Compare commits

..

347 commits

Author SHA1 Message Date
Nico Schottelius
912eef6b5d ++changelog 2024-08-02 12:07:22 +02:00
Nico Schottelius
27471a4a82 [__timezone] add support for openwrt 2024-08-02 12:05:37 +02:00
3e82b0085b Make development version strings PEP 440 compliant (#366)
With current pip (23.1.2) and setuptools (67.7.2) versions, installation
from Git was failing with "Invalid version: '7.0.0-17-ge57cf1e7'"
message. The issue can be reproduced by running the following command
with the latest pip and setuptools installed:

  $ pip install git+https://code.ungleich.ch/ungleich-public/cdist.git@e57cf1e70a3818180b3f54e1e0364ff3b6bbd9cc#egg=cdist

Reviewed-on: #366
Co-authored-by: Ľubomír Kučera <lubomir.kucera.jr@gmail.com>
Co-committed-by: Ľubomír Kučera <lubomir.kucera.jr@gmail.com>
2024-05-01 12:11:07 +00:00
Mark Verboom
b7394ff4c2 Locally sort remote group information, to prevent differences in sort output. 2024-05-01 11:58:13 +00:00
61fc5e5de8
Fix typo in __apt_pin docs 2024-05-01 13:50:17 +02:00
2b102f303a changed package state from installed to present 2024-03-01 11:43:23 +00:00
Nico Schottelius
e57cf1e70a Apply machine_type explorer fix from pedro
e139397529
2023-03-25 12:53:24 +01:00
Nico Schottelius
7dd2d1025a ++changelog 2023-02-03 22:54:18 +01:00
513a8ae177 Merge pull request 'Make sure flag is followed by end of line or space.' (#349) from mark/cdist:machine_type into master
Reviewed-on: #349
2023-02-03 21:53:12 +00:00
2a2f91959e Merge pull request 'Updated the python version of cerbot freebsd' (#359) from CamilionEU/cdist:cerbot-freebsd into master
Reviewed-on: #359
2023-02-03 21:43:02 +00:00
fcf76cdb2c Merge pull request 'Added support for Devuan Daedalus' (#358) from CamilionEU/cdist:explorer-devuan-update into master
Reviewed-on: #358
2023-02-03 21:40:33 +00:00
Michelle
1450861e26
Updated the python version of cerbot freebsd
The package referenced for cerbot to be install in the FreeBSD platform
used python 3.7 package, updated to python 3.9
2023-02-02 18:21:43 -05:00
Michelle
08a6b467fa
Added support for Devuan Daedalus
Added one line that allows cdist to support Devuan Daedelus version
2023-01-25 16:06:35 -05:00
Nico Schottelius
ed3da3c829 ++changes 2022-12-26 21:02:41 +01:00
Nico Schottelius
b974969f28 Remove double definition of scan parser
Fixes #353
2022-12-26 20:59:16 +01:00
Nico Schottelius
bdfd92dc37 ++changes 2022-12-21 09:41:33 +01:00
5c85b04309 Merge pull request 'Initialise options variable to avoid unset variable expansion' (#351) from mark/cdist:options-initialise into master
Reviewed-on: #351
2022-12-20 17:04:45 +00:00
Nico Schottelius
f36069754c ++changelog 2022-12-20 18:03:15 +01:00
d4dfe95a97 Merge pull request 'Make grep more specific' (#352) from marcoduif/cdist:master into master
Reviewed-on: #352
2022-12-20 17:02:16 +00:00
ffeaafe9b6 Make grep more specific
package name should be an exact match, not a substring
2022-10-07 07:22:31 +00:00
Mark Verboom
62db96bb37 Initialise options variable so expansion when running files/source.list.template
there will not be an error when the variable is not set.
2022-09-29 16:19:07 +02:00
Mark Verboom
c85184dcb4 Make sure flag is followed by end of line or space. 2022-09-18 08:49:37 +02:00
Nico Schottelius
90488d2e9e [doc] add release process documentation 2022-08-01 00:03:51 +02:00
Nico Schottelius
be6e7fcc08 Prepare release of cdist 7.0.0 2022-07-31 21:59:35 +02:00
Nico Schottelius
d4bf41ce3b ++changelog 2022-07-29 10:57:01 +02:00
7de931829a Merge pull request 'Add Check Point Gaia (FW1) management and firewall appliances to explorers' (#339) from stephan/cdist:master into master
Reviewed-on: #339
2022-07-29 08:56:09 +00:00
17466452f0 revert __line for clean PR history 2022-07-28 17:53:41 +02:00
7d8fc8a5c3 improve checkpoint sed, add __line changes 2022-07-28 17:18:41 +02:00
6243165645 add create and ifexists to line type 2022-07-28 16:27:12 +02:00
483f0c1614 add Check Point Gaia 2022-07-13 14:50:17 +02:00
ff6b2d0abf Merge pull request 'master' (#2) from ungleich-public/cdist:master into master
Reviewed-on: stephan/cdist#2
2022-07-13 11:58:31 +00:00
Nico Schottelius
339ca9347b ++changelog 2022-07-02 19:21:27 +02:00
5a7542db75 Merge pull request 'Handle signed-by option in __apt_source' (#335) from fancsali/cdist:apt-source-signed-by into master
Reviewed-on: #335
2022-07-02 17:20:29 +00:00
0ae37b3445 Handle signed-by option in __apt_source
Allow users to specify a GPG key fingerprint or keyring file to be
included as the 'signed-by' option.
2022-07-01 16:14:38 +01:00
5e6cde1398 Merge pull request 'master' (#1) from ungleich-public/cdist:master into master
Reviewed-on: stephan/cdist#1
2022-05-20 13:17:47 +00:00
Nico Schottelius
77d9a757ec ++changelog 2022-05-20 14:58:45 +02:00
e5adcf451b Merge pull request 'bug: apt-ppa-noninteractive' (#327) from romain-dartigues/cdist:apt-ppa-noninteractive into master
Reviewed-on: #327
2022-05-20 12:57:08 +00:00
Nico Schottelius
9839c2d8ec ++changelog
Signed-off-by: Nico Schottelius <nico@nico-notebook.schottelius.org>
2022-05-20 14:55:12 +02:00
1edc4d0a60 Merge pull request 'add optional file parameter to allow for use in a loop without object_id clashes' (#334) from stephan/cdist:master into master
Reviewed-on: #334
2022-05-20 12:53:13 +00:00
3d58c9b24f add optional file parameter to allow for use in a loop without object_id clashes 2022-05-20 13:48:07 +02:00
Steven Armstrong
6c8c692a22 __file: kiss and fix regression on Mac OSX
Signed-off-by: Steven Armstrong <steven@armstrong.cc>
2022-05-02 23:25:59 +02:00
Steven Armstrong
abbc7dfc37 since we already remove the destination, we have no need to use -T on move, fixes #333
Signed-off-by: Steven Armstrong <steven@armstrong.cc>
2022-04-16 19:05:31 +02:00
Steven Armstrong
8b915b15b5 __file: make the create-empty-file case work again
Signed-off-by: Steven Armstrong <steven@armstrong.cc>
2022-04-14 00:46:13 +02:00
Steven Armstrong
2df2578e36 __file: remove the questionable check for uploadfile existence
Signed-off-by: Steven Armstrong <steven@armstrong.cc>
2022-04-14 00:27:28 +02:00
Steven Armstrong
6f8c774cb0 workaround mktemp -u checking for write access
Signed-off-by: Steven Armstrong <steven@armstrong.cc>
2022-04-14 00:16:10 +02:00
54a5cb17b7 use add-apt-repository instead of add-apt-repository
Remove `remove-apt-repository` which is now no longer needed;
use `add-apt-repository` which allow removal through the `-r` flag.
2022-04-11 21:09:31 +02:00
cb0fa0f2e4 force add-apt-repository to act in non-interactive mode 2022-04-11 21:05:56 +02:00
Steven Armstrong
af54fe6feb changelog++
Signed-off-by: Steven Armstrong <steven@armstrong.cc>
2022-04-11 00:04:41 +02:00
Steven Armstrong
22039284f5 __file: make file uploading and attribute changes more atomic
Fixes #331

Signed-off-by: Steven Armstrong <steven@armstrong.cc>
2022-04-10 23:52:53 +02:00
bd44c023d3 Fix typos; add default priority; comments in generated files 2022-03-09 16:17:11 +01:00
Nico Schottelius
e0150e7796 ++changes 2022-03-09 16:16:49 +01:00
15e1ce6450 Merge pull request 'Added rm of tmpfile.' (#330) from mark/cdist:__ssh_authorized_keys-rm into master
Reviewed-on: #330
2022-03-09 15:12:21 +00:00
Mark Verboom
08ff41efde Added rm of tmpfile. 2022-03-08 12:04:58 +01:00
c2c5668b70 ++changelog 2021-12-23 20:08:49 +01:00
6e3ad11ea0 [__package_upgrade_all] Add new --apt-with-new-pkgs argument 2021-12-23 20:07:28 +01:00
fnux
fc6ddac718 Merge pull request 'Python 3.10: collections.X -> collections.abc.X' (#323) from py3.10 into master
Reviewed-on: #323
2021-12-16 13:04:51 +00:00
3a321469a8
Python 3.10: collections.X -> collections.abc.X 2021-12-02 12:02:36 +01:00
e2500248f2 ++changelog 2021-11-03 11:03:33 +01:00
0b710c6173 Merge branch 'haproxy-dualstack' into 'master'
[__haproxy_dualstack] New type with PROXY protocol support

See merge request ungleich-public/cdist!1027
2021-11-03 07:38:24 +01:00
c33d99ee12 [__haproxy_dualstack] New type with PROXY protocol support
This is backwards compatible with what is already used internally @ungleich, but
adds on top of that the ability to customise ports and, most importantly, it
adds PROXY protocol support.
2021-10-31 17:38:10 +01:00
560374a686 ++changelog 2021-10-01 13:16:11 +02:00
fc9bd40c9a Improve bullseye support, perticularly __letsencrypt_cert 2021-10-01 13:14:57 +02:00
5b7cca99f7 ++changelog 2021-10-01 12:09:42 +02:00
15c642a9b7 [__debconf_set_selections] Fix --file not being supported
Even if deprecated, the parameter *must* be supported, which isn't the case
right now.

This was due to a misunderstanding of how deprecating parameters work, see:
https://www.cdi.st/manual/latest/cdist-type.html#deprecated-parameters
2021-10-01 12:06:45 +02:00
Darko Poljak
bf222d0543 ++changelog 2021-09-21 08:55:54 +02:00
433399d4dc Merge branch 'fix/__package_apt/allow-releaseinfo-change' into 'master'
__package_apt: fix complain about suite change

See merge request ungleich-public/cdist!1023
2021-09-21 08:55:06 +02:00
12c536dbf9 Merge branch 'fix/__apt_source/allow-releaseinfo-change' into 'master'
__apt_source: fix complain about suite change

See merge request ungleich-public/cdist!1022
2021-09-21 08:54:49 +02:00
67a6965e1d Merge branch 'fix/__package_update_index/allow-releaseinfo-change' into 'master'
__package_update_index: fix complain about suite change

See merge request ungleich-public/cdist!1021
2021-09-21 08:54:27 +02:00
398ee1e416 Merge branch 'fix/__apt_update_index/allow-releaseinfo-change' into 'master'
__apt_update_index: fix complain about suite change

See merge request ungleich-public/cdist!1020
2021-09-21 08:53:29 +02:00
b209adcfca Merge branch 'ander/__sed' into 'master'
new type: __sed

See merge request ungleich-public/cdist!1006
2021-09-21 08:52:29 +02:00
72ff48154c
add comments, add -u to diff 2021-09-16 21:36:39 +03:00
3d7b31cbb4 __package_apt: fix complain about suite change
the last fix for ticket #861 :-)
2021-09-15 15:22:16 +02:00
d246e06710 __apt_update_index: fix complain about suite change
1 of 4th fix for ticket #861
2021-09-15 15:15:49 +02:00
12787ffe2c __apt_source: fix complain about suite change
3 of 4th fix for ticket #861
2021-09-15 15:13:52 +02:00
7b6789ddeb __package_update_index: fix complain about suite change
2 of 4th fix for ticket #861
2021-09-15 15:04:12 +02:00
cd4acde67e
grammar 2021-09-15 09:22:27 +03:00
5bf0c71e7a
update man 2021-09-14 22:45:36 +03:00
aabef7f44a
remove reading script from file 2021-09-14 22:40:06 +03:00
b7f392fa37
use -E for better compat (not really sure if it is posix at all) 2021-09-14 22:38:55 +03:00
90488fcebc
use -e 2021-09-14 22:27:42 +03:00
0f6e48dbc6
use $__object/tempfile in target instead of mktemp, add comments 2021-09-14 22:24:26 +03:00
d7fdc8006f
allow empty file 2021-09-14 21:54:45 +03:00
fcd730f905
Merge branch 'master' into ander/__sed 2021-09-14 21:52:12 +03:00
Darko Poljak
b8eb6e984c ++changelog 2021-08-24 20:48:14 +02:00
b762ea0233 Merge branch 'feature/explorer/machine_type/rewrite' into 'master'
explorer/machine type: Rewrite

See merge request ungleich-public/cdist!1010
2021-08-24 20:46:28 +02:00
Darko Poljak
44741e714b Release 6.9.8 2021-08-24 20:33:17 +02:00
Darko Poljak
0546283d0e Update shellcheck disable 2021-08-24 20:33:17 +02:00
Darko Poljak
46ed48d546 ++changelog 2021-08-24 08:09:47 +02:00
c683bce66e Merge branch 'ander/os_version_debian_sid' into 'master'
[explorer/os_version] add new debian code names: bookworm and trixie

See merge request ungleich-public/cdist!1019
2021-08-24 08:08:59 +02:00
e1e1348998
[explorer/os_version] use 99.99 as fallback for unknown code names in */sid 2021-08-23 10:47:21 +03:00
67f85546ec
[explorer/os_version] add new debian code names: bookworm and trixie 2021-08-23 10:09:41 +03:00
Dennis Camera
05c2a62191 [explorer/machine_type] Implement chroot detection using /proc/.../mountinfo 2021-08-05 13:52:51 +02:00
Dennis Camera
5af1317c29 [explorer/machine_type] Try to detect chroot path 2021-08-05 13:52:51 +02:00
Dennis Camera
4a05669765 [explorer/machine_type] Implement chroot detection 2021-08-05 13:52:51 +02:00
Dennis Camera
23fbfaf035 [explorer/machine_type] Use systemd-detect-virt (if available) to detect containers and VMs 2021-08-05 13:52:51 +02:00
Dennis Camera
2ffa895f57 [explorer/machine_type] Remove CPUID check
it's a lot of code and depends on a binary helper unlikely to be installed.
2021-08-05 13:52:51 +02:00
Dennis Camera
abc6d009b2 [explorer/machine_type] Print top most machine layer as first line (fallback to physical) 2021-08-05 13:52:51 +02:00
Dennis Camera
edcac70b2a [explorer/machine_type] Reimplement 2021-08-05 13:52:51 +02:00
Darko Poljak
3ae5a606ca ++changelog 2021-08-05 10:27:51 +02:00
841ebb9b88 Merge branch 'fix/explorer/os_version/old-freebsd' into 'master'
explorer/os_version: fix for FreeBSD < 10.0 (again)

See merge request ungleich-public/cdist!1017
2021-08-05 10:26:33 +02:00
39dcb41349 Merge branch 'fix/explorer/os_version/legacy-macosx' into 'master'
explorer/os_version: Fix for legacy Mac OS X versions

See merge request ungleich-public/cdist!1018
2021-08-05 10:25:17 +02:00
d37772f3ea Merge branch 'fix/type/__update_alternatives/dry-run' into 'master'
update alternatives: fixes for dry runs and non-English systems

See merge request ungleich-public/cdist!1016
2021-08-05 10:23:29 +02:00
49a9bcdf93 Merge branch 'fix/explorer/memory/gt-2g' into 'master'
explorer/memory: fix conversion of large numbers (>= 2GiB)

See merge request ungleich-public/cdist!1015
2021-08-05 10:23:20 +02:00
f9ce4bc33a Merge branch 'feature/explorer/os_version/ubuntu-os-release-fallback' into 'master'
explorer/os_version: Fall back to os-release/lsb-release file on Ubuntu

See merge request ungleich-public/cdist!1014
2021-08-05 10:20:53 +02:00
Dennis Camera
2a0c073d40 [explorer/os_version] Fix for legacy Mac OS X versions 2021-08-04 21:55:56 +02:00
Dennis Camera
bbcc81a984 [type/__update_alternatives] Fix for non-English locales
Since update-alternatives(1) is localized, screen scraping its output breaks
if the locale is set to non-English.
2021-08-04 21:44:04 +02:00
Dennis Camera
0b3b47396f [type/__update_alternatives] dry-run fixes 2021-08-04 21:39:39 +02:00
Dennis Camera
a7d6481a7d [type/__update_alternatives] Secure cdist-defined environment variables with :? 2021-08-04 21:38:21 +02:00
Dennis Camera
83fe6e9f5b [explorer/memory] Fix conversion of large numbers (>= 2GiB)
At least mawk uses scientific notation when using print for
numbers >=2^31 (INT_MAX of a signed 32-bit int).

`printf "%.f\n"` works around this.
2021-08-04 20:45:14 +02:00
Dennis Camera
e108cbc205 [explorer/os_version] Ubuntu: fall back to os-release/lsb-release files 2021-08-04 20:44:17 +02:00
Dennis Camera
53334fb4eb [explorer/os_version] Fix for FreeBSD < 10.0 (again) 2021-08-04 19:50:10 +02:00
Darko Poljak
542674dae8 ++changelog 2021-07-30 10:30:33 +02:00
b0e00efe64 Merge branch 'filesystem-ubuntu' into 'master'
[filesystem] Add ubuntu as supported distribution.

See merge request ungleich-public/cdist!1013
2021-07-30 10:29:55 +02:00
4156fea900
[filesystem] Add ubuntu as supported distribution. 2021-07-28 12:56:39 +02:00
Darko Poljak
cb8695cc88 ++changelog 2021-07-24 12:53:39 +02:00
7ce68e3cb7 Merge branch 'evilham-compatibility-fixes' into 'master'
Improve Makefile compatibility and build docs

See merge request ungleich-public/cdist!1012
2021-07-24 12:52:41 +02:00
67bcc6cae3 Improve Makefile compatibility and build docs
We now use `$(MAKE)` for subsequent calls to `make`.
This means that systems that do not default to GNU make can run `gmake man` and
produce the man pages.

While there also document a dependency on the rtd theme for sphinx.
2021-07-24 02:37:58 +02:00
Darko Poljak
71fee1fd6b ++changelog 2021-07-23 08:06:45 +02:00
4307e8e7fa Merge branch 'fix/logging/custom-levels' into 'master'
Define custom log functions on logging.Logger

See merge request ungleich-public/cdist!1011
2021-07-23 08:06:13 +02:00
Dennis Camera
fed01ded83 [cdist.log] Define custom log functions on logging.Logger
Define out custom logger functions on logging.Logger so that they are passed on
to all other loggers.

Also, the logger functions need to take a self argument so that they can log on
the corrent Logger.
2021-07-22 11:28:48 +02:00
f730aa7679 Merge branch 'feature/docs/bump-copyright' into 'master'
docs: Bump copyright year to 2021

See merge request ungleich-public/cdist!1009
2021-07-20 14:29:46 +02:00
Dennis Camera
c7daaabc6c [docs] Bump copyright year to 2021 2021-07-20 09:03:16 +02:00
Darko Poljak
fbc9594729 ++changelog 2021-07-20 06:38:46 +02:00
bf0c355fe7 Merge branch 'feature/explorer/os_version/devuan-ceres' into 'master'
explorer/os_version: Convert Devuan ceres to version number

See merge request ungleich-public/cdist!1008
2021-07-20 06:37:40 +02:00
Dennis Camera
24c9406ea0 [explorer/os_version] Convert Devuan ceres to version number
Conversion of Devuan ceres to version numbers is done based on Devuan codenames.
The version number is the version number of the final release - 0.01.

