From 1bd19d6dee1799e0ed472941a6ff3f47dc01e4d6 Mon Sep 17 00:00:00 2001 From: Evilham Date: Mon, 23 Mar 2020 12:26:59 +0100 Subject: [PATCH 01/12] [__letsencrypt_acmetiny] Simpler alternative to certbot. This is inspired heavily by `debops.pki` in the https://debops.org project. However there are several simplifications to their way of doing it. --- .../__letsencrypt_acmetiny/gencode-remote | 109 ++++++++++ .../conf/type/__letsencrypt_acmetiny/manifest | 1 + .../type/__letsencrypt_acmetiny/nonparallel | 0 .../parameter/optional_multiple | 1 + .../gencode-remote | 12 ++ .../type/__letsencrypt_acmetiny_base/manifest | 202 ++++++++++++++++++ .../parameter/optional | 1 + .../__letsencrypt_acmetiny_base/singleton | 0 8 files changed, 326 insertions(+) create mode 100644 cdist/conf/type/__letsencrypt_acmetiny/gencode-remote create mode 100644 cdist/conf/type/__letsencrypt_acmetiny/manifest create mode 100644 cdist/conf/type/__letsencrypt_acmetiny/nonparallel create mode 100644 cdist/conf/type/__letsencrypt_acmetiny/parameter/optional_multiple create mode 100644 cdist/conf/type/__letsencrypt_acmetiny_base/gencode-remote create mode 100644 cdist/conf/type/__letsencrypt_acmetiny_base/manifest create mode 100644 cdist/conf/type/__letsencrypt_acmetiny_base/parameter/optional create mode 100644 cdist/conf/type/__letsencrypt_acmetiny_base/singleton diff --git a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote b/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote new file mode 100644 index 00000000..466b889d --- /dev/null +++ b/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote 
@@ -0,0 +1,109 @@ +#!/bin/sh -e + +ACME_TINY_CERT_REQUEST_DIR="/var/acme-tiny/cert-requests" +ACME_TINY_ACCOUNT_KEY="/var/acme-tiny/account.key" +ACME_CHALLENGE_DIR="/srv/www/sites/acme/public/.well-known/acme-challenge" + +REALM="${__object_id}" +EXTRA_DOMAINS="" +if [ -f "${__object}/parameter/extra-domain" ]; then + EXTRA_DOMAINS="$(cat "${__object}/parameter/extra-domain")" +fi + +#TODO: support linux too +REALM_DIR="/usr/local/etc/pki/realms/${REALM}" +REALM_CERT="${REALM_DIR}/default.crt" +REALM_KEY="${REALM_DIR}/default.key" +REALM_CERT_REQUEST="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.csr" +REALM_CERT_REQUEST_CNF="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.cnf" + +CSR_ALT_NAMES="" +REALM_CERT_REQUEST_CNF_LINE="" +if [ -n "${EXTRA_DOMAINS}" ]; then + CSR_ALT_NAMES="DNS:${REALM}" + for domain in ${EXTRA_DOMAINS}; do + CSR_ALT_NAMES="${CSR_ALT_NAMES},DNS:${domain}" + done + # CSR requests are executed always against .new, only after succeeding .new replaces the .cnf + REALM_CERT_REQUEST_CNF_LINE="-reqexts SAN -config '${REALM_CERT_REQUEST_CNF}.new'" +fi + +cat << EOF +if [ ! -d '${REALM_DIR}' ]; then + mkdir -p '${REALM_DIR}' +fi +if [ ! -f '${REALM_KEY}' ]; then + openssl genrsa 4096 > '${REALM_KEY}' +fi + +if [ ! -d '${ACME_TINY_CERT_REQUEST_DIR}' ]; then + mkdir '${ACME_TINY_CERT_REQUEST_DIR}' +fi + +FORCE_CSR_REGEN="" +if [ -n '${CSR_ALT_NAMES}' ]; then + # Generate new config + cat /etc/ssl/openssl.cnf > '${REALM_CERT_REQUEST_CNF}.new' + printf '[SAN]\nsubjectAltName=${CSR_ALT_NAMES}' >> '${REALM_CERT_REQUEST_CNF}.new' + # Compare to previous config if necessary + if [ -f '${REALM_CERT_REQUEST_CNF}' ]; then + CNF_DIFF=\$(diff -q '${REALM_CERT_REQUEST_CNF}' '${REALM_CERT_REQUEST_CNF}.new' || true) + if [ -n "\${CNF_DIFF}" ]; then + # Options have changed + FORCE_CSR_REGEN="YES" + else + # Since they match, we won't be using this, clean it + rm '${REALM_CERT_REQUEST_CNF}.new' + fi + else + # We never used SAN here, CSR regen needed. 
+ FORCE_CSR_REGEN="YES" + fi +else + # We used SAN at some point, not any more + if [ -f '${REALM_CERT_REQUEST_CNF}' ]; then + rm '${REALM_CERT_REQUEST_CNF}' + FORCE_CSR_REGEN="YES" + fi +fi + +# Create or re-create when params have changed +if [ ! -f '${REALM_CERT_REQUEST}' -o -n "\${FORCE_CSR_REGEN}" ]; then + openssl req -new -sha256 -key '${REALM_KEY}' -subj '/CN=${REALM}' -out '${REALM_CERT_REQUEST}' ${REALM_CERT_REQUEST_CNF_LINE} +fi + +# Check if cert exists, and if so whether or not it's older than a month +if [ -f '${REALM_CERT}' ]; then + MODIFIED_IN_30d="\$(find '${REALM_CERT}' -mtime -30d)" + if [ -z "\${MODIFIED_IN_30d}" ]; then + # Cert is over a month old, it's fine to regenerate + FORCE_CRT_REGEN="YES" + fi +else + # This cert doesn't exist + FORCE_CRT_REGEN="YES" +fi + + +# Only request certificate when needed +# TODO: support linux too +if [ -n "\${FORCE_CSR_REGEN}" -o -n "\${FORCE_CRT_REGEN}" ]; then + doas -u acme-tiny -- acme_tiny \ + --account '${ACME_TINY_ACCOUNT_KEY}' \ + --csr '${REALM_CERT_REQUEST}' \ + --acme-dir '${ACME_CHALLENGE_DIR}' > '${REALM_CERT}.new' + + if [ -s '${REALM_CERT}.new' ]; then + mv '${REALM_CERT}.new' '${REALM_CERT}' + else + echo "Failed to generate cert for realm '${REALM}'." + exit 1 + fi +fi + +if [ -n '${REALM_CERT_REQUEST_CNF_LINE}' -a -f '${REALM_CERT_REQUEST_CNF}.new' ]; then + # CSR and cert generation succeded with a new config, put new config in-place. + # This is the last thing we do, so we try again next time if sth fails. + mv '${REALM_CERT_REQUEST_CNF}.new' '${REALM_CERT_REQUEST_CNF}' +fi +EOF diff --git a/cdist/conf/type/__letsencrypt_acmetiny/manifest b/cdist/conf/type/__letsencrypt_acmetiny/manifest new file mode 100644 index 00000000..48438abb --- /dev/null +++ b/cdist/conf/type/__letsencrypt_acmetiny/manifest @@ -0,0 +1 @@ +#__letsencrypt_acmetiny_base 
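Review bot: The realm private key is created by `openssl genrsa 4096 > '${REALM_KEY}'` in the generated code with no `umask` or `chmod`, so its mode depends on the remote shell's umask and will commonly be 0644, i.e. readable by every local user; the sibling `__letsencrypt_acmetiny_base/gencode-remote` at least runs `chmod 640` on the account key. The same line also leaves an empty `default.key` behind if openssl fails, and the `! -f` guard then treats it as a valid key on every later run. Generate it under a restrictive umask and only move it into place on success: `(umask 077; openssl genrsa -out '${REALM_KEY}.new' 4096) && mv '${REALM_KEY}.new' '${REALM_KEY}'`. Note also that `find '${REALM_CERT}' -mtime -30d` is BSD-only syntax, consistent with the `TODO: support linux too` comment above it.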
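Review bot: The manifest's only line, `#__letsencrypt_acmetiny_base`, is commented out, so this type never declares that the base type has been applied to the host, yet its gencode-remote relies on everything the base sets up (the `acme-tiny` user, the `doas` rule behind `doas -u acme-tiny`, the `/srv/www/sites/acme/public/.well-known/acme-challenge` directory and the account key). Either uncomment the call so cdist orders the base before this object, or document on the type that `__letsencrypt_acmetiny_base` must be listed separately in the host manifest. The base type is marked `singleton`, so presumably repeated parameter-less calls from several realm objects are accepted — confirm against cdist's object handling before uncommenting.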
diff --git a/cdist/conf/type/__letsencrypt_acmetiny/nonparallel b/cdist/conf/type/__letsencrypt_acmetiny/nonparallel
new file mode 100644
index 00000000..e69de29b
diff --git a/cdist/conf/type/__letsencrypt_acmetiny/parameter/optional_multiple b/cdist/conf/type/__letsencrypt_acmetiny/parameter/optional_multiple
new file mode 100644
index 00000000..7bfb11da
--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_acmetiny/parameter/optional_multiple
@@ -0,0 +1 @@
+extra-domain
diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/gencode-remote b/cdist/conf/type/__letsencrypt_acmetiny_base/gencode-remote
new file mode 100644
index 00000000..1e4174a4
--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_acmetiny_base/gencode-remote
@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+ACME_HOME="/var/acme-tiny"
+ACME_ACCOUNT_KEY="${ACME_HOME}/account.key"
+
+cat << EOF
+if [ ! -f '${ACME_ACCOUNT_KEY}' ]; then
+ openssl genrsa 4096 > '${ACME_ACCOUNT_KEY}'
+ chown acme-tiny:acme-tiny '${ACME_ACCOUNT_KEY}'
+ chmod 640 '${ACME_ACCOUNT_KEY}'
+fi
+EOF
diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
new file mode 100644
index 00000000..fd6961fa
--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
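Review bot: The account key is written by `openssl genrsa 4096 > '${ACME_ACCOUNT_KEY}'` under whatever umask the remote shell has and is only `chown`ed and `chmod 640`ed afterwards, so there is a window in which `account.key` can be readable by other local users, and if `openssl` fails an empty `account.key` is left behind that the `! -f` guard accepts on every subsequent run. Create it under a restrictive umask and rename it into place only on success: `(umask 077; openssl genrsa -out '${ACME_ACCOUNT_KEY}.new' 4096) && chown acme-tiny:acme-tiny '${ACME_ACCOUNT_KEY}.new' && mv '${ACME_ACCOUNT_KEY}.new' '${ACME_ACCOUNT_KEY}'`. The resulting 0600 mode is sufficient because `acme-tiny` is the owner, so the separate `chmod 640` can go.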
@@ -0,0 +1,202 @@ +# Arguments +ACME_DOMAIN="$(cat $__object/parameter/acme_domain || true)" + +if [ -z "${ACME_DOMAIN}" ]; then + ACME_DOMAIN="${__target_host}" +fi + + +# Install needed stuffz + +## TODO: consider not depending on nginx? It is... practical though. +## TODO: Maybe just move this out to a sepecial type? +__package "nginx" + +NGINX_ETC="/usr/local/etc/nginx" + +# Setup the acme-challenge snippet +require="__package/nginx" __directory "${NGINX_ETC}/snippets" --state present +require="__directory${NGINX_ETC}/snippets" __file "${NGINX_ETC}/snippets/acme-challenge.conf" \ + --mode 644 \ + --source - << EOF +# This file is managed remotely, all changes will be lost + +# This was heavily inspired by debops.org. + +# Automatic Certificate Management Environment (ACME) support. +# https://tools.ietf.org/html/draft-ietf-acme-acme-01 +# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment + + +# Return the ACME challenge present in the server public root. +# If not found, switch to global web server root. +location ^~ /.well-known/acme-challenge/ { + default_type "text/plain"; + try_files \$uri @well-known-acme-challenge; +} + +# Return the ACME challenge present in the global server public root. +# If not present, redirect request to a specified domain. +location @well-known-acme-challenge { + root /srv/www/sites/acme/public; + default_type "text/plain"; + try_files \$uri @redirect-acme-challenge; +} + +# Redirect the ACME challenge to a different host. If a redirect loop is +# detected, return 404. +location @redirect-acme-challenge { + if (\$arg_redirect) { + return 404; + } + return 307 \$scheme://${ACME_DOMAIN}\$request_uri?redirect=yes; +} + +# Return 404 if ACME challenge well known path is accessed directly. 
+location = /.well-known/acme-challenge/ { + return 404; +} +EOF + +require="__package/nginx" __directory "${NGINX_ETC}/sites-enabled" --state present +require="__directory${NGINX_ETC}/sites-enabled" __file "${NGINX_ETC}/nginx.conf" \ + --mode 644 \ + --source - << EOF +# This file is managed remotely, all changes will be lost + +worker_processes 1; + +# This default error log path is compiled-in to make sure configuration parsing +# errors are logged somewhere, especially during unattended boot when stderr +# isn't normally logged anywhere. This path will be touched on every nginx +# start regardless of error log location configured here. See +# https://trac.nginx.org/nginx/ticket/147 for more info. +# +#error_log /var/log/nginx/error.log; +# + +#pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + + include mime.types; + default_type application/octet-stream; + + server_tokens off; + + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 5m; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + types_hash_max_size 2048; + gzip on; + gzip_disable "msie6"; + gzip_comp_level 5; + gzip_min_length 256; + gzip_proxied any; + gzip_vary on; + gzip_types + application/atom+xml + application/javascript + application/json + application/ld+json + application/manifest+json + application/rss+xml + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + text/vcard + text/vnd.rim.location.xloc + text/vtt + text/x-component + text/x-cross-domain-policy; + + # Logging + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + #add_header X-Clacks-Overhead "GNU Terry Pratchett"; + + # Virtual Hosts Configs + include ${NGINX_ETC}/sites-enabled/*.conf; +} +EOF + +require="__directory${NGINX_ETC}/sites-enabled" __file 
"${NGINX_ETC}/sites-enabled/welcome.conf" \ + --mode 644 \ + --source - << EOF +# This file is managed remotely, all changes will be lost + +# nginx server configuration for: +# - https://welcome/ + +server { + + listen [::]:80; + + server_name welcome; + + root /srv/www/sites/welcome/public; + + include snippets/acme-challenge.conf; + + location / { + return 301 https://$host$request_uri; + } +} +EOF + +## TODO: this is kinda bad, don't restart every time. +## Otherwise this isn't idempotent. +require="__package/nginx" __service nginx --action onerestart +require="__package/nginx" __start_on_boot nginx + + +__package "acme-tiny" + +# Create acme-tiny user and secure home dir +ACME_TINY_HOME="/var/acme-tiny" +require="__package/acme-tiny" __user acme-tiny --system --home ${ACME_TINY_HOME} --comment "acme-tiny client" +require="__user/acme-tiny" __directory "${ACME_TINY_HOME}" --state present --mode 0750 --owner acme-tiny --group acme-tiny + +# Create ACME challenge dirs to be served by nginx +ACME_PUBLIC_DIR="/srv/www/sites/acme/public" +ACME_WELLKNOWN_DIR="${ACME_PUBLIC_DIR}/.well-known" +ACME_CHALLENGE_DIR="${ACME_WELLKNOWN_DIR}/acme-challenge" +__directory "${ACME_PUBLIC_DIR}" \ + --parents \ + --state present \ + --owner acme-tiny --group www \ + --mode 2750 # TODO: check whether this does require gid? +require="__directory${ACME_PUBLIC_DIR}" __directory "${ACME_WELLKNOWN_DIR}" \ + --state present \ + --owner acme-tiny --group www \ + --mode 0750 +require="__directory${ACME_WELLKNOWN_DIR}" __directory "${ACME_CHALLENGE_DIR}" \ + --state present \ + --owner acme-tiny --group www \ + --mode 0750 + +__package doas +DOAS_CONF="/usr/local/etc/doas.conf" +require="__package/doas" __file "${DOAS_CONF}" --mode 0640 +require="__file${DOAS_CONF}" __line "${DOAS_CONF}" \ + --regex 'root as acme-tiny' \ + --line 'permit nopass root as acme-tiny' 
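Review bot: `require="__package/nginx" __service nginx --action onerestart` restarts nginx on every cdist run whether or not `nginx.conf`, the snippet or `welcome.conf` changed, which the TODO above it acknowledges and which makes the type non-idempotent and briefly drops the ACME challenge endpoint each run. The `__config_file ... --onchange` pattern used elsewhere in this series (for example in `__pf_ruleset/manifest`) would fix that: write the three files with `__config_file` and `--onchange "service nginx reload"` and drop the unconditional `__service`. Separately, the challenge directories are created `--owner acme-tiny --group www --mode 0750`, which only works if nginx's workers run as group `www`; a one-line comment stating that assumption would save whoever debugs a 404 on `/.well-known/acme-challenge/` later.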
diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/parameter/optional b/cdist/conf/type/__letsencrypt_acmetiny_base/parameter/optional
new file mode 100644
index 00000000..fb20814d
--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_acmetiny_base/parameter/optional
@@ -0,0 +1 @@
+acme_domain
diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/singleton b/cdist/conf/type/__letsencrypt_acmetiny_base/singleton
new file mode 100644
index 00000000..e69de29b
From 9fdc9082f4fd48cdc369d7d8b61b7c17912fe31a Mon Sep 17 00:00:00 2001
From: Evilham
Date: Mon, 23 Mar 2020 12:35:54 +0100
Subject: [PATCH 02/12] [__letsencrypt_acmetiny] fix spellcheck warnings (bugs!)
---
 cdist/conf/type/__letsencrypt_acmetiny_base/manifest | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
index fd6961fa..7bce9a63 100644
--- a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
+++ b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
@@ -1,5 +1,5 @@
 # Arguments
-ACME_DOMAIN="$(cat $__object/parameter/acme_domain || true)"
+ACME_DOMAIN="$(cat "${__object}/parameter/acme_domain" || true)"
 
 if [ -z "${ACME_DOMAIN}" ]; then
 ACME_DOMAIN="${__target_host}"
@@ -158,7 +158,7 @@ server {
 include snippets/acme-challenge.conf;
 
 location / {
-return 301 https://$host$request_uri;
+return 301 https://\$host\$request_uri;
 }
 }
 EOF
From 6cb0afdb9fb6c0edae0e39f4479facbb24b2c289 Mon Sep 17 00:00:00 2001
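Review bot: `ACME_DOMAIN="$(cat "${__object}/parameter/acme_domain" || true)"` now quotes the path, but when the optional parameter is not given `cat` still prints its "No such file" message to stderr on every run before `|| true` swallows the exit status; the sibling `__openldap_server/manifest` reads optional parameters as `cat ... 2>/dev/null || true`. Use the same form here, `ACME_DOMAIN="$(cat "${__object}/parameter/acme_domain" 2>/dev/null || true)"`, or test with `[ -f ... ]` first as `__letsencrypt_acmetiny/gencode-remote` does for `extra-domain`.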
From: Evilham Date: Fri, 24 Apr 2020 13:29:43 +0200 Subject: [PATCH 03/12] Changes changes --- .../__letsencrypt_acmetiny/gencode-remote | 5 +- .../type/__letsencrypt_acmetiny_base/manifest | 25 ++++++ cdist/conf/type/__openldap_server/manifest | 3 + .../type/__openldap_server/parameter/optional | 3 +- .../gencode-remote} | 21 +++-- .../type/__pf_apply_anchor/parameter/optional | 1 + cdist/conf/type/__pf_rdr/manifest | 20 +++++ .../type/__pf_rdr/parameter/default/proto | 1 + .../type/__pf_rdr/parameter/default/state | 1 + cdist/conf/type/__pf_rdr/parameter/optional | 2 + cdist/conf/type/__pf_rdr/parameter/required | 2 + cdist/conf/type/__pf_ruleset/gencode-local | 81 ------------------- .../__pf_ruleset/{gencode-remote => manifest} | 44 +++++----- cdist/conf/type/__postfix/manifest | 14 +--- 14 files changed, 96 insertions(+), 127 deletions(-) rename cdist/conf/type/{__pf_ruleset/explorer/cksum => __pf_apply_anchor/gencode-remote} (62%) create mode 100644 cdist/conf/type/__pf_apply_anchor/parameter/optional create mode 100644 cdist/conf/type/__pf_rdr/manifest create mode 100644 cdist/conf/type/__pf_rdr/parameter/default/proto create mode 100644 cdist/conf/type/__pf_rdr/parameter/default/state create mode 100644 cdist/conf/type/__pf_rdr/parameter/optional create mode 100644 cdist/conf/type/__pf_rdr/parameter/required delete mode 100755 cdist/conf/type/__pf_ruleset/gencode-local rename cdist/conf/type/__pf_ruleset/{gencode-remote => manifest} (58%) diff --git a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote b/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote index 466b889d..9243acc9 100644 --- a/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote +++ b/cdist/conf/type/__letsencrypt_acmetiny/gencode-remote 
@@ -11,7 +11,8 @@ if [ -f "${__object}/parameter/extra-domain" ]; then
 fi
 
 #TODO: support linux too
-REALM_DIR="/usr/local/etc/pki/realms/${REALM}"
+REALMS_DIR="/usr/local/etc/pki/realms"
+REALM_DIR="${REALMS_DIR}/${REALM}"
 REALM_CERT="${REALM_DIR}/default.crt"
 REALM_KEY="${REALM_DIR}/default.key"
 REALM_CERT_REQUEST="${ACME_TINY_CERT_REQUEST_DIR}/${REALM}.csr"
@@ -101,6 +102,8 @@ if [ -n "\${FORCE_CSR_REGEN}" -o -n "\${FORCE_CRT_REGEN}" ]; then
 fi
 fi
 
+cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > ${REALM_DIR}/fullchain.pem
+
 if [ -n '${REALM_CERT_REQUEST_CNF_LINE}' -a -f '${REALM_CERT_REQUEST_CNF}.new' ]; then
 # CSR and cert generation succeded with a new config, put new config in-place.
 # This is the last thing we do, so we try again next time if sth fails.
diff --git a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
index 7bce9a63..cbedcdff 100644
--- a/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
+++ b/cdist/conf/type/__letsencrypt_acmetiny_base/manifest
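Review bot: `cat "${REALM_CERT}" "${REALMS_DIR}/chain.pem" > ${REALM_DIR}/fullchain.pem` in the second hunk writes straight into the final path with an unquoted redirection target, so when `chain.pem` is missing or unreadable whatever serves `fullchain.pem` is left with a truncated or leaf-only file, unlike the `.new`-then-`mv` pattern the same script uses for the certificate a few lines above. Write it to `'${REALM_DIR}/fullchain.pem.new'` and `mv '${REALM_DIR}/fullchain.pem.new' '${REALM_DIR}/fullchain.pem'`, and consider guarding with `[ -s '${REALMS_DIR}/chain.pem' ]` so the failure is explicit. This line sits inside the `cat << EOF` block that starts outside the hunk, so the single-quote style of the surrounding generated code applies.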
@@ -200,3 +200,28 @@ require="__package/doas" __file "${DOAS_CONF}" --mode 0640 require="__file${DOAS_CONF}" __line "${DOAS_CONF}" \ --regex 'root as acme-tiny' \ --line 'permit nopass root as acme-tiny' + +# Setup CA +REALMS_DIR="/usr/local/etc/pki/realms" +__directory "${REALMS_DIR}" \ + --parents \ + --state present \ + --mode 0755 + +require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/intermediate.pem \ + --mode 0644 \ + --source - << EOF +$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt) +EOF +require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/root.pem \ + --mode 0644 \ + --source - << EOF +$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt) +EOF +require="__directory${REALMS_DIR}" __file ${REALMS_DIR}/chain.pem \ + --mode 0644 \ + --source - << EOF +$(curl -s https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt) +$(curl -s https://letsencrypt.org/certs/trustid-x3-root.pem.txt) +EOF + diff --git a/cdist/conf/type/__openldap_server/manifest b/cdist/conf/type/__openldap_server/manifest index dadc9f20..88fdbafa 100644 --- a/cdist/conf/type/__openldap_server/manifest +++ b/cdist/conf/type/__openldap_server/manifest @@ -9,6 +9,7 @@ slapd_modules=$(cat "${__object}/parameter/module" 2>/dev/null || true) schemas=$(cat "${__object}/parameter/schema") slapd_urls=$(tr '\n' ' ' < "${__object}/parameter/slapd-url") tls_cipher_suite=$(cat "${__object}/parameter/tls-cipher-suite" 2>/dev/null || true) +extra_config=$(cat "${__object}/parameter/extra-config" || true) os="$(cat "${__global}/explorer/os")" @@ -230,6 +231,8 @@ index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq +${extra_config} + serverid ${serverid} EOF diff --git a/cdist/conf/type/__openldap_server/parameter/optional b/cdist/conf/type/__openldap_server/parameter/optional index a92b9c6e..71c64659 100644 --- a/cdist/conf/type/__openldap_server/parameter/optional 
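Review bot: The three `$(curl -s https://letsencrypt.org/certs/...)` substitutions run without `-f`/`--fail` and without any check of what came back, so a 404 page, a captive-portal response or an empty reply on the machine running cdist is silently installed as `intermediate.pem`, `root.pem` and `chain.pem` and later concatenated into every realm's `fullchain.pem`. At minimum use `curl -sSf` into a temporary file and verify it with `openssl x509 -noout -in` before handing it to `__file --source`; better, ship the PEM files as static files under the type so the trust material does not depend on the network at deploy time and is reviewable in version control. Including the `trustid-x3-root.pem` root in `chain.pem` is also normally unnecessary for a served chain, which carries only the intermediates.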
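Review bot: `extra_config=$(cat "${__object}/parameter/extra-config" || true)` drops the `2>/dev/null` that the neighbouring optional-parameter reads (`module`, `tls-cipher-suite`) use, so every run without `--extra-config` emits a "No such file" line on stderr. Make it `extra_config=$(cat "${__object}/parameter/extra-config" 2>/dev/null || true)`. Since `${extra_config}` is spliced verbatim into `slapd.conf` in the second hunk, a one-line comment on the parameter noting that it is trusted, unvalidated configuration text would help future readers.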
+++ b/cdist/conf/type/__openldap_server/parameter/optional @@ -5,4 +5,5 @@ admin-email tls-cipher-suite tls-cert tls-privkey -tls-ca \ No newline at end of file +tls-ca +extra-config diff --git a/cdist/conf/type/__pf_ruleset/explorer/cksum b/cdist/conf/type/__pf_apply_anchor/gencode-remote similarity index 62% rename from cdist/conf/type/__pf_ruleset/explorer/cksum rename to cdist/conf/type/__pf_apply_anchor/gencode-remote index 9be6c901..3d259aca 100755 --- a/cdist/conf/type/__pf_ruleset/explorer/cksum +++ b/cdist/conf/type/__pf_apply_anchor/gencode-remote @@ -18,24 +18,23 @@ # along with cdist. If not, see . # # -# Get the 256 bit SHA2 checksum of the pf ruleset on the target host. +# Apply pf(4) ruleset on *BSD # # Debug -#exec >&2 +# exec >&2 #set -x -# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf -# See if file exists and if so, get checksum +ANCHORS_DIR="/etc/pf.d" -RC="/etc/rc.conf" -TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')" -PFCONF="${TMP:-"/etc/pf.conf"}" - -if [ -f "${PFCONF}" ]; then # The pf config file exists, find its cksum. - cksum -o 1 "${PFCONF}" | cut -d= -f2 | awk '{print $1}' +if [ -f "${__object}/parameter/anchor_name" ]; then + anchor_name="$(cat "${__object}/parameter/anchor_name")" +else + anchor_name="${__object_id}" fi +anchor_file="${ANCHORS_DIR}/${anchor_name}" + +echo "pfctl -a \"${anchor_name}\" -f \"${anchor_file}\"" # Debug #set +x - diff --git a/cdist/conf/type/__pf_apply_anchor/parameter/optional b/cdist/conf/type/__pf_apply_anchor/parameter/optional new file mode 100644 index 00000000..b9f61e28 --- /dev/null +++ b/cdist/conf/type/__pf_apply_anchor/parameter/optional @@ -0,0 +1 @@ +anchor_name diff --git a/cdist/conf/type/__pf_rdr/manifest b/cdist/conf/type/__pf_rdr/manifest new file mode 100644 index 00000000..83bf2ed8 --- /dev/null +++ b/cdist/conf/type/__pf_rdr/manifest 
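Review bot: The generated `pfctl -a \"${anchor_name}\" -f \"${anchor_file}\"` line splices the parameter value into a double-quoted shell command and never checks that the anchor file exists, so a missing `/etc/pf.d/<name>` only fails at apply time with a bare pfctl error, and a value containing `"` or `$` changes the meaning of the command (the value comes from the manifest author, so this is robustness rather than an exposure). Validate in the gencode script before emitting the command, e.g. a conservative allow-list such as `case "${anchor_name}" in *[!A-Za-z0-9_./-]*) echo "__pf_apply_anchor: invalid anchor name: ${anchor_name}" >&2; exit 1 ;; esac`, and emit `[ -f "${anchor_file}" ] ||` ahead of the pfctl call so the failure message names the file. The script's header starts before this hunk.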
@@ -0,0 +1,20 @@
+# TODO header :D
+# TODO it would be cool to print a warning if a generated anchor is unused in pf.conf
+
+DESTDIR=/etc/pf.d
+
+proto="$(cat "$__object/parameter/proto")"
+from="$(cat "$__object/parameter/from")"
+to="$(cat "$__object/parameter/to")"
+state="$(cat "$__object/parameter/state")"
+
+from="$(echo $from | sed 's/:/ port /')"
+to="$(echo $to | sed 's/:/ port /')"
+
+anchorname="$(echo $__object_id | cut -d/ -f1)"
+rule="rdr pass log proto $proto from any to $from -> $to"
+
+__directory "$DESTDIR" --parents
+
+require="__directory/$DESTDIR" \
+__line __pf_rdr/$__object_id --state $state --line "$rule" --file $DESTDIR/$anchorname
diff --git a/cdist/conf/type/__pf_rdr/parameter/default/proto b/cdist/conf/type/__pf_rdr/parameter/default/proto
new file mode 100644
index 00000000..28a29e6f
--- /dev/null
+++ b/cdist/conf/type/__pf_rdr/parameter/default/proto
@@ -0,0 +1 @@
+tcp
diff --git a/cdist/conf/type/__pf_rdr/parameter/default/state b/cdist/conf/type/__pf_rdr/parameter/default/state
new file mode 100644
index 00000000..e7f6134f
--- /dev/null
+++ b/cdist/conf/type/__pf_rdr/parameter/default/state
@@ -0,0 +1 @@
+present
diff --git a/cdist/conf/type/__pf_rdr/parameter/optional b/cdist/conf/type/__pf_rdr/parameter/optional
new file mode 100644
index 00000000..09ec92ca
--- /dev/null
+++ b/cdist/conf/type/__pf_rdr/parameter/optional
@@ -0,0 +1,2 @@
+proto
+state
diff --git a/cdist/conf/type/__pf_rdr/parameter/required b/cdist/conf/type/__pf_rdr/parameter/required
new file mode 100644
index 00000000..4a568482
--- /dev/null
+++ b/cdist/conf/type/__pf_rdr/parameter/required
@@ -0,0 +1,2 @@
+from
+to
diff --git a/cdist/conf/type/__pf_ruleset/gencode-local b/cdist/conf/type/__pf_ruleset/gencode-local
deleted file mode 100755
index 11bfb0b1..00000000
--- a/cdist/conf/type/__pf_ruleset/gencode-local
+++ /dev/null
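Review bot: `rule="rdr pass log proto $proto from any to $from -> $to"` uses the `pass` modifier, so packets matched by the redirection are passed without being evaluated by the filter rules in pf.conf; any `block` policy configured there does not apply to the redirected traffic. If that is intended, a comment on the line should say so; otherwise drop `pass` and let the filter rules decide, or expose it as a parameter. The rewrite of this file in PATCH 04 (the `@@ -1,20 +1,40 @@` hunk) keeps the same rule text. Note also that `from any to $from` means the `from` parameter is really the destination being matched, which the parameter name obscures — worth a short comment.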
@@ -1,81 +0,0 @@ -#!/bin/sh -e -# -# 2012 Jake Guffey (jake.guffey at eprotex.com) -# -# This file is part of cdist. -# -# cdist is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# cdist is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with cdist. If not, see . -# -# -# Manage pf(4) on *BSD -# - -# Debug -#exec >&2 -#set -x - -# Send files to $__target_host via $__remote_copy - -uname=$(uname) # Need to know what the cdist host is running so we know how to compute the ruleset's checksum -state=$(cat "$__object/parameter/state") - -if [ "$state" = "absent" ]; then # There is nothing more for a *local* script to do - exit 0 -fi - -if [ -f "$__object/parameter/source" ]; then - source=$(cat "$__object/parameter/source") -fi - -rcvar=$(cat "$__object/explorer/rcvar") -cksum=$(cat "$__object/explorer/cksum") - - -cat <&2 - exit 1 - ;; -esac - -# IPv6 fix -if $(echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$') -then - my_target_host="[${__target_host}]" -else - my_target_host="${__target_host}" -fi - -if [ -n "${cksum}" ]; then - if [ ! "\${currentSum}" = "${cksum}" ]; then - $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new" - fi -else # File just doesn't exist yet - $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new" -fi -EOF - -# Debug -#exec +x - diff --git a/cdist/conf/type/__pf_ruleset/gencode-remote b/cdist/conf/type/__pf_ruleset/manifest similarity index 58% rename from cdist/conf/type/__pf_ruleset/gencode-remote rename to cdist/conf/type/__pf_ruleset/manifest index 12760fdf..25206add 100755 
--- a/cdist/conf/type/__pf_ruleset/gencode-remote +++ b/cdist/conf/type/__pf_ruleset/manifest @@ -1,6 +1,6 @@ #!/bin/sh -e # -# 2012 Jake Guffey (jake.guffey at eprotex.com) +# 2016 Kamila Součková (kamila at ksp.sk) # # This file is part of cdist. # @@ -25,25 +25,29 @@ #exec >&2 #set -x -# Remove ${rcvar} in the case of --state absent - -state=$(cat "$__object/parameter/state") rcvar=$(cat "$__object/explorer/rcvar") - -if [ "$state" = "present" ]; then # There is nothing more for a *remote* script to do - exit 0 -elif [ "$state" = "absent" ]; then - # --state absent, so ensure that .new doesn't exist and that conf is renamed to .old - cat <&2 - exit 1 +state=$(cat "$__object/parameter/state") +if [ -f "$__object/parameter/source" ]; then + source=$(cat "$__object/parameter/source") fi +if [ "$state" = "absent" ]; then + action="/etc/rc.d/pf stop" +else + action="/etc/rc.d/pf reload || /etc/rc.d/pf start" +fi + +__key_value __pf_ruleset/rcvar \ + --state "$state" \ + --file /etc/rc.conf \ + --delimiter "=" \ + --key "pf_enable" \ + --value "YES" + +require="${require} __key_value/__pf_ruleset/rcvar" __config_file $rcvar \ + --source "$source" \ + --state "$state" \ + --onchange "$action" + +# Debug +#exec +x diff --git a/cdist/conf/type/__postfix/manifest b/cdist/conf/type/__postfix/manifest index f3616979..121bba96 100755 --- a/cdist/conf/type/__postfix/manifest +++ b/cdist/conf/type/__postfix/manifest @@ -19,16 +19,4 @@ # along with cdist. If not, see . # - -os=$(cat "$__global/explorer/os") - -case "$os" in - alpine|ubuntu|debian|archlinux|suse|scientific|centos|devuan) - __package postfix --state present - ;; - *) - echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2 - echo "Please contribute an implementation for it if you can." >&2 - exit 1 - ;; -esac +__package postfix --state present From cd6c02d16cf1a24d8370ed993d7b67beef2ed516 Mon Sep 17 00:00:00 2001 
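Review bot: The first hunk replaces the `2012 Jake Guffey` attribution line with `2016 Kamila Součková` even though git records the file as a rename at 58% similarity and the rest of the GPL header is kept; keep both attribution lines. In the second hunk `__config_file $rcvar` passes the explorer value unquoted, and with `--state absent` and no `--source` the type still passes `--source ""`; write `__config_file "$rcvar"` and add `--source` only when `$source` is set. The closing `#exec +x` should read `#set +x` to match the `#set -x` it pairs with.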
From: Evilham
Date: Sat, 25 Apr 2020 01:29:17 +0200
Subject: [PATCH 04/12] Add copyright notice and make consistent with other types
---
 cdist/conf/type/__pf_rdr/manifest | 46 ++++++++++++++++++++++---------
 1 file changed, 33 insertions(+), 13 deletions(-)
diff --git a/cdist/conf/type/__pf_rdr/manifest b/cdist/conf/type/__pf_rdr/manifest
index 83bf2ed8..39ab4470 100644
--- a/cdist/conf/type/__pf_rdr/manifest
+++ b/cdist/conf/type/__pf_rdr/manifest
@@ -1,20 +1,40 @@
-# TODO header :D
+#!/bin/sh -e
+#
+# 2016 Kamila Součková (coding at kamila.is)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
 # TODO it would be cool to print a warning if a generated anchor is unused in pf.conf
 
-DESTDIR=/etc/pf.d
+ANCHORS_DIR=/etc/pf.d
 
-proto="$(cat "$__object/parameter/proto")"
-from="$(cat "$__object/parameter/from")"
-to="$(cat "$__object/parameter/to")"
-state="$(cat "$__object/parameter/state")"
+proto="$(cat "${__object}/parameter/proto")"
+from="$(cat "${__object}/parameter/from")"
+to="$(cat "${__object}/parameter/to")"
+state="$(cat "${__object}/parameter/state")"
 
-from="$(echo $from | sed 's/:/ port /')"
-to="$(echo $to | sed 's/:/ port /')"
+# This breaks utterly with IPv6
+from="$(echo ${from} | sed 's/:/ port /')"
+to="$(echo ${to} | sed 's/:/ port /')"
 
-anchorname="$(echo $__object_id | cut -d/ -f1)"
-rule="rdr pass log proto $proto from any to $from -> $to"
+anchor_name="$(echo ${__object_id} | cut -d/ -f1)"
+rule="rdr pass log proto ${proto} from any to ${from} -> ${to}"
 
-__directory "$DESTDIR" --parents
+__directory "${ANCHORS_DIR}" --parents
 
-require="__directory/$DESTDIR" \
-__line __pf_rdr/$__object_id --state $state --line "$rule" --file $DESTDIR/$anchorname
+require="__directory/${ANCHORS_DIR}" \
+__line __pf_rdr/${__object_id} --state ${state} --line "${rule}" --file ${ANCHORS_DIR}/${anchor_name}
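Review bot: The new comment `# This breaks utterly with IPv6` documents the problem but `sed 's/:/ port /'` on `from` and `to` still silently turns an IPv6 literal into a rule with only its first colon rewritten, which pf then rejects or misparses at load time instead of the manifest failing. Fail early in the manifest: `case "${from}" in *:*:*) echo "__pf_rdr: IPv6 literals are not supported in host:port form" >&2; exit 1 ;; esac` and the same check for `${to}`, or switch to a separator that cannot occur in an address (for example a separate `--port` parameter). The `rdr pass` semantics raised on the PATCH 03 version of this file still apply to the rewritten `rule=` line.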
From 3ee742f0abdb27d41267c967c5a45448db891009 Mon Sep 17 00:00:00 2001 
From: Evilham Date: Sun, 26 Apr 2020 17:54:36 +0200 Subject: [PATCH 05/12] Kamila's changes +iocage_cone + tinydns* ~ __daemontools_service Consider at some point whether or not they are worth upstreaming. (also __pf_rdr belongs to this batch) --- cdist/conf/type/__daemontools_service/man.rst | 6 + .../conf/type/__daemontools_service/manifest | 16 +- .../parameter/default/group | 0 .../parameter/default/owner | 0 .../__daemontools_service/parameter/optional | 2 + cdist/conf/type/__iocage_clone/gencode-remote | 152 ++++++++++++++++++ cdist/conf/type/__iocage_clone/manifest | 1 + .../parameter/default/allow_socket_af | 1 + .../__iocage_clone/parameter/default/bridge | 1 + .../parameter/default/devfs_ruleset | 1 + .../parameter/default/jail_zfs_dataset | 0 .../parameter/default/mount_linprocfs | 1 + .../parameter/default/mount_procfs | 1 + .../type/__iocage_clone/parameter/default/net | 1 + .../__iocage_clone/parameter/default/state | 1 + .../type/__iocage_clone/parameter/optional | 7 + .../parameter/optional_multiple | 1 + .../type/__iocage_clone/parameter/required | 2 + cdist/conf/type/__tinydns/gencode-remote | 7 + cdist/conf/type/__tinydns/manifest | 8 + cdist/conf/type/__tinydns/parameter/required | 2 + cdist/conf/type/__tinydns_host/gencode-remote | 9 ++ cdist/conf/type/__tinydns_host/manifest | 0 .../type/__tinydns_host/parameter/required | 1 + cdist/conf/type/__tinydns_ns/gencode-remote | 13 ++ .../conf/type/__tinydns_ns/parameter/required | 1 + 26 files changed, 232 insertions(+), 3 deletions(-) create mode 100644 cdist/conf/type/__daemontools_service/parameter/default/group create mode 100644 cdist/conf/type/__daemontools_service/parameter/default/owner create mode 100755 cdist/conf/type/__iocage_clone/gencode-remote create mode 100644 cdist/conf/type/__iocage_clone/manifest create mode 100644 cdist/conf/type/__iocage_clone/parameter/default/allow_socket_af create mode 100644 cdist/conf/type/__iocage_clone/parameter/default/bridge create mode 100644 
cdist/conf/type/__iocage_clone/parameter/default/devfs_ruleset create mode 100644 cdist/conf/type/__iocage_clone/parameter/default/jail_zfs_dataset create mode 100644 cdist/conf/type/__iocage_clone/parameter/default/mount_linprocfs create mode 100644 cdist/conf/type/__iocage_clone/parameter/default/mount_procfs create mode 100644 cdist/conf/type/__iocage_clone/parameter/default/net create mode 100644 cdist/conf/type/__iocage_clone/parameter/default/state create mode 100644 cdist/conf/type/__iocage_clone/parameter/optional create mode 100644 cdist/conf/type/__iocage_clone/parameter/optional_multiple create mode 100644 cdist/conf/type/__iocage_clone/parameter/required create mode 100644 cdist/conf/type/__tinydns/gencode-remote create mode 100644 cdist/conf/type/__tinydns/manifest create mode 100644 cdist/conf/type/__tinydns/parameter/required create mode 100644 cdist/conf/type/__tinydns_host/gencode-remote create mode 100644 cdist/conf/type/__tinydns_host/manifest create mode 100644 cdist/conf/type/__tinydns_host/parameter/required create mode 100644 cdist/conf/type/__tinydns_ns/gencode-remote create mode 100644 cdist/conf/type/__tinydns_ns/parameter/required diff --git a/cdist/conf/type/__daemontools_service/man.rst b/cdist/conf/type/__daemontools_service/man.rst index ec1d20ff..9bbbe2f8 100644 --- a/cdist/conf/type/__daemontools_service/man.rst +++ b/cdist/conf/type/__daemontools_service/man.rst @@ -40,6 +40,12 @@ run-file log-run Command to run for log consumption. Default: `multilog t ./main` +owner + User to chown to. + +group + User to chgrp to. + servicedir Directory to install into. Default: `/service` diff --git a/cdist/conf/type/__daemontools_service/manifest b/cdist/conf/type/__daemontools_service/manifest index 78bae285..8a81b5f5 100755 --- a/cdist/conf/type/__daemontools_service/manifest +++ b/cdist/conf/type/__daemontools_service/manifest 
@@ -9,6 +9,8 @@ servicedir=$(cat "$__object/parameter/servicedir") run=$(cat "$__object/parameter/run") runfile=$(cat "$__object/parameter/run-file") logrun=$(cat "$__object/parameter/log-run") +owner=$(cat "$__object/parameter/owner") +group=$(cat "$__object/parameter/group") svc=$(cat "$__type/explorer/svc") @@ -25,14 +27,22 @@ badusage() { [ -z "$run$runfile" ] && badusage [ -n "$run" ] && [ -n "$runfile" ] && badusage -__directory "$servicedir/$name/log/main" --parents +flags="" +if [ -n "$owner" ]; then + flags="$flags --owner $owner" +fi +if [ -n "$group" ]; then + flags="$flags --group $group" +fi + +__directory "$servicedir/$name/log/main" --parents $flags echo "$RUN_PREFIX$run" | require="__directory/$servicedir/$name/log/main" __config_file "$servicedir/$name/run" \ --onchange "svc -t '$servicedir/$name' 2>/dev/null" \ - --mode 755 \ + --mode 755 $flags \ --source "${runfile:--}" echo "$RUN_PREFIX$logrun" | require="__directory/$servicedir/$name/log/main" __config_file "$servicedir/$name/log/run" \ --onchange "svc -t '$servicedir/$name/log' 2>/dev/null" \ - --mode 755 \ + --mode 755 $flags \ --source "-" diff --git a/cdist/conf/type/__daemontools_service/parameter/default/group b/cdist/conf/type/__daemontools_service/parameter/default/group new file mode 100644 index 00000000..e69de29b diff --git a/cdist/conf/type/__daemontools_service/parameter/default/owner b/cdist/conf/type/__daemontools_service/parameter/default/owner new file mode 100644 index 00000000..e69de29b diff --git a/cdist/conf/type/__daemontools_service/parameter/optional b/cdist/conf/type/__daemontools_service/parameter/optional index 7e54985f..7c66b514 100644 --- a/cdist/conf/type/__daemontools_service/parameter/optional +++ b/cdist/conf/type/__daemontools_service/parameter/optional @@ -1,4 +1,6 @@ +group log-run +owner run run-file servicedir 
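Review bot: `$flags` is expanded unquoted into `__directory` and both `__config_file` calls, so an owner or group value containing whitespace is word-split, and nothing checks that the value is a plain account name. More important is what the flags do to `$servicedir/$name/run` and `log/run`: they stay `--mode 755` but become owned by `$owner`, and supervise normally executes `./run` as root unless the run script drops privileges itself, so a non-root `--owner` hands that account a root-executed file it can rewrite. If the goal is only to let the service user own its log output, apply `$flags` to the `log/main` `__directory` and leave the two `__config_file` calls at `--mode 755 \` as before; if ownership of the run scripts is intended, state that consequence in man.rst. For the quoting, build the extra arguments with `set -- "$@" --owner "$owner"` and pass `"$@"` rather than a whitespace-joined string. The rest of the manifest is outside this hunk.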
diff --git a/cdist/conf/type/__iocage_clone/gencode-remote b/cdist/conf/type/__iocage_clone/gencode-remote new file mode 100755 index 00000000..30d77099 --- /dev/null +++ b/cdist/conf/type/__iocage_clone/gencode-remote 
@@ -0,0 +1,152 @@ +#!/bin/sh + +state="$(cat $__object/parameter/state)" +template="$(cat $__object/parameter/template)" +ip4_addr="$(cat $__object/parameter/bridge)|$(cat $__object/parameter/ip)" +interfaces="none:none" +defaultrouter="none" +vnet="off" +jail_zfs_dataset="$(cat $__object/parameter/jail_zfs_dataset)" +devfs_ruleset="$(cat $__object/parameter/devfs_ruleset)" +allow_socket_af="$(cat $__object/parameter/allow_socket_af)" +mount_procfs="$(cat $__object/parameter/mount_procfs)" +mount_linprocfs="$(cat $__object/parameter/mount_linprocfs)" + +if [ "X$state" = "Xabsent" ]; then + cat <&2 + create_new=1 + fi +fi + +if [ \$create_new -eq 0 ]; then + if [ "off" == "\$(get_property_iocage jail_zfs "$__object_id")" ]; then + current_jail_zfs_dataset="" + else + current_jail_zfs_dataset="\$(get_property_iocage jail_zfs_dataset "$__object_id")" + fi +fi + +configure=0 +if [ \$create_new -eq 1 ]; then + configure=1 +elif [ "X$vnet" != "X\$(get_property_iocage vnet "$__object_id")" ]; then + configure=1 +elif [ "X$ip4_addr" != "X\$(get_property_iocage ip4_addr "$__object_id")" ]; then + configure=1 +elif [ "X$interfaces" != "X\$(get_property_iocage interfaces "$__object_id")" ]; then + configure=1 +elif [ "X$defaultrouter" != "X\$(get_property_iocage defaultrouter "$__object_id")" ]; then + configure=1 +elif [ "X$mount_procfs" != "X\$(get_property_iocage mount_procfs "$__object_id")" ]; then + configure=1 +elif [ "X$devfs_ruleset" != "X\$(get_property_iocage devfs_ruleset "$__object_id")" ]; then + configure=1 +elif [ "X$allow_socket_af" != "X\$(get_property_iocage allow_socket_af "$__object_id")" ]; then + configure=1 +elif [ "X$jail_zfs_dataset" != "X\$current_jail_zfs_dataset" ]; then + configure=1 +fi + +if [ \$create_new -eq 1 ]; then + echo "Creating jail $__object_id" >&2 + + iocage stop $__object_id || true + iocage destroy -f $__object_id || true + # Without VNETs, we should not need this. 
+ # TODO(riso): Use nicer path + # /root/cdist/ioc deconfigure $__object_id + + rm -f /iocage/jails/$__object_id + + iocage clone $template tag=$__object_id + iocage set boot=on $__object_id + UUID=\$(iocage list | grep " $__object_id " | awk "{ print \\\$2; }") + rm -f /iocage/jails/$__object_id + ln -s /iocage/jails/\$UUID /iocage/jails/$__object_id +else + UUID=\$(iocage list | grep " $__object_id " | awk "{ print \\\$2; }") + echo "Jail $__object_id already exists, UUID=\$UUID" >&2 +fi + +ROOT="/iocage/jails/\$UUID/root" +FSTAB="/iocage/jails/\$UUID/fstab" +rm -f \$FSTAB.new +touch \$FSTAB.new +cat $__object/parameter/mount 2>/dev/null | \\ +while read mount; do + src=\$(echo \$mount | awk -F: "{ print \\\$1; }") + dst_rel=\$(echo \$mount | awk -F: "{ print \\\$2; }") + dst="/iocage/jails/\$UUID/root/\$dst_rel" + mkdir -p "\$dst" + echo "\$src \$dst nullfs rw 0 0" >>\$FSTAB.new +done +if [ $mount_linprocfs -eq 1 ]; then + echo "linproc /iocage/jails/\$UUID/root/compat/linux/proc linprocfs rw 0 0" >>\$FSTAB.new +fi + +fstab_changed=0 +if diff -q \$FSTAB \$FSTAB.new >/dev/null; then + # pass +else + configure=1 + fstab_changed=1 +fi + +if [ \$configure -eq 1 ]; then + echo "Configuring jail $__object_id." 
>&2 + iocage stop $__object_id || true + + iocage set vnet="$vnet" $__object_id + iocage set interfaces="$interfaces" $__object_id + iocage set hostname="$__object_id" $__object_id + iocage set ip4_addr="$ip4_addr" $__object_id + iocage set defaultrouter="$defaultrouter" $__object_id + iocage set mount_procfs="$mount_procfs" $__object_id + iocage set devfs_ruleset="$devfs_ruleset" $__object_id + iocage set allow_socket_af="$allow_socket_af" $__object_id + if [ -n "$jail_zfs_dataset" ]; then + iocage set jail_zfs=on $__object_id + iocage set jail_zfs_dataset="$jail_zfs_dataset" $__object_id + else + iocage set jail_zfs=off $__object_id + fi + + if [ \$fstab_changed -eq 1 ]; then + umount -afF \$FSTAB || true + mv \$FSTAB.new \$FSTAB + fi + + iocage start $__object_id || true + + # Iocage creates new mac address, but arp can have an old mac cached. + # TODO(riso): Is this true without VNETs? + arp -d -a +else + echo "Jail $__object_id is already configured." >&2 +fi +rm -f \$FSTAB.new +EOF +fi diff --git a/cdist/conf/type/__iocage_clone/manifest b/cdist/conf/type/__iocage_clone/manifest new file mode 100644 index 00000000..0684fce8 --- /dev/null +++ b/cdist/conf/type/__iocage_clone/manifest @@ -0,0 +1 @@ +__package iocage diff --git a/cdist/conf/type/__iocage_clone/parameter/default/allow_socket_af b/cdist/conf/type/__iocage_clone/parameter/default/allow_socket_af new file mode 100644 index 00000000..573541ac --- /dev/null +++ b/cdist/conf/type/__iocage_clone/parameter/default/allow_socket_af @@ -0,0 +1 @@ +0 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/bridge b/cdist/conf/type/__iocage_clone/parameter/default/bridge new file mode 100644 index 00000000..092f51c8 --- /dev/null +++ b/cdist/conf/type/__iocage_clone/parameter/default/bridge @@ -0,0 +1 @@ +bridge0 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/devfs_ruleset b/cdist/conf/type/__iocage_clone/parameter/default/devfs_ruleset new file mode 100644 index 00000000..b8626c4c 
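Review bot: `UUID=$(iocage list | grep " $__object_id " | awk ...)` is used unchecked in both branches: if the grep matches nothing (or matches wrongly, since `$__object_id` is interpolated unquoted and unescaped into grep, `rm -f`, `ln -s` and every `iocage` call) `UUID` is empty and the following lines operate on `/iocage/jails//root` and `/iocage/jails//fstab`, so `mkdir -p "$dst"`, `umount -afF $FSTAB` and the symlink hit the host rather than the jail, and with no `set -e` in the generated script they keep going. Add `if [ -z "\$UUID" ]; then echo "no iocage jail matches $__object_id" >&2; exit 1; fi` after each assignment (escaped as shown because the heredoc is unquoted). The `--mount` loop also joins `dst_rel` onto the jail root without rejecting an empty value or one containing `..`, so a mount spec can target the jail root itself or any host directory; a guard such as `case "\$dst_rel" in ""|*..*) echo "bad mount target" >&2; exit 1;; esac` before the `mkdir -p` would close that. Part of this hunk appears garbled on this page (`cat <&2` near the top), so the `get_property_iocage` helper and the `absent` branch could not be reviewed.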
--- /dev/null +++ b/cdist/conf/type/__iocage_clone/parameter/default/devfs_ruleset @@ -0,0 +1 @@ +4 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/jail_zfs_dataset b/cdist/conf/type/__iocage_clone/parameter/default/jail_zfs_dataset new file mode 100644 index 00000000..e69de29b diff --git a/cdist/conf/type/__iocage_clone/parameter/default/mount_linprocfs b/cdist/conf/type/__iocage_clone/parameter/default/mount_linprocfs new file mode 100644 index 00000000..573541ac --- /dev/null +++ b/cdist/conf/type/__iocage_clone/parameter/default/mount_linprocfs @@ -0,0 +1 @@ +0 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/mount_procfs b/cdist/conf/type/__iocage_clone/parameter/default/mount_procfs new file mode 100644 index 00000000..573541ac --- /dev/null +++ b/cdist/conf/type/__iocage_clone/parameter/default/mount_procfs @@ -0,0 +1 @@ +0 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/net b/cdist/conf/type/__iocage_clone/parameter/default/net new file mode 100644 index 00000000..a45fd52c --- /dev/null +++ b/cdist/conf/type/__iocage_clone/parameter/default/net @@ -0,0 +1 @@ +24 diff --git a/cdist/conf/type/__iocage_clone/parameter/default/state b/cdist/conf/type/__iocage_clone/parameter/default/state new file mode 100644 index 00000000..e7f6134f --- /dev/null +++ b/cdist/conf/type/__iocage_clone/parameter/default/state @@ -0,0 +1 @@ +present diff --git a/cdist/conf/type/__iocage_clone/parameter/optional b/cdist/conf/type/__iocage_clone/parameter/optional new file mode 100644 index 00000000..8ca73ed9 --- /dev/null +++ b/cdist/conf/type/__iocage_clone/parameter/optional @@ -0,0 +1,7 @@ +state +bridge +jail_zfs_dataset +mount_procfs +mount_linprocfs +devfs_ruleset +allow_socket_af diff --git a/cdist/conf/type/__iocage_clone/parameter/optional_multiple b/cdist/conf/type/__iocage_clone/parameter/optional_multiple new file mode 100644 index 00000000..fde64773 --- /dev/null +++ b/cdist/conf/type/__iocage_clone/parameter/optional_multiple 
@@ -0,0 +1 @@ +mount diff --git a/cdist/conf/type/__iocage_clone/parameter/required b/cdist/conf/type/__iocage_clone/parameter/required new file mode 100644 index 00000000..209d1544 --- /dev/null +++ b/cdist/conf/type/__iocage_clone/parameter/required @@ -0,0 +1,2 @@ +ip +template diff --git a/cdist/conf/type/__tinydns/gencode-remote b/cdist/conf/type/__tinydns/gencode-remote new file mode 100644 index 00000000..824479b6 --- /dev/null +++ b/cdist/conf/type/__tinydns/gencode-remote @@ -0,0 +1,7 @@ +servicename=$__object_id +user="$(cat "$__object/parameter/user")" +server_ip="$(cat "$__object/parameter/server-ip")" + +cat</dev/null || ./add-host $name $ip +make +EOF diff --git a/cdist/conf/type/__tinydns_host/manifest b/cdist/conf/type/__tinydns_host/manifest new file mode 100644 index 00000000..e69de29b diff --git a/cdist/conf/type/__tinydns_host/parameter/required b/cdist/conf/type/__tinydns_host/parameter/required new file mode 100644 index 00000000..93d111b2 --- /dev/null +++ b/cdist/conf/type/__tinydns_host/parameter/required @@ -0,0 +1 @@ +ip diff --git a/cdist/conf/type/__tinydns_ns/gencode-remote b/cdist/conf/type/__tinydns_ns/gencode-remote new file mode 100644 index 00000000..7305e605 --- /dev/null +++ b/cdist/conf/type/__tinydns_ns/gencode-remote @@ -0,0 +1,13 @@ +set -x + +servicename=$(echo $__object_id | cut -d/ -f1) +name=$(echo $__object_id | cut -d/ -f2-) +ip="$(cat "$__object/parameter/ip")" + +cat</dev/null || ./add-ns $name $ip +make +EOF + +set +x diff --git a/cdist/conf/type/__tinydns_ns/parameter/required b/cdist/conf/type/__tinydns_ns/parameter/required new file mode 100644 index 00000000..93d111b2 --- /dev/null +++ b/cdist/conf/type/__tinydns_ns/parameter/required @@ -0,0 +1 @@ +ip From fefc828780bc76c4245fa96ef517a66ec3eda3fa Mon Sep 17 00:00:00 2001 From: Evilham Date: Sun, 26 Apr 2020 19:06:42 +0200 Subject: [PATCH 06/12] [docs] Improve cdist.cfg.skeleton --- configuration/cdist.cfg.skeleton | 3 +++ 1 file changed, 3 insertions(+) 
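Review bot: The `set -x` / `set +x` pair wrapping this `__tinydns_ns` gencode-remote looks like leftover debugging; it traces the type's own code generation to stderr on every run and should be dropped. `$name` and `$ip` are spliced into the remote heredoc unquoted and `$ip` is never validated, so a value containing shell metacharacters becomes part of the command line executed on the target; at minimum quote them (`./add-ns '$name' '$ip'`) and reject anything that is not an address, e.g. `case "$ip" in ""|*[!0-9.]*) echo "invalid ip: $ip" >&2; exit 1;; esac` before the heredoc. Text between `cat<` and `/dev/null` appears to have been lost when this page was rendered, so the `cd` and the idempotency check inside the heredoc could not be reviewed.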
diff --git a/configuration/cdist.cfg.skeleton b/configuration/cdist.cfg.skeleton index 22c1ccaf..bfac9f5c 100644 --- a/configuration/cdist.cfg.skeleton +++ b/configuration/cdist.cfg.skeleton @@ -19,6 +19,9 @@ # such as ':' for POSIX or ';' for Windows. # If also specified at command line then values from command line are # appended to this value. +# Notice that this works in a "last one wins" fashion, so if a type is redefined +# in multiple conf_dirs, the last one in which it is defined will be used. +# Consider using a unique prefix for your own roles if this can be an issue. # conf_dir = : # # init_manifest From 678df1ec8a24b4c3884554b1931445435e098787 Mon Sep 17 00:00:00 2001 From: Evilham Date: Mon, 27 Apr 2020 01:23:48 +0200 Subject: [PATCH 07/12] [explorers] Improve *BSD support. cpu_cores and memory did lacked support for other BSDs. --- cdist/conf/explorer/cpu_cores | 4 ++++ cdist/conf/explorer/memory | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/cdist/conf/explorer/cpu_cores b/cdist/conf/explorer/cpu_cores index a52bddac..c6744142 100755 --- a/cdist/conf/explorer/cpu_cores +++ b/cdist/conf/explorer/cpu_cores @@ -32,6 +32,10 @@ case "$os" in sysctl -n hw.ncpuonline ;; + "freebsd"|"netbsd") + sysctl -n hw.ncpu + ;; + *) if [ -r /proc/cpuinfo ]; then cores="$(grep "core id" /proc/cpuinfo | sort | uniq | wc -l)" diff --git a/cdist/conf/explorer/memory b/cdist/conf/explorer/memory index 4e3efff8..302b4cda 100755 --- a/cdist/conf/explorer/memory +++ b/cdist/conf/explorer/memory @@ -29,7 +29,7 @@ case "$os" in echo "$(sysctl -n hw.memsize)/1024" | bc ;; - "openbsd") + *"bsd") echo "$(sysctl -n hw.physmem) / 1048576" | bc ;; From 0b3c417aef13eceb51195bb42e9a17205a9afc6c Mon Sep 17 00:00:00 2001 
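Review bot: `*"bsd")` matches any `$os` value ending in "bsd" (openbsd, netbsd, freebsd and anything else the os explorer might report with that suffix), while the companion `cpu_cores` hunk lists `"freebsd"|"netbsd"` explicitly; one of the two should follow the other so the supported set is clear. Worth confirming before merging: on NetBSD and OpenBSD `hw.physmem` is a 32-bit integer and `hw.physmem64` carries the full value, so this branch may under-report memory on hosts with more than 4 GiB of RAM, whereas FreeBSD's `hw.physmem` has no such limit. If that holds, `echo "$(sysctl -n hw.physmem64 2>/dev/null || sysctl -n hw.physmem) / 1048576" | bc` inside the branch would cover all three.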
From: Ander Punnar Date: Mon, 27 Apr 2020 14:00:39 +0300 Subject: [PATCH 08/12] update README --- README | 7 ------- README.md | 20 ++++++++++++++++++++ 2 files changed, 20 insertions(+), 7 deletions(-) delete mode 100644 README create mode 100644 README.md diff --git a/README b/README deleted file mode 100644 index caf2dac8..00000000 --- a/README +++ /dev/null @@ -1,7 +0,0 @@ -cdist ------ - -cdist is a usable configuration management system. - -For the web documentation have a look at https://www.cdi.st/ -or at docs/src for reStructuredText manual. diff --git a/README.md b/README.md new file mode 100644 index 00000000..9e49b053 --- /dev/null +++ b/README.md @@ -0,0 +1,20 @@ +# cdist + +**cdist** is a usable configuration management system. + +It adheres to the [**KISS principle**](https://en.wikipedia.org/wiki/KISS_principle) +and is being used in small up to enterprise grade environments. + +For more information have a look at [**homepage**](https://cdi.st) +or at **``docs/src``** for manual in **reStructuredText** format. + +## Contributing + +Merge/Pull requests can be made in both +[upstream **GitLab**](https://code.ungleich.ch/ungleich-public/cdist/merge_requests) +(managed by [**ungleich**](https://ungleich.ch)) +and [**GitHub** project](https://github.com/ungleich/cdist/pulls). + +Issues can be made and other project management activites happen +[**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist) +(needs [**ungleich** account](https://account.ungleich.ch)). From 56a65518ab6171d0f19152642fccb94038a3c5ad Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Mon, 27 Apr 2020 15:25:43 +0300 Subject: [PATCH 09/12] README: add participating section --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 9e49b053..0a0d6e6d 100644 --- a/README.md +++ b/README.md 
@@ -18,3 +18,11 @@ and [**GitHub** project](https://github.com/ungleich/cdist/pulls). Issues can be made and other project management activites happen [**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist) (needs [**ungleich** account](https://account.ungleich.ch)). + +## Participating + +IRC: ``#cdist`` @ freenode + +Matrix: ``#cdist:ungleich.ch`` + +Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist From b31e13eacf2cb23e6a7bdadc33741026ae88553a Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Mon, 27 Apr 2020 16:30:52 +0300 Subject: [PATCH 10/12] README: add bits about cdist-contrib --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 0a0d6e6d..de6901c7 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,9 @@ Issues can be made and other project management activites happen [**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist) (needs [**ungleich** account](https://account.ungleich.ch)). +For community-maintained types there is +[**cdist-contrib** project](https://code.ungleich.ch/ungleich-public/cdist-contrib). + ## Participating IRC: ``#cdist`` @ freenode From 515992249de513492a725dbf4072a6c3f376668a Mon Sep 17 00:00:00 2001 From: Darko Poljak Date: Mon, 27 Apr 2020 22:55:57 +0200 Subject: [PATCH 11/12] ++changelog --- docs/changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/changelog b/docs/changelog index 7cacf3cf..1e213187 100644 --- a/docs/changelog +++ b/docs/changelog @@ -10,6 +10,8 @@ next: * New type: __pf_apply_anchor (Kamila Součková, Evil Ham) * Type __pf_ruleset: Refactor (Kamila Součková, Evil Ham) * Type __pf_apply: Deprecate type (Kamila Součková, Evil Ham) + * Configuration: Add notes to cdist.cfg.skeleton (Evil Ham) + * Explorers cpu_cores, memory: Improve *BSD support (Evil Ham) 6.5.4: 2020-04-11 * Explorer init: Do not grep on non-existent init (Steven Armstrong) From ef44d44288db75821fd195f1ff286fa20a2412c2 Mon Sep 17 00:00:00 2001 
From: Evilham Date: Tue, 28 Apr 2020 13:35:48 +0200 Subject: [PATCH 12/12] [logging] Mute return_output warning for explorers. This adds a `warn_return_output` flag to `cdist.exec.remote.Remote.(run_script|run|_run_command)`. It defaults to `True` keeping current behaviour except when called from `cdist.core.explorer.Explorer`. This way debug logging is significantly cleaner. Fixes #806 --- cdist/core/explorer.py | 6 ++++-- cdist/exec/remote.py | 15 +++++++++------ 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/cdist/core/explorer.py b/cdist/core/explorer.py index 353d7681..c93f8958 100644 --- a/cdist/core/explorer.py +++ b/cdist/core/explorer.py @@ -167,7 +167,8 @@ class Explorer(object): def run_global_explorer(self, explorer): """Run the given global explorer and return it's output.""" script = os.path.join(self.remote.global_explorer_path, explorer) - return self.remote.run_script(script, env=self.env, return_output=True) + return self.remote.run_script(script, env=self.env, return_output=True, + warn_return_output=False) # type @@ -229,7 +230,8 @@ class Explorer(object): }) script = os.path.join(self.remote.type_path, cdist_type.explorer_path, explorer) - return self.remote.run_script(script, env=env, return_output=True) + return self.remote.run_script(script, env=env, return_output=True, + warn_return_output=False) def transfer_type_explorers(self, cdist_type): """Transfer the type explorers for the given type to the diff --git a/cdist/exec/remote.py b/cdist/exec/remote.py index e0ef66ec..c53f2efa 100644 --- a/cdist/exec/remote.py +++ b/cdist/exec/remote.py @@ -219,7 +219,7 @@ class Remote(object): self._run_command(command) def run_script(self, script, env=None, return_output=False, stdout=None, - stderr=None): + stderr=None, warn_return_output=True): """Run the given script with the given environment on the remote side. Return the output as a string. 
@@ -232,10 +232,11 @@ class Remote(object): command.append(script) return self.run(command, env=env, return_output=return_output, - stdout=stdout, stderr=stderr) + stdout=stdout, stderr=stderr, + warn_return_output=warn_return_output) def run(self, command, env=None, return_output=False, stdout=None, - stderr=None): + stderr=None, warn_return_output=True): """Run the given command with the given environment on the remote side. Return the output as a string. @@ -269,10 +270,11 @@ class Remote(object): else: cmd.extend(command) return self._run_command(cmd, env=env, return_output=return_output, - stdout=stdout, stderr=stderr) + stdout=stdout, stderr=stderr, + warn_return_output=warn_return_output) def _run_command(self, command, env=None, return_output=False, stdout=None, - stderr=None): + stderr=None, warn_return_output=True): """Run the given command with the given environment. Return the output as a string. @@ -280,7 +282,8 @@ class Remote(object): assert isinstance(command, (list, tuple)), ( "list or tuple argument expected, got: %s" % command) - if return_output and stdout is not subprocess.PIPE: + warn_return_output_applies = warn_return_output and return_output + if warn_return_output_applies and stdout is not subprocess.PIPE: self.log.debug("return_output is True, ignoring stdout") close_stdout = False
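Review bot: The new `warn_return_output` keyword is not described in any of the three docstrings it was added to (`run_script`, `run` and `_run_command` still say only "Run the given ... Return the output as a string."), so a reader of `_run_command` cannot tell that the flag merely silences the "return_output is True, ignoring stdout" debug line and does not change what happens to `stdout`. Add to `_run_command`'s docstring a sentence such as "`warn_return_output`: when False, suppress the debug message logged when `return_output` is True and a `stdout` argument is ignored; explorers pass False because they always request output", with a one-line cross-reference in `run` and `run_script`. Since every caller in this commit passes it by keyword, declaring it keyword-only (`*, warn_return_output=True`) would also keep the growing positional list from being misordered. `_run_command`'s body continues past the hunk.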