From d53077f4e8fbca26c6f1105efa1060df749900b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Mon, 6 Apr 2020 09:26:52 +0200 Subject: [PATCH 01/23] Add --encoding, --lc-collate, --lc-support to __postgres_database type --- .../type/__postgres_database/gencode-remote | 18 +++++++++++++++++- cdist/conf/type/__postgres_database/man.rst | 12 ++++++++++-- .../__postgres_database/parameter/optional | 3 +++ 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/cdist/conf/type/__postgres_database/gencode-remote b/cdist/conf/type/__postgres_database/gencode-remote index 47e6b97c..b5f52f50 100755 --- a/cdist/conf/type/__postgres_database/gencode-remote +++ b/cdist/conf/type/__postgres_database/gencode-remote @@ -43,8 +43,24 @@ if [ "$state_should" != "$state_is" ]; then if [ -f "$__object/parameter/owner" ]; then owner="-O \"$(cat "$__object/parameter/owner")\"" fi + + encoding="" + if [ -f "$__object/parameter/encoding" ]; then + encoding="--encoding \"$(cat "$__object/parameter/encoding")\"" + fi + + lc_collate="" + if [ -f "$__object/parameter/lc-collate" ]; then + lc_collate="--lc-collate \"$(cat "$__object/parameter/lc-collate")\"" + fi + + lc_ctype="" + if [ -f "$__object/parameter/lc-ctype" ]; then + lc_ctype="--lc-ctype \"$(cat "$__object/parameter/lc-ctype")\"" + fi + cat << EOF -su - '$postgres_user' -c "createdb $owner \"$name\"" +su - '$postgres_user' -c "createdb $owner \"$name\" $encoding $lc_collate $lc_ctype" EOF ;; absent) diff --git a/cdist/conf/type/__postgres_database/man.rst b/cdist/conf/type/__postgres_database/man.rst index acceec9b..97ac95eb 100644 --- a/cdist/conf/type/__postgres_database/man.rst +++ b/cdist/conf/type/__postgres_database/man.rst 
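Review bot: The new `encoding`, `lc_collate` and `lc_ctype` values are spliced into the double-quoted `-c` string that `su` hands to `$postgres_user`'s shell with only a `\"` around them, so a value containing `"`, a backquote or `$(` ends the quoting and the remainder is parsed by the remote shell — as the account cdist runs under on the target, before `su` even switches user; the same holds for `--template` in patch 02 and for the pre-existing `owner` and `$name`. The values come from the manifest author, so this is fragility rather than a remote hole, but a legitimate value with a double quote or a space already produces a malformed `createdb` call. Reading each raw value into a variable first and rejecting the shell-significant characters before building the option, e.g. `case "$value" in *[\"\$\`\\]*) echo "unsafe characters in parameter" >&2; exit 1 ;; esac`, keeps the generated command well-formed. Placing the options before `\"$name\"`, where `$owner` already is, would also avoid depending on getopt permuting options that follow the database name. The enclosing `case` on `$state_should` starts outside the hunk.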
@@ -14,11 +14,19 @@ This cdist type allows you to create or drop postgres databases. OPTIONAL PARAMETERS ------------------- state - either 'present' or 'absent', defaults to 'present'. + Either 'present' or 'absent', defaults to 'present'. owner - the role owning this database + Specifies the database user who will own the new database. +encoding + Specifies the character encoding scheme to be used in this database. + +lc-collate + Specifies the LC_COLLATE setting to be used in this database. + +lc-ctype + Specifies the LC_CTYPE setting to be used in this database. EXAMPLES -------- diff --git a/cdist/conf/type/__postgres_database/parameter/optional b/cdist/conf/type/__postgres_database/parameter/optional index d86b6469..fed2581e 100644 --- a/cdist/conf/type/__postgres_database/parameter/optional +++ b/cdist/conf/type/__postgres_database/parameter/optional @@ -1,2 +1,5 @@ state owner +encoding +lc-collate +lc-ctype From c3f924d350772d7c3af1ce8bbbe29f1b8010d4f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 14 Apr 2020 10:23:08 +0200 Subject: [PATCH 02/23] Add --template flag to __postgres_database type --- cdist/conf/type/__postgres_database/gencode-remote | 7 ++++++- cdist/conf/type/__postgres_database/man.rst | 4 ++++ cdist/conf/type/__postgres_database/parameter/optional | 1 + 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/cdist/conf/type/__postgres_database/gencode-remote b/cdist/conf/type/__postgres_database/gencode-remote index b5f52f50..0f11cff4 100755 --- a/cdist/conf/type/__postgres_database/gencode-remote +++ b/cdist/conf/type/__postgres_database/gencode-remote 
@@ -44,6 +44,11 @@ if [ "$state_should" != "$state_is" ]; then owner="-O \"$(cat "$__object/parameter/owner")\"" fi + template="" + if [ -f "$__object/parameter/template" ]; then + template="--template \"$(cat "$__object/parameter/template")\"" + fi + encoding="" if [ -f "$__object/parameter/encoding" ]; then encoding="--encoding \"$(cat "$__object/parameter/encoding")\"" @@ -60,7 +65,7 @@ if [ "$state_should" != "$state_is" ]; then fi cat << EOF -su - '$postgres_user' -c "createdb $owner \"$name\" $encoding $lc_collate $lc_ctype" +su - '$postgres_user' -c "createdb $owner \"$name\" $template $encoding $lc_collate $lc_ctype" EOF ;; absent) diff --git a/cdist/conf/type/__postgres_database/man.rst b/cdist/conf/type/__postgres_database/man.rst index 97ac95eb..870b4917 100644 --- a/cdist/conf/type/__postgres_database/man.rst +++ b/cdist/conf/type/__postgres_database/man.rst @@ -28,6 +28,10 @@ lc-collate lc-ctype Specifies the LC_CTYPE setting to be used in this database. +template + Specifies the template database from which to build this database. + + EXAMPLES -------- diff --git a/cdist/conf/type/__postgres_database/parameter/optional b/cdist/conf/type/__postgres_database/parameter/optional index fed2581e..877fbf32 100644 --- a/cdist/conf/type/__postgres_database/parameter/optional +++ b/cdist/conf/type/__postgres_database/parameter/optional @@ -3,3 +3,4 @@ owner encoding lc-collate lc-ctype +template From 742163e38c2a8124390cecee02a9c865fe18fdff Mon Sep 17 00:00:00 2001 From: Joachim Desroches Date: Wed, 15 Apr 2020 17:10:33 +0200 Subject: [PATCH 03/23] Fix configuration file location --- cdist/configuration.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cdist/configuration.py b/cdist/configuration.py index f05a5963..1011a382 100644 --- a/cdist/configuration.py +++ b/cdist/configuration.py 
@@ -274,7 +274,8 @@ class Configuration(metaclass=Singleton): os.path.isfile(_local_config_file))): _local_config_file = os.path.join( os.environ.get('XDG_CONFIG_HOME', - os.path.expanduser('~/.config/cdist')), + os.path.expanduser('~/.config/')), + 'cdist', _config_basename) _dist_config_file = os.path.join( os.path.abspath(os.path.join(os.path.dirname(cdist.__file__), "conf")), From c9c1e7d79050afe2bc69b875096dbd1379d70eea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 21 Apr 2020 08:13:32 +0200 Subject: [PATCH 04/23] Import CI image definition --- other/ci/Dockerfile | 8 ++++++++ other/ci/README.md | 3 +++ other/ci/repositories | 3 +++ 3 files changed, 14 insertions(+) create mode 100644 other/ci/Dockerfile create mode 100644 other/ci/README.md create mode 100644 other/ci/repositories diff --git a/other/ci/Dockerfile b/other/ci/Dockerfile new file mode 100644 index 00000000..03d6b546 --- /dev/null +++ b/other/ci/Dockerfile @@ -0,0 +1,8 @@ +FROM alpine:latest + +COPY ./repositories /etc/apk/ + +RUN apk update +RUN apk upgrade +RUN apk add python3 py3-pycodestyle rsync make shellcheck git +RUN apk fix diff --git a/other/ci/README.md b/other/ci/README.md new file mode 100644 index 00000000..0bd64613 --- /dev/null +++ b/other/ci/README.md @@ -0,0 +1,3 @@ +This container is used for cdist's CI pipeline, and deployed in ungleich's docker registry at: + + code.ungleich.ch:5050/ungleich-public/cdist-ci:latest diff --git a/other/ci/repositories b/other/ci/repositories new file mode 100644 index 00000000..46cabcc3 --- /dev/null +++ b/other/ci/repositories @@ -0,0 +1,3 @@ +https://mirror.ungleich.ch/mirror/packages/alpine/edge/main +https://mirror.ungleich.ch/mirror/packages/alpine/edge/community +https://mirror.ungleich.ch/mirror/packages/alpine/edge/testing From 7d576554708115cef78eac364b20265386998882 Mon Sep 17 00:00:00 2001 
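Review bot: `os.environ.get('XDG_CONFIG_HOME', ...)` returns the empty string when the variable is exported but empty, and the XDG base-directory spec says an empty or relative value is to be treated as unset; with `''` the new `os.path.join('', 'cdist', _config_basename)` yields `cdist/<basename>` relative to the current working directory, so cdist would pick up a configuration file from whatever directory it happens to be invoked in, and that file shapes how cdist runs. `os.environ.get('XDG_CONFIG_HOME') or os.path.expanduser('~/.config/')` handles the empty case; a relative value could additionally be rejected with `os.path.isabs`. The enclosing method starts before the hunk and continues after it.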
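Review bot: The CI image is built from moving targets: `FROM alpine:latest`, a `repositories` file pointing at `edge/main`, `edge/community` and `edge/testing`, and an unversioned `apk add`, so two builds of this Dockerfile can contain different packages and a change on the mirror reaches the pipeline unnoticed; patch 06 then consumes the result through the equally mutable `cdist-ci:latest` tag in `.gitlab-ci.yml`. Pinning the base image (`FROM alpine:<VERSION>@sha256:<DIGEST-PLACEHOLDER>`) and referencing the built image by digest or a versioned tag in `.gitlab-ci.yml` makes a CI result reproducible and reviewable. The four `RUN` lines would also be better as a single `RUN apk add --no-cache ...` so the package index is not baked into a layer, and whether `edge/testing` is needed at all (presumably for `shellcheck`) deserves a comment in the `repositories` file.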
From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 21 Apr 2020 08:15:51 +0200 Subject: [PATCH 05/23] Fix typo in cdist-ci image README --- other/ci/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/other/ci/README.md b/other/ci/README.md index 0bd64613..6a9b0ac5 100644 --- a/other/ci/README.md +++ b/other/ci/README.md @@ -1,3 +1,3 @@ This container is used for cdist's CI pipeline, and deployed in ungleich's docker registry at: - code.ungleich.ch:5050/ungleich-public/cdist-ci:latest + code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest From e2b26aa233fe702f19a39fa1378a6c531d36720f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 21 Apr 2020 08:16:46 +0200 Subject: [PATCH 06/23] Patch CI configuration to use cdist-ci image --- .gitlab-ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1cc17995..e215652c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,6 +1,8 @@ stages: - test +image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest + unit_tests: stage: test script: From 38ccdfda321e6bdb683842d227b379feea5e752c Mon Sep 17 00:00:00 2001 From: Darko Poljak Date: Wed, 22 Apr 2020 23:21:34 +0200 Subject: [PATCH 07/23] Fix newly found shellcheck issues --- cdist/conf/type/__cdist/manifest | 1 + cdist/conf/type/__openldap_server/manifest | 1 + 2 files changed, 2 insertions(+) diff --git a/cdist/conf/type/__cdist/manifest b/cdist/conf/type/__cdist/manifest index a97cf288..0b0f1263 100755 --- a/cdist/conf/type/__cdist/manifest +++ b/cdist/conf/type/__cdist/manifest @@ -37,6 +37,7 @@ source="$(cat "$__object/parameter/source")" # out of it home=/home/$username +# shellcheck disable=SC2086 __user "$username" --home "$home" $shell require="__user/$username" __directory "$home" \ diff --git a/cdist/conf/type/__openldap_server/manifest b/cdist/conf/type/__openldap_server/manifest index dadc9f20..d35603c4 100644 
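Review bot: The `# shellcheck disable=SC2086` added above `__user "$username" --home "$home" $shell` silences the warning without recording why the unquoted expansion is intended, so a later reader cannot tell a deliberate optional-argument expansion from a missed quote; the same applies to the directive added for `${staging}` in `__openldap_server/manifest` and for `${or}` in `scripts/cdist-dump` (patch 08). Putting the reason on the directive line, e.g. `# shellcheck disable=SC2086 # $shell is empty or an option plus its value, word splitting intended`, keeps the suppression self-explaining. What `$shell` holds is set outside the hunk, so adjust the wording to match.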
--- a/cdist/conf/type/__openldap_server/manifest +++ b/cdist/conf/type/__openldap_server/manifest @@ -168,6 +168,7 @@ if [ -z "${_skip_letsencrypt_cert}" ]; then staging="" fi + # shellcheck disable=SC2086 __letsencrypt_cert "${name}" --admin-email "${admin_email}" \ --renew-hook "cp ${ETC}/letsencrypt/live/${name}/*.pem ${SLAPD_DIR}/sasl2 && chown -R openldap:openldap ${SLAPD_DIR}/sasl2 && service slapd restart" \ --automatic-renewal ${staging} From 41e59a748dc45aaec88edc7a7eaed96c6086b1b1 Mon Sep 17 00:00:00 2001 From: Darko Poljak Date: Wed, 22 Apr 2020 23:24:34 +0200 Subject: [PATCH 08/23] Fix newly found shellcheck issues --- scripts/cdist-dump | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/cdist-dump b/scripts/cdist-dump index 83b09eb8..d29e5985 100755 --- a/scripts/cdist-dump +++ b/scripts/cdist-dump @@ -224,6 +224,7 @@ hor_line() if [ "${do_global_explorer}" ] then print_verbose 2 "Dumping global explorers" + # shellcheck disable=SC2086 set -- "$@" ${or} \( \ -path "*/explorer/*" -a \ ! -path "*/conf/*" -a \ From de37b0ce450109306e31affa67dd2ff3653b6d68 Mon Sep 17 00:00:00 2001 From: Evilham Date: Fri, 24 Apr 2020 20:26:44 +0200 Subject: [PATCH 09/23] [__motd] Improve documentation and support for FreeBSD This makes it easier to use the type just by reading the man page and also treats FreeBSD's MOTD better. --- cdist/conf/type/__motd/gencode-remote | 11 +++++++++++ cdist/conf/type/__motd/man.rst | 19 ++++++++++++++++++- cdist/conf/type/__motd/manifest | 8 ++++++++ 3 files changed, 37 insertions(+), 1 deletion(-) diff --git a/cdist/conf/type/__motd/gencode-remote b/cdist/conf/type/__motd/gencode-remote index bc842cc8..738ea834 100755 --- a/cdist/conf/type/__motd/gencode-remote +++ b/cdist/conf/type/__motd/gencode-remote 
@@ -29,7 +29,18 @@ case "$os" in echo "uname -snrvm > /var/run/motd" echo "cat /etc/motd.tail >> /var/run/motd" ;; + freebsd) + # FreeBSD only updates /etc/motd on boot, + # as seen in /etc/rc.d/motd + echo "uname -sri > /etc/motd" + echo "cat /etc/motd.template >> /etc/motd" + # FreeBSD 13 starts treating motd slightly different from previous + # versions this ensures hosts have the expected config. + echo "rm /etc/motd.template || true" + echo "service motd start" + ;; *) + # Other OS tend to treat /etc/motd statically exit 0 ;; esac diff --git a/cdist/conf/type/__motd/man.rst b/cdist/conf/type/__motd/man.rst index 17369684..a567dc80 100644 --- a/cdist/conf/type/__motd/man.rst +++ b/cdist/conf/type/__motd/man.rst @@ -10,6 +10,13 @@ DESCRIPTION ----------- This cdist type allows you to easily setup /etc/motd. +.. note:: + In some OS, motd is a bit special, check `motd(5)`. + Currently Debian, Devuan, Ubuntu and FreeBSD are taken into account. + If your OS of choice does something besides /etc/motd, check the source + and contribute support for it. + Otherwise it will likely just work. + REQUIRED PARAMETERS ------------------- @@ -20,6 +27,7 @@ OPTIONAL PARAMETERS ------------------- source If supplied, copy this file from the host running cdist to the target. + If source is '-' (dash), take what was written to stdin as the file content. If not supplied, a default message will be placed onto the target. @@ -34,6 +42,15 @@ EXAMPLES # Supply source file from a different type __motd --source "$__type/files/my-motd" + # Supply source from stdin + __motd --source "-" < COPYING ------- -Copyright \(C) 2011 Nico Schottelius. You can redistribute it +Copyright \(C) 2020 Nico Schottelius. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
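Review bot: The new `freebsd)` branch emits `rm /etc/motd.template || true` on every run, while the manifest hunk in this same commit sets `destination=/etc/motd.template` for FreeBSD, so the file the type's `__file` object just deployed is deleted again before the run ends; on the next run it is reported as changed and re-created and `/etc/motd` is rewritten once more, i.e. the type never converges on FreeBSD (if I read the manifest correctly). If the template must not persist on FreeBSD 13, that deserves to be stated in man.rst; otherwise dropping the `rm` lets the deployed template stay and `service motd start` regenerate from it. Independently, `echo "rm -f /etc/motd.template"` says what `rm ... || true` means without masking other failures. The `case "$os"` statement starts outside the hunk.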
diff --git a/cdist/conf/type/__motd/manifest b/cdist/conf/type/__motd/manifest index cd741cf4..ded734d7 100755 --- a/cdist/conf/type/__motd/manifest +++ b/cdist/conf/type/__motd/manifest @@ -34,9 +34,17 @@ os=$(cat "$__global/explorer/os") case "$os" in debian|ubuntu|devuan) + # Debian-based systems use /etc/motd.tail as a template destination=/etc/motd.tail ;; + freebsd) + # FreeBSD uses motd.template to prepend system information on boot + # (this actually only applies starting with version 13, + # but we fix that for whatever version in gencode-remote) + destination=/etc/motd.template + ;; *) + # Most UNIX systems, including other Linux and OpenBSD just use /etc/motd destination=/etc/motd ;; esac From 056c7c5400e7beeb15de800be6b62661998259ff Mon Sep 17 00:00:00 2001 From: Evilham Date: Sat, 25 Apr 2020 00:12:24 +0200 Subject: [PATCH 10/23] [__openldap_server] Support extra config parameter. This allows the user to, e.g. manually define ACLs, while this type does not support that. --- cdist/conf/type/__openldap_server/man.rst | 3 +++ cdist/conf/type/__openldap_server/manifest | 3 +++ cdist/conf/type/__openldap_server/parameter/optional | 3 ++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/cdist/conf/type/__openldap_server/man.rst b/cdist/conf/type/__openldap_server/man.rst index d20101d1..fbad21d8 100644 --- a/cdist/conf/type/__openldap_server/man.rst +++ b/cdist/conf/type/__openldap_server/man.rst @@ -92,6 +92,9 @@ tls-ca Required if `tls-cert` is defined. Path in the remote hosts to the PEM-encoded CA certificate file. +extra-config + Custom settings to be added in `slapd.conf(5)`. + OPTIONAL MULTIPLE PARAMETERS ---------------------------- diff --git a/cdist/conf/type/__openldap_server/manifest b/cdist/conf/type/__openldap_server/manifest index d35603c4..84ba176f 100644 --- a/cdist/conf/type/__openldap_server/manifest +++ b/cdist/conf/type/__openldap_server/manifest 
@@ -9,6 +9,7 @@ slapd_modules=$(cat "${__object}/parameter/module" 2>/dev/null || true) schemas=$(cat "${__object}/parameter/schema") slapd_urls=$(tr '\n' ' ' < "${__object}/parameter/slapd-url") tls_cipher_suite=$(cat "${__object}/parameter/tls-cipher-suite" 2>/dev/null || true) +extra_config=$(cat "${__object}/parameter/extra-config" || true) os="$(cat "${__global}/explorer/os")" @@ -231,6 +232,8 @@ index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq +${extra_config} + serverid ${serverid} EOF diff --git a/cdist/conf/type/__openldap_server/parameter/optional b/cdist/conf/type/__openldap_server/parameter/optional index a92b9c6e..71c64659 100644 --- a/cdist/conf/type/__openldap_server/parameter/optional +++ b/cdist/conf/type/__openldap_server/parameter/optional @@ -5,4 +5,5 @@ admin-email tls-cipher-suite tls-cert tls-privkey -tls-ca \ No newline at end of file +tls-ca +extra-config From 5981d0a5f1deb2e60ea3c95ad3b535f1425060f6 Mon Sep 17 00:00:00 2001 From: Evilham Date: Sat, 25 Apr 2020 00:22:28 +0200 Subject: [PATCH 11/23] [__postfix] Automagically support more OSs by not checking too much. It is quite likely that the package is going to be called postfix, rather than trying to have an exhaustive "allow list" for this package, we can just add special cases for OSs where that is not the case (not aware of any atm). --- cdist/conf/type/__postfix/manifest | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/cdist/conf/type/__postfix/manifest b/cdist/conf/type/__postfix/manifest index f3616979..121bba96 100755 --- a/cdist/conf/type/__postfix/manifest +++ b/cdist/conf/type/__postfix/manifest 
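Review bot: `extra_config=$(cat "${__object}/parameter/extra-config" || true)` omits the `2>/dev/null` that the neighbouring `tls_cipher_suite` and `slapd_modules` lines use, so every run without `--extra-config` prints a `cat: ... No such file or directory` line to stderr even though the missing file is the normal case: `extra_config=$(cat "${__object}/parameter/extra-config" 2>/dev/null || true)`. The second hunk inserts the value verbatim into the generated `slapd.conf` between the `index` directives and `serverid`; since the man.rst entry only says "added", a comment such as `# user-supplied slapd.conf(5) fragment, inserted unescaped after the index directives` above the `${extra_config}` line tells the next maintainer where a syntax error in that parameter will surface.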
@@ -19,16 +19,4 @@
 # along with cdist. If not, see .
 #
-
-os=$(cat "$__global/explorer/os")
-
-case "$os" in
- alpine|ubuntu|debian|archlinux|suse|scientific|centos|devuan)
- __package postfix --state present
- ;;
- *)
- echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
- echo "Please contribute an implementation for it if you can." >&2
- exit 1
- ;;
-esac
+__package postfix --state present
From fefe90e9c9bde2ad00c142c01d5a588eb99751e5 Mon Sep 17 00:00:00 2001
From: Evilham Date: Sat, 25 Apr 2020 12:23:27 +0200 Subject: [PATCH 12/23] [__pf*] (~) __pf_ruleset (+)__pf_apply_anchor, deprecate __pf_apply MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit __pf_apply the way it exists on cdist is not really useful and __pf_ruleset does not take advantage of other types as it should, being instead overly complex and not as reliable. The new __pf_ruleset is compatible with the previous one, and __pf_apply_anchors allows for a simple and powerful way of managing pf anchors. The functionality previously provided by __pf_apply is still possible out of the box in __pf_ruleset. These patches were mostly contributed by Kamila Součková and made fit for upstreaming by Evilham. --- cdist/conf/type/__pf_apply/deprecated | 1 + .../gencode-remote} | 28 +++---- cdist/conf/type/__pf_apply_anchor/man.rst | 62 ++++++++++++++ .../type/__pf_apply_anchor/parameter/optional | 1 + cdist/conf/type/__pf_ruleset/gencode-local | 81 ------------------- cdist/conf/type/__pf_ruleset/man.rst | 14 ++-- .../__pf_ruleset/{gencode-remote => manifest} | 47 +++++------ 7 files changed, 105 insertions(+), 129 deletions(-) create mode 100644 cdist/conf/type/__pf_apply/deprecated rename cdist/conf/type/{__pf_ruleset/explorer/cksum => __pf_apply_anchor/gencode-remote} (55%) create mode 100644 cdist/conf/type/__pf_apply_anchor/man.rst create mode 100644 cdist/conf/type/__pf_apply_anchor/parameter/optional delete mode 100755 cdist/conf/type/__pf_ruleset/gencode-local rename cdist/conf/type/__pf_ruleset/{gencode-remote => manifest} (51%) diff --git a/cdist/conf/type/__pf_apply/deprecated b/cdist/conf/type/__pf_apply/deprecated new file mode 100644 index 00000000..36cfed90 --- /dev/null +++ b/cdist/conf/type/__pf_apply/deprecated @@ -0,0 +1 @@ +Consider moving to __pf_apply_anchor. Get in touch if you need __pf_apply. 
diff --git a/cdist/conf/type/__pf_ruleset/explorer/cksum b/cdist/conf/type/__pf_apply_anchor/gencode-remote similarity index 55% rename from cdist/conf/type/__pf_ruleset/explorer/cksum rename to cdist/conf/type/__pf_apply_anchor/gencode-remote index 9be6c901..36c26521 100755 --- a/cdist/conf/type/__pf_ruleset/explorer/cksum +++ b/cdist/conf/type/__pf_apply_anchor/gencode-remote @@ -1,6 +1,6 @@ -#!/bin/sh +#!/bin/sh -e # -# 2012 Jake Guffey (jake.guffey at eprotex.com) +# 2016 Kamila Součková (coding at kamila.is) # # This file is part of cdist. # @@ -18,24 +18,16 @@ # along with cdist. If not, see . # # -# Get the 256 bit SHA2 checksum of the pf ruleset on the target host. +# Apply pf(4) ruleset on *BSD # -# Debug -#exec >&2 -#set -x +ANCHORS_DIR="/etc/pf.d" -# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf -# See if file exists and if so, get checksum - -RC="/etc/rc.conf" -TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')" -PFCONF="${TMP:-"/etc/pf.conf"}" - -if [ -f "${PFCONF}" ]; then # The pf config file exists, find its cksum. - cksum -o 1 "${PFCONF}" | cut -d= -f2 | awk '{print $1}' +if [ -f "${__object}/parameter/anchor_name" ]; then + anchor_name="$(cat "${__object}/parameter/anchor_name")" +else + anchor_name="${__object_id}" fi +anchor_file="${ANCHORS_DIR}/${anchor_name}" -# Debug -#set +x - +echo "pfctl -a \"${anchor_name}\" -f \"${anchor_file}\"" diff --git a/cdist/conf/type/__pf_apply_anchor/man.rst b/cdist/conf/type/__pf_apply_anchor/man.rst new file mode 100644 index 00000000..aef6cdf4 --- /dev/null +++ b/cdist/conf/type/__pf_apply_anchor/man.rst 
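Review bot: The header comment kept from the renamed file, `# Apply pf(4) ruleset on *BSD`, no longer describes this script, which loads a single anchor; `# Apply a pf(4) anchor from /etc/pf.d on *BSD` would match what the code does. The emitted `pfctl -a "${anchor_name}" -f "${anchor_file}"` runs on every cdist run and assumes `${anchor_file}` is already in place, but the type does not manage that file, so the user has to order the `__file` object before this one with `require`, which neither the script nor man.rst says; a comment above the `echo`, `# the anchor file is deployed by the user (e.g. __file); order it with require=`, would make the contract explicit. There is also no state parameter (parameter/optional holds only `anchor_name`), so an anchor once loaded cannot be removed through this type; documenting that limitation in man.rst is the minimum.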
@@ -0,0 +1,62 @@ +cdist-type__pf_apply_anchor(7) +============================== + +NAME +---- +cdist-type__pf_apply_anchor - Apply a pf(4) anchor on $__target_host + + +DESCRIPTION +----------- +This type is used on \*BSD systems to manage anchors for the pf firewall. + +Notice this type does not take care of copying the ruleset, that must be +done by the user with, e.g. `__file`. + + +OPTIONAL PARAMETERS +------------------- +anchor_name + The name of the anchor to apply. If not set, `${__object_id}` is used. + This type requires `/etc/pf.d/${anchor_name}` to exist on + `$__target_host`. + + +EXAMPLES +-------- + +.. code-block:: sh + + # Copy anchor file to ${__target_host} + __file "/etc/pf.d/80_dns" --source - < +Kamila Součková +Jake Guffey + + +COPYING +------- +Copyright \(C) 2020 Evilham. +Copyright \(C) 2016 Kamila Součková. +Copyright \(C) 2012 Jake Guffey. You can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. diff --git a/cdist/conf/type/__pf_apply_anchor/parameter/optional b/cdist/conf/type/__pf_apply_anchor/parameter/optional new file mode 100644 index 00000000..b9f61e28 --- /dev/null +++ b/cdist/conf/type/__pf_apply_anchor/parameter/optional @@ -0,0 +1 @@ +anchor_name diff --git a/cdist/conf/type/__pf_ruleset/gencode-local b/cdist/conf/type/__pf_ruleset/gencode-local deleted file mode 100755 index 11bfb0b1..00000000 --- a/cdist/conf/type/__pf_ruleset/gencode-local +++ /dev/null 
@@ -1,81 +0,0 @@ -#!/bin/sh -e -# -# 2012 Jake Guffey (jake.guffey at eprotex.com) -# -# This file is part of cdist. -# -# cdist is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# cdist is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with cdist. If not, see . -# -# -# Manage pf(4) on *BSD -# - -# Debug -#exec >&2 -#set -x - -# Send files to $__target_host via $__remote_copy - -uname=$(uname) # Need to know what the cdist host is running so we know how to compute the ruleset's checksum -state=$(cat "$__object/parameter/state") - -if [ "$state" = "absent" ]; then # There is nothing more for a *local* script to do - exit 0 -fi - -if [ -f "$__object/parameter/source" ]; then - source=$(cat "$__object/parameter/source") -fi - -rcvar=$(cat "$__object/explorer/rcvar") -cksum=$(cat "$__object/explorer/cksum") - - -cat <&2 - exit 1 - ;; -esac - -# IPv6 fix -if $(echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$') -then - my_target_host="[${__target_host}]" -else - my_target_host="${__target_host}" -fi - -if [ -n "${cksum}" ]; then - if [ ! "\${currentSum}" = "${cksum}" ]; then - $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new" - fi -else # File just doesn't exist yet - $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new" -fi -EOF - -# Debug -#exec +x - diff --git a/cdist/conf/type/__pf_ruleset/man.rst b/cdist/conf/type/__pf_ruleset/man.rst index 5719e94e..db8873ac 100644 --- a/cdist/conf/type/__pf_ruleset/man.rst +++ b/cdist/conf/type/__pf_ruleset/man.rst 
@@ -10,6 +10,9 @@ DESCRIPTION ----------- This type is used on \*BSD systems to manage the pf firewall's ruleset. +It will also enable and disable the pf firewall as requested in the `state` +parameter. + REQUIRED PARAMETERS ------------------- @@ -20,9 +23,8 @@ state OPTIONAL PARAMETERS ------------------- source - If supplied, use to define the ruleset to load onto the $__target_host for pf(4). - Note that this type is almost useless without a ruleset defined, but it's technically not - needed, e.g. for the case of disabling the firewall temporarily. + Required when state is "present". + Defines the ruleset to load onto the $__target_host for `pf(4)`. EXAMPLES @@ -30,10 +32,10 @@ EXAMPLES .. code-block:: sh - # Remove the current ruleset in place + # Remove the current ruleset in place and disable pf __pf_ruleset --state absent - # Enable the firewall with the ruleset defined in $__manifest/files/pf.conf + # Enable pf with the ruleset defined in $__manifest/files/pf.conf __pf_ruleset --state present --source $__manifest/files/pf.conf @@ -44,11 +46,13 @@ SEE ALSO AUTHORS ------- +Kamila Součková Jake Guffey COPYING ------- +Copyright \(C) 2016 Kamila Součková. Copyright \(C) 2012 Jake Guffey. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the diff --git a/cdist/conf/type/__pf_ruleset/gencode-remote b/cdist/conf/type/__pf_ruleset/manifest similarity index 51% rename from cdist/conf/type/__pf_ruleset/gencode-remote rename to cdist/conf/type/__pf_ruleset/manifest index 12760fdf..34fee5dd 100755 --- a/cdist/conf/type/__pf_ruleset/gencode-remote +++ b/cdist/conf/type/__pf_ruleset/manifest @@ -1,6 +1,6 @@ #!/bin/sh -e # -# 2012 Jake Guffey (jake.guffey at eprotex.com) +# 2016 Kamila Součková (coding at kamila.is) # # This file is part of cdist. # 
@@ -21,29 +21,26 @@ # Manage pf(4) on *BSD # -# Debug -#exec >&2 -#set -x - -# Remove ${rcvar} in the case of --state absent - -state=$(cat "$__object/parameter/state") -rcvar=$(cat "$__object/explorer/rcvar") - -if [ "$state" = "present" ]; then # There is nothing more for a *remote* script to do - exit 0 -elif [ "$state" = "absent" ]; then - # --state absent, so ensure that .new doesn't exist and that conf is renamed to .old - cat <&2 - exit 1 +rcvar="$(cat "${__object}/explorer/rcvar")" +state="$(cat "${__object}/parameter/state")" +if [ -f "${__object}/parameter/source" ]; then + source="$(cat "${__object}/parameter/source")" fi +if [ "${state}" = "absent" ]; then + action="/etc/rc.d/pf stop" +else + action="/etc/rc.d/pf reload || /etc/rc.d/pf start" +fi + +__key_value __pf_ruleset/rcvar \ + --state "${state}" \ + --file /etc/rc.conf \ + --delimiter "=" \ + --key "pf_enable" \ + --value "YES" + +require="__key_value/__pf_ruleset/rcvar" __config_file ${rcvar} \ + --source "${source}" \ + --state "${state}" \ + --onchange "${action}" From 292879544154f11f4cd719ebf0c67c25000a25fd Mon Sep 17 00:00:00 2001 From: Evilham Date: Sat, 25 Apr 2020 14:54:29 +0200 Subject: [PATCH 13/23] [__pf_ruleset] Fix shellcheck issue. --- cdist/conf/type/__pf_ruleset/manifest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cdist/conf/type/__pf_ruleset/manifest b/cdist/conf/type/__pf_ruleset/manifest index 34fee5dd..27b35328 100755 --- a/cdist/conf/type/__pf_ruleset/manifest +++ b/cdist/conf/type/__pf_ruleset/manifest @@ -40,7 +40,7 @@ __key_value __pf_ruleset/rcvar \ --key "pf_enable" \ --value "YES" -require="__key_value/__pf_ruleset/rcvar" __config_file ${rcvar} \ +require="__key_value/__pf_ruleset/rcvar" __config_file "${rcvar}" \ --source "${source}" \ --state "${state}" \ --onchange "${action}" From 04b7f240ebc1ae5b0f23279d75b65b50d062ccd1 Mon Sep 17 00:00:00 2001 
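Review bot: The man.rst hunk in this commit makes `source` "Required when state is present", but the manifest never checks it: when `--source` is omitted, `source` stays unset and `__config_file "${rcvar}" --source "" --state present ...` is emitted, so the failure (if any) comes from `__config_file` rather than from this type. An explicit guard after the `source=` block, shown below, reports the mistake where it was made. The `${rcvar}` quoting is already fixed in patch 13. The hunk starts right after the license block, so the manifest's prologue is outside it.
```sh
# … unchanged: rcvar, state and source reads …
fi
if [ "${state}" != "absent" ] && [ -z "${source}" ]; then
    echo "__pf_ruleset: --source is required when --state is present" >&2
    exit 1
fi
# … unchanged: action selection, __key_value and __config_file calls …
```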
From: Darko Poljak Date: Sun, 26 Apr 2020 10:01:18 +0200 Subject: [PATCH 14/23] ++changelog --- docs/changelog | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/changelog b/docs/changelog index b6b1bb39..7cacf3cf 100644 --- a/docs/changelog +++ b/docs/changelog @@ -1,6 +1,16 @@ Changelog --------- +next: + * Core: Fix XDG_CONFIG_HOME config file location (Joachim Desroches) + * Type __postgres_database: Add encoding, lc-collate, lc-ctype, template parameters (Timothée Floure) + * Type __motd: Improve documentation and support for FreeBSD (Evil Ham) + * Type __openldap_server: Support extra config parameter (Evil Ham) + * Type __postfix: Automagically support more OSs by not checking too much (Evil Ham) + * New type: __pf_apply_anchor (Kamila Součková, Evil Ham) + * Type __pf_ruleset: Refactor (Kamila Součková, Evil Ham) + * Type __pf_apply: Deprecate type (Kamila Součková, Evil Ham) + 6.5.4: 2020-04-11 * Explorer init: Do not grep on non-existent init (Steven Armstrong) * Core: Bugfix to preserve conf dirs order (Steven Armstrong) From fefc828780bc76c4245fa96ef517a66ec3eda3fa Mon Sep 17 00:00:00 2001 From: Evilham Date: Sun, 26 Apr 2020 19:06:42 +0200 Subject: [PATCH 15/23] [docs] Improve cdist.cfg.skeleton --- configuration/cdist.cfg.skeleton | 3 +++ 1 file changed, 3 insertions(+) diff --git a/configuration/cdist.cfg.skeleton b/configuration/cdist.cfg.skeleton index 22c1ccaf..bfac9f5c 100644 --- a/configuration/cdist.cfg.skeleton +++ b/configuration/cdist.cfg.skeleton @@ -19,6 +19,9 @@ # such as ':' for POSIX or ';' for Windows. # If also specified at command line then values from command line are # appended to this value. +# Notice that this works in a "last one wins" fashion, so if a type is redefined +# in multiple conf_dirs, the last one in which it is defined will be used. +# Consider using a unique prefix for your own roles if this can be an issue. # conf_dir = : # # init_manifest 
From 678df1ec8a24b4c3884554b1931445435e098787 Mon Sep 17 00:00:00 2001 From: Evilham Date: Mon, 27 Apr 2020 01:23:48 +0200 Subject: [PATCH 16/23] [explorers] Improve *BSD support. cpu_cores and memory did lacked support for other BSDs. --- cdist/conf/explorer/cpu_cores | 4 ++++ cdist/conf/explorer/memory | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/cdist/conf/explorer/cpu_cores b/cdist/conf/explorer/cpu_cores index a52bddac..c6744142 100755 --- a/cdist/conf/explorer/cpu_cores +++ b/cdist/conf/explorer/cpu_cores @@ -32,6 +32,10 @@ case "$os" in sysctl -n hw.ncpuonline ;; + "freebsd"|"netbsd") + sysctl -n hw.ncpu + ;; + *) if [ -r /proc/cpuinfo ]; then cores="$(grep "core id" /proc/cpuinfo | sort | uniq | wc -l)" diff --git a/cdist/conf/explorer/memory b/cdist/conf/explorer/memory index 4e3efff8..302b4cda 100755 --- a/cdist/conf/explorer/memory +++ b/cdist/conf/explorer/memory @@ -29,7 +29,7 @@ case "$os" in echo "$(sysctl -n hw.memsize)/1024" | bc ;; - "openbsd") + *"bsd") echo "$(sysctl -n hw.physmem) / 1048576" | bc ;; From 0b3c417aef13eceb51195bb42e9a17205a9afc6c Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Mon, 27 Apr 2020 14:00:39 +0300 Subject: [PATCH 17/23] update README --- README | 7 ------- README.md | 20 ++++++++++++++++++++ 2 files changed, 20 insertions(+), 7 deletions(-) delete mode 100644 README create mode 100644 README.md diff --git a/README b/README deleted file mode 100644 index caf2dac8..00000000 --- a/README +++ /dev/null @@ -1,7 +0,0 @@ -cdist ------ - -cdist is a usable configuration management system. - -For the web documentation have a look at https://www.cdi.st/ -or at docs/src for reStructuredText manual. diff --git a/README.md b/README.md new file mode 100644 index 00000000..9e49b053 --- /dev/null +++ b/README.md 
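Review bot: The two explorers changed in this commit classify BSDs differently: `cpu_cores` gains an explicit `"freebsd"|"netbsd")` branch next to the existing `hw.ncpuonline` one, while `memory` replaces `"openbsd")` with the glob `*"bsd")`, so an `os` value such as `dragonflybsd` (whatever string the os explorer reports for it) takes the `sysctl hw.physmem` path in one explorer and the `/proc/cpuinfo` fallback in the other. Pick one form for both; the explicit list is the safer choice unless `hw.ncpu` and `hw.physmem` have been checked on every system the glob admits, in which case `*"bsd")` in `cpu_cores` too, with a comment naming the verified systems, is the simpler one.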
@@ -0,0 +1,20 @@ +# cdist + +**cdist** is a usable configuration management system. + +It adheres to the [**KISS principle**](https://en.wikipedia.org/wiki/KISS_principle) +and is being used in small up to enterprise grade environments. + +For more information have a look at [**homepage**](https://cdi.st) +or at **``docs/src``** for manual in **reStructuredText** format. + +## Contributing + +Merge/Pull requests can be made in both +[upstream **GitLab**](https://code.ungleich.ch/ungleich-public/cdist/merge_requests) +(managed by [**ungleich**](https://ungleich.ch)) +and [**GitHub** project](https://github.com/ungleich/cdist/pulls). + +Issues can be made and other project management activites happen +[**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist) +(needs [**ungleich** account](https://account.ungleich.ch)). From 56a65518ab6171d0f19152642fccb94038a3c5ad Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Mon, 27 Apr 2020 15:25:43 +0300 Subject: [PATCH 18/23] README: add participating section --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 9e49b053..0a0d6e6d 100644 --- a/README.md +++ b/README.md @@ -18,3 +18,11 @@ and [**GitHub** project](https://github.com/ungleich/cdist/pulls). Issues can be made and other project management activites happen [**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist) (needs [**ungleich** account](https://account.ungleich.ch)). + +## Participating + +IRC: ``#cdist`` @ freenode + +Matrix: ``#cdist:ungleich.ch`` + +Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist From b31e13eacf2cb23e6a7bdadc33741026ae88553a Mon Sep 17 00:00:00 2001 From: Ander Punnar Date: Mon, 27 Apr 2020 16:30:52 +0300 Subject: [PATCH 19/23] README: add bits about cdist-contrib --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 0a0d6e6d..de6901c7 100644 --- a/README.md +++ b/README.md 
@@ -19,6 +19,9 @@ Issues can be made and other project management activites happen [**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist) (needs [**ungleich** account](https://account.ungleich.ch)). +For community-maintained types there is +[**cdist-contrib** project](https://code.ungleich.ch/ungleich-public/cdist-contrib). + ## Participating IRC: ``#cdist`` @ freenode From 515992249de513492a725dbf4072a6c3f376668a Mon Sep 17 00:00:00 2001 From: Darko Poljak Date: Mon, 27 Apr 2020 22:55:57 +0200 Subject: [PATCH 20/23] ++changelog --- docs/changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/changelog b/docs/changelog index 7cacf3cf..1e213187 100644 --- a/docs/changelog +++ b/docs/changelog @@ -10,6 +10,8 @@ next: * New type: __pf_apply_anchor (Kamila Součková, Evil Ham) * Type __pf_ruleset: Refactor (Kamila Součková, Evil Ham) * Type __pf_apply: Deprecate type (Kamila Součková, Evil Ham) + * Configuration: Add notes to cdist.cfg.skeleton (Evil Ham) + * Explorers cpu_cores, memory: Improve *BSD support (Evil Ham) 6.5.4: 2020-04-11 * Explorer init: Do not grep on non-existent init (Steven Armstrong) From ea3bd14d8b377818a16578bd5032a853188baeec Mon Sep 17 00:00:00 2001 From: Evilham Date: Tue, 28 Apr 2020 14:54:51 +0200 Subject: [PATCH 21/23] [logging] Mute warning on return_output=True when running scripts. This fixes #806 which contains more information about the issue. The TL;DR: this warning is not being useful and hinders debugging types because it creates an unnecessary line for each explorer. An alternative proposal was #807 but was abandoned in favour of just dropping the warning. --- cdist/exec/remote.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/cdist/exec/remote.py b/cdist/exec/remote.py index e0ef66ec..f72bf3bf 100644 --- a/cdist/exec/remote.py +++ b/cdist/exec/remote.py 
@@ -280,9 +280,6 @@ class Remote(object): assert isinstance(command, (list, tuple)), ( "list or tuple argument expected, got: %s" % command) - if return_output and stdout is not subprocess.PIPE: - self.log.debug("return_output is True, ignoring stdout") - close_stdout = False close_stderr = False if self.save_output_streams: From 250161e42d1fe32bcb7b6945014aa4786d3b46ed Mon Sep 17 00:00:00 2001 From: Darko Poljak Date: Tue, 28 Apr 2020 23:08:03 +0200 Subject: [PATCH 22/23] ++ --- docs/changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/changelog b/docs/changelog index 1e213187..c29f70de 100644 --- a/docs/changelog +++ b/docs/changelog @@ -12,6 +12,7 @@ next: * Type __pf_apply: Deprecate type (Kamila Součková, Evil Ham) * Configuration: Add notes to cdist.cfg.skeleton (Evil Ham) * Explorers cpu_cores, memory: Improve *BSD support (Evil Ham) + * Core: Remove debug logging noise (Evil Ham) 6.5.4: 2020-04-11 * Explorer init: Do not grep on non-existent init (Steven Armstrong) From 310045d9fb5a5a63a337867a90009f89e0ded5ed Mon Sep 17 00:00:00 2001 From: Darko Poljak Date: Fri, 1 May 2020 13:02:00 +0200 Subject: [PATCH 23/23] Release 6.5.5 --- docs/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/changelog b/docs/changelog index c29f70de..e6a7927e 100644 --- a/docs/changelog +++ b/docs/changelog @@ -1,7 +1,7 @@ Changelog --------- -next: +6.5.5: 2020-05-01 * Core: Fix XDG_CONFIG_HOME config file location (Joachim Desroches) * Type __postgres_database: Add encoding, lc-collate, lc-ctype, template parameters (Timothée Floure) * Type __motd: Improve documentation and support for FreeBSD (Evil Ham)