Analogous to Debian.
2021-07-19 12:14:20 +02:00
Darko Poljak
de11666161 ++changelog 2021-07-18 17:45:19 +02:00
8b160841ad Merge branch 'apt-pin-type' into 'master'
New type: __apt_pin - manage apt pinning

See merge request ungleich-public/cdist!1005
2021-07-18 17:44:04 +02:00
Darko Poljak
5229337611 ++changelog 2021-07-18 17:41:29 +02:00
917a5d1aa8 Merge branch 'ander/__rsync' into 'master'
[__rsync] rewrite

See merge request ungleich-public/cdist!1007
2021-07-18 17:40:51 +02:00
46b5c24cd2
use $__remote_exec for RSYNC_RSH 2021-07-18 16:25:00 +03:00
0e611af2a6
[__rsync] rewrite 2021-07-17 11:44:09 +03:00
Darko Poljak
65c43d3c1d Fix docs code block errors 2021-07-10 21:02:27 +02:00
Darko Poljak
77dab4c5c6 Release 6.9.7 2021-07-10 20:37:02 +02:00
Darko Poljak
3e76d1cd3f ++changelog 2021-07-08 08:09:05 +02:00
b8f601ee15 Merge branch 'rsync-ssh-multiplex' into 'master'
__rsync: Use $__remote_exec and thus the ssh multiplexing

See merge request ungleich-public/cdist!1001
2021-07-08 08:05:52 +02:00
cf0032d667
add messaging and exit earlier 2021-07-07 21:28:00 +03:00
7a5896acfa
add --onchange, fix shellcheck 2021-07-07 21:23:25 +03:00
485283f2e5
new type: __sed 2021-07-07 20:47:22 +03:00
166b58aeea Fix typo in distro names... 2021-07-05 15:32:27 +02:00
521241d741 Refine docs even more 2021-07-05 15:28:05 +02:00
be92731c5c Shell check quoting
We're actually echo-ing the command, hence the escape in front of the
quotes - the issue Shellcheck alludes too would actually occur, had the
escaping bakcslashes been omitted.
2021-07-05 12:44:09 +01:00
Darko Poljak
853e5cf7b4 ++changelog 2021-07-05 09:07:06 +02:00
d8da298cdf Merge branch '__snakeoil_cert' into 'master'
new type: __snakeoil_cert

See merge request ungleich-public/cdist!1002
2021-07-05 08:59:59 +02:00
fnux
44eeb4bbfc Merge branch 'scanner' into 'master'
usable cdist scan

See merge request ungleich-public/cdist!993
2021-07-05 07:44:28 +02:00
30ba796d06
new type: __snakeoil_cert 2021-07-02 10:09:38 +03:00
Darko Poljak
243a4b904a ++changelog 2021-07-02 06:50:02 +02:00
6528fd1c77 Merge branch 'feature/type/__debconf_set_selections/state-explorer' into 'master'
__debconf set selections: Add state explorer

See merge request ungleich-public/cdist!999
2021-07-02 06:49:24 +02:00
99188b4822 Merge branch '__download_improvements' into 'master'
[__download] improvements

See merge request ungleich-public/cdist!1003
2021-07-02 06:38:15 +02:00
62ea1d2721 Merge branch 'ander/update_readme' into 'master'
update README

See merge request ungleich-public/cdist!1004
2021-07-02 06:33:53 +02:00
a90e642c13
update README 2021-07-01 14:50:40 +03:00
60753ddfcc
fix shellcheck 2021-07-01 14:42:10 +03:00
d937d53f3d Add quotes to rsync command 2021-06-28 18:09:35 +01:00
2db40d8d70 Use $__remote_exec and thus the ssh multiplexing 2021-06-28 12:54:20 +02:00
7b3f268df2
[__download] improvements
1. post download checksum verification
2. detect hashes without prefix
3. add optional --destination
4. updated man
2021-06-22 16:36:30 +03:00
b726697e07 Add documentation 2021-06-11 15:05:33 +01:00
a3102022e1 More sensible defaults; reword debian-only error message 2021-06-11 15:05:17 +01:00
Darko Poljak
c308a28969 ++changelog 2021-06-10 06:39:55 +02:00
02aa88463a Merge branch 'fix/type/__pyvenv/group-explorer' into 'master'
__pyvenv: Fix group explorer

See merge request ungleich-public/cdist!998
2021-06-10 06:37:21 +02:00
Dennis Camera
6ede76b08b [type/__debconf_set_selections] man.rst: Fix line break in AUTHORS 2021-06-08 16:20:55 +02:00
Dennis Camera
d596986af8 [type/__pyvenv] Fix group explorer 2021-05-31 09:06:52 +02:00
Darko Poljak
defa3c22ea ++changelog 2021-05-29 11:21:34 +02:00
d2ce55ea6e Merge branch '__git_fix_group_explorer' into 'master'
[__git] fix group explorer

See merge request ungleich-public/cdist!992
2021-05-29 11:20:20 +02:00
e0c52d0e1d
[scanner] remove mention of non-implemented trigger soruce script 2021-05-26 11:27:11 +02:00
b8733c65f5
[scanner] fix minor CLI handling and --list bugs / typo 2021-05-26 11:26:35 +02:00
ab10b453f2
[scanner] populate cdist(1) 2021-05-26 11:15:41 +02:00
75c71f69c1
[scanner] pycodestyle compliance 2021-05-26 10:18:12 +02:00
503a06ed28
[__git] fix group explorer
group name from numberic id wasn't resolved correctly.

try to use getent and fallback to reading /etc/group directly.
2021-05-23 13:35:33 +03:00
6210cccb28 ++changelog 2021-05-10 12:34:04 +02:00
f14623e45f ++changelog 2021-05-10 12:17:08 +02:00
81b426e4e2 [__letsencrypt_cert] Revamp explorers, add locking.
Closes #839

See merge request ungleich-public/cdist!976

This patch joins all explorers in one to avoid starting multiple remote python
processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a
60 seconds timeout.
2021-05-10 12:10:01 +02:00
a696f3cf00 [__letsencrypt_cert] Revamp explorers, add locking.
This would fix #839

Certbot uses locking [1] even for read-only operations and does not properly
use exit codes, which means that sometimes it would print:
"Another instance of Certbot is already running" and exit with success.

However, the previous explorers would take that as the certificate being absent
and would trigger code generation.

The issue was made worse by having many explorers running certbot, so for N
certificates, we'd run certbot N*4 times, potentially "in parallel".

[1]: https://certbot.eff.org/docs/using.html#id5

This patch joins all explorers in one to avoid starting multiple remote python
processes and uses a cdist-specific lock in /tmp/certbot.cdist.lock with a
60 seconds timeout.

It has been tested with certbot 0.31.0 and 0.17 that the:

    from certbot.main import main

trick works. It is somewhat well documented so it can be somewhat relied upon.
2021-05-10 12:10:00 +02:00
0b05a8f5f7 [__apt_key*] Deprecate __apt_key_uri and improve __apt_key
See: https://code.ungleich.ch/ungleich-public/cdist/-/merge_requests/994

Previously this type was falling back to using the deprecated apt-key(8) by
checking for existence of files/directories on the controller host in
gencode-remote.

Adding `--use-deprecated-apt-key` as an explicit boolean serves two purposes:
1. It prevents fallbacks that might end up doing the wrong thing
   (as was the case)
2. It allows for a simple way to remove keys from the keyring that were
   previously added with apt-key(8) to /etc/apt/trusted.gpg

This parameter is added marked as deprecated as is only intended use is to
migrate to directory-based keyrings as recommended by Debian for a few releases.
It will be removed when Debian 11 stops being supported.

During the review process of this merge request, it was noted that the state of
PGP Key Servers is somewhat suboptimal, that the examples encouraged bad
practise (it is trivial to produce collisions for short key IDs), and that 
this use does not require the Web of Trust, but instead only the public key
that is signing the repository.

That is why this also adds `--source` as an argument allowing for in-type or
in-manifest provision of such public keys by the type/manifest maintainer and
the use of Key Servers is still supported, but discouraged.
2021-05-10 12:08:23 +02:00
c00c8c2012 [__apt_key*] Deprecate __apt_key_uri and improve __apt_key
Previously this type was falling back to using the deprecated apt-key(8) by
checking for existence of files/directories on the controller host in
gencode-remote.

Adding `--use-deprecated-apt-key` as an explicit boolean serves two purposes:
1. It prevents fallbacks that might end up doing the wrong thing
   (as was the case)
2. It allows for a simple way to remove keys from the keyring that were
   previously added with apt-key(8) to /etc/apt/trusted.gpg

This parameter is added marked as deprecated as is only intended use is to
migrate to directory-based keyrings as recommended by Debian for a few releases.
It will be removed when Debian 11 stops being supported.

During the review process of this merge request, it was noted that the state of
PGP Key Servers is somewhat suboptimal, that the examples encouraged bad
practise (it is trivial to produce collisions for short key IDs), and that
this use does not require the Web of Trust, but instead only the public key
that is signing the repository.

That is why this also adds `--source` as an argument allowing for in-type or
in-manifest provision of such public keys by the type/manifest maintainer and
the use of Key Servers is still supported, but discouraged.
2021-05-10 12:08:22 +02:00
Dennis Camera
a42ebc7a78 [type/__debconf_set_selections] Synchronise objects
Works around locking error:

	debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable
2021-04-27 19:46:07 +02:00
Darko Poljak
3a25b80466 ++changelog 2021-04-26 21:27:15 +02:00
3e190c3481 Merge branch 'feature/type/__postgres/postgres_user-explorer' into 'master'
__postgres_*: Improve OS support and some cleanup

See merge request ungleich-public/cdist!990
2021-04-26 21:26:38 +02:00
Dennis Camera
9cf19388ab [type/__debconf_set_selections] Send message about each debconf setting that is changed 2021-04-26 16:47:44 +02:00
Dennis Camera
a4122882f2 [type/__debconf_set_selections] Add state explorer
…and to make it work, replace --file with --line.

--file is deprecated because it does not work with the state explorer as the
contents of the file are not available on the target.
2021-04-26 16:39:51 +02:00
2232435c22
[scanner] initial documentation
Note: still needs to patch main cdist(1) manpage
2021-04-26 14:39:26 +02:00
3a9dd5b166
[scanner] add minimal (non-configurable) config mode 2021-04-26 12:09:55 +02:00
92fff7cb77
[scanner] fix crash on --list with name mapper provided 2021-04-26 12:09:44 +02:00
Dennis Camera
0f05f38384 [type/__postgres_role] Treat --password '' like no --password 2021-04-25 20:01:36 +02:00
Dennis Camera
0d33407b18 [type/__postgres_database] Proper quoting in state explorer 2021-04-25 20:01:36 +02:00
Dennis Camera
8296051653 [type/__postgres_extension] Add state explorer 2021-04-25 20:01:36 +02:00
Dennis Camera
3cf93249c3 [type/__postgres_extension] Include postgres_user explorer from __postgres_conf 2021-04-25 20:01:36 +02:00
Dennis Camera
beb8da6d5f [type/__postgres_role] Include postgres_user explorer from __postgres_conf 2021-04-25 20:01:36 +02:00
Dennis Camera
58b279a8d0 [type/__postgres_database] Improve quoting 2021-04-25 20:01:36 +02:00
Dennis Camera
6ac8cbf98f [type/__postgres_database] Include postgres_user explorer from __postgres_conf 2021-04-25 20:01:36 +02:00
Darko Poljak
512e9b23c0 ++changelog 2021-04-25 15:53:40 +02:00
71d79ed6ee Merge branch 'feature/type/__postgres_conf' into 'master'
__postgres_conf: new type

See merge request ungleich-public/cdist!972
2021-04-25 15:49:19 +02:00
13e2ad175f
[scanner] add host class, name mapper and pre-config logic 2021-04-25 12:45:34 +02:00
bb24d632d6
[scanner] implement the --list flag 2021-04-22 10:20:49 +02:00
a4464209b6
[scanner] add minimal error handling, consolidate CLI args processing 2021-04-22 09:31:06 +02:00
acf9bf91f1
[scanner] error to stderr and exit when scapy is not available 2021-04-22 08:55:14 +02:00
Darko Poljak
1bb696a410 Release 6.9.6 2021-04-20 07:33:07 +02:00
2f05467358 Merge branch 'fix/py-version-check' into 'master'
Fix Python version check

See merge request ungleich-public/cdist!991
2021-04-19 07:02:15 +02:00
Dennis Camera
1c047353a9 [bin/cdist] Fix Python version check 2021-04-17 09:57:10 +02:00
Dennis Camera
19bf37be1a [type/__postgres_conf] Update man.rst 2021-04-15 15:56:15 +02:00
Dennis Camera
686e4f0f2d [type/__postgres_conf] Reverse state logic (decide based on source first) 2021-04-15 15:50:03 +02:00
Dennis Camera
bef1433ba3 [type/__postgres_conf] Accept empty values 2021-04-15 15:50:03 +02:00
Dennis Camera
12c2995494 [type/__postgres_conf] Implement complex state compare logic 2021-04-15 15:50:02 +02:00
Dennis Camera
e0416403c4 [type/__postgres_conf] Add psql_conf_source function to state explorer 2021-04-15 15:50:02 +02:00
Dennis Camera
2ccc03fef1 [type/__postgres_conf] Add psql_conf_cmp function to state explorer 2021-04-15 15:50:02 +02:00
Dennis Camera
92b8942a8c [type/__postgres_conf] Add psql_exec function to state explorer 2021-04-15 15:50:02 +02:00
Darko Poljak
9ec01d9f97 ++changelog 2021-04-13 12:22:45 +02:00
e27e88512b Merge branch '__download_optional_sum' into 'master'
[__download] make --sum optional

See merge request ungleich-public/cdist!989
2021-04-13 12:21:49 +02:00
d2eec60668
[__download] make --sum optional 2021-04-11 23:16:00 +03:00
Darko Poljak
750c71fb5a Minor refactoring and remove code duplication 2021-04-07 10:25:26 +02:00
Darko Poljak
199effb7ef Improve unfinished object requirements bool check
When we need only boolean value for unfinished object requirements then
we don't need to determine the whole list of unfinished objects.
2021-04-06 19:35:14 +02:00
Darko Poljak
ab811ad282 ++changelog 2021-04-01 15:37:11 +02:00
ce79a2069c Merge branch 'fix/type/__pyvenv/numeric-owner' into 'master'
__pyvenv: Fix if --owner / --group is numeric

See merge request ungleich-public/cdist!988
2021-04-01 15:36:02 +02:00
c981f654f1 Merge branch 'fix/type/__git/numeric-owner' into 'master'
__git: Fix if --owner / --group is numeric

See merge request ungleich-public/cdist!987
2021-04-01 15:35:46 +02:00
87698395b8 Merge branch 'cleanup/string-formatting' into 'master'
Cleanup/string formatting

Closes #855

See merge request ungleich-public/cdist!985
2021-03-31 08:28:21 +02:00
Darko Poljak
4c2d273f07 Unify string formatting
Use one way of string formatting: replace old `%` style with new `str.format`.

Resolve #855.
2021-03-31 08:19:34 +02:00
Darko Poljak
f984a918b9 Fix log message string formatting
Use logging message format with args, instead of direct `%` or `str.format`.

Resolve #855.
2021-03-31 08:19:28 +02:00
Darko Poljak
1e765fcab7 ++changelog 2021-03-31 07:54:00 +02:00
28c13bd29b Merge branch 'feature/type-relationship-graph' into 'master'
Implement maintaining object relationship graph

See merge request ungleich-public/cdist!986
2021-03-31 07:52:42 +02:00
Dennis Camera
985252585c [type/__pyvenv] Fix if --owner / --group is numeric
Before, if --owner and/or --group was numeric, gencode-remote would generate
`chown` code every time.
2021-03-30 13:26:21 +02:00
Dennis Camera
167c2ad7ea [type/__git] Fix if --owner / --group is numeric
Before, if --owner and/or --group was numeric, gencode-remote would generate
`chown` code every time.
2021-03-30 13:24:56 +02:00
Darko Poljak
7a0b697f4c Implement maintaining object relationship graph
For each object maintain parent-child relationship graph, i.e. list of
parent objects ('parents' property) and list of children objects ('children'
property).

Objects without parent(s) are objects specified in init manifest.
Objects without children are object of types that do not reuse other types.
2021-03-30 12:09:59 +02:00
Darko Poljak
10ca1c12fd ++changelog 2021-03-12 08:21:03 +01:00
c55397766e Merge branch 'feature/type/__sshd_config/whitelist-openbmc' into 'master'
__sshd_config: Whitelist OpenBMC

See merge request ungleich-public/cdist!980
2021-03-12 08:20:35 +01:00
Dennis Camera
e47c4dd8a4 [type/__sshd_config] Whitelist OpenBMC in manifest 2021-03-11 14:17:44 +01:00
Darko Poljak
31cc592aa1 ++changelog 2021-03-10 19:25:04 +01:00
2f4a7e1a94 Merge branch 'fix/type/__ssh_authorized_key/grep-only-if-file-exists' into 'master'
__ssh_authorized_key: only grep if file exists

See merge request ungleich-public/cdist!979
2021-03-10 19:24:23 +01:00
Dennis Camera
fb19f34266 [type/__ssh_authorized_key] Only grep if file exists 2021-03-09 21:15:26 +01:00
Steven Armstrong
ecba284fc8 changelog++
Signed-off-by: Steven Armstrong <steven@icarus.ethz.ch>
2021-03-05 16:13:02 +01:00
Steven Armstrong
ea0126dd81 Make local state dir available to custom remote scripts
Signed-off-by: Steven Armstrong <steven@icarus.ethz.ch>
2021-03-05 16:11:49 +01:00
Darko Poljak
e7d33891df ++changelog 2021-03-02 09:29:33 +01:00
1bc0d912bf Merge branch 'fix/type/__pyvenv/man-typo' into 'master'
__pyvenv: Fix user example

See merge request ungleich-public/cdist!978
2021-03-02 09:28:50 +01:00
Dennis Camera
8ef19d47f6 [type/__pyvenv] Fix example (--user -> --owner) 2021-03-01 17:59:45 +01:00
Darko Poljak
60fd7ba1f3 Release 6.9.5 2021-02-28 13:37:23 +01:00
dc66efa690 Fix shellcheck issues 2021-02-23 11:59:09 +00:00
1a74470c4d __apt_pin: Always use $__object_id as preferences.d filename 2021-02-23 09:43:02 +00:00
0734288483 First draft of __apt_pin 2021-02-23 09:43:02 +00:00
Darko Poljak
22f637c15b ++changelog 2021-02-23 06:29:24 +01:00
6358885d26 Merge branch 'feature/__package_pip/extras' into 'master'
__package_pip: add optional (extra) dependencies

See merge request ungleich-public/cdist!975
2021-02-23 06:27:09 +01:00
Darko Poljak
5e0572189f ++changelog 2021-02-22 09:11:22 +01:00
b3a9c907ad Merge branch '__letsencrypt_cert-fix-hooks' into 'master'
[__letsencrypt_cert] Fix various issues with hooks.

Closes #853

See merge request ungleich-public/cdist!977
2021-02-22 09:09:45 +01:00
e854db096e Merge branch 'fix/type/__postgres_role/implement-alter' into 'master'
__postgres_role: implement modification of roles

See merge request ungleich-public/cdist!973
2021-02-22 08:58:58 +01:00
d1f45d3524 __package_pip: corrected typo in man
.. by fully replacing it with a smaller sentence.
2021-02-19 09:03:56 +01:00
Dennis Camera
0835f414a5 [type/__postgres_conf] Extract PostgreSQL service user detection to separate explorer 2021-02-16 16:03:23 +01:00
2ce1fce767 __package_pip: match package names case insensitive
Pip matches them insensitive, so we need to do the same to avoid
problems by saying extras are not installed but already is there in
place.
2021-02-15 16:17:46 +01:00
951712740f __package_pip: update man.rst
Adjusted comments for `explorer/extras` and updated the man page for the
new behaviour of updating the extras.
2021-02-12 13:42:51 +01:00
a9d7dfb2ed __package_pip: split extra 'all' to a list of all extras
This will fix if a package will be upgraded from some extras to all
extras. Previously, it will not work because some dependencies of 'all'
are already installed, so the feature 'all' is already installed.

Now, it will use a list of all extras to iterate over them separatly. This
will result it will never install all extras via `[all]`, but rather
`[foo,bar]`.
2021-02-12 09:17:02 +01:00
7398382890 __package_pip: fix shellcheck
Useless `cat $file`, use `< $file` instead.
2021-02-11 23:12:10 +01:00
2db0ef7c98 __package_pip: updating real detection of extras
As the previous detection took the wrong values, this explorer now
checks if packages for an extra are installed or not. If not, the extra
is not installed.

Based on the information of the explorer, it will install the package
again with the absent extras.
2021-02-11 22:53:26 +01:00
8dc6ab9738 __package_pip: install not found extras
Compares the explorer against the parameters and install those extras
that are not already installed.
2021-02-11 13:49:53 +01:00
4717e5ceff __package_pip: add extras explorer
The two new explorers detect all installed extras for this package.
2021-02-11 10:31:07 +01:00
aa80c09c80 [__letsencrypt_cert] Move hook contents generation out of manifest
While there address some minor issues in the comments in the hook contents.
2021-02-10 10:10:21 +01:00
b832af5e3b [__letsencrypt_cert] Don't mess with user script indentation
This could break in odd ways if they passed sth like:
cat <<eof
bla bla
eof
2021-02-09 20:53:58 +01:00
e49da474c4 [__letsencrypt_cert] Remove problematic trailing slash in sed.
Happy fingers are happy and like adding slashes places.
2021-02-09 20:29:17 +01:00
bc145bbc27 [__letsencrypt_cert] Fix various issues with hooks.
Closes #853, see issue for full description / discussion.

