forked from ungleich-public/cdist
Compare commits
269 Commits
mysql-type
...
master
Author | SHA1 | Date |
---|---|---|
|
90488d2e9e | |
|
be6e7fcc08 | |
|
d4bf41ce3b | |
|
7de931829a | |
|
17466452f0 | |
|
7d8fc8a5c3 | |
|
6243165645 | |
|
483f0c1614 | |
|
ff6b2d0abf | |
|
339ca9347b | |
|
5a7542db75 | |
|
0ae37b3445 | |
|
5e6cde1398 | |
|
77d9a757ec | |
|
e5adcf451b | |
|
9839c2d8ec | |
|
1edc4d0a60 | |
|
3d58c9b24f | |
|
6c8c692a22 | |
|
abbc7dfc37 | |
|
8b915b15b5 | |
|
2df2578e36 | |
|
6f8c774cb0 | |
|
54a5cb17b7 | |
|
cb0fa0f2e4 | |
|
af54fe6feb | |
|
22039284f5 | |
|
bd44c023d3 | |
|
e0150e7796 | |
|
15e1ce6450 | |
|
08ff41efde | |
|
c2c5668b70 | |
|
6e3ad11ea0 | |
|
fc6ddac718 | |
|
3a321469a8 | |
|
e2500248f2 | |
|
0b710c6173 | |
|
c33d99ee12 | |
|
560374a686 | |
|
fc9bd40c9a | |
|
5b7cca99f7 | |
|
15c642a9b7 | |
|
bf222d0543 | |
|
433399d4dc | |
|
12c536dbf9 | |
|
67a6965e1d | |
|
398ee1e416 | |
|
b209adcfca | |
|
72ff48154c | |
|
3d7b31cbb4 | |
|
d246e06710 | |
|
12787ffe2c | |
|
7b6789ddeb | |
|
cd4acde67e | |
|
5bf0c71e7a | |
|
aabef7f44a | |
|
b7f392fa37 | |
|
90488fcebc | |
|
0f6e48dbc6 | |
|
d7fdc8006f | |
|
fcd730f905 | |
|
b8eb6e984c | |
|
b762ea0233 | |
|
44741e714b | |
|
0546283d0e | |
|
46ed48d546 | |
|
c683bce66e | |
|
e1e1348998 | |
|
67f85546ec | |
|
05c2a62191 | |
|
5af1317c29 | |
|
4a05669765 | |
|
23fbfaf035 | |
|
2ffa895f57 | |
|
abc6d009b2 | |
|
edcac70b2a | |
|
3ae5a606ca | |
|
841ebb9b88 | |
|
39dcb41349 | |
|
d37772f3ea | |
|
49a9bcdf93 | |
|
f9ce4bc33a | |
|
2a0c073d40 | |
|
bbcc81a984 | |
|
0b3b47396f | |
|
a7d6481a7d | |
|
83fe6e9f5b | |
|
e108cbc205 | |
|
53334fb4eb | |
|
542674dae8 | |
|
b0e00efe64 | |
|
4156fea900 | |
|
cb8695cc88 | |
|
7ce68e3cb7 | |
|
67bcc6cae3 | |
|
71fee1fd6b | |
|
4307e8e7fa | |
|
fed01ded83 | |
|
f730aa7679 | |
|
c7daaabc6c | |
|
fbc9594729 | |
|
bf0c355fe7 | |
|
24c9406ea0 | |
|
de11666161 | |
|
8b160841ad | |
|
5229337611 | |
|
917a5d1aa8 | |
|
46b5c24cd2 | |
|
0e611af2a6 | |
|
65c43d3c1d | |
|
77dab4c5c6 | |
|
3e76d1cd3f | |
|
b8f601ee15 | |
|
cf0032d667 | |
|
7a5896acfa | |
|
485283f2e5 | |
|
166b58aeea | |
|
521241d741 | |
|
be92731c5c | |
|
853e5cf7b4 | |
|
d8da298cdf | |
|
44eeb4bbfc | |
|
30ba796d06 | |
|
243a4b904a | |
|
6528fd1c77 | |
|
99188b4822 | |
|
62ea1d2721 | |
|
a90e642c13 | |
|
60753ddfcc | |
|
d937d53f3d | |
|
2db40d8d70 | |
|
7b3f268df2 | |
|
b726697e07 | |
|
a3102022e1 | |
|
c308a28969 | |
|
02aa88463a | |
|
6ede76b08b | |
|
d596986af8 | |
|
defa3c22ea | |
|
d2ce55ea6e | |
|
e0c52d0e1d | |
|
b8733c65f5 | |
|
ab10b453f2 | |
|
75c71f69c1 | |
|
503a06ed28 | |
|
6210cccb28 | |
|
f14623e45f | |
|
81b426e4e2 | |
|
a696f3cf00 | |
|
0b05a8f5f7 | |
|
c00c8c2012 | |
|
a42ebc7a78 | |
|
3a25b80466 | |
|
3e190c3481 | |
|
9cf19388ab | |
|
a4122882f2 | |
|
2232435c22 | |
|
3a9dd5b166 | |
|
92fff7cb77 | |
|
0f05f38384 | |
|
0d33407b18 | |
|
8296051653 | |
|
3cf93249c3 | |
|
beb8da6d5f | |
|
58b279a8d0 | |
|
6ac8cbf98f | |
|
512e9b23c0 | |
|
71d79ed6ee | |
|
13e2ad175f | |
|
bb24d632d6 | |
|
a4464209b6 | |
|
acf9bf91f1 | |
|
1bb696a410 | |
|
2f05467358 | |
|
1c047353a9 | |
|
19bf37be1a | |
|
686e4f0f2d | |
|
bef1433ba3 | |
|
12c2995494 | |
|
e0416403c4 | |
|
2ccc03fef1 | |
|
92b8942a8c | |
|
9ec01d9f97 | |
|
e27e88512b | |
|
d2eec60668 | |
|
750c71fb5a | |
|
199effb7ef | |
|
ab811ad282 | |
|
ce79a2069c | |
|
c981f654f1 | |
|
87698395b8 | |
|
4c2d273f07 | |
|
f984a918b9 | |
|
1e765fcab7 | |
|
28c13bd29b | |
|
985252585c | |
|
167c2ad7ea | |
|
7a0b697f4c | |
|
10ca1c12fd | |
|
c55397766e | |
|
e47c4dd8a4 | |
|
31cc592aa1 | |
|
2f4a7e1a94 | |
|
fb19f34266 | |
|
ecba284fc8 | |
|
ea0126dd81 | |
|
e7d33891df | |
|
1bc0d912bf | |
|
8ef19d47f6 | |
|
60fd7ba1f3 | |
|
dc66efa690 | |
|
1a74470c4d | |
|
0734288483 | |
|
22f637c15b | |
|
6358885d26 | |
|
5e0572189f | |
|
b3a9c907ad | |
|
e854db096e | |
|
d1f45d3524 | |
|
0835f414a5 | |
|
2ce1fce767 | |
|
951712740f | |
|
a9d7dfb2ed | |
|
7398382890 | |
|
2db0ef7c98 | |
|
8dc6ab9738 | |
|
4717e5ceff | |
|
aa80c09c80 | |
|
b832af5e3b | |
|
e49da474c4 | |
|
bc145bbc27 | |
|
65a6a2ed52 | |
|
c8141d28c3 | |
|
cda17be38a | |
|
73a03d75d7 | |
|
8eccacec59 | |
|
6b18cace75 | |
|
f9ebb4333c | |
|
4967c7ebbb | |
|
3f605c31ac | |
|
0f2ff47738 | |
|
5051d4f40b | |
|
891c98567e | |
|
803367b316 | |
|
1b49fec972 | |
|
b4060720dc | |
|
50bcd95105 | |
|
534d5f6bb5 | |
|
c51d68a737 | |
|
35cde3e666 | |
|
92a50da487 | |
|
6e9b13d949 | |
|
878a65a8b7 | |
|
cce470b556 | |
|
2954347771 | |
|
f0e1b3b849 | |
|
c819548343 | |
|
bd8ab8f26f | |
|
8753b7eedf | |
|
766198912d | |
|
a10d43bc69 | |
|
99d82fd0d5 | |
|
1180f13ed6 | |
|
4859c27900 | |
|
7b7ca4d385 | |
|
c36df82882 | |
|
932e2496ed | |
|
69b8bc9af0 | |
|
bc2948a8a5 |
6
Makefile
6
Makefile
|
@ -35,9 +35,9 @@ DOCS_SRC_DIR=./docs/src
|
||||||
SPEECHDIR=./docs/speeches
|
SPEECHDIR=./docs/speeches
|
||||||
TYPEDIR=./cdist/conf/type
|
TYPEDIR=./cdist/conf/type
|
||||||
|
|
||||||
SPHINXM=make -C $(DOCS_SRC_DIR) man
|
SPHINXM=$(MAKE) -C $(DOCS_SRC_DIR) man
|
||||||
SPHINXH=make -C $(DOCS_SRC_DIR) html
|
SPHINXH=$(MAKE) -C $(DOCS_SRC_DIR) html
|
||||||
SPHINXC=make -C $(DOCS_SRC_DIR) clean
|
SPHINXC=$(MAKE) -C $(DOCS_SRC_DIR) clean
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# Manpages
|
# Manpages
|
||||||
|
|
|
@ -24,8 +24,8 @@ For community-maintained types there is
|
||||||
|
|
||||||
## Participating
|
## Participating
|
||||||
|
|
||||||
IRC: ``#cdist`` @ freenode
|
IRC: ``#cdist`` @ [libera](https://libera.chat)
|
||||||
|
|
||||||
Matrix: ``#cdist:ungleich.ch``
|
Matrix: ``#cdist:ungleich.ch``
|
||||||
|
|
||||||
Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist
|
Matrix and IRC are bridged.
|
||||||
|
|
|
@ -72,9 +72,11 @@ def commandline():
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
if sys.version < cdist.MIN_SUPPORTED_PYTHON_VERSION:
|
if sys.version_info[:3] < cdist.MIN_SUPPORTED_PYTHON_VERSION:
|
||||||
print('Python >= {} is required on the source host.'.format(
|
print(
|
||||||
cdist.MIN_SUPPORTED_PYTHON_VERSIO), file=sys.stderr)
|
'Python >= {} is required on the source host.'.format(
|
||||||
|
".".join(map(str, cdist.MIN_SUPPORTED_PYTHON_VERSION))),
|
||||||
|
file=sys.stderr)
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
exit_code = 0
|
exit_code = 0
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
|
# 2011-2022 Nico Schottelius (nico-cdist at schottelius.org)
|
||||||
# 2016-2019 Darko Poljak (darko.poljak at gmail.com)
|
# 2016-2019 Darko Poljak (darko.poljak at gmail.com)
|
||||||
#
|
#
|
||||||
# This file is part of cdist.
|
# This file is part of cdist.
|
||||||
|
|
|
@ -64,7 +64,7 @@ REMOTE_EXEC = "ssh -o User=root"
|
||||||
REMOTE_CMDS_CLEANUP_PATTERN = "ssh -o User=root -O exit -S {}"
|
REMOTE_CMDS_CLEANUP_PATTERN = "ssh -o User=root -O exit -S {}"
|
||||||
|
|
||||||
|
|
||||||
MIN_SUPPORTED_PYTHON_VERSION = '3.5'
|
MIN_SUPPORTED_PYTHON_VERSION = (3, 5)
|
||||||
|
|
||||||
|
|
||||||
class Error(Exception):
|
class Error(Exception):
|
||||||
|
|
|
@ -485,19 +485,31 @@ def get_parsers():
|
||||||
parser['scan'].add_argument(
|
parser['scan'].add_argument(
|
||||||
'-m', '--mode', help='Which modes should run',
|
'-m', '--mode', help='Which modes should run',
|
||||||
action='append', default=[],
|
action='append', default=[],
|
||||||
choices=['scan', 'trigger'])
|
choices=['scan', 'trigger', 'config'])
|
||||||
|
parser['scan'].add_argument(
|
||||||
|
'--list',
|
||||||
|
action='store_true',
|
||||||
|
help='List the known hosts and exit')
|
||||||
parser['scan'].add_argument(
|
parser['scan'].add_argument(
|
||||||
'--config',
|
'--config',
|
||||||
action='store_true',
|
action='store_true',
|
||||||
help='Try to configure detected hosts')
|
help='Try to configure detected hosts')
|
||||||
parser['scan'].add_argument(
|
parser['scan'].add_argument(
|
||||||
'-I', '--interfaces',
|
'-I', '--interface',
|
||||||
action='append', default=[],
|
action='append', default=[], required=True,
|
||||||
help='On which interfaces to scan/trigger')
|
help='On which interfaces to scan/trigger')
|
||||||
parser['scan'].add_argument(
|
parser['scan'].add_argument(
|
||||||
'-d', '--delay',
|
'--name-mapper',
|
||||||
action='store', default=3600,
|
action='store', default=None,
|
||||||
help='How long to wait before reconfiguring after last try')
|
help='Map addresses to names, required for config mode')
|
||||||
|
parser['scan'].add_argument(
|
||||||
|
'-d', '--config-delay',
|
||||||
|
action='store', default=3600, type=int,
|
||||||
|
help='How long (seconds) to wait before reconfiguring after last try')
|
||||||
|
parser['scan'].add_argument(
|
||||||
|
'-t', '--trigger-delay',
|
||||||
|
action='store', default=5, type=int,
|
||||||
|
help='How long (seconds) to wait between ICMPv6 echo requests')
|
||||||
parser['scan'].set_defaults(func=cdist.scan.commandline.commandline)
|
parser['scan'].set_defaults(func=cdist.scan.commandline.commandline)
|
||||||
|
|
||||||
for p in parser:
|
for p in parser:
|
||||||
|
@ -533,10 +545,10 @@ def parse_and_configure(argv, singleton=True):
|
||||||
|
|
||||||
log = logging.getLogger("cdist")
|
log = logging.getLogger("cdist")
|
||||||
|
|
||||||
log.verbose("version %s" % cdist.VERSION)
|
log.verbose("version %s", cdist.VERSION)
|
||||||
log.trace('command line args: {}'.format(cfg.command_line_args))
|
log.trace('command line args: %s', cfg.command_line_args)
|
||||||
log.trace('configuration: {}'.format(cfg.get_config()))
|
log.trace('configuration: %s', cfg.get_config())
|
||||||
log.trace('configured args: {}'.format(args))
|
log.trace('configured args: %s', args)
|
||||||
|
|
||||||
check_beta(vars(args))
|
check_beta(vars(args))
|
||||||
|
|
||||||
|
|
|
@ -21,6 +21,9 @@
|
||||||
|
|
||||||
set +e
|
set +e
|
||||||
case "$("$__explorer/os")" in
|
case "$("$__explorer/os")" in
|
||||||
|
checkpoint)
|
||||||
|
awk '{printf("%s\n", $(NF-1))}' /etc/cp-release
|
||||||
|
;;
|
||||||
openwrt)
|
openwrt)
|
||||||
# shellcheck disable=SC1091
|
# shellcheck disable=SC1091
|
||||||
(. /etc/openwrt_release && echo "$DISTRIB_CODENAME")
|
(. /etc/openwrt_release && echo "$DISTRIB_CODENAME")
|
||||||
|
|
|
@ -21,6 +21,9 @@
|
||||||
|
|
||||||
set +e
|
set +e
|
||||||
case "$("$__explorer/os")" in
|
case "$("$__explorer/os")" in
|
||||||
|
checkpoint)
|
||||||
|
cat /etc/cp-release
|
||||||
|
;;
|
||||||
openwrt)
|
openwrt)
|
||||||
# shellcheck disable=SC1091
|
# shellcheck disable=SC1091
|
||||||
(. /etc/openwrt_release && echo "$DISTRIB_DESCRIPTION")
|
(. /etc/openwrt_release && echo "$DISTRIB_DESCRIPTION")
|
||||||
|
|
|
@ -21,6 +21,9 @@
|
||||||
|
|
||||||
set +e
|
set +e
|
||||||
case "$("$__explorer/os")" in
|
case "$("$__explorer/os")" in
|
||||||
|
checkpoint)
|
||||||
|
echo "CheckPoint"
|
||||||
|
;;
|
||||||
openwrt)
|
openwrt)
|
||||||
# shellcheck disable=SC1091
|
# shellcheck disable=SC1091
|
||||||
(. /etc/openwrt_release && echo "$DISTRIB_ID")
|
(. /etc/openwrt_release && echo "$DISTRIB_ID")
|
||||||
|
|
|
@ -21,6 +21,9 @@
|
||||||
|
|
||||||
set +e
|
set +e
|
||||||
case "$("$__explorer/os")" in
|
case "$("$__explorer/os")" in
|
||||||
|
checkpoint)
|
||||||
|
sed /etc/cp-release -e 's/.* R\([1-9][0-9]*\)\.[0-9]*$/\1/'
|
||||||
|
;;
|
||||||
openwrt)
|
openwrt)
|
||||||
# shellcheck disable=SC1091
|
# shellcheck disable=SC1091
|
||||||
(. /etc/openwrt_release && echo "$DISTRIB_RELEASE")
|
(. /etc/openwrt_release && echo "$DISTRIB_RELEASE")
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -1,8 +1,9 @@
|
||||||
#!/bin/sh
|
#!/bin/sh -e
|
||||||
#
|
#
|
||||||
# 2014 Daniel Heule (hda at sfs.biz)
|
# 2014 Daniel Heule (hda at sfs.biz)
|
||||||
# 2014 Thomas Oettli (otho at sfs.biz)
|
# 2014 Thomas Oettli (otho at sfs.biz)
|
||||||
# Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
|
# Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
|
||||||
|
# 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
|
||||||
#
|
#
|
||||||
# This file is part of cdist.
|
# This file is part of cdist.
|
||||||
#
|
#
|
||||||
|
@ -19,24 +20,73 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
#
|
# Returns the amount of memory physically installed in the system, or if that
|
||||||
|
# cannot be determined the amount available to the operating system kernel,
|
||||||
|
# in kibibytes (kiB).
|
||||||
|
|
||||||
# FIXME: other system types (not linux ...)
|
str2bytes() {
|
||||||
|
awk -F' ' '
|
||||||
|
$2 == "B" || !$2 { print $1 }
|
||||||
|
$2 == "kB" { printf "%.f\n", ($1 * 1000) }
|
||||||
|
$2 == "MB" { printf "%.f\n", ($1 * 1000 * 1000) }
|
||||||
|
$2 == "GB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000) }
|
||||||
|
$2 == "TB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000 * 1000) }
|
||||||
|
$2 == "kiB" { printf "%.f\n", ($1 * 1024) }
|
||||||
|
$2 == "MiB" { printf "%.f\n", ($1 * 1024 * 1024) }
|
||||||
|
$2 == "GiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024) }
|
||||||
|
$2 == "TiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024 * 1024) }'
|
||||||
|
}
|
||||||
|
|
||||||
os=$("$__explorer/os")
|
bytes2kib() {
|
||||||
case "$os" in
|
awk '$0 > 0 { printf "%.f\n", ($0 / 1024) }'
|
||||||
"macosx")
|
}
|
||||||
echo "$(sysctl -n hw.memsize)/1024" | bc
|
|
||||||
;;
|
|
||||||
|
|
||||||
*"bsd")
|
|
||||||
PATH=$(getconf PATH)
|
|
||||||
echo "$(sysctl -n hw.physmem) / 1048576" | bc
|
|
||||||
;;
|
|
||||||
|
|
||||||
*)
|
case $(uname -s)
|
||||||
if [ -r /proc/meminfo ]; then
|
in
|
||||||
grep "MemTotal:" /proc/meminfo | awk '{print $2}'
|
(Darwin)
|
||||||
fi
|
sysctl -n hw.memsize | bytes2kib
|
||||||
;;
|
;;
|
||||||
|
(FreeBSD)
|
||||||
|
sysctl -n hw.realmem | bytes2kib
|
||||||
|
;;
|
||||||
|
(NetBSD|OpenBSD)
