Compare commits

..

No commits in common. "master" and "bugfix/preos-debug" have entirely different histories.

190 changed files with 1248 additions and 5293 deletions

View file

@ -35,9 +35,9 @@ DOCS_SRC_DIR=./docs/src
SPEECHDIR=./docs/speeches SPEECHDIR=./docs/speeches
TYPEDIR=./cdist/conf/type TYPEDIR=./cdist/conf/type
SPHINXM=$(MAKE) -C $(DOCS_SRC_DIR) man SPHINXM=make -C $(DOCS_SRC_DIR) man
SPHINXH=$(MAKE) -C $(DOCS_SRC_DIR) html SPHINXH=make -C $(DOCS_SRC_DIR) html
SPHINXC=$(MAKE) -C $(DOCS_SRC_DIR) clean SPHINXC=make -C $(DOCS_SRC_DIR) clean
################################################################################ ################################################################################
# Manpages # Manpages

View file

@ -24,8 +24,8 @@ For community-maintained types there is
## Participating ## Participating
IRC: ``#cdist`` @ [libera](https://libera.chat) IRC: ``#cdist`` @ freenode
Matrix: ``#cdist:ungleich.ch`` Matrix: ``#cdist:ungleich.ch``
Matrix and IRC are bridged. Mattermost: https://chat.ungleich.ch/ungleich/channels/cdist

View file

@ -72,11 +72,9 @@ def commandline():
if __name__ == "__main__": if __name__ == "__main__":
if sys.version_info[:3] < cdist.MIN_SUPPORTED_PYTHON_VERSION: if sys.version < cdist.MIN_SUPPORTED_PYTHON_VERSION:
print( print('Python >= {} is required on the source host.'.format(
'Python >= {} is required on the source host.'.format( cdist.MIN_SUPPORTED_PYTHON_VERSIO), file=sys.stderr)
".".join(map(str, cdist.MIN_SUPPORTED_PYTHON_VERSION))),
file=sys.stderr)
sys.exit(1) sys.exit(1)
exit_code = 0 exit_code = 0

View file

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# 2011-2022 Nico Schottelius (nico-cdist at schottelius.org) # 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2016-2019 Darko Poljak (darko.poljak at gmail.com) # 2016-2019 Darko Poljak (darko.poljak at gmail.com)
# #
# This file is part of cdist. # This file is part of cdist.
@ -534,8 +534,7 @@ eof
;; ;;
version) version)
target_version="$(git describe | sed 's/-/.dev/; s/-/+/g')" printf "VERSION = \"%s\"\n" "$(git describe)" > cdist/version.py
printf "VERSION = \"%s\"\n" "${target_version}" > cdist/version.py
;; ;;
target-version) target-version)

View file

@ -64,7 +64,7 @@ REMOTE_EXEC = "ssh -o User=root"
REMOTE_CMDS_CLEANUP_PATTERN = "ssh -o User=root -O exit -S {}" REMOTE_CMDS_CLEANUP_PATTERN = "ssh -o User=root -O exit -S {}"
MIN_SUPPORTED_PYTHON_VERSION = (3, 5) MIN_SUPPORTED_PYTHON_VERSION = '3.5'
class Error(Exception): class Error(Exception):

View file

@ -472,6 +472,9 @@ def get_parsers():
parser['info'].set_defaults(func=cdist.info.Info.commandline) parser['info'].set_defaults(func=cdist.info.Info.commandline)
# Scan = config + further # Scan = config + further
parser['scan'] = parser['sub'].add_parser('scan', add_help=False,
parents=[parser['config']])
parser['scan'] = parser['sub'].add_parser( parser['scan'] = parser['sub'].add_parser(
'scan', parents=[parser['loglevel'], 'scan', parents=[parser['loglevel'],
parser['beta'], parser['beta'],
@ -482,31 +485,19 @@ def get_parsers():
parser['scan'].add_argument( parser['scan'].add_argument(
'-m', '--mode', help='Which modes should run', '-m', '--mode', help='Which modes should run',
action='append', default=[], action='append', default=[],
choices=['scan', 'trigger', 'config']) choices=['scan', 'trigger'])
parser['scan'].add_argument(
'--list',
action='store_true',
help='List the known hosts and exit')
parser['scan'].add_argument( parser['scan'].add_argument(
'--config', '--config',
action='store_true', action='store_true',
help='Try to configure detected hosts') help='Try to configure detected hosts')
parser['scan'].add_argument( parser['scan'].add_argument(
'-I', '--interface', '-I', '--interfaces',
action='append', default=[], required=True, action='append', default=[],
help='On which interfaces to scan/trigger') help='On which interfaces to scan/trigger')
parser['scan'].add_argument( parser['scan'].add_argument(
'--name-mapper', '-d', '--delay',
action='store', default=None, action='store', default=3600,
help='Map addresses to names, required for config mode') help='How long to wait before reconfiguring after last try')
parser['scan'].add_argument(
'-d', '--config-delay',
action='store', default=3600, type=int,
help='How long (seconds) to wait before reconfiguring after last try')
parser['scan'].add_argument(
'-t', '--trigger-delay',
action='store', default=5, type=int,
help='How long (seconds) to wait between ICMPv6 echo requests')
parser['scan'].set_defaults(func=cdist.scan.commandline.commandline) parser['scan'].set_defaults(func=cdist.scan.commandline.commandline)
for p in parser: for p in parser:
@ -542,10 +533,10 @@ def parse_and_configure(argv, singleton=True):
log = logging.getLogger("cdist") log = logging.getLogger("cdist")
log.verbose("version %s", cdist.VERSION) log.verbose("version %s" % cdist.VERSION)
log.trace('command line args: %s', cfg.command_line_args) log.trace('command line args: {}'.format(cfg.command_line_args))
log.trace('configuration: %s', cfg.get_config()) log.trace('configuration: {}'.format(cfg.get_config()))
log.trace('configured args: %s', args) log.trace('configured args: {}'.format(args))
check_beta(vars(args)) check_beta(vars(args))

View file

@ -21,9 +21,6 @@
set +e set +e
case "$("$__explorer/os")" in case "$("$__explorer/os")" in
checkpoint)
awk '{printf("%s\n", $(NF-1))}' /etc/cp-release
;;
openwrt) openwrt)
# shellcheck disable=SC1091 # shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_CODENAME") (. /etc/openwrt_release && echo "$DISTRIB_CODENAME")

View file

@ -21,9 +21,6 @@
set +e set +e
case "$("$__explorer/os")" in case "$("$__explorer/os")" in
checkpoint)
cat /etc/cp-release
;;
openwrt) openwrt)
# shellcheck disable=SC1091 # shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_DESCRIPTION") (. /etc/openwrt_release && echo "$DISTRIB_DESCRIPTION")

View file

@ -21,9 +21,6 @@
set +e set +e
case "$("$__explorer/os")" in case "$("$__explorer/os")" in
checkpoint)
echo "CheckPoint"
;;
openwrt) openwrt)
# shellcheck disable=SC1091 # shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_ID") (. /etc/openwrt_release && echo "$DISTRIB_ID")

View file

@ -21,9 +21,6 @@
set +e set +e
case "$("$__explorer/os")" in case "$("$__explorer/os")" in
checkpoint)
sed /etc/cp-release -e 's/.* R\([1-9][0-9]*\)\.[0-9]*$/\1/'
;;
openwrt) openwrt)
# shellcheck disable=SC1091 # shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_RELEASE") (. /etc/openwrt_release && echo "$DISTRIB_RELEASE")

File diff suppressed because it is too large Load diff

View file

@ -1,9 +1,8 @@
#!/bin/sh -e #!/bin/sh
# #
# 2014 Daniel Heule (hda at sfs.biz) # 2014 Daniel Heule (hda at sfs.biz)
# 2014 Thomas Oettli (otho at sfs.biz) # 2014 Thomas Oettli (otho at sfs.biz)
# Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz> # Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
# 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
# #
# This file is part of cdist. # This file is part of cdist.
# #
@ -20,73 +19,24 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>. # along with cdist. If not, see <http://www.gnu.org/licenses/>.
# #
# Returns the amount of memory physically installed in the system, or if that #
# cannot be determined the amount available to the operating system kernel,
# in kibibytes (kiB).
str2bytes() { # FIXME: other system types (not linux ...)
awk -F' ' '
$2 == "B" || !$2 { print $1 }
$2 == "kB" { printf "%.f\n", ($1 * 1000) }
$2 == "MB" { printf "%.f\n", ($1 * 1000 * 1000) }
$2 == "GB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000) }
$2 == "TB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000 * 1000) }
$2 == "kiB" { printf "%.f\n", ($1 * 1024) }
$2 == "MiB" { printf "%.f\n", ($1 * 1024 * 1024) }
$2 == "GiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024) }
$2 == "TiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024 * 1024) }'
}
bytes2kib() { os=$("$__explorer/os")
awk '$0 > 0 { printf "%.f\n", ($0 / 1024) }' case "$os" in
} "macosx")
echo "$(sysctl -n hw.memsize)/1024" | bc
;;
*"bsd")
PATH=$(getconf PATH)
echo "$(sysctl -n hw.physmem) / 1048576" | bc
;;
case $(uname -s) *)
in if [ -r /proc/meminfo ]; then
(Darwin) grep "MemTotal:" /proc/meminfo | awk '{print $2}'
sysctl -n hw.memsize | bytes2kib fi
;; ;;
(FreeBSD)
sysctl -n hw.realmem | bytes2kib
;;
(NetBSD|OpenBSD)
# NOTE: This reports "usable" memory, not physically installed memory.
command -p sysctl -n hw.physmem | bytes2kib
;;
(SunOS)
# Make sure that awk from xpg4 is used for the scripts to work
export PATH="/usr/xpg4/bin:${PATH}"
prtconf \
| awk -F ': ' '
$1 == "Memory size" { sub(/Megabytes/, "MiB", $2); print $2 }
/^$/ { exit }' \
| str2bytes \
| bytes2kib
;;
(Linux)
if test -d /sys/devices/system/memory
then
# Use memory blocks if the architecture (e.g. x86, PPC64, s390)
# supports them (they denote physical memory)
num_mem_blocks=$(cat /sys/devices/system/memory/memory[0-9]*/state | grep -cxF online)
mem_block_size=$(cat /sys/devices/system/memory/block_size_bytes)
echo $((num_mem_blocks * 0x$mem_block_size)) | bytes2kib && exit
fi
if test -r /proc/meminfo
then
# Fall back to meminfo file on other architectures (e.g. ARM, MIPS,
# PowerPC)
# NOTE: This is "usable" memory, not physically installed memory.
awk -F ': +' '$1 == "MemTotal" { sub(/B$/, "iB", $2); print $2 }' /proc/meminfo \
| str2bytes \
| bytes2kib
fi
;;
(*)
printf "Your kernel (%s) is currently not supported by the memory explorer\n" "$(uname -s)" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
esac esac

View file

@ -116,13 +116,6 @@ if [ -f /etc/slackware-version ]; then
exit 0 exit 0
fi fi
# Appliances
if grep -q '^Check Point Gaia' /etc/cp-release 2>/dev/null; then
echo checkpoint
exit 0
fi
uname_s="$(uname -s)" uname_s="$(uname -s)"
# Assume there is no tr on the client -> do lower case ourselves # Assume there is no tr on the client -> do lower case ourselves

View file

@ -34,9 +34,5 @@ elif test -f /var/run/os-release
then then
# FreeBSD (created by os-release service) # FreeBSD (created by os-release service)
cat /var/run/os-release cat /var/run/os-release
elif test -f /etc/cp-release
then
# Checkpoint firewall or management (actually linux based)
cat /etc/cp-release
fi fi