Short summary:
- There was about 6.53% chances of `--renewal-hook` not being applied
- Using --automatic-renewal in one cert and not in another was an error.
- It was not possible to use different hooks for different certificates.
- FreeBSD support was utterly broken.
2021-02-09 19:58:47 +01:00
Darko Poljak
65a6a2ed52 ++changelog 2021-02-08 08:28:31 +01:00
c8141d28c3 Merge branch 'fix/explorer/memory' into 'master'
explorer/memory: fix to return result in kiB for all systems and add support for Solaris

See merge request ungleich-public/cdist!967
2021-02-08 08:27:07 +01:00
cda17be38a [explorer/memory] Clean up, return kiB for all systems, add SunOS
BSDs were MiB before.
2021-02-08 08:27:03 +01:00
73a03d75d7 __package_pip: fix shellcheck 2021-02-04 19:18:02 +01:00
8eccacec59 __package_pip: add optional dependencies
This is a poor implementation of optional dependencies for pip packages.
It ensures to install them if the package will be installed, but does
not take into account if they must be added/removed after the package is
already installed. Also, it will not be autoremoved, as all dependencies
will not be removed.
2021-02-04 19:09:26 +01:00
Dennis Camera
6b18cace75 [type/__postgres_conf] Catch connection errors early 2021-01-26 14:01:44 +01:00
Dennis Camera
f9ebb4333c [type/__postgres_conf] Add NetBSD PostgreSQL UNIX user 2021-01-26 14:01:44 +01:00
Dennis Camera
4967c7ebbb [type/__postgres_conf] Silence psql output 2021-01-26 14:01:44 +01:00
Dennis Camera
3f605c31ac [type/__postgres_conf] Add support for more init systems to restart service 2021-01-26 14:01:44 +01:00
Dennis Camera
0f2ff47738 [type/__postgres_conf] Restart PostgreSQL server based on pending_restart column of pg_settings 2021-01-26 14:01:44 +01:00
Dennis Camera
5051d4f40b [type/__postgres_conf] Catch invalid values 2021-01-26 14:01:44 +01:00
Dennis Camera
891c98567e [type/__postgres_conf] Compare configuration parameter names case insensitively 2021-01-26 14:01:44 +01:00
Dennis Camera
803367b316 [type/__postgres_conf] Fix default detection when default is also set in config file
e.g. port is usually also set to the default value in postgresql.conf
2021-01-26 14:01:44 +01:00
Dennis Camera
1b49fec972 [type/__postgres_conf] Refactor 2021-01-26 14:01:43 +01:00
Beni Ruef
b4060720dc [type/__postgres_conf] Fix psql options for ALTER command 2021-01-26 14:01:43 +01:00
Beni Ruef
50bcd95105 [type/__postgres_conf] Remove faulty quotes 2021-01-26 14:01:43 +01:00
Beni Ruef
534d5f6bb5 [type/__postgres_conf] Fix errors found by ShellCheck 2021-01-26 14:01:43 +01:00
Beni Ruef
c51d68a737 [type/__postgres_conf] New type based on ALTER SYSTEM command 2021-01-26 14:01:43 +01:00
Dennis Camera
35cde3e666 [type/__postgres_role] Fix state explorer when stored password is empty 2021-01-18 13:09:29 +01:00
Darko Poljak
92a50da487 Fix pycodestyle issues 2021-01-18 06:28:09 +01:00
Darko Poljak
6e9b13d949 ++changelog 2021-01-18 06:22:32 +01:00
878a65a8b7 Merge branch 'fix/type/__sshd_config/error-on-invalid' into 'master'
sshd config: Produce error if invalid config is generated, fix processing of AuthenticationMethods and AuthorizedKeysFile, document explorer bug

See merge request ungleich-public/cdist!968
2021-01-18 06:22:02 +01:00
cce470b556 Merge branch 'bugfix/preos-debug' into 'master'
Fix debug parameter

Closes #849

See merge request ungleich-public/cdist!970
2021-01-18 06:17:36 +01:00
Dennis Camera
2954347771 [type/__postgres_role] Add note regarding empty passwords 2021-01-14 13:46:40 +01:00
Nico Schottelius
f0e1b3b849 Merge branch 'master' of code.ungleich.ch:ungleich-public/cdist 2021-01-11 22:20:50 +01:00
Darko Poljak
c819548343 Fix debug parameter
-d was removed from cdist in favor of mulitple -v and -l parameters, but
-d was not removed from preos.

Resolve #849.
2021-01-11 09:51:52 +01:00
Dennis Camera
bd8ab8f26f [type/__sshd_config] Document "bug" in state explorer 2021-01-05 17:02:42 +01:00
Dennis Camera
8753b7eedf [type/__sshd_config] Make AuthenticationMethods and AuthorizedKeysFile singleton options
They were incorrectly treated as non-singleton options before.

cf. https://github.com/openssh/openssh-portable/blob/V_8_4/servconf.c#L2273
and https://github.com/openssh/openssh-portable/blob/V_8_4/servconf.c#L1899 resp.
2021-01-05 16:59:04 +01:00
Dennis Camera
766198912d [type/__sshd_config] Produce error if invalid config file is generated
Previously, cdist would silently swallow the error (no invalid config file was
generated).

Reason: `set -e` does not exit if a command in a sub-command group fails,
it merely returns with a non-zero exit status.

e.g. the following snippet does not abort the script if sshd -t returns with a
non-zero exit status:

    set -e
    cmp -s old new || {
        # check config file and update it
        sshd -t -f new \
        && cat new >old
    }

or compressed:

    set -e
    false || { false && true; }
    echo $?
    # prints 1
2021-01-05 15:50:21 +01:00
Darko Poljak
7cf85c4659 Release 6.9.4 2020-12-21 19:21:51 +01:00
Nico Schottelius
a10d43bc69 Merge branch 'master' of code.ungleich.ch:ungleich-public/cdist 2020-12-20 11:42:44 +01:00
Darko Poljak
4bae2863db ++changelog 2020-12-18 12:54:33 +01:00
3566901e1c Merge branch '__dot_file-dirmode' into 'master'
Added optional dirmode parameter to set the mode of (optional) the directory.

See merge request ungleich-public/cdist!966
2020-12-18 12:50:30 +01:00
Mark Verboom
8dc2c4207c Added optional dirmode parameter to set the mode of (optional) the directory. 2020-12-18 11:16:28 +01:00
Dennis Camera
99d82fd0d5 [type/__postgres_role] Always set psql -q 2020-12-17 17:05:58 +01:00
Dennis Camera
1180f13ed6 [type/__postgres_role] Fix setting password
We need to make sure that the password does not end up in ~/.psql_history.
2020-12-17 17:03:58 +01:00
Dennis Camera
4859c27900 [type/__postgres_role] Refactor gencode-remote 2020-12-17 16:57:43 +01:00
Dennis Camera
7b7ca4d385 [type/__postgres_role] Handle password changes 2020-12-16 19:07:05 +01:00
Dennis Camera
c36df82882 [type/__postgres_role] ALTER ROLE when parameters change 2020-12-15 21:11:48 +01:00
Dennis Camera
932e2496ed [type/__postgres_role] Lint 2020-12-15 18:40:39 +01:00
Darko Poljak
71f2283117 ++changelog 2020-12-13 16:03:39 +01:00
f87da8150c Merge branch 'type/__debian_backports' into 'master'
__apt_backports type

See merge request ungleich-public/cdist!964
2020-12-13 16:03:31 +01:00
ae747ac021 Merge branch 'os_version-freebsd' into 'master'
[explorer/os_version] Improve FreeBSD support.

See merge request ungleich-public/cdist!965
2020-12-13 16:00:45 +01:00
27aca06fb8 __apt_backports: undo __apt_update_index call
Becuase it is already done by __apt_source.
2020-12-12 17:34:51 +01:00
fca35fc858 __apt_backports: fix explorer call
s/-/_/ because the explorers are following an other convention :-)
2020-12-12 17:29:58 +01:00
645734c629 [explorer/os_version] Improve FreeBSD support.
It looks like uname -r is not the most reliable way to get the target patch
level for the target system.

For more information see:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
2020-12-12 12:15:17 +01:00
fafa3d9ea5 __apt_backports: update index if required
This type now automatically calls the type __apt_update_index to update
the package index if something changed.
2020-12-12 10:00:23 +01:00
49aec0b5e4 __apt_backports: list supported OSes
The manpage now lists all OSes where this type supports backports.
2020-12-12 09:40:47 +01:00
c4d19a2319 __debian_backports -> __apt_backports; add wider os support
As discussed in the chat, this type now supports a broader list of OSes
which it supports backports for. Because of this, it was renamed to
something more generic. "apt" should fit in.
2020-12-12 09:36:17 +01:00
Nico Schottelius
69b8bc9af0 Merge branch 'master' of code.ungleich.ch:ungleich-public/cdist 2020-12-11 19:38:03 +01:00
Nico Schottelius
bc2948a8a5 ++scan stuff 2020-12-11 19:37:53 +01:00
0d96b31b56 __debian_backports: pass shellcheck for sourced file
Because the sourced explorer can't be detected by shellcheck, it will be
completely disabled. Changing the path to /etc/os-release isn't
deterministic either.

The shellcheck wiki page suggests to use `source=/dev/null` instead of
`disable=SC1090`, but it was choosen to completely avoid that check ..
2020-12-11 18:13:44 +01:00
a5169ad858 new type __debian_backports
This new type will setup the backports distribution for the current
Debian release.
2020-12-10 21:24:26 +01:00
Darko Poljak
a58f5ffa7f ++changelog 2020-12-08 19:36:44 +01:00
0546d6e476 Merge branch 'fix/__block/escape' into 'master'
__block: fix escaping in here-doc

Closes #838

See merge request ungleich-public/cdist!962
2020-12-08 19:36:45 +01:00
Darko Poljak
14c81d6c7e ++changelog 2020-12-08 07:16:26 +01:00
a1987fe410 Merge branch 'feature/__iptables_rule/ipv6' into 'master'
__iptables*: add IPv6 support

See merge request ungleich-public/cdist!959
2020-12-08 07:10:29 +01:00
c5ca4cd2e1 __block: securly quote via the quote function
Because the function already exists, it will be used for the file to be
changed, too. Therefor, no quotes are required for that value.

The prefix and suffix match was also improved: There is no regex check
any more (the regex did checked the whole line); instead it will do it
simple.
2020-12-07 19:59:05 +01:00
Darko Poljak
2966296173 ++changelog 2020-12-07 19:47:52 +01:00
226f665fb5 Merge branch 'imp-deprecation' into 'master'
Deal with deprecation of imp module.

See merge request ungleich-public/cdist!963
2020-12-07 19:48:08 +01:00
1c61989c03 Merge branch 'fix/type/__package_pkgng_freebsd/bootstrap' into 'master'
__package_pkgng_freebsd: Fix bootstrapping pkg(7)

See merge request ungleich-public/cdist!961
2020-12-07 19:42:21 +01:00
bed08c2c5c Deal with deprecation of imp module.
importlib has been a thing since Python 3.1, and imp has been deprecated since
3.4.

Insert random complaint here about not being able to use f-strings because they
were introduced in Python 3.6 and apparently we support Python 3.5 >,<.

Output diff before to after for ./bin/cdist-build-helper test (on heavy load):
```
1,2d0
< /usr/home/evilham/s/cdist/cdist/cdist/test/__main__.py:23: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
<   import imp
72c70
< ERROR: cdisttesthost: __file/tmp/foobar requires object __file without object id. Defined at /tmp/tmp.cdist.test.g87lx7c8/tmp.cdist.test.6ramsakx
---
> ERROR: cdisttesthost: __file/tmp/foobar requires object __file without object id. Defined at /tmp/tmp.cdist.test.aqdf6vjz/tmp.cdist.test.jgv3udel
76c74
< test_nonexistent_type_requirement (cdist.test.emulator.EmulatorTestCase) ... ERROR: cdisttesthost: __file/tmp/foobar requires object __does-not-exist/some-id, but type __does-not-exist does not exist. Defined at /tmp/tmp.cdist.test.mma5j8ln/tmp.cdist.test.3zg4by4d
---
> test_nonexistent_type_requirement (cdist.test.emulator.EmulatorTestCase) ... ERROR: cdisttesthost: __file/tmp/foobar requires object __does-not-exist/some-id, but type __does-not-exist does not exist. Defined at /tmp/tmp.cdist.test.t8d6ockr/tmp.cdist.test.uimxurg9
86c84
< test_initial_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running initial manifest /tmp/tmp.cdist.test.uvid60ij/759547ff4356de6e3d9e08522b0d0807/data/conf/manifest/dump_environment
---
> test_initial_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running initial manifest /tmp/tmp.cdist.test._cttcnrj/759547ff4356de6e3d9e08522b0d0807/data/conf/manifest/dump_environment
89c87
< test_type_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running type manifest /tmp/tmp.cdist.test.k1i2onpb/759547ff4356de6e3d9e08522b0d0807/data/conf/type/__dump_environment/manifest for object __dump_environment/whatever
---
> test_type_manifest_environment (cdist.test.manifest.ManifestTestCase) ... VERBOSE: cdisttesthost: Running type manifest /tmp/tmp.cdist.test.ukr7lrzd/759547ff4356de6e3d9e08522b0d0807/data/conf/type/__dump_environment/manifest for object __dump_environment/whatever
272c270
< Ran 225 tests in 44.457s
---
> Ran 225 tests in 43.750s
```
2020-12-06 20:24:00 +01:00
3930f69456 __block: fix escaping in here-doc
This changes the here-document to do not interpret any shell-things. It
also single-quotes some more strings that are printed to code-remote.

Fixes #838
2020-12-06 16:45:58 +01:00
087be130fa __iptables_apply: shorten copyright header
Do we need all the copyright header or is this sufficient? The licence
is given for cdist, but not on the target host. But it should be clear
anyway.
2020-12-04 19:23:49 +01:00
Dennis Camera
2d19856840 [type/__package_pkgng_freebsd] Set ASSUME_ALWAYS_YES instead of -y 2020-12-04 18:26:03 +01:00
ba7d16a155 __iptables_*: correct manpage spelling 2020-12-04 17:57:55 +01:00
Darko Poljak
d44b5cfdc9 Release 6.9.3 2020-12-04 15:31:35 +01:00
Darko Poljak
c7fa2efe6b ++changelog 2020-12-04 15:30:08 +01:00
74426a7827 Merge branch 'fix/pip-install' into 'master'
Hotfix: Add cdist.scan to packages

See merge request ungleich-public/cdist!960
2020-12-04 15:30:12 +01:00
Dennis Camera
1055e92545 [setup.py] Add cdist.scan to packages 2020-12-02 19:54:41 +01:00
a1db5c3d0e __iptables*: Update manpages for execution order
To make some thinks clear if someone needs it ..
2020-12-02 18:22:31 +01:00
bee255c1ae __iptables_apply: man updates 2020-12-02 18:04:50 +01:00
f568462e49 __iptables_rule: fix shellcheck SC2235 2020-12-02 17:48:41 +01:00
84172550df __iptables*: add IPv6 support
Because it currently only support IPv4. To implement this, it falls back
to IPv4 for backward compatibilty, but now supports rules for IPv6 and
both protocols at the same time.
2020-11-30 20:35:19 +01:00
Darko Poljak
23e0da521c Release 6.9.2 2020-11-20 19:46:55 +01:00
Darko Poljak
803a9d62a7 ++changelog 2020-11-20 19:46:03 +01:00
a234445e85 Merge branch 'feature/type/__localedef' into 'master'
__localedef: Add new type to replace __locale

See merge request ungleich-public/cdist!951
2020-11-20 19:42:52 +01:00
Darko Poljak
82eadb6994 ++changelog 2020-11-19 19:34:43 +01:00
58b28d2d75 Merge branch 'feature/type/__sshd_config' into 'master'
__sshd config: New type

See merge request ungleich-public/cdist!958
2020-11-19 19:33:49 +01:00
9d4f69250e __sshd config: New type 2020-11-19 19:33:47 +01:00
6c539d67af Merge branch 'fix/type/__hostname/fix-os-version-detection' into 'master'
__hostname: fix guessing of SuSE OS version

See merge request ungleich-public/cdist!953
2020-11-19 19:31:53 +01:00
d30cd5c2b2 Merge branch 'bugfix/in-script-import' into 'master'
Fix importing cdist module

Closes #845

See merge request ungleich-public/cdist!957
2020-11-14 15:09:42 +01:00
Dennis Camera
87faffd875 [type/__localdef] Also check for aliases in state explorer 2020-11-14 11:45:31 +01:00
Dennis Camera
eeb9871919 [type/__localedef] glibc: Also delete aliases when removing a locale 2020-11-14 11:45:31 +01:00
Dennis Camera
575bb62dc5 [type/__localedef] Externalise functions to separate files 2020-11-14 11:45:31 +01:00
Dennis Camera
c1c60e3374 [type/__localedef] Blacklist OpenBSD and NetBSD 2020-11-14 11:45:31 +01:00
Dennis Camera
dcef2c19f5 [type/__localedef] Add support for FreeBSD 2020-11-14 11:45:31 +01:00
Dennis Camera
f44888f192 [type/__localedef] Only install dependencies in manifest. OS checking moved to gencode-remote 2020-11-14 11:45:31 +01:00
Dennis Camera
cc29e54b85 [type/__localedef] Differentiate between OSes and better handling of normalized locale names 2020-11-14 11:45:31 +01:00
Dennis Camera
54e689f7c2 [type/__localedef] Add state explorer 2020-11-14 10:48:18 +01:00
Dennis Camera
f75d477209 Deprecate __locale and replace with __localedef 2020-11-14 10:48:18 +01:00
Dennis Camera
87a0d91587 [type/__hostname] Fix OS version detection for SuSE
everything should be suse now…
2020-11-11 14:21:35 +01:00
Dennis Camera
702f3eba4f [type/__hostname] Remove opensuse-leap OS string
everything should be suse now…
2020-11-11 14:21:35 +01:00
Dennis Camera
3e48ef9e11 [type/__hostname] Lint
- Error if expected environment variables are unset
- Always wrap variable expansions in {}
2020-11-11 14:21:35 +01:00
222 changed files with 6810 additions and 1404 deletions

View file

@ -35,9 +35,9 @@ DOCS_SRC_DIR=./docs/src
SPEECHDIR=./docs/speeches
TYPEDIR=./cdist/conf/type
SPHINXM=make -C $(DOCS_SRC_DIR) man
SPHINXH=make -C $(DOCS_SRC_DIR) html
SPHINXC=make -C $(DOCS_SRC_DIR) clean
SPHINXM=$(MAKE) -C $(DOCS_SRC_DIR) man
SPHINXH=$(MAKE) -C $(DOCS_SRC_DIR) html
SPHINXC=$(MAKE) -C $(DOCS_SRC_DIR) clean
################################################################################
# Manpages

View file

@ -24,8 +24,8 @@ For community-maintained types there is
## Participating
IRC: ``#cdist`` @ freenode
IRC: ``#cdist`` @ [libera](https://libera.chat)
Matrix: ``#cdist:ungleich.ch``
Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist
Matrix and IRC are bridged.