|
||||||
|
# NOTE: This reports "usable" memory, not physically installed memory.
|
||||||
|
command -p sysctl -n hw.physmem | bytes2kib
|
||||||
|
;;
|
||||||
|
(SunOS)
|
||||||
|
# Make sure that awk from xpg4 is used for the scripts to work
|
||||||
|
export PATH="/usr/xpg4/bin:${PATH}"
|
||||||
|
prtconf \
|
||||||
|
| awk -F ': ' '
|
||||||
|
$1 == "Memory size" { sub(/Megabytes/, "MiB", $2); print $2 }
|
||||||
|
/^$/ { exit }' \
|
||||||
|
| str2bytes \
|
||||||
|
| bytes2kib
|
||||||
|
;;
|
||||||
|
(Linux)
|
||||||
|
if test -d /sys/devices/system/memory
|
||||||
|
then
|
||||||
|
# Use memory blocks if the architecture (e.g. x86, PPC64, s390)
|
||||||
|
# supports them (they denote physical memory)
|
||||||
|
num_mem_blocks=$(cat /sys/devices/system/memory/memory[0-9]*/state | grep -cxF online)
|
||||||
|
mem_block_size=$(cat /sys/devices/system/memory/block_size_bytes)
|
||||||
|
|
||||||
|
echo $((num_mem_blocks * 0x$mem_block_size)) | bytes2kib && exit
|
||||||
|
fi
|
||||||
|
if test -r /proc/meminfo
|
||||||
|
then
|
||||||
|
# Fall back to meminfo file on other architectures (e.g. ARM, MIPS,
|
||||||
|
# PowerPC)
|
||||||
|
# NOTE: This is "usable" memory, not physically installed memory.
|
||||||
|
awk -F ': +' '$1 == "MemTotal" { sub(/B$/, "iB", $2); print $2 }' /proc/meminfo \
|
||||||
|
| str2bytes \
|
||||||
|
| bytes2kib
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
(*)
|
||||||
|
printf "Your kernel (%s) is currently not supported by the memory explorer\n" "$(uname -s)" >&2
|
||||||
|
printf "Please contribute an implementation for it if you can.\n" >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
|
@ -116,6 +116,13 @@ if [ -f /etc/slackware-version ]; then
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Appliances
|
||||||
|
|
||||||
|
if grep -q '^Check Point Gaia' /etc/cp-release 2>/dev/null; then
|
||||||
|
echo checkpoint
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
uname_s="$(uname -s)"
|
uname_s="$(uname -s)"
|
||||||
|
|
||||||
# Assume there is no tr on the client -> do lower case ourselves
|
# Assume there is no tr on the client -> do lower case ourselves
|
||||||
|
|
|
@ -34,5 +34,9 @@ elif test -f /var/run/os-release
|
||||||
then
|
then
|
||||||
# FreeBSD (created by os-release service)
|
# FreeBSD (created by os-release service)
|
||||||
cat /var/run/os-release
|
cat /var/run/os-release
|
||||||
|
elif test -f /etc/cp-release
|
||||||
|
then
|
||||||
|
# Checkpoint firewall or management (actually linux based)
|
||||||
|
cat /etc/cp-release
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
#!/bin/sh
|
#!/bin/sh -e
|
||||||
#
|
#
|
||||||
# 2010-2011 Nico Schottelius (nico-cdist at schottelius.org)
|
# 2010-2011 Nico Schottelius (nico-cdist at schottelius.org)
|
||||||
|
# 2020-2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
|
||||||
#
|
#
|
||||||
# This file is part of cdist.
|
# This file is part of cdist.
|
||||||
#
|
#
|
||||||
|
@ -17,12 +18,22 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
#
|
|
||||||
# All os variables are lower case
|
# All os variables are lower case
|
||||||
#
|
#
|
||||||
#
|
|
||||||
|
|
||||||
case "$("$__explorer/os")" in
|
rc_getvar() {
|
||||||
|
awk -F= -v varname="$2" '
|
||||||
|
function unquote(s) {
|
||||||
|
if (s ~ /^".*"$/ || s ~ /^'\''.*'\''$/)
|
||||||
|
return substr(s, 2, length(s) - 2)
|
||||||
|
else
|
||||||
|
return s
|
||||||
|
}
|
||||||
|
$1 == varname { print unquote(substr($0, index($0, "=") + 1)) }' "$1"
|
||||||
|
}
|
||||||
|
|
||||||
|
case $("${__explorer:?}/os")
|
||||||
|
in
|
||||||
amazon)
|
amazon)
|
||||||
cat /etc/system-release
|
cat /etc/system-release
|
||||||
;;
|
;;
|
||||||
|
@ -30,6 +41,9 @@ case "$("$__explorer/os")" in
|
||||||
# empty, but well...
|
# empty, but well...
|
||||||
cat /etc/arch-release
|
cat /etc/arch-release
|
||||||
;;
|
;;
|
||||||
|
checkpoint)
|
||||||
|
awk '{version=$NF; printf("%s\n", substr(version, 2))}' /etc/cp-release
|
||||||
|
;;
|
||||||
debian)
|
debian)
|
||||||
debian_version=$(cat /etc/debian_version)
|
debian_version=$(cat /etc/debian_version)
|
||||||
case $debian_version
|
case $debian_version
|
||||||
|
@ -43,6 +57,8 @@ case "$("$__explorer/os")" in
|
||||||
# sid versions don't have a number, so we decode by codename:
|
# sid versions don't have a number, so we decode by codename:
|
||||||
case $(expr "$debian_version" : '\([a-z]\{1,\}\)/')
|
case $(expr "$debian_version" : '\([a-z]\{1,\}\)/')
|
||||||
in
|
in
|
||||||
|
trixie) echo 12.99 ;;
|
||||||
|
bookworm) echo 11.99 ;;
|
||||||
bullseye) echo 10.99 ;;
|
bullseye) echo 10.99 ;;
|
||||||
buster) echo 9.99 ;;
|
buster) echo 9.99 ;;
|
||||||
stretch) echo 8.99 ;;
|
stretch) echo 8.99 ;;
|
||||||
|
@ -50,7 +66,7 @@ case "$("$__explorer/os")" in
|
||||||
wheezy) echo 6.99 ;;
|
wheezy) echo 6.99 ;;
|
||||||
squeeze) echo 5.99 ;;
|
squeeze) echo 5.99 ;;
|
||||||
lenny) echo 4.99 ;;
|
lenny) echo 4.99 ;;
|
||||||
*) exit 1
|
*) echo 99.99 ;;
|
||||||
esac
|
esac
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
|
@ -59,7 +75,23 @@ case "$("$__explorer/os")" in
|
||||||
esac
|
esac
|
||||||
;;
|
;;
|
||||||
devuan)
|
devuan)
|
||||||
cat /etc/devuan_version
|
devuan_version=$(cat /etc/devuan_version)
|
||||||
|
case ${devuan_version}
|
||||||
|
in
|
||||||
|
(*/ceres)
|
||||||
|
# ceres versions don't have a number, so we decode by codename:
|
||||||
|
case ${devuan_version}
|
||||||
|
in
|
||||||
|
(chimaera/ceres) echo 3.99 ;;
|
||||||
|
(beowulf/ceres) echo 2.99 ;;
|
||||||
|
(ascii/ceres) echo 1.99 ;;
|
||||||
|
(*) exit 1
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
(*)
|
||||||
|
echo "${devuan_version}"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
;;
|
;;
|
||||||
fedora)
|
fedora)
|
||||||
cat /etc/fedora-release
|
cat /etc/fedora-release
|
||||||
|
@ -68,12 +100,20 @@ case "$("$__explorer/os")" in
|
||||||
cat /etc/gentoo-release
|
cat /etc/gentoo-release
|
||||||
;;
|
;;
|
||||||
macosx)
|
macosx)
|
||||||
sw_vers -productVersion
|
# NOTE: Legacy versions (< 10.3) do not support options
|
||||||
|
sw_vers | awk -F ':[ \t]+' '$1 == "ProductVersion" { print $2 }'
|
||||||
;;
|
;;
|
||||||
freebsd)
|
freebsd)
|
||||||
# Apparently uname -r is not a reliable way to get the patch level.
|
# Apparently uname -r is not a reliable way to get the patch level.
|
||||||
# See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
|
# See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
|
||||||
freebsd-version
|
if command -v freebsd-version >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
# get userland version
|
||||||
|
freebsd-version -u
|
||||||
|
else
|
||||||
|
# fallback to kernel release for FreeBSD < 10.0
|
||||||
|
uname -r
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
*bsd|solaris)
|
*bsd|solaris)
|
||||||
uname -r
|
uname -r
|
||||||
|
@ -98,7 +138,20 @@ case "$("$__explorer/os")" in
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
ubuntu)
|
ubuntu)
|
||||||
lsb_release -sr
|
if command -v lsb_release >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
lsb_release -sr
|
||||||
|
elif test -r /usr/lib/os-release
|
||||||
|
then
|
||||||
|
# fallback to /usr/lib/os-release if lsb_release is not present (like
|
||||||
|
# on minimized Ubuntu installations)
|
||||||
|
rc_getvar /usr/lib/os-release VERSION_ID
|
||||||
|
elif test -r /etc/lsb-release
|
||||||
|
then
|
||||||
|
# extract DISTRIB_RELEASE= variable from /etc/lsb-release on old
|
||||||
|
# versions without /usr/lib/os-release.
|
||||||
|
rc_getvar /etc/lsb-release DISTRIB_RELEASE
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
alpine)
|
alpine)
|
||||||
cat /etc/alpine-release
|
cat /etc/alpine-release
|
||||||
|
|
|
@ -28,6 +28,7 @@
|
||||||
# lsb_release may not be given in all installations
|
# lsb_release may not be given in all installations
|
||||||
codename_os_release() {
|
codename_os_release() {
|
||||||
# shellcheck disable=SC1090
|
# shellcheck disable=SC1090
|
||||||
|
# shellcheck disable=SC1091
|
||||||
. "$__global/explorer/os_release"
|
. "$__global/explorer/os_release"
|
||||||
printf "%s" "$VERSION_CODENAME"
|
printf "%s" "$VERSION_CODENAME"
|
||||||
}
|
}
|
||||||
|
|
|
@ -27,18 +27,25 @@ else
|
||||||
keyid="$__object_id"
|
keyid="$__object_id"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# From apt-key(8):
|
||||||
|
# Use of apt-key is deprecated, except for the use of apt-key del in
|
||||||
|
# maintainer scripts to remove existing keys from the main keyring.
|
||||||
|
# If such usage of apt-key is desired the additional installation of
|
||||||
|
# the GNU Privacy Guard suite (packaged in gnupg) is required.
|
||||||
|
if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
|
||||||
|
if apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK"
|
||||||
|
then echo present
|
||||||
|
else echo absent
|
||||||
|
fi
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
keydir="$(cat "$__object/parameter/keydir")"
|
keydir="$(cat "$__object/parameter/keydir")"
|
||||||
keyfile="$keydir/$__object_id.gpg"
|
keyfile="$keydir/$__object_id.gpg"
|
||||||
|
|
||||||
if [ -d "$keydir" ]
|
if [ -f "$keyfile" ]
|
||||||
then
|
then
|
||||||
if [ -f "$keyfile" ]
|
echo present
|
||||||
then echo present
|
exit
|
||||||
else echo absent
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
# fallback to deprecated apt-key
|
|
||||||
apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
|
|
||||||
&& echo present \
|
|
||||||
|| echo absent
|
|
||||||
fi
|
fi
|
||||||
|
echo absent
|
||||||
|
|
|
@ -25,11 +25,7 @@ else
|
||||||
fi
|
fi
|
||||||
state_should="$(cat "$__object/parameter/state")"
|
state_should="$(cat "$__object/parameter/state")"
|
||||||
state_is="$(cat "$__object/explorer/state")"
|
state_is="$(cat "$__object/explorer/state")"
|
||||||
|
method="$(cat "$__object/key_method")"
|
||||||
if [ "$state_should" = "$state_is" ]; then
|
|
||||||
# nothing to do
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
keydir="$(cat "$__object/parameter/keydir")"
|
keydir="$(cat "$__object/parameter/keydir")"
|
||||||
keyfile="$keydir/$__object_id.gpg"
|
keyfile="$keydir/$__object_id.gpg"
|
||||||
|
@ -37,30 +33,18 @@ keyfile="$keydir/$__object_id.gpg"
|
||||||
case "$state_should" in
|
case "$state_should" in
|
||||||
present)
|
present)
|
||||||
keyserver="$(cat "$__object/parameter/keyserver")"
|
keyserver="$(cat "$__object/parameter/keyserver")"
|
||||||
|
# Using __download or __file as key source
|
||||||
if [ -f "$__object/parameter/uri" ]; then
|
# Propagate messages if needed
|
||||||
uri="$(cat "$__object/parameter/uri")"
|
if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
|
||||||
|
if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
|
||||||
if [ -d "$keydir" ]; then
|
echo "added '$keyid'" >> "$__messages_out"
|
||||||
cat << EOF
|
|
||||||
|
|
||||||
curl -s -L \\
|
|
||||||
-o "$keyfile" \\
|
|
||||||
"$uri"
|
|
||||||
|
|
||||||
key="\$( cat "$keyfile" )"
|
|
||||||
|
|
||||||
if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
|
|
||||||
then
|
|
||||||
echo "\$key" | gpg --dearmor > "$keyfile"
|
|
||||||
fi
|
|
||||||
|
|
||||||
EOF
|
|
||||||
else
|
|
||||||
# fallback to deprecated apt-key
|
|
||||||
echo "curl -s -L '$uri' | apt-key add -"
|
|
||||||
fi
|
fi
|
||||||
elif [ -d "$keydir" ]; then
|
exit 0
|
||||||
|
elif [ "${state_is}" = "present" ]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
# Using key servers to fetch the key
|
||||||
|
if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
|
||||||
# we need to kill gpg after 30 seconds, because gpg
|
# we need to kill gpg after 30 seconds, because gpg
|
||||||
# can get stuck if keyserver is not responding.
|
# can get stuck if keyserver is not responding.
|
||||||
# exporting env var and not exit 1,
|
# exporting env var and not exit 1,
|
||||||
|
@ -100,13 +84,16 @@ EOF
|
||||||
echo "added '$keyid'" >> "$__messages_out"
|
echo "added '$keyid'" >> "$__messages_out"
|
||||||
;;
|
;;
|
||||||
absent)
|
absent)
|
||||||
if [ -f "$keyfile" ]; then
|
# Removal for keys added from a keyserver without this flag
|
||||||
echo "rm '$keyfile'"
|
# is done in the manifest
|
||||||
else
|
if [ "$state_is" != "absent" ] && \
|
||||||
|
[ -f "$__object/parameter/use-deprecated-apt-key" ]; then
|
||||||
# fallback to deprecated apt-key
|
# fallback to deprecated apt-key
|
||||||
echo "apt-key del \"$keyid\""
|
echo "apt-key del \"$keyid\""
|
||||||
|
echo "removed '$keyid'" >> "$__messages_out"
|
||||||
|
# Propagate messages if needed
|
||||||
|
elif grep -Eq "^__file$keyfile" "$__messages_in"; then
|
||||||
|
echo "removed '$keyid'" >> "$__messages_out"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "removed '$keyid'" >> "$__messages_out"
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
|
@ -10,6 +10,14 @@ DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
Manages the list of keys used by apt to authenticate packages.
|
Manages the list of keys used by apt to authenticate packages.
|
||||||
|
|
||||||
|
This is done by placing the requested key in a file named
|
||||||
|
``$__object_id.gpg`` in the ``keydir`` directory.
|
||||||
|
|
||||||
|
This is supported by modern releases of Debian-based distributions.
|
||||||
|
|
||||||
|
In order of preference, exactly one of: ``source``, ``uri`` or ``keyid``
|
||||||
|
must be specified.
|
||||||
|
|
||||||
|
|
||||||
REQUIRED PARAMETERS
|
REQUIRED PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
|
@ -18,21 +26,49 @@ None.
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
OPTIONAL PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
|
keydir
|
||||||
|
keyring directory, defaults to ``/etc/apt/trusted.pgp.d``, which is
|
||||||
|
enabled system-wide by default.
|
||||||
|
|
||||||
|
source
|
||||||
|
path to a file containing the GPG key of the repository.
|
||||||
|
Using this is recommended as it ensures that the manifest/type manintainer
|
||||||
|
has validated the key.
|
||||||
|
If ``-``, the GPG key is read from the type's stdin.
|
||||||
|
|
||||||
state
|
state
|
||||||
'present' or 'absent'. Defaults to 'present'
|
'present' or 'absent'. Defaults to 'present'
|
||||||
|
|
||||||
|
uri
|
||||||
|
the URI from which to download the key.
|
||||||
|
It is highly recommended that you only use protocols with TLS like HTTPS.
|
||||||
|
This uses ``__download`` but does not use checksums, if you want to ensure
|
||||||
|
that the key doesn't change, you are better off downloading it and using
|
||||||
|
``--source``.
|
||||||
|
|
||||||
|
|
||||||
|
DEPRECATED OPTIONAL PARAMETERS
|
||||||
|
------------------------------
|
||||||
keyid
|
keyid
|
||||||
the id of the key to add. Defaults to __object_id
|
the id of the key to download from the ``keyserver``.
|
||||||
|
This is to be used in absence of ``--source`` and ``--uri`` or together
|
||||||
|
with ``--use-deprecated-apt-key`` for key removal.
|
||||||
|
Defaults to ``$__object_id``.
|
||||||
|
|
||||||
keyserver
|
keyserver
|
||||||
the keyserver from which to fetch the key. If omitted the default set
|
the keyserver from which to fetch the key.
|
||||||
in ./parameter/default/keyserver is used.
|
Defaults to ``pool.sks-keyservers.net``.
|
||||||
|
|
||||||
keydir
|
|
||||||
key save location, defaults to ``/etc/apt/trusted.pgp.d``
|
|
||||||
|
|
||||||
uri
|
DEPRECATED BOOLEAN PARAMETERS
|
||||||
the URI from which to download the key
|
-----------------------------
|
||||||
|
use-deprecated-apt-key
|
||||||
|
``apt-key(8)`` will last be available in Debian 11 and Ubuntu 22.04.
|
||||||
|
You can use this parameter to force usage of ``apt-key(8)``.
|
||||||
|
Please only use this parameter to *remove* keys from the keyring,
|
||||||
|
in order to prepare for removal of ``apt-key``.
|
||||||
|
Adding keys should be done without this parameter.
|
||||||
|
This parameter will be removed when Debian 11 stops being supported.
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
|
@ -40,33 +76,39 @@ EXAMPLES
|
||||||
|
|
||||||
.. code-block:: sh
|
.. code-block:: sh
|
||||||
|
|
||||||
# Add Ubuntu Archive Automatic Signing Key
|
# add a key that has been verified by a type maintainer
|
||||||
__apt_key 437D05B5
|
__apt_key jitsi_meet_2021 \
|
||||||
# Same thing
|
--source cdist-contrib/type/__jitsi_meet/files/apt_2021.gpg
|
||||||
__apt_key 437D05B5 --state present
|
|
||||||
# Get rid of it
|
|
||||||
__apt_key 437D05B5 --state absent
|
|
||||||
|
|
||||||
# same thing with human readable name and explicit keyid
|
# remove an old, deprecated or expired key
|
||||||
__apt_key UbuntuArchiveKey --keyid 437D05B5
|
__apt_key jitsi_meet_2016 --state absent
|
||||||
|
|
||||||
# same thing with other keyserver
|
# Get rid of a key that might have been added to
|
||||||
__apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
|
# /etc/apt/trusted.gpg with apt-key
|
||||||
|
__apt_key 0x40976EAF437D05B5 --use-deprecated-apt-key --state absent
|
||||||
|
|
||||||
# download key from the internet
|
# add a key that we define in-line
|
||||||
__apt_key rabbitmq \
|
__apt_key jitsi_meet_2021 --source '-' <<EOF
|
||||||
--uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
[...]