View file

@ -1,7 +1,6 @@
#!/bin/sh -e #!/bin/sh
# #
# 2010-2011 Nico Schottelius (nico-cdist at schottelius.org) # 2010-2011 Nico Schottelius (nico-cdist at schottelius.org)
# 2020-2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
# #
# This file is part of cdist. # This file is part of cdist.
# #
@ -18,22 +17,12 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>. # along with cdist. If not, see <http://www.gnu.org/licenses/>.
# #
#
# All os variables are lower case # All os variables are lower case
# #
#
rc_getvar() { case "$("$__explorer/os")" in
awk -F= -v varname="$2" '
function unquote(s) {
if (s ~ /^".*"$/ || s ~ /^'\''.*'\''$/)
return substr(s, 2, length(s) - 2)
else
return s
}
$1 == varname { print unquote(substr($0, index($0, "=") + 1)) }' "$1"
}
case $("${__explorer:?}/os")
in
amazon) amazon)
cat /etc/system-release cat /etc/system-release
;; ;;
@ -41,9 +30,6 @@ in
# empty, but well... # empty, but well...
cat /etc/arch-release cat /etc/arch-release
;; ;;
checkpoint)
awk '{version=$NF; printf("%s\n", substr(version, 2))}' /etc/cp-release
;;
debian) debian)
debian_version=$(cat /etc/debian_version) debian_version=$(cat /etc/debian_version)
case $debian_version case $debian_version
@ -57,8 +43,6 @@ in
# sid versions don't have a number, so we decode by codename: # sid versions don't have a number, so we decode by codename:
case $(expr "$debian_version" : '\([a-z]\{1,\}\)/') case $(expr "$debian_version" : '\([a-z]\{1,\}\)/')
in in
trixie) echo 12.99 ;;
bookworm) echo 11.99 ;;
bullseye) echo 10.99 ;; bullseye) echo 10.99 ;;
buster) echo 9.99 ;; buster) echo 9.99 ;;
stretch) echo 8.99 ;; stretch) echo 8.99 ;;
@ -66,7 +50,7 @@ in
wheezy) echo 6.99 ;; wheezy) echo 6.99 ;;
squeeze) echo 5.99 ;; squeeze) echo 5.99 ;;
lenny) echo 4.99 ;; lenny) echo 4.99 ;;
*) echo 99.99 ;; *) exit 1
esac esac
;; ;;
*) *)
@ -75,24 +59,7 @@ in
esac esac
;; ;;
devuan) devuan)
devuan_version=$(cat /etc/devuan_version) cat /etc/devuan_version
case ${devuan_version}
in
(*/ceres)
# ceres versions don't have a number, so we decode by codename:
case ${devuan_version}
in
(daedalus/ceres) echo 4.99 ;;
(chimaera/ceres) echo 3.99 ;;
(beowulf/ceres) echo 2.99 ;;
(ascii/ceres) echo 1.99 ;;
(*) exit 1
esac
;;
(*)
echo "${devuan_version}"
;;
esac
;; ;;
fedora) fedora)
cat /etc/fedora-release cat /etc/fedora-release
@ -101,20 +68,12 @@ in
cat /etc/gentoo-release cat /etc/gentoo-release
;; ;;
macosx) macosx)
# NOTE: Legacy versions (< 10.3) do not support options sw_vers -productVersion
sw_vers | awk -F ':[ \t]+' '$1 == "ProductVersion" { print $2 }'
;; ;;
freebsd) freebsd)
# Apparently uname -r is not a reliable way to get the patch level. # Apparently uname -r is not a reliable way to get the patch level.
# See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743 # See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
if command -v freebsd-version >/dev/null 2>&1 freebsd-version
then
# get userland version
freebsd-version -u
else
# fallback to kernel release for FreeBSD < 10.0
uname -r
fi
;; ;;
*bsd|solaris) *bsd|solaris)
uname -r uname -r
@ -139,20 +98,7 @@ in
fi fi
;; ;;
ubuntu) ubuntu)
if command -v lsb_release >/dev/null 2>&1 lsb_release -sr
then
lsb_release -sr
elif test -r /usr/lib/os-release
then
# fallback to /usr/lib/os-release if lsb_release is not present (like
# on minimized Ubuntu installations)
rc_getvar /usr/lib/os-release VERSION_ID
elif test -r /etc/lsb-release
then
# extract DISTRIB_RELEASE= variable from /etc/lsb-release on old
# versions without /usr/lib/os-release.
rc_getvar /etc/lsb-release DISTRIB_RELEASE
fi
;; ;;
alpine) alpine)
cat /etc/alpine-release cat /etc/alpine-release

View file

@ -28,7 +28,6 @@
# lsb_release may not be given in all installations # lsb_release may not be given in all installations
codename_os_release() { codename_os_release() {
# shellcheck disable=SC1090 # shellcheck disable=SC1090
# shellcheck disable=SC1091
. "$__global/explorer/os_release" . "$__global/explorer/os_release"
printf "%s" "$VERSION_CODENAME" printf "%s" "$VERSION_CODENAME"
} }

View file

@ -27,25 +27,18 @@ else
keyid="$__object_id" keyid="$__object_id"
fi fi
# From apt-key(8):
# Use of apt-key is deprecated, except for the use of apt-key del in
# maintainer scripts to remove existing keys from the main keyring.
# If such usage of apt-key is desired the additional installation of
# the GNU Privacy Guard suite (packaged in gnupg) is required.
if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
if apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK"
then echo present
else echo absent
fi
exit
fi
keydir="$(cat "$__object/parameter/keydir")" keydir="$(cat "$__object/parameter/keydir")"
keyfile="$keydir/$__object_id.gpg" keyfile="$keydir/$__object_id.gpg"
if [ -f "$keyfile" ] if [ -d "$keydir" ]
then then
echo present if [ -f "$keyfile" ]
exit then echo present
else echo absent
fi
else
# fallback to deprecated apt-key
apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
&& echo present \
|| echo absent
fi fi
echo absent

View file

@ -25,7 +25,11 @@ else
fi fi
state_should="$(cat "$__object/parameter/state")" state_should="$(cat "$__object/parameter/state")"
state_is="$(cat "$__object/explorer/state")" state_is="$(cat "$__object/explorer/state")"
method="$(cat "$__object/key_method")"
if [ "$state_should" = "$state_is" ]; then
# nothing to do
exit 0
fi
keydir="$(cat "$__object/parameter/keydir")" keydir="$(cat "$__object/parameter/keydir")"
keyfile="$keydir/$__object_id.gpg" keyfile="$keydir/$__object_id.gpg"
@ -33,18 +37,30 @@ keyfile="$keydir/$__object_id.gpg"
case "$state_should" in case "$state_should" in
present) present)
keyserver="$(cat "$__object/parameter/keyserver")" keyserver="$(cat "$__object/parameter/keyserver")"
# Using __download or __file as key source
# Propagate messages if needed if [ -f "$__object/parameter/uri" ]; then
if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then uri="$(cat "$__object/parameter/uri")"
if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
echo "added '$keyid'" >> "$__messages_out" if [ -d "$keydir" ]; then
cat << EOF
curl -s -L \\
-o "$keyfile" \\
"$uri"
key="\$( cat "$keyfile" )"
if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
then
echo "\$key" | gpg --dearmor > "$keyfile"
fi
EOF
else
# fallback to deprecated apt-key
echo "curl -s -L '$uri' | apt-key add -"
fi fi
exit 0 elif [ -d "$keydir" ]; then
elif [ "${state_is}" = "present" ]; then
exit 0
fi
# Using key servers to fetch the key
if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
# we need to kill gpg after 30 seconds, because gpg # we need to kill gpg after 30 seconds, because gpg
# can get stuck if keyserver is not responding. # can get stuck if keyserver is not responding.
# exporting env var and not exit 1, # exporting env var and not exit 1,
@ -84,16 +100,13 @@ EOF
echo "added '$keyid'" >> "$__messages_out" echo "added '$keyid'" >> "$__messages_out"
;; ;;
absent) absent)
# Removal for keys added from a keyserver without this flag if [ -f "$keyfile" ]; then
# is done in the manifest echo "rm '$keyfile'"
if [ "$state_is" != "absent" ] && \ else
[ -f "$__object/parameter/use-deprecated-apt-key" ]; then
# fallback to deprecated apt-key # fallback to deprecated apt-key
echo "apt-key del \"$keyid\"" echo "apt-key del \"$keyid\""
echo "removed '$keyid'" >> "$__messages_out"
# Propagate messages if needed
elif grep -Eq "^__file$keyfile" "$__messages_in"; then
echo "removed '$keyid'" >> "$__messages_out"
fi fi
echo "removed '$keyid'" >> "$__messages_out"
;; ;;
esac esac

View file

@ -10,14 +10,6 @@ DESCRIPTION
----------- -----------
Manages the list of keys used by apt to authenticate packages. Manages the list of keys used by apt to authenticate packages.
This is done by placing the requested key in a file named
``$__object_id.gpg`` in the ``keydir`` directory.
This is supported by modern releases of Debian-based distributions.
In order of preference, exactly one of: ``source``, ``uri`` or ``keyid``
must be specified.
REQUIRED PARAMETERS REQUIRED PARAMETERS
------------------- -------------------
@ -26,49 +18,21 @@ None.
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
keydir
keyring directory, defaults to ``/etc/apt/trusted.pgp.d``, which is
enabled system-wide by default.
source
path to a file containing the GPG key of the repository.
Using this is recommended as it ensures that the manifest/type manintainer
has validated the key.
If ``-``, the GPG key is read from the type's stdin.
state state
'present' or 'absent'. Defaults to 'present' 'present' or 'absent'. Defaults to 'present'
uri
the URI from which to download the key.
It is highly recommended that you only use protocols with TLS like HTTPS.
This uses ``__download`` but does not use checksums, if you want to ensure
that the key doesn't change, you are better off downloading it and using
``--source``.
DEPRECATED OPTIONAL PARAMETERS
------------------------------
keyid keyid
the id of the key to download from the ``keyserver``. the id of the key to add. Defaults to __object_id
This is to be used in absence of ``--source`` and ``--uri`` or together
with ``--use-deprecated-apt-key`` for key removal.
Defaults to ``$__object_id``.
keyserver keyserver
the keyserver from which to fetch the key. the keyserver from which to fetch the key. If omitted the default set
Defaults to ``pool.sks-keyservers.net``. in ./parameter/default/keyserver is used.
keydir
key save location, defaults to ``/etc/apt/trusted.pgp.d``
DEPRECATED BOOLEAN PARAMETERS uri
----------------------------- the URI from which to download the key
use-deprecated-apt-key
``apt-key(8)`` will last be available in Debian 11 and Ubuntu 22.04.
You can use this parameter to force usage of ``apt-key(8)``.
Please only use this parameter to *remove* keys from the keyring,
in order to prepare for removal of ``apt-key``.
Adding keys should be done without this parameter.
This parameter will be removed when Debian 11 stops being supported.
EXAMPLES EXAMPLES
@ -76,39 +40,33 @@ EXAMPLES
.. code-block:: sh .. code-block:: sh
# add a key that has been verified by a type maintainer # Add Ubuntu Archive Automatic Signing Key
__apt_key jitsi_meet_2021 \ __apt_key 437D05B5
--source cdist-contrib/type/__jitsi_meet/files/apt_2021.gpg # Same thing
__apt_key 437D05B5 --state present
# Get rid of it
__apt_key 437D05B5 --state absent
# remove an old, deprecated or expired key # same thing with human readable name and explicit keyid
__apt_key jitsi_meet_2016 --state absent __apt_key UbuntuArchiveKey --keyid 437D05B5
# Get rid of a key that might have been added to # same thing with other keyserver
# /etc/apt/trusted.gpg with apt-key __apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
__apt_key 0x40976EAF437D05B5 --use-deprecated-apt-key --state absent
# add a key that we define in-line # download key from the internet
__apt_key jitsi_meet_2021 --source '-' <<EOF __apt_key rabbitmq \
-----BEGIN PGP PUBLIC KEY BLOCK----- --uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
[...]
-----END PGP PUBLIC KEY BLOCK-----
EOF
# download or update key from the internet
__apt_key rabbitmq_2007 \
--uri https://www.rabbitmq.com/rabbitmq-signing-key-public.asc
AUTHORS AUTHORS
------- -------
Steven Armstrong <steven-cdist--@--armstrong.cc> Steven Armstrong <steven-cdist--@--armstrong.cc>
Ander Punnar <ander-at-kvlt-dot-ee> Ander Punnar <ander-at-kvlt-dot-ee>
Evilham <contact~~@~~evilham.com>
COPYING COPYING
------- -------
Copyright \(C) 2011-2021 Steven Armstrong, Ander Punnar and Evilham. You can Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
redistribute it and/or modify it under the terms of the GNU General Public redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation, either version 3 of the License as published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version. License, or (at your option) any later version.

View file

@ -2,105 +2,7 @@
__package gnupg __package gnupg
state_should="$(cat "${__object}/parameter/state")" if [ -f "$__object/parameter/uri" ]
then __package curl
incompatible_args() else __package dirmngr
{
cat >> /dev/stderr <<-EOF
This type does not support --${1} and --${method} simultaneously.
EOF
exit 1
}
if [ -f "${__object}/parameter/source" ]; then
method="source"
src="$(cat "${__object}/parameter/source")"
if [ "${src}" = "-" ]; then
src="${__object}/stdin"
fi
fi
if [ -f "${__object}/parameter/uri" ]; then
if [ -n "${method}" ]; then
incompatible_args uri
fi
method="uri"
src="$(cat "${__object}/parameter/uri")"
fi
if [ -f "${__object}/parameter/keyid" ]; then
if [ -n "${method}" ]; then
incompatible_args keyid
fi
method="keyid"
fi
# Keep old default
if [ -z "${method}" ]; then
method="keyid"
fi
# Save this for later in gencode-remote
echo "${method}" > "${__object}/key_method"
# Required remotely (most likely already installed)
__package dirmngr
# We need this in case a key has to be dearmor'd
__package gnupg
export require="__package/gnupg"
if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
# This is required if apt-key(8) is to be used
if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
incompatible_args use-deprecated-apt-key
fi
else
if [ "${state_should}" = "absent" ] && \
[ -f "${__object}/parameter/keyid" ]; then
cat >> /dev/stderr <<EOF
You can't reliably remove by keyid without --use-deprecated-apt-key.
This would very likely do something you do not intend.
EOF
exit 1
fi
fi
keydir="$(cat "${__object}/parameter/keydir")"
keyfile="${keydir}/${__object_id}.gpg"
keyfilecdist="${keyfile}.cdist"
if [ "${state_should}" != "absent" ]; then
# Ensure keydir exists
__directory "${keydir}" --state exists --mode 0755
fi
if [ "${state_should}" = "absent" ]; then
__file "${keyfile}" --state "absent"
__file "${keyfilecdist}" --state "absent"
elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
dearmor="$(cat <<-EOF
if [ '${state_should}' = 'present' ]; then
# Dearmor if necessary
if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
else
cp '${keyfilecdist}' '${keyfile}'
fi
# Ensure permissions
chown root '${keyfile}'
chmod 0444 '${keyfile}'
fi
EOF
)"
if [ "${method}" = "uri" ]; then
__download "${keyfilecdist}" \
--url "${src}" \
--onchange "${dearmor}"
require="__download${keyfilecdist}" \
__file "${keyfile}" \
--owner root \
--mode 0444 \
--state pre-exists
else
__file "${keyfilecdist}" --state "${state_should}" \
--mode 0444 \
--source "${src}" \
--onchange "${dearmor}"
fi
fi fi

View file

@ -1 +0,0 @@
use-deprecated-apt-key

View file

@ -1,3 +0,0 @@
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
Use this flag *only* to migrate to placing a keyring directly in the
/etc/apt/trusted.gpg.d/ directory with a descriptive name.