View file

@ -72,9 +72,11 @@ def commandline():
if __name__ == "__main__":
if sys.version < cdist.MIN_SUPPORTED_PYTHON_VERSION:
print('Python >= {} is required on the source host.'.format(
cdist.MIN_SUPPORTED_PYTHON_VERSIO), file=sys.stderr)
if sys.version_info[:3] < cdist.MIN_SUPPORTED_PYTHON_VERSION:
print(
'Python >= {} is required on the source host.'.format(
".".join(map(str, cdist.MIN_SUPPORTED_PYTHON_VERSION))),
file=sys.stderr)
sys.exit(1)
exit_code = 0

View file

@ -1,6 +1,6 @@
#!/bin/sh
#
# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2011-2022 Nico Schottelius (nico-cdist at schottelius.org)
# 2016-2019 Darko Poljak (darko.poljak at gmail.com)
#
# This file is part of cdist.
@ -534,7 +534,8 @@ eof
;;
version)
printf "VERSION = \"%s\"\n" "$(git describe)" > cdist/version.py
target_version="$(git describe | sed 's/-/.dev/; s/-/+/g')"
printf "VERSION = \"%s\"\n" "${target_version}" > cdist/version.py
;;
target-version)

View file

@ -64,7 +64,7 @@ REMOTE_EXEC = "ssh -o User=root"
REMOTE_CMDS_CLEANUP_PATTERN = "ssh -o User=root -O exit -S {}"
MIN_SUPPORTED_PYTHON_VERSION = '3.5'
MIN_SUPPORTED_PYTHON_VERSION = (3, 5)
class Error(Exception):

View file

@ -472,9 +472,6 @@ def get_parsers():
parser['info'].set_defaults(func=cdist.info.Info.commandline)
# Scan = config + further
parser['scan'] = parser['sub'].add_parser('scan', add_help=False,
parents=[parser['config']])
parser['scan'] = parser['sub'].add_parser(
'scan', parents=[parser['loglevel'],
parser['beta'],
@ -485,19 +482,31 @@ def get_parsers():
parser['scan'].add_argument(
'-m', '--mode', help='Which modes should run',
action='append', default=[],
choices=['scan', 'trigger'])
choices=['scan', 'trigger', 'config'])
parser['scan'].add_argument(
'--list',
action='store_true',
help='List the known hosts and exit')
parser['scan'].add_argument(
'--config',
action='store_true',
help='Try to configure detected hosts')
parser['scan'].add_argument(
'-I', '--interfaces',
action='append', default=[],
'-I', '--interface',
action='append', default=[], required=True,
help='On which interfaces to scan/trigger')
parser['scan'].add_argument(
'-d', '--delay',
action='store', default=3600,
help='How long to wait before reconfiguring after last try')
'--name-mapper',
action='store', default=None,
help='Map addresses to names, required for config mode')
parser['scan'].add_argument(
'-d', '--config-delay',
action='store', default=3600, type=int,
help='How long (seconds) to wait before reconfiguring after last try')
parser['scan'].add_argument(
'-t', '--trigger-delay',
action='store', default=5, type=int,
help='How long (seconds) to wait between ICMPv6 echo requests')
parser['scan'].set_defaults(func=cdist.scan.commandline.commandline)
for p in parser:
@ -533,10 +542,10 @@ def parse_and_configure(argv, singleton=True):
log = logging.getLogger("cdist")
log.verbose("version %s" % cdist.VERSION)
log.trace('command line args: {}'.format(cfg.command_line_args))
log.trace('configuration: {}'.format(cfg.get_config()))
log.trace('configured args: {}'.format(args))
log.verbose("version %s", cdist.VERSION)
log.trace('command line args: %s', cfg.command_line_args)
log.trace('configuration: %s', cfg.get_config())
log.trace('configured args: %s', args)
check_beta(vars(args))

View file

@ -21,6 +21,9 @@
set +e
case "$("$__explorer/os")" in
checkpoint)
awk '{printf("%s\n", $(NF-1))}' /etc/cp-release
;;
openwrt)
# shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_CODENAME")

View file

@ -21,6 +21,9 @@
set +e
case "$("$__explorer/os")" in
checkpoint)
cat /etc/cp-release
;;
openwrt)
# shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_DESCRIPTION")

View file

@ -21,6 +21,9 @@
set +e
case "$("$__explorer/os")" in
checkpoint)
echo "CheckPoint"
;;
openwrt)
# shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_ID")

View file

@ -21,6 +21,9 @@
set +e
case "$("$__explorer/os")" in
checkpoint)
sed /etc/cp-release -e 's/.* R\([1-9][0-9]*\)\.[0-9]*$/\1/'
;;
openwrt)
# shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_RELEASE")

File diff suppressed because it is too large Load diff

View file

@ -1,8 +1,9 @@
#!/bin/sh
#!/bin/sh -e
#
# 2014 Daniel Heule (hda at sfs.biz)
# 2014 Thomas Oettli (otho at sfs.biz)
# Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
# 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
#
# This file is part of cdist.
#
@ -19,24 +20,73 @@
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Returns the amount of memory physically installed in the system, or if that
# cannot be determined the amount available to the operating system kernel,
# in kibibytes (kiB).
# FIXME: other system types (not linux ...)
str2bytes() {
awk -F' ' '
$2 == "B" || !$2 { print $1 }
$2 == "kB" { printf "%.f\n", ($1 * 1000) }
$2 == "MB" { printf "%.f\n", ($1 * 1000 * 1000) }
$2 == "GB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000) }
$2 == "TB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000 * 1000) }
$2 == "kiB" { printf "%.f\n", ($1 * 1024) }
$2 == "MiB" { printf "%.f\n", ($1 * 1024 * 1024) }
$2 == "GiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024) }
$2 == "TiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024 * 1024) }'
}
os=$("$__explorer/os")
case "$os" in
"macosx")
echo "$(sysctl -n hw.memsize)/1024" | bc
;;
bytes2kib() {
awk '$0 > 0 { printf "%.f\n", ($0 / 1024) }'
}
*"bsd")
PATH=$(getconf PATH)
echo "$(sysctl -n hw.physmem) / 1048576" | bc
;;
*)
if [ -r /proc/meminfo ]; then
grep "MemTotal:" /proc/meminfo | awk '{print $2}'
fi
;;
case $(uname -s)
in
(Darwin)
sysctl -n hw.memsize | bytes2kib
;;
(FreeBSD)
sysctl -n hw.realmem | bytes2kib
;;
(NetBSD|OpenBSD)
# NOTE: This reports "usable" memory, not physically installed memory.
command -p sysctl -n hw.physmem | bytes2kib
;;
(SunOS)
# Make sure that awk from xpg4 is used for the scripts to work
export PATH="/usr/xpg4/bin:${PATH}"
prtconf \
| awk -F ': ' '
$1 == "Memory size" { sub(/Megabytes/, "MiB", $2); print $2 }
/^$/ { exit }' \
| str2bytes \
| bytes2kib
;;
(Linux)
if test -d /sys/devices/system/memory
then
# Use memory blocks if the architecture (e.g. x86, PPC64, s390)
# supports them (they denote physical memory)
num_mem_blocks=$(cat /sys/devices/system/memory/memory[0-9]*/state | grep -cxF online)
mem_block_size=$(cat /sys/devices/system/memory/block_size_bytes)
echo $((num_mem_blocks * 0x$mem_block_size)) | bytes2kib && exit
fi
if test -r /proc/meminfo
then
# Fall back to meminfo file on other architectures (e.g. ARM, MIPS,
# PowerPC)
# NOTE: This is "usable" memory, not physically installed memory.
awk -F ': +' '$1 == "MemTotal" { sub(/B$/, "iB", $2); print $2 }' /proc/meminfo \
| str2bytes \
| bytes2kib
fi
;;
(*)
printf "Your kernel (%s) is currently not supported by the memory explorer\n" "$(uname -s)" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac

View file

@ -116,6 +116,13 @@ if [ -f /etc/slackware-version ]; then
exit 0
fi
# Appliances
if grep -q '^Check Point Gaia' /etc/cp-release 2>/dev/null; then
echo checkpoint
exit 0
fi
uname_s="$(uname -s)"
# Assume there is no tr on the client -> do lower case ourselves

View file

@ -34,5 +34,9 @@ elif test -f /var/run/os-release
then
# FreeBSD (created by os-release service)
cat /var/run/os-release
elif test -f /etc/cp-release
then
# Checkpoint firewall or management (actually linux based)
cat /etc/cp-release
fi

View file

@ -1,6 +1,7 @@
#!/bin/sh
#!/bin/sh -e
#
# 2010-2011 Nico Schottelius (nico-cdist at schottelius.org)
# 2020-2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -17,12 +18,22 @@
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# All os variables are lower case
#
#
case "$("$__explorer/os")" in
rc_getvar() {
awk -F= -v varname="$2" '
function unquote(s) {
if (s ~ /^".*"$/ || s ~ /^'\''.*'\''$/)
return substr(s, 2, length(s) - 2)
else
return s
}
$1 == varname { print unquote(substr($0, index($0, "=") + 1)) }' "$1"
}
case $("${__explorer:?}/os")
in
amazon)
cat /etc/system-release
;;
@ -30,6 +41,9 @@ case "$("$__explorer/os")" in
# empty, but well...
cat /etc/arch-release
;;
checkpoint)
awk '{version=$NF; printf("%s\n", substr(version, 2))}' /etc/cp-release
;;
debian)
debian_version=$(cat /etc/debian_version)
case $debian_version
@ -43,6 +57,8 @@ case "$("$__explorer/os")" in
# sid versions don't have a number, so we decode by codename:
case $(expr "$debian_version" : '\([a-z]\{1,\}\)/')
in
trixie) echo 12.99 ;;
bookworm) echo 11.99 ;;
bullseye) echo 10.99 ;;
buster) echo 9.99 ;;
stretch) echo 8.99 ;;
@ -50,7 +66,7 @@ case "$("$__explorer/os")" in
wheezy) echo 6.99 ;;
squeeze) echo 5.99 ;;
lenny) echo 4.99 ;;
*) exit 1
*) echo 99.99 ;;
esac
;;
*)
@ -59,7 +75,24 @@ case "$("$__explorer/os")" in
esac
;;
devuan)
cat /etc/devuan_version
devuan_version=$(cat /etc/devuan_version)
case ${devuan_version}
in
(*/ceres)
# ceres versions don't have a number, so we decode by codename:
case ${devuan_version}
in
(daedalus/ceres) echo 4.99 ;;
(chimaera/ceres) echo 3.99 ;;
(beowulf/ceres) echo 2.99 ;;
(ascii/ceres) echo 1.99 ;;
(*) exit 1
esac
;;
(*)
echo "${devuan_version}"
;;
esac
;;
fedora)
cat /etc/fedora-release
@ -68,7 +101,20 @@ case "$("$__explorer/os")" in
cat /etc/gentoo-release
;;
macosx)
sw_vers -productVersion
# NOTE: Legacy versions (< 10.3) do not support options
sw_vers | awk -F ':[ \t]+' '$1 == "ProductVersion" { print $2 }'
;;
freebsd)
# Apparently uname -r is not a reliable way to get the patch level.
# See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
if command -v freebsd-version >/dev/null 2>&1
then
# get userland version
freebsd-version -u
else
# fallback to kernel release for FreeBSD < 10.0
uname -r
fi
;;
*bsd|solaris)
uname -r
@ -93,7 +139,20 @@ case "$("$__explorer/os")" in
fi
;;
ubuntu)
lsb_release -sr
if command -v lsb_release >/dev/null 2>&1
then
lsb_release -sr
elif test -r /usr/lib/os-release
then
# fallback to /usr/lib/os-release if lsb_release is not present (like
# on minimized Ubuntu installations)
rc_getvar /usr/lib/os-release VERSION_ID
elif test -r /etc/lsb-release
then
# extract DISTRIB_RELEASE= variable from /etc/lsb-release on old
# versions without /usr/lib/os-release.
rc_getvar /etc/lsb-release DISTRIB_RELEASE
fi
;;
alpine)
cat /etc/alpine-release

View file

@ -0,0 +1,104 @@
cdist-type__debian_backports(7)
===============================
NAME
----
cdist-type__apt_backports - Install backports
DESCRIPTION
-----------
This singleton type installs backports for the current OS release.
It aborts if backports are not supported for the specified OS or
no version codename could be fetched (like Debian unstable).
The package index will be automatically updated if required.
It supports backports from following OSes:
- Debian
- Devuan
- Ubuntu
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
state
Represents the state of the backports repository. ``present`` or
``absent``, defaults to ``present``.
Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
mirror
The mirror to fetch the backports from. Will defaults to the generic
mirror of the current OS.
Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
BOOLEAN PARAMETERS
------------------
None.
MESSAGES
--------
None.
EXAMPLES
--------
.. code-block:: sh
# setup the backports
__apt_backports
__apt_backports --state absent
__apt_backports --state present --mirror "http://ftp.de.debian.org/debian/"
# install a backports package
# currently for the buster release backports
require="__apt_backports" __package_apt wireguard \
--target-release buster-backports
ABORTS
------
Aborts if the detected os is not Debian.
Aborts if no distribuition codename could be detected. This is common for the
unstable distribution, but there is no backports repository for it already.
CAVEATS
-------
For Ubuntu, it setup all componenents for the backports repository: ``main``,
``restricted``, ``universe`` and ``multiverse``. The user may not want to
install proprietary packages, which will only be installed if the user
explicitly uses the backports target-release. The user may change this behavior
to install backports packages without the need of explicitly select it.
SEE ALSO
--------
`Official Debian Backports site <https://backports.debian.org/>`_
:strong:`cdist-type__apt_source`\ (7)
AUTHORS
-------
Matthias Stecher <matthiasstecher at gmx.de>
COPYING
-------
Copyright \(C) 2020 Matthias Stecher. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,82 @@
#!/bin/sh -e
# __apt_backports/manifest
#
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Enables/disables backports repository. Utilises __apt_source for it.
#
# Get the distribution codename by /etc/os-release.
# is already executed in a subshell by string substitution
# lsb_release may not be given in all installations
codename_os_release() {
# shellcheck disable=SC1090
# shellcheck disable=SC1091
. "$__global/explorer/os_release"
printf "%s" "$VERSION_CODENAME"
}
# detect backport distribution
os="$(cat "$__global/explorer/os")"
case "$os" in
debian)
dist="$( codename_os_release )"
components="main"
mirror="http://deb.debian.org/debian/"
;;
devuan)
dist="$( codename_os_release )"
components="main"
mirror="http://deb.devuan.org/merged"
;;
ubuntu)
dist="$( codename_os_release )"
components="main restricted universe multiverse"
mirror="http://archive.ubuntu.com/ubuntu"
;;
*)
printf "Backports for %s are not supported!\n" "$os" >&2
exit 1
;;
esac
# error if no codename given (e.g. on Debian unstable)
if [ -z "$dist" ]; then
printf "No backports for unkown version of distribution %s!\n" "$os" >&2
exit 1
fi
# parameters
state="$(cat "$__object/parameter/state")"
# mirror already set for the os, only override user-values
if [ -f "$__object/parameter/mirror" ]; then
mirror="$(cat "$__object/parameter/mirror")"
fi
# install the given backports repository
__apt_source "${dist}-backports" \
--state "$state" \
--distribution "${dist}-backports" \
--component "$components" \
--uri "$mirror"

View file

@ -0,0 +1 @@
present

View file

@ -0,0 +1,2 @@
state
mirror

View file

@ -27,18 +27,25 @@ else
keyid="$__object_id"
fi
# From apt-key(8):
# Use of apt-key is deprecated, except for the use of apt-key del in
# maintainer scripts to remove existing keys from the main keyring.
# If such usage of apt-key is desired the additional installation of
# the GNU Privacy Guard suite (packaged in gnupg) is required.
if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
if apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK"
then echo present
else echo absent
fi
exit
fi
keydir="$(cat "$__object/parameter/keydir")"
keyfile="$keydir/$__object_id.gpg"
if [ -d "$keydir" ]
if [ -f "$keyfile" ]
then
if [ -f "$keyfile" ]
then echo present
else echo absent
fi
else
# fallback to deprecated apt-key
apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
&& echo present \
|| echo absent
echo present
exit
fi
echo absent

View file

@ -25,11 +25,7 @@ else
fi
state_should="$(cat "$__object/parameter/state")"
state_is="$(cat "$__object/explorer/state")"
if [ "$state_should" = "$state_is" ]; then
# nothing to do
exit 0
fi
method="$(cat "$__object/key_method")"
keydir="$(cat "$__object/parameter/keydir")"
keyfile="$keydir/$__object_id.gpg"
@ -37,30 +33,18 @@ keyfile="$keydir/$__object_id.gpg"
case "$state_should" in
present)
keyserver="$(cat "$__object/parameter/keyserver")"
if [ -f "$__object/parameter/uri" ]; then
uri="$(cat "$__object/parameter/uri")"
if [ -d "$keydir" ]; then
cat << EOF
curl -s -L \\
-o "$keyfile" \\
"$uri"
key="\$( cat "$keyfile" )"
if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
then
echo "\$key" | gpg --dearmor > "$keyfile"
fi
EOF
else
# fallback to deprecated apt-key
echo "curl -s -L '$uri' | apt-key add -"
# Using __download or __file as key source
# Propagate messages if needed
if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
echo "added '$keyid'" >> "$__messages_out"
fi
elif [ -d "$keydir" ]; then
exit 0
elif [ "${state_is}" = "present" ]; then
exit 0
fi
# Using key servers to fetch the key
if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
# we need to kill gpg after 30 seconds, because gpg
# can get stuck if keyserver is not responding.
# exporting env var and not exit 1,
@ -100,13 +84,16 @@ EOF
echo "added '$keyid'" >> "$__messages_out"
;;
absent)
if [ -f "$keyfile" ]; then
echo "rm '$keyfile'"
else
# Removal for keys added from a keyserver without this flag
# is done in the manifest
if [ "$state_is" != "absent" ] && \
[ -f "$__object/parameter/use-deprecated-apt-key" ]; then
# fallback to deprecated apt-key
echo "apt-key del \"$keyid\""
echo "removed '$keyid'" >> "$__messages_out"
# Propagate messages if needed
elif grep -Eq "^__file$keyfile" "$__messages_in"; then
echo "removed '$keyid'" >> "$__messages_out"
fi
echo "removed '$keyid'" >> "$__messages_out"
;;
esac

View file

@ -10,6 +10,14 @@ DESCRIPTION
-----------
Manages the list of keys used by apt to authenticate packages.
This is done by placing the requested key in a file named
``$__object_id.gpg`` in the ``keydir`` directory.
This is supported by modern releases of Debian-based distributions.
In order of preference, exactly one of: ``source``, ``uri`` or ``keyid``
must be specified.
REQUIRED PARAMETERS
-------------------
@ -18,21 +26,49 @@ None.
OPTIONAL PARAMETERS
-------------------
keydir
keyring directory, defaults to ``/etc/apt/trusted.pgp.d``, which is
enabled system-wide by default.
source
path to a file containing the GPG key of the repository.
Using this is recommended as it ensures that the manifest/type manintainer
has validated the key.
If ``-``, the GPG key is read from the type's stdin.
state
'present' or 'absent'. Defaults to 'present'
uri
the URI from which to download the key.
It is highly recommended that you only use protocols with TLS like HTTPS.
This uses ``__download`` but does not use checksums, if you want to ensure
that the key doesn't change, you are better off downloading it and using
``--source``.
DEPRECATED OPTIONAL PARAMETERS
------------------------------
keyid
the id of the key to add. Defaults to __object_id
the id of the key to download from the ``keyserver``.
This is to be used in absence of ``--source`` and ``--uri`` or together
with ``--use-deprecated-apt-key`` for key removal.
Defaults to ``$__object_id``.
keyserver
the keyserver from which to fetch the key. If omitted the default set
in ./parameter/default/keyserver is used.
the keyserver from which to fetch the key.
Defaults to ``pool.sks-keyservers.net``.
keydir
key save location, defaults to ``/etc/apt/trusted.pgp.d``
uri
the URI from which to download the key
DEPRECATED BOOLEAN PARAMETERS
-----------------------------
use-deprecated-apt-key
``apt-key(8)`` will last be available in Debian 11 and Ubuntu 22.04.
You can use this parameter to force usage of ``apt-key(8)``.
Please only use this parameter to *remove* keys from the keyring,
in order to prepare for removal of ``apt-key``.
Adding keys should be done without this parameter.
This parameter will be removed when Debian 11 stops being supported.
EXAMPLES
@ -40,33 +76,39 @@ EXAMPLES
.. code-block:: sh
# Add Ubuntu Archive Automatic Signing Key
__apt_key 437D05B5
# Same thing
__apt_key 437D05B5 --state present
# Get rid of it
__apt_key 437D05B5 --state absent
# add a key that has been verified by a type maintainer
__apt_key jitsi_meet_2021 \
--source cdist-contrib/type/__jitsi_meet/files/apt_2021.gpg
# same thing with human readable name and explicit keyid
__apt_key UbuntuArchiveKey --keyid 437D05B5
# remove an old, deprecated or expired key
__apt_key jitsi_meet_2016 --state absent
# same thing with other keyserver
__apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
# Get rid of a key that might have been added to
# /etc/apt/trusted.gpg with apt-key
__apt_key 0x40976EAF437D05B5 --use-deprecated-apt-key --state absent
# download key from the internet
__apt_key rabbitmq \
--uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
# add a key that we define in-line
__apt_key jitsi_meet_2021 --source '-' <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
[...]
-----END PGP PUBLIC KEY BLOCK-----
EOF
# download or update key from the internet
__apt_key rabbitmq_2007 \
--uri https://www.rabbitmq.com/rabbitmq-signing-key-public.asc
AUTHORS
-------
Steven Armstrong <steven-cdist--@--armstrong.cc>
Ander Punnar <ander-at-kvlt-dot-ee>
Evilham <contact~~@~~evilham.com>
COPYING
-------
Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
Copyright \(C) 2011-2021 Steven Armstrong, Ander Punnar and Evilham. You can
redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -2,7 +2,105 @@
__package gnupg
if [ -f "$__object/parameter/uri" ]
then __package curl
else __package dirmngr
state_should="$(cat "${__object}/parameter/state")"
incompatible_args()
{
cat >> /dev/stderr <<-EOF
This type does not support --${1} and --${method} simultaneously.
EOF
exit 1
}
if [ -f "${__object}/parameter/source" ]; then
method="source"
src="$(cat "${__object}/parameter/source")"
if [ "${src}" = "-" ]; then
src="${__object}/stdin"
fi
fi
if [ -f "${__object}/parameter/uri" ]; then
if [ -n "${method}" ]; then
incompatible_args uri
fi
method="uri"
src="$(cat "${__object}/parameter/uri")"
fi
if [ -f "${__object}/parameter/keyid" ]; then
if [ -n "${method}" ]; then
incompatible_args keyid
fi
method="keyid"
fi
# Keep old default
if [ -z "${method}" ]; then
method="keyid"
fi
# Save this for later in gencode-remote
echo "${method}" > "${__object}/key_method"
# Required remotely (most likely already installed)
__package dirmngr
# We need this in case a key has to be dearmor'd
__package gnupg
export require="__package/gnupg"
if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
# This is required if apt-key(8) is to be used
if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
incompatible_args use-deprecated-apt-key
fi
else
if [ "${state_should}" = "absent" ] && \
[ -f "${__object}/parameter/keyid" ]; then
cat >> /dev/stderr <<EOF
You can't reliably remove by keyid without --use-deprecated-apt-key.
This would very likely do something you do not intend.
EOF
exit 1
fi
fi
keydir="$(cat "${__object}/parameter/keydir")"
keyfile="${keydir}/${__object_id}.gpg"
keyfilecdist="${keyfile}.cdist"
if [ "${state_should}" != "absent" ]; then
# Ensure keydir exists
__directory "${keydir}" --state exists --mode 0755
fi
if [ "${state_should}" = "absent" ]; then
__file "${keyfile}" --state "absent"
__file "${keyfilecdist}" --state "absent"
elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
dearmor="$(cat <<-EOF
if [ '${state_should}' = 'present' ]; then
# Dearmor if necessary
if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
else
cp '${keyfilecdist}' '${keyfile}'
fi
# Ensure permissions
chown root '${keyfile}'
chmod 0444 '${keyfile}'
fi
EOF
)"
if [ "${method}" = "uri" ]; then
__download "${keyfilecdist}" \
--url "${src}" \
--onchange "${dearmor}"
require="__download${keyfilecdist}" \
__file "${keyfile}" \
--owner root \
--mode 0444 \
--state pre-exists
else
__file "${keyfilecdist}" --state "${state_should}" \
--mode 0444 \
--source "${src}" \
--onchange "${dearmor}"
fi
fi

View file

@ -0,0 +1 @@
use-deprecated-apt-key

View file

@ -0,0 +1,3 @@
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
Use this flag *only* to migrate to placing a keyring directly in the
/etc/apt/trusted.gpg.d/ directory with a descriptive name.

