Compare commits

..

184 commits
6.8 ... master

Author SHA1 Message Date
37e9e8c2a3 __ipset: do not make use of grep -P flag as it is marked as experimental 2021-01-09 12:54:36 +00:00
fcd3b245e7 __ipset: explorer/content, a better way to find the start of the set membership
Don't count lines, as that seems inconsistant, instead find the start of the membership list by looking for "Members:"
2021-01-09 10:25:53 +00:00
49f62f0965 __ipset: gencode-remote dont use bash, use sh 2021-01-09 10:24:33 +00:00
e5099d32f3 __ipset: ignore ipset errors when non-existing item is removed, or item is added twice.
We might choose to include human readable hostnames, rather than ip addresses.
In these cases, we are unable to correctly detect membership, but ipset will resolve and error on duplicate.

the sets contain ip addresses and not resolvable names, gencode-remote will produce output, but ipset will eventually resolve to ip
addresses/check for real membership.

For example:

    __ipset good-sites --type hash:ip --add cdi.st

or:

    __ipset blocked-sites --type hash:ip --del cdi.st
2021-01-09 09:34:01 +00:00
c43bd0eed5 Add new type: __ipset 2021-01-06 15:40:23 +00:00
Darko Poljak
7cf85c4659 Release 6.9.4 2020-12-21 19:21:51 +01:00
Darko Poljak
4bae2863db ++changelog 2020-12-18 12:54:33 +01:00
3566901e1c Merge branch '__dot_file-dirmode' into 'master'
Added optional dirmode parameter to set the mode of (optional) the directory.

See merge request ungleich-public/cdist!966
2020-12-18 12:50:30 +01:00
Mark Verboom
8dc2c4207c Added optional dirmode parameter to set the mode of (optional) the directory. 2020-12-18 11:16:28 +01:00
Darko Poljak
71f2283117 ++changelog 2020-12-13 16:03:39 +01:00
f87da8150c Merge branch 'type/__debian_backports' into 'master'
__apt_backports type

See merge request ungleich-public/cdist!964
2020-12-13 16:03:31 +01:00
ae747ac021 Merge branch 'os_version-freebsd' into 'master'
[explorer/os_version] Improve FreeBSD support.

See merge request ungleich-public/cdist!965
2020-12-13 16:00:45 +01:00
27aca06fb8 __apt_backports: undo __apt_update_index call
Becuase it is already done by __apt_source.
2020-12-12 17:34:51 +01:00
fca35fc858 __apt_backports: fix explorer call
s/-/_/ because the explorers are following an other convention :-)
2020-12-12 17:29:58 +01:00
645734c629 [explorer/os_version] Improve FreeBSD support.
It looks like uname -r is not the most reliable way to get the target patch
level for the target system.

For more information see:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
2020-12-12 12:15:17 +01:00
fafa3d9ea5 __apt_backports: update index if required
This type now automatically calls the type __apt_update_index to update
the package index if something changed.
2020-12-12 10:00:23 +01:00
49aec0b5e4 __apt_backports: list supported OSes
The manpage now lists all OSes where this type supports backports.
2020-12-12 09:40:47 +01:00
c4d19a2319 __debian_backports -> __apt_backports; add wider os support
As discussed in the chat, this type now supports a broader list of OSes
which it supports backports for. Because of this, it was renamed to
something more generic. "apt" should fit in.
2020-12-12 09:36:17 +01:00
0d96b31b56 __debian_backports: pass shellcheck for sourced file
Because the sourced explorer can't be detected by shellcheck, it will be
completely disabled. Changing the path to /etc/os-release isn't
deterministic either.

The shellcheck wiki page suggests to use `source=/dev/null` instead of
`disable=SC1090`, but it was choosen to completely avoid that check ..
2020-12-11 18:13:44 +01:00
a5169ad858 new type __debian_backports
This new type will setup the backports distribution for the current
Debian release.
2020-12-10 21:24:26 +01:00
Darko Poljak
a58f5ffa7f ++changelog 2020-12-08 19:36:44 +01:00
0546d6e476 Merge branch 'fix/__block/escape' into 'master'
__block: fix escaping in here-doc

Closes #838

See merge request ungleich-public/cdist!962
2020-12-08 19:36:45 +01:00
Darko Poljak
14c81d6c7e ++changelog 2020-12-08 07:16:26 +01:00
a1987fe410 Merge branch 'feature/__iptables_rule/ipv6' into 'master'
__iptables*: add IPv6 support

See merge request ungleich-public/cdist!959
2020-12-08 07:10:29 +01:00
c5ca4cd2e1 __block: securly quote via the quote function
Because the function already exists, it will be used for the file to be
changed, too. Therefor, no quotes are required for that value.

The prefix and suffix match was also improved: There is no regex check
any more (the regex did checked the whole line); instead it will do it
simple.
2020-12-07 19:59:05 +01:00
Darko Poljak
2966296173 ++changelog 2020-12-07 19:47:52 +01:00
226f665fb5 Merge branch 'imp-deprecation' into 'master'
Deal with deprecation of imp module.

See merge request ungleich-public/cdist!963
2020-12-07 19:48:08 +01:00
1c61989c03 Merge branch 'fix/type/__package_pkgng_freebsd/bootstrap' into 'master'
__package_pkgng_freebsd: Fix bootstrapping pkg(7)

See merge request ungleich-public/cdist!961
2020-12-07 19:42:21 +01:00
bed08c2c5c Deal with deprecation of imp module.
importlib has been a thing since Python 3.1, and imp has been deprecated since
3.4.

Insert random complaint here about not being able to use f-strings because they
were introduced in Python 3.6 and apparently we support Python 3.5 >,<.

Output diff before to after for ./bin/cdist-build-helper test (on heavy load):
```
1,2d0
< /usr/home/evilham/s/cdist/cdist/cdist/test/__main__.py:23: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
<   import imp
72c70
< ERROR: cdisttesthost: __file/tmp/foobar requires object __file without object id. Defined at /tmp/tmp.cdist.test.g87lx7c8/tmp.cdist.test.6ramsakx
---
> ERROR: cdisttesthost: __file/tmp/foobar requires object __file without object id. Defined at /tmp/tmp.cdist.test.aqdf6vjz/tmp.cdist.test.jgv3udel
76c74
< test_nonexistent_type_requirement (cdist.test.emulator.EmulatorTestCase) ... ERROR: cdisttesthost: __file/tmp/foobar requires object __does-not-exist/some-id, but type __does-not-exist does not exist. Defined at /tmp/tmp.cdist.test.mma5j8ln/tmp.cdist.test.3zg4by4d
---
> test_nonexistent_type_requirement (cdist.test.emulator.EmulatorTestCase) ... ERROR: cdisttesthost: __file/tmp/foobar requires object __does-not-exist/some-id, but type __does-not-exist does not exist. Defined at /tmp/tmp.cdist.test.t8d6ockr/tmp.cdist.test.uimxurg9
86c84
< test_initial_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running initial manifest /tmp/tmp.cdist.test.uvid60ij/759547ff4356de6e3d9e08522b0d0807/data/conf/manifest/dump_environment
---
> test_initial_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running initial manifest /tmp/tmp.cdist.test._cttcnrj/759547ff4356de6e3d9e08522b0d0807/data/conf/manifest/dump_environment
89c87
< test_type_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running type manifest /tmp/tmp.cdist.test.k1i2onpb/759547ff4356de6e3d9e08522b0d0807/data/conf/type/__dump_environment/manifest for object __dump_environment/whatever
---
> test_type_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running type manifest /tmp/tmp.cdist.test.ukr7lrzd/759547ff4356de6e3d9e08522b0d0807/data/conf/type/__dump_environment/manifest for object __dump_environment/whatever
272c270
< Ran 225 tests in 44.457s
---
> Ran 225 tests in 43.750s
```
2020-12-06 20:24:00 +01:00
3930f69456 __block: fix escaping in here-doc
This changes the here-document to do not interpret any shell-things. It
also single-quotes some more strings that are printed to code-remote.

Fixes #838
2020-12-06 16:45:58 +01:00
087be130fa __iptables_apply: shorten copyright header
Do we need all the copyright header or is this sufficient? The licence
is given for cdist, but not on the target host. But it should be clear
anyway.
2020-12-04 19:23:49 +01:00
Dennis Camera
2d19856840 [type/__package_pkgng_freebsd] Set ASSUME_ALWAYS_YES instead of -y 2020-12-04 18:26:03 +01:00
ba7d16a155 __iptables_*: correct manpage spelling 2020-12-04 17:57:55 +01:00
Darko Poljak
d44b5cfdc9 Release 6.9.3 2020-12-04 15:31:35 +01:00
Darko Poljak
c7fa2efe6b ++changelog 2020-12-04 15:30:08 +01:00
74426a7827 Merge branch 'fix/pip-install' into 'master'
Hotfix: Add cdist.scan to packages

See merge request ungleich-public/cdist!960
2020-12-04 15:30:12 +01:00
Dennis Camera
1055e92545 [setup.py] Add cdist.scan to packages 2020-12-02 19:54:41 +01:00
a1db5c3d0e __iptables*: Update manpages for execution order
To make some thinks clear if someone needs it ..
2020-12-02 18:22:31 +01:00
bee255c1ae __iptables_apply: man updates 2020-12-02 18:04:50 +01:00
f568462e49 __iptables_rule: fix shellcheck SC2235 2020-12-02 17:48:41 +01:00
84172550df __iptables*: add IPv6 support
Because it currently only support IPv4. To implement this, it falls back
to IPv4 for backward compatibilty, but now supports rules for IPv6 and
both protocols at the same time.
2020-11-30 20:35:19 +01:00
Darko Poljak
23e0da521c Release 6.9.2 2020-11-20 19:46:55 +01:00
Darko Poljak
803a9d62a7 ++changelog 2020-11-20 19:46:03 +01:00
a234445e85 Merge branch 'feature/type/__localedef' into 'master'
__localedef: Add new type to replace __locale

See merge request ungleich-public/cdist!951
2020-11-20 19:42:52 +01:00
Darko Poljak
82eadb6994 ++changelog 2020-11-19 19:34:43 +01:00
58b28d2d75 Merge branch 'feature/type/__sshd_config' into 'master'
__sshd config: New type

See merge request ungleich-public/cdist!958
2020-11-19 19:33:49 +01:00
9d4f69250e __sshd config: New type 2020-11-19 19:33:47 +01:00
6c539d67af Merge branch 'fix/type/__hostname/fix-os-version-detection' into 'master'
__hostname: fix guessing of SuSE OS version

See merge request ungleich-public/cdist!953
2020-11-19 19:31:53 +01:00
d30cd5c2b2 Merge branch 'bugfix/in-script-import' into 'master'
Fix importing cdist module

Closes #845

See merge request ungleich-public/cdist!957
2020-11-14 15:09:42 +01:00
Dennis Camera
87faffd875 [type/__localdef] Also check for aliases in state explorer 2020-11-14 11:45:31 +01:00
Dennis Camera
eeb9871919 [type/__localedef] glibc: Also delete aliases when removing a locale 2020-11-14 11:45:31 +01:00
Dennis Camera
575bb62dc5 [type/__localedef] Externalise functions to separate files 2020-11-14 11:45:31 +01:00
Dennis Camera
c1c60e3374 [type/__localedef] Blacklist OpenBSD and NetBSD 2020-11-14 11:45:31 +01:00
Dennis Camera
dcef2c19f5 [type/__localedef] Add support for FreeBSD 2020-11-14 11:45:31 +01:00
Dennis Camera
f44888f192 [type/__localedef] Only install dependencies in manifest. OS checking moved to gencode-remote 2020-11-14 11:45:31 +01:00
Dennis Camera
cc29e54b85 [type/__localedef] Differentiate between OSes and better handling of normalized locale names 2020-11-14 11:45:31 +01:00
Dennis Camera
54e689f7c2 [type/__localedef] Add state explorer 2020-11-14 10:48:18 +01:00
Dennis Camera
f75d477209 Deprecate __locale and replace with __localedef 2020-11-14 10:48:18 +01:00
Darko Poljak
76aa00b12e Fix importing cdist module
Resolve #845.
2020-11-14 10:23:43 +01:00
Darko Poljak
5092752786 Update build helper script in .gitattributes 2020-11-14 09:59:30 +01:00
Darko Poljak
a07a458871 ++changelog 2020-11-13 06:43:01 +01:00
105797ccb4 Merge branch 'feature/type/__hwclock' into 'master'
__hwclock: New type

See merge request ungleich-public/cdist!956
2020-11-13 06:35:58 +01:00
17fb8bb5d5 Merge branch 'feature/tests/keep-going' into 'master'
cdist-build-helper shellcheck* keep going

See merge request ungleich-public/cdist!955
2020-11-13 06:32:31 +01:00
ac31e95ec0 Merge branch 'fix/ci' into 'master'
Make the pipeline green again

See merge request ungleich-public/cdist!954
2020-11-13 06:30:37 +01:00
Dennis Camera
ebf471e8d0 [type/__hwclock] Add new type 2020-11-13 02:32:45 +01:00
Dennis Camera
2f70a8b540 [bin/cdist-build-helper] Keep going in shellcheck targets 2020-11-11 15:25:46 +01:00
Dennis Camera
c39eb1dbce [cdist.emulator] Fix setting of log level (tests OK) 2020-11-11 15:16:33 +01:00
Dennis Camera
0ee3fda94d Fix paths to cdist executable 2020-11-11 15:05:04 +01:00
Dennis Camera
f82e0167aa [.gitlab-ci.yml] Make version before other targets 2020-11-11 14:49:04 +01:00
Dennis Camera
e2d4f8037a [bin/cdist-build-helper] Fix paths to ex scripts/ scripts 2020-11-11 14:45:05 +01:00
Dennis Camera
21dd500c05 Make pycodestyle pipeline happy 2020-11-11 14:44:44 +01:00
Dennis Camera
87a0d91587 [type/__hostname] Fix OS version detection for SuSE
everything should be suse now…
2020-11-11 14:21:35 +01:00
Dennis Camera
702f3eba4f [type/__hostname] Remove opensuse-leap OS string
everything should be suse now…
2020-11-11 14:21:35 +01:00
Dennis Camera
3e48ef9e11 [type/__hostname] Lint
- Error if expected environment variables are unset
- Always wrap variable expansions in {}
2020-11-11 14:21:35 +01:00
Darko Poljak
ba90651052 ++changelog 2020-11-11 07:49:32 +01:00
bf9d70bb8c Merge branch 'reorg' into 'master'
small reorganization

See merge request ungleich-public/cdist!942
2020-11-11 07:49:08 +01:00
461c287323 Merge branch 'feature/__locale/explorer' into 'master'
__locale: add state explorer

See merge request ungleich-public/cdist!950
2020-11-11 07:42:41 +01:00
304f420072 Merge branch 'docs/cdist-best-practice/24-9' into 'master'
docs: Add missing 'config' command in 24.9. Testing a new type

See merge request ungleich-public/cdist!952
2020-11-11 07:41:53 +01:00
792b4b1076 Add missing 'config' command 2020-11-09 12:08:54 +01:00
a95eab77a5 __locale: add state explorer
.. so it doesn't execute code all the time.
2020-11-08 15:28:14 +01:00
Darko Poljak
d2506ac04e Release 6.9.1 2020-11-08 13:31:57 +01:00
Darko Poljak
fded60bd0f ++changelog 2020-11-08 13:27:01 +01:00
fe8920740f Merge branch 'feature/__package_apt/recommends' into 'master'
__package_apt: add --install-recommends parameter

See merge request ungleich-public/cdist!949
2020-11-08 13:26:39 +01:00
729fdb9c1a Merge branch 'type/__dpkg_architecture' into 'master'
New type __dpkg_architecture

See merge request ungleich-public/cdist!948
2020-11-08 13:24:58 +01:00
1b3e1acd22 Merge branch 'feature/type/__hostname/openwrt-support' into 'master'
__hostname: Add support for OpenWrt

See merge request ungleich-public/cdist!947
2020-11-08 13:23:36 +01:00
77397514ca Merge branch 'fix/type/__file/pre-exists' into 'master'
__file: Fix --state pre-exists (this time for real)

See merge request ungleich-public/cdist!946
2020-11-08 13:22:06 +01:00
9fc6ee0948 __package_apt: add --install-recommends parameter
For a good reason, __package_apt doesn't install recommended packages as
default. But the option --install-recommends comes handy if you want to
install a package where you want to install all recommended packages
(and not to install all of them separately).

Also, the manpage now explains that the type won't install recommended
packages by default.
2020-11-08 13:19:46 +01:00
91bcc2a293 __dpkg_architecture: make type nonparallel
I think it's not good that dpkg or apt is running in parallel.
2020-11-07 21:03:38 +01:00
7777580d8f __dpkg_architecture: add copyright headers 2020-11-07 20:56:17 +01:00
b0f3bb3350 New type __dpkg_architecture
This type handles foreign architectures added to dpkg.
2020-11-07 18:24:27 +01:00
Dennis Camera
10abe514b8 [type/__hostname] Add support for OpenWrt 2020-11-07 12:20:16 +01:00
Darko Poljak
348c6eedc9 Release 6.9.0 2020-11-07 12:12:20 +01:00
Darko Poljak
c7c3075f62 ++changelog 2020-11-07 12:10:14 +01:00
Darko Poljak
0f1df5ef68 Fix shellcheck source directives 2020-11-07 12:07:58 +01:00
bd9b21394f Merge branch 'type/openwrt-uci' into 'master'
Add OpenWrt UCI types

See merge request ungleich-public/cdist!886
2020-11-07 11:59:56 +01:00
Darko Poljak
d28a70a73c ++changelog 2020-11-06 08:32:40 +01:00
67f1475a20 Merge branch 'feature/type/__apt_norecommends/reuse-file' into 'master'
__apt_norecommends: Use 00InstallRecommends file as debian-installer does

See merge request ungleich-public/cdist!945
2020-11-06 08:26:36 +01:00
Dennis Camera
df881c0f98 [type/__file] Fix --state pre-exists also for non-dry-runs 2020-11-04 08:34:17 +01:00
Darko Poljak
2be8c63458 pycodestyle fixes 2020-11-03 06:43:57 +01:00
Dennis Camera
ade69729dd [type/__uci_section] Only generate UCI commands if state differs 2020-11-01 21:36:21 +01:00
Dennis Camera
9d40500570 [type/__uci_section] Apply all commands in a single batch 2020-11-01 21:36:21 +01:00
Dennis Camera
3e5f18d409 [type/__uci] Apply all commands in a single batch 2020-11-01 21:36:21 +01:00
Dennis Camera
ec984f81b5 [type/__uci] Delete --transaction parameter 2020-11-01 21:36:21 +01:00
Dennis Camera
dfe9e08c28 [type/__uci_commit] Delete type 2020-11-01 21:36:21 +01:00
Dennis Camera
e264fb004f [type/__uci] Convert to immediate remote execution 2020-11-01 21:36:21 +01:00
Dennis Camera
c1ae3ccb2f [type/__uci*] Remove public-facing transaction "interface" 2020-11-01 21:36:16 +01:00
Dennis Camera
a6c37095f1 [type/__uci_section] Externalise functions to separate file 2020-11-01 21:35:24 +01:00
Dennis Camera
7b30119504 [type/__uci] Externalise functions to separate file 2020-11-01 21:35:24 +01:00
Dennis Camera
63d41a1053 [type/__uci_section] Improve --match support with existing named sections
Use section if named section exists without --match option (e.g. empty section).
2020-11-01 21:35:24 +01:00
Dennis Camera
4aebb1f127 [type/__uci*] Update man.rst regarding quoting requirements 2020-11-01 21:35:24 +01:00
Dennis Camera
8728817af6 [type/__uci] Unquote UCI reported values
Without unquoting values printed in single quotes by UCI would always lead to
the state explorer reporting "different".
2020-11-01 21:35:24 +01:00
Dennis Camera
b99ca3cbdf [type/__uci_section] Split up --option and --list 2020-11-01 21:35:16 +01:00
Dennis Camera
49e867fab4 [type/__uci_section] Add more parameter checks 2020-11-01 15:49:17 +01:00
Dennis Camera
0840afce03 [type/__uci] Add --type parameter 2020-11-01 15:49:13 +01:00
Dennis Camera
fe26c119b5 [type/__uci*] Update man pages 2020-11-01 13:34:31 +01:00
Dennis Camera
c37253b852 [type/__uci_section] Check __object_id for syntax errors 2020-11-01 13:34:31 +01:00
Dennis Camera
3a6b085145 [type/__uci] Check __object_id for syntax errors 2020-11-01 13:34:31 +01:00
Dennis Camera
f782a5a370 [type/__uci] Refactor to do proper quoting of UCI commands 2020-11-01 13:34:31 +01:00
Dennis Camera
d453d964e1 [type/__uci_section] Fix in section matching 2020-11-01 13:34:31 +01:00
Dennis Camera
179815b5e9 [type/__uci_section] Ignore SC2015 error (notabug) 2020-11-01 13:34:31 +01:00
Dennis Camera
4da3968118 [type/__uci_section] Add type 2020-11-01 13:34:31 +01:00
Dennis Camera
3ef638a611 [type/__uci_commit] Fail when uci(1) reports errors 2020-11-01 13:34:31 +01:00
Dennis Camera
cc599dab15 [type/__uci_commit] Move uncommited changes check from explorer to code-remote
This is done to prevent false positives/negatives (see NOTE in code)
2020-11-01 13:34:22 +01:00
Dennis Camera
e7369a1f99 [type/__uci_commit] Abort if uncommited changes are present on the target 2020-11-01 13:32:00 +01:00
Dennis Camera
3a3be36310 [type/__uci_commit] Send message on commit of a transaction 2020-11-01 11:01:25 +01:00
Dennis Camera
d3574b2d3e [type/__uci] Send messages when options are set to be altered 2020-11-01 11:01:25 +01:00
Dennis Camera
d8f20a6a20 [type/__uci] Implement "real" transactions using batch files 2020-11-01 11:01:25 +01:00
Dennis Camera
a09120977f [type/__uci] Allow omission of --value parameter if --state absent 2020-11-01 11:01:25 +01:00
Dennis Camera
55e7b32449 [type/__uci] Only generate __uci_commit if changes are required 2020-11-01 11:01:25 +01:00
Dennis Camera
e30ecdda53 Add __uci and __uci_commit types 2020-11-01 11:01:25 +01:00
Nico Schottelius
09dfcfe81e [scanner] add to beta commands 2020-10-29 23:16:08 +01:00
Nico Schottelius
91d99bf08a [RFC] scanner documentation 2020-10-29 21:22:36 +01:00
Nico Schottelius
87b46a6224 [scanner] finish prototype
ping @poljakowski - it's your turn now
2020-10-29 18:49:20 +01:00
Nico Schottelius
b9ad22595f [scanner] begin scanner implementation - non invasive 2020-10-29 18:03:27 +01:00
Dennis Camera
82a9aa7902 [type/__apt_norecommends] Use 00InstallRecommends file as debian-installer does
debian-installer can be preseeded with `base-installer/install-recommends` to
disable installation of recommended packages already during OS installation.
d-i will then create the file `/etc/apt/apt.conf.d/00InstallRecommends`
(cf. https://salsa.debian.org/installer-team/base-installer/-/blob/master/library.sh).

__apt_norecommends should use the same file to avoid having two config files
effectively doing the same thing.
2020-10-29 10:45:18 +01:00
Darko Poljak
9277e0ba19 ++changelog 2020-10-29 09:30:58 +01:00
eda96a06a0 Merge branch 'fix/type/__file/pre-exists-dryrun' into 'master'
__file: Fix --state pre-exists

See merge request ungleich-public/cdist!944
2020-10-29 09:29:41 +01:00
Dennis Camera
367da4b77e [type/__file] Fix --state pre-exists 2020-10-28 18:18:24 +01:00
aa5e882fce Merge branch 'master' into reorg 2020-10-21 20:26:51 +03:00
Darko Poljak
687c1d2dd9 ++changelog 2020-10-19 06:57:00 +02:00
b139ba2a5c Merge branch '__update_alternatives_improvements' into 'master'
[__update_alternatives] rewrite and support --install

See merge request ungleich-public/cdist!936
2020-10-19 06:55:35 +02:00
f96f23e970 Merge branch '__acl_remove_deprecated' into 'master'
[__acl] remove deprecated parameters, fix some bugs and improve manual

Closes #823

See merge request ungleich-public/cdist!933
2020-10-19 06:54:13 +02:00
716cd37281 [__update_alternatives] rewrite and support --install 2020-10-18 23:57:25 +03:00
e3d906a85f [__acl] remove deprecated parameters, fix some bugs and improve manual 2020-10-18 23:54:01 +03:00
6964070282 s/build-helper/cdist-build-helper/ 2020-10-18 17:13:22 +03:00
Darko Poljak
955b847276 ++changelog 2020-10-18 15:55:14 +02:00
112fb984c7 Merge branch 'fix/__download/manpage' into 'master'
__download: fix non-existent parameter of __unpack in manpage

See merge request ungleich-public/cdist!943
2020-10-18 15:51:58 +02:00
b2e6afb57e __download: adapt download+unpack example in manpage 2020-10-17 23:01:36 +02:00
d20fb74324 use os.path.realpath instead, because it eliminates any symbolic links encountered in the path 2020-10-17 23:16:42 +03:00
507fa6fa93 __download: fix non-existent parameter of __unpack
Probably happened due to renaming .. guess it's correct now.
2020-10-17 17:09:41 +02:00
54d83a6211 there is no single author anymore, also remove www. 2020-10-16 15:50:50 +03:00
e55db1b427 use check_output for git describe execution and define fallback VERSION earlier 2020-10-16 15:41:38 +03:00
b41d80075a update paths in setup.py 2020-10-16 14:16:04 +03:00
42d5d6c3e2 redundant str() 2020-10-16 14:12:39 +03:00
65c8af4ba3 overengineered version discovery 2020-10-16 14:11:12 +03:00
174aa77280 __file__ already is absolute 2020-10-16 14:11:00 +03:00
1614b62f70 fallback VERSION to "unknown version" 2020-10-16 13:48:28 +03:00
fd04c03613 add parent dir to module search path only when importing fails 2020-10-16 13:42:16 +03:00
86057cef19 don't die if there is no version.py 2020-10-14 02:20:58 +03:00
fdc1ab93e9 move scripts/* to bin/ 2020-10-14 02:20:58 +03:00
3f1939716f enable running scripts/cdist directly and symlinked 2020-10-14 02:20:30 +03:00
45d51c0e15 rename build-helper -> cdist-build-helper 2020-10-14 02:18:25 +03:00
8ecae42199 remove bin/cdist script 2020-10-14 02:18:25 +03:00
Darko Poljak
4df5c91912 ++changelog 2020-10-09 06:52:52 +02:00
1057ceef01 Merge branch 'line-replace' into 'master'
[__line] Add support for '--state replace'

See merge request ungleich-public/cdist!939
2020-10-09 06:51:45 +02:00
c030deea3d [__line] Add support for '--state replace'
It is currently counter-intuitive that something like:

    # File '/thing' contents
    #SomeSetting WrongValue

    # Manifest
    __line '/thing' \
           --line 'SomeSeting GoodValue' \
           --regex '^(#[[:space:]]*)?SomeSetting[[:space:]]'

Produces:

    # Resulting '/thing' contents
    #SomeSetting WrongValue

This makes sense given the implementation, but it masks a very common use-case.

Changing the default behaviour for such a base type is not really an option, so
instead we add a `replace` as a valid value for `--state`, which would result
in:

    # Resulting '/thing' contents with: --state replace
    SomeSetting GoodValue

For compatibility, if the regex is missing, `--state replace` behaves just as
`--state present`.
2020-10-09 06:51:44 +02:00
68a280d51a Merge branch '__service-fix' into 'master'
Fixed calling of __systemd_service type with correct arguments.

See merge request ungleich-public/cdist!941
2020-10-09 06:47:54 +02:00
Mark Verboom
5aeed14b1b Fixed calling of __systemd_service type with correct arguments. 2020-10-08 16:15:20 +02:00
Darko Poljak
3fa74b454a Fix typo 2020-09-30 15:43:32 +02:00
Darko Poljak
52b5f05163 ++changelog 2020-09-30 08:56:31 +02:00
34a7d8c280 Merge branch 'pkgng_freebsd-bootstrap' into 'master'
[__package_pkgng_freebsd] Bootstrap pkg if necessary

See merge request ungleich-public/cdist!940
2020-09-30 08:42:43 +02:00
f994226d0e [__package_pkgng_freebsd] Bootstrap pkg if necessary
In a pristine FreeBSD base installation, pkg is really a bootstrapper utility,
in such cases the type used to fail instead of automatically bootstrapping pkg.
2020-09-29 19:47:59 +02:00
Darko Poljak
652c891858 ++changelog 2020-09-29 05:57:54 +02:00
84ade29ca9 Merge branch 'docs/custom-remote-exec-copy-examples' into 'master'
Add custom remote copy/exec examples

See merge request ungleich-public/cdist!938
2020-09-29 05:56:38 +02:00
Darko Poljak
73d6c9d469 Add custom remote copy/exec examples 2020-09-27 10:17:35 +02:00
8ab1b6a03d Merge branch 'fix/docs-makefile' into 'master'
docs: make varaibles environment-aware

See merge request ungleich-public/cdist!937
2020-09-24 06:55:30 +02:00
84a7818121 docs: make varaibles environment-aware
There are all overwriting the environment, even the comment states
otherwise. Fixes it.
2020-09-23 20:29:47 +02:00
Darko Poljak
b6922508b9 Update helper script 2020-09-21 09:17:34 +02:00
Darko Poljak
0fc10749ed Fix shellcheck 2020-09-21 09:11:35 +02:00
Darko Poljak
89a0080e13 ++changelog 2020-09-21 09:09:26 +02:00
139a782c96 Merge branch '__package_pip_detect_pip_bin' into 'master'
[__package_pip] detect pip binary

See merge request ungleich-public/cdist!935
2020-09-21 09:06:44 +02:00
2e6c12c27c Merge branch 'clarify-stdin-input' into 'master'
Clarify stdin input

Closes #836

See merge request ungleich-public/cdist!934
2020-09-21 09:04:06 +02:00
89b6215115 Clarify stdin input
Resolve #836.
2020-09-21 09:04:05 +02:00
decc0ad54d [__package_pip] detect pip binary 2020-09-19 12:38:20 +03:00
152 changed files with 4937 additions and 504 deletions

2
.gitattributes vendored
View file

@ -4,5 +4,5 @@
docs/speeches export-ignore
docs/video export-ignore
docs/src/man7 export-ignore
bin/build-helper export-ignore
bin/cdist-build-helper export-ignore
README-maintainers export-ignore

View file

@ -1,20 +1,23 @@
---
image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest
stages:
- test
image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest
unit_tests:
stage: test
script:
- ./bin/build-helper version
- ./bin/build-helper test
pycodestyle:
stage: test
script:
- ./bin/build-helper pycodestyle
before_script:
- ./bin/cdist-build-helper version
shellcheck:
stage: test
script:
- ./bin/build-helper shellcheck
- ./bin/cdist-build-helper shellcheck
pycodestyle:
stage: test
script:
- ./bin/cdist-build-helper pycodestyle
unit_tests:
stage: test
script:
- ./bin/cdist-build-helper test

View file

@ -1,4 +1,4 @@
Maintainers should use ./bin/build-helper script.
Maintainers should use ./bin/cdist-build-helper script.
Makefile is intended for end users. It can be used for non-maintaining
targets that can be run from pure source (without git repository).

View file

@ -1,7 +1,8 @@
#!/bin/sh
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# 2012 Nico Schottelius (nico-cdist at schottelius.org)
# 2010-2016 Nico Schottelius (nico-cdist at schottelius.org)
# 2016 Darko Poljak (darko.poljak at gmail.com)
#
# This file is part of cdist.
#
@ -20,14 +21,81 @@
#
#
# Wrapper for real script to allow execution from checkout
dir=${0%/*}
import logging
import os
import sys
# Ensure version is present - the bundled/shipped version contains a static version,
# the git version contains a dynamic version
"$dir/build-helper" version
# See if this file's parent is cdist module
# and if so add it to module search path.
cdist_dir = os.path.realpath(
os.path.join(
os.path.dirname(os.path.realpath(__file__)),
os.pardir))
cdist_init_dir = os.path.join(cdist_dir, 'cdist', '__init__.py')
if os.path.exists(cdist_init_dir):
sys.path.insert(0, cdist_dir)
libdir=$(cd "${dir}/../" && pwd -P)
export PYTHONPATH="${libdir}"
import cdist # noqa 402
import cdist.argparse # noqa 402
import cdist.banner # noqa 402
import cdist.config # noqa 402
import cdist.install # noqa 402
import cdist.shell # noqa 402
import cdist.inventory # noqa 402
"$dir/../scripts/cdist" "$@"
def commandline():
"""Parse command line"""
# preos subcommand hack
if len(sys.argv) > 1 and sys.argv[1] == 'preos':
return cdist.preos.PreOS.commandline(sys.argv[1:])
parser, cfg = cdist.argparse.parse_and_configure(sys.argv[1:])
args = cfg.get_args()
# Work around python 3.3 bug:
# http://bugs.python.org/issue16308
# http://bugs.python.org/issue9253
# FIXME: catching AttributeError also hides
# real problems.. try a different way
# FIXME: we always print main help, not
# the help of the actual parser being used!
try:
getattr(args, "func")
except AttributeError:
parser['main'].print_help()
sys.exit(0)
args.func(args)
if __name__ == "__main__":
if sys.version < cdist.MIN_SUPPORTED_PYTHON_VERSION:
print('Python >= {} is required on the source host.'.format(
cdist.MIN_SUPPORTED_PYTHON_VERSIO), file=sys.stderr)
sys.exit(1)
exit_code = 0
try:
import re
import os
if re.match("__", os.path.basename(sys.argv[0])):
import cdist.emulator
emulator = cdist.emulator.Emulator(sys.argv)
emulator.run()
else:
commandline()
except KeyboardInterrupt:
exit_code = 2
except cdist.Error as e:
log = logging.getLogger("cdist")
log.error(e)
exit_code = 1
sys.exit(exit_code)

View file

@ -45,7 +45,7 @@ usage() {
shellcheck-manifests
shellcheck-local-gencodes
shellcheck-remote-gencodes
shellcheck-scripts
shellcheck-bin
shellcheck-gencodes
shellcheck-types
shellcheck
@ -100,7 +100,7 @@ case "$option" in
if (\$0 ~ /^$end/) {
exit
} else {
print \$0
print \$0
}
}
}" "$basedir/docs/changelog"
@ -135,7 +135,7 @@ case "$option" in
version=$1; shift
(
(
cat << eof
Subject: cdist $version has been released
@ -336,7 +336,7 @@ eof
make docs-clean
make docs
#############################################################
#############################################################
# Everything green, let's do the release
# Tag the current commit
@ -371,7 +371,6 @@ eof
Manual steps post release:
- cdist-web
- send generated mailinglist.tmp mail
- twitter
eof
;;
@ -406,7 +405,7 @@ eof
;;
pycodestyle|pep8)
pycodestyle "${basedir}" "${basedir}/scripts/cdist"
pycodestyle "${basedir}" "${basedir}/bin/cdist"
;;
check-pycodestyle)
@ -461,27 +460,34 @@ eof
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
;;
shellcheck-scripts)
# NOTE: shellcheck-scripts is kept for compatibility
shellcheck-bin|shellcheck-scripts)
# shellcheck disable=SC2086
${SHELLCHECKCMD} scripts/cdist-dump scripts/cdist-new-type > "${SHELLCHECKTMP}"
${SHELLCHECKCMD} bin/cdist-dump bin/cdist-new-type > "${SHELLCHECKTMP}"
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
;;
shellcheck-gencodes)
"$0" shellcheck-local-gencodes || exit 1
"$0" shellcheck-remote-gencodes || exit 1
errors=false
"$0" shellcheck-local-gencodes || errors=true
"$0" shellcheck-remote-gencodes || errors=true
! $errors || exit 1
;;
shellcheck-types)
"$0" shellcheck-type-explorers || exit 1
"$0" shellcheck-manifests || exit 1
"$0" shellcheck-gencodes || exit 1
errors=false
"$0" shellcheck-type-explorers || errors=true
"$0" shellcheck-manifests || errors=true
"$0" shellcheck-gencodes || errors=true
! $errors || exit 1
;;
shellcheck)
"$0" shellcheck-global-explorers || exit 1
"$0" shellcheck-types || exit 1
"$0" shellcheck-scripts || exit 1
errors=false
"$0" shellcheck-global-explorers || errors=true
"$0" shellcheck-types || errors=true
"$0" shellcheck-bin || errors=true
! $errors || exit 1
;;
shellcheck-type-files)
@ -491,12 +497,14 @@ eof
;;
shellcheck-with-files)
"$0" shellcheck || exit 1
"$0" shellcheck-type-files || exit 1
errors=false
"$0" shellcheck || errors=true
"$0" shellcheck-type-files || errors=true
! $errors || exit 1
;;
shellcheck-build-helper)
${SHELLCHECKCMD} ./bin/build-helper
${SHELLCHECKCMD} ./bin/cdist-build-helper
;;
check-shellcheck)

View file

@ -22,12 +22,27 @@
import os
import hashlib
import subprocess
import cdist.log
import cdist.version
VERSION = cdist.version.VERSION
VERSION = 'unknown version'
try:
import cdist.version
VERSION = cdist.version.VERSION
except ModuleNotFoundError:
cdist_dir = os.path.abspath(
os.path.join(os.path.dirname(__file__), os.pardir))
if os.path.isdir(os.path.join(cdist_dir, '.git')):
try:
VERSION = subprocess.check_output(
['git', 'describe', '--always'],
cwd=cdist_dir,
universal_newlines=True)
except Exception:
pass
BANNER = """
.. . .x+=:. s

View file

@ -8,10 +8,11 @@ import cdist.configuration
import cdist.log
import cdist.preos
import cdist.info
import cdist.scan.commandline
# set of beta sub-commands
BETA_COMMANDS = set(('install', 'inventory', ))
BETA_COMMANDS = set(('install', 'inventory', 'scan', ))
# set of beta arguments for sub-commands
BETA_ARGS = {
'config': set(('tag', 'all_tagged_hosts', 'use_archiving', )),
@ -273,8 +274,7 @@ def get_parsers():
'-f', '--file',
help=('Read specified file for a list of additional hosts to '
'operate on or if \'-\' is given, read stdin (one host per '
'line). If no host or host file is specified then, by '
'default, read hosts from stdin.'),
'line).'),
dest='hostfile', required=False)
parser['config_args'].add_argument(
'-p', '--parallel', nargs='?', metavar='HOST_MAX',
@ -326,9 +326,7 @@ def get_parsers():
parser['add-host'].add_argument(
'-f', '--file',
help=('Read additional hosts to add from specified file '
'or from stdin if \'-\' (each host on separate line). '
'If no host or host file is specified then, by default, '
'read from stdin.'),
'or from stdin if \'-\' (each host on separate line). '),
dest='hostfile', required=False)
parser['add-tag'] = parser['invsub'].add_parser(
@ -342,20 +340,12 @@ def get_parsers():
parser['add-tag'].add_argument(
'-f', '--file',
help=('Read additional hosts to add tags from specified file '
'or from stdin if \'-\' (each host on separate line). '
'If no host or host file is specified then, by default, '
'read from stdin. If no tags/tagfile nor hosts/hostfile'
' are specified then tags are read from stdin and are'
' added to all hosts.'),
'or from stdin if \'-\' (each host on separate line). '),
dest='hostfile', required=False)
parser['add-tag'].add_argument(
'-T', '--tag-file',
help=('Read additional tags to add from specified file '
'or from stdin if \'-\' (each tag on separate line). '
'If no tag or tag file is specified then, by default, '
'read from stdin. If no tags/tagfile nor hosts/hostfile'
' are specified then tags are read from stdin and are'
' added to all hosts.'),
'or from stdin if \'-\' (each tag on separate line). '),
dest='tagfile', required=False)
parser['add-tag'].add_argument(
'-t', '--taglist',
@ -376,9 +366,7 @@ def get_parsers():
parser['del-host'].add_argument(
'-f', '--file',
help=('Read additional hosts to delete from specified file '
'or from stdin if \'-\' (each host on separate line). '
'If no host or host file is specified then, by default, '
'read from stdin.'),
'or from stdin if \'-\' (each host on separate line). '),
dest='hostfile', required=False)
parser['del-tag'] = parser['invsub'].add_parser(
@ -396,20 +384,13 @@ def get_parsers():
parser['del-tag'].add_argument(
'-f', '--file',
help=('Read additional hosts to delete tags for from specified '
'file or from stdin if \'-\' (each host on separate line). '
'If no host or host file is specified then, by default, '
'read from stdin. If no tags/tagfile nor hosts/hostfile'
' are specified then tags are read from stdin and are'
' deleted from all hosts.'),
'file or from stdin if \'-\' (each host on separate '
'line). '),
dest='hostfile', required=False)
parser['del-tag'].add_argument(
'-T', '--tag-file',
help=('Read additional tags from specified file '
'or from stdin if \'-\' (each tag on separate line). '
'If no tag or tag file is specified then, by default, '
'read from stdin. If no tags/tagfile nor'
' hosts/hostfile are specified then tags are read from'
' stdin and are added to all hosts.'),
'or from stdin if \'-\' (each tag on separate line). '),
dest='tagfile', required=False)
parser['del-tag'].add_argument(
'-t', '--taglist',
@ -490,6 +471,35 @@ def get_parsers():
'pattern', nargs='?', help='Glob pattern.')
parser['info'].set_defaults(func=cdist.info.Info.commandline)
# Scan = config + further
parser['scan'] = parser['sub'].add_parser('scan', add_help=False,
parents=[parser['config']])
parser['scan'] = parser['sub'].add_parser(
'scan', parents=[parser['loglevel'],
parser['beta'],
parser['colored_output'],
parser['common'],
parser['config_main']])
parser['scan'].add_argument(
'-m', '--mode', help='Which modes should run',
action='append', default=[],
choices=['scan', 'trigger'])
parser['scan'].add_argument(
'--config',
action='store_true',
help='Try to configure detected hosts')
parser['scan'].add_argument(
'-I', '--interfaces',
action='append', default=[],
help='On which interfaces to scan/trigger')
parser['scan'].add_argument(
'-d', '--delay',
action='store', default=3600,
help='How long to wait before reconfiguring after last try')
parser['scan'].set_defaults(func=cdist.scan.commandline.commandline)
for p in parser:
parser[p].epilog = EPILOG

View file

@ -70,6 +70,11 @@ case "$("$__explorer/os")" in
macosx)
sw_vers -productVersion
;;
freebsd)
# Apparently uname -r is not a reliable way to get the patch level.
# See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
freebsd-version
;;
*bsd|solaris)
uname -r
;;

View file

@ -0,0 +1,4 @@
#!/bin/sh -e
getent passwd | awk -F: '{print "user:"$1}'
getent group | awk -F: '{print "group:"$1}'

View file

@ -22,8 +22,8 @@ file_is="$( cat "$__object/explorer/file_is" )"
if [ "$file_is" = 'missing' ] \
&& [ -z "$__cdist_dry_run" ] \
&& \( [ ! -f "$__object/parameter/file" ] \
|| [ ! -f "$__object/parameter/directory" ] \)
&& [ ! -f "$__object/parameter/file" ] \
&& [ ! -f "$__object/parameter/directory" ]
then
exit 0
fi
@ -47,28 +47,26 @@ then
elif [ -f "$__object/parameter/entry" ]
then
acl_should="$( cat "$__object/parameter/entry" )"
elif [ -f "$__object/parameter/acl" ]
then
acl_should="$( cat "$__object/parameter/acl" )"
elif
[ -f "$__object/parameter/user" ] \
|| [ -f "$__object/parameter/group" ] \
|| [ -f "$__object/parameter/mask" ] \
|| [ -f "$__object/parameter/other" ]
then
acl_should="$( for param in user group mask other
do
[ ! -f "$__object/parameter/$param" ] && continue
echo "$param" | grep -Eq 'mask|other' && sep=:: || sep=:
echo "$param$sep$( cat "$__object/parameter/$param" )"
done )"
else
echo 'no parameters set' >&2
exit 1
fi
# instead of setfacl's non-helpful message "Option -m: Invalid argument near character X"
# let's check if target has necessary users and groups, since mistyped or missing
# users/groups in target is most common reason.
echo "$acl_should" \
| grep -Po '(user|group):[^:]+' \
| sort -u \
| while read -r l
do
if ! grep "$l" -Fxq "$__object/explorer/getent"
then
echo "no $l' in target" | sed "s/:/ '/" >&2
exit 1
fi
done
if [ -f "$__object/parameter/default" ]
then
acl_should="$( echo "$acl_should" \

View file

@ -12,11 +12,14 @@ Fully supported and tested on Linux (ext4 filesystem), partial support for FreeB
See ``setfacl`` and ``acl`` manpages for more details.
One of ``--entry`` or ``--source`` must be used.
REQUIRED MULTIPLE PARAMETERS
OPTIONAL MULTIPLE PARAMETERS
----------------------------
entry
Set ACL entry following ``getfacl`` output syntax.
Must be used if ``--source`` is not used.
OPTIONAL PARAMETERS
@ -25,6 +28,7 @@ source
Read ACL entries from stdin or file.
Ordering of entries is not important.
When reading from file, comments and empty lines are ignored.
Must be used if ``--entry`` is not used.
file
Create/change file with ``__file`` using ``user:group:mode`` pattern.
@ -48,12 +52,6 @@ remove
``mask`` and ``other`` entries can't be removed, but only changed.
DEPRECATED PARAMETERS
---------------------
Parameters ``acl``, ``user``, ``group``, ``mask`` and ``other`` are deprecated and they
will be removed in future versions. Please use ``entry`` parameter instead.
EXAMPLES
--------

View file

@ -1 +0,0 @@
see manual for details

View file

@ -1 +0,0 @@
see manual for details

View file

@ -1 +0,0 @@
see manual for details

View file

@ -1 +0,0 @@
see manual for details

View file

@ -1 +0,0 @@
see manual for details

View file

@ -1,5 +1,3 @@
mask
other
source
file
directory

View file

@ -1,4 +1 @@
entry
acl
user
group

View file

@ -0,0 +1,104 @@
cdist-type__debian_backports(7)
===============================
NAME
----
cdist-type__apt_backports - Install backports
DESCRIPTION
-----------
This singleton type installs backports for the current OS release.
It aborts if backports are not supported for the specified OS or
no version codename could be fetched (like Debian unstable).
The package index will be automatically updated if required.
It supports backports from following OSes:
- Debian
- Devuan
- Ubuntu
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
state
Represents the state of the backports repository. ``present`` or
``absent``, defaults to ``present``.
Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
mirror
The mirror to fetch the backports from. Will defaults to the generic
mirror of the current OS.
Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
BOOLEAN PARAMETERS
------------------
None.
MESSAGES
--------
None.
EXAMPLES
--------
.. code-block:: sh
# setup the backports
__apt_backports
__apt_backports --state absent
__apt_backports --state present --mirror "http://ftp.de.debian.org/debian/"
# install a backports package
# currently for the buster release backports
require="__apt_backports" __package_apt wireguard \
--target-release buster-backports
ABORTS
------
Aborts if the detected os is not Debian.
Aborts if no distribuition codename could be detected. This is common for the
unstable distribution, but there is no backports repository for it already.
CAVEATS
-------
For Ubuntu, it setup all componenents for the backports repository: ``main``,
``restricted``, ``universe`` and ``multiverse``. The user may not want to
install proprietary packages, which will only be installed if the user
explicitly uses the backports target-release. The user may change this behavior
to install backports packages without the need of explicitly select it.
SEE ALSO
--------
`Official Debian Backports site <https://backports.debian.org/>`_
:strong:`cdist-type__apt_source`\ (7)
AUTHORS
-------
Matthias Stecher <matthiasstecher at gmx.de>
COPYING
-------
Copyright \(C) 2020 Matthias Stecher. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,81 @@
#!/bin/sh -e
# __apt_backports/manifest
#
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Enables/disables backports repository. Utilises __apt_source for it.
#
# Get the distribution codename by /etc/os-release.
# is already executed in a subshell by string substitution
# lsb_release may not be given in all installations
codename_os_release() {
# shellcheck disable=SC1090
. "$__global/explorer/os_release"
printf "%s" "$VERSION_CODENAME"
}
# detect backport distribution
os="$(cat "$__global/explorer/os")"
case "$os" in
debian)
dist="$( codename_os_release )"
components="main"
mirror="http://deb.debian.org/debian/"
;;
devuan)
dist="$( codename_os_release )"
components="main"
mirror="http://deb.devuan.org/merged"
;;
ubuntu)
dist="$( codename_os_release )"
components="main restricted universe multiverse"
mirror="http://archive.ubuntu.com/ubuntu"
;;
*)
printf "Backports for %s are not supported!\n" "$os" >&2
exit 1
;;
esac
# error if no codename given (e.g. on Debian unstable)
if [ -z "$dist" ]; then
printf "No backports for unkown version of distribution %s!\n" "$os" >&2
exit 1
fi
# parameters
state="$(cat "$__object/parameter/state")"
# mirror already set for the os, only override user-values
if [ -f "$__object/parameter/mirror" ]; then
mirror="$(cat "$__object/parameter/mirror")"
fi
# install the given backports repository
__apt_source "${dist}-backports" \
--state "$state" \
--distribution "${dist}-backports" \
--component "$components" \
--uri "$mirror"

View file

@ -0,0 +1 @@
present

View file

@ -0,0 +1,2 @@
state
mirror

View file

@ -32,11 +32,12 @@ EXAMPLES
AUTHORS
-------
Steven Armstrong <steven-cdist--@--armstrong.cc>
Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
COPYING
-------
Copyright \(C) 2014 Steven Armstrong. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
Copyright \(C) 2014 Steven Armstrong, 2020 Dennis Camera.
You can redistribute it and/or modify it under the terms of the GNU General
Public License as published by the Free Software Foundation, either version 3 of
the License, or (at your option) any later version.

View file

@ -1,6 +1,7 @@
#!/bin/sh -e
#
# 2014 Steven Armstrong (steven-cdist at armstrong.cc)
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -19,26 +20,28 @@
#
os=$(cat "$__global/explorer/os")
os=$(cat "${__global:?}/explorer/os")
case "$os" in
ubuntu|debian|devuan)
# No stinking recommends thank you very much.
# If I want something installed I will do so myself.
__file /etc/apt/apt.conf.d/99-no-recommends \
--owner root --group root --mode 644 \
--source - << DONE
APT::Install-Recommends "0";
APT::Install-Suggests "0";
APT::AutoRemove::RecommendsImportant "0";
APT::AutoRemove::SuggestsImportant "0";
DONE
;;
*)
cat >&2 << DONE
case ${os}
in
(ubuntu|debian|devuan)
__file /etc/apt/apt.conf.d/00InstallRecommends --state present \
--owner root --group root --mode 0644 --source - <<-'EOF'
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::AutoRemove::RecommendsImportant "false";
APT::AutoRemove::SuggestsImportant "false";
EOF
# TODO: Remove the following object after some time
require=__file/etc/apt/apt.conf.d/00InstallRecommends \
__file /etc/apt/apt.conf.d/99-no-recommends --state absent
;;
(*)
cat >&2 <<EOF
The developer of this type (${__type##*/}) did not think your operating system
($os) would have any use for it. If you think otherwise please submit a patch.
DONE
exit 1
;;
EOF
exit 1
;;
esac

View file

@ -46,28 +46,29 @@ fi
remove_block() {
cat << DONE
tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX)
tmpfile=\$(mktemp ${quoted_file}.cdist.XXXXXXXXXX)
# preserve ownership and permissions of existing file
if [ -f "$file" ]; then
cp -p "$file" "\$tmpfile"
if [ -f $quoted_file ]; then
cp -p $quoted_file "\$tmpfile"
fi
awk -v prefix=^$(quote "$prefix")\$ -v suffix=^$(quote "$suffix")\$ '
awk -v prefix=$(quote "$prefix") -v suffix=$(quote "$suffix") '
{
if (match(\$0,prefix)) {
if (\$0 == prefix) {
triggered=1
}
if (triggered) {
if (match(\$0,suffix)) {
if (\$0 == suffix) {
triggered=0
}
} else {
print
}
}' "$file" > "\$tmpfile"
mv -f "\$tmpfile" "$file"
}' $quoted_file > "\$tmpfile"
mv -f "\$tmpfile" $quoted_file
DONE
}
quoted_file="$(quote "$file")"
case "$state_should" in
present)
if [ "$state_is" = "changed" ]; then
@ -77,7 +78,7 @@ case "$state_should" in
echo add >> "$__messages_out"
fi
cat << DONE
cat >> "$file" << ${__type##*/}_DONE
cat >> $quoted_file << '${__type##*/}_DONE'
$(cat "$block")
${__type##*/}_DONE
DONE

View file

@ -25,6 +25,9 @@ user
OPTIONAL PARAMETERS
-------------------
dirmode
forwarded to :strong:`__directory` type as mode
mode
forwarded to :strong:`__file` type

View file

@ -19,6 +19,7 @@ set -eu
user="$(cat "${__object}/parameter/user")"
home="$(cat "${__object}/explorer/home")"
primary_group="$(cat "${__object}/explorer/primary_group")"
dirmode="$(cat "${__object}/parameter/dirmode")"
# Create parent directory. Type __directory has flag 'parents', but it
# will leave us with root-owned directory in user home, which is not
@ -36,6 +37,7 @@ export CDIST_ORDER_DEPENDENCY
for dir ; do
__directory "${home}/${dir}" \
--group "${primary_group}" \
--mode "${dirmode}" \
--owner "${user}"
done

View file

@ -0,0 +1 @@
0700

View file

@ -1,3 +1,4 @@
state
mode
source
dirmode

View file

@ -69,7 +69,8 @@ EXAMPLES
require='__download/opt/cpma/cnq3.zip' \
__unpack /opt/cpma/cnq3.zip \
--move-existing-destination \
--backup-destination \
--preserve-archive \
--destination /opt/cpma/server

View file

@ -0,0 +1,26 @@
#!/bin/sh -e
# __dpkg_architecture/explorer/architecture
#
# 2020 Matthias Stecher <matthiasstecher at gmx.de>
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Get the main architecture of this machine
# print or die in the gencode-remote
dpkg --print-architecture || true

View file

@ -0,0 +1,26 @@
#!/bin/sh -e
# __dpkg_architecture/explorer/foreign-architectures
#
# 2020 Matthias Stecher <matthiasstecher at gmx.de>
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Print all additional architectures
# print or die in the gencode-remote
dpkg --print-foreign-architectures || true

View file

@ -0,0 +1,82 @@
#!/bin/sh -e
# __dpkg_architecture/gencode-remote
#
# 2020 Matthias Stecher <matthiasstecher at gmx.de>
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Get parameter and explorer
state_should="$(cat "$__object/parameter/state")"
arch_wanted="$__object_id"
main_arch="$(cat "$__object/explorer/architecture")"
# Exit here if dpkg do not work (empty explorer)
if [ -z "$main_arch" ]; then
echo "dpkg is not available or unable to detect a architecture!" >&2
exit 1
fi
# Check if requested architecture is the main one
if [ "$arch_wanted" = "$main_arch" ]; then
# higher than present; we can not remove it
state_is="present"
caution="yes"
# Check if the architecture not already used
elif grep -qFx "$arch_wanted" "$__object/explorer/foreign-architectures"; then
state_is="present"
# arch does not exist
else
state_is="absent"
fi
# Check what to do
if [ "$state_is" != "$state_should" ]; then
case "$state_should" in
present)
# print add code
printf "dpkg --add-architecture '%s'\n" "$arch_wanted"
# updating the index to make the new architecture available
echo "apt update"
echo added >> "$__messages_out"
;;
absent)
if [ "$caution" ]; then
printf "can not remove the main arch '%s' of the system!\n" "$main_arch" >&2
exit 1
fi
# removing all existing packages for the architecture
printf "apt purge '.*:%s'\n" "$arch_wanted"
# print remove code
printf "dpkg --remove-architecture '%s'\n" "$arch_wanted"
echo removed >> "$__messages_out"
;;
*)
printf "state '%s' is unknown!\n" "$state_should" >&2
exit 1
;;
esac
fi

View file

@ -0,0 +1,103 @@
cdist-type__dpkg_architecture(7)
================================
NAME
----
cdist-type__dpkg_architecture - Handles foreign architectures on debian-like
systems managed by `dpkg`
DESCRIPTION
-----------
This type handles foreign architectures on systems managed by
:strong:`dpkg`\ (1). The object id is the name of the architecture accepted by
`dpkg`, which should be added or removed.
If the architecture is not setup on the system, it adds a new architecture as a
new foreign architecture in `dpkg`. Then, it updates the apt package index to
make packages from the new architecture available.
If the architecture should be removed, it will remove it if it is not the base
architecture on where the system was installed on. Before it, it will purge
every package based on the "to be removed" architecture via `apt` to be able to
remove the selected architecture.
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
state
``present`` or ``absent``. Defaults to ``present``.
MESSAGES
--------
added
Added the specified architecture
removed
Removed the specified architecture
ABORTS
------
Aborts in the following cases:
If :strong:`dpkg`\ (1) is not available. It will abort with a proper error
message.
If the architecture is the same as the base architecture the system is build
upon it (returned by ``dpkg --print-architecture``) and it should be removed.
It will fail if it can not execute :strong:`apt`\ (8). It is assumed that it is
already installed.
EXAMPLES
--------
.. code-block:: sh
# add i386 (32 bit) architecture
__dpkg_architecture i386
# remove it again :)
__dpkg_architecture i386 --state absent
SEE ALSO
--------
`Multiarch on Debian systems <https://wiki.debian.org/Multiarch>`_
`How to setup multiarch on Debian <https://wiki.debian.org/Multiarch/HOWTO>`_
:strong:`dpkg`\ (1)
:strong:`cdist-type__package_dpkg`\ (7)
:strong:`cdist-type__package_apt`\ (7)
Useful commands:
.. code-block:: sh
# base architecture installed on this system
dpkg --print-architecture
# extra architectures added
dpkg --print-foreign-architectures
AUTHORS
-------
Matthias Stecher <matthiasstecher at gmx.de>
COPYING
-------
Copyright \(C) 2020 Matthias Stecher. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
ublished by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1 @@
present

View file

@ -0,0 +1 @@
state

View file

@ -87,11 +87,6 @@ case "$state_should" in
fi
;;
pre-exists)
# pre-exists should never reach gencode-remote…
exit 1
;;
absent)
if [ "$type" = "file" ]; then
echo "rm -f '$destination'"
@ -100,6 +95,10 @@ case "$state_should" in
fi
;;
pre-exists)
:
;;
*)
echo "Unknown state: $state_should" >&2
exit 1

View file

@ -20,26 +20,27 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "$__global/explorer/os")
name_running=$(cat "$__global/explorer/hostname")
has_hostnamectl=$(cat "$__object/explorer/has_hostnamectl")
os=$(cat "${__global:?}/explorer/os")
name_running=$(cat "${__global:?}/explorer/hostname")
has_hostnamectl=$(cat "${__object:?}/explorer/has_hostnamectl")
if test -s "$__object/parameter/name"
if test -s "${__object:?}/parameter/name"
then
name_should=$(cat "$__object/parameter/name")
name_should=$(cat "${__object:?}/parameter/name")
else
case $os
case ${os}
in
# RedHat-derivatives and BSDs
centos|fedora|redhat|scientific|freebsd|macosx|netbsd|openbsd)
(centos|fedora|redhat|scientific|freebsd|macosx|netbsd|openbsd)
# Hostname is FQDN
name_should="${__target_host}"
;;
*)
name_should=${__target_host:?}
;;
(*)
# Hostname is only first component of FQDN
name_should="${__target_host%%.*}"
;;
name_should=${__target_host:?}
name_should=${name_should%%.*}
;;
esac
fi
@ -47,43 +48,46 @@ fi
################################################################################
# Check if the (running) hostname is already correct
#
test "$name_running" != "$name_should" || exit 0
test "${name_running}" != "${name_should}" || exit 0
################################################################################
# Setup hostname
#
echo 'changed' >>"$__messages_out"
echo 'changed' >>"${__messages_out:?}"
# Use the good old way to set the hostname.
case $os
case ${os}
in
alpine|debian|devuan|ubuntu)
(alpine|debian|devuan|ubuntu)
echo 'hostname -F /etc/hostname'
;;
archlinux)
;;
(archlinux)
echo 'command -v hostnamectl >/dev/null 2>&1' \
"&& hostnamectl set-hostname '$name_should'" \
"|| hostname '$name_should'"
;;
centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|gentoo|void)
echo "hostname '$name_should'"
;;
macosx)
echo "scutil --set HostName '$name_should'"
;;
solaris)
echo "uname -S '$name_should'"
;;
slackware|suse|opensuse-leap)
"&& hostnamectl set-hostname '${name_should}'" \
"|| hostname '${name_should}'"
;;
(centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|gentoo|void)
echo "hostname '${name_should}'"
;;
(openwrt)
echo "echo '${name_should}' >/proc/sys/kernel/hostname"
;;
(macosx)
echo "scutil --set HostName '${name_should}'"
;;
(solaris)
echo "uname -S '${name_should}'"
;;
(slackware|suse)
# We do not read from /etc/HOSTNAME, because the running
# hostname is the first component only while the file contains
# the FQDN.
echo "hostname '$name_should'"
;;
*)
echo "hostname '${name_should}'"
;;
(*)
# Fall back to set the hostname using hostnamectl, if available.
if test -n "$has_hostnamectl"
if test -n "${has_hostnamectl}"
then
# Don't use hostnamectl as the primary means to set the hostname for
# systemd systems, because it cannot be trusted to work reliably and
@ -94,7 +98,8 @@ in
echo "test \"\$(hostname)\" = \"\$(cat /etc/hostname)\"" \
" || hostname -F /etc/hostname"
else
printf "echo 'Unsupported OS: %s' >&2\nexit 1\n" "$os"
printf "echo 'Unsupported OS: %s' >&2\n" "${os}"
printf 'exit 1\n'
fi
;;
;;
esac

View file

@ -20,69 +20,49 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
not_supported() {
echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
echo "Please contribute an implementation for it if you can." >&2
exit 1
}
set_hostname_systemd() {
echo "$1" | __file /etc/hostname --source -
}
os=$(cat "$__global/explorer/os")
os_version=$(cat "$__global/explorer/os_version")
os_major=$(echo "$os_version" | grep -o '^[0-9][0-9]*' || true)
os=$(cat "${__global:?}/explorer/os")
max_len=$(cat "$__object/explorer/max_len")
has_hostnamectl=$(cat "$__object/explorer/has_hostnamectl")
max_len=$(cat "${__object:?}/explorer/max_len")
has_hostnamectl=$(cat "${__object:?}/explorer/has_hostnamectl")
if test -s "$__object/parameter/name"
if test -s "${__object:?}/parameter/name"
then
name_should=$(cat "$__object/parameter/name")
name_should=$(cat "${__object:?}/parameter/name")
else
case $os
case ${os}
in
# RedHat-derivatives and BSDs
centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|slackware)
(centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|slackware|suse)
# Hostname is FQDN
name_should="${__target_host}"
;;
suse|opensuse-leap)
# Classic SuSE stores the FQDN in /etc/HOSTNAME, while
# systemd does not. The running hostname is the first
# component in both cases.
# In versions before 15.x, the FQDN is stored in /etc/hostname.
if test -n "$has_hostnamectl" && test "$os_major" -ge 15 \
&& test "$os_major" -ne 42
then
name_should="${__target_host%%.*}"
else
name_should="${__target_host}"
fi
;;
name_should=${__target_host:?}
;;
*)
# Hostname is only first component of FQDN on all other systems.
name_should="${__target_host%%.*}"
;;
name_should=${__target_host:?}
name_should=${name_should%%.*}
;;
esac
fi
if test -n "$max_len" && test "$(printf '%s' "$name_should" | wc -c)" -gt "$max_len"
if test -n "${max_len}" && test "$(printf '%s' "${name_should}" | wc -c)" -gt "${max_len}"
then
printf "Host name too long. Up to %u characters allowed.\n" "${max_len}" >&2
exit 1
fi
case $os
case ${os}
in
alpine|debian|devuan|ubuntu|void)
echo "$name_should" | __file /etc/hostname --source -
;;
archlinux)
if test -n "$has_hostnamectl"
(alpine|debian|devuan|ubuntu|void)
echo "${name_should}" | __file /etc/hostname --source -
;;
(archlinux)
if test -n "${has_hostnamectl}"
then
set_hostname_systemd "$name_should"
set_hostname_systemd "${name_should}"
else
echo 'Ancient ArchLinux variants without hostnamectl are not supported.' >&2
exit 1
@ -97,8 +77,8 @@ in
# --value "\"$name_should\""
fi
;;
centos|fedora|redhat|scientific)
if test -z "$has_hostnamectl"
(centos|fedora|redhat|scientific)
if test -z "${has_hostnamectl}"
then
# Only write to /etc/sysconfig/network on non-systemd versions.
# On systemd-based versions this entry is ignored.
@ -106,59 +86,83 @@ in
--file /etc/sysconfig/network \
--delimiter '=' --exact_delimiter \
--key HOSTNAME \
--value "\"$name_should\""
--value "\"${name_should}\""
else
set_hostname_systemd "$name_should"
set_hostname_systemd "${name_should}"
fi
;;
gentoo)
;;
(gentoo)
# Only write to /etc/conf.d/hostname on OpenRC-based installations.
# On systemd use hostnamectl(1) in gencode-remote.
if test -z "$has_hostnamectl"
if test -z "${has_hostnamectl}"
then
__key_value '/etc/conf.d/hostname:hostname' \
--file /etc/conf.d/hostname \
--delimiter '=' --exact_delimiter \
--key 'hostname' \
--value "\"$name_should\""
--value "\"${name_should}\""
else
set_hostname_systemd "$name_should"
fi
;;
freebsd)
;;
(freebsd)
__key_value '/etc/rc.conf:hostname' \
--file /etc/rc.conf \
--delimiter '=' --exact_delimiter \
--key 'hostname' \
--value "\"$name_should\""
;;
macosx)
--value "\"${name_should}\""
;;
(macosx)
# handled in gencode-remote
:
;;
netbsd)
;;
(netbsd)
__key_value '/etc/rc.conf:hostname' \
--file /etc/rc.conf \
--delimiter '=' --exact_delimiter \
--key 'hostname' \
--value "\"$name_should\""
--value "\"${name_should}\""
# To avoid confusion, ensure that the hostname is only stored once.
__file /etc/myname --state absent
;;
openbsd)
echo "$name_should" | __file /etc/myname --source -
;;
slackware)
;;
(openbsd)
echo "${name_should}" | __file /etc/myname --source -
;;
(openwrt)
__uci system.@system[0].hostname --value "${name_should}"
# --transaction hostname
;;
(slackware)
# We write the FQDN into /etc/HOSTNAME. But /etc/rc.d/rc.M will only
# read the first component from this file and set it as the running
# hostname on boot.
echo "$name_should" | __file /etc/HOSTNAME --source -
;;
solaris)
echo "$name_should" | __file /etc/nodename --source -
;;
suse|opensuse-leap)
echo "${name_should}" | __file /etc/HOSTNAME --source -
;;
(solaris)
echo "${name_should}" | __file /etc/nodename --source -
;;
(suse)
if test -s "${__global:?}/explorer/os_release"
then
# shellcheck source=/dev/null
os_version=$(. "${__global:?}/explorer/os_release" && echo "${VERSION}")
else
os_version=$(sed -n 's/^VERSION\ *=\ *//p' "${__global:?}/explorer/os_version")
fi
os_major=$(expr "${os_version}" : '\([0-9]\{1,\}\)')
# Classic SuSE stores the FQDN in /etc/HOSTNAME, while
# systemd does not. The running hostname is the first
# component in both cases.
# In versions before 15.x, the FQDN is stored in /etc/hostname.
if test -n "${has_hostnamectl}" \
&& test "${os_major}" -ge 15 \
&& test "${os_major}" -ne 42
then
# strip away everything but the first part from $name_should
name_should=${name_should%%.*}
fi
# Modern SuSE provides /etc/HOSTNAME as a symlink for
# backwards-compatibility. Unfortunately it cannot be used
# here as __file does not follow the symlink.
@ -167,23 +171,25 @@ in
# not work correctly on openSUSE 12.x which provides
# hostnamectl but not /etc/hostname.
if test -n "$has_hostnamectl" -a "$os_major" -gt 12
if test -n "${has_hostnamectl}" -a "${os_major}" -gt 12
then
hostname_file='/etc/hostname'
hostname_file=/etc/hostname
else
hostname_file='/etc/HOSTNAME'
hostname_file=/etc/HOSTNAME
fi
echo "$name_should" | __file "$hostname_file" --source -
;;
*)
echo "${name_should}" | __file "${hostname_file}" --source -
;;
(*)
# On other operating systems we fall back to systemd's
# hostnamectl if available…
if test -n "$has_hostnamectl"
if test -n "${has_hostnamectl}"
then
set_hostname_systemd "$name_should"
set_hostname_systemd "${name_should}"
else
not_supported
echo "Your operating system (${os}) is currently not supported by this type (${__type##*/})." >&2
echo "Please contribute an implementation for it if you can." >&2
exit 1
fi
;;
;;
esac

View file

@ -0,0 +1,28 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Prints the clock mode read from the /etc/adjtime file, if present.
#
# not all operating systems use an adjfile
test -f /etc/adjtime || exit 0
# 3rd line is clock mode
# adjtime(5) https://man7.org/linux/man-pages/man5/adjtime.5.html
sed -n 3p /etc/adjtime

View file

@ -0,0 +1,27 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Prints the LocalRTC property using timedatectl on systemd-based systems.
#
command -v timedatectl >/dev/null 2>&1 || exit 0
# NOTE: Older versions of timedatectl do not support `timedatectl show'
timedatectl --no-pager status \
| awk -F': ' '$1 ~ "RTC in local TZ$" { sub(/[ \t]*$/, "", $2); print $2 }'

View file

@ -0,0 +1,62 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
mode=$(cat "${__object:?}/parameter/mode")
timedatectl_localrtc=$(cat "${__object:?}/explorer/timedatectl_localrtc")
adjtime_mode=$(cat "${__object:?}/explorer/adjtime_mode")
case ${mode}
in
(localtime)
adjtime_str=LOCAL
local_rtc_str=yes
;;
(UTC|utc)
adjtime_str=UTC
local_rtc_str=no
;;
(*)
printf 'Invalid value for --mode: %s\n' "${mode}" >&2
printf 'Acceptable values are: localtime, utc.\n' >&2
exit 1
esac
if test -n "${timedatectl_localrtc}"
then
# systemd
timedatectl_should=${local_rtc_str}
if test "${timedatectl_localrtc}" != "${timedatectl_should}"
then
printf 'timedatectl set-local-rtc %s\n' "${timedatectl_should}"
fi
elif test -n "${adjtime_mode}"
then
# others (update /etc/adjtime if present)
if test "${adjtime_mode}" != "${adjtime_str}"
then
# Update /etc/adjtime (3rd line is clock mode)
# adjtime(5) https://man7.org/linux/man-pages/man5/adjtime.5.html
# FIXME: Should maybe add third line if adjfile only contains two lines
printf "sed -i '3c\\\\\\n%s\\n' /etc/adjtime\\n" "${adjtime_str}"
fi
fi

View file

@ -0,0 +1,63 @@
cdist-type__hwclock(7)
======================
NAME
----
cdist-type__hwclock - Manage the hardware real time clock.
DESCRIPTION
-----------
This type can be used to control how the hardware clock is used by the operating
system.
REQUIRED PARAMETERS
-------------------
mode
What mode the hardware clock is in.
Acceptable values:
localtime
The hardware clock is set to local time (common for systems also running
Windows.)
UTC
The hardware clock is set to UTC (common on UNIX systems.)
OPTIONAL PARAMETERS
-------------------
None.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
# Make the operating system treat the time read from the hwclock as UTC.
__hwclock --mode UTC
SEE ALSO
--------
:strong:`hwclock`\ (8)
AUTHORS
-------
Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
COPYING
-------
Copyright \(C) 2020 Dennis Camera. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,222 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera@ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# TODO: Consider supporting BADYEAR
os=$(cat "${__global:?}/explorer/os")
mode=$(cat "${__object:?}/parameter/mode")
has_systemd_timedatectl=$(test -s "${__object:?}/explorer/timedatectl_localrtc" && echo true || echo false)
case ${mode}
in
(localtime)
local_clock=true
;;
(UTC|utc)
local_clock=false
;;
(*)
printf 'Invalid value for --mode: %s\n' "${mode}" >&2
printf 'Acceptable values are: UTC, localtime.\n' >&2
exit 1
esac
case ${os}
in
(alpine|gentoo)
if ! $has_systemd_timedatectl
then
# NOTE: Gentoo also supports systemd, in which case /etc/conf.d is
# not used. So we check for systemd presence here and only
# update /etc/conf.d if systemd is not installed.
# https://wiki.gentoo.org/wiki/System_time#Hardware_clock
export CDIST_ORDER_DEPENDENCY=true
__file /etc/conf.d/hwclock --state present \
--owner root --group root --mode 0644
__key_value /etc/conf.d/hwclock:clock \
--file /etc/conf.d/hwclock \
--key clock \
--delimiter '=' --exact_delimiter \
--value "\"$($local_clock && echo local || echo UTC)\""
unset CDIST_ORDER_DEPENDENCY
fi
;;
(centos|fedora|redhat|scientific)
os_version=$(cat "${__global:?}/explorer/os_version")
os_major=$(expr "${os_version}" : '.* release \([0-9]*\)')
case ${os}
in
(centos|scientific)
update_sysconfig=$(test "${os_major}" -lt 6 && echo true || echo false)
;;
(fedora)
update_sysconfig=$(test "${os_major}" -lt 10 && echo true || echo false)
;;
(redhat|*)
case ${os_version}
in
('Red Hat Enterprise Linux'*)
update_sysconfig=$(test "${os_major}" -lt 6 && echo true || echo false)
;;
('Red Hat Linux'*)
update_sysconfig=true
;;
(*)
printf 'Could not determine Red Hat distribution.\n' >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac
;;
esac
if ${update_sysconfig:?}
then
export CDIST_ORDER_DEPENDENCY=true
__file /etc/sysconfig/clock --state present \
--owner root --group root --mode 0644
__key_value /etc/sysconfig/clock:UTC \
--file /etc/sysconfig/clock \
--key UTC \
--delimiter '=' --exact_delimiter \
--value "$($local_clock && echo false || echo true)"
unset CDIST_ORDER_DEPENDENCY
fi
;;
(debian|devuan|ubuntu)
os_major=$(sed 's/[^0-9].*$//' "${__global:?}/explorer/os_version")
case ${os}
in
(debian)
if test "${os_major}" -ge 7
then
update_rcS=false
elif test "${os_major}" -ge 3
then
update_rcS=true
else
# Debian 2.2 should be supportable using rcS.
# Debian 2.1 uses the ancient GMT key.
# Debian 1.3 does not have rcS.
printf "Your operating system (Debian %s) is currently not supported by this type (%s)\n" \
"$(cat "${__global:?}/explorer/os_version")" "${__type##*/}" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
fi
;;
(devuan)
update_rcS=false
;;
(ubuntu)
update_rcS=$(test "${os_major}" -lt 16 && echo true || echo false)
;;
esac
if ${update_rcS}
then
export CDIST_ORDER_DEPENDENCY=true
__file /etc/default/rcS --state present \
--owner root --group root --mode 0644
__key_value /etc/default/rcS:UTC \
--file /etc/default/rcS \
--key UTC \
--delimiter '=' --exact_delimiter \
--value "$($local_clock && echo no || echo yes)"
unset CDIST_ORDER_DEPENDENCY
fi
;;
(freebsd)
# cf. adjkerntz(8)
__file /etc/wall_cmos_clock \
--state "$($local_clock && echo present || echo absent)" \
--owner root --group wheel --mode 0444
;;
(netbsd)
# https://wiki.netbsd.org/guide/boot/#index9h2
__key_value /etc/rc.conf:rtclocaltime \
--file /etc/rc.conf \
--key rtclocaltime \
--delimiter '=' --exact_delimiter \
--value "$($local_clock && echo YES || echo NO)"
;;
(slackware)
__file /etc/hardwareclock --owner root --group root --mode 0644 \
--source - <<-EOF
# /etc/hardwareclock
#
# Tells how the hardware clock time is stored.
# This file is managed by cdist.
$($local_clock && echo localtime || echo UTC)
EOF
;;
(suse)
if test -s "${__global:?}/explorer/os_release"
then
# shellcheck source=/dev/null
os_version=$(. "${__global:?}/explorer/os_release" && echo "${VERSION}")
else
os_version=$(sed -n 's/^VERSION\ *=\ *//p' "${__global:?}/explorer/os_version")
fi
os_major=$(expr "${os_version}" : '\([0-9]\{1,\}\)')
# TODO: Consider using `yast2 timezone set hwclock' instead
if expr "${os_major}" \< 12
then
# Starting with SuSE 12 (first systemd-based version)
# /etc/sysconfig/clock does not contain the HWCLOCK line
# anymore.
# With SuSE 13, it has been reduced to TIMEZONE configuration.
__key_value /etc/sysconfig/clock:HWCLOCK \
--file /etc/sysconfig/clock \
--delimiter '=' --exact_delimiter \
--key HWCLOCK \
--value "$($local_clock && echo '"--localtime"' || echo '"-u"')"
fi
;;
(void)
export CDIST_ORDER_DEPENDENCY=true
__file /etc/rc.conf \
--owner root --group root --mode 0644 \
--state present
__key_value /etc/rc.conf:HARDWARECLOCK \
--file /etc/rc.conf \
--delimiter '=' --exact_delimiter \
--key HARDWARECLOCK \
--value "\"$($local_clock && echo localtime || echo UTC)\""
unset CDIST_ORDER_DEPENDENCY
;;
(*)
if ! $has_systemd_timedatectl
then
printf "Your operating system (%s) is currently not supported by this type (%s)\n" "$os" "${__type##*/}" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
fi
;;
esac
# NOTE: timedatectl set-local-rtc for systemd is in gencode-remote
# NOTE: /etc/adjtime is also updated in gencode-remote

View file

@ -0,0 +1 @@
mode

View file

View file

@ -0,0 +1,26 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
name="$__object_id"
if ipset -t list | grep -qFx "Name: $name"; then
ipset list "$name" | sed '0,/^Members:/d'
else
echo "x_missing_x"
fi

View file

@ -0,0 +1,26 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
name="$__object_id"
if ipset -t list "$name" >/dev/null; then
echo "present"
else
echo "absent"
fi

View file

@ -0,0 +1,26 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
name="$__object_id"
if ipset -t list | grep -qFx "Name: $name"; then
ipset -t list "$name" | grep "^Type: " | awk '{print $2}'
else
echo "x_missing_x"
fi

View file

@ -0,0 +1,48 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
### BEGIN INIT INFO
# Provides: ipset
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# X-Start-Before: iptables
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Create ipset lists before iptables rules require them
# Description: Applies lists found in /etc/ipset.d/*.saved
# and saves/restores previous status
### END INIT INFO
case $1 in
start)
# Restore previous state:
/usr/local/bin/ipsets-restore
;;
stop)
# Save current state before exiting:
/usr/local/bin/ipsets-save
;;
restart)
"$0" stop && "$0" start
;;
reset)
ipset flush
;;
esac

View file

@ -0,0 +1,28 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
mkdir -p /etc/ipset.d/
if [ -n "$1" ]; then
ipset -! restore < "/etc/ipset.d/$1"
else
find /etc/ipset.d/ -iname "*.saved" | while read s; do
ipset -! restore <$s
done
fi

View file

@ -0,0 +1,28 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
mkdir -p /etc/ipset.d/
if [ -n "$1" ]; then
ipset save "$1" > "/etc/ipset.d/${1}.saved"
else
ipset -t list | grep "^Name:" | awk '{print $2}' | while read s; do
ipset save $s > /etc/ipset.d/$s.saved
done
fi

View file

@ -0,0 +1,79 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
e="$__object/explorer"
p="$__object/parameter"
name="$__object_id"
type_is="$(cat "$e/type")"
type_should="$(cat "$p/type")"
state_is="$(cat "$e/state")"
state_should="$(cat "$p/state")"
needToSave=0
case $state_should in
present)
if [ "$state_is" = "absent" ]; then
echo ipset create "$name" "$type_should"
needToSave=1
elif [ "$state_is" = "present" ] && [ "$type_is" != "$type_should" ]; then
echo ipset destroy "$name"
echo "rm \"/etc/ipset.d/${name}.saved\" || true"
echo ipset create "$name" "$type_should"
needToSave=1
fi
;;
absent)
if [ "$state_is" = "present" ]; then
echo ipset destroy "$name"
echo "rm \"/etc/ipset.d/${name}.saved\" || true"
fi
;;
*)
echo "Unknown state: $state_should" >&2
exit 1
;;
esac
if [ "$state_should" = "present" ]; then
if [ -f "$p/add" ]; then
while read -r value; do
if ! grep -qFx "$value" "$e/content"; then
echo "ipset -! add $name $value"
needToSave=1
fi
done < "$p/add"
fi
if [ -f "$p/del" ]; then
while read -r value; do
if grep -qFx "$value" "$e/content"; then
echo "ipset -! del $name $value"
needToSave=1
fi
done < "$p/del"
fi
elif [ "$state_should" = "absent" ] && \( [ -f "$p/add" ] || [ -f "$p/del" ] \); then
echo "Error: ipset state absent is incompatible with --add or --del" >&2
exit 1
fi
if [ $needToSave -ne 0 ]; then
echo /usr/local/bin/ipsets-save "$name"
fi

View file

@ -0,0 +1,69 @@
cdist-type__ipset(7)
====================
NAME
----
cdist-type__ipset - Manage ipset sets
DESCRIPTION
-----------
Making use of ipset sets in iptable rules can make your rules more expressive, maintainable and efficient.
REQUIRED PARAMETERS
-------------------
type
One of the supported ipset set types, for a full list see:
``ipset help``
OPTIONAL PARAMETERS
-------------------
add
The entry that must exist in the given set.
Can be used multiple times.
del
The entry that must not exist in the given set.
Can be used multiple times.
state
Can be:
- ``present``: ensure that the given set exists.
- ``absent``: ensure the given set doesn't exist.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
# Make sure a set with the given name/type exists:
__ipset testset1 --type hash:ip
# Ensure allowed_ssh_clients contains private range:
__ipset allowed_ssh_hosts --type hash:net \
--add 192.168.0.0/24 --add 10.0.0.0/8
# Make sure host is not on the blocked list:
__ipset blocked_hosts --type hash:ip \
--del 1.2.3.4
SEE ALSO
--------
:strong:`cdist-type__iptables_rule`\ (7), :strong:`iptables`\ (8)
AUTHORS
-------
Mesar Hameed <mesar.hameed--@--gmail.com>
COPYING
-------
Copyright \(C) 2021 Mesar Hameed. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,45 @@
#!/bin/sh -e
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "$__global/explorer/os")
case "$os" in
debian)
:
;;
ubuntu)
:
;;
*)
echo "OS $os currently not supported" >&2
exit 1
;;
esac
export CDIST_ORDER_DEPENDENCY=on
# install packages
__package ipset
__file /etc/init.d/ipset-persistent --mode 0755 --source "${__type}/files/ipset-persistent"
__file /usr/local/bin/ipsets-restore --mode 0755 --source "${__type}/files/ipsets-restore"
__file /usr/local/bin/ipsets-save --mode 0755 --source "${__type}/files/ipsets-save"
__systemd_unit ipset-persistent --enablement-state enabled --restart
unset CDIST_ORDER_DEPENDENCY

View file

@ -0,0 +1 @@
present

View file

@ -0,0 +1 @@
state

View file

@ -0,0 +1,2 @@
add
del

View file

@ -0,0 +1 @@
type

View file

@ -1,7 +1,4 @@
#!/bin/sh
# Nico Schottelius
# Zürisee, Mon Sep 2 18:38:27 CEST 2013
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $local_fs $remote_fs
@ -14,34 +11,72 @@
# and saves/restores previous status
### END INIT INFO
# Originally written by:
# Nico Schottelius
# Zürisee, Mon Sep 2 18:38:27 CEST 2013
#
# 2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is distributed with cdist and licenced under the
# GNU GPLv3+ WITHOUT ANY WARRANTY.
# Read files and execute the content with the given commands
#
# Arguments:
# 1: Directory
# 2..n: Commands which should be used to execute the file content
gothrough() {
cd "$1" || return
shift
# iterate through all rules and continue if it's not a file
for rule in *; do
[ -f "$rule" ] || continue
echo "Appling iptables rule $rule ..."
# execute it with all commands specificed
ruleparam="$(cat "$rule")"
for cmd in "$@"; do
# Command and Rule should be split.
# shellcheck disable=SC2046
command $cmd $ruleparam
done
done
}
# Shortcut for iptables command to do IPv4 and v6
# only applies to the "reset" target
iptables() {
command iptables "$@"
command ip6tables "$@"
}
basedir=/etc/iptables.d
status="${basedir}/.pre-start"
status4="${basedir}/.pre-start"
status6="${basedir}/.pre-start6"
case $1 in
start)
# Save status
iptables-save > "$status"
iptables-save > "$status4"
ip6tables-save > "$status6"
# Apply our ruleset
cd "$basedir" || exit
count="$(find . ! -name . -prune | wc -l)"
# Only do something if there are rules
if [ "$count" -ge 1 ]; then
for rule in *; do
echo "Applying iptables rule $rule ..."
# Rule should be split.
# shellcheck disable=SC2046
iptables $(cat "$rule")
done
fi
gothrough "$basedir" iptables
#gothrough "$basedir/v4" iptables # conflicts with $basedir
gothrough "$basedir/v6" ip6tables
gothrough "$basedir/all" iptables ip6tables
;;
stop)
# Restore from status before, if there is something to restore
if [ -f "$status" ]; then
iptables-restore < "$status"
if [ -f "$status4" ]; then
iptables-restore < "$status4"
fi
if [ -f "$status6" ]; then
ip6tables-restore < "$status6"
fi
;;
restart)

View file

@ -10,7 +10,24 @@ DESCRIPTION
-----------
This cdist type deploys an init script that triggers
the configured rules and also re-applies them on
configuration.
configuration. Rules are written from __iptables_rule
into the folder ``/etc/iptables.d/``.
It reads all rules from the base folder as rules for IPv4.
Rules in the subfolder ``v6/`` are IPv6 rules. Rules in
the subfolder ``all/`` are applied to both rule tables. All
files contain the arguments for a single ``iptables`` and/or
``ip6tables`` command.
Rules are applied in the following order:
1. All IPv4 rules
2. All IPv6 rules
2. All rules that should be applied to both tables
The order of the rules that will be applied are definite
from the result the shell glob returns, which should be
alphabetical. If rules must be applied in a special order,
prefix them with a number like ``02-some-rule``.
REQUIRED PARAMETERS
@ -24,7 +41,7 @@ None
EXAMPLES
--------
None (__iptables_apply is used by __iptables_rule)
None (__iptables_apply is used by __iptables_rule automatically)
SEE ALSO
@ -35,11 +52,13 @@ SEE ALSO
AUTHORS
-------
Nico Schottelius <nico-cdist--@--schottelius.org>
Matthias Stecher <matthiasstecher--@--gmx.de>
COPYING
-------
Copyright \(C) 2013 Nico Schottelius. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
Copyright \(C) 2013 Nico Schottelius.
Copyright \(C) 2020 Matthias Stecher.
You can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later version.

View file

@ -11,6 +11,10 @@ DESCRIPTION
This cdist type allows you to manage iptable rules
in a distribution independent manner.
See :strong:`cdist-type__iptables_apply`\ (7) for the
execution order of these rules. It will be executed
automaticly to apply all rules non-volaite.
REQUIRED PARAMETERS
-------------------
@ -25,6 +29,24 @@ state
'present' or 'absent', defaults to 'present'
BOOLEAN PARAMETERS
------------------
All rules without any of these parameters will be treated like ``--v4`` because
of backward compatibility.
v4
Explicitly set it as rule for IPv4. If IPv6 is set, too, it will be
threaten like ``--all``. Will be the default if nothing else is set.
v6
Explicitly set it as rule for IPv6. If IPv4 is set, too, it will be
threaten like ``--all``.
all
Set the rule for both IPv4 and IPv6. It will be saved separately from the
other rules.
EXAMPLES
--------
@ -48,6 +70,16 @@ EXAMPLES
--state absent
# IPv4-only rule for ICMPv4
__iptables_rule icmp-v4 --v4 --rule "-A INPUT -p icmp -j ACCEPT"
# IPv6-only rule for ICMPv6
__iptables_rule icmp-v6 --v6 --rule "-A INPUT -p icmpv6 -j ACCEPT"
# doing something for the dual stack
__iptables_rule fwd-eth0-eth1 --v4 --v6 --rule "-A INPUT -i eth0 -o eth1 -j ACCEPT"
__iptables_rule fwd-eth1-eth0 --all --rule "-A -o eth1 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
SEE ALSO
--------
:strong:`cdist-type__iptables_apply`\ (7), :strong:`iptables`\ (8)
@ -56,11 +88,13 @@ SEE ALSO
AUTHORS
-------
Nico Schottelius <nico-cdist--@--schottelius.org>
Matthias Stecher <matthiasstecher--@--gmx.de>
COPYING
-------
Copyright \(C) 2013 Nico Schottelius. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
Copyright \(C) 2013 Nico Schottelius.
Copyright \(C) 2020 Matthias Stecher.
You can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later version.

View file

@ -1,6 +1,7 @@
#!/bin/sh -e
#
# 2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
@ -24,12 +25,36 @@ base_dir=/etc/iptables.d
name="$__object_id"
state="$(cat "$__object/parameter/state")"
if [ -f "$__object/parameter/v4" ]; then
only_v4="yes"
# $specific_dir is $base_dir
fi
if [ -f "$__object/parameter/v6" ]; then
only_v6="yes"
specific_dir="$base_dir/v6"
fi
# If rules should be set for both protocols
if { [ "$only_v4" = "yes" ] && [ "$only_v6" = "yes" ]; } ||
[ -f "$__object/parameter/all" ]; then
# all to a specific directory
specific_dir="$base_dir/all"
fi
# set rule directory based on if it's the base or subdirectory
rule_dir="${specific_dir:-$base_dir}"
################################################################################
# Basic setup
#
__directory "$base_dir" --state present
# sub-directory if required
if [ "$specific_dir" ]; then
require="__directory/$base_dir" __directory "$specific_dir" --state present
fi
# Have apply do the real job
require="$__object_name" __iptables_apply
@ -37,6 +62,15 @@ require="$__object_name" __iptables_apply
# The rule
#
require="__directory/$base_dir" __file "$base_dir/${name}" \
--source "$__object/parameter/rule" \
--state "$state"
for dir in "$base_dir" "$base_dir/v6" "$base_dir/all"; do
# defaults to absent except the directory that should contain the file
if [ "$rule_dir" = "$dir" ]; then
curr_state="$state"
else
curr_state="absent"
fi
require="__directory/$rule_dir" __file "$dir/$name" \
--source "$__object/parameter/rule" \
--state "$curr_state"
done

View file

@ -0,0 +1,3 @@
all
v4
v6

View file

@ -53,8 +53,10 @@ function _find(_text, _pattern) {
BEGIN {
getline anchor < (ENVIRON["__object"] "/parameter/" position)
getline pattern < (ENVIRON["__object"] "/parameter/" needle)
getline line < (ENVIRON["__object"] "/parameter/line")
found_line = 0
correct_line = 0
correct_pos = (position != "after" && position != "before")
}
{
@ -63,15 +65,18 @@ BEGIN {
getline
if (_find($0, pattern)) {
found_line++
if (index($0, line) == 1) { correct_line++ }
correct_pos = 1
exit 0
}
} else if (_find($0, pattern)) {
found_line++
if (index($0, line) == 1) { correct_line++ }
}
} else if (position == "before") {
if (_find($0, pattern)) {
found_line++
if (index($0, line) == 1) { correct_line++ }
getline
if (match($0, anchor)) {
correct_pos = 1
@ -81,13 +86,18 @@ BEGIN {
} else {
if (_find($0, pattern)) {
found_line++
if (index($0, line) == 1) { correct_line++ }
exit 0
}
}
}
END {
if (found_line && correct_pos) {
print "present"
if (correct_line) {
print "present"
} else {
print "matching"
}
} else if (found_line) {
print "wrongposition"
} else {

View file

@ -38,7 +38,11 @@ if [ -z "$state_is" ]; then
exit 1
fi
if [ "$state_should" = "$state_is" ]; then
if [ "$state_should" = "$state_is" ] || \
{ [ "$state_should" = "present" ] && [ "$state_is" = "matching" ] ;} || \
{ [ "$state_should" = "replace" ] && [ "$state_is" = "present" ] ;} ; then
# If state matches already, or 'present' is used and regex matches
# or 'replace' is used and the exact line is present, then there is
# nothing to do
exit 0
fi
@ -61,8 +65,8 @@ fi
add=0
remove=0
case "$state_should" in
present)
if [ "$state_is" = "wrongposition" ]; then
present|replace)
if [ "$state_is" = "wrongposition" ] || [ "$state_is" = "matching" ]; then
echo updated >> "$__messages_out"
remove=1
else

View file

@ -31,7 +31,7 @@ file
line
Specifies the line which should be absent or present.
Must be present, if state is 'present'.
Must be present, if state is 'present' or 'replace'.
Ignored if regex is given and state is 'absent'.
regex
@ -41,10 +41,13 @@ regex
If state is 'absent', ensure all lines matching the regular expression
are absent.
If state is 'replace', ensure all lines matching the regular expression
are exactly 'line'.
The regular expression is interpreted by awk's match function.
state
'present' or 'absent', defaults to 'present'
'present', 'absent' or 'replace', defaults to 'present'.
onchange
The code to run if line is added, removed or updated.
@ -99,6 +102,12 @@ EXAMPLES
--line '-session required pam_exec.so debug log=/tmp/classify.log /usr/local/libexec/classify' \
--after '^session[[:space:]]+include[[:space:]]+password-auth-ac$'
# Uncomment as needed and set a value in a configuration file.
__line /etc/example.conf \
--line 'SomeSetting SomeValue' \
--regex '^(#[[:space:]]*)?SomeSetting[[:space:]]' \
--state replace
SEE ALSO
--------

View file

@ -0,0 +1 @@
This type is deprecated. Please use __localedef instead.

View file

@ -1,6 +1,7 @@
#!/bin/sh -e
# __locale/explorer/state
#
# 2019 Ander Punnar (ander-at-kvlt-dot-ee)
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
@ -17,23 +18,19 @@
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Check if the locale is already installed on the system.
# Outputs 'present' or 'absent' depending if the locale exists.
#
# TODO check if filesystem has ACL turned on etc
if [ -f "$__object/parameter/acl" ]
then
grep -E '^(default:)?(user|group):' "$__object/parameter/acl" \
| while read -r acl
do
param="$( echo "$acl" | awk -F: '{print $(NF-2)}' )"
check="$( echo "$acl" | awk -F: '{print $(NF-1)}' )"
# Get user-defined locale
# locale name is echoed differently than the user propably set it (for UTF-8)
locale="$(echo "$__object_id" | sed 's/UTF-8/utf8/')"
[ "$param" = 'user' ] && db=passwd || db="$param"
if ! getent "$db" "$check" > /dev/null
then
echo "missing $param '$check'" >&2
exit 1
fi
done
# Check if the given locale exists on the system
if localedef --list-archive | grep -qFx "$locale"; then
echo present
else
echo absent
fi

View file

@ -23,6 +23,15 @@
locale="$__object_id"
state_is=$(cat "$__object/explorer/state")
state_should=$(cat "$__object/parameter/state")
# short circuit if there is nothing to do
if [ "$state_is" = "$state_should" ]; then
exit 0
fi
# Hardcoded, create a pull request with
# branching on $os in case it is at another location
alias=/usr/share/locale/locale.alias
@ -35,8 +44,6 @@ charmap=$(echo "$locale" | cut -d . -f 2)
# W-T-F!
locale_remove=$(echo "$locale" | sed 's/UTF-8/utf8/')
state=$(cat "$__object/parameter/state")
os=$(cat "$__global/explorer/os")
# Nothing to be done on alpine
@ -46,7 +53,7 @@ case "$os" in
;;
esac
case "$state" in
case "$state_should" in
present)
echo localedef -A "$alias" -f "$charmap" -i "$input" "$locale"
;;
@ -54,7 +61,7 @@ case "$state" in
echo localedef --delete-from-archive "$locale_remove"
;;
*)
echo "Unsupported state: $state" >&2
echo "Unsupported state: $state_should" >&2
exit 1
;;
esac

View file

@ -0,0 +1,100 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# This explorer determines if the locale is defined on the target system.
# Will print nothing on error.
#
# Possible output:
# present:
# the main locale (and possibly aliases) is present
# absent:
# neither the main locale nor any aliases are present
# alias-present:
# the main locale is absent, but at least one of its aliases is present
#
# Hardcoded, create a pull request in case it is at another location for
# some other distro. (cf. gencode-remote)
aliasfile='/usr/share/locale/locale.alias'
command -v locale >/dev/null 2>&1 || exit 0
locales=$(locale -a)
parse_locale() {
# This function will split locales into their parts. Locale strings are
# usually of the form: [language[_territory][.codeset][@modifier]]
# For simplicity, language and territory are not separated by this function.
# Old Linux systems were also using "english" or "german" as locale strings.
# Usage: parse_locale locale_str lang_var codeset_var modifier_var
eval "${2:?}"="$(expr "$1" : '\([^.@]*\)')"
eval "${3:?}"="$(expr "$1" : '[^.]*\.\([^@]*\)')"
eval "${4:?}"="$(expr "$1" : '.*@\(.*\)$')"
}
format_locale() {
# Usage: format_locale language codeset modifier
printf '%s' "$1"
test -z "$2" || printf '.%s' "$2"
test -z "$3" || printf '@%s' "$3"
printf '\n'
}
gnu_normalize_codeset() {
# reimplementation of glibc/locale/programs/localedef.c normalize_codeset()
echo "$*" | tr '[:upper:]' '[:lower:]' | tr -cd '[:alnum:]'
}
locale_available() (
echo "${locales}" | grep -qxF "$1" || {
# glibc uses "normalized" locale names in archives.
# If a locale is stored in an archive, the normalized name will be
# printed by locale, so that needs to be checked, too.
localename=$(
parse_locale "$1" _lang _codeset _modifier \
&& format_locale "${_lang:?}" "$(gnu_normalize_codeset "${_codeset?}")" \
"${_modifier?}")
echo "${locales}" | grep -qxF "${localename}"
}
)
if locale_available "${__object_id:?}"
then
echo present
else
# NOTE: locale.alias can be symlinked.
if test -e "${aliasfile}"
then
# Check if one of the aliases of the locale is defined
baselocale=$(
parse_locale "${__object_id:?}" _lang _codeset _modifiers \
&& format_locale "${_lang}" "${_codeset}")
while read -r _alias _localename
do
if test "${_localename}" = "${baselocale}" \
&& echo "${locales}" | grep -qxF "${_alias}"
then
echo alias-present
exit 0
fi
done <"${aliasfile}"
fi
echo absent
fi

View file

@ -0,0 +1,5 @@
# -*- mode: sh; indent-tabs-mode: t -*-
gnu_normalize_codeset() {
echo "$*" | tr -cd '[:alnum:]' | tr '[:upper:]' '[:lower:]'
}

View file

@ -0,0 +1,20 @@
# -*- mode: sh; indent-tabs-mode:t -*-
parse_locale() {
# This function will split locales into their parts. Locale strings are
# usually of the form: [language[_territory][.codeset][@modifier]]
# For simplicity, language and territory are not separated by this function.
# Old Linux systems were also using "english" or "german" as locale strings.
# Usage: parse_locale locale_str lang_var codeset_var modifier_var
eval "${2:?}"="$(expr "$1" : '\([^.@]*\)')"
eval "${3:?}"="$(expr "$1" : '[^.]*\.\([^@]*\)')"
eval "${4:?}"="$(expr "$1" : '.*@\(.*\)$')"
}
format_locale() {
# Usage: format_locale language codeset modifier
printf '%s' "$1"
test -z "$2" || printf '.%s' "$2"
test -z "$3" || printf '@%s' "$3"
printf '\n'
}

View file

@ -0,0 +1,136 @@
#!/bin/sh -e
#
# 2013-2019 Nico Schottelius (nico-cdist at schottelius.org)
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Manage system locales using localedef(1).
#
# shellcheck source=cdist/conf/type/__localedef/files/lib/locale.sh
. "${__type:?}/files/lib/locale.sh"
# shellcheck source=cdist/conf/type/__localedef/files/lib/glibc.sh
. "${__type:?}/files/lib/glibc.sh"
state_is=$(cat "${__object:?}/explorer/state")
state_should=$(cat "${__object:?}/parameter/state")
test "${state_should}" = 'present' -o "${state_should}" = 'absent' || {
printf 'Invalid state: %s\n' "${state_should}" >&2
exit 1
}
# NOTE: If state explorer fails (e.g. locale(1) missing), the following check
# will always fail and let definition/removal run.
if test "${state_is}" = "${state_should}"
then
exit 0
fi
locale=${__object_id:?}
os=$(cat "${__global:?}/explorer/os")
if expr "${locale}" : '.*/' >/dev/null
then
printf 'Paths as locales are not supported.\n' >&2
printf '__object_id is: %s\n' "${locale}" >&2
exit 1
fi
: "${lang=}" "${codeset=}" "${modifier=}" # declare variables for shellcheck
parse_locale "${locale}" lang codeset modifier
case ${os}
in
(alpine|openwrt)
printf '%s does not support locales.\n' "${os}" >&2
exit 1
;;
(archlinux|debian|devuan|ubuntu|suse|centos|fedora|redhat|scientific)
# FIXME: The code below only works for glibc-based installations.
# NOTE: Hardcoded, create a pull request in case it is at another
# location for some opther distro.
# NOTE: locale.alias can be symlinked (e.g. Debian)
aliasfile='/usr/share/locale/locale.alias'
case ${state_should}
in
(present)
input=$(format_locale "${lang}" '' "${modifier}")
cat <<-EOF
set --
if test -e '${aliasfile}'
then
set -- -A '${aliasfile}'
fi
localedef -i '${input}' -f '${codeset}' "\$@" '${locale}'
EOF
;;
(absent)
main_localename=$(format_locale "${lang}" "$(gnu_normalize_codeset "${codeset}")" "${modifier}")
cat <<-EOF
while read -r _alias _localename
do
if test "\${_localename}" = '$(format_locale "${lang}" "${codeset}")'
then
localedef --delete-from-archive "\${_alias}"
fi
done <'${aliasfile}'
EOF
if test "${state_is}" = present
then
printf "localedef --delete-from-archive '%s'\n" "${main_localename}"
fi
;;
esac
;;
(freebsd)
case ${state_should}
in
(present)
if expr "$(grep -oe '^[0-9]*' "${__global:?}/explorer/os_version")" '>=' 11 >/dev/null
then
# localedef(1) is available with FreeBSD >= 11
printf "localedef -i '%s' -f '%s' '%s'\n" "${input}" "${codeset}" "${locale}"
else
printf 'localedef(1) was added to FreeBSD starting with version 11.\n' >&2
printf 'Please upgrade your FreeBSD installation to use %s.\n' "${__type##*/}" >&2
exit 1
fi
;;
(absent)
printf "rm -R '/usr/share/locale/%s'\n" "${locale}"
;;
esac
;;
(netbsd|openbsd)
# NetBSD/OpenBSD are missing localedef(1).
# We also do not delete defined locales because they can't be recreated.
echo "${os} is lacking localedef(1). Locale management unavailable." >&2
exit 1
;;
(*)
echo "Your operating system (${os}) is currently not supported by this type (${__type##*/})." >&2
echo "Please contribute an implementation for it if you can." >&2
exit 1
;;
esac

View file

@ -0,0 +1,60 @@
cdist-type__localedef(7)
========================
NAME
----
cdist-type__localedef - Define and remove system locales
DESCRIPTION
-----------
This cdist type allows you to define locales on the system using
:strong:`localedef`\ (1) or remove them.
On systems that don't support definition of new locales, the type will raise an
error.
**NB:** This type respects the glibc ``locale.alias`` file,
i.e. it defines alias locales or deletes aliases of a locale when it is removed.
It is not possible, however, to use alias names to define locales or only remove
certain aliases of a locale.
OPTIONAL PARAMETERS
-------------------
state
``present`` or ``absent``. Defaults to ``present``.
EXAMPLES
--------
.. code-block:: sh
# Add locale de_CH.UTF-8
__localedef de_CH.UTF-8
# Same as above, but more explicit
__localedef de_CH.UTF-8 --state present
# Remove colourful British English
__localedef en_GB.UTF-8 --state absent
SEE ALSO
--------
:strong:`locale`\ (1),
:strong:`localedef`\ (1),
:strong:`cdist-type__locale_system`\ (7)
AUTHORS
-------
| Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
| Nico Schottelius <nico-cdist--@--schottelius.org>
COPYING
-------
Copyright \(C) 2013-2019 Nico Schottelius, 2020 Dennis Camera. Free use of this
software is granted under the terms of the GNU General Public License version 3
or later (GPLv3+).

View file

@ -0,0 +1,30 @@
#!/bin/sh -e
#
# 2013-2019 Nico Schottelius (nico-cdist at schottelius.org)
# 2015 David Hürlimann (david at ungleich.ch)
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Install required packages.
#
case $(cat "${__global:?}/explorer/os")
in
(debian|devuan)
__package_apt locales --state present
;;
esac

View file

@ -0,0 +1 @@
present

View file

@ -0,0 +1 @@
state

View file

@ -42,6 +42,13 @@ else
target_release=""
fi
if [ -f "$__object/parameter/install-recommends" ]; then
# required if __apt_norecommends is used
recommendsparam="-o APT::Install-Recommends=1"
else
recommendsparam="-o APT::Install-Recommends=0"
fi
if [ -f "$__object/parameter/purge-if-absent" ]; then
purgeparam="--purge"
else
@ -62,16 +69,16 @@ case "$state_is" in
;;
esac
# Hint if we need to avoid questions at some point:
# DEBIAN_PRIORITY=critical can reduce the number of questions
aptget="DEBIAN_FRONTEND=noninteractive apt-get --quiet --yes -o APT::Install-Recommends=0 -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\""
if [ "$state_is" = "$state_should" ]; then
if [ -z "$version" ] || [ "$version" = "$version_is" ]; then
exit 0;
fi
fi
# Hint if we need to avoid questions at some point:
# DEBIAN_PRIORITY=critical can reduce the number of questions
aptget="DEBIAN_FRONTEND=noninteractive apt-get --quiet --yes -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\""
case "$state_should" in
present)
# following is bit ugly, but important hack.
@ -85,7 +92,7 @@ EOF
if [ -n "$version" ]; then
name="${name}=${version}"
fi
echo "$aptget install $target_release '$name'"
echo "$aptget $recommendsparam install $target_release '$name'"
echo "installed" >> "$__messages_out"
;;
absent)

View file

@ -9,7 +9,9 @@ cdist-type__package_apt - Manage packages with apt-get
DESCRIPTION
-----------
apt-get is usually used on Debian and variants (like Ubuntu) to
manage packages.
manage packages. The package will be installed without recommended
or suggested packages. If such packages are required, install them
separatly or use the parameter ``--install-recommends``.
This type will also update package index, if it is older
than one day, to avoid missing package error messages.
@ -23,7 +25,7 @@ None
OPTIONAL PARAMETERS
-------------------
name
If supplied, use the name and not the object id as the package name.
If supplied, use the name and not the object id as the package name.
state
Either "present" or "absent", defaults to "present"
@ -39,6 +41,15 @@ version
BOOLEAN PARAMETERS
------------------
install-recommends
If the package will be installed, it also installs recommended packages
with it. It will not install recommended packages if the original package
is already installed.
In most cases, it is recommended to install recommended packages separatly
to control which additional packages will be installed to avoid useless
installed packages.
purge-if-absent
If this parameter is given when state is `absent`, the package is
purged from the system (using `--purge`).

View file

@ -1 +1,2 @@
install-recommends
purge-if-absent

View file

@ -0,0 +1,10 @@
#!/bin/sh -e
for bin in pip3 pip
do
if check="$( command -v "$bin" )"
then
echo "$check"
break
fi
done

View file

@ -32,7 +32,7 @@ pipparam="$__object/parameter/pip"
if [ -f "$pipparam" ]; then
pip=$(cat "$pipparam")
else
pip="pip"
pip="$( "$__type_explorer/pip" )"
fi
# If there is no pip, it may get created from somebody else.

View file

@ -38,7 +38,12 @@ pipparam="$__object/parameter/pip"
if [ -f "$pipparam" ]; then
pip=$(cat "$pipparam")
else
pip="pip"
pip="$( cat "$__object/explorer/pip" )"
if [ -z "$pip" ]
then
echo 'pip not found in path' >&2
exit 1
fi
fi
runasparam="$__object/parameter/runas"
@ -55,7 +60,7 @@ case "$state_should" in
then
echo "su -c '$pip install -q $name' $runas"
else
echo $pip install -q "$name"
echo "$pip" install -q "$name"
fi
echo "installed" >> "$__messages_out"
;;
@ -64,7 +69,7 @@ case "$state_should" in
then
echo "su -c '$pip uninstall -q -y $name' $runas"
else
echo $pip uninstall -q -y "$name"
echo "$pip" uninstall -q -y "$name"
fi
echo "removed" >> "$__messages_out"
;;

View file

@ -0,0 +1,4 @@
#!/bin/sh -e
if pkg -N >/dev/null 2>&1; then
echo "YES"
fi

View file

@ -18,9 +18,14 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Retrieve the status of a package - parsed dpkg output
# Retrieve the status of a package - parsed pkgng output
#
if ! pkg -N >/dev/null 2>&1; then
# Nothing to do if pkg is not bootstrapped
exit
fi
if [ -f "$__object/parameter/name" ]; then
name="$(cat "$__object/parameter/name")"
else

View file

@ -43,6 +43,7 @@ fi
repo="$(cat "$__object/parameter/repo")"
state="$(cat "$__object/parameter/state")"
curr_version="$(cat "$__object/explorer/pkg_version")"
pkg_bootstrapped="$(cat "$__object/explorer/pkg_bootstrapped")"
add_cmd="pkg install -y"
rm_cmd="pkg delete -y"
upg_cmd="pkg upgrade -y"
@ -73,6 +74,10 @@ execcmd(){
;;
esac
if [ -z "${pkg_bootstrapped}" ]; then
echo "ASSUME_ALWAYS_YES=yes pkg bootstrap >/dev/null 2>&1"
fi
echo "$_cmd >/dev/null 2>&1" # Silence the output of the command
echo "status=\$?"
echo "if [ \"\$status\" -ne \"0\" ]; then"

View file

@ -7,7 +7,9 @@ action="$(cat "$__object/parameter/action")"
case "$manager" in
systemd)
__systemd_service "$name" --action "$action"
test "$action" = "start" && action="running"
test "$action" = "stop" && action="stopped"
__systemd_service "$name" --state "$action"
;;
*)
# Unknown: handled by `service $NAME $action` in gencode-remote.

View file

@ -0,0 +1,121 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Determines the current state of the config option.
# Possible output:
# - present: "should" option present in config file
# - default: the "should" option is the default -> dont know if present
# - absent: no such option present in config file
#
joinlines() { sed -n -e H -e "\${x;s/^\\n//;s/\\n/${1:?}/g;p;}"; }
trlower() { tr '[:upper:]' '[:lower:]'; }
tolower() { printf '%s' "$*" | trlower; }
default_value() {
sshd -T -f /dev/null -C "$(make_conn_spec)" \
| sed -n -e 's/^'"$(tolower "${1:?}")"'[[:blank:]]\{1,\}//p'
}
make_conn_spec() {
if test -s "${__object:?}/parameter/match"
then
_match_file="${__object:?}/parameter/match"
else
_match_file='/dev/null'
fi
for _kw in \
addr=Address \
user=User \
host=Host \
laddr=LocalAddress \
lport=LocalPort \
rdomain=RDomain
do
_specname=${_kw%%=*}
_confname=$(tolower "${_kw#*=}")
while read -r _k _v
do
if test "$(tolower "${_k}")" = "${_confname}"
then
printf '%s=%s\n' "${_specname}" "${_v}"
continue 2
fi
done <"${_match_file}"
# NOTE: Print test spec even for empty keys to suppress errors like:
# 'Match User' in configuration but 'user' not in connection test specification.
# except lport:
# Invalid port '' in test mode specification lport=
test "${_specname}" = 'lport' || printf '%s=\n' "${_specname}"
done \
| joinlines ','
unset _match_file
}
sshd_config_file=$(cat "${__object:?}/parameter/file")
state_should=$(cat "${__object:?}/parameter/state")
if test -s "${__object:?}/parameter/option"
then
option_name=$(cat "${__object:?}/parameter/option")
else
option_name=${__object_id:?}
fi
value_should=$(cat "${__object:?}/parameter/value" 2>/dev/null) \
|| test "${state_should}" = absent || exit 0 # param optional if --state absent
command -v sshd >/dev/null 2>&1 || {
echo 'Cannot find sshd.' >&2
exit 1
}
test -e "${sshd_config_file}" || {
echo 'absent'
exit 0
}
value_is=$(
sshd -T -f "${sshd_config_file}" -C "$(make_conn_spec)" \
| sed -n -e 's/^'"$(tolower "${option_name}")"'[[:blank:]]\{1,\}//p')
if printf '%s\n' "${value_is}" | {
if test -n "${value_should}"
then
grep -q -x -F "${value_should}"
else
# if no value provided, assume "any" value
grep -q -e .
fi
}
then
if default_value "${option_name}" | grep -q -x -F "${value_is}"
then
# Might produce false positives for default values.
# TODO: Manual checking should be done, but for simplicity, this case is
# currently ignored here.
echo default
else
echo present
fi
else
echo absent
fi

View file

@ -0,0 +1,293 @@
# -*- mode: awk; indent-tabs-mode: t -*-
function usage() {
print_err("Usage: awk -f update_sshd_config.awk -- -o set|unset [-m 'User git'] -l 'X11Forwarding no' /etc/ssh/sshd_config")
}
function print_err(s) { print s | "cat >&2" }
function alength(a, i) {
for (i = 0; (i + 1) in a; ++i);
return i
}
function join(sep, a, i, s) {
for (i = i ? i : 1; i in a; i++)
s = s sep a[i]
return substr(s, 2)
}
function getopt(opts, argv, target, files, i, c, lv, idx, nf) {
# trivial getopt(3) implementation; only basic functionality
if (argv[1] == "--") i++
for (i += 1; i in argv; i++) {
if (lv) { target[c] = argv[i]; lv = 0; continue }
if (argv[i] ~ /^-/) {
c = substr(argv[i], 2, 1)
idx = index(opts, c)
if (!idx) {
print_err(sprintf("invalid option -%c\n", c))
continue
}
if (substr(opts, idx + 1, 1) == ":") {
# option takes argument
if (length(argv[i]) > 2)
target[c] = substr(argv[i], 3)
else
lv = 1
} else {
target[c] = 1
}
} else
files[++nf] = argv[i]
}
}
# tokenise configuration line
# this function mimics the counterpart in OpenSSH (misc.c)
# but it returns two (next token SUBSEP rest) because I didnt want to have to
# simulate any pointer magic.
function strdelim_internal(s, split_equals, old) {
if (!s)
return ""
old = s
if (!match(s, WHITESPACE "|" QUOTE "" (split_equals ? "|" EQUALS : "")))
return s
s = substr(s, RSTART)
old = substr(old, 1, RSTART - 1)
if (s ~ "^" QUOTE) {
old = substr(old, 2)
# Find matching quote
if (match(s, QUOTE)) {
old = substr(old, 1, RSTART)
# s = substr()
if (match(s, "^" WHITESPACE "*"))
s = substr(s, RLENGTH)
return old
} else {
# no matching quote
return ""
}
}
if (match(s, "^" WHITESPACE "+")) {
sub("^" WHITESPACE "+", "", s)
if (split_equals)
sub(EQUALS WHITESPACE "*", "", s)
} else if (s ~ "^" EQUALS) {
s = substr(s, 2)
}
return old SUBSEP s
}
function strdelim(s) { return strdelim_internal(s, 1) }
function strdelimw(s) { return strdelim_internal(s, 0) }
function singleton_option(opt) {
return tolower(opt) !~ /^(acceptenv|allowgroups|allowusers|authenticationmethods|authorizedkeysfile|denygroups|denyusers|hostcertificate|hostkey|listenaddress|logverbose|permitlisten|permitopen|port|setenv|subsystem)$/
}
function print_update() {
if (mode) {
if (match_only) printf "\t"
printf "%s\n", line_should
updated = 1
}
}
BEGIN {
FS = "\n" # disable field splitting
WHITESPACE = "[ \t]" # servconf.c, misc.c:strdelim_internal (without line breaks, cf. bugs)
QUOTE = "[\"]" # misc.c:strdelim_internal
EQUALS = "[=]"
split("", opts)
split("", files)
getopt("ho:l:m:", ARGV, opts, files)
if (opts["h"]) { usage(); exit (e="0") }
line_should = opts["l"]
match_only = opts["m"]
num_files = alength(files)
if (num_files != 1 || !opts["o"] || !line_should) {
usage()
exit (e=126)
}
if (opts["o"] == "set") {
mode = 1
} else if (opts["o"] == "unset") {
mode = 0
} else {
print_err(sprintf("invalid mode %s\n", mode))
exit (e=1)
}
if (mode) {
# loop over sshd_config twice!
ARGV[2] = ARGV[1] = files[1]
ARGC = 3
} else {
# only loop once
ARGV[1] = files[1]
ARGC = 2
}
split(strdelim(line_should), should, SUBSEP)
option_should = tolower(should[1])
value_should = should[2]
}
{
line = $0
# Strip trailing whitespace. Allow \f (form feed) at EOL only
sub("(" WHITESPACE "|\f)*$", "", line)
# Strip leading whitespace
sub("^" WHITESPACE "*", "", line)
if (match(line, "^#" WHITESPACE "*")) {
prefix = substr(line, RSTART, RLENGTH)
line = substr(line, RSTART + RLENGTH)
} else {
prefix = ""
}
line_type = "invalid"
option_is = value_is = ""
if (line) {
split(strdelim(line), toks, SUBSEP)
if (tolower(toks[1]) == "match") {
MATCH = (prefix ~ /^#/ ? "#" : "") join(" ", toks, 2)
line_type = "match"
} else if (toks[1] ~ /^[A-Za-z][A-Za-z0-9]+$/) {
# This could be an option line
line_type = "option"
option_is = tolower(toks[1])
value_is = toks[2]
}
} else {
line_type = "empty"
}
}
# mode: unset
!mode {
# delete matching config
if (prefix !~ /^#/)
if (MATCH == match_only && option_is == option_should)
if (!value_should || value_should == value_is)
next
print
next
}
# mode: set
mode && NR == FNR {
if (line_type == "option") {
if (MATCH !~ /^#/) {
if (prefix ~ /^#/) {
# comment line
last_occ[MATCH, "#" option_is] = FNR
} else {
# option line
last_occ[MATCH, option_is] = FNR
}
last_occ[MATCH] = FNR
}
} else if (line_type == "invalid" && !prefix) {
# INVALID LINE
print_err(sprintf("%s: syntax error on line %u\n", ARGV[0], FNR))
}
next
}
# before second pass prepare hashes containing location information to be used
# in the second pass.
mode && NR > FNR && FNR == 1 {
# First we drop the locations of commented-out options if a non-commented
# option is available. If a non-commented option is available, we will
# append new config options there to have them all at one place.
for (k in last_occ) {
if (k ~ /^#/) {
# delete entries of commented out match blocks
delete last_occ[k]
continue
}
split(k, parts, SUBSEP)
if (parts[2] ~ /^#/ && ((parts[1], substr(parts[2], 2)) in last_occ))
delete last_occ[k]
}
# Reverse the option => line mapping. The line_map allows for easier lookups
# in the second pass.
# We only keep options, not top-level keywords, because we can only have
# one entry per line and there are conflicts with last lines of "sections".
for (k in last_occ) {
if (!index(k, SUBSEP)) continue
line_map[last_occ[k]] = k
}
}
# Second pass
mode && line_map[FNR] == match_only SUBSEP option_should && !updated {
split(line_map[FNR], parts, SUBSEP)
# If option allows multiple values, print current value
if (!singleton_option(parts[2])) {
if (value_should != value_is)
print
}
print_update()
next
}
mode { print }
# Is a comment option
mode && line_map[FNR] == match_only SUBSEP "#" option_should && !updated {
print_update()
}
# Last line of the should match section
mode && last_occ[match_only] == FNR && !updated {
# NOTE: Inserting empty lines is only cosmetic. It is only done if
# different options are next to each other and not in a match block
# (match blocks are usually not in the default config and thus dont
# contain commented blocks.)
if (line && option_is != option_should && !MATCH)
print ""
print_update()
}
END {
if (e) exit e
if (mode && !updated) {
if (match_only && MATCH != match_only) {
printf "\nMatch %s\n", match_only
}
print_update()
}
}

View file

@ -0,0 +1,97 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
joinlines() { sed -n -e H -e "\${x;s/^\\n//;s/\\n/${1:?}/g;p;}"; }
state_is=$(cat "${__object:?}/explorer/state")
state_should=$(cat "${__object:?}/parameter/state")
if test "${state_is}" = "${state_should}" -o "${state_is}" = 'default'
then
# nothing to do (if the value is the default, ignore its state)
exit 0
fi
case ${state_should}
in
(present)
mode='set'
;;
(absent)
mode='unset'
;;
(*)
printf 'Invalid --state: %s\n' "${state_should}" >&2
exit 1
;;
esac
sshd_config_file=$(cat "${__object:?}/parameter/file")
quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
# Ensure the sshd_config file is there
cat <<EOF
test -e $(quote "${sshd_config_file}") || {
: >$(quote "${sshd_config_file}")
chown 0:0 $(quote "${sshd_config_file}")
chmod 0644 $(quote "${sshd_config_file}")
}
EOF
match_only=
if test -s "${__object:?}/parameter/match"
then
match_only=$(joinlines ' ' <"${__object:?}/parameter/match")
fi
if test -s "${__object:?}/parameter/option"
then
option_line=$(cat "${__object:?}/parameter/option")
else
option_line=${__object_id:?}
fi
if test -s "${__object:?}/parameter/value"
then
option_line="${option_line} $(cat "${__object:?}/parameter/value")"
fi
# Send message on config update
printf '%s%s %s\n' "${mode}" "${match_only:+ [${match_only}]}" \
"${option_line}" >>"${__messages_out:?}"
# Update sshd_config (remote code)
cat <<EOF
awk $(drop_awk_comments "${__type:?}/files/update_sshd_config.awk") \\
-o ${mode} \\
-m $(quote "${match_only}") \\
-l $(quote "${option_line}") \\
$(quote "${sshd_config_file}") >$(quote "${sshd_config_file}.tmp") \\
|| exit
cmp -s $(quote "${sshd_config_file}") $(quote "${sshd_config_file}.tmp") || {
sshd -t -f $(quote "${sshd_config_file}.tmp") \\
&& cat $(quote "${sshd_config_file}.tmp") >$(quote "${sshd_config_file}")
}
rm -f $(quote "${sshd_config_file}.tmp")
EOF

View file

@ -0,0 +1,94 @@
cdist-type__sshd_config(7)
==========================
NAME
----
cdist-type__sshd_config - Manage options in sshd_config
DESCRIPTION
-----------
This space intentionally left blank.
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
file
The path to the sshd_config file to edit.
Defaults to ``/etc/ssh/sshd_config``.
match
Restrict this option to apply only for certain connections.
Allowed values are what would be allowed to be written after a ``Match``
keyword in ``sshd_config``, e.g. ``--match 'User anoncvs'``.
Can be used multiple times. All of the values are ANDed together.
option
The name of the option to manipulate. Defaults to ``__object_id``.
state
Can be:
- ``present``: ensure a matching config line is present (or the default
value).
- ``absent``: ensure no matching config line is present.
value
The option's value to be assigned to the option (if ``--state present``) or
removed (if ``--state absent``).
This option is required if ``--state present``. If not specified and
``--state absent``, all values for the given option are removed.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
# Disallow root logins with password
__sshd_config PermitRootLogin --value without-password
# Disallow password-based authentication
__sshd_config PasswordAuthentication --value no
# Accept the EDITOR environment variable
__sshd_config AcceptEnv:EDITOR --option AcceptEnv --value EDITOR
# Force command for connections as git user
__sshd_config git@ForceCommand --match 'User git' --option ForceCommand \
--value 'cd ~git && exec git-shell ${SSH_ORIGINAL_COMMAND:+-c "${SSH_ORIGINAL_COMMAND}"}'
SEE ALSO
--------
:strong:`sshd_config`\ (5)
BUGS
----
- This type assumes a nicely formatted config file,
i.e. no config options spanning multiple lines.
- ``Include`` directives are ignored.
- Config options are not added/removed to/from the config file if their value is
the default value.
AUTHORS
-------
Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
COPYING
-------
Copyright \(C) 2020 Dennis Camera. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,48 @@
#!/bin/sh -e
#
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "${__global:?}/explorer/os")
state_should=$(cat "${__object:?}/parameter/state")
case ${os}
in
(alpine|centos|fedora|redhat|scientific|debian|devuan|ubuntu)
if test "${state_should}" != 'absent'
then
__package openssh-server --state present
fi
;;
(archlinux|gentoo|slackware|suse)
if test "${state_should}" != 'absent'
then
__package openssh --state present
fi
;;
(freebsd|netbsd|openbsd)
# whitelist
;;
(*)
printf 'Your operating system (%s) is currently not supported by this type (%s)\n' \
"${os}" "${__type##*/}" >&2
printf 'Please contribute an implementation for it if you can.\n' >&2
exit 1
;;
esac

View file

@ -0,0 +1 @@
/etc/ssh/sshd_config

View file

@ -0,0 +1 @@
present

View file

@ -0,0 +1,4 @@
file
option
state
value

Some files were not shown because too many files have changed in this diff Show more