View file

@ -1,6 +1,5 @@
keydir state
keyid keyid
keyserver keyserver
source keydir
state
uri uri

View file

@ -1 +0,0 @@
Please migrate to using __apt_key key_id --uri URI.

View file

@ -24,4 +24,4 @@ else
name="$__object_id" name="$__object_id"
fi fi
apt-mark showhold | grep -q "^${name}$" && echo hold || echo unhold apt-mark showhold | grep -Fq "$name" && echo hold || echo unhold

View file

@ -1,79 +0,0 @@
cdist-type__apt_pin(7)
======================
NAME
----
cdist-type__apt_pin - Manage apt pinning rules
DESCRIPTION
-----------
Adds/removes/edits rules to pin some packages to a specific distribution. Useful if using multiple debian repositories at the same time. (Useful, if one wants to use a few specific packages from backports or perhaps Debain testing... or even sid.)
REQUIRED PARAMETERS
-------------------
distribution
Specifies what distribution the package should be pinned to. Accepts both codenames (buster/bullseye/sid) and suite names (stable/testing/...).
OPTIONAL PARAMETERS
-------------------
package
Package name, glob or regular expression to match (multiple) packages. If not specified `__object_id` is used.
priority
The priority value to assign to matching packages. Defaults to 500. (To match the default target distro's priority)
state
Will be passed to underlying `__file` type; see there for valid values and defaults.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
# Add the bullseye repo to buster, but do not install any packages by default,
# only if explicitely asked for (-1 means "never" for apt)
__apt_pin bullseye-default \
--package "*" \
--distribution bullseye \
--priority -1
require="__apt_pin/bullseye-default" __apt_source bullseye \
--uri http://deb.debian.org/debian/ \
--distribution bullseye \
--component main
__apt_pin foo --package "foo foo-*" --distribution bullseye
__foo # Assuming, this installs the `foo` package internally
__package foo-plugin-extras # Assuming we also need some extra stuff
SEE ALSO
--------
:strong:`apt_preferences`\ (5)
:strong:`cdist-type__apt_source`\ (7)
:strong:`cdist-type__apt_backports`\ (7)
:strong:`cdist-type__file`\ (7)
AUTHORS
-------
Daniel Fancsali <fancsali@gmail.com>
COPYING
-------
Copyright \(C) 2021 Daniel Fancsali. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -1,68 +0,0 @@
#!/bin/sh -e
#
# 2021 Daniel Fancsali (fancsali@gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
name="$__object_id"
os=$(cat "$__global/explorer/os")
state="$(cat "$__object/parameter/state")"
if [ -f "$__object/parameter/package" ]; then
package="$(cat "$__object/parameter/package")"
else
package=$name
fi
distribution="$(cat "$__object/parameter/distribution")"
priority="$(cat "$__object/parameter/priority")"
case "$os" in
debian|ubuntu|devuan)
;;
*)
printf "This type is specific to Debian and it's derivatives" >&2
exit 1
;;
esac
case $distribution in
stable|testing|unstable|experimental)
pin="release a=$distribution"
;;
*)
pin="release n=$distribution"
;;
esac
__file "/etc/apt/preferences.d/$name" \
--owner root --group root --mode 0644 \
--state "$state" \
--source - << EOF
# Created by cdist ${__type##*/}
# Do not change. Changes will be overwritten.
#
# $name
Package: $package
Pin: $pin
Pin-Priority: $priority
EOF

View file

@ -1 +0,0 @@
present

View file

@ -1,3 +0,0 @@
state
package
priority

View file

@ -1 +0,0 @@
distribution

View file

@ -0,0 +1,55 @@
#!/usr/bin/env python
#
# Remove the given apt repository.
#
# Exit with:
# 0: if it worked
# 1: if not
# 2: on other error
import os
import sys
from aptsources import distro, sourceslist
from softwareproperties import ppa
from softwareproperties.SoftwareProperties import SoftwareProperties
def remove_if_empty(file_name):
with open(file_name, 'r') as f:
if f.read().strip():
return
os.unlink(file_name)
def remove_repository(repository):
#print 'repository:', repository
codename = distro.get_distro().codename
#print 'codename:', codename
(line, file) = ppa.expand_ppa_line(repository.strip(), codename)
#print 'line:', line
#print 'file:', file
deb_source_entry = sourceslist.SourceEntry(line, file)
src_source_entry = sourceslist.SourceEntry('deb-src{}'.format(line[3:]), file)
try:
sp = SoftwareProperties()
sp.remove_source(deb_source_entry)
try:
# If there's a deb-src entry, remove that too
sp.remove_source(src_source_entry)
except:
pass
remove_if_empty(file)
return True
except ValueError:
print >> sys.stderr, "Error: '%s' doesn't exists in a sourcelist file" % line
return False
if __name__ == '__main__':
if (len(sys.argv) != 2):
print >> sys.stderr, 'Error: need a repository as argument'
sys.exit(2)
repository = sys.argv[1]
if remove_repository(repository):
sys.exit(0)
else:
sys.exit(1)

View file

@ -29,9 +29,9 @@ fi
case "$state_should" in case "$state_should" in
present) present)
echo "add-apt-repository -y '$name'" echo "add-apt-repository '$name'"
;; ;;
absent) absent)
echo "add-apt-repository -r -y '$name'" echo "remove-apt-repository '$name'"
;; ;;
esac esac

View file

@ -20,4 +20,9 @@
__package software-properties-common __package software-properties-common
require="__package/software-properties-common" \
__file /usr/local/bin/remove-apt-repository \
--source "$__type/files/remove-apt-repository" \
--mode 0755
require="$__object_name" __apt_update_index require="$__object_name" __apt_update_index

View file

@ -2,14 +2,13 @@
set -u set -u
entry="$uri $distribution $component" entry="$uri $distribution $component"
cat << DONE cat << DONE
# Created by cdist ${__type##*/} # Created by cdist ${__type##*/}
# Do not change. Changes will be overwritten. # Do not change. Changes will be overwritten.
# #
# $name # $name
deb ${options} $entry deb ${forcedarch} $entry
DONE DONE
if [ -f "$__object/parameter/include-src" ]; then if [ -f "$__object/parameter/include-src" ]; then
echo "deb-src $entry" echo "deb-src $entry"

View file

@ -22,21 +22,7 @@
name="$__object_id" name="$__object_id"
destination="/etc/apt/sources.list.d/${name}.list" destination="/etc/apt/sources.list.d/${name}.list"
# There are special arguments to apt(8) to prevent aborts if apt woudn't been
# updated after the 19th April 2021 till the bullseye release. The additional
# arguments acknoledge the happend suite change (the apt(8) update does the
# same by itself).
#
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
# allows backward compatablility to pre-buster Debian versions.
#
# See more: ticket #861
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
# run 'apt-get update' only if something changed with our sources.list file
# it will be run a second time on error as a redundancy messure to success
if grep -q "^__file${destination}" "$__messages_in"; then if grep -q "^__file${destination}" "$__messages_in"; then
printf 'apt-get %s update || apt-get %s update\n' "$apt_opts" "$apt_opts" printf 'apt-get update || apt-get update\n'
fi fi

View file

@ -23,9 +23,6 @@ OPTIONAL PARAMETERS
arch arch
set this if you need to force and specific arch (ubuntu specific) set this if you need to force and specific arch (ubuntu specific)
signed-by
provide a GPG key fingerprint or keyring path for signature checks
state state
'present' or 'absent', defaults to 'present' 'present' or 'absent', defaults to 'present'
@ -59,11 +56,6 @@ EXAMPLES
--uri http://archive.canonical.com/ \ --uri http://archive.canonical.com/ \
--component partner --state present --component partner --state present
__apt_source goaccess \
--uri http://deb.goaccess.io/ \
--component main \
--signed-by C03B48887D5E56B046715D3297BD1A0133449C3D
AUTHORS AUTHORS
------- -------

View file

@ -21,7 +21,6 @@
name="$__object_id" name="$__object_id"
state="$(cat "$__object/parameter/state")" state="$(cat "$__object/parameter/state")"
uri="$(cat "$__object/parameter/uri")" uri="$(cat "$__object/parameter/uri")"
options=""
if [ -f "$__object/parameter/distribution" ]; then if [ -f "$__object/parameter/distribution" ]; then
distribution="$(cat "$__object/parameter/distribution")" distribution="$(cat "$__object/parameter/distribution")"
@ -32,15 +31,9 @@ fi
component="$(cat "$__object/parameter/component")" component="$(cat "$__object/parameter/component")"
if [ -f "$__object/parameter/arch" ]; then if [ -f "$__object/parameter/arch" ]; then
options="arch=$(cat "$__object/parameter/arch")" forcedarch="[arch=$(cat "$__object/parameter/arch")]"
fi else
forcedarch=""
if [ -f "$__object/parameter/signed-by" ]; then
options="$options signed-by=$(cat "$__object/parameter/signed-by")"
fi
if [ "$options" ]; then
options="[$options]"
fi fi
# export variables for use in template # export variables for use in template
@ -48,7 +41,7 @@ export name
export uri export uri
export distribution export distribution
export component export component
export options export forcedarch
# generate file from template # generate file from template
mkdir "$__object/files" mkdir "$__object/files"

View file

@ -1,5 +1,4 @@
state state
distribution distribution
component component
arch arch
signed-by

View file

@ -18,23 +18,9 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>. # along with cdist. If not, see <http://www.gnu.org/licenses/>.
# #
# There are special arguments to apt(8) to prevent aborts if apt woudn't been
# updated after the 19th April 2021 till the bullseye release. The additional
# arguments acknoledge the happend suite change (the apt(8) update does the
# same by itself).
#
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
# allows backward compatablility to pre-buster Debian versions.
#
# See more: ticket #861
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
# run 'apt-get update' if anything in /etc/apt is newer then /var/lib/apt/lists # run 'apt-get update' if anything in /etc/apt is newer then /var/lib/apt/lists
# it will be run a second time on error as a redundancy messure to success
cat << DONE cat << DONE
if find /etc/apt -mindepth 1 -cnewer /var/lib/apt/lists | grep . > /dev/null; then if find /etc/apt -mindepth 1 -cnewer /var/lib/apt/lists | grep . > /dev/null; then
apt-get $apt_opts update || apt-get $apt_opts update apt-get update || apt-get update
fi fi
DONE DONE

View file

@ -1,142 +0,0 @@
#!/bin/sh -e
#
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Determine current debconf selections' state.
# Prints one of:
# present: all selections are already set as they should.
# different: one or more of the selections have a different value.
# absent: one or more of the selections are not (currently) defined.
#
test -x /usr/bin/perl || {
# cannot find perl (no perl ~ no debconf)
echo 'absent'
exit 0
}
linesfile="${__object:?}/parameter/line"
test -s "${linesfile}" || {
if test -s "${__object:?}/parameter/file"
then
echo absent
else
echo present
fi
exit 0
}
# assert __type_explorer is set (because it is used by the Perl script)
: "${__type_explorer:?}"
/usr/bin/perl -- - "${linesfile}" <<'EOF'
use strict;
use warnings "all";
use Fcntl qw(:DEFAULT :flock);
use Debconf::Db;
use Debconf::Question;
# Extract @known... arrays from debconf-set-selections
# These values are required to distinguish flags and values in the given lines.
# DC: I couldn't think of a more ugly solution to the problem…
my @knownflags;
my @knowntypes;
my $debconf_set_selections = '/usr/bin/debconf-set-selections';
if (-e $debconf_set_selections) {
my $sed_known = 's/^my \(@known\(flags\|types\) = qw([a-z ]*);\).*$/\1/p';
eval `sed -n '$sed_known' '$debconf_set_selections'`;
}
sub mungeline ($) {
my $line = shift;
chomp $line;
$line =~ s/\r$//;
return $line;
}
sub fatal { printf STDERR @_; exit 1; }
my $state = 'present';
sub state {
my $new = shift;
if ($state eq 'present'
or ($state eq 'different' and $new eq 'absent')) {
$state = $new;
}
}
# Load Debconf DB but manually lock on the state explorer script,
# because Debconf aborts immediately if executed concurrently.
# This is not really an ideal solution because the Debconf DB could be locked by
# another process (e.g. apt-get), but no way to achieve this could be found.
# If you know how to, please provide a patch.
my $lockfile = "%ENV{'__type_explorer'}/state";
if (open my $lock_fh, '+<', $lockfile) {
flock $lock_fh, LOCK_EX or die "Cannot lock $lockfile";
}
{
Debconf::Db->load(readonly => 'true');
}
while (<>) {
# Read and process lines (taken from debconf-set-selections)
$_ = mungeline($_);
while (/\\$/ && ! eof) {
s/\\$//;
$_ .= mungeline(<>);
}
next if /^\s*$/ || /^\s*\#/;
my ($owner, $label, $type, $content) = /^\s*(\S+)\s+(\S+)\s+(\S+)(?:\s(.*))?/
or fatal "invalid line: %s\n", $_;
$content = '' unless defined $content;
# Compare is and should state
my $q = Debconf::Question->get($label);
unless (defined $q) {
# probably a preseed
state 'absent';
next;
}
if (grep { $_ eq $q->type } @knownflags) {
# This line wants to set a flag, presumably.
if ($q->flag($q->type) ne $content) {
state 'different';
}
} else {
# Otherwise, it's probably a value…
if ($q->value ne $content) {
state 'different';
}
unless (grep { $_ eq $owner } (split /, /, $q->owners)) {
state 'different';
}
}
}
printf "%s\n", $state;
EOF