View file

@ -1,5 +1,6 @@
state
keydir
keyid
keyserver
keydir
source
state
uri

View file

@ -0,0 +1 @@
Please migrate to using __apt_key key_id --uri URI.

View file

@ -24,4 +24,4 @@ else
name="$__object_id"
fi
apt-mark showhold | grep -Fq "$name" && echo hold || echo unhold
apt-mark showhold | grep -q "^${name}$" && echo hold || echo unhold

View file

@ -0,0 +1,79 @@
cdist-type__apt_pin(7)
======================
NAME
----
cdist-type__apt_pin - Manage apt pinning rules
DESCRIPTION
-----------
Adds/removes/edits rules to pin some packages to a specific distribution. Useful if using multiple debian repositories at the same time. (Useful, if one wants to use a few specific packages from backports or perhaps Debain testing... or even sid.)
REQUIRED PARAMETERS
-------------------
distribution
Specifies what distribution the package should be pinned to. Accepts both codenames (buster/bullseye/sid) and suite names (stable/testing/...).
OPTIONAL PARAMETERS
-------------------
package
Package name, glob or regular expression to match (multiple) packages. If not specified `__object_id` is used.
priority
The priority value to assign to matching packages. Defaults to 500. (To match the default target distro's priority)
state
Will be passed to underlying `__file` type; see there for valid values and defaults.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
# Add the bullseye repo to buster, but do not install any packages by default,
# only if explicitely asked for (-1 means "never" for apt)
__apt_pin bullseye-default \
--package "*" \
--distribution bullseye \
--priority -1
require="__apt_pin/bullseye-default" __apt_source bullseye \
--uri http://deb.debian.org/debian/ \
--distribution bullseye \
--component main
__apt_pin foo --package "foo foo-*" --distribution bullseye
__foo # Assuming, this installs the `foo` package internally
__package foo-plugin-extras # Assuming we also need some extra stuff
SEE ALSO
--------
:strong:`apt_preferences`\ (5)
:strong:`cdist-type__apt_source`\ (7)
:strong:`cdist-type__apt_backports`\ (7)
:strong:`cdist-type__file`\ (7)
AUTHORS
-------
Daniel Fancsali <fancsali@gmail.com>
COPYING
-------
Copyright \(C) 2021 Daniel Fancsali. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,68 @@
#!/bin/sh -e
#
# 2021 Daniel Fancsali (fancsali@gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
name="$__object_id"
os=$(cat "$__global/explorer/os")
state="$(cat "$__object/parameter/state")"
if [ -f "$__object/parameter/package" ]; then
package="$(cat "$__object/parameter/package")"
else
package=$name
fi
distribution="$(cat "$__object/parameter/distribution")"
priority="$(cat "$__object/parameter/priority")"
case "$os" in
debian|ubuntu|devuan)
;;
*)
printf "This type is specific to Debian and it's derivatives" >&2
exit 1
;;
esac
case $distribution in
stable|testing|unstable|experimental)
pin="release a=$distribution"
;;
*)
pin="release n=$distribution"
;;
esac
__file "/etc/apt/preferences.d/$name" \
--owner root --group root --mode 0644 \
--state "$state" \
--source - << EOF
# Created by cdist ${__type##*/}
# Do not change. Changes will be overwritten.
#
# $name
Package: $package
Pin: $pin
Pin-Priority: $priority
EOF

View file

View file

@ -0,0 +1 @@
500

View file

@ -0,0 +1 @@
present

View file

@ -0,0 +1,3 @@
state
package
priority

View file

@ -0,0 +1 @@
distribution

View file

@ -1,55 +0,0 @@
#!/usr/bin/env python
#
# Remove the given apt repository.
#
# Exit with:
# 0: if it worked
# 1: if not
# 2: on other error
import os
import sys
from aptsources import distro, sourceslist
from softwareproperties import ppa
from softwareproperties.SoftwareProperties import SoftwareProperties
def remove_if_empty(file_name):
with open(file_name, 'r') as f:
if f.read().strip():
return
os.unlink(file_name)
def remove_repository(repository):
#print 'repository:', repository
codename = distro.get_distro().codename
#print 'codename:', codename
(line, file) = ppa.expand_ppa_line(repository.strip(), codename)
#print 'line:', line
#print 'file:', file
deb_source_entry = sourceslist.SourceEntry(line, file)
src_source_entry = sourceslist.SourceEntry('deb-src{}'.format(line[3:]), file)
try:
sp = SoftwareProperties()
sp.remove_source(deb_source_entry)
try:
# If there's a deb-src entry, remove that too
sp.remove_source(src_source_entry)
except:
pass
remove_if_empty(file)
return True
except ValueError:
print >> sys.stderr, "Error: '%s' doesn't exists in a sourcelist file" % line
return False
if __name__ == '__main__':
if (len(sys.argv) != 2):
print >> sys.stderr, 'Error: need a repository as argument'
sys.exit(2)
repository = sys.argv[1]
if remove_repository(repository):
sys.exit(0)
else:
sys.exit(1)

View file

@ -29,9 +29,9 @@ fi
case "$state_should" in
present)
echo "add-apt-repository '$name'"
echo "add-apt-repository -y '$name'"
;;
absent)
echo "remove-apt-repository '$name'"
echo "add-apt-repository -r -y '$name'"
;;
esac

View file

@ -20,9 +20,4 @@
__package software-properties-common
require="__package/software-properties-common" \
__file /usr/local/bin/remove-apt-repository \
--source "$__type/files/remove-apt-repository" \
--mode 0755
require="$__object_name" __apt_update_index

View file

@ -2,13 +2,14 @@
set -u
entry="$uri $distribution $component"
cat << DONE
# Created by cdist ${__type##*/}
# Do not change. Changes will be overwritten.
#
# $name
deb ${forcedarch} $entry
deb ${options} $entry
DONE
if [ -f "$__object/parameter/include-src" ]; then
echo "deb-src $entry"

View file

@ -22,7 +22,21 @@
name="$__object_id"
destination="/etc/apt/sources.list.d/${name}.list"
# There are special arguments to apt(8) to prevent aborts if apt woudn't been
# updated after the 19th April 2021 till the bullseye release. The additional
# arguments acknoledge the happend suite change (the apt(8) update does the
# same by itself).
#
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
# allows backward compatablility to pre-buster Debian versions.
#
# See more: ticket #861
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
# run 'apt-get update' only if something changed with our sources.list file
# it will be run a second time on error as a redundancy messure to success
if grep -q "^__file${destination}" "$__messages_in"; then
printf 'apt-get update || apt-get update\n'
printf 'apt-get %s update || apt-get %s update\n' "$apt_opts" "$apt_opts"
fi

View file

@ -23,6 +23,9 @@ OPTIONAL PARAMETERS
arch
set this if you need to force and specific arch (ubuntu specific)
signed-by
provide a GPG key fingerprint or keyring path for signature checks
state
'present' or 'absent', defaults to 'present'
@ -56,6 +59,11 @@ EXAMPLES
--uri http://archive.canonical.com/ \
--component partner --state present
__apt_source goaccess \
--uri http://deb.goaccess.io/ \
--component main \
--signed-by C03B48887D5E56B046715D3297BD1A0133449C3D
AUTHORS
-------

View file

@ -21,6 +21,7 @@
name="$__object_id"
state="$(cat "$__object/parameter/state")"
uri="$(cat "$__object/parameter/uri")"
options=""
if [ -f "$__object/parameter/distribution" ]; then
distribution="$(cat "$__object/parameter/distribution")"
@ -31,9 +32,15 @@ fi
component="$(cat "$__object/parameter/component")"
if [ -f "$__object/parameter/arch" ]; then
forcedarch="[arch=$(cat "$__object/parameter/arch")]"
else
forcedarch=""
options="arch=$(cat "$__object/parameter/arch")"
fi
if [ -f "$__object/parameter/signed-by" ]; then
options="$options signed-by=$(cat "$__object/parameter/signed-by")"
fi
if [ "$options" ]; then
options="[$options]"
fi
# export variables for use in template
@ -41,7 +48,7 @@ export name
export uri
export distribution
export component
export forcedarch
export options
# generate file from template
mkdir "$__object/files"

View file

@ -1,4 +1,5 @@
state
distribution
component
arch
arch
signed-by

View file

@ -18,9 +18,23 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# There are special arguments to apt(8) to prevent aborts if apt woudn't been
# updated after the 19th April 2021 till the bullseye release. The additional
# arguments acknoledge the happend suite change (the apt(8) update does the
# same by itself).
#
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
# allows backward compatablility to pre-buster Debian versions.
#
# See more: ticket #861
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
# run 'apt-get update' if anything in /etc/apt is newer then /var/lib/apt/lists
# it will be run a second time on error as a redundancy messure to success
cat << DONE
if find /etc/apt -mindepth 1 -cnewer /var/lib/apt/lists | grep . > /dev/null; then
apt-get update || apt-get update
apt-get $apt_opts update || apt-get $apt_opts update
fi
DONE

View file

@ -46,28 +46,29 @@ fi
remove_block() {
cat << DONE
tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX)
tmpfile=\$(mktemp ${quoted_file}.cdist.XXXXXXXXXX)
# preserve ownership and permissions of existing file
if [ -f "$file" ]; then
cp -p "$file" "\$tmpfile"
if [ -f $quoted_file ]; then
cp -p $quoted_file "\$tmpfile"
fi
awk -v prefix=^$(quote "$prefix")\$ -v suffix=^$(quote "$suffix")\$ '
awk -v prefix=$(quote "$prefix") -v suffix=$(quote "$suffix") '
{
if (match(\$0,prefix)) {
if (\$0 == prefix) {
triggered=1
}
if (triggered) {
if (match(\$0,suffix)) {
if (\$0 == suffix) {
triggered=0
}
} else {
print
}
}' "$file" > "\$tmpfile"
mv -f "\$tmpfile" "$file"
}' $quoted_file > "\$tmpfile"
mv -f "\$tmpfile" $quoted_file
DONE
}
quoted_file="$(quote "$file")"
case "$state_should" in
present)
if [ "$state_is" = "changed" ]; then
@ -77,7 +78,7 @@ case "$state_should" in
echo add >> "$__messages_out"
fi
cat << DONE
cat >> "$file" << ${__type##*/}_DONE
cat >> $quoted_file << '${__type##*/}_DONE'
$(cat "$block")
${__type##*/}_DONE
DONE

View file

@ -0,0 +1,142 @@
#!/bin/sh -e
#
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Determine current debconf selections' state.
# Prints one of:
# present: all selections are already set as they should.
# different: one or more of the selections have a different value.
# absent: one or more of the selections are not (currently) defined.
#
test -x /usr/bin/perl || {
# cannot find perl (no perl ~ no debconf)
echo 'absent'
exit 0
}
linesfile="${__object:?}/parameter/line"
test -s "${linesfile}" || {
if test -s "${__object:?}/parameter/file"
then
echo absent
else
echo present
fi
exit 0
}
# assert __type_explorer is set (because it is used by the Perl script)
: "${__type_explorer:?}"
/usr/bin/perl -- - "${linesfile}" <<'EOF'
use strict;
use warnings "all";
use Fcntl qw(:DEFAULT :flock);
use Debconf::Db;
use Debconf::Question;
# Extract @known... arrays from debconf-set-selections
# These values are required to distinguish flags and values in the given lines.
# DC: I couldn't think of a more ugly solution to the problem…
my @knownflags;
my @knowntypes;
my $debconf_set_selections = '/usr/bin/debconf-set-selections';
if (-e $debconf_set_selections) {
my $sed_known = 's/^my \(@known\(flags\|types\) = qw([a-z ]*);\).*$/\1/p';
eval `sed -n '$sed_known' '$debconf_set_selections'`;
}
sub mungeline ($) {
my $line = shift;
chomp $line;
$line =~ s/\r$//;
return $line;
}
sub fatal { printf STDERR @_; exit 1; }
my $state = 'present';
sub state {
my $new = shift;
if ($state eq 'present'
or ($state eq 'different' and $new eq 'absent')) {
$state = $new;
}
}
# Load Debconf DB but manually lock on the state explorer script,
# because Debconf aborts immediately if executed concurrently.
# This is not really an ideal solution because the Debconf DB could be locked by
# another process (e.g. apt-get), but no way to achieve this could be found.
# If you know how to, please provide a patch.
my $lockfile = "%ENV{'__type_explorer'}/state";
if (open my $lock_fh, '+<', $lockfile) {
flock $lock_fh, LOCK_EX or die "Cannot lock $lockfile";
}
{
Debconf::Db->load(readonly => 'true');
}
while (<>) {
# Read and process lines (taken from debconf-set-selections)
$_ = mungeline($_);
while (/\\$/ && ! eof) {
s/\\$//;
$_ .= mungeline(<>);
}
next if /^\s*$/ || /^\s*\#/;
my ($owner, $label, $type, $content) = /^\s*(\S+)\s+(\S+)\s+(\S+)(?:\s(.*))?/
or fatal "invalid line: %s\n", $_;
$content = '' unless defined $content;
# Compare is and should state
my $q = Debconf::Question->get($label);
unless (defined $q) {
# probably a preseed
state 'absent';
next;
}
if (grep { $_ eq $q->type } @knownflags) {
# This line wants to set a flag, presumably.
if ($q->flag($q->type) ne $content) {
state 'different';
}
} else {
# Otherwise, it's probably a value…
if ($q->value ne $content) {
state 'different';
}
unless (grep { $_ eq $owner } (split /, /, $q->owners)) {
state 'different';
}
}
}
printf "%s\n", $state;
EOF

View file

@ -1,6 +1,7 @@
#!/bin/sh -e
#
# 2011-2014 Nico Schottelius (nico-cdist at schottelius.org)
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -17,16 +18,37 @@
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Setup selections
#
filename="$(cat "$__object/parameter/file")"
if [ "$filename" = "-" ]; then
filename="$__object/stdin"
if test -f "${__object:?}/parameter/line"
then
filename="${__object:?}/parameter/line"
elif test -s "${__object:?}/parameter/file"
then
filename=$(cat "${__object:?}/parameter/file")
if test "${filename}" = '-'
then
filename="${__object:?}/stdin"
fi
else
printf 'Neither --line nor --file set.\n' >&2
exit 1
fi
echo "debconf-set-selections << __file-eof"
cat "$filename"
echo "__file-eof"
# setting no lines makes no sense
test -s "${filename}" || exit 0
state_is=$(cat "${__object:?}/explorer/state")
if test "${state_is}" != 'present'
then
cat <<-CODE
debconf-set-selections <<'EOF'
$(cat "${filename}")
EOF
CODE
awk '
{
printf "set %s %s %s %s\n", $1, $2, $3, $4
}' "${filename}" >>"${__messages_out:?}"
fi

View file

@ -8,15 +8,33 @@ cdist-type__debconf_set_selections - Setup debconf selections
DESCRIPTION
-----------
On Debian and alike systems debconf-set-selections(1) can be used
On Debian and alike systems :strong:`debconf-set-selections`\ (1) can be used
to setup configuration parameters.
REQUIRED PARAMETERS
-------------------
cf. ``--line``.
OPTIONAL PARAMETERS
-------------------
file
Use the given filename as input for debconf-set-selections(1)
If filename is "-", read from stdin.
Use the given filename as input for :strong:`debconf-set-selections`\ (1)
If filename is ``-``, read from stdin.
**This parameter is deprecated, because it doesn't work with state detection.**
line
A line in :strong:`debconf-set-selections`\ (1) compatible format.
This parameter can be used multiple times to set multiple options.
(This parameter is actually required, but marked optional because the
deprecated ``--file`` is still accepted.)
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
@ -24,30 +42,29 @@ EXAMPLES
.. code-block:: sh
# Setup configuration for nslcd
__debconf_set_selections nslcd --file /path/to/file
# Setup gitolite's gituser
__debconf_set_selections nslcd --line 'gitolite gitolite/gituser string git'
# Setup configuration for nslcd from another type
__debconf_set_selections nslcd --file "$__type/files/preseed/nslcd"
__debconf_set_selections nslcd --file - << eof
gitolite gitolite/gituser string git
eof
# Setup configuration for nslcd from a file.
# NB: Multiple lines can be passed to --line, although this can be considered a hack.
__debconf_set_selections nslcd --line "$(cat "${__files:?}/preseed/nslcd.debconf")"
SEE ALSO
--------
:strong:`debconf-set-selections`\ (1), :strong:`cdist-type__update_alternatives`\ (7)
- :strong:`cdist-type__update_alternatives`\ (7)
- :strong:`debconf-set-selections`\ (1)
AUTHORS
-------
Nico Schottelius <nico-cdist--@--schottelius.org>
| Nico Schottelius <nico-cdist--@--schottelius.org>
| Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
COPYING
-------
Copyright \(C) 2011-2014 Nico Schottelius. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
Copyright \(C) 2011-2014 Nico Schottelius, 2021 Dennis Camera.
You can redistribute it and/or modify it under the terms of the GNU General
Public License as published by the Free Software Foundation, either version 3 of
the License, or (at your option) any later version.

View file

@ -1,6 +1,6 @@
#!/bin/sh -e
#
# 2015 Dominique Roux (dominique.roux4 at gmail.com)
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -18,20 +18,4 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
if [ -f "$__object/parameter/destination" ]; then
destination=$(cat "$__object/parameter/destination")
else
destination="/$__object_id"
fi
ownergroup=""
if [ -f "$__object/parameter/owner" ]; then
ownergroup=$(cat "$__object/parameter/owner")
fi
if [ -f "$__object/parameter/group" ]; then
ownergroup="${ownergroup}:$(cat "$__object/parameter/group")"
fi
if [ "$ownergroup" ]; then
echo chown -R "$ownergroup" "$destination"
fi
__package_apt debconf

View file

@ -0,0 +1 @@
'file' has been deprecated in favour of 'line' in order to provide idempotency.