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
EOF
|
||||||
|
|
||||||
|
# download or update key from the internet
|
||||||
|
__apt_key rabbitmq_2007 \
|
||||||
|
--uri https://www.rabbitmq.com/rabbitmq-signing-key-public.asc
|
||||||
|
|
||||||
|
|
||||||
AUTHORS
|
AUTHORS
|
||||||
-------
|
-------
|
||||||
Steven Armstrong <steven-cdist--@--armstrong.cc>
|
Steven Armstrong <steven-cdist--@--armstrong.cc>
|
||||||
Ander Punnar <ander-at-kvlt-dot-ee>
|
Ander Punnar <ander-at-kvlt-dot-ee>
|
||||||
|
Evilham <contact~~@~~evilham.com>
|
||||||
|
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
|
Copyright \(C) 2011-2021 Steven Armstrong, Ander Punnar and Evilham. You can
|
||||||
redistribute it and/or modify it under the terms of the GNU General Public
|
redistribute it and/or modify it under the terms of the GNU General Public
|
||||||
License as published by the Free Software Foundation, either version 3 of the
|
License as published by the Free Software Foundation, either version 3 of the
|
||||||
License, or (at your option) any later version.
|
License, or (at your option) any later version.
|
||||||
|
|
|
@ -2,7 +2,105 @@
|
||||||
|
|
||||||
__package gnupg
|
__package gnupg
|
||||||
|
|
||||||
if [ -f "$__object/parameter/uri" ]
|
state_should="$(cat "${__object}/parameter/state")"
|
||||||
then __package curl
|
|
||||||
else __package dirmngr
|
incompatible_args()
|
||||||
|
{
|
||||||
|
cat >> /dev/stderr <<-EOF
|
||||||
|
This type does not support --${1} and --${method} simultaneously.
|
||||||
|
EOF
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
if [ -f "${__object}/parameter/source" ]; then
|
||||||
|
method="source"
|
||||||
|
src="$(cat "${__object}/parameter/source")"
|
||||||
|
if [ "${src}" = "-" ]; then
|
||||||
|
src="${__object}/stdin"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ -f "${__object}/parameter/uri" ]; then
|
||||||
|
if [ -n "${method}" ]; then
|
||||||
|
incompatible_args uri
|
||||||
|
fi
|
||||||
|
method="uri"
|
||||||
|
src="$(cat "${__object}/parameter/uri")"
|
||||||
|
fi
|
||||||
|
if [ -f "${__object}/parameter/keyid" ]; then
|
||||||
|
if [ -n "${method}" ]; then
|
||||||
|
incompatible_args keyid
|
||||||
|
fi
|
||||||
|
method="keyid"
|
||||||
|
fi
|
||||||
|
# Keep old default
|
||||||
|
if [ -z "${method}" ]; then
|
||||||
|
method="keyid"
|
||||||
|
fi
|
||||||
|
# Save this for later in gencode-remote
|
||||||
|
echo "${method}" > "${__object}/key_method"
|
||||||
|
|
||||||
|
# Required remotely (most likely already installed)
|
||||||
|
__package dirmngr
|
||||||
|
# We need this in case a key has to be dearmor'd
|
||||||
|
__package gnupg
|
||||||
|
export require="__package/gnupg"
|
||||||
|
|
||||||
|
if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
|
||||||
|
# This is required if apt-key(8) is to be used
|
||||||
|
if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
|
||||||
|
incompatible_args use-deprecated-apt-key
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ "${state_should}" = "absent" ] && \
|
||||||
|
[ -f "${__object}/parameter/keyid" ]; then
|
||||||
|
cat >> /dev/stderr <<EOF
|
||||||
|
You can't reliably remove by keyid without --use-deprecated-apt-key.
|
||||||
|
This would very likely do something you do not intend.
|
||||||
|
EOF
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
keydir="$(cat "${__object}/parameter/keydir")"
|
||||||
|
keyfile="${keydir}/${__object_id}.gpg"
|
||||||
|
keyfilecdist="${keyfile}.cdist"
|
||||||
|
if [ "${state_should}" != "absent" ]; then
|
||||||
|
# Ensure keydir exists
|
||||||
|
__directory "${keydir}" --state exists --mode 0755
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${state_should}" = "absent" ]; then
|
||||||
|
__file "${keyfile}" --state "absent"
|
||||||
|
__file "${keyfilecdist}" --state "absent"
|
||||||
|
elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
|
||||||
|
dearmor="$(cat <<-EOF
|
||||||
|
if [ '${state_should}' = 'present' ]; then
|
||||||
|
# Dearmor if necessary
|
||||||
|
if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
|
||||||
|
gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
|
||||||
|
else
|
||||||
|
cp '${keyfilecdist}' '${keyfile}'
|
||||||
|
fi
|
||||||
|
# Ensure permissions
|
||||||
|
chown root '${keyfile}'
|
||||||
|
chmod 0444 '${keyfile}'
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
)"
|
||||||
|
|
||||||
|
if [ "${method}" = "uri" ]; then
|
||||||
|
__download "${keyfilecdist}" \
|
||||||
|
--url "${src}" \
|
||||||
|
--onchange "${dearmor}"
|
||||||
|
require="__download${keyfilecdist}" \
|
||||||
|
__file "${keyfile}" \
|
||||||
|
--owner root \
|
||||||
|
--mode 0444 \
|
||||||
|
--state pre-exists
|
||||||
|
else
|
||||||
|
__file "${keyfilecdist}" --state "${state_should}" \
|
||||||
|
--mode 0444 \
|
||||||
|
--source "${src}" \
|
||||||
|
--onchange "${dearmor}"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
use-deprecated-apt-key
|
|
@ -0,0 +1,3 @@
|
||||||
|
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
|
||||||
|
Use this flag *only* to migrate to placing a keyring directly in the
|
||||||
|
/etc/apt/trusted.gpg.d/ directory with a descriptive name.
|
|
@ -1,5 +1,6 @@
|
||||||
state
|
keydir
|
||||||
keyid
|
keyid
|
||||||
keyserver
|
keyserver
|
||||||
keydir
|
source
|
||||||
|
state
|
||||||
uri
|
uri
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
Please migrate to using __apt_key key_id --uri URI.
|
|
@ -0,0 +1,79 @@
|
||||||
|
cdist-type__apt_pin(7)
|
||||||
|
======================
|
||||||
|
|
||||||
|
NAME
|
||||||
|
----
|
||||||
|
cdist-type__apt_pin - Manage apt pinning rules
|
||||||
|
|
||||||
|
|
||||||
|
DESCRIPTION
|
||||||
|
-----------
|
||||||
|
Adds/removes/edits rules to pin some packages to a specific distribution. Useful if using multiple debian repositories at the same time. (Useful, if one wants to use a few specific packages from backports or perhaps Debain testing... or even sid.)
|
||||||
|
|
||||||
|
|
||||||
|
REQUIRED PARAMETERS
|
||||||
|
-------------------
|
||||||
|
distribution
|
||||||
|
Specifies what distribution the package should be pinned to. Accepts both codenames (buster/bullseye/sid) and suite names (stable/testing/...).
|
||||||
|
|
||||||
|
|
||||||
|
OPTIONAL PARAMETERS
|
||||||
|
-------------------
|
||||||
|
package
|
||||||
|
Package name, glob or regular expression to match (multiple) packages. If not specified `__object_id` is used.
|
||||||
|
|
||||||
|
priority
|
||||||
|
The priority value to assign to matching packages. Deafults to 500. (To match the default target distro's priority)
|
||||||
|
|
||||||
|
state
|
||||||
|
Will be passed to underlying `__file` type; see there for valid values and defaults.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
BOOLEAN PARAMETERS
|
||||||
|
------------------
|
||||||
|
None.
|
||||||
|
|
||||||
|
|
||||||
|
EXAMPLES
|
||||||
|
--------
|
||||||
|
|
||||||
|
.. code-block:: sh
|
||||||
|
|
||||||
|
# Add the bullseye repo to buster, but do not install any packages by default,
|
||||||
|
# only if explicitely asked for (-1 means "never" for apt)
|
||||||
|
__apt_pin bullseye-default \
|
||||||
|
--package "*" \
|
||||||
|
--distribution bullseye \
|
||||||
|
--priority -1
|
||||||
|
|
||||||
|
require="__apt_pin/bullseye-default" __apt_source bullseye \
|
||||||
|
--uri http://deb.debian.org/debian/ \
|
||||||
|
--distribution bullseye \
|
||||||
|
--component main
|
||||||
|
|
||||||
|
__apt_pin foo --package "foo foo-*" --distribution bullseye
|
||||||
|
|
||||||
|
__foo # Assuming, this installs the `foo` package internally
|
||||||
|
|
||||||
|
__package foo-plugin-extras # Assuming we also need some extra stuff
|
||||||
|
|
||||||
|
|
||||||
|
SEE ALSO
|
||||||
|
--------
|
||||||
|
:strong:`apt_preferences`\ (5)
|
||||||
|
:strong:`cdist-type__apt_source`\ (7)
|
||||||
|
:strong:`cdist-type__apt_backports`\ (7)
|
||||||
|
:strong:`cdist-type__file`\ (7)
|
||||||
|
|
||||||
|
AUTHORS
|
||||||
|
-------
|
||||||
|
Daniel Fancsali <fancsali@gmail.com>
|
||||||
|
|
||||||
|
|
||||||
|
COPYING
|
||||||
|
-------
|
||||||
|
Copyright \(C) 2021 Daniel Fancsali. You can redistribute it
|
||||||
|
and/or modify it under the terms of the GNU General Public License as
|
||||||
|
published by the Free Software Foundation, either version 3 of the
|
||||||
|
License, or (at your option) any later version.
|
|
@ -0,0 +1,68 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
#
|
||||||
|
# 2021 Daniel Fancsali (fancsali@gmail.com)
|
||||||
|
#
|
||||||
|
# This file is part of cdist.
|
||||||
|
#
|
||||||
|
# cdist is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# cdist is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
name="$__object_id"
|
||||||
|
|
||||||
|
os=$(cat "$__global/explorer/os")
|
||||||
|
state="$(cat "$__object/parameter/state")"
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/package" ]; then
|
||||||
|
package="$(cat "$__object/parameter/package")"
|
||||||
|
else
|
||||||
|
package=$name
|
||||||
|
fi
|
||||||
|
|
||||||
|
distribution="$(cat "$__object/parameter/distribution")"
|
||||||
|
priority="$(cat "$__object/parameter/priority")"
|
||||||
|
|
||||||
|
|
||||||
|
case "$os" in
|
||||||
|
debian|ubuntu|devuan)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
printf "This type is specific to Debian and it's derivatives" >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
case $distribution in
|
||||||
|
stable|testing|unstable|experimental)
|
||||||
|
pin="release a=$distribution"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
pin="release n=$distribution"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
|
||||||
|
__file "/etc/apt/preferences.d/$name" \
|
||||||
|
--owner root --group root --mode 0644 \
|
||||||
|
--state "$state" \
|
||||||
|
--source - << EOF
|
||||||
|
# Created by cdist ${__type##*/}
|
||||||
|
# Do not change. Changes will be overwritten.
|
||||||
|
#
|
||||||
|
|
||||||
|
# $name
|
||||||
|
Package: $package
|
||||||
|
Pin: $pin
|
||||||
|
Pin-Priority: $priority
|
||||||
|
EOF
|
|
@ -0,0 +1 @@
|
||||||
|
500
|
|
@ -0,0 +1 @@
|
||||||
|
present
|
|
@ -0,0 +1,3 @@
|
||||||
|
state
|
||||||
|
package
|
||||||
|
priority
|
|
@ -0,0 +1 @@
|
||||||
|
distribution
|
|
@ -1,55 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
#
|
|
||||||
# Remove the given apt repository.
|
|
||||||
#
|
|
||||||
# Exit with:
|
|
||||||
# 0: if it worked
|
|
||||||
# 1: if not
|
|
||||||
# 2: on other error
|
|
||||||
|
|
||||||
import os
|
|
||||||
import sys
|
|
||||||
from aptsources import distro, sourceslist
|
|
||||||
from softwareproperties import ppa
|
|
||||||
from softwareproperties.SoftwareProperties import SoftwareProperties
|
|
||||||
|
|
||||||
|
|
||||||
def remove_if_empty(file_name):
|
|
||||||
with open(file_name, 'r') as f:
|
|
||||||
if f.read().strip():
|
|
||||||
return
|
|
||||||
os.unlink(file_name)
|
|
||||||
|
|
||||||
def remove_repository(repository):
|
|
||||||
#print 'repository:', repository
|
|
||||||
codename = distro.get_distro().codename
|
|
||||||
#print 'codename:', codename
|
|
||||||
(line, file) = ppa.expand_ppa_line(repository.strip(), codename)
|
|
||||||
#print 'line:', line
|
|
||||||
#print 'file:', file
|
|
||||||
deb_source_entry = sourceslist.SourceEntry(line, file)
|
|
||||||
src_source_entry = sourceslist.SourceEntry('deb-src{}'.format(line[3:]), file)
|
|
||||||
|
|
||||||
try:
|
|
||||||
sp = SoftwareProperties()
|
|
||||||
sp.remove_source(deb_source_entry)
|
|
||||||
try:
|
|
||||||
# If there's a deb-src entry, remove that too
|
|
||||||
sp.remove_source(src_source_entry)
|
|
||||||
except:
|
|
||||||
pass
|
|
||||||
remove_if_empty(file)
|
|
||||||
return True
|
|
||||||
except ValueError:
|
|
||||||
print >> sys.stderr, "Error: '%s' doesn't exists in a sourcelist file" % line
|
|
||||||
return False
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
if (len(sys.argv) != 2):
|
|
||||||
print >> sys.stderr, 'Error: need a repository as argument'
|
|
||||||
sys.exit(2)
|
|
||||||
repository = sys.argv[1]
|
|
||||||
if remove_repository(repository):
|
|
||||||
sys.exit(0)
|
|
||||||
else:
|
|
||||||
sys.exit(1)
|
|
|
@ -29,9 +29,9 @@ fi
|
||||||
|
|
||||||
case "$state_should" in
|
case "$state_should" in
|
||||||
present)
|
present)
|
||||||
echo "add-apt-repository '$name'"
|
echo "add-apt-repository -y '$name'"
|
||||||
;;
|
;;
|
||||||
absent)
|
absent)
|
||||||
echo "remove-apt-repository '$name'"
|
echo "add-apt-repository -r -y '$name'"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
|
@ -20,9 +20,4 @@
|
||||||
|
|
||||||
__package software-properties-common
|
__package software-properties-common
|
||||||
|
|
||||||
require="__package/software-properties-common" \
|
|
||||||
__file /usr/local/bin/remove-apt-repository \
|
|
||||||
--source "$__type/files/remove-apt-repository" \
|
|
||||||
--mode 0755
|
|
||||||
|
|
||||||
require="$__object_name" __apt_update_index
|
require="$__object_name" __apt_update_index
|
||||||
|
|
|
@ -2,13 +2,14 @@
|
||||||
set -u
|
set -u
|
||||||
|
|
||||||
entry="$uri $distribution $component"
|
entry="$uri $distribution $component"
|
||||||
|
|
||||||
cat << DONE
|
cat << DONE
|
||||||
# Created by cdist ${__type##*/}
|
# Created by cdist ${__type##*/}
|
||||||
# Do not change. Changes will be overwritten.
|
# Do not change. Changes will be overwritten.
|
||||||
#
|
#
|
||||||
|
|
||||||
# $name
|
# $name
|
||||||
deb ${forcedarch} $entry
|
deb ${options} $entry
|
||||||
DONE
|
DONE
|
||||||
if [ -f "$__object/parameter/include-src" ]; then
|
if [ -f "$__object/parameter/include-src" ]; then
|
||||||
echo "deb-src $entry"
|
echo "deb-src $entry"
|
||||||
|
|
|
@ -22,7 +22,21 @@
|
||||||
name="$__object_id"
|
name="$__object_id"
|
||||||
destination="/etc/apt/sources.list.d/${name}.list"
|
destination="/etc/apt/sources.list.d/${name}.list"
|
||||||
|
|
||||||
|
# There are special arguments to apt(8) to prevent aborts if apt woudn't been
|
||||||
|
# updated after the 19th April 2021 till the bullseye release. The additional
|
||||||
|
# arguments acknoledge the happend suite change (the apt(8) update does the
|
||||||
|
# same by itself).
|
||||||
|
#
|
||||||
|
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
|
||||||
|
# allows backward compatablility to pre-buster Debian versions.
|
||||||
|
#
|
||||||
|
# See more: ticket #861
|
||||||
|
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
|
||||||
|
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
|
||||||
|
|
||||||
|
# run 'apt-get update' only if something changed with our sources.list file
|
||||||
|
# it will be run a second time on error as a redundancy messure to success
|
||||||
if grep -q "^__file${destination}" "$__messages_in"; then
|
if grep -q "^__file${destination}" "$__messages_in"; then
|
||||||
printf 'apt-get update || apt-get update\n'
|
printf 'apt-get %s update || apt-get %s update\n' "$apt_opts" "$apt_opts"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
@ -23,6 +23,9 @@ OPTIONAL PARAMETERS
|
||||||
arch
|
arch
|
||||||
set this if you need to force and specific arch (ubuntu specific)
|
set this if you need to force and specific arch (ubuntu specific)
|
||||||
|
|
||||||
|
signed-by
|
||||||
|
provide a GPG key fingerprint or keyring path for signature checks
|
||||||
|
|
||||||
state
|
state
|
||||||
'present' or 'absent', defaults to 'present'
|
'present' or 'absent', defaults to 'present'
|
||||||
|
|
||||||
|
@ -56,6 +59,11 @@ EXAMPLES
|
||||||
--uri http://archive.canonical.com/ \
|
--uri http://archive.canonical.com/ \
|
||||||
--component partner --state present
|
--component partner --state present
|
||||||
|
|
||||||
|
__apt_source goaccess \
|
||||||
|
--uri http://deb.goaccess.io/ \
|
||||||
|
--component main \
|
||||||
|
--signed-by C03B48887D5E56B046715D3297BD1A0133449C3D
|
||||||
|
|
||||||
|
|
||||||
AUTHORS
|
AUTHORS
|
||||||
-------
|
-------
|
||||||
|
|
|
@ -31,9 +31,15 @@ fi
|
||||||
component="$(cat "$__object/parameter/component")"
|
component="$(cat "$__object/parameter/component")"
|
||||||
|
|
||||||
if [ -f "$__object/parameter/arch" ]; then
|
if [ -f "$__object/parameter/arch" ]; then
|
||||||
forcedarch="[arch=$(cat "$__object/parameter/arch")]"
|
options="arch=$(cat "$__object/parameter/arch")"
|
||||||
else
|
fi
|
||||||
forcedarch=""
|
|
||||||
|
if [ -f "$__object/parameter/signed-by" ]; then
|
||||||
|
options="$options signed-by=$(cat "$__object/parameter/signed-by")"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$options" ]; then
|
||||||
|
options="[$options]"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# export variables for use in template
|
# export variables for use in template
|
||||||
|
@ -41,7 +47,7 @@ export name
|
||||||
export uri
|
export uri
|
||||||
export distribution
|
export distribution
|
||||||
export component
|
export component
|
||||||
export forcedarch
|
export options
|
||||||
|
|
||||||
# generate file from template
|
# generate file from template
|
||||||
mkdir "$__object/files"
|
mkdir "$__object/files"
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
state
|
state
|
||||||
distribution
|
distribution
|
||||||
component
|
component
|
||||||
arch
|
arch
|
||||||
|
signed-by
|
||||||
|
|
|
@ -18,9 +18,23 @@
|
||||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
|
# There are special arguments to apt(8) to prevent aborts if apt woudn't been
|
||||||
|
# updated after the 19th April 2021 till the bullseye release. The additional
|
||||||
|
# arguments acknoledge the happend suite change (the apt(8) update does the
|
||||||
|
# same by itself).
|
||||||
|
#
|
||||||
|
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
|
||||||
|
# allows backward compatablility to pre-buster Debian versions.
|
||||||
|
#
|
||||||
|
# See more: ticket #861
|
||||||
|
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
|
||||||
|
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
|
||||||
|
|
||||||
# run 'apt-get update' if anything in /etc/apt is newer then /var/lib/apt/lists
|
# run 'apt-get update' if anything in /etc/apt is newer then /var/lib/apt/lists
|
||||||
|
# it will be run a second time on error as a redundancy messure to success
|
||||||
cat << DONE
|
cat << DONE
|
||||||
if find /etc/apt -mindepth 1 -cnewer /var/lib/apt/lists | grep . > /dev/null; then
|
if find /etc/apt -mindepth 1 -cnewer /var/lib/apt/lists | grep . > /dev/null; then