View file

@ -1,7 +1,6 @@
#!/bin/sh -e #!/bin/sh -e
# #
# 2011-2014 Nico Schottelius (nico-cdist at schottelius.org) # 2011-2014 Nico Schottelius (nico-cdist at schottelius.org)
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
# #
# This file is part of cdist. # This file is part of cdist.
# #
@ -18,37 +17,16 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>. # along with cdist. If not, see <http://www.gnu.org/licenses/>.
# #
#
# Setup selections
#
if test -f "${__object:?}/parameter/line" filename="$(cat "$__object/parameter/file")"
then
filename="${__object:?}/parameter/line" if [ "$filename" = "-" ]; then
elif test -s "${__object:?}/parameter/file" filename="$__object/stdin"
then
filename=$(cat "${__object:?}/parameter/file")
if test "${filename}" = '-'
then
filename="${__object:?}/stdin"
fi
else
printf 'Neither --line nor --file set.\n' >&2
exit 1
fi fi
# setting no lines makes no sense echo "debconf-set-selections << __file-eof"
test -s "${filename}" || exit 0 cat "$filename"
echo "__file-eof"
state_is=$(cat "${__object:?}/explorer/state")
if test "${state_is}" != 'present'
then
cat <<-CODE
debconf-set-selections <<'EOF'
$(cat "${filename}")
EOF
CODE
awk '
{
printf "set %s %s %s %s\n", $1, $2, $3, $4
}' "${filename}" >>"${__messages_out:?}"
fi

View file

@ -8,33 +8,15 @@ cdist-type__debconf_set_selections - Setup debconf selections
DESCRIPTION DESCRIPTION
----------- -----------
On Debian and alike systems :strong:`debconf-set-selections`\ (1) can be used On Debian and alike systems debconf-set-selections(1) can be used
to setup configuration parameters. to setup configuration parameters.
REQUIRED PARAMETERS REQUIRED PARAMETERS
------------------- -------------------
cf. ``--line``.
OPTIONAL PARAMETERS
-------------------
file file
Use the given filename as input for :strong:`debconf-set-selections`\ (1) Use the given filename as input for debconf-set-selections(1)
If filename is ``-``, read from stdin. If filename is "-", read from stdin.
**This parameter is deprecated, because it doesn't work with state detection.**
line
A line in :strong:`debconf-set-selections`\ (1) compatible format.
This parameter can be used multiple times to set multiple options.
(This parameter is actually required, but marked optional because the
deprecated ``--file`` is still accepted.)
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES EXAMPLES
@ -42,29 +24,30 @@ EXAMPLES
.. code-block:: sh .. code-block:: sh
# Setup gitolite's gituser # Setup configuration for nslcd
__debconf_set_selections nslcd --line 'gitolite gitolite/gituser string git' __debconf_set_selections nslcd --file /path/to/file
# Setup configuration for nslcd from a file. # Setup configuration for nslcd from another type
# NB: Multiple lines can be passed to --line, although this can be considered a hack. __debconf_set_selections nslcd --file "$__type/files/preseed/nslcd"
__debconf_set_selections nslcd --line "$(cat "${__files:?}/preseed/nslcd.debconf")"
__debconf_set_selections nslcd --file - << eof
gitolite gitolite/gituser string git
eof
SEE ALSO SEE ALSO
-------- --------
- :strong:`cdist-type__update_alternatives`\ (7) :strong:`debconf-set-selections`\ (1), :strong:`cdist-type__update_alternatives`\ (7)
- :strong:`debconf-set-selections`\ (1)
AUTHORS AUTHORS
------- -------
| Nico Schottelius <nico-cdist--@--schottelius.org> Nico Schottelius <nico-cdist--@--schottelius.org>
| Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
COPYING COPYING
------- -------
Copyright \(C) 2011-2014 Nico Schottelius, 2021 Dennis Camera. Copyright \(C) 2011-2014 Nico Schottelius. You can redistribute it
You can redistribute it and/or modify it under the terms of the GNU General and/or modify it under the terms of the GNU General Public License as
Public License as published by the Free Software Foundation, either version 3 of published by the Free Software Foundation, either version 3 of the
the License, or (at your option) any later version. License, or (at your option) any later version.

View file

@ -1 +0,0 @@
'file' has been deprecated in favour of 'line' in order to provide idempotency.

View file

@ -37,12 +37,6 @@ state
source source
forwarded to :strong:`__file` type forwarded to :strong:`__file` type
file
forwarded to :strong:`__file` type
This can be used if multiple users need to have a dotfile updated,
which will result in duplicate object id errors. When using the
file parameter the object id can be some unique value.
MESSAGES MESSAGES
-------- --------
@ -67,15 +61,6 @@ EXAMPLES
# Install default xmonad config for user 'eve'. Parent directory is created automatically. # Install default xmonad config for user 'eve'. Parent directory is created automatically.
__dot_file .xmonad/xmonad.hs --user eve --state exists --source "$__files/xmonad.hs" __dot_file .xmonad/xmonad.hs --user eve --state exists --source "$__files/xmonad.hs"
# install .vimrc for root and some users
for user in root userx usery userz; do
__dot_file "${user}_dot_vimrc" \
--user $user \
--file .vimrc \
--state exists \
--source "$__files/$user/.vimrc"
done
SEE ALSO SEE ALSO
-------- --------

View file

@ -20,19 +20,13 @@ user="$(cat "${__object}/parameter/user")"
home="$(cat "${__object}/explorer/home")" home="$(cat "${__object}/explorer/home")"
primary_group="$(cat "${__object}/explorer/primary_group")" primary_group="$(cat "${__object}/explorer/primary_group")"
dirmode="$(cat "${__object}/parameter/dirmode")" dirmode="$(cat "${__object}/parameter/dirmode")"
if [ -f "${__object}/parameter/file" ]; then
file="$(cat "${__object}/parameter/file")"
else
file="${__object_id}"
fi
# Create parent directory. Type __directory has flag 'parents', but it # Create parent directory. Type __directory has flag 'parents', but it
# will leave us with root-owned directory in user home, which is not # will leave us with root-owned directory in user home, which is not
# acceptable. So we create parent directories one-by-one. XXX: maybe # acceptable. So we create parent directories one-by-one. XXX: maybe
# it should be fixed in '__directory'? # it should be fixed in '__directory'?
set -- set --
subpath=${file} subpath=${__object_id}
while subpath="$(dirname "${subpath}")" ; do while subpath="$(dirname "${subpath}")" ; do
[ "${subpath}" = . ] && break [ "${subpath}" = . ] && break
set -- "${subpath}" "$@" set -- "${subpath}" "$@"
@ -70,4 +64,4 @@ if [ "${source}" = "-" ] ; then
fi fi
unset source unset source
__file "${home}/${file}" --owner "$user" --group "$primary_group" "$@" __file "${home}/${__object_id}" --owner "$user" --group "$primary_group" "$@"

View file

@ -0,0 +1,19 @@
#!/bin/sh -e
if [ -f "$__object/parameter/cmd-get" ]
then
cmd="$( cat "$__object/parameter/cmd-get" )"
elif command -v curl > /dev/null
then
cmd="curl -L -o - '%s'"
elif command -v fetch > /dev/null
then
cmd="fetch -o - '%s'"
else
cmd="wget -O - '%s'"
fi
echo "$cmd"

View file

@ -1,16 +0,0 @@
#!/bin/sh -e
if [ -f "$__object/parameter/cmd-get" ]
then
cat "$__object/parameter/cmd-get"
elif
command -v curl > /dev/null
then
echo "curl -sSL -o - '%s'"
elif
command -v fetch > /dev/null
then
echo "fetch -o - '%s'"
else
echo "wget -O - '%s'"
fi

View file

@ -1,82 +0,0 @@
#!/bin/sh -e
if [ ! -f "$__object/parameter/sum" ]
then
exit 0
fi
if [ -f "$__object/parameter/cmd-sum" ]
then
cat "$__object/parameter/cmd-sum"
exit 0
fi
sum_should="$( cat "$__object/parameter/sum" )"
if echo "$sum_should" | grep -Fq ':'
then
sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
else
if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
then
sum_hash='cksum'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
then
sum_hash='md5'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
then
sum_hash='sha1'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
then
sum_hash='sha256'
else
echo 'hash format detection failed' >&2
exit 1
fi
fi
os="$( "$__explorer/os" )"
case "$sum_hash" in
cksum)
echo "cksum %s | awk '{print \$1\" \"\$2}'"
;;
md5)
case "$os" in
freebsd)
echo "md5 -q %s"
;;
*)
echo "md5sum %s | awk '{print \$1}'"
;;
esac
;;
sha1)
case "$os" in
freebsd)
echo "sha1 -q %s"
;;
*)
echo "sha1sum %s | awk '{print \$1}'"
;;
esac
;;
sha256)
case "$os" in
freebsd)
echo "sha256 -q %s"
;;
*)
echo "sha256sum %s | awk '{print \$1}'"
;;
esac
;;
*)
# we arrive here only if --sum is given with unknown format prefix
echo "unknown hash format: $sum_hash" >&2
exit 1
;;
esac

View file

@ -1,11 +1,6 @@
#!/bin/sh -e #!/bin/sh -e
if [ -f "$__object/parameter/destination" ] dst="/$__object_id"
then
dst="$( cat "$__object/parameter/destination" )"
else
dst="/$__object_id"
fi
if [ ! -f "$dst" ] if [ ! -f "$dst" ]
then then
@ -13,27 +8,59 @@ then
exit 0 exit 0
fi fi
if [ ! -f "$__object/parameter/sum" ]
then
echo 'present'
exit 0
fi
sum_should="$( cat "$__object/parameter/sum" )" sum_should="$( cat "$__object/parameter/sum" )"
if echo "$sum_should" | grep -Fq ':' if [ -f "$__object/parameter/cmd-sum" ]
then then
sum_should="$( echo "$sum_should" | cut -d : -f 2 )" # shellcheck disable=SC2059
sum_is="$( eval "$( printf \
"$( cat "$__object/parameter/cmd-sum" )" \
"$dst" )" )"
else
os="$( "$__explorer/os" )"
if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
then
sum_is="$( cksum "$dst" | awk '{print $1" "$2}' )"
elif echo "$sum_should" | grep -Eiq '^md5:[a-f0-9]{32}$'
then
case "$os" in
freebsd)
sum_is="md5:$( md5 -q "$dst" )"
;;
*)
sum_is="md5:$( md5sum "$dst" | awk '{print $1}' )"
;;
esac
elif echo "$sum_should" | grep -Eiq '^sha1:[a-f0-9]{40}$'
then
case "$os" in
freebsd)
sum_is="sha1:$( sha1 -q "$dst" )"
;;
*)
sum_is="sha1:$( sha1sum "$dst" | awk '{print $1}' )"
;;
esac
elif echo "$sum_should" | grep -Eiq '^sha256:[a-f0-9]{64}$'
then
case "$os" in
freebsd)
sum_is="sha256:$( sha256 -q "$dst" )"
;;
*)
sum_is="sha256:$( sha256sum "$dst" | awk '{print $1}' )"
;;
esac
fi
fi fi
sum_cmd="$( "$__type_explorer/remote_cmd_sum" )"
# shellcheck disable=SC2059
sum_is="$( eval "$( printf "$sum_cmd" "'$dst'" )" )"
if [ -z "$sum_is" ] if [ -z "$sum_is" ]
then then
echo 'existing destination checksum failed' >&2 echo 'no checksum from target' >&2
exit 1 exit 1
fi fi