View file

@ -25,6 +25,9 @@ user
OPTIONAL PARAMETERS
-------------------
dirmode
forwarded to :strong:`__directory` type as mode
mode
forwarded to :strong:`__file` type
@ -34,6 +37,12 @@ state
source
forwarded to :strong:`__file` type
file
forwarded to :strong:`__file` type
This can be used if multiple users need to have a dotfile updated,
which will result in duplicate object id errors. When using the
file parameter the object id can be some unique value.
MESSAGES
--------
@ -58,6 +67,15 @@ EXAMPLES
# Install default xmonad config for user 'eve'. Parent directory is created automatically.
__dot_file .xmonad/xmonad.hs --user eve --state exists --source "$__files/xmonad.hs"
# install .vimrc for root and some users
for user in root userx usery userz; do
__dot_file "${user}_dot_vimrc" \
--user $user \
--file .vimrc \
--state exists \
--source "$__files/$user/.vimrc"
done
SEE ALSO
--------

View file

@ -19,13 +19,20 @@ set -eu
user="$(cat "${__object}/parameter/user")"
home="$(cat "${__object}/explorer/home")"
primary_group="$(cat "${__object}/explorer/primary_group")"
dirmode="$(cat "${__object}/parameter/dirmode")"
if [ -f "${__object}/parameter/file" ]; then
file="$(cat "${__object}/parameter/file")"
else
file="${__object_id}"
fi
# Create parent directory. Type __directory has flag 'parents', but it
# will leave us with root-owned directory in user home, which is not
# acceptable. So we create parent directories one-by-one. XXX: maybe
# it should be fixed in '__directory'?
set --
subpath=${__object_id}
subpath=${file}
while subpath="$(dirname "${subpath}")" ; do
[ "${subpath}" = . ] && break
set -- "${subpath}" "$@"
@ -36,6 +43,7 @@ export CDIST_ORDER_DEPENDENCY
for dir ; do
__directory "${home}/${dir}" \
--group "${primary_group}" \
--mode "${dirmode}" \
--owner "${user}"
done
@ -62,4 +70,4 @@ if [ "${source}" = "-" ] ; then
fi
unset source
__file "${home}/${__object_id}" --owner "$user" --group "$primary_group" "$@"
__file "${home}/${file}" --owner "$user" --group "$primary_group" "$@"

View file

@ -0,0 +1 @@
0700

View file

@ -1,3 +1,4 @@
state
mode
source
dirmode

View file

@ -1,19 +0,0 @@
#!/bin/sh -e
if [ -f "$__object/parameter/cmd-get" ]
then
cmd="$( cat "$__object/parameter/cmd-get" )"
elif command -v curl > /dev/null
then
cmd="curl -L -o - '%s'"
elif command -v fetch > /dev/null
then
cmd="fetch -o - '%s'"
else
cmd="wget -O - '%s'"
fi
echo "$cmd"

View file

@ -0,0 +1,16 @@
#!/bin/sh -e
if [ -f "$__object/parameter/cmd-get" ]
then
cat "$__object/parameter/cmd-get"
elif
command -v curl > /dev/null
then
echo "curl -sSL -o - '%s'"
elif
command -v fetch > /dev/null
then
echo "fetch -o - '%s'"
else
echo "wget -O - '%s'"
fi

View file

@ -0,0 +1,82 @@
#!/bin/sh -e
if [ ! -f "$__object/parameter/sum" ]
then
exit 0
fi
if [ -f "$__object/parameter/cmd-sum" ]
then
cat "$__object/parameter/cmd-sum"
exit 0
fi
sum_should="$( cat "$__object/parameter/sum" )"
if echo "$sum_should" | grep -Fq ':'
then
sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
else
if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
then
sum_hash='cksum'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
then
sum_hash='md5'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
then
sum_hash='sha1'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
then
sum_hash='sha256'
else
echo 'hash format detection failed' >&2
exit 1
fi
fi
os="$( "$__explorer/os" )"
case "$sum_hash" in
cksum)
echo "cksum %s | awk '{print \$1\" \"\$2}'"
;;
md5)
case "$os" in
freebsd)
echo "md5 -q %s"
;;
*)
echo "md5sum %s | awk '{print \$1}'"
;;
esac
;;
sha1)
case "$os" in
freebsd)
echo "sha1 -q %s"
;;
*)
echo "sha1sum %s | awk '{print \$1}'"
;;
esac
;;
sha256)
case "$os" in
freebsd)
echo "sha256 -q %s"
;;
*)
echo "sha256sum %s | awk '{print \$1}'"
;;
esac
;;
*)
# we arrive here only if --sum is given with unknown format prefix
echo "unknown hash format: $sum_hash" >&2
exit 1
;;
esac

View file

@ -1,6 +1,11 @@
#!/bin/sh -e
dst="/$__object_id"
if [ -f "$__object/parameter/destination" ]
then
dst="$( cat "$__object/parameter/destination" )"
else
dst="/$__object_id"
fi
if [ ! -f "$dst" ]
then
@ -8,59 +13,27 @@ then
exit 0
fi
if [ ! -f "$__object/parameter/sum" ]
then
echo 'present'
exit 0
fi
sum_should="$( cat "$__object/parameter/sum" )"
if [ -f "$__object/parameter/cmd-sum" ]
if echo "$sum_should" | grep -Fq ':'
then
# shellcheck disable=SC2059
sum_is="$( eval "$( printf \
"$( cat "$__object/parameter/cmd-sum" )" \
"$dst" )" )"
else
os="$( "$__explorer/os" )"
if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
then
sum_is="$( cksum "$dst" | awk '{print $1" "$2}' )"
elif echo "$sum_should" | grep -Eiq '^md5:[a-f0-9]{32}$'
then
case "$os" in
freebsd)
sum_is="md5:$( md5 -q "$dst" )"
;;
*)
sum_is="md5:$( md5sum "$dst" | awk '{print $1}' )"
;;
esac
elif echo "$sum_should" | grep -Eiq '^sha1:[a-f0-9]{40}$'
then
case "$os" in
freebsd)
sum_is="sha1:$( sha1 -q "$dst" )"
;;
*)
sum_is="sha1:$( sha1sum "$dst" | awk '{print $1}' )"
;;
esac
elif echo "$sum_should" | grep -Eiq '^sha256:[a-f0-9]{64}$'
then
case "$os" in
freebsd)
sum_is="sha256:$( sha256 -q "$dst" )"
;;
*)
sum_is="sha256:$( sha256sum "$dst" | awk '{print $1}' )"
;;
esac
fi
sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
fi
sum_cmd="$( "$__type_explorer/remote_cmd_sum" )"
# shellcheck disable=SC2059
sum_is="$( eval "$( printf "$sum_cmd" "'$dst'" )" )"
if [ -z "$sum_is" ]
then
echo 'no checksum from target' >&2
echo 'existing destination checksum failed' >&2
exit 1
fi

View file

@ -11,34 +11,133 @@ fi
url="$( cat "$__object/parameter/url" )"
tmp="$( mktemp )"
dst="/$__object_id"
if [ -f "$__object/parameter/destination" ]
then
dst="$( cat "$__object/parameter/destination" )"
else
dst="/$__object_id"
fi
if [ -f "$__object/parameter/cmd-get" ]
then
cmd="$( cat "$__object/parameter/cmd-get" )"
elif command -v wget > /dev/null
then
cmd="wget -O - '%s'"
elif command -v curl > /dev/null
then
cmd="curl -L -o - '%s'"
cmd="curl -sSL -o - '%s'"
elif command -v fetch > /dev/null
then
cmd="fetch -o - '%s'"
elif command -v wget > /dev/null
then
cmd="wget -O - '%s'"
else
echo 'no usable locally installed utility for downloading' >&2
echo 'local download failed, no usable utility' >&2
exit 1
fi
printf "$cmd > %s\n" \
"$url" \
"$tmp"
echo "download_tmp=\"\$( mktemp )\""
# shellcheck disable=SC2059
printf "$cmd > \"\$download_tmp\"\n" "$url"
if [ -f "$__object/parameter/sum" ]
then
sum_should="$( cat "$__object/parameter/sum" )"
if [ -f "$__object/parameter/cmd-sum" ]
then
local_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
else
if echo "$sum_should" | grep -Fq ':'
then
sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
else
if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
then
sum_hash='cksum'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
then
sum_hash='md5'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
then
sum_hash='sha1'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
then
sum_hash='sha256'
else
echo 'hash format detection failed' >&2
exit 1
fi
fi
case "$sum_hash" in
cksum)
local_cmd_sum="cksum %s | awk '{print \$1\" \"\$2}'"
;;
md5)
if command -v md5 > /dev/null
then
local_cmd_sum="md5 -q %s"
elif
command -v md5sum > /dev/null
then
local_cmd_sum="md5sum %s | awk '{print \$1}'"
fi
;;
sha1)
if command -v sha1 > /dev/null
then
local_cmd_sum="sha1 -q %s"
elif
command -v sha1sum > /dev/null
then
local_cmd_sum="sha1sum %s | awk '{print \$1}'"
fi
;;
sha256)
if command -v sha256 > /dev/null
then
local_cmd_sum="sha256 -q %s"
elif
command -v sha256sum > /dev/null
then
local_cmd_sum="sha256sum %s | awk '{print \$1}'"
fi
;;
*)
# we arrive here only if --sum is given with unknown format prefix
echo "unknown hash format: $sum_hash" >&2
exit 1
;;
esac
if [ -z "$local_cmd_sum" ]
then
echo 'local checksum verification failed, no usable utility' >&2
exit 1
fi
fi
# shellcheck disable=SC2059
echo "sum_is=\"\$( $( printf "$local_cmd_sum" "\"\$download_tmp\"" ) )\""
echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
echo "echo 'local download checksum mismatch' >&2"
echo "rm -f \"\$download_tmp\""
echo 'exit 1; fi'
fi
if echo "$__target_host" | grep -Eq '^[0-9a-fA-F:]+$'
then
@ -47,12 +146,10 @@ else
target_host="$__target_host"
fi
printf '%s %s %s:%s\n' \
# shellcheck disable=SC2016
printf '%s "$download_tmp" %s:%s\n' \
"$__remote_copy" \
"$tmp" \
"$target_host" \
"$dst"
echo "rm -f '$tmp'"
echo 'downloaded' > "$__messages_out"
echo "rm -f \"\$download_tmp\""

View file

@ -6,17 +6,51 @@ state_is="$( cat "$__object/explorer/state" )"
if [ "$download" = 'remote' ] && [ "$state_is" != 'present' ]
then
cmd="$( cat "$__object/explorer/remote_cmd" )"
cmd_get="$( cat "$__object/explorer/remote_cmd_get" )"
url="$( cat "$__object/parameter/url" )"
dst="/$__object_id"
if [ -f "$__object/parameter/destination" ]
then
dst="$( cat "$__object/parameter/destination" )"
else
dst="/$__object_id"
fi
printf "$cmd > %s\n" \
"$url" \
"$dst"
echo "download_tmp=\"\$( mktemp )\""
echo 'downloaded' > "$__messages_out"
# shellcheck disable=SC2059
printf "$cmd_get > \"\$download_tmp\"\n" "$url"
if [ -f "$__object/parameter/sum" ]
then
sum_should="$( cat "$__object/parameter/sum" )"
if [ -f "$__object/parameter/cmd-sum" ]
then
remote_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
else
remote_cmd_sum="$( cat "$__object/explorer/remote_cmd_sum" )"
if echo "$sum_should" | grep -Fq ':'
then
sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
fi
fi
# shellcheck disable=SC2059
echo "sum_is=\"\$( $( printf "$remote_cmd_sum" "\"\$download_tmp\"" ) )\""
echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
echo "echo 'remote download checksum mismatch' >&2"
echo "rm -f \"\$download_tmp\""
echo 'exit 1; fi'
fi
echo "mv \"\$download_tmp\" '$dst'"
fi
if [ -f "$__object/parameter/onchange" ] && [ "$state_is" != "present" ]

View file

@ -8,10 +8,7 @@ cdist-type__download - Download a file
DESCRIPTION
-----------
Destination (``$__object_id``) in target host must be persistent storage
in order to calculate checksum and decide if file must be (re-)downloaded.
By default type will try to use ``wget``, ``curl`` or ``fetch``.
By default type will try to use ``curl``, ``fetch`` or ``wget``.
If download happens in target (see ``--download``) then type will
fallback to (and install) ``wget``.
@ -19,23 +16,40 @@ If download happens in local machine, then environment variables like
``{http,https,ftp}_proxy`` etc can be used on cdist execution
(``http_proxy=foo cdist config ...``).
To change downloaded file's owner, group or permissions, use ``require='__download/path/to/file' __file ...``.
REQUIRED PARAMETERS
-------------------
url
File's URL.
sum
Checksum of file going to be downloaded.
By default output of ``cksum`` without filename is expected.
Other hash formats supported with prefixes: ``md5:``, ``sha1:`` and ``sha256:``.
OPTIONAL PARAMETERS
-------------------
destination
Downloaded file's destination in target. If unset, ``$__object_id`` is used.
sum
Supported formats: ``cksum`` output without file name, MD5, SHA1 and SHA256.
Type tries to detect hash format with regexes, but prefixes
``cksum:``, ``md5:``, ``sha1:`` and ``sha256:`` are also supported.
Checksum have two purposes - state check and post-download verification.
In state check, if destination checksum mismatches, then content of URL
will be downloaded to temporary file. If downloaded temporary file's
checksum matches, then it will be moved to destination (overwritten).
For local downloads it is expected that usable utilities for checksum
calculation exist in the system.
download
If ``local`` (default), then download file to local storage and copy
it to target host. If ``remote``, then download happens in target.
If ``local`` (default), then file is downloaded to local storage and copied
to target host. If ``remote``, then download happens in target.
For local downloads it is expected that usable utilities for downloading
exist in the system. Type will try to use ``curl``, ``fetch`` or ``wget``.
cmd-get
Command used for downloading.
@ -65,7 +79,7 @@ EXAMPLES
require='__directory/opt/cpma' \
__download /opt/cpma/cnq3.zip \
--url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \
--sum md5:46da3021ca9eace277115ec9106c5b46
--sum 46da3021ca9eace277115ec9106c5b46
require='__download/opt/cpma/cnq3.zip' \
__unpack /opt/cpma/cnq3.zip \
@ -81,7 +95,7 @@ Ander Punnar <ander-at-kvlt-dot-ee>
COPYING
-------
Copyright \(C) 2020 Ander Punnar. You can redistribute it
Copyright \(C) 2021 Ander Punnar. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -1,6 +1,6 @@
#!/bin/sh -e
if grep -Eq '^wget' "$__object/explorer/remote_cmd"
if grep -Eq '^wget' "$__object/explorer/remote_cmd_get"
then
__package wget
fi

View file

@ -1,4 +1,6 @@
cmd-get
cmd-sum
destination
download
onchange
sum

View file

@ -1,2 +1 @@
url
sum

View file

@ -1,7 +1,7 @@
#!/bin/sh -e
#
# 2011-2012 Nico Schottelius (nico-cdist at schottelius.org)
# 2013 Steven Armstrong (steven-cdist armstrong.cc)
# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
#
# This file is part of cdist.
#
@ -72,6 +72,7 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
if [ "$type" != "file" ]; then
# destination is not a regular file, upload source to replace it
upload_file=1
echo upload >> "$__messages_out"
else
local_cksum="$(cksum < "$source")"
remote_cksum="$(cat "$__object/explorer/cksum")"
@ -88,27 +89,39 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
mkdir "$__object/files"
touch "$__object/files/set-attributes"
# upload file to temp location
tempfile_template="${destination}.cdist.XXXXXXXXXX"
cat << DONE
destination_upload="\$($__remote_exec $__target_host "mktemp $tempfile_template")"
DONE
if [ "$upload_file" ]; then
echo upload >> "$__messages_out"
# IPv6 fix
if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
then
my_target_host="[${__target_host}]"
else
my_target_host="${__target_host}"
fi
cat << DONE
$__remote_copy "$source" "${my_target_host}:\$destination_upload"
DONE
if [ "$create_file" ]; then
# When creating an empty file we create it locally and then
# upload it so that permissions can be set before moving the file
# into place.
source="$__object/files/empty"
touch "$source"
fi
# move uploaded file into place
cat << DONE
$__remote_exec $__target_host "rm -rf \"$destination\"; mv \"\$destination_upload\" \"$destination\""
# upload file to temp location
upload_destination="${destination}.cdist.${__cdist_object_marker}.$$"
# Yes, we are aware that this is a race condition.
# However:
# a) cdist usually writes to directories that are not user writable
# (probably > 99.9%)
# b) if they are user owned, the user / attacker always wins
# (probably < 0.1%)
# c) the only case which we could improve are tmp directories and we
# don't think managing tmp directories with cdist is a typical case
# ("the rest %)"
# Tell gencode-remote to where we uploaded the file so it can move
# it to its final destination.
echo "$upload_destination" > "$__object/files/upload-destination"
# IPv6 fix
if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
then
my_target_host="[${__target_host}]"
else
my_target_host="${__target_host}"
fi
cat << DONE
$__remote_copy "$source" "${my_target_host}:${upload_destination}"
DONE
fi
fi

View file

@ -1,7 +1,7 @@
#!/bin/sh -e
#
# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2013 Steven Armstrong (steven-cdist armstrong.cc)
# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
#
# This file is part of cdist.
#
@ -62,6 +62,13 @@ set_mode() {
case "$state_should" in
present|exists)
if [ -f "$__object/files/upload-destination" ]; then
final_destination="$destination"
# We change the 'global' $destination variable here so we can
# change attributes of the new/uploaded file before moving it
# to it's final destination.
destination="$(cat "$__object/files/upload-destination")"
fi
# Note: Mode - needs to happen last as a chown/chgrp can alter mode by
# clearing S_ISUID and S_ISGID bits (see chown(2))
for attribute in group owner mode; do
@ -81,6 +88,11 @@ case "$state_should" in
fi
fi
done
if [ -f "$__object/files/upload-destination" ]; then
# move uploaded file into place
printf 'rm -rf "%s"\n' "$final_destination"
printf 'mv "%s" "%s"\n' "$destination" "$final_destination"
fi
if [ -f "$__object/files/set-attributes" ]; then
# set-attributes is created if file is created or uploaded in gencode-local
fire_onchange=1

View file

@ -27,7 +27,7 @@ else
fi
case "$os" in
alpine|centos|fedora|redhat|suse|gentoo)
alpine|centos|fedora|gentoo|redhat|suse|ubuntu)
if [ ! -x "$(command -v lsblk)" ]; then
echo "lsblk is required for __filesystem type" >&2
exit 1

View file

@ -1,5 +1,24 @@
#!/bin/sh
#!/bin/sh -e
destination="/$__object_id/.git"
destination="/${__object_id:?}/.git"
stat --print "%G" "${destination}" 2>/dev/null || exit 0
# shellcheck disable=SC2012
group_gid=$(ls -ldn "${destination}" | awk '{ print $4 }')
# NOTE: +1 because $((notanum)) prints 0.
if test $((group_gid + 1)) -ge 0
then
group_should=$(cat "${__object:?}/parameter/group")
if expr "${group_should}" : '[0-9]*$' >/dev/null
then
printf '%u\n' "${group_gid}"
else
if command -v getent > /dev/null
then
getent group "${group_gid}" | cut -d : -f 1
else
awk -F: -v gid="${group_gid}" '$3 == gid { print $1 }' /etc/group
fi
fi
fi

View file

@ -1,5 +1,19 @@
#!/bin/sh
#!/bin/sh -e
destination="/$__object_id/.git"
destination="/${__object_id:?}/.git"
stat --print "%U" "${destination}" 2>/dev/null || exit 0
# shellcheck disable=SC2012
owner_uid=$(ls -ldn "${destination}" | awk '{ print $3 }')
# NOTE: +1 because $((notanum)) prints 0.
if test $((owner_uid + 1)) -ge 0
then
owner_should=$(cat "${__object:?}/parameter/owner")
if expr "${owner_should}" : '[0-9]*$' >/dev/null
then
printf '%u\n' "${owner_uid}"
else
printf '%s\n' "$(id -u -n "${owner_uid}")"
fi
fi

View file

@ -15,7 +15,7 @@ case $os in
# Differntation not needed anymore
apt_source_distribution=stable
;;
10*)
10*|11*)
# Differntation not needed anymore
apt_source_distribution=stable
;;

View file

@ -0,0 +1,8 @@
frontend http
bind BIND@:80
mode http
option httplog
default_backend http
backend http
mode http

View file

@ -0,0 +1,10 @@
frontend https
bind BIND@:443
mode tcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend https
backend https
mode tcp

View file

@ -0,0 +1,12 @@
frontend imaps
bind BIND@:143
bind BIND@:993
mode tcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend imaps
backend imaps
mode tcp

