000000 --- a/cdist/conf/type/__letsencrypt_acmetiny_base/gencode-remote +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh -e - -ACME_HOME="/var/acme-tiny" -ACME_ACCOUNT_KEY="${ACME_HOME}/account.key" - -cat << EOF -if [ ! -f '${ACME_ACCOUNT_KEY}' ]; then - openssl genrsa 4096 > '${ACME_ACCOUNT_KEY}' - chown acme-tiny:acme-tiny '${ACME_ACCOUNT_KEY}' - chmod 640 '${ACME_ACCOUNT_KEY}' -fi -EOF diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest deleted file mode 100644 index cbedcdff..00000000 --- a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest +++ /dev/null 
@@ -1,227 +0,0 @@ -# Arguments -ACME_DOMAIN="$(cat "${__object}/parameter/acme_domain" || true)" - -if [ -z "${ACME_DOMAIN}" ]; then - ACME_DOMAIN="${__target_host}" -fi - - -# Install needed stuffz - -## TODO: consider not depending on nginx? It is... practical though. -## TODO: Maybe just move this out to a sepecial type? -__package "nginx" - -NGINX_ETC="/usr/local/etc/nginx" - -# Setup the acme-challenge snippet -require="__package/nginx" __directory "${NGINX_ETC}/snippets" --state present -require="__directory${NGINX_ETC}/snippets" __file "${NGINX_ETC}/snippets/acme-challenge.conf" \ - --mode 644 \ - --source - << EOF -# This file is managed remotely, all changes will be lost - -# This was heavily inspired by debops.org. - -# Automatic Certificate Management Environment (ACME) support. -# https://tools.ietf.org/html/draft-ietf-acme-acme-01 -# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment - - -# Return the ACME challenge present in the server public root. -# If not found, switch to global web server root. -location ^~ /.well-known/acme-challenge/ { - default_type "text/plain"; - try_files \$uri @well-known-acme-challenge; -} - -# Return the ACME challenge present in the global server public root. -# If not present, redirect request to a specified domain. -location @well-known-acme-challenge { - root /srv/www/sites/acme/public; - default_type "text/plain"; - try_files \$uri @redirect-acme-challenge; -} - -# Redirect the ACME challenge to a different host. If a redirect loop is -# detected, return 404. -location @redirect-acme-challenge { - if (\$arg_redirect) { - return 404; - } - return 307 \$scheme://${ACME_DOMAIN}\$request_uri?redirect=yes; -} - -# Return 404 if ACME challenge well known path is accessed directly. 
-location = /.well-known/acme-challenge/ { - return 404; -} -EOF - -require="__package/nginx" __directory "${NGINX_ETC}/sites-enabled" --state present -require="__directory${NGINX_ETC}/sites-enabled" __file "${NGINX_ETC}/nginx.conf" \ - --mode 644 \ - --source - << EOF -# This file is managed remotely, all changes will be lost - -worker_processes 1; - -# This default error log path is compiled-in to make sure configuration parsing -# errors are logged somewhere, especially during unattended boot when stderr -# isn't normally logged anywhere. This path will be touched on every nginx -# start regardless of error log location configured here. See -# https://trac.nginx.org/nginx/ticket/147 for more info. -# -#error_log /var/log/nginx/error.log; -# - -#pid logs/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - - include mime.types; - default_type application/octet-stream; - - server_tokens off; - - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 5m; - sendfile on; - tcp_nopush on; - tcp_nodelay on; - types_hash_max_size 2048; - gzip on; - gzip_disable "msie6"; - gzip_comp_level 5; - gzip_min_length 256; - gzip_proxied any; - gzip_vary on; - gzip_types - application/atom+xml - application/javascript - application/json - application/ld+json - application/manifest+json - application/rss+xml - application/vnd.geo+json - application/vnd.ms-fontobject - application/x-font-ttf - application/x-web-app-manifest+json - application/xhtml+xml - application/xml - font/opentype - image/bmp - image/svg+xml - image/x-icon - text/cache-manifest - text/css - text/plain - text/vcard - text/vnd.rim.location.xloc - text/vtt - text/x-component - text/x-cross-domain-policy; - - # Logging - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - #add_header X-Clacks-Overhead "GNU Terry Pratchett"; - - # Virtual Hosts Configs - include ${NGINX_ETC}/sites-enabled/*.conf; -} -EOF - -require="__directory${NGINX_ETC}/sites-enabled" __file 
"${NGINX_ETC}/sites-enabled/welcome.conf" \ - --mode 644 \ - --source - << EOF -# This file is managed remotely, all changes will be lost - -# nginx server configuration for: -# - https://welcome/ - -server { - - listen [::]:80; - - server_name welcome; - - root /srv/www/sites/welcome/public; - - include snippets/acme-challenge.conf; - - location / { - return 301 https://\$host\$request_uri; - } -} -EOF - -## TODO: this is kinda bad, don't restart every time. -## Otherwise this isn't idempotent. -require="__package/nginx" __service nginx --action onerestart -require="__package/nginx" __start_on_boot nginx - - -__package "acme-tiny" - -# Create acme-tiny user and secure home dir -ACME_TINY_HOME="/var/acme-tiny" -require="__package/acme-tiny" __user acme-tiny --system --home ${ACME_TINY_HOME} --comment "acme-tiny client" -require="__user/acme-tiny" __directory "${ACME_TINY_HOME}" --state present --mode 0750 --owner acme-tiny --group acme-tiny - -# Create ACME challenge dirs to be served by nginx -ACME_PUBLIC_DIR="/srv/www/sites/acme/public" -ACME_WELLKNOWN_DIR="${ACME_PUBLIC_DIR}/.well-known" -ACME_CHALLENGE_DIR="${ACME_WELLKNOWN_DIR}/acme-challenge" -__directory "${ACME_PUBLIC_DIR}" \ - --parents \ - --state present \ - --owner acme-tiny --group www \ - --mode 2750 # TODO: check whether this does require gid? 
-require="__directory${ACME_PUBLIC_DIR}" __directory "${ACME_WELLKNOWN_DIR}" \ - --state present \ - --owner acme-tiny --group www \ - --mode 0750 -require="__directory${ACME_WELLKNOWN_DIR}" __directory "${ACME_CHALLENGE_DIR}" \ - --state present \ - --owner acme-tiny --group www \ - --mode 0750 - -__package doas -DOAS_CONF="/usr/local/etc/doas.conf" -require="__package/doas" __file "${DOAS_CONF}" --mode 0640 -require="__file${DOAS_CONF}" __line "${DOAS_CONF}" \ - --regex 'root as acme-tiny' \ - --line 'permit nopass root as acme-tiny' - -# Setup CA -REALMS_DIR="/usr/local/etc/pki/realms" -__directory "${REALMS_DIR}" \ - --parents \ - --state present \ - --mode 0755 - -require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/intermediate.pem \ - --mode 0644 \ - --source - << EOF -$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt) -EOF -require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/root.pem \ - --mode 0644 \ - --source - << EOF -$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt) -EOF -require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/chain.pem \ - --mode 0644 \ - --source - << EOF -$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt) -$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt) -EOF - diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/parameter/optional b/cdist/conf/type/__letsencrypt_acmetiny_base/parameter/optional deleted file mode 100644 index fb20814d..00000000 --- a/cdist/conf/type/__letsencrypt_acmetiny_base/parameter/optional +++ /dev/null @@ -1 +0,0 @@ -acme_domain diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/singleton b/cdist/conf/type/__letsencrypt_acmetiny_base/singleton deleted file mode 100644 index e69de29b..00000000 diff --git a/cdist/conf/type/__pf_rdr/manifest b/cdist/conf/type/__pf_rdr/manifest deleted file mode 100644 index 39ab4470..00000000 --- a/cdist/conf/type/__pf_rdr/manifest +++ /dev/null 
@@ -1,40 +0,0 @@ -#!/bin/sh -e -# -# 2016 Kamila Součková (coding at kamila.is) -# -# This file is part of cdist. -# -# cdist is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# cdist is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with cdist. If not, see . -# - -# TODO it would be cool to print a warning if a generated anchor is unused in pf.conf - -ANCHORS_DIR=/etc/pf.d - -proto="$(cat "${__object}/parameter/proto")" -from="$(cat "${__object}/parameter/from")" -to="$(cat "${__object}/parameter/to")" -state="$(cat "${__object}/parameter/state")" - -# This breaks utterly with IPv6 -from="$(echo ${from} | sed 's/:/ port /')" -to="$(echo ${to} | sed 's/:/ port /')" - -anchor_name="$(echo ${__object_id} | cut -d/ -f1)" -rule="rdr pass log proto ${proto} from any to ${from} -> ${to}" - -__directory "${ANCHORS_DIR}" --parents - -require="__directory/${ANCHORS_DIR}" \ -__line __pf_rdr/${__object_id} --state ${state} --line "${rule}" --file ${ANCHORS_DIR}/${anchor_name} diff --git a/cdist/conf/type/__pf_rdr/parameter/default/proto b/cdist/conf/type/__pf_rdr/parameter/default/proto deleted file mode 100644 index 28a29e6f..00000000 --- a/cdist/conf/type/__pf_rdr/parameter/default/proto +++ /dev/null @@ -1 +0,0 @@ -tcp diff --git a/cdist/conf/type/__pf_rdr/parameter/default/state b/cdist/conf/type/__pf_rdr/parameter/default/state deleted file mode 100644 index e7f6134f..00000000 --- a/cdist/conf/type/__pf_rdr/parameter/default/state +++ /dev/null @@ -1 +0,0 @@ -present 
diff --git a/cdist/conf/type/__pf_rdr/parameter/optional b/cdist/conf/type/__pf_rdr/parameter/optional deleted file mode 100644 index 09ec92ca..00000000 --- a/cdist/conf/type/__pf_rdr/parameter/optional +++ /dev/null @@ -1,2 +0,0 @@ -proto -state diff --git a/cdist/conf/type/__pf_rdr/parameter/required b/cdist/conf/type/__pf_rdr/parameter/required deleted file mode 100644 index 4a568482..00000000 --- a/cdist/conf/type/__pf_rdr/parameter/required +++ /dev/null @@ -1,2 +0,0 @@ -from -to diff --git a/cdist/conf/type/__tinydns/gencode-remote b/cdist/conf/type/__tinydns/gencode-remote deleted file mode 100644 index 824479b6..00000000 --- a/cdist/conf/type/__tinydns/gencode-remote +++ /dev/null @@ -1,7 +0,0 @@ -servicename=$__object_id -user="$(cat "$__object/parameter/user")" -server_ip="$(cat "$__object/parameter/server-ip")" - -cat</dev/null || ./add-host $name $ip -make -EOF diff --git a/cdist/conf/type/__tinydns_host/manifest b/cdist/conf/type/__tinydns_host/manifest deleted file mode 100644 index e69de29b..00000000 diff --git a/cdist/conf/type/__tinydns_host/parameter/required b/cdist/conf/type/__tinydns_host/parameter/required deleted file mode 100644 index 93d111b2..00000000 --- a/cdist/conf/type/__tinydns_host/parameter/required +++ /dev/null @@ -1 +0,0 @@ -ip diff --git a/cdist/conf/type/__tinydns_ns/gencode-remote b/cdist/conf/type/__tinydns_ns/gencode-remote deleted file mode 100644 index 7305e605..00000000 --- a/cdist/conf/type/__tinydns_ns/gencode-remote +++ /dev/null @@ -1,13 +0,0 @@ -set -x - -servicename=$(echo $__object_id | cut -d/ -f1) -name=$(echo $__object_id | cut -d/ -f2-) -ip="$(cat "$__object/parameter/ip")" - -cat</dev/null || ./add-ns $name $ip -make -EOF - -set +x diff --git a/cdist/conf/type/__tinydns_ns/parameter/required b/cdist/conf/type/__tinydns_ns/parameter/required deleted file mode 100644 index 93d111b2..00000000 --- a/cdist/conf/type/__tinydns_ns/parameter/required +++ /dev/null @@ -1 +0,0 @@ -ip 
diff --git a/cdist/core/explorer.py b/cdist/core/explorer.py
index 353d7681..c93f8958 100644
--- a/cdist/core/explorer.py
+++ b/cdist/core/explorer.py
@@ -167,7 +167,8 @@ class Explorer(object):
     def run_global_explorer(self, explorer):
         """Run the given global explorer and return it's output."""
         script = os.path.join(self.remote.global_explorer_path, explorer)
-        return self.remote.run_script(script, env=self.env, return_output=True)
+        return self.remote.run_script(script, env=self.env, return_output=True,
+                                      warn_return_output=False)
 
     # type
 
@@ -229,7 +230,8 @@ class Explorer(object):
         })
         script = os.path.join(self.remote.type_path, cdist_type.explorer_path,
                               explorer)
-        return self.remote.run_script(script, env=env, return_output=True)
+        return self.remote.run_script(script, env=env, return_output=True,
+                                      warn_return_output=False)
 
     def transfer_type_explorers(self, cdist_type):
         """Transfer the type explorers for the given type to the
diff --git a/cdist/exec/remote.py b/cdist/exec/remote.py
index e0ef66ec..c53f2efa 100644
--- a/cdist/exec/remote.py
+++ b/cdist/exec/remote.py
@@ -219,7 +219,7 @@ class Remote(object):
         self._run_command(command)
 
     def run_script(self, script, env=None, return_output=False, stdout=None,
-                   stderr=None):
+                   stderr=None, warn_return_output=True):
         """Run the given script with the given environment on the remote side.
         Return the output as a string.
 
@@ -232,10 +232,11 @@ class Remote(object):
         command.append(script)
 
         return self.run(command, env=env, return_output=return_output,
-                        stdout=stdout, stderr=stderr)
+                        stdout=stdout, stderr=stderr,
+                        warn_return_output=warn_return_output)
 
     def run(self, command, env=None, return_output=False, stdout=None,
-            stderr=None):
+            stderr=None, warn_return_output=True):
         """Run the given command with the given environment on the remote side.
         Return the output as a string.
 
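Review bot: The new `warn_return_output` keyword added to `run_script` (and to `run` and `_run_command` in the following hunks) is not described in any of the three docstrings, which still only say that the output is returned as a string, so a caller can learn its meaning only by reading `_run_command`. A line in each docstring along the lines of `warn_return_output: when False, suppress the debug message that stdout is ignored because return_output is True.` would state the contract where it is looked up. The explorer.py hunks at the top pass `warn_return_output=False` and need no change. Each docstring continues outside its hunk.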
@@ -269,10 +270,11 @@ class Remote(object):
         else:
             cmd.extend(command)
         return self._run_command(cmd, env=env, return_output=return_output,
-                                 stdout=stdout, stderr=stderr)
+                                 stdout=stdout, stderr=stderr,
+                                 warn_return_output=warn_return_output)
 
     def _run_command(self, command, env=None, return_output=False, stdout=None,
-                     stderr=None):
+                     stderr=None, warn_return_output=True):
         """Run the given command with the given environment.
         Return the output as a string.
 
@@ -280,7 +282,8 @@ class Remote(object):
         assert isinstance(command, (list, tuple)), (
                 "list or tuple argument expected, got: %s" % command)
 
-        if return_output and stdout is not subprocess.PIPE:
+        warn_return_output_applies = warn_return_output and return_output
+        if warn_return_output_applies and stdout is not subprocess.PIPE:
             self.log.debug("return_output is True, ignoring stdout")
 
         close_stdout = False
diff --git a/configuration/cdist.cfg.skeleton b/configuration/cdist.cfg.skeleton
index 22c1ccaf..bfac9f5c 100644
--- a/configuration/cdist.cfg.skeleton
+++ b/configuration/cdist.cfg.skeleton
@@ -19,6 +19,9 @@
 # such as ':' for POSIX or ';' for Windows.
 # If also specified at command line then values from command line are
 # appended to this value.
+# Notice that this works in a "last one wins" fashion, so if a type is redefined
+# in multiple conf_dirs, the last one in which it is defined will be used.
+# Consider using a unique prefix for your own roles if this can be an issue.
 # conf_dir = :
 #
 # init_manifest
diff --git a/docs/changelog b/docs/changelog
index 7cacf3cf..1e213187 100644
--- a/docs/changelog
+++ b/docs/changelog
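Review bot: In `_run_command`, the temporary `warn_return_output_applies` is read once on the very next line and its name says no more than the expression it holds; folding it into the condition, `if warn_return_output and return_output and stdout is not subprocess.PIPE:`, keeps the change to a single line and reads the same. If a local is kept for line length, a name such as `should_warn` states the intent better. The body of `_run_command` continues outside the hunk.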
@@ -10,6 +10,8 @@ next:
 	* New type: __pf_apply_anchor (Kamila Součková, Evil Ham)
 	* Type __pf_ruleset: Refactor (Kamila Součková, Evil Ham)
 	* Type __pf_apply: Deprecate type (Kamila Součková, Evil Ham)
+	* Configuration: Add notes to cdist.cfg.skeleton (Evil Ham)
+	* Explorers cpu_cores, memory: Improve *BSD support (Evil Ham)
 
 6.5.4: 2020-04-11
 	* Explorer init: Do not grep on non-existent init (Steven Armstrong)