View file

@ -11,133 +11,34 @@ fi
url="$( cat "$__object/parameter/url" )" url="$( cat "$__object/parameter/url" )"
if [ -f "$__object/parameter/destination" ] tmp="$( mktemp )"
then
dst="$( cat "$__object/parameter/destination" )" dst="/$__object_id"
else
dst="/$__object_id"
fi
if [ -f "$__object/parameter/cmd-get" ] if [ -f "$__object/parameter/cmd-get" ]
then then
cmd="$( cat "$__object/parameter/cmd-get" )" cmd="$( cat "$__object/parameter/cmd-get" )"
elif command -v wget > /dev/null
then
cmd="wget -O - '%s'"
elif command -v curl > /dev/null elif command -v curl > /dev/null
then then
cmd="curl -sSL -o - '%s'" cmd="curl -L -o - '%s'"
elif command -v fetch > /dev/null elif command -v fetch > /dev/null
then then
cmd="fetch -o - '%s'" cmd="fetch -o - '%s'"
elif command -v wget > /dev/null
then
cmd="wget -O - '%s'"
else else
echo 'local download failed, no usable utility' >&2 echo 'no usable locally installed utility for downloading' >&2
exit 1 exit 1
fi fi
echo "download_tmp=\"\$( mktemp )\"" printf "$cmd > %s\n" \
"$url" \
# shellcheck disable=SC2059 "$tmp"
printf "$cmd > \"\$download_tmp\"\n" "$url"
if [ -f "$__object/parameter/sum" ]
then
sum_should="$( cat "$__object/parameter/sum" )"
if [ -f "$__object/parameter/cmd-sum" ]
then
local_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
else
if echo "$sum_should" | grep -Fq ':'
then
sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
else
if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
then
sum_hash='cksum'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
then
sum_hash='md5'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
then
sum_hash='sha1'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
then
sum_hash='sha256'
else
echo 'hash format detection failed' >&2
exit 1
fi
fi
case "$sum_hash" in
cksum)
local_cmd_sum="cksum %s | awk '{print \$1\" \"\$2}'"
;;
md5)
if command -v md5 > /dev/null
then
local_cmd_sum="md5 -q %s"
elif
command -v md5sum > /dev/null
then
local_cmd_sum="md5sum %s | awk '{print \$1}'"
fi
;;
sha1)
if command -v sha1 > /dev/null
then
local_cmd_sum="sha1 -q %s"
elif
command -v sha1sum > /dev/null
then
local_cmd_sum="sha1sum %s | awk '{print \$1}'"
fi
;;
sha256)
if command -v sha256 > /dev/null
then
local_cmd_sum="sha256 -q %s"
elif
command -v sha256sum > /dev/null
then
local_cmd_sum="sha256sum %s | awk '{print \$1}'"
fi
;;
*)
# we arrive here only if --sum is given with unknown format prefix
echo "unknown hash format: $sum_hash" >&2
exit 1
;;
esac
if [ -z "$local_cmd_sum" ]
then
echo 'local checksum verification failed, no usable utility' >&2
exit 1
fi
fi
# shellcheck disable=SC2059
echo "sum_is=\"\$( $( printf "$local_cmd_sum" "\"\$download_tmp\"" ) )\""
echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
echo "echo 'local download checksum mismatch' >&2"
echo "rm -f \"\$download_tmp\""
echo 'exit 1; fi'
fi
if echo "$__target_host" | grep -Eq '^[0-9a-fA-F:]+$' if echo "$__target_host" | grep -Eq '^[0-9a-fA-F:]+$'
then then
@ -146,10 +47,12 @@ else
target_host="$__target_host" target_host="$__target_host"
fi fi
# shellcheck disable=SC2016 printf '%s %s %s:%s\n' \
printf '%s "$download_tmp" %s:%s\n' \
"$__remote_copy" \ "$__remote_copy" \
"$tmp" \
"$target_host" \ "$target_host" \
"$dst" "$dst"
echo "rm -f \"\$download_tmp\"" echo "rm -f '$tmp'"
echo 'downloaded' > "$__messages_out"

View file

@ -6,51 +6,17 @@ state_is="$( cat "$__object/explorer/state" )"
if [ "$download" = 'remote' ] && [ "$state_is" != 'present' ] if [ "$download" = 'remote' ] && [ "$state_is" != 'present' ]
then then
cmd_get="$( cat "$__object/explorer/remote_cmd_get" )" cmd="$( cat "$__object/explorer/remote_cmd" )"
url="$( cat "$__object/parameter/url" )" url="$( cat "$__object/parameter/url" )"
if [ -f "$__object/parameter/destination" ] dst="/$__object_id"
then
dst="$( cat "$__object/parameter/destination" )"
else
dst="/$__object_id"
fi
echo "download_tmp=\"\$( mktemp )\"" printf "$cmd > %s\n" \
"$url" \
"$dst"
# shellcheck disable=SC2059 echo 'downloaded' > "$__messages_out"
printf "$cmd_get > \"\$download_tmp\"\n" "$url"
if [ -f "$__object/parameter/sum" ]
then
sum_should="$( cat "$__object/parameter/sum" )"
if [ -f "$__object/parameter/cmd-sum" ]
then
remote_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
else
remote_cmd_sum="$( cat "$__object/explorer/remote_cmd_sum" )"
if echo "$sum_should" | grep -Fq ':'
then
sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
fi
fi
# shellcheck disable=SC2059
echo "sum_is=\"\$( $( printf "$remote_cmd_sum" "\"\$download_tmp\"" ) )\""
echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
echo "echo 'remote download checksum mismatch' >&2"
echo "rm -f \"\$download_tmp\""
echo 'exit 1; fi'
fi
echo "mv \"\$download_tmp\" '$dst'"
fi fi
if [ -f "$__object/parameter/onchange" ] && [ "$state_is" != "present" ] if [ -f "$__object/parameter/onchange" ] && [ "$state_is" != "present" ]

View file

@ -8,7 +8,10 @@ cdist-type__download - Download a file
DESCRIPTION DESCRIPTION
----------- -----------
By default type will try to use ``curl``, ``fetch`` or ``wget``. Destination (``$__object_id``) in target host must be persistent storage
in order to calculate checksum and decide if file must be (re-)downloaded.
By default type will try to use ``wget``, ``curl`` or ``fetch``.
If download happens in target (see ``--download``) then type will If download happens in target (see ``--download``) then type will
fallback to (and install) ``wget``. fallback to (and install) ``wget``.
@ -16,40 +19,23 @@ If download happens in local machine, then environment variables like
``{http,https,ftp}_proxy`` etc can be used on cdist execution ``{http,https,ftp}_proxy`` etc can be used on cdist execution
(``http_proxy=foo cdist config ...``). (``http_proxy=foo cdist config ...``).
To change downloaded file's owner, group or permissions, use ``require='__download/path/to/file' __file ...``.
REQUIRED PARAMETERS REQUIRED PARAMETERS
------------------- -------------------
url url
File's URL. File's URL.
sum
Checksum of file going to be downloaded.
By default output of ``cksum`` without filename is expected.
Other hash formats supported with prefixes: ``md5:``, ``sha1:`` and ``sha256:``.
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
destination
Downloaded file's destination in target. If unset, ``$__object_id`` is used.
sum
Supported formats: ``cksum`` output without file name, MD5, SHA1 and SHA256.
Type tries to detect hash format with regexes, but prefixes
``cksum:``, ``md5:``, ``sha1:`` and ``sha256:`` are also supported.
Checksum have two purposes - state check and post-download verification.
In state check, if destination checksum mismatches, then content of URL
will be downloaded to temporary file. If downloaded temporary file's
checksum matches, then it will be moved to destination (overwritten).
For local downloads it is expected that usable utilities for checksum
calculation exist in the system.
download download
If ``local`` (default), then file is downloaded to local storage and copied If ``local`` (default), then download file to local storage and copy
to target host. If ``remote``, then download happens in target. it to target host. If ``remote``, then download happens in target.
For local downloads it is expected that usable utilities for downloading
exist in the system. Type will try to use ``curl``, ``fetch`` or ``wget``.
cmd-get cmd-get
Command used for downloading. Command used for downloading.
@ -79,7 +65,7 @@ EXAMPLES
require='__directory/opt/cpma' \ require='__directory/opt/cpma' \
__download /opt/cpma/cnq3.zip \ __download /opt/cpma/cnq3.zip \
--url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \ --url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \
--sum 46da3021ca9eace277115ec9106c5b46 --sum md5:46da3021ca9eace277115ec9106c5b46
require='__download/opt/cpma/cnq3.zip' \ require='__download/opt/cpma/cnq3.zip' \
__unpack /opt/cpma/cnq3.zip \ __unpack /opt/cpma/cnq3.zip \
@ -95,7 +81,7 @@ Ander Punnar <ander-at-kvlt-dot-ee>
COPYING COPYING
------- -------
Copyright \(C) 2021 Ander Punnar. You can redistribute it Copyright \(C) 2020 Ander Punnar. You can redistribute it
and/or modify it under the terms of the GNU General Public License as and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version. License, or (at your option) any later version.

View file

@ -1,6 +1,6 @@
#!/bin/sh -e #!/bin/sh -e
if grep -Eq '^wget' "$__object/explorer/remote_cmd_get" if grep -Eq '^wget' "$__object/explorer/remote_cmd"
then then
__package wget __package wget
fi fi

View file

@ -1,6 +1,4 @@
cmd-get cmd-get
cmd-sum cmd-sum
destination
download download
onchange onchange
sum

View file

@ -1 +1,2 @@
url url
sum

View file

@ -1,7 +1,7 @@
#!/bin/sh -e #!/bin/sh -e
# #
# 2011-2012 Nico Schottelius (nico-cdist at schottelius.org) # 2011-2012 Nico Schottelius (nico-cdist at schottelius.org)
# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc) # 2013 Steven Armstrong (steven-cdist armstrong.cc)
# #
# This file is part of cdist. # This file is part of cdist.
# #
@ -72,7 +72,6 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
if [ "$type" != "file" ]; then if [ "$type" != "file" ]; then
# destination is not a regular file, upload source to replace it # destination is not a regular file, upload source to replace it
upload_file=1 upload_file=1
echo upload >> "$__messages_out"
else else
local_cksum="$(cksum < "$source")" local_cksum="$(cksum < "$source")"
remote_cksum="$(cat "$__object/explorer/cksum")" remote_cksum="$(cat "$__object/explorer/cksum")"
@ -89,39 +88,27 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
mkdir "$__object/files" mkdir "$__object/files"
touch "$__object/files/set-attributes" touch "$__object/files/set-attributes"
if [ "$create_file" ]; then
# When creating an empty file we create it locally and then
# upload it so that permissions can be set before moving the file
# into place.
source="$__object/files/empty"
touch "$source"
fi
# upload file to temp location # upload file to temp location
upload_destination="${destination}.cdist.${__cdist_object_marker}.$$" tempfile_template="${destination}.cdist.XXXXXXXXXX"
# Yes, we are aware that this is a race condition.
# However:
# a) cdist usually writes to directories that are not user writable
# (probably > 99.9%)
# b) if they are user owned, the user / attacker always wins
# (probably < 0.1%)
# c) the only case which we could improve are tmp directories and we
# don't think managing tmp directories with cdist is a typical case
# ("the rest %)"
# Tell gencode-remote to where we uploaded the file so it can move
# it to its final destination.
echo "$upload_destination" > "$__object/files/upload-destination"
# IPv6 fix
if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
then
my_target_host="[${__target_host}]"
else
my_target_host="${__target_host}"
fi
cat << DONE cat << DONE
$__remote_copy "$source" "${my_target_host}:${upload_destination}" destination_upload="\$($__remote_exec $__target_host "mktemp $tempfile_template")"
DONE
if [ "$upload_file" ]; then
echo upload >> "$__messages_out"
# IPv6 fix
if echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$'
then
my_target_host="[${__target_host}]"
else
my_target_host="${__target_host}"
fi
cat << DONE
$__remote_copy "$source" "${my_target_host}:\$destination_upload"
DONE
fi
# move uploaded file into place
cat << DONE
$__remote_exec $__target_host "rm -rf \"$destination\"; mv \"\$destination_upload\" \"$destination\""
DONE DONE
fi fi
fi fi

View file

@ -1,7 +1,7 @@
#!/bin/sh -e #!/bin/sh -e
# #
# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org) # 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc) # 2013 Steven Armstrong (steven-cdist armstrong.cc)
# #
# This file is part of cdist. # This file is part of cdist.
# #
@ -62,13 +62,6 @@ set_mode() {
case "$state_should" in case "$state_should" in
present|exists) present|exists)
if [ -f "$__object/files/upload-destination" ]; then
final_destination="$destination"
# We change the 'global' $destination variable here so we can
# change attributes of the new/uploaded file before moving it
# to it's final destination.
destination="$(cat "$__object/files/upload-destination")"
fi
# Note: Mode - needs to happen last as a chown/chgrp can alter mode by # Note: Mode - needs to happen last as a chown/chgrp can alter mode by
# clearing S_ISUID and S_ISGID bits (see chown(2)) # clearing S_ISUID and S_ISGID bits (see chown(2))
for attribute in group owner mode; do for attribute in group owner mode; do
@ -88,11 +81,6 @@ case "$state_should" in
fi fi
fi fi
done done
if [ -f "$__object/files/upload-destination" ]; then
# move uploaded file into place
printf 'rm -rf "%s"\n' "$final_destination"
printf 'mv "%s" "%s"\n' "$destination" "$final_destination"
fi
if [ -f "$__object/files/set-attributes" ]; then if [ -f "$__object/files/set-attributes" ]; then
# set-attributes is created if file is created or uploaded in gencode-local # set-attributes is created if file is created or uploaded in gencode-local
fire_onchange=1 fire_onchange=1