|
||||||
apt-get update || apt-get update
|
apt-get $apt_opts update || apt-get $apt_opts update
|
||||||
fi
|
fi
|
||||||
DONE
|
DONE
|
||||||
|
|
|
@ -0,0 +1,142 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
#
|
||||||
|
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
|
||||||
|
#
|
||||||
|
# This file is part of cdist.
|
||||||
|
#
|
||||||
|
# cdist is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# cdist is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
# Determine current debconf selections' state.
|
||||||
|
# Prints one of:
|
||||||
|
# present: all selections are already set as they should.
|
||||||
|
# different: one or more of the selections have a different value.
|
||||||
|
# absent: one or more of the selections are not (currently) defined.
|
||||||
|
#
|
||||||
|
|
||||||
|
test -x /usr/bin/perl || {
|
||||||
|
# cannot find perl (no perl ~ no debconf)
|
||||||
|
echo 'absent'
|
||||||
|
exit 0
|
||||||
|
}
|
||||||
|
|
||||||
|
linesfile="${__object:?}/parameter/line"
|
||||||
|
test -s "${linesfile}" || {
|
||||||
|
if test -s "${__object:?}/parameter/file"
|
||||||
|
then
|
||||||
|
echo absent
|
||||||
|
else
|
||||||
|
echo present
|
||||||
|
fi
|
||||||
|
exit 0
|
||||||
|
}
|
||||||
|
|
||||||
|
# assert __type_explorer is set (because it is used by the Perl script)
|
||||||
|
: "${__type_explorer:?}"
|
||||||
|
|
||||||
|
/usr/bin/perl -- - "${linesfile}" <<'EOF'
|
||||||
|
use strict;
|
||||||
|
use warnings "all";
|
||||||
|
|
||||||
|
use Fcntl qw(:DEFAULT :flock);
|
||||||
|
|
||||||
|
use Debconf::Db;
|
||||||
|
use Debconf::Question;
|
||||||
|
|
||||||
|
# Extract @known... arrays from debconf-set-selections
|
||||||
|
# These values are required to distinguish flags and values in the given lines.
|
||||||
|
# DC: I couldn't think of a more ugly solution to the problem…
|
||||||
|
my @knownflags;
|
||||||
|
my @knowntypes;
|
||||||
|
my $debconf_set_selections = '/usr/bin/debconf-set-selections';
|
||||||
|
if (-e $debconf_set_selections) {
|
||||||
|
my $sed_known = 's/^my \(@known\(flags\|types\) = qw([a-z ]*);\).*$/\1/p';
|
||||||
|
eval `sed -n '$sed_known' '$debconf_set_selections'`;
|
||||||
|
}
|
||||||
|
|
||||||
|
sub mungeline ($) {
|
||||||
|
my $line = shift;
|
||||||
|
chomp $line;
|
||||||
|
$line =~ s/\r$//;
|
||||||
|
return $line;
|
||||||
|
}
|
||||||
|
|
||||||
|
sub fatal { printf STDERR @_; exit 1; }
|
||||||
|
|
||||||
|
my $state = 'present';
|
||||||
|
|
||||||
|
sub state {
|
||||||
|
my $new = shift;
|
||||||
|
if ($state eq 'present'
|
||||||
|
or ($state eq 'different' and $new eq 'absent')) {
|
||||||
|
$state = $new;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Load Debconf DB but manually lock on the state explorer script,
|
||||||
|
# because Debconf aborts immediately if executed concurrently.
|
||||||
|
# This is not really an ideal solution because the Debconf DB could be locked by
|
||||||
|
# another process (e.g. apt-get), but no way to achieve this could be found.
|
||||||
|
# If you know how to, please provide a patch.
|
||||||
|
my $lockfile = "%ENV{'__type_explorer'}/state";
|
||||||
|
if (open my $lock_fh, '+<', $lockfile) {
|
||||||
|
flock $lock_fh, LOCK_EX or die "Cannot lock $lockfile";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Debconf::Db->load(readonly => 'true');
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
while (<>) {
|
||||||
|
# Read and process lines (taken from debconf-set-selections)
|
||||||
|
$_ = mungeline($_);
|
||||||
|
while (/\\$/ && ! eof) {
|
||||||
|
s/\\$//;
|
||||||
|
$_ .= mungeline(<>);
|
||||||
|
}
|
||||||
|
next if /^\s*$/ || /^\s*\#/;
|
||||||
|
|
||||||
|
my ($owner, $label, $type, $content) = /^\s*(\S+)\s+(\S+)\s+(\S+)(?:\s(.*))?/
|
||||||
|
or fatal "invalid line: %s\n", $_;
|
||||||
|
$content = '' unless defined $content;
|
||||||
|
|
||||||
|
|
||||||
|
# Compare is and should state
|
||||||
|
my $q = Debconf::Question->get($label);
|
||||||
|
|
||||||
|
unless (defined $q) {
|
||||||
|
# probably a preseed
|
||||||
|
state 'absent';
|
||||||
|
next;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (grep { $_ eq $q->type } @knownflags) {
|
||||||
|
# This line wants to set a flag, presumably.
|
||||||
|
if ($q->flag($q->type) ne $content) {
|
||||||
|
state 'different';
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
# Otherwise, it's probably a value…
|
||||||
|
if ($q->value ne $content) {
|
||||||
|
state 'different';
|
||||||
|
}
|
||||||
|
|
||||||
|
unless (grep { $_ eq $owner } (split /, /, $q->owners)) {
|
||||||
|
state 'different';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
printf "%s\n", $state;
|
||||||
|
EOF
|
|
@ -1,6 +1,7 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
#
|
#
|
||||||
# 2011-2014 Nico Schottelius (nico-cdist at schottelius.org)
|
# 2011-2014 Nico Schottelius (nico-cdist at schottelius.org)
|
||||||
|
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
|
||||||
#
|
#
|
||||||
# This file is part of cdist.
|
# This file is part of cdist.
|
||||||
#
|
#
|
||||||
|
@ -17,16 +18,37 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
#
|
|
||||||
# Setup selections
|
|
||||||
#
|
|
||||||
|
|
||||||
filename="$(cat "$__object/parameter/file")"
|
if test -f "${__object:?}/parameter/line"
|
||||||
|
then
|
||||||
if [ "$filename" = "-" ]; then
|
filename="${__object:?}/parameter/line"
|
||||||
filename="$__object/stdin"
|
elif test -s "${__object:?}/parameter/file"
|
||||||
|
then
|
||||||
|
filename=$(cat "${__object:?}/parameter/file")
|
||||||
|
if test "${filename}" = '-'
|
||||||
|
then
|
||||||
|
filename="${__object:?}/stdin"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
printf 'Neither --line nor --file set.\n' >&2
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "debconf-set-selections << __file-eof"
|
# setting no lines makes no sense
|
||||||
cat "$filename"
|
test -s "${filename}" || exit 0
|
||||||
echo "__file-eof"
|
|
||||||
|
state_is=$(cat "${__object:?}/explorer/state")
|
||||||
|
|
||||||
|
if test "${state_is}" != 'present'
|
||||||
|
then
|
||||||
|
cat <<-CODE
|
||||||
|
debconf-set-selections <<'EOF'
|
||||||
|
$(cat "${filename}")
|
||||||
|
EOF
|
||||||
|
CODE
|
||||||
|
|
||||||
|
awk '
|
||||||
|
{
|
||||||
|
printf "set %s %s %s %s\n", $1, $2, $3, $4
|
||||||
|
}' "${filename}" >>"${__messages_out:?}"
|
||||||
|
fi
|
||||||
|
|
|
@ -8,15 +8,33 @@ cdist-type__debconf_set_selections - Setup debconf selections
|
||||||
|
|
||||||
DESCRIPTION
|
DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
On Debian and alike systems debconf-set-selections(1) can be used
|
On Debian and alike systems :strong:`debconf-set-selections`\ (1) can be used
|
||||||
to setup configuration parameters.
|
to setup configuration parameters.
|
||||||
|
|
||||||
|
|
||||||
REQUIRED PARAMETERS
|
REQUIRED PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
|
cf. ``--line``.
|
||||||
|
|
||||||
|
|
||||||
|
OPTIONAL PARAMETERS
|
||||||
|
-------------------
|
||||||
file
|
file
|
||||||
Use the given filename as input for debconf-set-selections(1)
|
Use the given filename as input for :strong:`debconf-set-selections`\ (1)
|
||||||
If filename is "-", read from stdin.
|
If filename is ``-``, read from stdin.
|
||||||
|
|
||||||
|
**This parameter is deprecated, because it doesn't work with state detection.**
|
||||||
|
line
|
||||||
|
A line in :strong:`debconf-set-selections`\ (1) compatible format.
|
||||||
|
This parameter can be used multiple times to set multiple options.
|
||||||
|
|
||||||
|
(This parameter is actually required, but marked optional because the
|
||||||
|
deprecated ``--file`` is still accepted.)
|
||||||
|
|
||||||
|
|
||||||
|
BOOLEAN PARAMETERS
|
||||||
|
------------------
|
||||||
|
None.
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
|
@ -24,30 +42,29 @@ EXAMPLES
|
||||||
|
|
||||||
.. code-block:: sh
|
.. code-block:: sh
|
||||||
|
|
||||||
# Setup configuration for nslcd
|
# Setup gitolite's gituser
|
||||||
__debconf_set_selections nslcd --file /path/to/file
|
__debconf_set_selections nslcd --line 'gitolite gitolite/gituser string git'
|
||||||
|
|
||||||
# Setup configuration for nslcd from another type
|
# Setup configuration for nslcd from a file.
|
||||||
__debconf_set_selections nslcd --file "$__type/files/preseed/nslcd"
|
# NB: Multiple lines can be passed to --line, although this can be considered a hack.
|
||||||
|
__debconf_set_selections nslcd --line "$(cat "${__files:?}/preseed/nslcd.debconf")"
|
||||||
__debconf_set_selections nslcd --file - << eof
|
|
||||||
gitolite gitolite/gituser string git
|
|
||||||
eof
|
|
||||||
|
|
||||||
|
|
||||||
SEE ALSO
|
SEE ALSO
|
||||||
--------
|
--------
|
||||||
:strong:`debconf-set-selections`\ (1), :strong:`cdist-type__update_alternatives`\ (7)
|
- :strong:`cdist-type__update_alternatives`\ (7)
|
||||||
|
- :strong:`debconf-set-selections`\ (1)
|
||||||
|
|
||||||
|
|
||||||
AUTHORS
|
AUTHORS
|
||||||
-------
|
-------
|
||||||
Nico Schottelius <nico-cdist--@--schottelius.org>
|
| Nico Schottelius <nico-cdist--@--schottelius.org>
|
||||||
|
| Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
|
||||||
|
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
Copyright \(C) 2011-2014 Nico Schottelius. You can redistribute it
|
Copyright \(C) 2011-2014 Nico Schottelius, 2021 Dennis Camera.
|
||||||
and/or modify it under the terms of the GNU General Public License as
|
You can redistribute it and/or modify it under the terms of the GNU General
|
||||||
published by the Free Software Foundation, either version 3 of the
|
Public License as published by the Free Software Foundation, either version 3 of
|
||||||
License, or (at your option) any later version.
|
the License, or (at your option) any later version.
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
#
|
#
|
||||||
# 2015 Dominique Roux (dominique.roux4 at gmail.com)
|
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
|
||||||
#
|
#
|
||||||
# This file is part of cdist.
|
# This file is part of cdist.
|
||||||
#
|
#
|
||||||
|
@ -18,20 +18,4 @@
|
||||||
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
|
|
||||||
if [ -f "$__object/parameter/destination" ]; then
|
__package_apt debconf
|
||||||
destination=$(cat "$__object/parameter/destination")
|
|
||||||
else
|
|
||||||
destination="/$__object_id"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ownergroup=""
|
|
||||||
if [ -f "$__object/parameter/owner" ]; then
|
|
||||||
ownergroup=$(cat "$__object/parameter/owner")
|
|
||||||
fi
|
|
||||||
if [ -f "$__object/parameter/group" ]; then
|
|
||||||
ownergroup="${ownergroup}:$(cat "$__object/parameter/group")"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$ownergroup" ]; then
|
|
||||||
echo chown -R "$ownergroup" "$destination"
|
|
||||||
fi
|
|
|
@ -0,0 +1 @@
|
||||||
|
'file' has been deprecated in favour of 'line' in order to provide idempotency.
|
|
@ -0,0 +1 @@
|
||||||
|
line
|
|
@ -37,6 +37,12 @@ state
|
||||||
source
|
source
|
||||||
forwarded to :strong:`__file` type
|
forwarded to :strong:`__file` type
|
||||||
|
|
||||||
|
file
|
||||||
|
forwarded to :strong:`__file` type
|
||||||
|
This can be used if multiple users need to have a dotfile updated,
|
||||||
|
which will result in duplicate object id errors. When using the
|
||||||
|
file parameter the object id can be some unique value.
|
||||||
|
|
||||||
MESSAGES
|
MESSAGES
|
||||||
--------
|
--------
|
||||||
|
|
||||||
|
@ -61,6 +67,15 @@ EXAMPLES
|
||||||
# Install default xmonad config for user 'eve'. Parent directory is created automatically.
|
# Install default xmonad config for user 'eve'. Parent directory is created automatically.
|
||||||
__dot_file .xmonad/xmonad.hs --user eve --state exists --source "$__files/xmonad.hs"
|
__dot_file .xmonad/xmonad.hs --user eve --state exists --source "$__files/xmonad.hs"
|
||||||
|
|
||||||
|
# install .vimrc for root and some users
|
||||||
|
for user in root userx usery userz; do
|
||||||
|
__dot_file "${user}_dot_vimrc" \
|
||||||
|
--user $user \
|
||||||
|
--file .vimrc \
|
||||||
|
--state exists \
|
||||||
|
--source "$__files/$user/.vimrc"
|
||||||
|
done
|
||||||
|
|
||||||
SEE ALSO
|
SEE ALSO
|
||||||
--------
|
--------
|
||||||
|
|
||||||
|
|
|
@ -20,13 +20,19 @@ user="$(cat "${__object}/parameter/user")"
|
||||||
home="$(cat "${__object}/explorer/home")"
|
home="$(cat "${__object}/explorer/home")"
|
||||||
primary_group="$(cat "${__object}/explorer/primary_group")"
|
primary_group="$(cat "${__object}/explorer/primary_group")"
|
||||||
dirmode="$(cat "${__object}/parameter/dirmode")"
|
dirmode="$(cat "${__object}/parameter/dirmode")"
|
||||||
|
if [ -f "${__object}/parameter/file" ]; then
|
||||||
|
file="$(cat "${__object}/parameter/file")"
|
||||||
|
else
|
||||||
|
file="${__object_id}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Create parent directory. Type __directory has flag 'parents', but it