View file

@ -0,0 +1,12 @@
frontend smtps
bind BIND@:25
bind BIND@:465
mode tcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend smtps
backend smtps
mode tcp

View file

@ -0,0 +1,121 @@
cdist-type__haproxy_dualstack(7)
================================
NAME
----
cdist-type__haproxy_dualstack - Proxy services from a dual-stack server
DESCRIPTION
-----------
This (singleton) type installs and configures haproxy to act as a dual-stack
proxy for single-stack services.
This can be useful to add IPv4 support to IPv6-only services while only using
one IPv4 for many such services.
By default this type uses the plain TCP proxy mode, which means that there is no
need for TLS termination on this host when SNI is supported.
This also means that proxied services will not receive the client's IP address,
but will see the proxy's IP address instead (that of `$__target_host`).
This can be solved by using the PROXY protocol, but do take into account that,
e.g. nginx cannot serve both regular HTTP(S) and PROXY protocols on the same
port, so you will need to use other ports for that.
As a recommendation in this type: use TCP ports 8080 and 591 respectively to
serve HTTP and HTTPS using the PROXY protocol.
See the EXAMPLES for more details.
OPTIONAL PARAMETERS
-------------------
v4proxy
Proxy incoming IPv4 connections to the equivalent IPv6 endpoint.
In its simplest use, it must be a NAME with an `AAAA` DNS entry, which is
the IP address actually providing the proxied services.
The full format of this argument is:
`[proxy:]NAME[[:PROTOCOL_1=PORT_1]...[:PROTOCOL_N=PORT_N]]`
Where starting with `proxy:` determines that the PROXY protocol must be
used and each `:PROTOCOL=PORT` (e.g. `:http=8080` or `:https=591`) is a PORT
override for the given PROTOCOL (see `--protocol`), if not present the
PROTOCOL's default port will be used.
v6proxy
Proxy incoming IPv6 connections to the equivalent IPv4 endpoint.
In its simplest use, it must be a NAME with an `A` DNS entry, which is
the IP address actually providing the proxied services.
See `--v4proxy` for more options and details.
protocol
Can be passed multiple times or as a space-separated list of protocols.
Currently supported protocols are: `http`, `https`, `imaps`, `smtps`.
This defaults to: `http https imaps smtps`.
EXAMPLES
--------
.. code-block:: sh
# Proxy the IPv6-only services so IPv4-only clients can access them
# This uses HAProxy's TCP mode for http, https, imaps and smtps
__haproxy_dualstack \
--v4proxy ipv6.chat \
--v4proxy matrix.ungleich.ch
# Proxy the IPv6-only HTTP(S) services so IPv4-only clients can access them
# Note this means that the backend IPv6-only server will only see
# the IPv6 address of the haproxy host managed by cdist, which can be
# troublesome if this information is relevant for analytics/security/...
# See the PROXY example below
__haproxy_dualstack \
--protocol http --protocol https \
--v4proxy ipv6.chat \
--v4proxy matrix.ungleich.ch
# Use the PROXY protocol to proxy the IPv6-only HTTP(S) services enabling
# IPv4-only clients to access them while maintaining the client's IP address
__haproxy_dualstack \
--protocol http --protocol https \
--v4proxy proxy:ipv6.chat:http=8080:https=591 \
--v4proxy proxy:matrix.ungleich.ch:http=8080:https=591
# Note however that the PROXY protocol is not compatible with regular
# HTTP(S) protocols, so your nginx will have to listen on different ports
# with the PROXY settings.
# Note that you will need to restrict access to the 8080 port to prevent
# Client IP spoofing.
# This can be something like:
# server {
# # listen for regular HTTP connections
# listen [::]:80 default_server;
# listen 80 default_server;
# # listen for PROXY HTTP connections
# listen [::]:8080 proxy_protocol;
# # Accept the Client's IP from the PROXY protocol
# real_ip_header proxy_protocol;
# }
SEE ALSO
--------
- https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
- https://www.haproxy.com/blog/haproxy/proxy-protocol/
- https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
AUTHORS
-------
ungleich <foss--@--ungleich.ch>
Evilham <cvs--@--evilham.com>
COPYING
-------
Copyright \(C) 2021 ungleich glarus ag. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,155 @@
#!/bin/sh -eu
__package haproxy
require="__package/haproxy" __start_on_boot haproxy
tmpdir="$__object/files"
mkdir "$tmpdir"
configtmp="$__object/files/haproxy.cfg"
os=$(cat "$__global/explorer/os")
case $os in
freebsd)
CONFIG_FILE="/usr/local/etc/haproxy.conf"
cat <<EOF > "$configtmp"
global
maxconn 4000
user nobody
group nogroup
daemon
EOF
;;
*)
CONFIG_FILE="/etc/haproxy/haproxy.cfg"
cat <<EOF > "$configtmp"
global
log [::1] local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
EOF
;;
esac
cat <<EOF >> "$configtmp"
defaults
retries 3
log global
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
EOF
dig_cmd="$(command -v dig || true)"
get_ip() {
# Usage: get_ip (ipv4|ipv6) NAME
# uses "dig" if available, else fallback to "host"
case $1 in
ipv4)
if [ -n "${dig_cmd}" ]; then
${dig_cmd} +short A "$2"
else
host -t A "$2" | cut -d ' ' -f 4 | grep -v 'found:'
fi
;;
ipv6)
if [ -n "${dig_cmd}" ]; then
${dig_cmd} +short AAAA "$2"
else
host -t AAAA "$2" | cut -d ' ' -f 5 | grep -v 'NXDOMAIN'
fi
;;
esac
}
PROTOCOLS="$(cat "$__object/parameter/protocol")"
for proxy in v4proxy v6proxy; do
param=$__object/parameter/$proxy
# no backend? skip generating code
if [ ! -f "$param" ]; then
continue
fi
# turn backend name into bind parameter: v4backend -> ipv4@
bind=$(echo $proxy | sed -e 's/^/ip/' -e 's/proxy//')
case $bind in
ipv4)
backendproto=ipv6
;;
ipv6)
backendproto=ipv4
;;
esac
for proto in ${PROTOCOLS}; do
# Add protocol "header"
printf "\n# %s %s \n" "${bind}" "${proto}" >> "$configtmp"
sed -e "s/BIND/$bind/" \
-e "s/\(frontend[[:space:]].*\)/\1$bind/" \
-e "s/\(backend[[:space:]].*\)/\\1$bind/" \
"$__type/files/$proto" >> "$configtmp"
while read -r hostdefinition; do
if echo "$hostdefinition" | grep -qE '^proxy:'; then
# Proxy protocol was requested
host="$(echo "$hostdefinition" | sed -E 's/^proxy:([^:]+).*$/\1/')"
send_proxy=" send-proxy"
else
# Just use tcp proxy mode
host="$hostdefinition"
send_proxy=""
fi
if echo "$hostdefinition" | grep -qE ":${proto}="; then
# Use custom port definition if requested
port="$(echo "$hostdefinition" | sed -E "s/^(.*:)?${proto}=([0-9]+).*$/:\2/")"
else
# Else use the default
port=""
fi
servername=$host
res=$(get_ip "$bind" "$servername")
if [ -z "$res" ]; then
echo "$servername does not resolve - aborting config" >&2
exit 1
fi
# Treat protocols without TLS+SNI specially
if [ "$proto" = http ]; then
echo " use-server $servername if { hdr(host) -i $host }" >> "$configtmp"
else
echo " use-server $servername if { req_ssl_sni -i $host }" >> "$configtmp"
fi
# Create the "server" itself.
# Note that port and send_proxy will be empty unless
# they were requested by the type user
echo " server $servername ${backendproto}@${host}${port}${send_proxy}" >> "$configtmp"
done < "$param"
done
done
# Create config file
require="__package/haproxy" __file ${CONFIG_FILE} --source "$configtmp" --mode 0644
require="__file${CONFIG_FILE}" __check_messages "haproxy_reload" \
--pattern "^__file${CONFIG_FILE}" \
--execute "service haproxy reload || service haproxy restart"

View file

@ -0,0 +1 @@
http https imaps smtps

View file

@ -0,0 +1,3 @@
protocol
v4proxy
v6proxy

View file

@ -20,26 +20,27 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "$__global/explorer/os")
name_running=$(cat "$__global/explorer/hostname")
has_hostnamectl=$(cat "$__object/explorer/has_hostnamectl")
os=$(cat "${__global:?}/explorer/os")
name_running=$(cat "${__global:?}/explorer/hostname")
has_hostnamectl=$(cat "${__object:?}/explorer/has_hostnamectl")
if test -s "$__object/parameter/name"
if test -s "${__object:?}/parameter/name"
then
name_should=$(cat "$__object/parameter/name")
name_should=$(cat "${__object:?}/parameter/name")
else
case $os
case ${os}
in
# RedHat-derivatives and BSDs
centos|fedora|redhat|scientific|freebsd|macosx|netbsd|openbsd)
(centos|fedora|redhat|scientific|freebsd|macosx|netbsd|openbsd)
# Hostname is FQDN
name_should="${__target_host}"
;;
*)
name_should=${__target_host:?}
;;
(*)
# Hostname is only first component of FQDN
name_should="${__target_host%%.*}"
;;
name_should=${__target_host:?}
name_should=${name_should%%.*}
;;
esac
fi
@ -47,46 +48,46 @@ fi
################################################################################
# Check if the (running) hostname is already correct
#
test "$name_running" != "$name_should" || exit 0
test "${name_running}" != "${name_should}" || exit 0
################################################################################
# Setup hostname
#
echo 'changed' >>"$__messages_out"
echo 'changed' >>"${__messages_out:?}"
# Use the good old way to set the hostname.
case $os
case ${os}
in
alpine|debian|devuan|ubuntu)
(alpine|debian|devuan|ubuntu)
echo 'hostname -F /etc/hostname'
;;
archlinux)
;;
(archlinux)
echo 'command -v hostnamectl >/dev/null 2>&1' \
"&& hostnamectl set-hostname '$name_should'" \
"|| hostname '$name_should'"
;;
centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|gentoo|void)
echo "hostname '$name_should'"
;;
openwrt)
echo "echo '$name_should' >/proc/sys/kernel/hostname"
;;
macosx)
echo "scutil --set HostName '$name_should'"
;;
solaris)
echo "uname -S '$name_should'"
;;
slackware|suse|opensuse-leap)
"&& hostnamectl set-hostname '${name_should}'" \
"|| hostname '${name_should}'"
;;
(centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|gentoo|void)
echo "hostname '${name_should}'"
;;
(openwrt)
echo "echo '${name_should}' >/proc/sys/kernel/hostname"
;;
(macosx)
echo "scutil --set HostName '${name_should}'"
;;
(solaris)
echo "uname -S '${name_should}'"
;;
(slackware|suse)
# We do not read from /etc/HOSTNAME, because the running
# hostname is the first component only while the file contains
# the FQDN.
echo "hostname '$name_should'"
;;
*)
echo "hostname '${name_should}'"
;;
(*)
# Fall back to set the hostname using hostnamectl, if available.
if test -n "$has_hostnamectl"
if test -n "${has_hostnamectl}"
then
# Don't use hostnamectl as the primary means to set the hostname for
# systemd systems, because it cannot be trusted to work reliably and
@ -97,7 +98,8 @@ in
echo "test \"\$(hostname)\" = \"\$(cat /etc/hostname)\"" \
" || hostname -F /etc/hostname"
else
printf "echo 'Unsupported OS: %s' >&2\nexit 1\n" "$os"
printf "echo 'Unsupported OS: %s' >&2\n" "${os}"
printf 'exit 1\n'
fi
;;
;;
esac

View file

@ -20,69 +20,49 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
not_supported() {
echo "Your operating system ($os) is currently not supported by this type (${__type##*/})." >&2
echo "Please contribute an implementation for it if you can." >&2
exit 1
}
set_hostname_systemd() {
echo "$1" | __file /etc/hostname --source -
}
os=$(cat "$__global/explorer/os")
os_version=$(cat "$__global/explorer/os_version")
os_major=$(echo "$os_version" | grep -o '^[0-9][0-9]*' || true)
os=$(cat "${__global:?}/explorer/os")
max_len=$(cat "$__object/explorer/max_len")
has_hostnamectl=$(cat "$__object/explorer/has_hostnamectl")
max_len=$(cat "${__object:?}/explorer/max_len")
has_hostnamectl=$(cat "${__object:?}/explorer/has_hostnamectl")
if test -s "$__object/parameter/name"
if test -s "${__object:?}/parameter/name"
then
name_should=$(cat "$__object/parameter/name")
name_should=$(cat "${__object:?}/parameter/name")
else
case $os
case ${os}
in
# RedHat-derivatives and BSDs
centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|slackware)
(centos|fedora|redhat|scientific|freebsd|netbsd|openbsd|slackware|suse)
# Hostname is FQDN
name_should="${__target_host}"
;;
suse|opensuse-leap)
# Classic SuSE stores the FQDN in /etc/HOSTNAME, while
# systemd does not. The running hostname is the first
# component in both cases.
# In versions before 15.x, the FQDN is stored in /etc/hostname.
if test -n "$has_hostnamectl" && test "$os_major" -ge 15 \
&& test "$os_major" -ne 42
then
name_should="${__target_host%%.*}"
else
name_should="${__target_host}"
fi
;;
name_should=${__target_host:?}
;;
*)
# Hostname is only first component of FQDN on all other systems.
name_should="${__target_host%%.*}"
;;
name_should=${__target_host:?}
name_should=${name_should%%.*}
;;
esac
fi
if test -n "$max_len" && test "$(printf '%s' "$name_should" | wc -c)" -gt "$max_len"
if test -n "${max_len}" && test "$(printf '%s' "${name_should}" | wc -c)" -gt "${max_len}"
then
printf "Host name too long. Up to %u characters allowed.\n" "${max_len}" >&2
exit 1
fi
case $os
case ${os}
in
alpine|debian|devuan|ubuntu|void)
echo "$name_should" | __file /etc/hostname --source -
;;
archlinux)
if test -n "$has_hostnamectl"
(alpine|debian|devuan|ubuntu|void)
echo "${name_should}" | __file /etc/hostname --source -
;;
(archlinux)
if test -n "${has_hostnamectl}"
then
set_hostname_systemd "$name_should"
set_hostname_systemd "${name_should}"
else
echo 'Ancient ArchLinux variants without hostnamectl are not supported.' >&2
exit 1
@ -97,8 +77,8 @@ in
# --value "\"$name_should\""
fi
;;
centos|fedora|redhat|scientific)
if test -z "$has_hostnamectl"
(centos|fedora|redhat|scientific)
if test -z "${has_hostnamectl}"
then
# Only write to /etc/sysconfig/network on non-systemd versions.
# On systemd-based versions this entry is ignored.
@ -106,63 +86,83 @@ in
--file /etc/sysconfig/network \
--delimiter '=' --exact_delimiter \
--key HOSTNAME \
--value "\"$name_should\""
--value "\"${name_should}\""
else
set_hostname_systemd "$name_should"
set_hostname_systemd "${name_should}"
fi
;;
gentoo)
;;
(gentoo)
# Only write to /etc/conf.d/hostname on OpenRC-based installations.
# On systemd use hostnamectl(1) in gencode-remote.
if test -z "$has_hostnamectl"
if test -z "${has_hostnamectl}"
then
__key_value '/etc/conf.d/hostname:hostname' \
--file /etc/conf.d/hostname \
--delimiter '=' --exact_delimiter \
--key 'hostname' \
--value "\"$name_should\""
--value "\"${name_should}\""
else
set_hostname_systemd "$name_should"
fi
;;
freebsd)
;;
(freebsd)
__key_value '/etc/rc.conf:hostname' \
--file /etc/rc.conf \
--delimiter '=' --exact_delimiter \
--key 'hostname' \
--value "\"$name_should\""
;;
macosx)
--value "\"${name_should}\""
;;
(macosx)
# handled in gencode-remote
:
;;
netbsd)
;;
(netbsd)
__key_value '/etc/rc.conf:hostname' \
--file /etc/rc.conf \
--delimiter '=' --exact_delimiter \
--key 'hostname' \
--value "\"$name_should\""
--value "\"${name_should}\""
# To avoid confusion, ensure that the hostname is only stored once.
__file /etc/myname --state absent
;;
openbsd)
echo "$name_should" | __file /etc/myname --source -
;;
openwrt)
__uci system.@system[0].hostname --value "$name_should"
;;
(openbsd)
echo "${name_should}" | __file /etc/myname --source -
;;
(openwrt)
__uci system.@system[0].hostname --value "${name_should}"
# --transaction hostname
;;
slackware)
;;
(slackware)
# We write the FQDN into /etc/HOSTNAME. But /etc/rc.d/rc.M will only
# read the first component from this file and set it as the running
# hostname on boot.
echo "$name_should" | __file /etc/HOSTNAME --source -
;;
solaris)
echo "$name_should" | __file /etc/nodename --source -
;;
suse|opensuse-leap)
echo "${name_should}" | __file /etc/HOSTNAME --source -
;;
(solaris)
echo "${name_should}" | __file /etc/nodename --source -
;;
(suse)
if test -s "${__global:?}/explorer/os_release"
then
# shellcheck source=/dev/null
os_version=$(. "${__global:?}/explorer/os_release" && echo "${VERSION}")
else
os_version=$(sed -n 's/^VERSION\ *=\ *//p' "${__global:?}/explorer/os_version")
fi
os_major=$(expr "${os_version}" : '\([0-9]\{1,\}\)')
# Classic SuSE stores the FQDN in /etc/HOSTNAME, while
# systemd does not. The running hostname is the first
# component in both cases.
# In versions before 15.x, the FQDN is stored in /etc/hostname.
if test -n "${has_hostnamectl}" \
&& test "${os_major}" -ge 15 \
&& test "${os_major}" -ne 42
then
# strip away everything but the first part from $name_should
name_should=${name_should%%.*}
fi
# Modern SuSE provides /etc/HOSTNAME as a symlink for
# backwards-compatibility. Unfortunately it cannot be used
# here as __file does not follow the symlink.
@ -171,23 +171,25 @@ in
# not work correctly on openSUSE 12.x which provides
# hostnamectl but not /etc/hostname.
if test -n "$has_hostnamectl" -a "$os_major" -gt 12
if test -n "${has_hostnamectl}" -a "${os_major}" -gt 12
then
hostname_file='/etc/hostname'
hostname_file=/etc/hostname
else
hostname_file='/etc/HOSTNAME'
hostname_file=/etc/HOSTNAME
fi
echo "$name_should" | __file "$hostname_file" --source -
;;
*)
echo "${name_should}" | __file "${hostname_file}" --source -
;;
(*)
# On other operating systems we fall back to systemd's
# hostnamectl if available…
if test -n "$has_hostnamectl"
if test -n "${has_hostnamectl}"
then
set_hostname_systemd "$name_should"
set_hostname_systemd "${name_should}"
else
not_supported
echo "Your operating system (${os}) is currently not supported by this type (${__type##*/})." >&2
echo "Please contribute an implementation for it if you can." >&2
exit 1
fi
;;
;;
esac

View file

@ -1,7 +1,4 @@
#!/bin/sh
# Nico Schottelius
# Zürisee, Mon Sep 2 18:38:27 CEST 2013
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $local_fs $remote_fs
@ -14,34 +11,72 @@
# and saves/restores previous status
### END INIT INFO
# Originally written by:
# Nico Schottelius
# Zürisee, Mon Sep 2 18:38:27 CEST 2013
#
# 2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is distributed with cdist and licenced under the
# GNU GPLv3+ WITHOUT ANY WARRANTY.
# Read files and execute the content with the given commands
#
# Arguments:
# 1: Directory
# 2..n: Commands which should be used to execute the file content
gothrough() {
cd "$1" || return
shift
# iterate through all rules and continue if it's not a file
for rule in *; do
[ -f "$rule" ] || continue
echo "Appling iptables rule $rule ..."
# execute it with all commands specificed
ruleparam="$(cat "$rule")"
for cmd in "$@"; do
# Command and Rule should be split.
# shellcheck disable=SC2046
command $cmd $ruleparam
done
done
}
# Shortcut for iptables command to do IPv4 and v6
# only applies to the "reset" target
iptables() {
command iptables "$@"
command ip6tables "$@"
}
basedir=/etc/iptables.d
status="${basedir}/.pre-start"
status4="${basedir}/.pre-start"
status6="${basedir}/.pre-start6"
case $1 in
start)
# Save status
iptables-save > "$status"
iptables-save > "$status4"
ip6tables-save > "$status6"
# Apply our ruleset
cd "$basedir" || exit
count="$(find . ! -name . -prune | wc -l)"
# Only do something if there are rules
if [ "$count" -ge 1 ]; then
for rule in *; do
echo "Applying iptables rule $rule ..."
# Rule should be split.
# shellcheck disable=SC2046
iptables $(cat "$rule")
done
fi
gothrough "$basedir" iptables
#gothrough "$basedir/v4" iptables # conflicts with $basedir
gothrough "$basedir/v6" ip6tables
gothrough "$basedir/all" iptables ip6tables
;;
stop)
# Restore from status before, if there is something to restore
if [ -f "$status" ]; then
iptables-restore < "$status"
if [ -f "$status4" ]; then
iptables-restore < "$status4"
fi
if [ -f "$status6" ]; then
ip6tables-restore < "$status6"
fi
;;
restart)

View file

@ -10,7 +10,24 @@ DESCRIPTION
-----------
This cdist type deploys an init script that triggers
the configured rules and also re-applies them on
configuration.
configuration. Rules are written from __iptables_rule
into the folder ``/etc/iptables.d/``.
It reads all rules from the base folder as rules for IPv4.
Rules in the subfolder ``v6/`` are IPv6 rules. Rules in
the subfolder ``all/`` are applied to both rule tables. All
files contain the arguments for a single ``iptables`` and/or
``ip6tables`` command.
Rules are applied in the following order:
1. All IPv4 rules
2. All IPv6 rules
2. All rules that should be applied to both tables
The order of the rules that will be applied are definite
from the result the shell glob returns, which should be
alphabetical. If rules must be applied in a special order,
prefix them with a number like ``02-some-rule``.
REQUIRED PARAMETERS
@ -24,7 +41,7 @@ None
EXAMPLES
--------
None (__iptables_apply is used by __iptables_rule)
None (__iptables_apply is used by __iptables_rule automatically)
SEE ALSO
@ -35,11 +52,13 @@ SEE ALSO
AUTHORS
-------
Nico Schottelius <nico-cdist--@--schottelius.org>
Matthias Stecher <matthiasstecher--@--gmx.de>
COPYING
-------
Copyright \(C) 2013 Nico Schottelius. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
Copyright \(C) 2013 Nico Schottelius.
Copyright \(C) 2020 Matthias Stecher.
You can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later version.