View file

@ -27,7 +27,7 @@ else
fi fi
case "$os" in case "$os" in
alpine|centos|fedora|gentoo|redhat|suse|ubuntu) alpine|centos|fedora|redhat|suse|gentoo)
if [ ! -x "$(command -v lsblk)" ]; then if [ ! -x "$(command -v lsblk)" ]; then
echo "lsblk is required for __filesystem type" >&2 echo "lsblk is required for __filesystem type" >&2
exit 1 exit 1

View file

@ -1,24 +1,5 @@
#!/bin/sh -e #!/bin/sh
destination="/${__object_id:?}/.git" destination="/$__object_id/.git"
# shellcheck disable=SC2012 stat --print "%G" "${destination}" 2>/dev/null || exit 0
group_gid=$(ls -ldn "${destination}" | awk '{ print $4 }')
# NOTE: +1 because $((notanum)) prints 0.
if test $((group_gid + 1)) -ge 0
then
group_should=$(cat "${__object:?}/parameter/group")
if expr "${group_should}" : '[0-9]*$' >/dev/null
then
printf '%u\n' "${group_gid}"
else
if command -v getent > /dev/null
then
getent group "${group_gid}" | cut -d : -f 1
else
awk -F: -v gid="${group_gid}" '$3 == gid { print $1 }' /etc/group
fi
fi
fi

View file

@ -1,19 +1,5 @@
#!/bin/sh -e #!/bin/sh
destination="/${__object_id:?}/.git" destination="/$__object_id/.git"
# shellcheck disable=SC2012 stat --print "%U" "${destination}" 2>/dev/null || exit 0
owner_uid=$(ls -ldn "${destination}" | awk '{ print $3 }')
# NOTE: +1 because $((notanum)) prints 0.
if test $((owner_uid + 1)) -ge 0
then
owner_should=$(cat "${__object:?}/parameter/owner")
if expr "${owner_should}" : '[0-9]*$' >/dev/null
then
printf '%u\n' "${owner_uid}"
else
printf '%s\n' "$(id -u -n "${owner_uid}")"
fi
fi

View file

@ -15,7 +15,7 @@ case $os in
# Differntation not needed anymore # Differntation not needed anymore
apt_source_distribution=stable apt_source_distribution=stable
;; ;;
10*|11*) 10*)
# Differntation not needed anymore # Differntation not needed anymore
apt_source_distribution=stable apt_source_distribution=stable
;; ;;

View file

@ -1,8 +0,0 @@
frontend http
bind BIND@:80
mode http
option httplog
default_backend http
backend http
mode http

View file

@ -1,10 +0,0 @@
frontend https
bind BIND@:443
mode tcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend https
backend https
mode tcp

View file

@ -1,12 +0,0 @@
frontend imaps
bind BIND@:143
bind BIND@:993
mode tcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend imaps
backend imaps
mode tcp

View file

@ -1,12 +0,0 @@
frontend smtps
bind BIND@:25
bind BIND@:465
mode tcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend smtps
backend smtps
mode tcp

View file

@ -1,121 +0,0 @@
cdist-type__haproxy_dualstack(7)
================================
NAME
----
cdist-type__haproxy_dualstack - Proxy services from a dual-stack server
DESCRIPTION
-----------
This (singleton) type installs and configures haproxy to act as a dual-stack
proxy for single-stack services.
This can be useful to add IPv4 support to IPv6-only services while only using
one IPv4 for many such services.
By default this type uses the plain TCP proxy mode, which means that there is no
need for TLS termination on this host when SNI is supported.
This also means that proxied services will not receive the client's IP address,
but will see the proxy's IP address instead (that of `$__target_host`).
This can be solved by using the PROXY protocol, but do take into account that,
e.g. nginx cannot serve both regular HTTP(S) and PROXY protocols on the same
port, so you will need to use other ports for that.
As a recommendation in this type: use TCP ports 8080 and 591 respectively to
serve HTTP and HTTPS using the PROXY protocol.
See the EXAMPLES for more details.
OPTIONAL PARAMETERS
-------------------
v4proxy
Proxy incoming IPv4 connections to the equivalent IPv6 endpoint.
In its simplest use, it must be a NAME with an `AAAA` DNS entry, which is
the IP address actually providing the proxied services.
The full format of this argument is:
`[proxy:]NAME[[:PROTOCOL_1=PORT_1]...[:PROTOCOL_N=PORT_N]]`
Where starting with `proxy:` determines that the PROXY protocol must be
used and each `:PROTOCOL=PORT` (e.g. `:http=8080` or `:https=591`) is a PORT
override for the given PROTOCOL (see `--protocol`), if not present the
PROTOCOL's default port will be used.
v6proxy
Proxy incoming IPv6 connections to the equivalent IPv4 endpoint.
In its simplest use, it must be a NAME with an `A` DNS entry, which is
the IP address actually providing the proxied services.
See `--v4proxy` for more options and details.
protocol
Can be passed multiple times or as a space-separated list of protocols.
Currently supported protocols are: `http`, `https`, `imaps`, `smtps`.
This defaults to: `http https imaps smtps`.
EXAMPLES
--------
.. code-block:: sh
# Proxy the IPv6-only services so IPv4-only clients can access them
# This uses HAProxy's TCP mode for http, https, imaps and smtps
__haproxy_dualstack \
--v4proxy ipv6.chat \
--v4proxy matrix.ungleich.ch
# Proxy the IPv6-only HTTP(S) services so IPv4-only clients can access them
# Note this means that the backend IPv6-only server will only see
# the IPv6 address of the haproxy host managed by cdist, which can be
# troublesome if this information is relevant for analytics/security/...
# See the PROXY example below
__haproxy_dualstack \
--protocol http --protocol https \
--v4proxy ipv6.chat \
--v4proxy matrix.ungleich.ch
# Use the PROXY protocol to proxy the IPv6-only HTTP(S) services enabling
# IPv4-only clients to access them while maintaining the client's IP address
__haproxy_dualstack \
--protocol http --protocol https \
--v4proxy proxy:ipv6.chat:http=8080:https=591 \
--v4proxy proxy:matrix.ungleich.ch:http=8080:https=591
# Note however that the PROXY protocol is not compatible with regular
# HTTP(S) protocols, so your nginx will have to listen on different ports
# with the PROXY settings.
# Note that you will need to restrict access to the 8080 port to prevent
# Client IP spoofing.
# This can be something like:
# server {
# # listen for regular HTTP connections
# listen [::]:80 default_server;
# listen 80 default_server;
# # listen for PROXY HTTP connections
# listen [::]:8080 proxy_protocol;
# # Accept the Client's IP from the PROXY protocol
# real_ip_header proxy_protocol;
# }
SEE ALSO
--------
- https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
- https://www.haproxy.com/blog/haproxy/proxy-protocol/
- https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
AUTHORS
-------
ungleich <foss--@--ungleich.ch>
Evilham <cvs--@--evilham.com>
COPYING
-------
Copyright \(C) 2021 ungleich glarus ag. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -1,155 +0,0 @@
#!/bin/sh -eu
__package haproxy
require="__package/haproxy" __start_on_boot haproxy
tmpdir="$__object/files"
mkdir "$tmpdir"
configtmp="$__object/files/haproxy.cfg"
os=$(cat "$__global/explorer/os")
case $os in
freebsd)
CONFIG_FILE="/usr/local/etc/haproxy.conf"
cat <<EOF > "$configtmp"
global
maxconn 4000
user nobody
group nogroup
daemon
EOF
;;
*)
CONFIG_FILE="/etc/haproxy/haproxy.cfg"
cat <<EOF > "$configtmp"
global
log [::1] local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
EOF
;;
esac
cat <<EOF >> "$configtmp"
defaults
retries 3
log global
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
EOF
dig_cmd="$(command -v dig || true)"
get_ip() {
# Usage: get_ip (ipv4|ipv6) NAME
# uses "dig" if available, else fallback to "host"
case $1 in
ipv4)
if [ -n "${dig_cmd}" ]; then
${dig_cmd} +short A "$2"
else
host -t A "$2" | cut -d ' ' -f 4 | grep -v 'found:'
fi
;;
ipv6)
if [ -n "${dig_cmd}" ]; then
${dig_cmd} +short AAAA "$2"
else
host -t AAAA "$2" | cut -d ' ' -f 5 | grep -v 'NXDOMAIN'
fi
;;
esac
}
PROTOCOLS="$(cat "$__object/parameter/protocol")"
for proxy in v4proxy v6proxy; do
param=$__object/parameter/$proxy
# no backend? skip generating code
if [ ! -f "$param" ]; then
continue
fi
# turn backend name into bind parameter: v4backend -> ipv4@
bind=$(echo $proxy | sed -e 's/^/ip/' -e 's/proxy//')
case $bind in
ipv4)
backendproto=ipv6
;;
ipv6)
backendproto=ipv4
;;
esac
for proto in ${PROTOCOLS}; do
# Add protocol "header"
printf "\n# %s %s \n" "${bind}" "${proto}" >> "$configtmp"
sed -e "s/BIND/$bind/" \
-e "s/\(frontend[[:space:]].*\)/\1$bind/" \
-e "s/\(backend[[:space:]].*\)/\\1$bind/" \
"$__type/files/$proto" >> "$configtmp"
while read -r hostdefinition; do
if echo "$hostdefinition" | grep -qE '^proxy:'; then
# Proxy protocol was requested
host="$(echo "$hostdefinition" | sed -E 's/^proxy:([^:]+).*$/\1/')"
send_proxy=" send-proxy"
else
# Just use tcp proxy mode
host="$hostdefinition"
send_proxy=""
fi
if echo "$hostdefinition" | grep -qE ":${proto}="; then
# Use custom port definition if requested
port="$(echo "$hostdefinition" | sed -E "s/^(.*:)?${proto}=([0-9]+).*$/:\2/")"
else
# Else use the default
port=""
fi
servername=$host
res=$(get_ip "$bind" "$servername")
if [ -z "$res" ]; then
echo "$servername does not resolve - aborting config" >&2
exit 1
fi
# Treat protocols without TLS+SNI specially
if [ "$proto" = http ]; then
echo " use-server $servername if { hdr(host) -i $host }" >> "$configtmp"
else
echo " use-server $servername if { req_ssl_sni -i $host }" >> "$configtmp"
fi
# Create the "server" itself.
# Note that port and send_proxy will be empty unless
# they were requested by the type user
echo " server $servername ${backendproto}@${host}${port}${send_proxy}" >> "$configtmp"
done < "$param"
done
done
# Create config file
require="__package/haproxy" __file ${CONFIG_FILE} --source "$configtmp" --mode 0644
require="__file${CONFIG_FILE}" __check_messages "haproxy_reload" \
--pattern "^__file${CONFIG_FILE}" \
--execute "service haproxy reload || service haproxy restart"

View file

@ -1 +0,0 @@
http https imaps smtps

View file

@ -1,3 +0,0 @@
protocol
v4proxy
v6proxy

View file

@ -0,0 +1,3 @@
#!/bin/sh -e
command -v certbot 2>/dev/null || true

View file

@ -1,78 +0,0 @@
#!/bin/sh -e
certbot_path="$(command -v certbot 2>/dev/null || true)"
# Defaults
certificate_exists="no"
certificate_is_test="no"
if [ -n "${certbot_path}" ]; then
# Find python executable that has access to certbot's module
python_path=$(sed -n '1s/^#! *//p' "${certbot_path}")
# Use a lock for cdist due to certbot not exiting with failure
# or having any flags for concurrent use.
_certbot() {
${python_path} - 2>/dev/null <<EOF
from certbot.main import main
import fcntl
lock_file = "/tmp/certbot.cdist.lock"
timeout=60
with open(lock_file, 'w') as fd:
for i in range(timeout):
try:
# Get exclusive lock
fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
break
except:
# Wait if that fails
import time
time.sleep(1)
else:
# Timed out, exit with failure
import sys
sys.exit(1)
# Do list certificates
main(["certificates", "--cert-name", "${__object_id:?}"])
EOF
}
_certificate_exists() {
if grep -q " Certificate Name: ${__object_id:?}$"; then
echo yes
else
echo no
fi
}
_certificate_is_test() {
if grep -q 'INVALID: TEST_CERT'; then
echo yes
else
echo no
fi
}
_certificate_domains() {
grep ' Domains: ' | cut -d ' ' -f 6- | tr ' ' '\n'
}
# Get data about all available certificates
certificates="$(_certbot)"
# Check whether or not the certificate exists
certificate_exists="$(echo "${certificates}" | _certificate_exists)"
# Check whether or not the certificate is for testing
certificate_is_test="$(echo "${certificates}" | _certificate_is_test)"
# Get domains for certificate
certificate_domains="$(echo "${certificates}" | _certificate_domains)"
fi
# Return received data
cat <<EOF
certbot_path:${certbot_path}
certificate_exists:${certificate_exists}
certificate_is_test:${certificate_is_test}
${certificate_domains}
EOF

View file

@ -0,0 +1,8 @@
#!/bin/sh -e
certbot_path=$("${__type_explorer}/certbot-path")
if [ -n "${certbot_path}" ]
then
certbot certificates --cert-name "${__object_id:?}" | grep ' Domains: ' | \
cut -d ' ' -f 6- | tr ' ' '\n'
fi