|
# Create parent directory. Type __directory has flag 'parents', but it
|
||||||
# will leave us with root-owned directory in user home, which is not
|
# will leave us with root-owned directory in user home, which is not
|
||||||
# acceptable. So we create parent directories one-by-one. XXX: maybe
|
# acceptable. So we create parent directories one-by-one. XXX: maybe
|
||||||
# it should be fixed in '__directory'?
|
# it should be fixed in '__directory'?
|
||||||
set --
|
set --
|
||||||
subpath=${__object_id}
|
subpath=${file}
|
||||||
while subpath="$(dirname "${subpath}")" ; do
|
while subpath="$(dirname "${subpath}")" ; do
|
||||||
[ "${subpath}" = . ] && break
|
[ "${subpath}" = . ] && break
|
||||||
set -- "${subpath}" "$@"
|
set -- "${subpath}" "$@"
|
||||||
|
@ -64,4 +70,4 @@ if [ "${source}" = "-" ] ; then
|
||||||
fi
|
fi
|
||||||
unset source
|
unset source
|
||||||
|
|
||||||
__file "${home}/${__object_id}" --owner "$user" --group "$primary_group" "$@"
|
__file "${home}/${file}" --owner "$user" --group "$primary_group" "$@"
|
||||||
|
|
|
@ -1,19 +0,0 @@
|
||||||
#!/bin/sh -e
|
|
||||||
|
|
||||||
if [ -f "$__object/parameter/cmd-get" ]
|
|
||||||
then
|
|
||||||
cmd="$( cat "$__object/parameter/cmd-get" )"
|
|
||||||
|
|
||||||
elif command -v curl > /dev/null
|
|
||||||
then
|
|
||||||
cmd="curl -L -o - '%s'"
|
|
||||||
|
|
||||||
elif command -v fetch > /dev/null
|
|
||||||
then
|
|
||||||
cmd="fetch -o - '%s'"
|
|
||||||
|
|
||||||
else
|
|
||||||
cmd="wget -O - '%s'"
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "$cmd"
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/cmd-get" ]
|
||||||
|
then
|
||||||
|
cat "$__object/parameter/cmd-get"
|
||||||
|
elif
|
||||||
|
command -v curl > /dev/null
|
||||||
|
then
|
||||||
|
echo "curl -sSL -o - '%s'"
|
||||||
|
elif
|
||||||
|
command -v fetch > /dev/null
|
||||||
|
then
|
||||||
|
echo "fetch -o - '%s'"
|
||||||
|
else
|
||||||
|
echo "wget -O - '%s'"
|
||||||
|
fi
|
|
@ -0,0 +1,82 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
if [ ! -f "$__object/parameter/sum" ]
|
||||||
|
then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/cmd-sum" ]
|
||||||
|
then
|
||||||
|
cat "$__object/parameter/cmd-sum"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
sum_should="$( cat "$__object/parameter/sum" )"
|
||||||
|
|
||||||
|
if echo "$sum_should" | grep -Fq ':'
|
||||||
|
then
|
||||||
|
sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
|
||||||
|
else
|
||||||
|
if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
|
||||||
|
then
|
||||||
|
sum_hash='cksum'
|
||||||
|
elif
|
||||||
|
echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
|
||||||
|
then
|
||||||
|
sum_hash='md5'
|
||||||
|
elif
|
||||||
|
echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
|
||||||
|
then
|
||||||
|
sum_hash='sha1'
|
||||||
|
elif
|
||||||
|
echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
|
||||||
|
then
|
||||||
|
sum_hash='sha256'
|
||||||
|
else
|
||||||
|
echo 'hash format detection failed' >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
os="$( "$__explorer/os" )"
|
||||||
|
|
||||||
|
case "$sum_hash" in
|
||||||
|
cksum)
|
||||||
|
echo "cksum %s | awk '{print \$1\" \"\$2}'"
|
||||||
|
;;
|
||||||
|
md5)
|
||||||
|
case "$os" in
|
||||||
|
freebsd)
|
||||||
|
echo "md5 -q %s"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "md5sum %s | awk '{print \$1}'"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
sha1)
|
||||||
|
case "$os" in
|
||||||
|
freebsd)
|
||||||
|
echo "sha1 -q %s"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "sha1sum %s | awk '{print \$1}'"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
sha256)
|
||||||
|
case "$os" in
|
||||||
|
freebsd)
|
||||||
|
echo "sha256 -q %s"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "sha256sum %s | awk '{print \$1}'"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
# we arrive here only if --sum is given with unknown format prefix
|
||||||
|
echo "unknown hash format: $sum_hash" >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
|
@ -1,6 +1,11 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
|
|
||||||
dst="/$__object_id"
|
if [ -f "$__object/parameter/destination" ]
|
||||||
|
then
|
||||||
|
dst="$( cat "$__object/parameter/destination" )"
|
||||||
|
else
|
||||||
|
dst="/$__object_id"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ ! -f "$dst" ]
|
if [ ! -f "$dst" ]
|
||||||
then
|
then
|
||||||
|
@ -8,59 +13,27 @@ then
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ ! -f "$__object/parameter/sum" ]
|
||||||
|
then
|
||||||
|
echo 'present'
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
sum_should="$( cat "$__object/parameter/sum" )"
|
sum_should="$( cat "$__object/parameter/sum" )"
|
||||||
|
|
||||||
if [ -f "$__object/parameter/cmd-sum" ]
|
if echo "$sum_should" | grep -Fq ':'
|
||||||
then
|
then
|
||||||
# shellcheck disable=SC2059
|
sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
|
||||||
sum_is="$( eval "$( printf \
|
|
||||||
"$( cat "$__object/parameter/cmd-sum" )" \
|
|
||||||
"$dst" )" )"
|
|
||||||
else
|
|
||||||
os="$( "$__explorer/os" )"
|
|
||||||
|
|
||||||
if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
|
|
||||||
then
|
|
||||||
sum_is="$( cksum "$dst" | awk '{print $1" "$2}' )"
|
|
||||||
|
|
||||||
elif echo "$sum_should" | grep -Eiq '^md5:[a-f0-9]{32}$'
|
|
||||||
then
|
|
||||||
case "$os" in
|
|
||||||
freebsd)
|
|
||||||
sum_is="md5:$( md5 -q "$dst" )"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
sum_is="md5:$( md5sum "$dst" | awk '{print $1}' )"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
elif echo "$sum_should" | grep -Eiq '^sha1:[a-f0-9]{40}$'
|
|
||||||
then
|
|
||||||
case "$os" in
|
|
||||||
freebsd)
|
|
||||||
sum_is="sha1:$( sha1 -q "$dst" )"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
sum_is="sha1:$( sha1sum "$dst" | awk '{print $1}' )"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
elif echo "$sum_should" | grep -Eiq '^sha256:[a-f0-9]{64}$'
|
|
||||||
then
|
|
||||||
case "$os" in
|
|
||||||
freebsd)
|
|
||||||
sum_is="sha256:$( sha256 -q "$dst" )"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
sum_is="sha256:$( sha256sum "$dst" | awk '{print $1}' )"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
sum_cmd="$( "$__type_explorer/remote_cmd_sum" )"
|
||||||
|
|
||||||
|
# shellcheck disable=SC2059
|
||||||
|
sum_is="$( eval "$( printf "$sum_cmd" "'$dst'" )" )"
|
||||||
|
|
||||||
if [ -z "$sum_is" ]
|
if [ -z "$sum_is" ]
|
||||||
then
|
then
|
||||||
echo 'no checksum from target' >&2
|
echo 'existing destination checksum failed' >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
@ -11,34 +11,133 @@ fi
|
||||||
|
|
||||||
url="$( cat "$__object/parameter/url" )"
|
url="$( cat "$__object/parameter/url" )"
|
||||||
|
|
||||||
tmp="$( mktemp )"
|
if [ -f "$__object/parameter/destination" ]
|
||||||
|
then
|
||||||
dst="/$__object_id"
|
dst="$( cat "$__object/parameter/destination" )"
|
||||||
|
else
|
||||||
|
dst="/$__object_id"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/cmd-get" ]
|
if [ -f "$__object/parameter/cmd-get" ]
|
||||||
then
|
then
|
||||||
cmd="$( cat "$__object/parameter/cmd-get" )"
|
cmd="$( cat "$__object/parameter/cmd-get" )"
|
||||||
|
|
||||||
elif command -v wget > /dev/null
|
|
||||||
then
|
|
||||||
cmd="wget -O - '%s'"
|
|
||||||
|
|
||||||
elif command -v curl > /dev/null
|
elif command -v curl > /dev/null
|
||||||
then
|
then
|
||||||
cmd="curl -L -o - '%s'"
|
cmd="curl -sSL -o - '%s'"
|
||||||
|
|
||||||
elif command -v fetch > /dev/null
|
elif command -v fetch > /dev/null
|
||||||
then
|
then
|
||||||
cmd="fetch -o - '%s'"
|
cmd="fetch -o - '%s'"
|
||||||
|
|
||||||
|
elif command -v wget > /dev/null
|
||||||
|
then
|
||||||
|
cmd="wget -O - '%s'"
|
||||||
|
|
||||||
else
|
else
|
||||||
echo 'no usable locally installed utility for downloading' >&2
|
echo 'local download failed, no usable utility' >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf "$cmd > %s\n" \
|
echo "download_tmp=\"\$( mktemp )\""
|
||||||
"$url" \
|
|
||||||
"$tmp"
|
# shellcheck disable=SC2059
|
||||||
|
printf "$cmd > \"\$download_tmp\"\n" "$url"
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/sum" ]
|
||||||
|
then
|
||||||
|
sum_should="$( cat "$__object/parameter/sum" )"
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/cmd-sum" ]
|
||||||
|
then
|
||||||
|
local_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
|
||||||
|
else
|
||||||
|
if echo "$sum_should" | grep -Fq ':'
|
||||||
|
then
|
||||||
|
sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
|
||||||
|
|
||||||
|
sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
|
||||||
|
else
|
||||||
|
if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
|
||||||
|
then
|
||||||
|
sum_hash='cksum'
|
||||||
|
elif
|
||||||
|
echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
|
||||||
|
then
|
||||||
|
sum_hash='md5'
|
||||||
|
elif
|
||||||
|
echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
|
||||||
|
then
|
||||||
|
sum_hash='sha1'
|
||||||
|
elif
|
||||||
|
echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
|
||||||
|
then
|
||||||
|
sum_hash='sha256'
|
||||||
|
else
|
||||||
|
echo 'hash format detection failed' >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "$sum_hash" in
|
||||||
|
cksum)
|
||||||
|
local_cmd_sum="cksum %s | awk '{print \$1\" \"\$2}'"
|
||||||
|
;;
|
||||||
|
md5)
|
||||||
|
if command -v md5 > /dev/null
|
||||||
|
then
|
||||||
|
local_cmd_sum="md5 -q %s"
|
||||||
|
elif
|
||||||
|
command -v md5sum > /dev/null
|
||||||
|
then
|
||||||
|
local_cmd_sum="md5sum %s | awk '{print \$1}'"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
sha1)
|
||||||
|
if command -v sha1 > /dev/null
|
||||||
|
then
|
||||||
|
local_cmd_sum="sha1 -q %s"
|
||||||
|
elif
|
||||||
|
command -v sha1sum > /dev/null
|
||||||
|
then
|
||||||
|
local_cmd_sum="sha1sum %s | awk '{print \$1}'"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
sha256)
|
||||||
|
if command -v sha256 > /dev/null
|
||||||
|
then
|
||||||
|
local_cmd_sum="sha256 -q %s"
|
||||||
|
elif
|
||||||
|
command -v sha256sum > /dev/null
|
||||||
|
then
|
||||||
|
local_cmd_sum="sha256sum %s | awk '{print \$1}'"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
# we arrive here only if --sum is given with unknown format prefix
|
||||||
|
echo "unknown hash format: $sum_hash" >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
if [ -z "$local_cmd_sum" ]
|
||||||
|
then
|
||||||
|
echo 'local checksum verification failed, no usable utility' >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# shellcheck disable=SC2059
|
||||||
|
echo "sum_is=\"\$( $( printf "$local_cmd_sum" "\"\$download_tmp\"" ) )\""
|
||||||
|
|
||||||
|
echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
|
||||||
|
|
||||||
|
echo "echo 'local download checksum mismatch' >&2"
|
||||||
|
|
||||||
|
echo "rm -f \"\$download_tmp\""
|
||||||
|
|
||||||
|
echo 'exit 1; fi'
|
||||||
|
fi
|
||||||
|
|
||||||
if echo "$__target_host" | grep -Eq '^[0-9a-fA-F:]+$'
|
if echo "$__target_host" | grep -Eq '^[0-9a-fA-F:]+$'
|
||||||
then
|
then
|
||||||
|
@ -47,12 +146,10 @@ else
|
||||||
target_host="$__target_host"
|
target_host="$__target_host"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf '%s %s %s:%s\n' \
|
# shellcheck disable=SC2016
|
||||||
|
printf '%s "$download_tmp" %s:%s\n' \
|
||||||
"$__remote_copy" \
|
"$__remote_copy" \
|
||||||
"$tmp" \
|
|
||||||
"$target_host" \
|
"$target_host" \
|
||||||
"$dst"
|
"$dst"
|
||||||
|
|
||||||
echo "rm -f '$tmp'"
|
echo "rm -f \"\$download_tmp\""
|
||||||
|
|
||||||
echo 'downloaded' > "$__messages_out"
|
|
||||||
|
|
|
@ -6,17 +6,51 @@ state_is="$( cat "$__object/explorer/state" )"
|
||||||
|
|
||||||
if [ "$download" = 'remote' ] && [ "$state_is" != 'present' ]
|
if [ "$download" = 'remote' ] && [ "$state_is" != 'present' ]
|
||||||
then
|
then
|
||||||
cmd="$( cat "$__object/explorer/remote_cmd" )"
|
cmd_get="$( cat "$__object/explorer/remote_cmd_get" )"
|
||||||
|
|
||||||
url="$( cat "$__object/parameter/url" )"
|
url="$( cat "$__object/parameter/url" )"
|
||||||
|
|
||||||
dst="/$__object_id"
|
if [ -f "$__object/parameter/destination" ]
|
||||||
|
then
|
||||||
|
dst="$( cat "$__object/parameter/destination" )"
|
||||||
|
else
|
||||||
|
dst="/$__object_id"
|
||||||
|
fi
|
||||||
|
|
||||||
printf "$cmd > %s\n" \
|
echo "download_tmp=\"\$( mktemp )\""
|
||||||
"$url" \
|
|
||||||
"$dst"
|
|
||||||
|
|
||||||
echo 'downloaded' > "$__messages_out"
|
# shellcheck disable=SC2059
|
||||||
|
printf "$cmd_get > \"\$download_tmp\"\n" "$url"
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/sum" ]
|
||||||
|
then
|
||||||
|
sum_should="$( cat "$__object/parameter/sum" )"
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/cmd-sum" ]
|
||||||
|
then
|
||||||
|
remote_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
|
||||||
|
else
|
||||||
|
remote_cmd_sum="$( cat "$__object/explorer/remote_cmd_sum" )"
|
||||||
|
|
||||||
|
if echo "$sum_should" | grep -Fq ':'
|
||||||
|
then
|
||||||
|
sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# shellcheck disable=SC2059
|
||||||
|
echo "sum_is=\"\$( $( printf "$remote_cmd_sum" "\"\$download_tmp\"" ) )\""
|
||||||
|
|
||||||
|
echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
|
||||||
|
|
||||||
|
echo "echo 'remote download checksum mismatch' >&2"
|
||||||
|
|
||||||
|
echo "rm -f \"\$download_tmp\""
|
||||||
|
|
||||||
|
echo 'exit 1; fi'
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "mv \"\$download_tmp\" '$dst'"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/onchange" ] && [ "$state_is" != "present" ]
|
if [ -f "$__object/parameter/onchange" ] && [ "$state_is" != "present" ]
|
||||||
|
|
|
@ -8,10 +8,7 @@ cdist-type__download - Download a file
|
||||||
|
|
||||||
DESCRIPTION
|
DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
Destination (``$__object_id``) in target host must be persistent storage
|
By default type will try to use ``curl``, ``fetch`` or ``wget``.
|
||||||
in order to calculate checksum and decide if file must be (re-)downloaded.
|
|
||||||
|
|
||||||
By default type will try to use ``wget``, ``curl`` or ``fetch``.
|
|
||||||
If download happens in target (see ``--download``) then type will
|
If download happens in target (see ``--download``) then type will
|
||||||
fallback to (and install) ``wget``.
|
fallback to (and install) ``wget``.
|
||||||
|
|
||||||
|
@ -19,23 +16,40 @@ If download happens in local machine, then environment variables like
|
||||||
``{http,https,ftp}_proxy`` etc can be used on cdist execution
|
``{http,https,ftp}_proxy`` etc can be used on cdist execution
|
||||||
(``http_proxy=foo cdist config ...``).
|
(``http_proxy=foo cdist config ...``).
|
||||||
|
|
||||||
|
To change downloaded file's owner, group or permissions, use ``require='__download/path/to/file' __file ...``.
|
||||||
|
|
||||||
|
|
||||||
REQUIRED PARAMETERS
|
REQUIRED PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
url
|
url
|
||||||
File's URL.
|
File's URL.
|
||||||
|
|
||||||
sum
|
|
||||||
Checksum of file going to be downloaded.
|
|
||||||
By default output of ``cksum`` without filename is expected.
|
|
||||||
Other hash formats supported with prefixes: ``md5:``, ``sha1:`` and ``sha256:``.
|
|
||||||
|
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
OPTIONAL PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
|
destination
|
||||||
|
Downloaded file's destination in target. If unset, ``$__object_id`` is used.
|
||||||
|
|
||||||
|
sum
|
||||||
|
Supported formats: ``cksum`` output without file name, MD5, SHA1 and SHA256.
|
||||||
|
|
||||||
|
Type tries to detect hash format with regexes, but prefixes
|
||||||
|
``cksum:``, ``md5:``, ``sha1:`` and ``sha256:`` are also supported.
|
||||||
|
|
||||||
|
Checksum have two purposes - state check and post-download verification.
|
||||||
|
In state check, if destination checksum mismatches, then content of URL
|
||||||
|
will be downloaded to temporary file. If downloaded temporary file's
|
||||||
|
checksum matches, then it will be moved to destination (overwritten).
|
||||||
|
|
||||||
|
For local downloads it is expected that usable utilities for checksum
|
||||||
|
calculation exist in the system.
|
||||||
|
|
||||||
download
|
download
|
||||||
If ``local`` (default), then download file to local storage and copy
|
If ``local`` (default), then file is downloaded to local storage and copied
|
||||||
it to target host. If ``remote``, then download happens in target.
|
to target host. If ``remote``, then download happens in target.
|
||||||
|
|
||||||
|
For local downloads it is expected that usable utilities for downloading
|
||||||
|
exist in the system. Type will try to use ``curl``, ``fetch`` or ``wget``.
|
||||||
|
|
||||||
cmd-get
|
cmd-get
|
||||||
Command used for downloading.
|
Command used for downloading.
|
||||||
|
@ -65,7 +79,7 @@ EXAMPLES
|
||||||
require='__directory/opt/cpma' \
|
require='__directory/opt/cpma' \
|
||||||
__download /opt/cpma/cnq3.zip \
|
__download /opt/cpma/cnq3.zip \
|
||||||
--url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \
|
--url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \
|
||||||
--sum md5:46da3021ca9eace277115ec9106c5b46
|
--sum 46da3021ca9eace277115ec9106c5b46
|
||||||
|
|
||||||
require='__download/opt/cpma/cnq3.zip' \
|
require='__download/opt/cpma/cnq3.zip' \
|
||||||
__unpack /opt/cpma/cnq3.zip \
|
__unpack /opt/cpma/cnq3.zip \
|
||||||
|
@ -81,7 +95,7 @@ Ander Punnar <ander-at-kvlt-dot-ee>
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
Copyright \(C) 2020 Ander Punnar. You can redistribute it
|
Copyright \(C) 2021 Ander Punnar. You can redistribute it
|
||||||
and/or modify it under the terms of the GNU General Public License as
|
and/or modify it under the terms of the GNU General Public License as
|
||||||
published by the Free Software Foundation, either version 3 of the
|
published by the Free Software Foundation, either version 3 of the
|
||||||
License, or (at your option) any later version.
|
License, or (at your option) any later version.
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
|
|
||||||
if grep -Eq '^wget' "$__object/explorer/remote_cmd"
|
if grep -Eq '^wget' "$__object/explorer/remote_cmd_get"
|
||||||
then
|
then
|
||||||
__package wget
|
__package wget
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
cmd-get
|
cmd-get
|
||||||
cmd-sum
|
cmd-sum
|
||||||
|
destination
|
||||||
download
|
download
|
||||||
onchange
|
onchange
|
||||||
|
sum
|
||||||
|
|
|
@ -1,2 +1 @@
|
||||||
url
|
url
|
||||||
sum
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
#
|
#
|
||||||
# 2011-2012 Nico Schottelius (nico-cdist at schottelius.org)
|
# 2011-2012 Nico Schottelius (nico-cdist at schottelius.org)
|
||||||
# 2013 Steven Armstrong (steven-cdist armstrong.cc)
|
# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
|
||||||
#
|
#
|
||||||
# This file is part of cdist.
|
# This file is part of cdist.
|
||||||
#
|
#
|
||||||
|
@ -72,6 +72,7 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
|
||||||
if [ "$type" != "file" ]; then
|
if [ "$type" != "file" ]; then
|
||||||
# destination is not a regular file, upload source to replace it
|
# destination is not a regular file, upload source to replace it
|
||||||
upload_file=1
|
upload_file=1
|
||||||
|
echo upload >> "$__messages_out"
|
||||||
else
|
else
|
||||||
local_cksum="$(cksum < "$source")"
|
local_cksum="$(cksum < "$source")"
|
||||||
remote_cksum="$(cat "$__object/explorer/cksum")"
|
remote_cksum="$(cat "$__object/explorer/cksum")"
|
||||||
|
@ -88,27 +89,39 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
|
||||||
mkdir "$__object/files"
|
mkdir "$__object/files"
|
||||||
touch "$__object/files/set-attributes"
|
touch "$__object/files/set-attributes"
|
||||||
|
|
||||||
# upload file to temp location
|
if [ "$create_file" ]; then
|
||||||
tempfile_template="${destination}.cdist.XXXXXXXXXX"
|
# When creating an empty file we create it locally and then
|
||||||
cat << DONE
|
# upload it so that permissions can be set before moving the file
|
||||||
destination_upload="\$($__remote_exec $__target_host "mktemp $tempfile_template")"
|
# into place.
|
||||||
DONE
|
source="$__object/files/empty"
|
||||||
if [ "$upload_file" ]; then
|
touch "$source"
|
||||||
echo upload >> "$__messages_out"
|
|
||||||
# IPv6 fix
|
|
||||||
if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
|
|
||||||
then
|
|
||||||
my_target_host="[${__target_host}]"
|
|
||||||
else
|
|
||||||
my_target_host="${__target_host}"
|
|
||||||
fi
|
|
||||||
cat << DONE
|
|
||||||
$__remote_copy "$source" "${my_target_host}:\$destination_upload"
|
|
||||||
DONE
|
|
||||||
fi
|
fi
|
||||||
# move uploaded file into place
|
|
||||||
cat << DONE
|
# upload file to temp location
|
||||||
$__remote_exec $__target_host "rm -rf \"$destination\"; mv \"\$destination_upload\" \"$destination\""
|
upload_destination="${destination}.cdist.${__cdist_object_marker}.$$"
|
||||||
|
# Yes, we are aware that this is a race condition.
|
||||||
|
# However:
|
||||||
|
# a) cdist usually writes to directories that are not user writable
|
||||||
|
# (probably > 99.9%)
|
||||||
|
# b) if they are user owned, the user / attacker always wins
|
||||||
|
# (probably < 0.1%)
|
||||||
|
# c) the only case which we could improve are tmp directories and we
|
||||||
|
# don't think managing tmp directories with cdist is a typical case
|
||||||
|
# ("the rest %)"
|
||||||
|
|
||||||
|
# Tell gencode-remote to where we uploaded the file so it can move
|
||||||
|
# it to its final destination.
|
||||||
|
echo "$upload_destination" > "$__object/files/upload-destination"
|
||||||
|
|
||||||
|
# IPv6 fix
|
||||||
|
if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
|
||||||
|
then
|
||||||
|
my_target_host="[${__target_host}]"
|
||||||
|
else
|
||||||
|
my_target_host="${__target_host}"
|
||||||
|
fi
|
||||||
|
cat << DONE
|
||||||
|
$__remote_copy "$source" "${my_target_host}:${upload_destination}"
|
||||||
DONE
|
DONE
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
#
|
#
|
||||||
# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
|
# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
|
||||||
# 2013 Steven Armstrong (steven-cdist armstrong.cc)
|
# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
|
||||||
#
|
#
|
||||||
# This file is part of cdist.
|
# This file is part of cdist.
|
||||||
#
|
#
|
||||||
|
@ -62,6 +62,13 @@ set_mode() {
|
||||||
|
|
||||||
case "$state_should" in
|
case "$state_should" in
|
||||||
present|exists)
|
present|exists)
|
||||||
|
if [ -f "$__object/files/upload-destination" ]; then
|
||||||
|
final_destination="$destination"