View file

@ -11,6 +11,10 @@ DESCRIPTION
This cdist type allows you to manage iptable rules
in a distribution independent manner.
See :strong:`cdist-type__iptables_apply`\ (7) for the
execution order of these rules. It will be executed
automaticly to apply all rules non-volaite.
REQUIRED PARAMETERS
-------------------
@ -25,6 +29,24 @@ state
'present' or 'absent', defaults to 'present'
BOOLEAN PARAMETERS
------------------
All rules without any of these parameters will be treated like ``--v4`` because
of backward compatibility.
v4
Explicitly set it as rule for IPv4. If IPv6 is set, too, it will be
threaten like ``--all``. Will be the default if nothing else is set.
v6
Explicitly set it as rule for IPv6. If IPv4 is set, too, it will be
threaten like ``--all``.
all
Set the rule for both IPv4 and IPv6. It will be saved separately from the
other rules.
EXAMPLES
--------
@ -48,6 +70,16 @@ EXAMPLES
--state absent
# IPv4-only rule for ICMPv4
__iptables_rule icmp-v4 --v4 --rule "-A INPUT -p icmp -j ACCEPT"
# IPv6-only rule for ICMPv6
__iptables_rule icmp-v6 --v6 --rule "-A INPUT -p icmpv6 -j ACCEPT"
# doing something for the dual stack
__iptables_rule fwd-eth0-eth1 --v4 --v6 --rule "-A INPUT -i eth0 -o eth1 -j ACCEPT"
__iptables_rule fwd-eth1-eth0 --all --rule "-A -o eth1 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
SEE ALSO
--------
:strong:`cdist-type__iptables_apply`\ (7), :strong:`iptables`\ (8)
@ -56,11 +88,13 @@ SEE ALSO
AUTHORS
-------
Nico Schottelius <nico-cdist--@--schottelius.org>
Matthias Stecher <matthiasstecher--@--gmx.de>
COPYING
-------
Copyright \(C) 2013 Nico Schottelius. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
Copyright \(C) 2013 Nico Schottelius.
Copyright \(C) 2020 Matthias Stecher.
You can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later version.

View file

@ -1,6 +1,7 @@
#!/bin/sh -e
#
# 2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
@ -24,12 +25,36 @@ base_dir=/etc/iptables.d
name="$__object_id"
state="$(cat "$__object/parameter/state")"
if [ -f "$__object/parameter/v4" ]; then
only_v4="yes"
# $specific_dir is $base_dir
fi
if [ -f "$__object/parameter/v6" ]; then
only_v6="yes"
specific_dir="$base_dir/v6"
fi
# If rules should be set for both protocols
if { [ "$only_v4" = "yes" ] && [ "$only_v6" = "yes" ]; } ||
[ -f "$__object/parameter/all" ]; then
# all to a specific directory
specific_dir="$base_dir/all"
fi
# set rule directory based on if it's the base or subdirectory
rule_dir="${specific_dir:-$base_dir}"
################################################################################
# Basic setup
#
__directory "$base_dir" --state present
# sub-directory if required
if [ "$specific_dir" ]; then
require="__directory/$base_dir" __directory "$specific_dir" --state present
fi
# Have apply do the real job
require="$__object_name" __iptables_apply
@ -37,6 +62,15 @@ require="$__object_name" __iptables_apply
# The rule
#
require="__directory/$base_dir" __file "$base_dir/${name}" \
--source "$__object/parameter/rule" \
--state "$state"
for dir in "$base_dir" "$base_dir/v6" "$base_dir/all"; do
# defaults to absent except the directory that should contain the file
if [ "$rule_dir" = "$dir" ]; then
curr_state="$state"
else
curr_state="absent"
fi
require="__directory/$rule_dir" __file "$dir/$name" \
--source "$__object/parameter/rule" \
--state "$curr_state"
done

View file

@ -0,0 +1,3 @@
all
v4
v6

View file

@ -1,3 +0,0 @@
#!/bin/sh -e
command -v certbot 2>/dev/null || true

View file

@ -0,0 +1,78 @@
#!/bin/sh -e
certbot_path="$(command -v certbot 2>/dev/null || true)"
# Defaults
certificate_exists="no"
certificate_is_test="no"
if [ -n "${certbot_path}" ]; then
# Find python executable that has access to certbot's module
python_path=$(sed -n '1s/^#! *//p' "${certbot_path}")
# Use a lock for cdist due to certbot not exiting with failure
# or having any flags for concurrent use.
_certbot() {
${python_path} - 2>/dev/null <<EOF
from certbot.main import main
import fcntl
lock_file = "/tmp/certbot.cdist.lock"
timeout=60
with open(lock_file, 'w') as fd:
for i in range(timeout):
try:
# Get exclusive lock
fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
break
except:
# Wait if that fails
import time
time.sleep(1)
else:
# Timed out, exit with failure
import sys
sys.exit(1)
# Do list certificates
main(["certificates", "--cert-name", "${__object_id:?}"])
EOF
}
_certificate_exists() {
if grep -q " Certificate Name: ${__object_id:?}$"; then
echo yes
else
echo no
fi
}
_certificate_is_test() {
if grep -q 'INVALID: TEST_CERT'; then
echo yes
else
echo no
fi
}
_certificate_domains() {
grep ' Domains: ' | cut -d ' ' -f 6- | tr ' ' '\n'
}
# Get data about all available certificates
certificates="$(_certbot)"
# Check whether or not the certificate exists
certificate_exists="$(echo "${certificates}" | _certificate_exists)"
# Check whether or not the certificate is for testing
certificate_is_test="$(echo "${certificates}" | _certificate_is_test)"
# Get domains for certificate
certificate_domains="$(echo "${certificates}" | _certificate_domains)"
fi
# Return received data
cat <<EOF
certbot_path:${certbot_path}
certificate_exists:${certificate_exists}
certificate_is_test:${certificate_is_test}
${certificate_domains}
EOF

View file

@ -1,8 +0,0 @@
#!/bin/sh -e
certbot_path=$("${__type_explorer}/certbot-path")
if [ -n "${certbot_path}" ]
then
certbot certificates --cert-name "${__object_id:?}" | grep ' Domains: ' | \
cut -d ' ' -f 6- | tr ' ' '\n'
fi

View file

@ -1,13 +0,0 @@
#!/bin/sh -e
certbot_path=$("${__type_explorer}/certbot-path")
if [ -n "${certbot_path}" ]
then
if certbot certificates | grep -q " Certificate Name: ${__object_id:?}$"; then
echo yes
else
echo no
fi
else
echo no
fi

View file

@ -1,14 +0,0 @@
#!/bin/sh -e
certbot_path=$("${__type_explorer}/certbot-path")
if [ -n "${certbot_path}" ]
then
if certbot certificates --cert-name "${__object_id:?}" | \
grep -q 'INVALID: TEST_CERT'; then
echo yes
else
echo no
fi
else
echo no
fi

View file

@ -0,0 +1,84 @@
#!/bin/sh -e
# It is expected that this defines hook_contents
# Reasonable defaults
hook_source="${__object}/parameter/${hook}-hook"
hook_state="absent"
hook_contents_head="#!/bin/sh -e"
hook_contents_logic=""
hook_contents_tail=""
# Backwards compatibility
# Remove this when renew-hook is removed
# Falling back to renew-hook if deploy-hook is not passed
if [ "${hook}" = "deploy" ] && [ ! -f "${hook_source}" ]; then
hook_source="${__object}/parameter/renew-hook"
fi
if [ "${state}" = "present" ] && \
[ -f "${hook_source}" ]; then
# This hook is to be installed, let's generate it with some
# safety boilerplate
# Since certbot runs all hooks for all renewal processes
# (at each state for deploy, pre, post), it is up to us to
# differentiate whether or not the hook must run
hook_state="present"
hook_contents_head="$(cat <<EOF
#!/bin/sh -e
#
# Managed remotely with https://cdi.st
#
# Domains for which this hook is supposed to apply
lineage="${LE_DIR}/live/${__object_id}"
domains="\$(cat <<eof
${domains}
eof
)"
EOF
)"
case "${hook}" in
pre|post)
# Certbot is kind of terrible, we have
# no way of knowing what domain/lineage the
# hook is running for
hook_contents_logic="$(cat <<EOF
# pre/post-hooks apply always due to a certbot limitation
APPLY_HOOK="YES"
EOF
)"
;;
deploy)
hook_contents_logic="$(cat <<EOF
# certbot defines these environment variables:
# RENEWED_DOMAINS="DOMAIN1 DOMAIN2"
# RENEWED_LINEAGE="/etc/letsencrypt/live/__object_id"
# It feels more stable to use RENEWED_LINEAGE
if [ "\${lineage}" = "\${RENEWED_LINEAGE}" ]; then
APPLY_HOOK="YES"
fi
EOF
)"
;;
*)
echo "Unknown hook '${hook}'" >> /dev/stderr
exit 1
;;
esac
hook_contents_tail="$(cat <<EOF
if [ -n "\${APPLY_HOOK}" ]; then
# Messing with indentation can eff up the users' scripts, let's not
$(cat "${hook_source}")
fi
EOF
)"
fi
hook_contents="$(cat <<EOF
${hook_contents_head}
${hook_contents_logic}
${hook_contents_tail}
EOF
)"

View file

@ -1,6 +1,10 @@
#!/bin/sh -e
certificate_exists=$(cat "${__object:?}/explorer/certificate-exists")
_explorer_var() {
grep "^$1:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-
}
certificate_exists="$(_explorer_var certificate_exists)"
name="${__object_id:?}"
state=$(cat "${__object}/parameter/state")
@ -29,8 +33,9 @@ case "${state}" in
fi
if [ "${certificate_exists}" = "yes" ]; then
existing_domains="${__object}/explorer/certificate-domains"
certificate_is_test=$(cat "${__object}/explorer/certificate-is-test")
existing_domains=$(mktemp "${TMPDIR:-/tmp}/existing_domains.cdist.XXXXXXXXXX")
tail -n +4 "${__object:?}/explorer/certificate-data" | grep -v '^$' > "${existing_domains}"
certificate_is_test="$(_explorer_var certificate_is_test)"
sort -uo "${requested_domains}" "${requested_domains}"
sort -uo "${existing_domains}" "${existing_domains}"

View file

@ -1,16 +1,33 @@
cdist-type__letsencrypt_cert(7)
===============================
NAME
----
cdist-type__letsencrypt_cert - Get an SSL certificate from Let's Encrypt
DESCRIPTION
-----------
Automatically obtain a Let's Encrypt SSL certificate using Certbot.
This type attempts to setup automatic renewals always. In many Linux
distributions, that is the case out of the box, see:
https://certbot.eff.org/docs/using.html#automated-renewals
For Alpine Linux and Arch Linux, we setup a system-wide cronjob that
attempts to renew certificates daily.
If you are using FreeBSD, we configure periodic(8) as recommended by
the port mantainer, so there will be a weekly attempt at renewal.
If your OS is not mentioned here or on Certbot's docs as having
support for automated renewals, please make sure you check your OS
and possibly patch this type so the system-wide cronjob is installed.
REQUIRED PARAMETERS
-------------------
@ -21,6 +38,7 @@ object id
admin-email
Where to send Let's Encrypt emails like "certificate needs renewal".
OPTIONAL PARAMETERS
-------------------
@ -36,25 +54,68 @@ webroot
The path to your webroot, as set up in your webserver config. If this
parameter is not present, Certbot will be run in standalone mode.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
renew-hook
Renew hook command directly passed to Certbot in cron job.
domain
Domains to be included in the certificate. When specified then object id
is not used as a domain.
deploy-hook
Command to be executed only when the certificate associated with this
``$__object_id`` is issued or renewed.
You can specify it multiple times, but any failure will prevent further
commands from being executed.
For this command, the
shell variable ``$RENEWED_LINEAGE`` will point to the
config live subdirectory (for example,
``/etc/letsencrypt/live/${__object_id}``) containing the
new certificates and keys; the shell variable
``$RENEWED_DOMAINS`` will contain a space-delimited list
of renewed certificate domains (for example,
``example.com www.example.com``)
pre-hook
Command to be run in a shell before obtaining any
certificates.
You can specify it multiple times, but any failure will prevent further
commands from being executed.
Note these run regardless of which certificate is attempted, you may want to
manage these system-wide hooks with ``__file`` in
``/etc/letsencrypt/renewal-hooks/pre/``.
Intended primarily for renewal, where it
can be used to temporarily shut down a webserver that
might conflict with the standalone plugin. This will
only be called if a certificate is actually to be
obtained/renewed.
post-hook
Command to be run in a shell after attempting to
obtain/renew certificates.
You can specify it multiple times, but any failure will prevent further
commands from being executed.
Note these run regardless of which certificate was attempted, you may want to
manage these system-wide hooks with ``__file`` in
``/etc/letsencrypt/renewal-hooks/post/``.
Can be used to deploy
renewed certificates, or to restart any servers that
were stopped by --pre-hook. This is only run if an
attempt was made to obtain/renew a certificate.
BOOLEAN PARAMETERS
------------------
automatic-renewal
Install a cron job, which attempts to renew certificates daily.
staging
Obtain a test certificate from a staging server.
MESSAGES
--------
@ -67,6 +128,7 @@ create
remove
Certificate was removed.
EXAMPLES
--------
@ -75,8 +137,7 @@ EXAMPLES
# use object id as domain
__letsencrypt_cert example.com \
--admin-email root@example.com \
--automatic-renewal \
--renew-hook "service nginx reload" \
--deploy-hook "service nginx reload" \
--webroot /data/letsencrypt/root
.. code-block:: sh
@ -85,11 +146,10 @@ EXAMPLES
# and example.com needs to be included again with domain parameter
__letsencrypt_cert example.com \
--admin-email root@example.com \
--automatic-renewal \
--domain example.com \
--domain foo.example.com \
--domain bar.example.com \
--renew-hook "service nginx reload" \
--deploy-hook "service nginx reload" \
--webroot /data/letsencrypt/root
AUTHORS
@ -99,11 +159,13 @@ AUTHORS
| Kamila Součková <kamila--@--ksp.sk>
| Darko Poljak <darko.poljak--@--gmail.com>
| Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
| Evilham <contact@evilham.com>
COPYING
-------
Copyright \(C) 2017-2018 Nico Schottelius, Kamila Součková, Darko Poljak and
Copyright \(C) 2017-2021 Nico Schottelius, Kamila Součková, Darko Poljak and
Ľubomír Kučera. You can redistribute it and/or modify it under the terms of
the GNU General Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later version.

106
cdist/conf/type/__letsencrypt_cert/manifest Executable file → Normal file
View file

@ -1,18 +1,20 @@
#!/bin/sh
certbot_fullpath="$(cat "${__object:?}/explorer/certbot-path")"
certbot_fullpath="$(grep "^certbot_path:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-)"
state=$(cat "${__object}/parameter/state")
os="$(cat "${__global:?}/explorer/os")"
if [ -z "${certbot_fullpath}" ]; then
os="$(cat "${__global:?}/explorer/os")"
os_version="$(cat "${__global}/explorer/os_version")"
# Use this, very common value, as a default. It is OS-dependent
certbot_fullpath="/usr/bin/certbot"
case "$os" in
archlinux)
__package certbot
;;
alpine)
__package certbot
;;
archlinux)
__package certbot
;;
alpine)
__package certbot
;;
debian)
case "$os_version" in
8*)
@ -39,7 +41,7 @@ if [ -z "${certbot_fullpath}" ]; then
require="__apt_source/stretch-backports" __package_apt certbot \
--target-release stretch-backports
;;
10*)
10*|11*)
__package_apt certbot
;;
@ -48,9 +50,7 @@ if [ -z "${certbot_fullpath}" ]; then
exit 1
;;
esac
certbot_fullpath=/usr/bin/certbot
;;
;;
devuan)
case "$os_version" in
jessie)
@ -83,17 +83,14 @@ if [ -z "${certbot_fullpath}" ]; then
exit 1
;;
esac
certbot_fullpath=/usr/bin/certbot
;;
freebsd)
__package py27-certbot
certbot_fullpath=/usr/local/bin/certbot
__package py39-certbot
certbot_fullpath="/usr/local/bin/certbot"
;;
ubuntu)
__package certbot
;;
__package certbot
;;
*)
echo "Unsupported os: $os" >&2
exit 1
@ -101,18 +98,61 @@ if [ -z "${certbot_fullpath}" ]; then
esac
fi
if [ -f "${__object}/parameter/automatic-renewal" ]; then
renew_hook_param="${__object}/parameter/renew-hook"
renew_hook=""
if [ -f "${renew_hook_param}" ]; then
while read -r hook; do
renew_hook="${renew_hook} --renew-hook \"${hook}\""
done < "${renew_hook_param}"
fi
# Other OS-dependent values that we want to set every time
LE_DIR="/etc/letsencrypt"
certbot_cronjob_state="absent"
case "$os" in
archlinux|alpine)
certbot_cronjob_state="present"
;;
freebsd)
LE_DIR="/usr/local/etc/letsencrypt"
# FreeBSD uses periodic(8) instead of crontabs for this
__line "periodic.conf_weekly_certbot" \
--file "/etc/periodic.conf" \
--regex "^(#[[:space:]]*)?weekly_certbot_enable=.*" \
--state "replace" \
--line 'weekly_certbot_enable="YES"'
;;
*)
;;
esac
__cron letsencrypt-certbot \
--user root \
--command "${certbot_fullpath} renew -q ${renew_hook}" \
--hour 0 \
--minute 47
# This is only necessary in certain OS
__cron letsencrypt-certbot \
--user root \
--command "${certbot_fullpath} renew -q" \
--hour 0 \
--minute 47 \
--state "${certbot_cronjob_state}"
# Ensure hook directories
HOOKS_DIR="${LE_DIR}/renewal-hooks"
__directory "${LE_DIR}" --mode 0755
require="__directory/${LE_DIR}" __directory "${HOOKS_DIR}" --mode 0755
if [ -f "${__object}/parameter/domain" ]; then
domains="$(sort "${__object}/parameter/domain")"
else
domains="${__object_id}"
fi
# Install hooks as needed
for hook in deploy pre post; do
# Using something unique and specific to this object
hook_file="${HOOKS_DIR}/${hook}/${__object_id}.cdist.sh"
# This defines hook_contents
# shellcheck source=cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh
. "${__type}/files/gen_hook.sh"
# Ensure hook directory exists
require="__directory/${HOOKS_DIR}" __directory "${HOOKS_DIR}/${hook}" \
--mode 0755
require="__directory/${HOOKS_DIR}/${hook}" __file "${hook_file}" \
--mode 0555 \
--source '-' \
--state "${hook_state}" <<EOF
${hook_contents}
EOF
done

View file

@ -0,0 +1,2 @@
Deprecated in favour of consistent behaviour. It has no effect, see:
https://code.ungleich.ch/ungleich-public/cdist/-/issues/853

Some files were not shown because too many files have changed in this diff Show more