View file

@ -0,0 +1,13 @@
#!/bin/sh -e
certbot_path=$("${__type_explorer}/certbot-path")
if [ -n "${certbot_path}" ]
then
if certbot certificates | grep -q " Certificate Name: ${__object_id:?}$"; then
echo yes
else
echo no
fi
else
echo no
fi

View file

@ -0,0 +1,14 @@
#!/bin/sh -e
certbot_path=$("${__type_explorer}/certbot-path")
if [ -n "${certbot_path}" ]
then
if certbot certificates --cert-name "${__object_id:?}" | \
grep -q 'INVALID: TEST_CERT'; then
echo yes
else
echo no
fi
else
echo no
fi

View file

@ -1,84 +0,0 @@
#!/bin/sh -e
# It is expected that this defines hook_contents
# Reasonable defaults
hook_source="${__object}/parameter/${hook}-hook"
hook_state="absent"
hook_contents_head="#!/bin/sh -e"
hook_contents_logic=""
hook_contents_tail=""
# Backwards compatibility
# Remove this when renew-hook is removed
# Falling back to renew-hook if deploy-hook is not passed
if [ "${hook}" = "deploy" ] && [ ! -f "${hook_source}" ]; then
hook_source="${__object}/parameter/renew-hook"
fi
if [ "${state}" = "present" ] && \
[ -f "${hook_source}" ]; then
# This hook is to be installed, let's generate it with some
# safety boilerplate
# Since certbot runs all hooks for all renewal processes
# (at each state for deploy, pre, post), it is up to us to
# differentiate whether or not the hook must run
hook_state="present"
hook_contents_head="$(cat <<EOF
#!/bin/sh -e
#
# Managed remotely with https://cdi.st
#
# Domains for which this hook is supposed to apply
lineage="${LE_DIR}/live/${__object_id}"
domains="\$(cat <<eof
${domains}
eof
)"
EOF
)"
case "${hook}" in
pre|post)
# Certbot is kind of terrible, we have
# no way of knowing what domain/lineage the
# hook is running for
hook_contents_logic="$(cat <<EOF
# pre/post-hooks apply always due to a certbot limitation
APPLY_HOOK="YES"
EOF
)"
;;
deploy)
hook_contents_logic="$(cat <<EOF
# certbot defines these environment variables:
# RENEWED_DOMAINS="DOMAIN1 DOMAIN2"
# RENEWED_LINEAGE="/etc/letsencrypt/live/__object_id"
# It feels more stable to use RENEWED_LINEAGE
if [ "\${lineage}" = "\${RENEWED_LINEAGE}" ]; then
APPLY_HOOK="YES"
fi
EOF
)"
;;
*)
echo "Unknown hook '${hook}'" >> /dev/stderr
exit 1
;;
esac
hook_contents_tail="$(cat <<EOF
if [ -n "\${APPLY_HOOK}" ]; then
# Messing with indentation can eff up the users' scripts, let's not
$(cat "${hook_source}")
fi
EOF
)"
fi
hook_contents="$(cat <<EOF
${hook_contents_head}
${hook_contents_logic}
${hook_contents_tail}
EOF
)"

View file

@ -1,10 +1,6 @@
#!/bin/sh -e #!/bin/sh -e
_explorer_var() { certificate_exists=$(cat "${__object:?}/explorer/certificate-exists")
grep "^$1:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-
}
certificate_exists="$(_explorer_var certificate_exists)"
name="${__object_id:?}" name="${__object_id:?}"
state=$(cat "${__object}/parameter/state") state=$(cat "${__object}/parameter/state")
@ -33,9 +29,8 @@ case "${state}" in
fi fi
if [ "${certificate_exists}" = "yes" ]; then if [ "${certificate_exists}" = "yes" ]; then
existing_domains=$(mktemp "${TMPDIR:-/tmp}/existing_domains.cdist.XXXXXXXXXX") existing_domains="${__object}/explorer/certificate-domains"
tail -n +4 "${__object:?}/explorer/certificate-data" | grep -v '^$' > "${existing_domains}" certificate_is_test=$(cat "${__object}/explorer/certificate-is-test")
certificate_is_test="$(_explorer_var certificate_is_test)"
sort -uo "${requested_domains}" "${requested_domains}" sort -uo "${requested_domains}" "${requested_domains}"
sort -uo "${existing_domains}" "${existing_domains}" sort -uo "${existing_domains}" "${existing_domains}"

View file

@ -1,33 +1,16 @@
cdist-type__letsencrypt_cert(7) cdist-type__letsencrypt_cert(7)
=============================== ===============================
NAME NAME
---- ----
cdist-type__letsencrypt_cert - Get an SSL certificate from Let's Encrypt cdist-type__letsencrypt_cert - Get an SSL certificate from Let's Encrypt
DESCRIPTION DESCRIPTION
----------- -----------
Automatically obtain a Let's Encrypt SSL certificate using Certbot. Automatically obtain a Let's Encrypt SSL certificate using Certbot.
This type attempts to setup automatic renewals always. In many Linux
distributions, that is the case out of the box, see:
https://certbot.eff.org/docs/using.html#automated-renewals
For Alpine Linux and Arch Linux, we setup a system-wide cronjob that
attempts to renew certificates daily.
If you are using FreeBSD, we configure periodic(8) as recommended by
the port mantainer, so there will be a weekly attempt at renewal.
If your OS is not mentioned here or on Certbot's docs as having
support for automated renewals, please make sure you check your OS
and possibly patch this type so the system-wide cronjob is installed.
REQUIRED PARAMETERS REQUIRED PARAMETERS
------------------- -------------------
@ -38,7 +21,6 @@ object id
admin-email admin-email
Where to send Let's Encrypt emails like "certificate needs renewal". Where to send Let's Encrypt emails like "certificate needs renewal".
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
@ -54,68 +36,25 @@ webroot
The path to your webroot, as set up in your webserver config. If this The path to your webroot, as set up in your webserver config. If this
parameter is not present, Certbot will be run in standalone mode. parameter is not present, Certbot will be run in standalone mode.
OPTIONAL MULTIPLE PARAMETERS OPTIONAL MULTIPLE PARAMETERS
---------------------------- ----------------------------
renew-hook
Renew hook command directly passed to Certbot in cron job.
domain domain
Domains to be included in the certificate. When specified then object id Domains to be included in the certificate. When specified then object id
is not used as a domain. is not used as a domain.
deploy-hook
Command to be executed only when the certificate associated with this
``$__object_id`` is issued or renewed.
You can specify it multiple times, but any failure will prevent further
commands from being executed.
For this command, the
shell variable ``$RENEWED_LINEAGE`` will point to the
config live subdirectory (for example,
``/etc/letsencrypt/live/${__object_id}``) containing the
new certificates and keys; the shell variable
``$RENEWED_DOMAINS`` will contain a space-delimited list
of renewed certificate domains (for example,
``example.com www.example.com``)
pre-hook
Command to be run in a shell before obtaining any
certificates.
You can specify it multiple times, but any failure will prevent further
commands from being executed.
Note these run regardless of which certificate is attempted, you may want to
manage these system-wide hooks with ``__file`` in
``/etc/letsencrypt/renewal-hooks/pre/``.
Intended primarily for renewal, where it
can be used to temporarily shut down a webserver that
might conflict with the standalone plugin. This will
only be called if a certificate is actually to be
obtained/renewed.
post-hook
Command to be run in a shell after attempting to
obtain/renew certificates.
You can specify it multiple times, but any failure will prevent further
commands from being executed.
Note these run regardless of which certificate was attempted, you may want to
manage these system-wide hooks with ``__file`` in
``/etc/letsencrypt/renewal-hooks/post/``.
Can be used to deploy
renewed certificates, or to restart any servers that
were stopped by --pre-hook. This is only run if an
attempt was made to obtain/renew a certificate.
BOOLEAN PARAMETERS BOOLEAN PARAMETERS
------------------ ------------------
automatic-renewal
Install a cron job, which attempts to renew certificates daily.
staging staging
Obtain a test certificate from a staging server. Obtain a test certificate from a staging server.
MESSAGES MESSAGES
-------- --------
@ -128,7 +67,6 @@ create
remove remove
Certificate was removed. Certificate was removed.
EXAMPLES EXAMPLES
-------- --------
@ -137,7 +75,8 @@ EXAMPLES
# use object id as domain # use object id as domain
__letsencrypt_cert example.com \ __letsencrypt_cert example.com \
--admin-email root@example.com \ --admin-email root@example.com \
--deploy-hook "service nginx reload" \ --automatic-renewal \
--renew-hook "service nginx reload" \
--webroot /data/letsencrypt/root --webroot /data/letsencrypt/root
.. code-block:: sh .. code-block:: sh
@ -146,10 +85,11 @@ EXAMPLES
# and example.com needs to be included again with domain parameter # and example.com needs to be included again with domain parameter
__letsencrypt_cert example.com \ __letsencrypt_cert example.com \
--admin-email root@example.com \ --admin-email root@example.com \
--automatic-renewal \
--domain example.com \ --domain example.com \
--domain foo.example.com \ --domain foo.example.com \
--domain bar.example.com \ --domain bar.example.com \
--deploy-hook "service nginx reload" \ --renew-hook "service nginx reload" \
--webroot /data/letsencrypt/root --webroot /data/letsencrypt/root
AUTHORS AUTHORS
@ -159,13 +99,11 @@ AUTHORS
| Kamila Součková <kamila--@--ksp.sk> | Kamila Součková <kamila--@--ksp.sk>
| Darko Poljak <darko.poljak--@--gmail.com> | Darko Poljak <darko.poljak--@--gmail.com>
| Ľubomír Kučera <lubomir.kucera.jr at gmail.com> | Ľubomír Kučera <lubomir.kucera.jr at gmail.com>
| Evilham <contact@evilham.com>
COPYING COPYING
------- -------
Copyright \(C) 2017-2021 Nico Schottelius, Kamila Součková, Darko Poljak and Copyright \(C) 2017-2018 Nico Schottelius, Kamila Součková, Darko Poljak and
Ľubomír Kučera. You can redistribute it and/or modify it under the terms of Ľubomír Kučera. You can redistribute it and/or modify it under the terms of
the GNU General Public License as published by the Free Software Foundation, the GNU General Public License as published by the Free Software Foundation,
either version 3 of the License, or (at your option) any later version. either version 3 of the License, or (at your option) any later version.

106
cdist/conf/type/__letsencrypt_cert/manifest Normal file → Executable file
View file

@ -1,20 +1,18 @@
#!/bin/sh #!/bin/sh
certbot_fullpath="$(grep "^certbot_path:" "${__object:?}/explorer/certificate-data" | cut -d ':' -f 2-)" certbot_fullpath="$(cat "${__object:?}/explorer/certbot-path")"
state=$(cat "${__object}/parameter/state")
os="$(cat "${__global:?}/explorer/os")"
if [ -z "${certbot_fullpath}" ]; then if [ -z "${certbot_fullpath}" ]; then
os="$(cat "${__global:?}/explorer/os")"
os_version="$(cat "${__global}/explorer/os_version")" os_version="$(cat "${__global}/explorer/os_version")"
# Use this, very common value, as a default. It is OS-dependent
certbot_fullpath="/usr/bin/certbot"
case "$os" in case "$os" in
archlinux) archlinux)
__package certbot __package certbot
;; ;;
alpine) alpine)
__package certbot __package certbot
;; ;;
debian) debian)
case "$os_version" in case "$os_version" in
8*) 8*)
@ -41,7 +39,7 @@ if [ -z "${certbot_fullpath}" ]; then
require="__apt_source/stretch-backports" __package_apt certbot \ require="__apt_source/stretch-backports" __package_apt certbot \
--target-release stretch-backports --target-release stretch-backports
;; ;;
10*|11*) 10*)
__package_apt certbot __package_apt certbot
;; ;;
@ -50,7 +48,9 @@ if [ -z "${certbot_fullpath}" ]; then
exit 1 exit 1
;; ;;
esac esac
;;
certbot_fullpath=/usr/bin/certbot
;;
devuan) devuan)
case "$os_version" in case "$os_version" in
jessie) jessie)
@ -83,14 +83,17 @@ if [ -z "${certbot_fullpath}" ]; then
exit 1 exit 1
;; ;;
esac esac
certbot_fullpath=/usr/bin/certbot
;; ;;
freebsd) freebsd)
__package py39-certbot __package py27-certbot
certbot_fullpath="/usr/local/bin/certbot"
certbot_fullpath=/usr/local/bin/certbot
;; ;;
ubuntu) ubuntu)
__package certbot __package certbot
;; ;;
*) *)
echo "Unsupported os: $os" >&2 echo "Unsupported os: $os" >&2
exit 1 exit 1
@ -98,61 +101,18 @@ if [ -z "${certbot_fullpath}" ]; then
esac esac
fi fi
# Other OS-dependent values that we want to set every time if [ -f "${__object}/parameter/automatic-renewal" ]; then
LE_DIR="/etc/letsencrypt" renew_hook_param="${__object}/parameter/renew-hook"
certbot_cronjob_state="absent" renew_hook=""
case "$os" in if [ -f "${renew_hook_param}" ]; then
archlinux|alpine) while read -r hook; do
certbot_cronjob_state="present" renew_hook="${renew_hook} --renew-hook \"${hook}\""
;; done < "${renew_hook_param}"
freebsd) fi
LE_DIR="/usr/local/etc/letsencrypt"
# FreeBSD uses periodic(8) instead of crontabs for this
__line "periodic.conf_weekly_certbot" \
--file "/etc/periodic.conf" \
--regex "^(#[[:space:]]*)?weekly_certbot_enable=.*" \
--state "replace" \
--line 'weekly_certbot_enable="YES"'
;;
*)
;;
esac
# This is only necessary in certain OS __cron letsencrypt-certbot \
__cron letsencrypt-certbot \ --user root \
--user root \ --command "${certbot_fullpath} renew -q ${renew_hook}" \
--command "${certbot_fullpath} renew -q" \ --hour 0 \
--hour 0 \ --minute 47
--minute 47 \
--state "${certbot_cronjob_state}"
# Ensure hook directories
HOOKS_DIR="${LE_DIR}/renewal-hooks"
__directory "${LE_DIR}" --mode 0755
require="__directory/${LE_DIR}" __directory "${HOOKS_DIR}" --mode 0755
if [ -f "${__object}/parameter/domain" ]; then
domains="$(sort "${__object}/parameter/domain")"
else
domains="${__object_id}"
fi fi
# Install hooks as needed
for hook in deploy pre post; do
# Using something unique and specific to this object
hook_file="${HOOKS_DIR}/${hook}/${__object_id}.cdist.sh"
# This defines hook_contents
# shellcheck source=cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh
. "${__type}/files/gen_hook.sh"
# Ensure hook directory exists
require="__directory/${HOOKS_DIR}" __directory "${HOOKS_DIR}/${hook}" \
--mode 0755
require="__directory/${HOOKS_DIR}/${hook}" __file "${hook_file}" \
--mode 0555 \
--source '-' \
--state "${hook_state}" <<EOF
${hook_contents}
EOF
done