|
||||||
|
# We change the 'global' $destination variable here so we can
|
||||||
|
# change attributes of the new/uploaded file before moving it
|
||||||
|
# to it's final destination.
|
||||||
|
destination="$(cat "$__object/files/upload-destination")"
|
||||||
|
fi
|
||||||
# Note: Mode - needs to happen last as a chown/chgrp can alter mode by
|
# Note: Mode - needs to happen last as a chown/chgrp can alter mode by
|
||||||
# clearing S_ISUID and S_ISGID bits (see chown(2))
|
# clearing S_ISUID and S_ISGID bits (see chown(2))
|
||||||
for attribute in group owner mode; do
|
for attribute in group owner mode; do
|
||||||
|
@ -81,6 +88,11 @@ case "$state_should" in
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
if [ -f "$__object/files/upload-destination" ]; then
|
||||||
|
# move uploaded file into place
|
||||||
|
printf 'rm -rf "%s"\n' "$final_destination"
|
||||||
|
printf 'mv "%s" "%s"\n' "$destination" "$final_destination"
|
||||||
|
fi
|
||||||
if [ -f "$__object/files/set-attributes" ]; then
|
if [ -f "$__object/files/set-attributes" ]; then
|
||||||
# set-attributes is created if file is created or uploaded in gencode-local
|
# set-attributes is created if file is created or uploaded in gencode-local
|
||||||
fire_onchange=1
|
fire_onchange=1
|
||||||
|
|
|
@ -27,7 +27,7 @@ else
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "$os" in
|
case "$os" in
|
||||||
alpine|centos|fedora|redhat|suse|gentoo)
|
alpine|centos|fedora|gentoo|redhat|suse|ubuntu)
|
||||||
if [ ! -x "$(command -v lsblk)" ]; then
|
if [ ! -x "$(command -v lsblk)" ]; then
|
||||||
echo "lsblk is required for __filesystem type" >&2
|
echo "lsblk is required for __filesystem type" >&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
|
@ -1,5 +1,24 @@
|
||||||
#!/bin/sh
|
#!/bin/sh -e
|
||||||
|
|
||||||
destination="/$__object_id/.git"
|
destination="/${__object_id:?}/.git"
|
||||||
|
|
||||||
stat --print "%G" "${destination}" 2>/dev/null || exit 0
|
# shellcheck disable=SC2012
|
||||||
|
group_gid=$(ls -ldn "${destination}" | awk '{ print $4 }')
|
||||||
|
|
||||||
|
# NOTE: +1 because $((notanum)) prints 0.
|
||||||
|
if test $((group_gid + 1)) -ge 0
|
||||||
|
then
|
||||||
|
group_should=$(cat "${__object:?}/parameter/group")
|
||||||
|
|
||||||
|
if expr "${group_should}" : '[0-9]*$' >/dev/null
|
||||||
|
then
|
||||||
|
printf '%u\n' "${group_gid}"
|
||||||
|
else
|
||||||
|
if command -v getent > /dev/null
|
||||||
|
then
|
||||||
|
getent group "${group_gid}" | cut -d : -f 1
|
||||||
|
else
|
||||||
|
awk -F: -v gid="${group_gid}" '$3 == gid { print $1 }' /etc/group
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
|
@ -1,5 +1,19 @@
|
||||||
#!/bin/sh
|
#!/bin/sh -e
|
||||||
|
|
||||||
destination="/$__object_id/.git"
|
destination="/${__object_id:?}/.git"
|
||||||
|
|
||||||
stat --print "%U" "${destination}" 2>/dev/null || exit 0
|
# shellcheck disable=SC2012
|
||||||
|
owner_uid=$(ls -ldn "${destination}" | awk '{ print $3 }')
|
||||||
|
|
||||||
|
# NOTE: +1 because $((notanum)) prints 0.
|
||||||
|
if test $((owner_uid + 1)) -ge 0
|
||||||
|
then
|
||||||
|
owner_should=$(cat "${__object:?}/parameter/owner")
|
||||||
|
|
||||||
|
if expr "${owner_should}" : '[0-9]*$' >/dev/null
|
||||||
|
then
|
||||||
|
printf '%u\n' "${owner_uid}"
|
||||||
|
else
|
||||||
|
printf '%s\n' "$(id -u -n "${owner_uid}")"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
|
@ -15,7 +15,7 @@ case $os in
|
||||||
# Differntation not needed anymore
|
# Differntation not needed anymore
|
||||||
apt_source_distribution=stable
|
apt_source_distribution=stable
|
||||||
;;
|
;;
|
||||||
10*)
|
10*|11*)
|
||||||
# Differntation not needed anymore
|
# Differntation not needed anymore
|
||||||
apt_source_distribution=stable
|
apt_source_distribution=stable
|
||||||
;;
|
;;
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
frontend http
|
||||||
|
bind BIND@:80
|
||||||
|
mode http
|
||||||
|
option httplog
|
||||||
|
default_backend http
|
||||||
|
|
||||||
|
backend http
|
||||||
|
mode http
|
|
@ -0,0 +1,10 @@
|
||||||
|
frontend https
|
||||||
|
bind BIND@:443
|
||||||
|
mode tcp
|
||||||
|
option tcplog
|
||||||
|
tcp-request inspect-delay 5s
|
||||||
|
tcp-request content accept if { req_ssl_hello_type 1 }
|
||||||
|
default_backend https
|
||||||
|
|
||||||
|
backend https
|
||||||
|
mode tcp
|
|
@ -0,0 +1,12 @@
|
||||||
|
frontend imaps
|
||||||
|
bind BIND@:143
|
||||||
|
bind BIND@:993
|
||||||
|
|
||||||
|
mode tcp
|
||||||
|
option tcplog
|
||||||
|
tcp-request inspect-delay 5s
|
||||||
|
tcp-request content accept if { req_ssl_hello_type 1 }
|
||||||
|
default_backend imaps
|
||||||
|
|
||||||
|
backend imaps
|
||||||
|
mode tcp
|
|
@ -0,0 +1,12 @@
|
||||||
|
frontend smtps
|
||||||
|
bind BIND@:25
|
||||||
|
bind BIND@:465
|
||||||
|
|
||||||
|
mode tcp
|
||||||
|
option tcplog
|
||||||
|
tcp-request inspect-delay 5s
|
||||||
|
tcp-request content accept if { req_ssl_hello_type 1 }
|
||||||
|
default_backend smtps
|
||||||
|
|
||||||
|
backend smtps
|
||||||
|
mode tcp
|
|
@ -0,0 +1,121 @@
|
||||||
|
cdist-type__haproxy_dualstack(7)
|
||||||
|
================================
|
||||||
|
|
||||||
|
|
||||||
|
NAME
|
||||||
|
----
|
||||||
|
cdist-type__haproxy_dualstack - Proxy services from a dual-stack server
|
||||||
|
|
||||||
|
|
||||||
|
DESCRIPTION
|
||||||
|
-----------
|
||||||
|
This (singleton) type installs and configures haproxy to act as a dual-stack
|
||||||
|
proxy for single-stack services.
|
||||||
|
|
||||||
|
This can be useful to add IPv4 support to IPv6-only services while only using
|
||||||
|
one IPv4 for many such services.
|
||||||
|
|
||||||
|
By default this type uses the plain TCP proxy mode, which means that there is no
|
||||||
|
need for TLS termination on this host when SNI is supported.
|
||||||
|
This also means that proxied services will not receive the client's IP address,
|
||||||
|
but will see the proxy's IP address instead (that of `$__target_host`).
|
||||||
|
|
||||||
|
This can be solved by using the PROXY protocol, but do take into account that,
|
||||||
|
e.g. nginx cannot serve both regular HTTP(S) and PROXY protocols on the same
|
||||||
|
port, so you will need to use other ports for that.
|
||||||
|
|
||||||
|
As a recommendation in this type: use TCP ports 8080 and 591 respectively to
|
||||||
|
serve HTTP and HTTPS using the PROXY protocol.
|
||||||
|
|
||||||
|
See the EXAMPLES for more details.
|
||||||
|
|
||||||
|
|
||||||
|
OPTIONAL PARAMETERS
|
||||||
|
-------------------
|
||||||
|
v4proxy
|
||||||
|
Proxy incoming IPv4 connections to the equivalent IPv6 endpoint.
|
||||||
|
In its simplest use, it must be a NAME with an `AAAA` DNS entry, which is
|
||||||
|
the IP address actually providing the proxied services.
|
||||||
|
The full format of this argument is:
|
||||||
|
`[proxy:]NAME[[:PROTOCOL_1=PORT_1]...[:PROTOCOL_N=PORT_N]]`
|
||||||
|
Where starting with `proxy:` determines that the PROXY protocol must be
|
||||||
|
used and each `:PROTOCOL=PORT` (e.g. `:http=8080` or `:https=591`) is a PORT
|
||||||
|
override for the given PROTOCOL (see `--protocol`), if not present the
|
||||||
|
PROTOCOL's default port will be used.
|
||||||
|
|
||||||
|
|
||||||
|
v6proxy
|
||||||
|
Proxy incoming IPv6 connections to the equivalent IPv4 endpoint.
|
||||||
|
In its simplest use, it must be a NAME with an `A` DNS entry, which is
|
||||||
|
the IP address actually providing the proxied services.
|
||||||
|
See `--v4proxy` for more options and details.
|
||||||
|
|
||||||
|
protocol
|
||||||
|
Can be passed multiple times or as a space-separated list of protocols.
|
||||||
|
Currently supported protocols are: `http`, `https`, `imaps`, `smtps`.
|
||||||
|
This defaults to: `http https imaps smtps`.
|
||||||
|
|
||||||
|
|
||||||
|
EXAMPLES
|
||||||
|
--------
|
||||||
|
|
||||||
|
.. code-block:: sh
|
||||||
|
|
||||||
|
# Proxy the IPv6-only services so IPv4-only clients can access them
|
||||||
|
# This uses HAProxy's TCP mode for http, https, imaps and smtps
|
||||||
|
__haproxy_dualstack \
|
||||||
|
--v4proxy ipv6.chat \
|
||||||
|
--v4proxy matrix.ungleich.ch
|
||||||
|
|
||||||
|
# Proxy the IPv6-only HTTP(S) services so IPv4-only clients can access them
|
||||||
|
# Note this means that the backend IPv6-only server will only see
|
||||||
|
# the IPv6 address of the haproxy host managed by cdist, which can be
|
||||||
|
# troublesome if this information is relevant for analytics/security/...
|
||||||
|
# See the PROXY example below
|
||||||
|
__haproxy_dualstack \
|
||||||
|
--protocol http --protocol https \
|
||||||
|
--v4proxy ipv6.chat \
|
||||||
|
--v4proxy matrix.ungleich.ch
|
||||||
|
|
||||||
|
# Use the PROXY protocol to proxy the IPv6-only HTTP(S) services enabling
|
||||||
|
# IPv4-only clients to access them while maintaining the client's IP address
|
||||||
|
__haproxy_dualstack \
|
||||||
|
--protocol http --protocol https \
|
||||||
|
--v4proxy proxy:ipv6.chat:http=8080:https=591 \
|
||||||
|
--v4proxy proxy:matrix.ungleich.ch:http=8080:https=591
|
||||||
|
# Note however that the PROXY protocol is not compatible with regular
|
||||||
|
# HTTP(S) protocols, so your nginx will have to listen on different ports
|
||||||
|
# with the PROXY settings.
|
||||||
|
# Note that you will need to restrict access to the 8080 port to prevent
|
||||||
|
# Client IP spoofing.
|
||||||
|
# This can be something like:
|
||||||
|
# server {
|
||||||
|
# # listen for regular HTTP connections
|
||||||
|
# listen [::]:80 default_server;
|
||||||
|
# listen 80 default_server;
|
||||||
|
# # listen for PROXY HTTP connections
|
||||||
|
# listen [::]:8080 proxy_protocol;
|
||||||
|
# # Accept the Client's IP from the PROXY protocol
|
||||||
|
# real_ip_header proxy_protocol;
|
||||||
|
# }
|
||||||
|
|
||||||
|
|
||||||
|
SEE ALSO
|
||||||
|
--------
|
||||||
|
- https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
|
||||||
|
- https://www.haproxy.com/blog/haproxy/proxy-protocol/
|
||||||
|
- https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
|
||||||
|
|
||||||
|
|
||||||
|
AUTHORS
|
||||||
|
-------
|
||||||
|
ungleich <foss--@--ungleich.ch>
|
||||||
|
Evilham <cvs--@--evilham.com>
|
||||||
|
|
||||||
|
|
||||||
|
COPYING
|
||||||
|
-------
|
||||||
|
Copyright \(C) 2021 ungleich glarus ag. You can redistribute it
|
||||||
|
and/or modify it under the terms of the GNU General Public License as
|
||||||
|
published by the Free Software Foundation, either version 3 of the
|
||||||
|
License, or (at your option) any later version.
|
|
@ -0,0 +1,155 @@
|
||||||
|
#!/bin/sh -eu
|
||||||
|
|
||||||
|
__package haproxy
|
||||||
|
require="__package/haproxy" __start_on_boot haproxy
|
||||||
|
|
||||||
|
tmpdir="$__object/files"
|
||||||
|
mkdir "$tmpdir"
|
||||||
|
configtmp="$__object/files/haproxy.cfg"
|
||||||
|
|
||||||
|
os=$(cat "$__global/explorer/os")
|
||||||
|
case $os in
|
||||||
|
freebsd)
|
||||||
|
CONFIG_FILE="/usr/local/etc/haproxy.conf"
|
||||||
|
cat <<EOF > "$configtmp"
|
||||||
|
global
|
||||||
|
maxconn 4000
|
||||||
|
user nobody
|
||||||
|
group nogroup
|
||||||
|
daemon
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
CONFIG_FILE="/etc/haproxy/haproxy.cfg"
|
||||||
|
cat <<EOF > "$configtmp"
|
||||||
|
global
|
||||||
|
log [::1] local2
|
||||||
|
chroot /var/lib/haproxy
|
||||||
|
pidfile /var/run/haproxy.pid
|
||||||
|
maxconn 4000
|
||||||
|
user haproxy
|
||||||
|
group haproxy
|
||||||
|
daemon
|
||||||
|
|
||||||
|
# turn on stats unix socket
|
||||||
|
stats socket /var/lib/haproxy/stats
|
||||||
|
|
||||||
|
EOF
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
cat <<EOF >> "$configtmp"
|
||||||
|
defaults
|
||||||
|
retries 3
|
||||||
|
log global
|
||||||
|
timeout http-request 10s
|
||||||
|
timeout queue 1m
|
||||||
|
timeout connect 10s
|
||||||
|
timeout client 1m
|
||||||
|
timeout server 1m
|
||||||
|
timeout http-keep-alive 10s
|
||||||
|
timeout check 10s
|
||||||
|
EOF
|
||||||
|
|
||||||
|
dig_cmd="$(command -v dig || true)"
|
||||||
|
get_ip() {
|
||||||
|
# Usage: get_ip (ipv4|ipv6) NAME
|
||||||
|
# uses "dig" if available, else fallback to "host"
|
||||||
|
case $1 in
|
||||||
|
ipv4)
|
||||||
|
if [ -n "${dig_cmd}" ]; then
|
||||||
|
${dig_cmd} +short A "$2"
|
||||||
|
else
|
||||||
|
host -t A "$2" | cut -d ' ' -f 4 | grep -v 'found:'
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
ipv6)
|
||||||
|
if [ -n "${dig_cmd}" ]; then
|
||||||
|
${dig_cmd} +short AAAA "$2"
|
||||||
|
else
|
||||||
|
host -t AAAA "$2" | cut -d ' ' -f 5 | grep -v 'NXDOMAIN'
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
PROTOCOLS="$(cat "$__object/parameter/protocol")"
|
||||||
|
|
||||||
|
for proxy in v4proxy v6proxy; do
|
||||||
|
param=$__object/parameter/$proxy
|
||||||
|
# no backend? skip generating code
|
||||||
|
if [ ! -f "$param" ]; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
# turn backend name into bind parameter: v4backend -> ipv4@
|
||||||
|
bind=$(echo $proxy | sed -e 's/^/ip/' -e 's/proxy//')
|
||||||
|
|
||||||
|
case $bind in
|
||||||
|
ipv4)
|
||||||
|
backendproto=ipv6
|
||||||
|
;;
|
||||||
|
ipv6)
|
||||||
|
backendproto=ipv4
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
for proto in ${PROTOCOLS}; do
|
||||||
|
# Add protocol "header"
|
||||||
|
printf "\n# %s %s \n" "${bind}" "${proto}" >> "$configtmp"
|
||||||
|
|
||||||
|
sed -e "s/BIND/$bind/" \
|
||||||
|
-e "s/\(frontend[[:space:]].*\)/\1$bind/" \
|
||||||
|
-e "s/\(backend[[:space:]].*\)/\\1$bind/" \
|
||||||
|
"$__type/files/$proto" >> "$configtmp"
|
||||||
|
|
||||||
|
while read -r hostdefinition; do
|
||||||
|
if echo "$hostdefinition" | grep -qE '^proxy:'; then
|
||||||
|
# Proxy protocol was requested
|
||||||
|
host="$(echo "$hostdefinition" | sed -E 's/^proxy:([^:]+).*$/\1/')"
|
||||||
|
send_proxy=" send-proxy"
|
||||||
|
else
|
||||||
|
# Just use tcp proxy mode
|
||||||
|
host="$hostdefinition"
|
||||||
|
send_proxy=""
|
||||||
|
fi
|
||||||
|
if echo "$hostdefinition" | grep -qE ":${proto}="; then
|
||||||
|
# Use custom port definition if requested
|
||||||
|
port="$(echo "$hostdefinition" | sed -E "s/^(.*:)?${proto}=([0-9]+).*$/:\2/")"
|
||||||
|
else
|
||||||
|
# Else use the default
|
||||||
|
port=""
|
||||||
|
fi
|
||||||
|
servername=$host
|
||||||
|
|
||||||
|
res=$(get_ip "$bind" "$servername")
|
||||||
|
|
||||||
|
if [ -z "$res" ]; then
|
||||||
|
echo "$servername does not resolve - aborting config" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Treat protocols without TLS+SNI specially
|
||||||
|
if [ "$proto" = http ]; then
|
||||||
|
echo " use-server $servername if { hdr(host) -i $host }" >> "$configtmp"
|
||||||
|
else
|
||||||
|
echo " use-server $servername if { req_ssl_sni -i $host }" >> "$configtmp"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create the "server" itself.
|
||||||
|
# Note that port and send_proxy will be empty unless
|
||||||
|
# they were requested by the type user
|
||||||
|
echo " server $servername ${backendproto}@${host}${port}${send_proxy}" >> "$configtmp"
|
||||||
|
|
||||||
|
done < "$param"
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
# Create config file
|
||||||
|
require="__package/haproxy" __file ${CONFIG_FILE} --source "$configtmp" --mode 0644
|
||||||
|
|
||||||
|
require="__file${CONFIG_FILE}" __check_messages "haproxy_reload" \
|
||||||
|
--pattern "^__file${CONFIG_FILE}" \
|
||||||
|
--execute "service haproxy reload || service haproxy restart"
|
|
@ -0,0 +1 @@
|
||||||
|
http https imaps smtps
|
|
@ -0,0 +1,3 @@
|
||||||
|
protocol
|
||||||
|
v4proxy
|
||||||
|
v6proxy
|
|
@ -1,3 +0,0 @@
|
||||||
#!/bin/sh -e
|
|
||||||
|
|
||||||
command -v certbot 2>/dev/null || true
|
|
|
@ -0,0 +1,78 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
certbot_path="$(command -v certbot 2>/dev/null || true)"
|
||||||
|
# Defaults
|
||||||
|
certificate_exists="no"
|
||||||
|
certificate_is_test="no"
|
||||||
|
|
||||||
|
if [ -n "${certbot_path}" ]; then
|
||||||
|
# Find python executable that has access to certbot's module
|
||||||
|
python_path=$(sed -n '1s/^#! *//p' "${certbot_path}")
|
||||||
|
|
||||||
|
# Use a lock for cdist due to certbot not exiting with failure
|
||||||
|
# or having any flags for concurrent use.
|
||||||
|
_certbot() {
|
||||||
|
${python_path} - 2>/dev/null <<EOF
|
||||||
|
from certbot.main import main
|
||||||
|
import fcntl
|
||||||
|
lock_file = "/tmp/certbot.cdist.lock"
|
||||||
|
timeout=60
|
||||||
|
with open(lock_file, 'w') as fd:
|
||||||
|
for i in range(timeout):
|
||||||
|
try:
|
||||||
|
# Get exclusive lock
|
||||||
|
fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
|
||||||
|
break
|
||||||
|
except:
|
||||||
|
# Wait if that fails
|
||||||
|
import time
|
||||||
|
time.sleep(1)
|
||||||
|
else:
|
||||||
|
# Timed out, exit with failure
|
||||||
|
import sys
|
||||||
|
sys.exit(1)
|
||||||
|
# Do list certificates
|
||||||
|
main(["certificates", "--cert-name", "${__object_id:?}"])
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
_certificate_exists() {
|
||||||
|
if grep -q " Certificate Name: ${__object_id:?}$"; then
|
||||||
|
echo yes
|
||||||
|
else
|
||||||
|
echo no
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
_certificate_is_test() {
|
||||||
|
if grep -q 'INVALID: TEST_CERT'; then
|
||||||
|
echo yes
|
||||||
|
else
|
||||||
|
echo no
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
_certificate_domains() {
|
||||||
|
grep ' Domains: ' | cut -d ' ' -f 6- | tr ' ' '\n'
|
||||||
|
}
|
||||||
|
|
||||||
|
# Get data about all available certificates
|
||||||
|
certificates="$(_certbot)"
|
||||||
|
|
||||||
|
# Check whether or not the certificate exists
|
||||||
|
certificate_exists="$(echo "${certificates}" | _certificate_exists)"
|
||||||
|
|
||||||
|
# Check whether or not the certificate is for testing
|
||||||
|
certificate_is_test="$(echo "${certificates}" | _certificate_is_test)"
|
||||||
|
|
||||||
|
# Get domains for certificate
|
||||||
|
certificate_domains="$(echo "${certificates}" | _certificate_domains)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Return received data
|
||||||
|
cat <<EOF
|
||||||
|
certbot_path:${certbot_path}
|
||||||
|
certificate_exists:${certificate_exists}
|
||||||
|
certificate_is_test:${certificate_is_test}
|
||||||
|
${certificate_domains}
|
||||||
|
EOF
|
|
@ -1,8 +0,0 @@
|
||||||
#!/bin/sh -e
|
|
||||||
|
|
||||||
certbot_path=$("${__type_explorer}/certbot-path")
|
|
||||||
if [ -n "${certbot_path}" ]
|
|
||||||
then
|
|
||||||
certbot certificates --cert-name "${__object_id:?}" | grep ' Domains: ' | \
|
|
||||||
cut -d ' ' -f 6- | tr ' ' '\n'
|
|
||||||
fi
|
|
|
@ -1,13 +0,0 @@
|
||||||
#!/bin/sh -e
|
|
||||||
|
|
||||||
certbot_path=$("${__type_explorer}/certbot-path")
|
|
||||||
if [ -n "${certbot_path}" ]
|
|
||||||
then
|
|
||||||
if certbot certificates | grep -q " Certificate Name: ${__object_id:?}$"; then
|
|
||||||
echo yes
|
|
||||||
else
|
|
||||||
echo no
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo no
|
|
||||||
fi
|
|
|
@ -1,14 +0,0 @@
|
||||||
#!/bin/sh -e
|
|
||||||
|
|
||||||
certbot_path=$("${__type_explorer}/certbot-path")
|
|
||||||
if [ -n "${certbot_path}" ]
|
|
||||||
then
|
|
||||||
if certbot certificates --cert-name "${__object_id:?}" | \
|
|
||||||
grep -q 'INVALID: TEST_CERT'; then
|
|
||||||
echo yes
|
|
||||||
else
|
|
||||||
echo no
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo no
|
|
||||||
fi
|
|
|
@ -0,0 +1,84 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
# It is expected that this defines hook_contents
|
||||||
|
|
||||||
|
# Reasonable defaults
|
||||||
|
hook_source="${__object}/parameter/${hook}-hook"
|
||||||
|
hook_state="absent"
|
||||||
|
hook_contents_head="#!/bin/sh -e"
|
||||||
|
hook_contents_logic=""
|
||||||
|
hook_contents_tail=""
|
||||||
|
|
||||||
|
# Backwards compatibility
|
||||||
|
# Remove this when renew-hook is removed
|
||||||
|
# Falling back to renew-hook if deploy-hook is not passed
|
||||||
|
if [ "${hook}" = "deploy" ] && [ ! -f "${hook_source}" ]; then
|
||||||
|
hook_source="${__object}/parameter/renew-hook"
|
||||||
|
fi
|
||||||
|
if [ "${state}" = "present" ] && \
|
||||||
|
[ -f "${hook_source}" ]; then
|
||||||
|
# This hook is to be installed, let's generate it with some
|
||||||
|
# safety boilerplate
|
||||||
|
# Since certbot runs all hooks for all renewal processes
|
||||||
|
# (at each state for deploy, pre, post), it is up to us to
|
||||||
|
# differentiate whether or not the hook must run
|
||||||
|
hook_state="present"
|
||||||
|
hook_contents_head="$(cat <<EOF
|
||||||
|
#!/bin/sh -e
|
||||||
|
#
|
||||||
|
# Managed remotely with https://cdi.st
|
||||||
|
#
|
||||||
|
# Domains for which this hook is supposed to apply
|
||||||
|
lineage="${LE_DIR}/live/${__object_id}"
|
||||||
|
domains="\$(cat <<eof
|
||||||
|
${domains}
|
||||||
|
eof
|
||||||
|
)"
|
||||||
|
EOF
|
||||||
|
)"
|
||||||
|
case "${hook}" in
|
||||||
|
pre|post)
|
||||||
|
# Certbot is kind of terrible, we have
|
||||||
|
# no way of knowing what domain/lineage the
|
||||||
|
# hook is running for
|
||||||
|
hook_contents_logic="$(cat <<EOF
|
||||||
|
# pre/post-hooks apply always due to a certbot limitation
|
||||||
|
APPLY_HOOK="YES"
|
||||||
|
EOF
|
||||||
|
)"
|
||||||
|
;;
|
||||||
|
deploy)
|
||||||
|
hook_contents_logic="$(cat <<EOF
|
||||||
|
# certbot defines these environment variables:
|
||||||
|
# RENEWED_DOMAINS="DOMAIN1 DOMAIN2"
|
||||||
|
# RENEWED_LINEAGE="/etc/letsencrypt/live/__object_id"
|
||||||
|
# It feels more stable to use RENEWED_LINEAGE
|
||||||
|
if [ "\${lineage}" = "\${RENEWED_LINEAGE}" ]; then
|
||||||
|
APPLY_HOOK="YES"
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
)"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Unknown hook '${hook}'" >> /dev/stderr
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
hook_contents_tail="$(cat <<EOF
|
||||||
|
if [ -n "\${APPLY_HOOK}" ]; then
|
||||||
|
# Messing with indentation can eff up the users' scripts, let's not
|
||||||
|
$(cat "${hook_source}")
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
hook_contents="$(cat <<EOF
|
||||||
|
${hook_contents_head}
|
||||||
|
|
||||||
|
${hook_contents_logic}
|
||||||
|
|
||||||
|
${hook_contents_tail}
|
||||||
|
EOF
|
||||||
|
)"
|
|
@ -1,6 +1,10 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
|
|
||||||
certificate_exists=$(cat "${__object:?}/explorer/certificate-exists")
|
_explorer_var() {
|
||||||
|
grep "^$1:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-
|
||||||
|
}
|
||||||
|
|
||||||
|
certificate_exists="$(_explorer_var certificate_exists)"
|
||||||
name="${__object_id:?}"
|
name="${__object_id:?}"
|
||||||
state=$(cat "${__object}/parameter/state")
|
state=$(cat "${__object}/parameter/state")
|
||||||
|
|
||||||
|
@ -29,8 +33,9 @@ case "${state}" in
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${certificate_exists}" = "yes" ]; then
|
if [ "${certificate_exists}" = "yes" ]; then
|
||||||
existing_domains="${__object}/explorer/certificate-domains"
|
existing_domains=$(mktemp "${TMPDIR:-/tmp}/existing_domains.cdist.XXXXXXXXXX")
|
||||||
certificate_is_test=$(cat "${__object}/explorer/certificate-is-test")
|
tail -n +4 "${__object:?}/explorer/certificate-data" | grep -v '^$' > "${existing_domains}"
|
||||||
|
certificate_is_test="$(_explorer_var certificate_is_test)"
|
||||||
|
|
||||||
sort -uo "${requested_domains}" "${requested_domains}"
|
sort -uo "${requested_domains}" "${requested_domains}"
|
||||||
sort -uo "${existing_domains}" "${existing_domains}"
|
sort -uo "${existing_domains}" "${existing_domains}"
|
||||||
|
|
|
@ -1,16 +1,33 @@
|
||||||
cdist-type__letsencrypt_cert(7)
|
cdist-type__letsencrypt_cert(7)
|
||||||
===============================
|
===============================
|
||||||
|
|
||||||
|
|
||||||
NAME
|
NAME
|
||||||
----
|
----
|
||||||
|
|
||||||
cdist-type__letsencrypt_cert - Get an SSL certificate from Let's Encrypt
|
cdist-type__letsencrypt_cert - Get an SSL certificate from Let's Encrypt
|
||||||
|
|
||||||
|
|
||||||
DESCRIPTION
|
DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
|
|
||||||
Automatically obtain a Let's Encrypt SSL certificate using Certbot.
|
Automatically obtain a Let's Encrypt SSL certificate using Certbot.
|
||||||
|
|
||||||
|
This type attempts to setup automatic renewals always. In many Linux
|
||||||
|
distributions, that is the case out of the box, see:
|
||||||
|
https://certbot.eff.org/docs/using.html#automated-renewals
|
||||||
|
|
||||||
|
For Alpine Linux and Arch Linux, we setup a system-wide cronjob that
|
||||||
|
attempts to renew certificates daily.
|
||||||
|
|
||||||
|
If you are using FreeBSD, we configure periodic(8) as recommended by
|
||||||
|
the port mantainer, so there will be a weekly attempt at renewal.
|
||||||
|
|
||||||
|
If your OS is not mentioned here or on Certbot's docs as having
|
||||||
|
support for automated renewals, please make sure you check your OS
|
||||||
|
and possibly patch this type so the system-wide cronjob is installed.
|
||||||
|
|
||||||
|
|
||||||
REQUIRED PARAMETERS
|
REQUIRED PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
|
|
||||||
|
@ -21,6 +38,7 @@ object id
|
||||||
admin-email
|
admin-email
|
||||||
Where to send Let's Encrypt emails like "certificate needs renewal".
|
Where to send Let's Encrypt emails like "certificate needs renewal".
|
||||||
|
|
||||||
|
|
||||||
OPTIONAL PARAMETERS
|
OPTIONAL PARAMETERS
|
||||||
-------------------
|
-------------------
|
||||||
|
|
||||||
|
@ -36,25 +54,68 @@ webroot
|
||||||
The path to your webroot, as set up in your webserver config. If this
|
The path to your webroot, as set up in your webserver config. If this
|
||||||
parameter is not present, Certbot will be run in standalone mode.
|
parameter is not present, Certbot will be run in standalone mode.
|
||||||
|
|
||||||
|
|
||||||
OPTIONAL MULTIPLE PARAMETERS
|
OPTIONAL MULTIPLE PARAMETERS
|
||||||
----------------------------
|
----------------------------
|
||||||
|
|
||||||
renew-hook
|
|
||||||
Renew hook command directly passed to Certbot in cron job.
|
|
||||||
|
|
||||||
domain
|
domain
|
||||||
Domains to be included in the certificate. When specified then object id
|
Domains to be included in the certificate. When specified then object id
|
||||||
is not used as a domain.
|
is not used as a domain.
|
||||||
|
|
||||||
|
deploy-hook
|
||||||
|
Command to be executed only when the certificate associated with this
|
||||||
|
``$__object_id`` is issued or renewed.
|
||||||
|
You can specify it multiple times, but any failure will prevent further
|
||||||
|
commands from being executed.
|
||||||
|
|
||||||
|
For this command, the
|
||||||
|
shell variable ``$RENEWED_LINEAGE`` will point to the
|
||||||
|
config live subdirectory (for example,
|
||||||
|
``/etc/letsencrypt/live/${__object_id}``) containing the
|
||||||
|
new certificates and keys; the shell variable
|
||||||
|
``$RENEWED_DOMAINS`` will contain a space-delimited list
|
||||||
|
of renewed certificate domains (for example,
|
||||||
|
``example.com www.example.com``)
|
||||||
|
|
||||||
|
pre-hook
|
||||||
|
Command to be run in a shell before obtaining any
|
||||||
|
certificates.
|
||||||
|
You can specify it multiple times, but any failure will prevent further
|
||||||
|
commands from being executed.
|
||||||
|
|
||||||
|
Note these run regardless of which certificate is attempted, you may want to
|
||||||
|
manage these system-wide hooks with ``__file`` in
|
||||||
|
``/etc/letsencrypt/renewal-hooks/pre/``.
|
||||||
|
|
||||||
|
Intended primarily for renewal, where it
|
||||||
|
can be used to temporarily shut down a webserver that
|
||||||
|
might conflict with the standalone plugin. This will
|
||||||
|
only be called if a certificate is actually to be
|
||||||
|
obtained/renewed.
|
||||||
|
|
||||||
|
post-hook
|
||||||
|
Command to be run in a shell after attempting to
|
||||||
|
obtain/renew certificates.
|
||||||
|
You can specify it multiple times, but any failure will prevent further
|
||||||
|
commands from being executed.
|
||||||
|
|
||||||
|
Note these run regardless of which certificate was attempted, you may want to
|
||||||
|
manage these system-wide hooks with ``__file`` in
|
||||||
|
``/etc/letsencrypt/renewal-hooks/post/``.
|
||||||
|
|
||||||
|
Can be used to deploy
|
||||||
|
renewed certificates, or to restart any servers that
|
||||||
|
were stopped by --pre-hook. This is only run if an
|
||||||
|
attempt was made to obtain/renew a certificate.
|
||||||
|
|
||||||
|
|
||||||
BOOLEAN PARAMETERS
|
BOOLEAN PARAMETERS
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
automatic-renewal
|
|
||||||
Install a cron job, which attempts to renew certificates daily.
|
|
||||||
|
|
||||||
staging
|
staging
|
||||||
Obtain a test certificate from a staging server.
|
Obtain a test certificate from a staging server.
|
||||||
|
|
||||||
|
|
||||||
MESSAGES
|
MESSAGES
|
||||||
--------
|
--------
|
||||||
|
|
||||||
|
@ -67,6 +128,7 @@ create
|
||||||
remove
|
remove
|
||||||
Certificate was removed.
|
Certificate was removed.
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
--------
|
--------
|
||||||
|
|
||||||
|
@ -75,8 +137,7 @@ EXAMPLES
|
||||||
# use object id as domain
|
# use object id as domain
|
||||||
__letsencrypt_cert example.com \
|
__letsencrypt_cert example.com \
|
||||||
--admin-email root@example.com \
|
--admin-email root@example.com \
|
||||||
--automatic-renewal \
|
--deploy-hook "service nginx reload" \
|
||||||
--renew-hook "service nginx reload" \
|
|
||||||
--webroot /data/letsencrypt/root
|
--webroot /data/letsencrypt/root
|
||||||
|
|
||||||
.. code-block:: sh
|
.. code-block:: sh
|
||||||
|
@ -85,11 +146,10 @@ EXAMPLES
|
||||||
# and example.com needs to be included again with domain parameter
|
# and example.com needs to be included again with domain parameter
|
||||||
__letsencrypt_cert example.com \
|
__letsencrypt_cert example.com \
|
||||||
--admin-email root@example.com \
|
--admin-email root@example.com \
|
||||||
--automatic-renewal \
|
|
||||||
--domain example.com \
|
--domain example.com \
|
||||||
--domain foo.example.com \
|
--domain foo.example.com \
|
||||||
--domain bar.example.com \
|
--domain bar.example.com \
|
||||||
--renew-hook "service nginx reload" \
|
--deploy-hook "service nginx reload" \
|
||||||
--webroot /data/letsencrypt/root
|
--webroot /data/letsencrypt/root
|
||||||
|
|
||||||
AUTHORS
|
AUTHORS
|
||||||
|
@ -99,11 +159,13 @@ AUTHORS
|
||||||
| Kamila Součková <kamila--@--ksp.sk>
|
| Kamila Součková <kamila--@--ksp.sk>
|
||||||
| Darko Poljak <darko.poljak--@--gmail.com>
|
| Darko Poljak <darko.poljak--@--gmail.com>
|
||||||
| Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
|
| Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
|
||||||
|
| Evilham <contact@evilham.com>
|
||||||
|
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
|
|
||||||
Copyright \(C) 2017-2018 Nico Schottelius, Kamila Součková, Darko Poljak and
|
Copyright \(C) 2017-2021 Nico Schottelius, Kamila Součková, Darko Poljak and
|
||||||
Ľubomír Kučera. You can redistribute it and/or modify it under the terms of
|
Ľubomír Kučera. You can redistribute it and/or modify it under the terms of
|
||||||
the GNU General Public License as published by the Free Software Foundation,
|
the GNU General Public License as published by the Free Software Foundation,
|
||||||
either version 3 of the License, or (at your option) any later version.
|
either version 3 of the License, or (at your option) any later version.
|
||||||
|
|
|
@ -1,18 +1,20 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
certbot_fullpath="$(cat "${__object:?}/explorer/certbot-path")"
|
certbot_fullpath="$(grep "^certbot_path:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-)"
|
||||||
|
state=$(cat "${__object}/parameter/state")
|
||||||
|
os="$(cat "${__global:?}/explorer/os")"
|
||||||
|
|
||||||
if [ -z "${certbot_fullpath}" ]; then
|
if [ -z "${certbot_fullpath}" ]; then
|
||||||
os="$(cat "${__global:?}/explorer/os")"
|
|
||||||
os_version="$(cat "${__global}/explorer/os_version")"
|
os_version="$(cat "${__global}/explorer/os_version")"
|
||||||
|
# Use this, very common value, as a default. It is OS-dependent
|
||||||
|
certbot_fullpath="/usr/bin/certbot"
|
||||||
case "$os" in
|
case "$os" in
|
||||||
archlinux)
|
archlinux)
|
||||||
__package certbot
|
__package certbot
|
||||||
;;
|
;;
|
||||||
alpine)
|
alpine)
|
||||||
__package certbot
|
__package certbot
|
||||||
;;
|
;;
|
||||||
debian)
|
debian)
|
||||||
case "$os_version" in
|
case "$os_version" in
|
||||||
8*)
|
8*)
|
||||||
|
@ -39,7 +41,7 @@ if [ -z "${certbot_fullpath}" ]; then
|
||||||
require="__apt_source/stretch-backports" __package_apt certbot \
|
require="__apt_source/stretch-backports" __package_apt certbot \
|
||||||
--target-release stretch-backports
|
--target-release stretch-backports
|
||||||
;;
|
;;
|
||||||
10*)
|
10*|11*)
|
||||||
__package_apt certbot
|
__package_apt certbot
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
@ -48,9 +50,7 @@ if [ -z "${certbot_fullpath}" ]; then
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
;;
|
||||||
certbot_fullpath=/usr/bin/certbot
|
|
||||||
;;
|
|
||||||
devuan)
|
devuan)
|
||||||
case "$os_version" in
|
case "$os_version" in
|
||||||
jessie)
|
jessie)
|
||||||
|
@ -83,17 +83,14 @@ if [ -z "${certbot_fullpath}" ]; then
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
certbot_fullpath=/usr/bin/certbot
|
|
||||||
;;
|
;;
|
||||||
freebsd)
|
freebsd)
|
||||||
__package py27-certbot
|
__package py37-certbot
|
||||||
|
certbot_fullpath="/usr/local/bin/certbot"
|
||||||
certbot_fullpath=/usr/local/bin/certbot
|
|
||||||
;;
|
;;
|
||||||
ubuntu)
|
ubuntu)
|
||||||
__package certbot
|
__package certbot
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
echo "Unsupported os: $os" >&2
|
echo "Unsupported os: $os" >&2
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -101,18 +98,61 @@ if [ -z "${certbot_fullpath}" ]; then
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "${__object}/parameter/automatic-renewal" ]; then
|
# Other OS-dependent values that we want to set every time
|
||||||
renew_hook_param="${__object}/parameter/renew-hook"
|
LE_DIR="/etc/letsencrypt"
|
||||||
renew_hook=""
|
certbot_cronjob_state="absent"
|
||||||
if [ -f "${renew_hook_param}" ]; then
|
case "$os" in
|
||||||
while read -r hook; do
|
archlinux|alpine)
|
||||||
renew_hook="${renew_hook} --renew-hook \"${hook}\""
|
certbot_cronjob_state="present"
|
||||||
done < "${renew_hook_param}"
|
;;
|
||||||
fi
|
freebsd)
|
||||||
|
LE_DIR="/usr/local/etc/letsencrypt"
|
||||||
|
# FreeBSD uses periodic(8) instead of crontabs for this
|
||||||
|
__line "periodic.conf_weekly_certbot" \
|
||||||
|
--file "/etc/periodic.conf" \
|
||||||
|
--regex "^(#[[:space:]]*)?weekly_certbot_enable=.*" \
|
||||||
|
--state "replace" \
|
||||||
|
--line 'weekly_certbot_enable="YES"'
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
__cron letsencrypt-certbot \
|
# This is only necessary in certain OS
|
||||||
--user root \
|
__cron letsencrypt-certbot \
|
||||||
--command "${certbot_fullpath} renew -q ${renew_hook}" \
|
--user root \
|
||||||
--hour 0 \
|
--command "${certbot_fullpath} renew -q" \
|
||||||
--minute 47
|
--hour 0 \
|
||||||
|
--minute 47 \
|
||||||
|
--state "${certbot_cronjob_state}"
|
||||||
|
|
||||||
|
# Ensure hook directories
|
||||||
|
HOOKS_DIR="${LE_DIR}/renewal-hooks"
|
||||||
|
__directory "${LE_DIR}" --mode 0755
|
||||||
|
require="__directory/${LE_DIR}" __directory "${HOOKS_DIR}" --mode 0755
|
||||||
|
|
||||||
|
if [ -f "${__object}/parameter/domain" ]; then
|
||||||
|
domains="$(sort "${__object}/parameter/domain")"
|
||||||
|
else
|
||||||
|
domains="${__object_id}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Install hooks as needed
|
||||||
|
for hook in deploy pre post; do
|
||||||
|
# Using something unique and specific to this object
|
||||||
|
hook_file="${HOOKS_DIR}/${hook}/${__object_id}.cdist.sh"
|
||||||
|
|
||||||
|
# This defines hook_contents
|
||||||
|
# shellcheck source=cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh
|
||||||
|
. "${__type}/files/gen_hook.sh"
|
||||||
|
|
||||||
|
# Ensure hook directory exists
|
||||||
|
require="__directory/${HOOKS_DIR}" __directory "${HOOKS_DIR}/${hook}" \
|
||||||
|
--mode 0755
|
||||||
|
require="__directory/${HOOKS_DIR}/${hook}" __file "${hook_file}" \
|
||||||
|
--mode 0555 \
|
||||||
|
--source '-' \
|
||||||
|
--state "${hook_state}" <<EOF
|
||||||
|
${hook_contents}
|
||||||
|
EOF
|
||||||
|
done
|
||||||
|
|
|
@ -0,0 +1,2 @@
|
||||||
|
Deprecated in favour of consistent behaviour. It has no effect, see:
|
||||||
|
https://code.ungleich.ch/ungleich-public/cdist/-/issues/853
|
|
@ -0,0 +1,2 @@
|
||||||
|
This parameter has been deprecated in favour of --deploy-hook.