View file

@ -1,2 +0,0 @@
Deprecated in favour of consistent behaviour. It has no effect, see:
https://code.ungleich.ch/ungleich-public/cdist/-/issues/853

View file

@ -1,2 +0,0 @@
This parameter has been deprecated in favour of --deploy-hook.
See: https://code.ungleich.ch/ungleich-public/cdist/-/issues/853

View file

@ -1,5 +1,2 @@
deploy-hook
domain domain
post-hook
pre-hook
renew-hook renew-hook

View file

@ -81,24 +81,12 @@ aptget="DEBIAN_FRONTEND=noninteractive apt-get --quiet --yes -o Dpkg::Options::=
case "$state_should" in case "$state_should" in
present) present)
# There are special arguments to apt(8) to prevent aborts if apt woudn't been
# updated after the 19th April 2021 till the bullseye release. The additional
# arguments acknoledge the happend suite change (the apt(8) update does the
# same by itself).
#
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
# allows backward compatablility to pre-buster Debian versions.
#
# See more: ticket #861
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
# following is bit ugly, but important hack. # following is bit ugly, but important hack.
# due to how cdist config run works, there isn't # due to how cdist config run works, there isn't
# currently better way to do it :( # currently better way to do it :(
cat << EOF cat << EOF
if [ ! -f /var/cache/apt/pkgcache.bin ] || [ "\$( stat --format %Y /var/cache/apt/pkgcache.bin )" -lt "\$( date +%s -d '-1 day' )" ] if [ ! -f /var/cache/apt/pkgcache.bin ] || [ "\$( stat --format %Y /var/cache/apt/pkgcache.bin )" -lt "\$( date +%s -d '-1 day' )" ]
then echo apt-get $apt_opts update > /dev/null 2>&1 || true then echo apt-get update > /dev/null 2>&1 || true
fi fi
EOF EOF
if [ -n "$version" ]; then if [ -n "$version" ]; then

View file

@ -19,5 +19,5 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>. # along with cdist. If not, see <http://www.gnu.org/licenses/>.
# #
__package luarocks --state present __package luarocks --state installed
__package make --state present __package make --state installed

View file

@ -1,45 +0,0 @@
#!/bin/sh
#
# 2021 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
nameparam="$__object/parameter/name"
if [ -f "$nameparam" ]; then
name=$(cat "$nameparam")
else
name="$__object_id"
fi
pipparam="$__object/parameter/pip"
if [ -f "$pipparam" ]; then
pip=$(cat "$pipparam")
else
pip="$( "$__type_explorer/pip" )"
fi
if command -v "$pip" >/dev/null 2>&1; then
# assemble the path where pip stores all pip package info
"$pip" show "$name" \
| awk -F': ' '
$1 == "Name" {name=$2; gsub(/-/,"_",name); next}
$1 == "Version" {version=$2; next}
$1 == "Location" {location=$2; next}
END {if (version != "") printf "%s/%s-%s.dist-info", location, name, version}'
fi

View file

@ -1,66 +0,0 @@
#!/bin/sh
#
# 2021 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Checks if the given extras are really installed or not. It will be
# done by querring all dependencies for that extra and return it as
# "to be installed" if no dependency was found.
#
distinfo_dir="$("$__type_explorer/distinfo-dir")"
# check if we have something to check
if [ "$distinfo_dir" ] && [ -s "$__object/parameter/extra" ]
then
# save cause freezing is slow
mkdir "$__object/files"
pip_freeze="$__object/files/pip-freeze.tmp"
pip3 freeze > "$pip_freeze"
# If all is set, it searches all available extras to separatly check them.
# It would work with just 'all' (cause dependencies are specified for
# 'all'), but will not update if one extra is already present. Side effect
# is that it will not use [all] but instead name all extras seperatly.
for extra in $(if grep -qFx all "$__object/parameter/extra";
then awk -F': ' '$1 == "Provides-Extra" && $2 != "all"{print $2}' "$distinfo_dir/METADATA";
else tr ',' '\n' < "$__object/parameter/extra";
fi)
do
# create a grep BRE pattern to search all packages
# maybe a file full of patterns for -F could be written
grep_pattern="$(
awk -F'(: | ; )' -v check="$extra" '
$1 == "Requires-Dist" {
split($2, r, " ");
sub("extra == ", "", $3); gsub("'"'"'", "", $3);
if($3 == check) print r[1]
}' "$distinfo_dir/METADATA" \
| sed ':a; $!N; s/\n/\\|/; ta'
)"
# echo the extra if no packages where found for it
# if there is no pattern, we don't need to search ;-)
# pip matches packages case-insensetive, we need to do that, too
if [ "$grep_pattern" ] && ! grep -qi "$grep_pattern" "$pip_freeze"
then
echo "$extra"
fi
done
fi

0
cdist/conf/type/__package_pip/explorer/state Executable file → Normal file
View file

View file

@ -2,7 +2,6 @@
# #
# 2012 Nico Schottelius (nico-cdist at schottelius.org) # 2012 Nico Schottelius (nico-cdist at schottelius.org)
# 2016 Darko Poljak (darko.poljak at gmail.com) # 2016 Darko Poljak (darko.poljak at gmail.com)
# 2021 Matthias Stecher (matthiasstecher at gmx.de)
# #
# This file is part of cdist. # This file is part of cdist.
# #
@ -26,10 +25,7 @@
state_is=$(cat "$__object/explorer/state") state_is=$(cat "$__object/explorer/state")
state_should="$(cat "$__object/parameter/state")" state_should="$(cat "$__object/parameter/state")"
# short circuit if state is the same and no extras to install [ "$state_is" = "$state_should" ] && exit 0
[ "$state_is" = "$state_should" ] && ! [ -s "$__object/explorer/extras" ] \
&& exit 0
nameparam="$__object/parameter/name" nameparam="$__object/parameter/name"
if [ -f "$nameparam" ]; then if [ -f "$nameparam" ]; then
@ -60,14 +56,6 @@ fi
case "$state_should" in case "$state_should" in
present) present)
if [ -s "$__object/explorer/extras" ]
then
# all extras are passed to pip in a comma-separated list in the name
# sed loops through all input lines and add commas between them
extras="$(sed ':a; $!N; s/\n/,/; ta' "$__object/explorer/extras")"
name="${name}[${extras}]"
fi
if [ "$runas" ] if [ "$runas" ]
then then
echo "su -c '$pip install -q $name' $runas" echo "su -c '$pip install -q $name' $runas"

View file

@ -22,16 +22,6 @@ OPTIONAL PARAMETERS
name name
If supplied, use the name and not the object id as the package name. If supplied, use the name and not the object id as the package name.
extra
Extra optional dependencies which should be installed along the selected
package. Can be specified multiple times. Multiple extras can be passed
in one `--extra` as a comma-separated list.
Extra optional dependencies will be installed even when the base package
is already installed. Notice that the type will not remove installed extras
that are not explicitly named for the type because pip does not offer a
management for orphaned packages and they may be used by other packages.
pip pip
Instead of using pip from PATH, use the specific pip path. Instead of using pip from PATH, use the specific pip path.
@ -56,14 +46,6 @@ EXAMPLES
# Use pip in a virtualenv located at /foo/shinken_virtualenv as user foo # Use pip in a virtualenv located at /foo/shinken_virtualenv as user foo
__package_pip pyro --state present --pip /foo/shinken_virtualenv/bin/pip --runas foo __package_pip pyro --state present --pip /foo/shinken_virtualenv/bin/pip --runas foo
# Install package with optional dependencies
__package_pip mautrix-telegram --extra speedups --extra webp_convert --extra hq_thumbnails
# the extras can also be specified comma-separated
__package_pip mautrix-telegram --extra speedups,webp_convert,hq_thumbnails --extra postgres
# or take all extras
__package_pip mautrix-telegram --extra all
SEE ALSO SEE ALSO
-------- --------
@ -72,13 +54,12 @@ SEE ALSO
AUTHORS AUTHORS
------- -------
| Nico Schottelius <nico-cdist--@--schottelius.org> Nico Schottelius <nico-cdist--@--schottelius.org>
| Matthias Stecher <matthiasstecher--@--gmx.de>
COPYING COPYING
------- -------
Copyright \(C) 2012 Nico Schottelius, 2021 Matthias Stecher. You can Copyright \(C) 2012 Nico Schottelius. You can redistribute it
redistribute it and/or modify it under the terms of the GNU General and/or modify it under the terms of the GNU General Public License as
Public License as published by the Free Software Foundation, either published by the Free Software Foundation, either version 3 of the
version 3 of the License, or (at your option) any later version. License, or (at your option) any later version.

View file

@ -37,7 +37,6 @@ assert () # If condition false,
then then
echo "Assertion failed: \"$1\"" echo "Assertion failed: \"$1\""
# shellcheck disable=SC2039 # shellcheck disable=SC2039
# shellcheck disable=SC3044
echo "File \"$0\", line $lineno, called by $(caller 0)" echo "File \"$0\", line $lineno, called by $(caller 0)"
exit $E_ASSERT_FAILED exit $E_ASSERT_FAILED
fi fi

View file

@ -41,19 +41,7 @@ fi
case "$type" in case "$type" in
yum) ;; yum) ;;
apt) apt)
# There are special arguments to apt(8) to prevent aborts if apt woudn't been echo "apt-get --quiet update"
# updated after the 19th April 2021 till the bullseye release. The additional
# arguments acknoledge the happend suite change (the apt(8) update does the
# same by itself).
#
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
# allows backward compatablility to pre-buster Debian versions.
#
# See more: ticket #861
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
echo "apt-get --quiet $apt_opts update"
echo "apt-cache updated (age was: $currage)" >> "$__messages_out" echo "apt-cache updated (age was: $currage)" >> "$__messages_out"
;; ;;
pacman) pacman)

View file

@ -28,10 +28,6 @@ apt_clean="$__object/parameter/apt-clean"
apt_dist_upgrade="$__object/parameter/apt-dist-upgrade" apt_dist_upgrade="$__object/parameter/apt-dist-upgrade"
if [ -f "$__object/parameter/apt-with-new-pkgs" ]; then
apt_with_new_pkgs="--with-new-pkgs"
fi
if [ -f "$type" ]; then if [ -f "$type" ]; then
type="$(cat "$type")" type="$(cat "$type")"
else else
@ -58,7 +54,7 @@ case "$type" in
apt) apt)
if [ -f "$apt_dist_upgrade" ] if [ -f "$apt_dist_upgrade" ]
then echo "$aptget dist-upgrade" then echo "$aptget dist-upgrade"
else echo "$aptget $apt_with_new_pkgs upgrade" else echo "$aptget upgrade"
fi fi
if [ -f "$apt_clean" ] if [ -f "$apt_clean" ]

View file

@ -33,14 +33,6 @@ BOOLEAN PARAMETERS
apt-dist-upgrade apt-dist-upgrade
Do dist-upgrade instead of upgrade. Do dist-upgrade instead of upgrade.
apt-with-new-pkg
Allow installing new packages when used in conjunction with
upgrade. This is useful if the update of an installed package
requires new dependencies to be installed. Instead of holding the
package back upgrade will upgrade the package and install the new
dependencies. Note that upgrade with this option will never remove
packages, only allow adding new ones.
apt-clean apt-clean
Clean out the local repository of retrieved package files. Clean out the local repository of retrieved package files.

View file

@ -1,3 +1,2 @@
apt-clean apt-clean
apt-dist-upgrade apt-dist-upgrade
apt-with-new-pkgs

Some files were not shown because too many files have changed in this diff Show more