|
||||||
|
See: https://code.ungleich.ch/ungleich-public/cdist/-/issues/853
|
|
@ -1,2 +1,5 @@
|
||||||
|
deploy-hook
|
||||||
domain
|
domain
|
||||||
|
post-hook
|
||||||
|
pre-hook
|
||||||
renew-hook
|
renew-hook
|
||||||
|
|
|
@ -81,12 +81,24 @@ aptget="DEBIAN_FRONTEND=noninteractive apt-get --quiet --yes -o Dpkg::Options::=
|
||||||
|
|
||||||
case "$state_should" in
|
case "$state_should" in
|
||||||
present)
|
present)
|
||||||
|
# There are special arguments to apt(8) to prevent aborts if apt woudn't been
|
||||||
|
# updated after the 19th April 2021 till the bullseye release. The additional
|
||||||
|
# arguments acknoledge the happend suite change (the apt(8) update does the
|
||||||
|
# same by itself).
|
||||||
|
#
|
||||||
|
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
|
||||||
|
# allows backward compatablility to pre-buster Debian versions.
|
||||||
|
#
|
||||||
|
# See more: ticket #861
|
||||||
|
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
|
||||||
|
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
|
||||||
|
|
||||||
# following is bit ugly, but important hack.
|
# following is bit ugly, but important hack.
|
||||||
# due to how cdist config run works, there isn't
|
# due to how cdist config run works, there isn't
|
||||||
# currently better way to do it :(
|
# currently better way to do it :(
|
||||||
cat << EOF
|
cat << EOF
|
||||||
if [ ! -f /var/cache/apt/pkgcache.bin ] || [ "\$( stat --format %Y /var/cache/apt/pkgcache.bin )" -lt "\$( date +%s -d '-1 day' )" ]
|
if [ ! -f /var/cache/apt/pkgcache.bin ] || [ "\$( stat --format %Y /var/cache/apt/pkgcache.bin )" -lt "\$( date +%s -d '-1 day' )" ]
|
||||||
then echo apt-get update > /dev/null 2>&1 || true
|
then echo apt-get $apt_opts update > /dev/null 2>&1 || true
|
||||||
fi
|
fi
|
||||||
EOF
|
EOF
|
||||||
if [ -n "$version" ]; then
|
if [ -n "$version" ]; then
|
||||||
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# 2021 Matthias Stecher (matthiasstecher at gmx.de)
|
||||||
|
#
|
||||||
|
# This file is part of cdist.
|
||||||
|
#
|
||||||
|
# cdist is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# cdist is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
nameparam="$__object/parameter/name"
|
||||||
|
if [ -f "$nameparam" ]; then
|
||||||
|
name=$(cat "$nameparam")
|
||||||
|
else
|
||||||
|
name="$__object_id"
|
||||||
|
fi
|
||||||
|
|
||||||
|
pipparam="$__object/parameter/pip"
|
||||||
|
if [ -f "$pipparam" ]; then
|
||||||
|
pip=$(cat "$pipparam")
|
||||||
|
else
|
||||||
|
pip="$( "$__type_explorer/pip" )"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if command -v "$pip" >/dev/null 2>&1; then
|
||||||
|
# assemble the path where pip stores all pip package info
|
||||||
|
"$pip" show "$name" \
|
||||||
|
| awk -F': ' '
|
||||||
|
$1 == "Name" {name=$2; gsub(/-/,"_",name); next}
|
||||||
|
$1 == "Version" {version=$2; next}
|
||||||
|
$1 == "Location" {location=$2; next}
|
||||||
|
END {if (version != "") printf "%s/%s-%s.dist-info", location, name, version}'
|
||||||
|
fi
|
|
@ -0,0 +1,66 @@
|
||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# 2021 Matthias Stecher (matthiasstecher at gmx.de)
|
||||||
|
#
|
||||||
|
# This file is part of cdist.
|
||||||
|
#
|
||||||
|
# cdist is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# cdist is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Checks if the given extras are really installed or not. It will be
|
||||||
|
# done by querring all dependencies for that extra and return it as
|
||||||
|
# "to be installed" if no dependency was found.
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
distinfo_dir="$("$__type_explorer/distinfo-dir")"
|
||||||
|
|
||||||
|
# check if we have something to check
|
||||||
|
if [ "$distinfo_dir" ] && [ -s "$__object/parameter/extra" ]
|
||||||
|
then
|
||||||
|
# save cause freezing is slow
|
||||||
|
mkdir "$__object/files"
|
||||||
|
pip_freeze="$__object/files/pip-freeze.tmp"
|
||||||
|
pip3 freeze > "$pip_freeze"
|
||||||
|
|
||||||
|
# If all is set, it searches all available extras to separatly check them.
|
||||||
|
# It would work with just 'all' (cause dependencies are specified for
|
||||||
|
# 'all'), but will not update if one extra is already present. Side effect
|
||||||
|
# is that it will not use [all] but instead name all extras seperatly.
|
||||||
|
for extra in $(if grep -qFx all "$__object/parameter/extra";
|
||||||
|
then awk -F': ' '$1 == "Provides-Extra" && $2 != "all"{print $2}' "$distinfo_dir/METADATA";
|
||||||
|
else tr ',' '\n' < "$__object/parameter/extra";
|
||||||
|
fi)
|
||||||
|
do
|
||||||
|
# create a grep BRE pattern to search all packages
|
||||||
|
# maybe a file full of patterns for -F could be written
|
||||||
|
grep_pattern="$(
|
||||||
|
awk -F'(: | ; )' -v check="$extra" '
|
||||||
|
$1 == "Requires-Dist" {
|
||||||
|
split($2, r, " ");
|
||||||
|
sub("extra == ", "", $3); gsub("'"'"'", "", $3);
|
||||||
|
if($3 == check) print r[1]
|
||||||
|
}' "$distinfo_dir/METADATA" \
|
||||||
|
| sed ':a; $!N; s/\n/\\|/; ta'
|
||||||
|
)"
|
||||||
|
|
||||||
|
# echo the extra if no packages where found for it
|
||||||
|
# if there is no pattern, we don't need to search ;-)
|
||||||
|
# pip matches packages case-insensetive, we need to do that, too
|
||||||
|
if [ "$grep_pattern" ] && ! grep -qi "$grep_pattern" "$pip_freeze"
|
||||||
|
then
|
||||||
|
echo "$extra"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
|
@ -2,6 +2,7 @@
|
||||||
#
|
#
|
||||||
# 2012 Nico Schottelius (nico-cdist at schottelius.org)
|
# 2012 Nico Schottelius (nico-cdist at schottelius.org)
|
||||||
# 2016 Darko Poljak (darko.poljak at gmail.com)
|
# 2016 Darko Poljak (darko.poljak at gmail.com)
|
||||||
|
# 2021 Matthias Stecher (matthiasstecher at gmx.de)
|
||||||
#
|
#
|
||||||
# This file is part of cdist.
|
# This file is part of cdist.
|
||||||
#
|
#
|
||||||
|
@ -25,7 +26,10 @@
|
||||||
state_is=$(cat "$__object/explorer/state")
|
state_is=$(cat "$__object/explorer/state")
|
||||||
state_should="$(cat "$__object/parameter/state")"
|
state_should="$(cat "$__object/parameter/state")"
|
||||||
|
|
||||||
[ "$state_is" = "$state_should" ] && exit 0
|
# short circuit if state is the same and no extras to install
|
||||||
|
[ "$state_is" = "$state_should" ] && ! [ -s "$__object/explorer/extras" ] \
|
||||||
|
&& exit 0
|
||||||
|
|
||||||
|
|
||||||
nameparam="$__object/parameter/name"
|
nameparam="$__object/parameter/name"
|
||||||
if [ -f "$nameparam" ]; then
|
if [ -f "$nameparam" ]; then
|
||||||
|
@ -56,6 +60,14 @@ fi
|
||||||
|
|
||||||
case "$state_should" in
|
case "$state_should" in
|
||||||
present)
|
present)
|
||||||
|
if [ -s "$__object/explorer/extras" ]
|
||||||
|
then
|
||||||
|
# all extras are passed to pip in a comma-separated list in the name
|
||||||
|
# sed loops through all input lines and add commas between them
|
||||||
|
extras="$(sed ':a; $!N; s/\n/,/; ta' "$__object/explorer/extras")"
|
||||||
|
name="${name}[${extras}]"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$runas" ]
|
if [ "$runas" ]
|
||||||
then
|
then
|
||||||
echo "su -c '$pip install -q $name' $runas"
|
echo "su -c '$pip install -q $name' $runas"
|
||||||
|
|
|
@ -22,6 +22,16 @@ OPTIONAL PARAMETERS
|
||||||
name
|
name
|
||||||
If supplied, use the name and not the object id as the package name.
|
If supplied, use the name and not the object id as the package name.
|
||||||
|
|
||||||
|
extra
|
||||||
|
Extra optional dependencies which should be installed along the selected
|
||||||
|
package. Can be specified multiple times. Multiple extras can be passed
|
||||||
|
in one `--extra` as a comma-separated list.
|
||||||
|
|
||||||
|
Extra optional dependencies will be installed even when the base package
|
||||||
|
is already installed. Notice that the type will not remove installed extras
|
||||||
|
that are not explicitly named for the type because pip does not offer a
|
||||||
|
management for orphaned packages and they may be used by other packages.
|
||||||
|
|
||||||
pip
|
pip
|
||||||
Instead of using pip from PATH, use the specific pip path.
|
Instead of using pip from PATH, use the specific pip path.
|
||||||
|
|
||||||
|
@ -46,6 +56,14 @@ EXAMPLES
|
||||||
# Use pip in a virtualenv located at /foo/shinken_virtualenv as user foo
|
# Use pip in a virtualenv located at /foo/shinken_virtualenv as user foo
|
||||||
__package_pip pyro --state present --pip /foo/shinken_virtualenv/bin/pip --runas foo
|
__package_pip pyro --state present --pip /foo/shinken_virtualenv/bin/pip --runas foo
|
||||||
|
|
||||||
|
# Install package with optional dependencies
|
||||||
|
__package_pip mautrix-telegram --extra speedups --extra webp_convert --extra hq_thumbnails
|
||||||
|
# the extras can also be specified comma-separated
|
||||||
|
__package_pip mautrix-telegram --extra speedups,webp_convert,hq_thumbnails --extra postgres
|
||||||
|
|
||||||
|
# or take all extras
|
||||||
|
__package_pip mautrix-telegram --extra all
|
||||||
|
|
||||||
|
|
||||||
SEE ALSO
|
SEE ALSO
|
||||||
--------
|
--------
|
||||||
|
@ -54,12 +72,13 @@ SEE ALSO
|
||||||
|
|
||||||
AUTHORS
|
AUTHORS
|
||||||
-------
|
-------
|
||||||
Nico Schottelius <nico-cdist--@--schottelius.org>
|
| Nico Schottelius <nico-cdist--@--schottelius.org>
|
||||||
|
| Matthias Stecher <matthiasstecher--@--gmx.de>
|
||||||
|
|
||||||
|
|
||||||
COPYING
|
COPYING
|
||||||
-------
|
-------
|
||||||
Copyright \(C) 2012 Nico Schottelius. You can redistribute it
|
Copyright \(C) 2012 Nico Schottelius, 2021 Matthias Stecher. You can
|
||||||
and/or modify it under the terms of the GNU General Public License as
|
redistribute it and/or modify it under the terms of the GNU General
|
||||||
published by the Free Software Foundation, either version 3 of the
|
Public License as published by the Free Software Foundation, either
|
||||||
License, or (at your option) any later version.
|
version 3 of the License, or (at your option) any later version.
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
extra
|
|
@ -37,6 +37,7 @@ assert () # If condition false,
|
||||||
then
|
then
|
||||||
echo "Assertion failed: \"$1\""
|
echo "Assertion failed: \"$1\""
|
||||||
# shellcheck disable=SC2039
|
# shellcheck disable=SC2039
|
||||||
|
# shellcheck disable=SC3044
|
||||||
echo "File \"$0\", line $lineno, called by $(caller 0)"
|
echo "File \"$0\", line $lineno, called by $(caller 0)"
|
||||||
exit $E_ASSERT_FAILED
|
exit $E_ASSERT_FAILED
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -41,7 +41,19 @@ fi
|
||||||
case "$type" in
|
case "$type" in
|
||||||
yum) ;;
|
yum) ;;
|
||||||
apt)
|
apt)
|
||||||
echo "apt-get --quiet update"
|
# There are special arguments to apt(8) to prevent aborts if apt woudn't been
|
||||||
|
# updated after the 19th April 2021 till the bullseye release. The additional
|
||||||
|
# arguments acknoledge the happend suite change (the apt(8) update does the
|
||||||
|
# same by itself).
|
||||||
|
#
|
||||||
|
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
|
||||||
|
# allows backward compatablility to pre-buster Debian versions.
|
||||||
|
#
|
||||||
|
# See more: ticket #861
|
||||||
|
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
|
||||||
|
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
|
||||||
|
|
||||||
|
echo "apt-get --quiet $apt_opts update"
|
||||||
echo "apt-cache updated (age was: $currage)" >> "$__messages_out"
|
echo "apt-cache updated (age was: $currage)" >> "$__messages_out"
|
||||||
;;
|
;;
|
||||||
pacman)
|
pacman)
|
||||||
|
|
|
@ -28,6 +28,10 @@ apt_clean="$__object/parameter/apt-clean"
|
||||||
|
|
||||||
apt_dist_upgrade="$__object/parameter/apt-dist-upgrade"
|
apt_dist_upgrade="$__object/parameter/apt-dist-upgrade"
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/apt-with-new-pkgs" ]; then
|
||||||
|
apt_with_new_pkgs="--with-new-pkgs"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -f "$type" ]; then
|
if [ -f "$type" ]; then
|
||||||
type="$(cat "$type")"
|
type="$(cat "$type")"
|
||||||
else
|
else
|
||||||
|
@ -54,7 +58,7 @@ case "$type" in
|
||||||
apt)
|
apt)
|
||||||
if [ -f "$apt_dist_upgrade" ]
|
if [ -f "$apt_dist_upgrade" ]
|
||||||
then echo "$aptget dist-upgrade"
|
then echo "$aptget dist-upgrade"
|
||||||
else echo "$aptget upgrade"
|
else echo "$aptget $apt_with_new_pkgs upgrade"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$apt_clean" ]
|
if [ -f "$apt_clean" ]
|
||||||
|
|
|
@ -33,6 +33,14 @@ BOOLEAN PARAMETERS
|
||||||
apt-dist-upgrade
|
apt-dist-upgrade
|
||||||
Do dist-upgrade instead of upgrade.
|
Do dist-upgrade instead of upgrade.
|
||||||
|
|
||||||
|
apt-with-new-pkg
|
||||||
|
Allow installing new packages when used in conjunction with
|
||||||
|
upgrade. This is useful if the update of an installed package
|
||||||
|
requires new dependencies to be installed. Instead of holding the
|
||||||
|
package back upgrade will upgrade the package and install the new
|
||||||
|
dependencies. Note that upgrade with this option will never remove
|
||||||
|
packages, only allow adding new ones.
|
||||||
|
|
||||||
apt-clean
|
apt-clean
|
||||||
Clean out the local repository of retrieved package files.
|
Clean out the local repository of retrieved package files.
|
||||||
|
|
||||||
|
|
|
@ -1,2 +1,3 @@
|
||||||
apt-clean
|
apt-clean
|
||||||
apt-dist-upgrade
|
apt-dist-upgrade
|
||||||
|
apt-with-new-pkgs
|
||||||
|
|
|
@ -0,0 +1,64 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
# -*- mode: sh; indent-tabs-mode: t -*-
|
||||||
|
#
|
||||||
|
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
|
||||||
|
#
|
||||||
|
# This file is part of cdist.
|
||||||
|
#
|
||||||
|
# cdist is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# cdist is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
os=$("${__explorer:?}/os")
|
||||||
|
|
||||||
|
case ${os}
|
||||||
|
in
|
||||||
|
(alpine)
|
||||||
|
echo 'postgres'
|
||||||
|
;;
|
||||||
|
(centos|rhel|scientific)
|
||||||
|
echo 'postgres'
|
||||||
|
;;
|
||||||
|
(debian|devuan|ubuntu)
|
||||||
|
echo 'postgres'
|
||||||
|
;;
|
||||||
|
(freebsd)
|
||||||
|
test -x /usr/local/etc/rc.d/postgresql || {
|
||||||
|
printf 'could not find postgresql rc script./n' >&2
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
pg_status=$(/usr/local/etc/rc.d/postgresql onestatus) || {
|
||||||
|
printf 'postgresql daemon is not running.\n' >&2
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
pg_pid=$(printf '%s\n' "${pg_status}" \
|
||||||
|
| sed -n 's/^pg_ctl:.*(PID: *\([0-9]*\))$/\1/p')
|
||||||
|
|
||||||
|
# PostgreSQL < 9.6: pgsql
|
||||||
|
# PostgreSQL >= 9.6: postgres
|
||||||
|
ps -o user -p "${pg_pid}" | sed -n '2p'
|
||||||
|
;;
|
||||||
|
(netbsd)
|
||||||
|
echo 'pgsql'
|
||||||
|
;;
|
||||||
|
(openbsd)
|
||||||
|
echo '_postgresql'
|
||||||
|
;;
|
||||||
|
(suse)
|
||||||
|
echo 'postgres'
|
||||||
|
;;
|
||||||
|
(*)
|
||||||
|
echo "Unsupported OS: ${os}" >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue