Compare commits

..

1 commit

Author SHA1 Message Date
282e051c00 Import __coturn type from ungleich's dot-cdist 2020-04-07 22:07:45 +02:00
394 changed files with 3025 additions and 11534 deletions

2
.gitattributes vendored
View file

@ -4,5 +4,5 @@
docs/speeches export-ignore
docs/video export-ignore
docs/src/man7 export-ignore
bin/cdist-build-helper export-ignore
bin/build-helper export-ignore
README-maintainers export-ignore

View file

@ -1,23 +1,18 @@
---
image: code.ungleich.ch:5050/ungleich-public/cdist/cdist-ci:latest
stages:
- test
before_script:
- ./bin/cdist-build-helper version
shellcheck:
stage: test
script:
- ./bin/cdist-build-helper shellcheck
pycodestyle:
stage: test
script:
- ./bin/cdist-build-helper pycodestyle
unit_tests:
stage: test
script:
- ./bin/cdist-build-helper test
- ./bin/build-helper version
- ./bin/build-helper test
pycodestyle:
stage: test
script:
- ./bin/build-helper pycodestyle
shellcheck:
stage: test
script:
- ./bin/build-helper shellcheck

View file

@ -35,9 +35,9 @@ DOCS_SRC_DIR=./docs/src
SPEECHDIR=./docs/speeches
TYPEDIR=./cdist/conf/type
SPHINXM=$(MAKE) -C $(DOCS_SRC_DIR) man
SPHINXH=$(MAKE) -C $(DOCS_SRC_DIR) html
SPHINXC=$(MAKE) -C $(DOCS_SRC_DIR) clean
SPHINXM=make -C $(DOCS_SRC_DIR) man
SPHINXH=make -C $(DOCS_SRC_DIR) html
SPHINXC=make -C $(DOCS_SRC_DIR) clean
################################################################################
# Manpages
@ -81,7 +81,7 @@ version:
}
# Manpages #3: generic part
man: version configskel $(MANTYPES) $(DOCSREF) $(DOCSTYPESREF)
man: version $(MANTYPES) $(DOCSREF)
$(SPHINXM)
html: version configskel $(MANTYPES) $(DOCSREF) $(DOCSTYPESREF)
@ -104,7 +104,7 @@ DOTMANTYPES=$(subst /man.rst,.rst,$(DOTMANTYPEPREFIX))
$(DOTMAN7DSTDIR)/cdist-type%.rst: $(DOTTYPEDIR)/%/man.rst
ln -sf "$^" $@
dotman: version configskel $(DOTMANTYPES) $(DOCSREF) $(DOCSTYPESREF)
dotman: version $(DOTMANTYPES)
$(SPHINXM)
################################################################################

7
README Normal file
View file

@ -0,0 +1,7 @@
cdist
-----
cdist is a usable configuration management system.
For the web documentation have a look at https://www.cdi.st/
or at docs/src for reStructuredText manual.

View file

@ -1,4 +1,4 @@
Maintainers should use ./bin/cdist-build-helper script.
Maintainers should use ./bin/build-helper script.
Makefile is intended for end users. It can be used for non-maintaining
targets that can be run from pure source (without git repository).

View file

@ -1,31 +0,0 @@
# cdist
**cdist** is a usable configuration management system.
It adheres to the [**KISS principle**](https://en.wikipedia.org/wiki/KISS_principle)
and is being used in small up to enterprise grade environments.
For more information have a look at [**homepage**](https://cdi.st)
or at **``docs/src``** for manual in **reStructuredText** format.
## Contributing
Merge/Pull requests can be made in both
[upstream **GitLab**](https://code.ungleich.ch/ungleich-public/cdist/merge_requests)
(managed by [**ungleich**](https://ungleich.ch))
and [**GitHub** project](https://github.com/ungleich/cdist/pulls).
Issues can be made and other project management activites happen
[**only in GitLab**](https://code.ungleich.ch/ungleich-public/cdist)
(needs [**ungleich** account](https://account.ungleich.ch)).
For community-maintained types there is
[**cdist-contrib** project](https://code.ungleich.ch/ungleich-public/cdist-contrib).
## Participating
IRC: ``#cdist`` @ [libera](https://libera.chat)
Matrix: ``#cdist:ungleich.ch``
Matrix and IRC are bridged.

View file

@ -1,6 +1,6 @@
#!/bin/sh
#
# 2011-2022 Nico Schottelius (nico-cdist at schottelius.org)
# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2016-2019 Darko Poljak (darko.poljak at gmail.com)
#
# This file is part of cdist.
@ -45,7 +45,7 @@ usage() {
shellcheck-manifests
shellcheck-local-gencodes
shellcheck-remote-gencodes
shellcheck-bin
shellcheck-scripts
shellcheck-gencodes
shellcheck-types
shellcheck
@ -100,7 +100,7 @@ case "$option" in
if (\$0 ~ /^$end/) {
exit
} else {
print \$0
print \$0
}
}
}" "$basedir/docs/changelog"
@ -135,7 +135,7 @@ case "$option" in
version=$1; shift
(
(
cat << eof
Subject: cdist $version has been released
@ -336,7 +336,7 @@ eof
make docs-clean
make docs
#############################################################
#############################################################
# Everything green, let's do the release
# Tag the current commit
@ -371,6 +371,7 @@ eof
Manual steps post release:
- cdist-web
- send generated mailinglist.tmp mail
- twitter
eof
;;
@ -405,7 +406,7 @@ eof
;;
pycodestyle|pep8)
pycodestyle "${basedir}" "${basedir}/bin/cdist"
pycodestyle "${basedir}" "${basedir}/scripts/cdist"
;;
check-pycodestyle)
@ -460,34 +461,27 @@ eof
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
;;
# NOTE: shellcheck-scripts is kept for compatibility
shellcheck-bin|shellcheck-scripts)
shellcheck-scripts)
# shellcheck disable=SC2086
${SHELLCHECKCMD} bin/cdist-dump bin/cdist-new-type > "${SHELLCHECKTMP}"
${SHELLCHECKCMD} scripts/cdist-dump scripts/cdist-new-type > "${SHELLCHECKTMP}"
test ! -s "${SHELLCHECKTMP}" || { cat "${SHELLCHECKTMP}"; exit 1; }
;;
shellcheck-gencodes)
errors=false
"$0" shellcheck-local-gencodes || errors=true
"$0" shellcheck-remote-gencodes || errors=true
! $errors || exit 1
"$0" shellcheck-local-gencodes || exit 1
"$0" shellcheck-remote-gencodes || exit 1
;;
shellcheck-types)
errors=false
"$0" shellcheck-type-explorers || errors=true
"$0" shellcheck-manifests || errors=true
"$0" shellcheck-gencodes || errors=true
! $errors || exit 1
"$0" shellcheck-type-explorers || exit 1
"$0" shellcheck-manifests || exit 1
"$0" shellcheck-gencodes || exit 1
;;
shellcheck)
errors=false
"$0" shellcheck-global-explorers || errors=true
"$0" shellcheck-types || errors=true
"$0" shellcheck-bin || errors=true
! $errors || exit 1
"$0" shellcheck-global-explorers || exit 1
"$0" shellcheck-types || exit 1
"$0" shellcheck-scripts || exit 1
;;
shellcheck-type-files)
@ -497,14 +491,12 @@ eof
;;
shellcheck-with-files)
errors=false
"$0" shellcheck || errors=true
"$0" shellcheck-type-files || errors=true
! $errors || exit 1
"$0" shellcheck || exit 1
"$0" shellcheck-type-files || exit 1
;;
shellcheck-build-helper)
${SHELLCHECKCMD} ./bin/cdist-build-helper
${SHELLCHECKCMD} ./bin/build-helper
;;
check-shellcheck)
@ -534,8 +526,7 @@ eof
;;
version)
target_version="$(git describe | sed 's/-/.dev/; s/-/+/g')"
printf "VERSION = \"%s\"\n" "${target_version}" > cdist/version.py
printf "VERSION = \"%s\"\n" "$(git describe)" > cdist/version.py
;;
target-version)

View file

@ -1,8 +1,7 @@
#!/usr/bin/env python3
#!/bin/sh
# -*- coding: utf-8 -*-
#
# 2010-2016 Nico Schottelius (nico-cdist at schottelius.org)
# 2016 Darko Poljak (darko.poljak at gmail.com)
# 2012 Nico Schottelius (nico-cdist at schottelius.org)
#
# This file is part of cdist.
#
@ -21,83 +20,14 @@
#
#
import logging
import os
import sys
# Wrapper for real script to allow execution from checkout
dir=${0%/*}
# See if this file's parent is cdist module
# and if so add it to module search path.
cdist_dir = os.path.realpath(
os.path.join(
os.path.dirname(os.path.realpath(__file__)),
os.pardir))
cdist_init_dir = os.path.join(cdist_dir, 'cdist', '__init__.py')
if os.path.exists(cdist_init_dir):
sys.path.insert(0, cdist_dir)
# Ensure version is present - the bundled/shipped version contains a static version,
# the git version contains a dynamic version
"$dir/build-helper" version
import cdist # noqa 402
import cdist.argparse # noqa 402
import cdist.banner # noqa 402
import cdist.config # noqa 402
import cdist.install # noqa 402
import cdist.shell # noqa 402
import cdist.inventory # noqa 402
libdir=$(cd "${dir}/../" && pwd -P)
export PYTHONPATH="${libdir}"
def commandline():
"""Parse command line"""
# preos subcommand hack
if len(sys.argv) > 1 and sys.argv[1] == 'preos':
return cdist.preos.PreOS.commandline(sys.argv[1:])
parser, cfg = cdist.argparse.parse_and_configure(sys.argv[1:])
args = cfg.get_args()
# Work around python 3.3 bug:
# http://bugs.python.org/issue16308
# http://bugs.python.org/issue9253
# FIXME: catching AttributeError also hides
# real problems.. try a different way
# FIXME: we always print main help, not
# the help of the actual parser being used!
try:
getattr(args, "func")
except AttributeError:
parser['main'].print_help()
sys.exit(0)
args.func(args)
if __name__ == "__main__":
if sys.version_info[:3] < cdist.MIN_SUPPORTED_PYTHON_VERSION:
print(
'Python >= {} is required on the source host.'.format(
".".join(map(str, cdist.MIN_SUPPORTED_PYTHON_VERSION))),
file=sys.stderr)
sys.exit(1)
exit_code = 0
try:
import re
import os
if re.match("__", os.path.basename(sys.argv[0])):
import cdist.emulator
emulator = cdist.emulator.Emulator(sys.argv)
emulator.run()
else:
commandline()
except KeyboardInterrupt:
exit_code = 2
except cdist.Error as e:
log = logging.getLogger("cdist")
log.error(e)
exit_code = 1
sys.exit(exit_code)
"$dir/../scripts/cdist" "$@"

View file

@ -22,27 +22,11 @@
import os
import hashlib
import subprocess
import cdist.log
import cdist.version
VERSION = 'unknown version'
try:
import cdist.version
VERSION = cdist.version.VERSION
except ModuleNotFoundError:
cdist_dir = os.path.abspath(
os.path.join(os.path.dirname(__file__), os.pardir))
if os.path.isdir(os.path.join(cdist_dir, '.git')):
try:
VERSION = subprocess.check_output(
['git', 'describe', '--always'],
cwd=cdist_dir,
universal_newlines=True)
except Exception:
pass
VERSION = cdist.version.VERSION
BANNER = """
.. . .x+=:. s
@ -64,9 +48,6 @@ REMOTE_EXEC = "ssh -o User=root"
REMOTE_CMDS_CLEANUP_PATTERN = "ssh -o User=root -O exit -S {}"
MIN_SUPPORTED_PYTHON_VERSION = (3, 5)
class Error(Exception):
"""Base exception class for this project"""
pass

View file

@ -5,14 +5,12 @@ import logging
import collections
import functools
import cdist.configuration
import cdist.log
import cdist.preos
import cdist.info
import cdist.scan.commandline
# set of beta sub-commands
BETA_COMMANDS = set(('install', 'inventory', 'scan', ))
BETA_COMMANDS = set(('install', 'inventory', ))
# set of beta arguments for sub-commands
BETA_ARGS = {
'config': set(('tag', 'all_tagged_hosts', 'use_archiving', )),
@ -127,14 +125,6 @@ def get_parsers():
'value.'),
action='count', default=None)
parser['colored_output'] = argparse.ArgumentParser(add_help=False)
parser['colored_output'].add_argument(
'--colors', metavar='WHEN',
help="Colorize cdist's output based on log level; "
"WHEN is 'always', 'never', or 'auto'.",
action='store', dest='colored_output', required=False,
choices=cdist.configuration.ColoredOutputOption.CHOICES)
parser['beta'] = argparse.ArgumentParser(add_help=False)
parser['beta'].add_argument(
'-b', '--beta',
@ -207,13 +197,6 @@ def get_parsers():
'supported. Without argument CPU count is used by default. '),
action='store', dest='jobs',
const=multiprocessing.cpu_count())
parser['config_main'].add_argument(
'--log-server',
action='store_true',
help=('Start a log server for sub processes to use. '
'This is mainly useful when running cdist nested '
'from a code-local script. Log server is alwasy '
'implicitly started for \'install\' command.'))
parser['config_main'].add_argument(
'-n', '--dry-run',
help='Do not execute code.', action='store_true')
@ -274,7 +257,8 @@ def get_parsers():
'-f', '--file',
help=('Read specified file for a list of additional hosts to '
'operate on or if \'-\' is given, read stdin (one host per '
'line).'),
'line). If no host or host file is specified then, by '
'default, read hosts from stdin.'),
dest='hostfile', required=False)
parser['config_args'].add_argument(
'-p', '--parallel', nargs='?', metavar='HOST_MAX',
@ -299,7 +283,6 @@ def get_parsers():
'host', nargs='*', help='Host(s) to operate on.')
parser['config'] = parser['sub'].add_parser(
'config', parents=[parser['loglevel'], parser['beta'],
parser['colored_output'],
parser['common'],
parser['config_main'],
parser['inventory_common'],
@ -318,7 +301,6 @@ def get_parsers():
parser['add-host'] = parser['invsub'].add_parser(
'add-host', parents=[parser['loglevel'], parser['beta'],
parser['colored_output'],
parser['common'],
parser['inventory_common']])
parser['add-host'].add_argument(
@ -326,12 +308,13 @@ def get_parsers():
parser['add-host'].add_argument(
'-f', '--file',
help=('Read additional hosts to add from specified file '
'or from stdin if \'-\' (each host on separate line). '),
'or from stdin if \'-\' (each host on separate line). '
'If no host or host file is specified then, by default, '
'read from stdin.'),
dest='hostfile', required=False)
parser['add-tag'] = parser['invsub'].add_parser(
'add-tag', parents=[parser['loglevel'], parser['beta'],
parser['colored_output'],
parser['common'],
parser['inventory_common']])
parser['add-tag'].add_argument(
@ -340,12 +323,20 @@ def get_parsers():
parser['add-tag'].add_argument(
'-f', '--file',
help=('Read additional hosts to add tags from specified file '
'or from stdin if \'-\' (each host on separate line). '),
'or from stdin if \'-\' (each host on separate line). '
'If no host or host file is specified then, by default, '
'read from stdin. If no tags/tagfile nor hosts/hostfile'
' are specified then tags are read from stdin and are'
' added to all hosts.'),
dest='hostfile', required=False)
parser['add-tag'].add_argument(
'-T', '--tag-file',
help=('Read additional tags to add from specified file '
'or from stdin if \'-\' (each tag on separate line). '),
'or from stdin if \'-\' (each tag on separate line). '
'If no tag or tag file is specified then, by default, '
'read from stdin. If no tags/tagfile nor hosts/hostfile'
' are specified then tags are read from stdin and are'
' added to all hosts.'),
dest='tagfile', required=False)
parser['add-tag'].add_argument(
'-t', '--taglist',
@ -355,7 +346,6 @@ def get_parsers():
parser['del-host'] = parser['invsub'].add_parser(
'del-host', parents=[parser['loglevel'], parser['beta'],
parser['colored_output'],
parser['common'],
parser['inventory_common']])
parser['del-host'].add_argument(
@ -366,12 +356,13 @@ def get_parsers():
parser['del-host'].add_argument(
'-f', '--file',
help=('Read additional hosts to delete from specified file '
'or from stdin if \'-\' (each host on separate line). '),
'or from stdin if \'-\' (each host on separate line). '
'If no host or host file is specified then, by default, '
'read from stdin.'),
dest='hostfile', required=False)
parser['del-tag'] = parser['invsub'].add_parser(
'del-tag', parents=[parser['loglevel'], parser['beta'],
parser['colored_output'],
parser['common'],
parser['inventory_common']])
parser['del-tag'].add_argument(
@ -384,13 +375,20 @@ def get_parsers():
parser['del-tag'].add_argument(
'-f', '--file',
help=('Read additional hosts to delete tags for from specified '
'file or from stdin if \'-\' (each host on separate '
'line). '),
'file or from stdin if \'-\' (each host on separate line). '
'If no host or host file is specified then, by default, '
'read from stdin. If no tags/tagfile nor hosts/hostfile'
' are specified then tags are read from stdin and are'
' deleted from all hosts.'),
dest='hostfile', required=False)
parser['del-tag'].add_argument(
'-T', '--tag-file',
help=('Read additional tags from specified file '
'or from stdin if \'-\' (each tag on separate line). '),
'or from stdin if \'-\' (each tag on separate line). '
'If no tag or tag file is specified then, by default, '
'read from stdin. If no tags/tagfile nor'
' hosts/hostfile are specified then tags are read from'
' stdin and are added to all hosts.'),
dest='tagfile', required=False)
parser['del-tag'].add_argument(
'-t', '--taglist',
@ -400,7 +398,6 @@ def get_parsers():
parser['list'] = parser['invsub'].add_parser(
'list', parents=[parser['loglevel'], parser['beta'],
parser['colored_output'],
parser['common'],
parser['inventory_common']])
parser['list'].add_argument(
@ -433,7 +430,7 @@ def get_parsers():
# Shell
parser['shell'] = parser['sub'].add_parser(
'shell', parents=[parser['loglevel'], parser['colored_output']])
'shell', parents=[parser['loglevel']])
parser['shell'].add_argument(
'-s', '--shell',
help=('Select shell to use, defaults to current shell. Used shell'
@ -471,44 +468,6 @@ def get_parsers():
'pattern', nargs='?', help='Glob pattern.')
parser['info'].set_defaults(func=cdist.info.Info.commandline)
# Scan = config + further
parser['scan'] = parser['sub'].add_parser(
'scan', parents=[parser['loglevel'],
parser['beta'],
parser['colored_output'],
parser['common'],
parser['config_main']])
parser['scan'].add_argument(
'-m', '--mode', help='Which modes should run',
action='append', default=[],
choices=['scan', 'trigger', 'config'])
parser['scan'].add_argument(
'--list',
action='store_true',
help='List the known hosts and exit')
parser['scan'].add_argument(
'--config',
action='store_true',
help='Try to configure detected hosts')
parser['scan'].add_argument(
'-I', '--interface',
action='append', default=[], required=True,
help='On which interfaces to scan/trigger')
parser['scan'].add_argument(
'--name-mapper',
action='store', default=None,
help='Map addresses to names, required for config mode')
parser['scan'].add_argument(
'-d', '--config-delay',
action='store', default=3600, type=int,
help='How long (seconds) to wait before reconfiguring after last try')
parser['scan'].add_argument(
'-t', '--trigger-delay',
action='store', default=5, type=int,
help='How long (seconds) to wait between ICMPv6 echo requests')
parser['scan'].set_defaults(func=cdist.scan.commandline.commandline)
for p in parser:
parser[p].epilog = EPILOG
@ -519,12 +478,7 @@ def handle_loglevel(args):
if hasattr(args, 'quiet') and args.quiet:
args.verbose = _verbosity_level_off
logging.getLogger().setLevel(_verbosity_level[args.verbose])
def handle_log_colors(args):
if cdist.configuration.ColoredOutputOption.translate(args.colored_output):
cdist.log.CdistFormatter.USE_COLORS = True
logging.root.setLevel(_verbosity_level[args.verbose])
def parse_and_configure(argv, singleton=True):
@ -538,14 +492,13 @@ def parse_and_configure(argv, singleton=True):
raise cdist.Error(str(e))
# Loglevels are handled globally in here
handle_loglevel(args)
handle_log_colors(args)
log = logging.getLogger("cdist")
log.verbose("version %s", cdist.VERSION)
log.trace('command line args: %s', cfg.command_line_args)
log.trace('configuration: %s', cfg.get_config())
log.trace('configured args: %s', args)
log.verbose("version %s" % cdist.VERSION)
log.trace('command line args: {}'.format(cfg.command_line_args))
log.trace('configuration: {}'.format(cfg.get_config()))
log.trace('configured args: {}'.format(args))
check_beta(vars(args))

View file

@ -32,11 +32,6 @@ case "$os" in
sysctl -n hw.ncpuonline
;;
"freebsd"|"netbsd")
PATH=$(getconf PATH)
sysctl -n hw.ncpu
;;
*)
if [ -r /proc/cpuinfo ]; then
cores="$(grep "core id" /proc/cpuinfo | sort | uniq | wc -l)"

View file

@ -30,8 +30,9 @@ case $uname_s in
sysctl -n hw.disknames | grep -Eo '[lsw]d[0-9]+'
;;
NetBSD)
PATH=$(getconf PATH)
sysctl -n hw.disknames | awk -v RS=' ' '/^[lsw]d[0-9]+/'
PATH="${PATH}:/usr/local/sbin:/usr/sbin:/sbin"
sysctl -n hw.disknames \
| awk 'BEGIN { RS = " " } /^[lsw]d[0-9]+/'
;;
Linux)
# list of major device numbers toexclude:

View file

@ -221,7 +221,6 @@ check_systemstarter() {
check_sysvinit() (
init_path=${1:-/sbin/init}
test -x "${init_path}" || return 1
grep -q 'INIT_VERSION=sysvinit-[0-9.]*' "${init_path}" || return 1
# It is quite common to use SysVinit to stack other init systemd

View file

@ -21,9 +21,6 @@
set +e
case "$("$__explorer/os")" in
checkpoint)
awk '{printf("%s\n", $(NF-1))}' /etc/cp-release
;;
openwrt)
# shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_CODENAME")

View file

@ -21,9 +21,6 @@
set +e
case "$("$__explorer/os")" in
checkpoint)
cat /etc/cp-release
;;
openwrt)
# shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_DESCRIPTION")

View file

@ -21,9 +21,6 @@
set +e
case "$("$__explorer/os")" in
checkpoint)
echo "CheckPoint"
;;
openwrt)
# shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_ID")

View file

@ -21,9 +21,6 @@
set +e
case "$("$__explorer/os")" in
checkpoint)
sed /etc/cp-release -e 's/.* R\([1-9][0-9]*\)\.[0-9]*$/\1/'
;;
openwrt)
# shellcheck disable=SC1091
(. /etc/openwrt_release && echo "$DISTRIB_RELEASE")

File diff suppressed because it is too large Load diff

View file

@ -1,9 +1,8 @@
#!/bin/sh -e
#!/bin/sh
#
# 2014 Daniel Heule (hda at sfs.biz)
# 2014 Thomas Oettli (otho at sfs.biz)
# Copyright 2017, Philippe Gregoire <pg@pgregoire.xyz>
# 2020 Dennis Camera <dennis.camera at ssrq-sds-fds.ch>
#
# This file is part of cdist.
#
@ -20,73 +19,23 @@
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Returns the amount of memory physically installed in the system, or if that
# cannot be determined the amount available to the operating system kernel,
# in kibibytes (kiB).
#
str2bytes() {
awk -F' ' '
$2 == "B" || !$2 { print $1 }
$2 == "kB" { printf "%.f\n", ($1 * 1000) }
$2 == "MB" { printf "%.f\n", ($1 * 1000 * 1000) }
$2 == "GB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000) }
$2 == "TB" { printf "%.f\n", ($1 * 1000 * 1000 * 1000 * 1000) }
$2 == "kiB" { printf "%.f\n", ($1 * 1024) }
$2 == "MiB" { printf "%.f\n", ($1 * 1024 * 1024) }
$2 == "GiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024) }
$2 == "TiB" { printf "%.f\n", ($1 * 1024 * 1024 * 1024 * 1024) }'
}
# FIXME: other system types (not linux ...)
bytes2kib() {
awk '$0 > 0 { printf "%.f\n", ($0 / 1024) }'
}
os=$("$__explorer/os")
case "$os" in
"macosx")
echo "$(sysctl -n hw.memsize)/1024" | bc
;;
"openbsd")
echo "$(sysctl -n hw.physmem) / 1048576" | bc
;;
case $(uname -s)
in
(Darwin)
sysctl -n hw.memsize | bytes2kib
;;
(FreeBSD)
sysctl -n hw.realmem | bytes2kib
;;
(NetBSD|OpenBSD)
# NOTE: This reports "usable" memory, not physically installed memory.
command -p sysctl -n hw.physmem | bytes2kib
;;
(SunOS)
# Make sure that awk from xpg4 is used for the scripts to work
export PATH="/usr/xpg4/bin:${PATH}"
prtconf \
| awk -F ': ' '
$1 == "Memory size" { sub(/Megabytes/, "MiB", $2); print $2 }
/^$/ { exit }' \
| str2bytes \
| bytes2kib
;;
(Linux)
if test -d /sys/devices/system/memory
then
# Use memory blocks if the architecture (e.g. x86, PPC64, s390)
# supports them (they denote physical memory)
num_mem_blocks=$(cat /sys/devices/system/memory/memory[0-9]*/state | grep -cxF online)
mem_block_size=$(cat /sys/devices/system/memory/block_size_bytes)
echo $((num_mem_blocks * 0x$mem_block_size)) | bytes2kib && exit
fi
if test -r /proc/meminfo
then
# Fall back to meminfo file on other architectures (e.g. ARM, MIPS,
# PowerPC)
# NOTE: This is "usable" memory, not physically installed memory.
awk -F ': +' '$1 == "MemTotal" { sub(/B$/, "iB", $2); print $2 }' /proc/meminfo \
| str2bytes \
| bytes2kib
fi
;;
(*)
printf "Your kernel (%s) is currently not supported by the memory explorer\n" "$(uname -s)" >&2
printf "Please contribute an implementation for it if you can.\n" >&2
exit 1
;;
*)
if [ -r /proc/meminfo ]; then
grep "MemTotal:" /proc/meminfo | awk '{print $2}'
fi
;;
esac

View file

@ -116,13 +116,6 @@ if [ -f /etc/slackware-version ]; then
exit 0
fi
# Appliances
if grep -q '^Check Point Gaia' /etc/cp-release 2>/dev/null; then
echo checkpoint
exit 0
fi
uname_s="$(uname -s)"
# Assume there is no tr on the client -> do lower case ourselves
@ -150,13 +143,6 @@ case "$uname_s" in
esac
if [ -f /etc/os-release ]; then
# after sles15, suse don't provide an /etc/SuSE-release anymore, but there is almost no difference between sles and opensuse leap, so call it suse
# shellcheck disable=SC1091
if (. /etc/os-release && echo "${ID_LIKE}" | grep -q '\(^\|\ \)suse\($\|\ \)')
then
echo suse
exit 0
fi
# already lowercase, according to:
# https://www.freedesktop.org/software/systemd/man/os-release.html
awk -F= '/^ID=/ { if ($2 ~ /^'"'"'(.*)'"'"'$/ || $2 ~ /^"(.*)"$/) { print substr($2, 2, length($2) - 2) } else { print $2 } }' /etc/os-release

View file

@ -34,9 +34,5 @@ elif test -f /var/run/os-release
then
# FreeBSD (created by os-release service)
cat /var/run/os-release
elif test -f /etc/cp-release
then
# Checkpoint firewall or management (actually linux based)
cat /etc/cp-release
fi

View file

@ -1,7 +1,6 @@
#!/bin/sh -e
#!/bin/sh
#
# 2010-2011 Nico Schottelius (nico-cdist at schottelius.org)
# 2020-2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -18,22 +17,12 @@
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# All os variables are lower case
#
#
rc_getvar() {
awk -F= -v varname="$2" '
function unquote(s) {
if (s ~ /^".*"$/ || s ~ /^'\''.*'\''$/)
return substr(s, 2, length(s) - 2)
else
return s
}
$1 == varname { print unquote(substr($0, index($0, "=") + 1)) }' "$1"
}
case $("${__explorer:?}/os")
in
case "$("$__explorer/os")" in
amazon)
cat /etc/system-release
;;
@ -41,58 +30,11 @@ in
# empty, but well...
cat /etc/arch-release
;;
checkpoint)
awk '{version=$NF; printf("%s\n", substr(version, 2))}' /etc/cp-release
;;
debian)
debian_version=$(cat /etc/debian_version)
case $debian_version
in
testing/unstable)
# previous to Debian 4.0 testing/unstable was used
# cf. https://metadata.ftp-master.debian.org/changelogs/main/b/base-files/base-files_11_changelog
echo 3.99
;;
*/sid)
# sid versions don't have a number, so we decode by codename:
case $(expr "$debian_version" : '\([a-z]\{1,\}\)/')
in
trixie) echo 12.99 ;;
bookworm) echo 11.99 ;;
bullseye) echo 10.99 ;;
buster) echo 9.99 ;;
stretch) echo 8.99 ;;
jessie) echo 7.99 ;;
wheezy) echo 6.99 ;;
squeeze) echo 5.99 ;;
lenny) echo 4.99 ;;
*) echo 99.99 ;;
esac
;;
*)
echo "$debian_version"
;;
esac
cat /etc/debian_version
;;
devuan)
devuan_version=$(cat /etc/devuan_version)
case ${devuan_version}
in
(*/ceres)
# ceres versions don't have a number, so we decode by codename:
case ${devuan_version}
in
(daedalus/ceres) echo 4.99 ;;
(chimaera/ceres) echo 3.99 ;;
(beowulf/ceres) echo 2.99 ;;
(ascii/ceres) echo 1.99 ;;
(*) exit 1
esac
;;
(*)
echo "${devuan_version}"
;;
esac
cat /etc/devuan_version
;;
fedora)
cat /etc/fedora-release
@ -101,20 +43,7 @@ in
cat /etc/gentoo-release
;;
macosx)
# NOTE: Legacy versions (< 10.3) do not support options
sw_vers | awk -F ':[ \t]+' '$1 == "ProductVersion" { print $2 }'
;;
freebsd)
# Apparently uname -r is not a reliable way to get the patch level.
# See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251743
if command -v freebsd-version >/dev/null 2>&1
then
# get userland version
freebsd-version -u
else
# fallback to kernel release for FreeBSD < 10.0
uname -r
fi
sw_vers -productVersion
;;
*bsd|solaris)
uname -r
@ -139,22 +68,9 @@ in
fi
;;
ubuntu)
if command -v lsb_release >/dev/null 2>&1
then
lsb_release -sr
elif test -r /usr/lib/os-release
then
# fallback to /usr/lib/os-release if lsb_release is not present (like
# on minimized Ubuntu installations)
rc_getvar /usr/lib/os-release VERSION_ID
elif test -r /etc/lsb-release
then
# extract DISTRIB_RELEASE= variable from /etc/lsb-release on old
# versions without /usr/lib/os-release.
rc_getvar /etc/lsb-release DISTRIB_RELEASE
fi
lsb_release -sr
;;
alpine)
cat /etc/alpine-release
;;
esac
esac

View file

@ -1,7 +1,6 @@
#!/bin/sh -e
# -*- mode: sh; indent-tabs-mode: t -*-
#
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
# 2019 Ander Punnar (ander-at-kvlt-dot-ee)
#
# This file is part of cdist.
#
@ -18,24 +17,23 @@
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Prints "present" if the extension is currently installed.
# "absent" otherwise.
quote() { printf '%s\n' "$*" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"; }
# TODO check if filesystem has ACL turned on etc
postgres_user=$("${__type_explorer:?}/postgres_user")
IFS=: read -r dbname extname <<EOF
${__object_id:?}
EOF
psql_exec() {
su - "${postgres_user}" -c "psql $(quote "$1") -twAc $(quote "$2")"
}
if psql_exec "${dbname}" 'SELECT extname FROM pg_extension' | grep -qFx "${extname}"
if [ -f "$__object/parameter/acl" ]
then
echo present
else
echo absent
grep -E '^(default:)?(user|group):' "$__object/parameter/acl" \
| while read -r acl
do
param="$( echo "$acl" | awk -F: '{print $(NF-2)}' )"
check="$( echo "$acl" | awk -F: '{print $(NF-1)}' )"
[ "$param" = 'user' ] && db=passwd || db="$param"
if ! getent "$db" "$check" > /dev/null
then
echo "missing $param '$check'" >&2
exit 1
fi
done
fi

View file

@ -1,4 +0,0 @@
#!/bin/sh -e
getent passwd | awk -F: '{print "user:"$1}'
getent group | awk -F: '{print "group:"$1}'

View file

@ -22,8 +22,8 @@ file_is="$( cat "$__object/explorer/file_is" )"
if [ "$file_is" = 'missing' ] \
&& [ -z "$__cdist_dry_run" ] \
&& [ ! -f "$__object/parameter/file" ] \
&& [ ! -f "$__object/parameter/directory" ]
&& \( [ ! -f "$__object/parameter/file" ] \
|| [ ! -f "$__object/parameter/directory" ] \)
then
exit 0
fi
@ -47,26 +47,28 @@ then
elif [ -f "$__object/parameter/entry" ]
then
acl_should="$( cat "$__object/parameter/entry" )"
elif [ -f "$__object/parameter/acl" ]
then
acl_should="$( cat "$__object/parameter/acl" )"
elif
[ -f "$__object/parameter/user" ] \
|| [ -f "$__object/parameter/group" ] \
|| [ -f "$__object/parameter/mask" ] \
|| [ -f "$__object/parameter/other" ]
then
acl_should="$( for param in user group mask other
do
[ ! -f "$__object/parameter/$param" ] && continue
echo "$param" | grep -Eq 'mask|other' && sep=:: || sep=:
echo "$param$sep$( cat "$__object/parameter/$param" )"
done )"
else
echo 'no parameters set' >&2
exit 1
fi
# instead of setfacl's non-helpful message "Option -m: Invalid argument near character X"
# let's check if target has necessary users and groups, since mistyped or missing
# users/groups in target is most common reason.
echo "$acl_should" \
| grep -Po '(user|group):[^:]+' \
| sort -u \
| while read -r l
do
if ! grep "$l" -Fxq "$__object/explorer/getent"
then
echo "no $l' in target" | sed "s/:/ '/" >&2
exit 1
fi
done
if [ -f "$__object/parameter/default" ]
then
acl_should="$( echo "$acl_should" \

View file

@ -12,14 +12,11 @@ Fully supported and tested on Linux (ext4 filesystem), partial support for FreeB
See ``setfacl`` and ``acl`` manpages for more details.
One of ``--entry`` or ``--source`` must be used.
OPTIONAL MULTIPLE PARAMETERS
REQUIRED MULTIPLE PARAMETERS
----------------------------
entry
Set ACL entry following ``getfacl`` output syntax.
Must be used if ``--source`` is not used.
OPTIONAL PARAMETERS
@ -28,7 +25,6 @@ source
Read ACL entries from stdin or file.
Ordering of entries is not important.
When reading from file, comments and empty lines are ignored.
Must be used if ``--entry`` is not used.
file
Create/change file with ``__file`` using ``user:group:mode`` pattern.
@ -52,6 +48,12 @@ remove
``mask`` and ``other`` entries can't be removed, but only changed.
DEPRECATED PARAMETERS
---------------------
Parameters ``acl``, ``user``, ``group``, ``mask`` and ``other`` are deprecated and they
will be removed in future versions. Please use ``entry`` parameter instead.
EXAMPLES
--------

View file

@ -0,0 +1 @@
see manual for details

View file

@ -0,0 +1 @@
see manual for details

View file

@ -0,0 +1 @@
see manual for details

View file

@ -0,0 +1 @@
see manual for details

View file

@ -0,0 +1 @@
see manual for details

View file

@ -1,3 +1,5 @@
mask
other
source
file
directory

View file

@ -1 +1,4 @@
entry
acl
user
group

View file

@ -1,104 +0,0 @@
cdist-type__debian_backports(7)
===============================
NAME
----
cdist-type__apt_backports - Install backports
DESCRIPTION
-----------
This singleton type installs backports for the current OS release.
It aborts if backports are not supported for the specified OS or
no version codename could be fetched (like Debian unstable).
The package index will be automatically updated if required.
It supports backports from following OSes:
- Debian
- Devuan
- Ubuntu
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
state
Represents the state of the backports repository. ``present`` or
``absent``, defaults to ``present``.
Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
mirror
The mirror to fetch the backports from. Will defaults to the generic
mirror of the current OS.
Will be directly passed to :strong:`cdist-type__apt_source`\ (7).
BOOLEAN PARAMETERS
------------------
None.
MESSAGES
--------
None.
EXAMPLES
--------
.. code-block:: sh
# setup the backports
__apt_backports
__apt_backports --state absent
__apt_backports --state present --mirror "http://ftp.de.debian.org/debian/"
# install a backports package
# currently for the buster release backports
require="__apt_backports" __package_apt wireguard \
--target-release buster-backports
ABORTS
------
Aborts if the detected os is not Debian.
Aborts if no distribuition codename could be detected. This is common for the
unstable distribution, but there is no backports repository for it already.
CAVEATS
-------
For Ubuntu, it setup all componenents for the backports repository: ``main``,
``restricted``, ``universe`` and ``multiverse``. The user may not want to
install proprietary packages, which will only be installed if the user
explicitly uses the backports target-release. The user may change this behavior
to install backports packages without the need of explicitly select it.
SEE ALSO
--------
`Official Debian Backports site <https://backports.debian.org/>`_
:strong:`cdist-type__apt_source`\ (7)
AUTHORS
-------
Matthias Stecher <matthiasstecher at gmx.de>
COPYING
-------
Copyright \(C) 2020 Matthias Stecher. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -1,82 +0,0 @@
#!/bin/sh -e
# __apt_backports/manifest
#
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Enables/disables backports repository. Utilises __apt_source for it.
#
# Get the distribution codename by /etc/os-release.
# is already executed in a subshell by string substitution
# lsb_release may not be given in all installations
codename_os_release() {
# shellcheck disable=SC1090
# shellcheck disable=SC1091
. "$__global/explorer/os_release"
printf "%s" "$VERSION_CODENAME"
}
# detect backport distribution
os="$(cat "$__global/explorer/os")"
case "$os" in
debian)
dist="$( codename_os_release )"
components="main"
mirror="http://deb.debian.org/debian/"
;;
devuan)
dist="$( codename_os_release )"
components="main"
mirror="http://deb.devuan.org/merged"
;;
ubuntu)
dist="$( codename_os_release )"
components="main restricted universe multiverse"
mirror="http://archive.ubuntu.com/ubuntu"
;;
*)
printf "Backports for %s are not supported!\n" "$os" >&2
exit 1
;;
esac
# error if no codename given (e.g. on Debian unstable)
if [ -z "$dist" ]; then
printf "No backports for unkown version of distribution %s!\n" "$os" >&2
exit 1
fi
# parameters
state="$(cat "$__object/parameter/state")"
# mirror already set for the os, only override user-values
if [ -f "$__object/parameter/mirror" ]; then
mirror="$(cat "$__object/parameter/mirror")"
fi
# install the given backports repository
__apt_source "${dist}-backports" \
--state "$state" \
--distribution "${dist}-backports" \
--component "$components" \
--uri "$mirror"

View file

@ -1,2 +0,0 @@
state
mirror

View file

@ -27,25 +27,18 @@ else
keyid="$__object_id"
fi
# From apt-key(8):
# Use of apt-key is deprecated, except for the use of apt-key del in
# maintainer scripts to remove existing keys from the main keyring.
# If such usage of apt-key is desired the additional installation of
# the GNU Privacy Guard suite (packaged in gnupg) is required.
if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
if apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK"
then echo present
else echo absent
fi
exit
fi
keydir="$(cat "$__object/parameter/keydir")"
keyfile="$keydir/$__object_id.gpg"
if [ -f "$keyfile" ]
if [ -d "$keydir" ]
then
echo present
exit
if [ -f "$keyfile" ]
then echo present
else echo absent
fi
else
# fallback to deprecated apt-key
apt-key export "$keyid" | head -n 1 | grep -Fqe "BEGIN PGP PUBLIC KEY BLOCK" \
&& echo present \
|| echo absent
fi
echo absent

View file

@ -25,7 +25,11 @@ else
fi
state_should="$(cat "$__object/parameter/state")"
state_is="$(cat "$__object/explorer/state")"
method="$(cat "$__object/key_method")"
if [ "$state_should" = "$state_is" ]; then
# nothing to do
exit 0
fi
keydir="$(cat "$__object/parameter/keydir")"
keyfile="$keydir/$__object_id.gpg"
@ -33,18 +37,30 @@ keyfile="$keydir/$__object_id.gpg"
case "$state_should" in
present)
keyserver="$(cat "$__object/parameter/keyserver")"
# Using __download or __file as key source
# Propagate messages if needed
if [ "${method}" = "uri" ] || [ "${method}" = "source" ]; then
if grep -Eq "^__(file|download)$keyfile" "$__messages_in"; then
echo "added '$keyid'" >> "$__messages_out"
if [ -f "$__object/parameter/uri" ]; then
uri="$(cat "$__object/parameter/uri")"
if [ -d "$keydir" ]; then
cat << EOF
curl -s -L \\
-o "$keyfile" \\
"$uri"
key="\$( cat "$keyfile" )"
if echo "\$key" | grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK'
then
echo "\$key" | gpg --dearmor > "$keyfile"
fi
EOF
else
# fallback to deprecated apt-key
echo "curl -s -L '$uri' | apt-key add -"
fi
exit 0
elif [ "${state_is}" = "present" ]; then
exit 0
fi
# Using key servers to fetch the key
if [ ! -f "$__object/parameter/use-deprecated-apt-key" ]; then
elif [ -d "$keydir" ]; then
# we need to kill gpg after 30 seconds, because gpg
# can get stuck if keyserver is not responding.
# exporting env var and not exit 1,
@ -84,16 +100,13 @@ EOF
echo "added '$keyid'" >> "$__messages_out"
;;
absent)
# Removal for keys added from a keyserver without this flag
# is done in the manifest
if [ "$state_is" != "absent" ] && \
[ -f "$__object/parameter/use-deprecated-apt-key" ]; then
if [ -f "$keyfile" ]; then
echo "rm '$keyfile'"
else
# fallback to deprecated apt-key
echo "apt-key del \"$keyid\""
echo "removed '$keyid'" >> "$__messages_out"
# Propagate messages if needed
elif grep -Eq "^__file$keyfile" "$__messages_in"; then
echo "removed '$keyid'" >> "$__messages_out"
fi
echo "removed '$keyid'" >> "$__messages_out"
;;
esac

View file

@ -10,14 +10,6 @@ DESCRIPTION
-----------
Manages the list of keys used by apt to authenticate packages.
This is done by placing the requested key in a file named
``$__object_id.gpg`` in the ``keydir`` directory.
This is supported by modern releases of Debian-based distributions.
In order of preference, exactly one of: ``source``, ``uri`` or ``keyid``
must be specified.
REQUIRED PARAMETERS
-------------------
@ -26,49 +18,21 @@ None.
OPTIONAL PARAMETERS
-------------------
keydir
keyring directory, defaults to ``/etc/apt/trusted.pgp.d``, which is
enabled system-wide by default.
source
path to a file containing the GPG key of the repository.
Using this is recommended as it ensures that the manifest/type manintainer
has validated the key.
If ``-``, the GPG key is read from the type's stdin.
state
'present' or 'absent'. Defaults to 'present'
uri
the URI from which to download the key.
It is highly recommended that you only use protocols with TLS like HTTPS.
This uses ``__download`` but does not use checksums, if you want to ensure
that the key doesn't change, you are better off downloading it and using
``--source``.
DEPRECATED OPTIONAL PARAMETERS
------------------------------
keyid
the id of the key to download from the ``keyserver``.
This is to be used in absence of ``--source`` and ``--uri`` or together
with ``--use-deprecated-apt-key`` for key removal.
Defaults to ``$__object_id``.
the id of the key to add. Defaults to __object_id
keyserver
the keyserver from which to fetch the key.
Defaults to ``pool.sks-keyservers.net``.
the keyserver from which to fetch the key. If omitted the default set
in ./parameter/default/keyserver is used.
keydir
key save location, defaults to ``/etc/apt/trusted.pgp.d``
DEPRECATED BOOLEAN PARAMETERS
-----------------------------
use-deprecated-apt-key
``apt-key(8)`` will last be available in Debian 11 and Ubuntu 22.04.
You can use this parameter to force usage of ``apt-key(8)``.
Please only use this parameter to *remove* keys from the keyring,
in order to prepare for removal of ``apt-key``.
Adding keys should be done without this parameter.
This parameter will be removed when Debian 11 stops being supported.
uri
the URI from which to download the key
EXAMPLES
@ -76,39 +40,33 @@ EXAMPLES
.. code-block:: sh
# add a key that has been verified by a type maintainer
__apt_key jitsi_meet_2021 \
--source cdist-contrib/type/__jitsi_meet/files/apt_2021.gpg
# Add Ubuntu Archive Automatic Signing Key
__apt_key 437D05B5
# Same thing
__apt_key 437D05B5 --state present
# Get rid of it
__apt_key 437D05B5 --state absent
# remove an old, deprecated or expired key
__apt_key jitsi_meet_2016 --state absent
# same thing with human readable name and explicit keyid
__apt_key UbuntuArchiveKey --keyid 437D05B5
# Get rid of a key that might have been added to
# /etc/apt/trusted.gpg with apt-key
__apt_key 0x40976EAF437D05B5 --use-deprecated-apt-key --state absent
# same thing with other keyserver
__apt_key UbuntuArchiveKey --keyid 437D05B5 --keyserver keyserver.ubuntu.com
# add a key that we define in-line
__apt_key jitsi_meet_2021 --source '-' <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
[...]
-----END PGP PUBLIC KEY BLOCK-----
EOF
# download or update key from the internet
__apt_key rabbitmq_2007 \
--uri https://www.rabbitmq.com/rabbitmq-signing-key-public.asc
# download key from the internet
__apt_key rabbitmq \
--uri http://www.rabbitmq.com/rabbitmq-signing-key-public.asc
AUTHORS
-------
Steven Armstrong <steven-cdist--@--armstrong.cc>
Ander Punnar <ander-at-kvlt-dot-ee>
Evilham <contact~~@~~evilham.com>
COPYING
-------
Copyright \(C) 2011-2021 Steven Armstrong, Ander Punnar and Evilham. You can
Copyright \(C) 2011-2019 Steven Armstrong and Ander Punnar. You can
redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -2,105 +2,7 @@
__package gnupg
state_should="$(cat "${__object}/parameter/state")"
incompatible_args()
{
cat >> /dev/stderr <<-EOF
This type does not support --${1} and --${method} simultaneously.
EOF
exit 1
}
if [ -f "${__object}/parameter/source" ]; then
method="source"
src="$(cat "${__object}/parameter/source")"
if [ "${src}" = "-" ]; then
src="${__object}/stdin"
fi
fi
if [ -f "${__object}/parameter/uri" ]; then
if [ -n "${method}" ]; then
incompatible_args uri
fi
method="uri"
src="$(cat "${__object}/parameter/uri")"
fi
if [ -f "${__object}/parameter/keyid" ]; then
if [ -n "${method}" ]; then
incompatible_args keyid
fi
method="keyid"
fi
# Keep old default
if [ -z "${method}" ]; then
method="keyid"
fi
# Save this for later in gencode-remote
echo "${method}" > "${__object}/key_method"
# Required remotely (most likely already installed)
__package dirmngr
# We need this in case a key has to be dearmor'd
__package gnupg
export require="__package/gnupg"
if [ -f "${__object}/parameter/use-deprecated-apt-key" ]; then
# This is required if apt-key(8) is to be used
if [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
incompatible_args use-deprecated-apt-key
fi
else
if [ "${state_should}" = "absent" ] && \
[ -f "${__object}/parameter/keyid" ]; then
cat >> /dev/stderr <<EOF
You can't reliably remove by keyid without --use-deprecated-apt-key.
This would very likely do something you do not intend.
EOF
exit 1
fi
fi
keydir="$(cat "${__object}/parameter/keydir")"
keyfile="${keydir}/${__object_id}.gpg"
keyfilecdist="${keyfile}.cdist"
if [ "${state_should}" != "absent" ]; then
# Ensure keydir exists
__directory "${keydir}" --state exists --mode 0755
fi
if [ "${state_should}" = "absent" ]; then
__file "${keyfile}" --state "absent"
__file "${keyfilecdist}" --state "absent"
elif [ "${method}" = "source" ] || [ "${method}" = "uri" ]; then
dearmor="$(cat <<-EOF
if [ '${state_should}' = 'present' ]; then
# Dearmor if necessary
if grep -Fq 'BEGIN PGP PUBLIC KEY BLOCK' '${keyfilecdist}'; then
gpg --dearmor < '${keyfilecdist}' > '${keyfile}'
else
cp '${keyfilecdist}' '${keyfile}'
fi
# Ensure permissions
chown root '${keyfile}'
chmod 0444 '${keyfile}'
fi
EOF
)"
if [ "${method}" = "uri" ]; then
__download "${keyfilecdist}" \
--url "${src}" \
--onchange "${dearmor}"
require="__download${keyfilecdist}" \
__file "${keyfile}" \
--owner root \
--mode 0444 \
--state pre-exists
else
__file "${keyfilecdist}" --state "${state_should}" \
--mode 0444 \
--source "${src}" \
--onchange "${dearmor}"
fi
if [ -f "$__object/parameter/uri" ]
then __package curl
else __package dirmngr
fi

View file

@ -1 +0,0 @@
use-deprecated-apt-key

View file

@ -1,3 +0,0 @@
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
Use this flag *only* to migrate to placing a keyring directly in the
/etc/apt/trusted.gpg.d/ directory with a descriptive name.

View file

@ -1,6 +1,5 @@
keydir
state
keyid
keyserver
source
state
keydir
uri

View file

@ -1 +0,0 @@
Please migrate to using __apt_key key_id --uri URI.

View file

@ -24,4 +24,4 @@ else
name="$__object_id"
fi
apt-mark showhold | grep -q "^${name}$" && echo hold || echo unhold
apt-mark showhold | grep -Fq "$name" && echo hold || echo unhold

View file

@ -32,12 +32,11 @@ EXAMPLES
AUTHORS
-------
Steven Armstrong <steven-cdist--@--armstrong.cc>
Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
COPYING
-------
Copyright \(C) 2014 Steven Armstrong, 2020 Dennis Camera.
You can redistribute it and/or modify it under the terms of the GNU General
Public License as published by the Free Software Foundation, either version 3 of
the License, or (at your option) any later version.
Copyright \(C) 2014 Steven Armstrong. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -1,7 +1,6 @@
#!/bin/sh -e
#
# 2014 Steven Armstrong (steven-cdist at armstrong.cc)
# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -20,28 +19,26 @@
#
os=$(cat "${__global:?}/explorer/os")
os=$(cat "$__global/explorer/os")
case ${os}
in
(ubuntu|debian|devuan)
__file /etc/apt/apt.conf.d/00InstallRecommends --state present \
--owner root --group root --mode 0644 --source - <<-'EOF'
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::AutoRemove::RecommendsImportant "false";
APT::AutoRemove::SuggestsImportant "false";
EOF
# TODO: Remove the following object after some time
require=__file/etc/apt/apt.conf.d/00InstallRecommends \
__file /etc/apt/apt.conf.d/99-no-recommends --state absent
;;
(*)
cat >&2 <<EOF
case "$os" in
ubuntu|debian|devuan)
# No stinking recommends thank you very much.
# If I want something installed I will do so myself.
__file /etc/apt/apt.conf.d/99-no-recommends \
--owner root --group root --mode 644 \
--source - << DONE
APT::Install-Recommends "0";
APT::Install-Suggests "0";
APT::AutoRemove::RecommendsImportant "0";
APT::AutoRemove::SuggestsImportant "0";
DONE
;;
*)
cat >&2 << DONE
The developer of this type (${__type##*/}) did not think your operating system
($os) would have any use for it. If you think otherwise please submit a patch.
EOF
exit 1
;;
DONE
exit 1
;;
esac

View file

@ -1,79 +0,0 @@
cdist-type__apt_pin(7)
======================
NAME
----
cdist-type__apt_pin - Manage apt pinning rules
DESCRIPTION
-----------
Adds/removes/edits rules to pin some packages to a specific distribution. Useful if using multiple debian repositories at the same time. (Useful, if one wants to use a few specific packages from backports or perhaps Debain testing... or even sid.)
REQUIRED PARAMETERS
-------------------
distribution
Specifies what distribution the package should be pinned to. Accepts both codenames (buster/bullseye/sid) and suite names (stable/testing/...).
OPTIONAL PARAMETERS
-------------------
package
Package name, glob or regular expression to match (multiple) packages. If not specified `__object_id` is used.
priority
The priority value to assign to matching packages. Defaults to 500. (To match the default target distro's priority)
state
Will be passed to underlying `__file` type; see there for valid values and defaults.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
# Add the bullseye repo to buster, but do not install any packages by default,
# only if explicitely asked for (-1 means "never" for apt)
__apt_pin bullseye-default \
--package "*" \
--distribution bullseye \
--priority -1
require="__apt_pin/bullseye-default" __apt_source bullseye \
--uri http://deb.debian.org/debian/ \
--distribution bullseye \
--component main
__apt_pin foo --package "foo foo-*" --distribution bullseye
__foo # Assuming, this installs the `foo` package internally
__package foo-plugin-extras # Assuming we also need some extra stuff
SEE ALSO
--------
:strong:`apt_preferences`\ (5)
:strong:`cdist-type__apt_source`\ (7)
:strong:`cdist-type__apt_backports`\ (7)
:strong:`cdist-type__file`\ (7)
AUTHORS
-------
Daniel Fancsali <fancsali@gmail.com>
COPYING
-------
Copyright \(C) 2021 Daniel Fancsali. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -1,68 +0,0 @@
#!/bin/sh -e
#
# 2021 Daniel Fancsali (fancsali@gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
name="$__object_id"
os=$(cat "$__global/explorer/os")
state="$(cat "$__object/parameter/state")"
if [ -f "$__object/parameter/package" ]; then
package="$(cat "$__object/parameter/package")"
else
package=$name
fi
distribution="$(cat "$__object/parameter/distribution")"
priority="$(cat "$__object/parameter/priority")"
case "$os" in
debian|ubuntu|devuan)
;;
*)
printf "This type is specific to Debian and it's derivatives" >&2
exit 1
;;
esac
case $distribution in
stable|testing|unstable|experimental)
pin="release a=$distribution"
;;
*)
pin="release n=$distribution"
;;
esac
__file "/etc/apt/preferences.d/$name" \
--owner root --group root --mode 0644 \
--state "$state" \
--source - << EOF
# Created by cdist ${__type##*/}
# Do not change. Changes will be overwritten.
#
# $name
Package: $package
Pin: $pin
Pin-Priority: $priority
EOF

View file

@ -1 +0,0 @@
present

View file

@ -1,3 +0,0 @@
state
package
priority

View file

@ -1 +0,0 @@
distribution

View file

@ -0,0 +1,55 @@
#!/usr/bin/env python
#
# Remove the given apt repository.
#
# Exit with:
# 0: if it worked
# 1: if not
# 2: on other error
import os
import sys
from aptsources import distro, sourceslist
from softwareproperties import ppa
from softwareproperties.SoftwareProperties import SoftwareProperties
def remove_if_empty(file_name):
with open(file_name, 'r') as f:
if f.read().strip():
return
os.unlink(file_name)
def remove_repository(repository):
#print 'repository:', repository
codename = distro.get_distro().codename
#print 'codename:', codename
(line, file) = ppa.expand_ppa_line(repository.strip(), codename)
#print 'line:', line
#print 'file:', file
deb_source_entry = sourceslist.SourceEntry(line, file)
src_source_entry = sourceslist.SourceEntry('deb-src{}'.format(line[3:]), file)
try:
sp = SoftwareProperties()
sp.remove_source(deb_source_entry)
try:
# If there's a deb-src entry, remove that too
sp.remove_source(src_source_entry)
except:
pass
remove_if_empty(file)
return True
except ValueError:
print >> sys.stderr, "Error: '%s' doesn't exists in a sourcelist file" % line
return False
if __name__ == '__main__':
if (len(sys.argv) != 2):
print >> sys.stderr, 'Error: need a repository as argument'
sys.exit(2)
repository = sys.argv[1]
if remove_repository(repository):
sys.exit(0)
else:
sys.exit(1)

View file

@ -29,9 +29,9 @@ fi
case "$state_should" in
present)
echo "add-apt-repository -y '$name'"
echo "add-apt-repository '$name'"
;;
absent)
echo "add-apt-repository -r -y '$name'"
echo "remove-apt-repository '$name'"
;;
esac

View file

@ -20,4 +20,9 @@
__package software-properties-common
require="__package/software-properties-common" \
__file /usr/local/bin/remove-apt-repository \
--source "$__type/files/remove-apt-repository" \
--mode 0755
require="$__object_name" __apt_update_index

View file

@ -2,14 +2,13 @@
set -u
entry="$uri $distribution $component"
cat << DONE
# Created by cdist ${__type##*/}
# Do not change. Changes will be overwritten.
#
# $name
deb ${options} $entry
deb ${forcedarch} $entry
DONE
if [ -f "$__object/parameter/include-src" ]; then
echo "deb-src $entry"

View file

@ -22,21 +22,7 @@
name="$__object_id"
destination="/etc/apt/sources.list.d/${name}.list"
# There are special arguments to apt(8) to prevent aborts if apt woudn't been
# updated after the 19th April 2021 till the bullseye release. The additional
# arguments acknoledge the happend suite change (the apt(8) update does the
# same by itself).
#
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
# allows backward compatablility to pre-buster Debian versions.
#
# See more: ticket #861
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
# run 'apt-get update' only if something changed with our sources.list file
# it will be run a second time on error as a redundancy messure to success
if grep -q "^__file${destination}" "$__messages_in"; then
printf 'apt-get %s update || apt-get %s update\n' "$apt_opts" "$apt_opts"
printf 'apt-get update || apt-get update\n'
fi

View file

@ -23,9 +23,6 @@ OPTIONAL PARAMETERS
arch
set this if you need to force and specific arch (ubuntu specific)
signed-by
provide a GPG key fingerprint or keyring path for signature checks
state
'present' or 'absent', defaults to 'present'
@ -59,11 +56,6 @@ EXAMPLES
--uri http://archive.canonical.com/ \
--component partner --state present
__apt_source goaccess \
--uri http://deb.goaccess.io/ \
--component main \
--signed-by C03B48887D5E56B046715D3297BD1A0133449C3D
AUTHORS
-------

View file

@ -21,7 +21,6 @@
name="$__object_id"
state="$(cat "$__object/parameter/state")"
uri="$(cat "$__object/parameter/uri")"
options=""
if [ -f "$__object/parameter/distribution" ]; then
distribution="$(cat "$__object/parameter/distribution")"
@ -32,15 +31,9 @@ fi
component="$(cat "$__object/parameter/component")"
if [ -f "$__object/parameter/arch" ]; then
options="arch=$(cat "$__object/parameter/arch")"
fi
if [ -f "$__object/parameter/signed-by" ]; then
options="$options signed-by=$(cat "$__object/parameter/signed-by")"
fi
if [ "$options" ]; then
options="[$options]"
forcedarch="[arch=$(cat "$__object/parameter/arch")]"
else
forcedarch=""
fi
# export variables for use in template
@ -48,7 +41,7 @@ export name
export uri
export distribution
export component
export options
export forcedarch
# generate file from template
mkdir "$__object/files"

View file

@ -1,5 +1,4 @@
state
distribution
component
arch
signed-by
arch

View file

@ -18,23 +18,9 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# There are special arguments to apt(8) to prevent aborts if apt woudn't been
# updated after the 19th April 2021 till the bullseye release. The additional
# arguments acknoledge the happend suite change (the apt(8) update does the
# same by itself).
#
# Using '-o $config' instead of the --allow-releaseinfo-change-* parameter
# allows backward compatablility to pre-buster Debian versions.
#
# See more: ticket #861
# https://code.ungleich.ch/ungleich-public/cdist/-/issues/861
apt_opts="-o Acquire::AllowReleaseInfoChange::Suite=true -o Acquire::AllowReleaseInfoChange::Version=true"
# run 'apt-get update' if anything in /etc/apt is newer then /var/lib/apt/lists
# it will be run a second time on error as a redundancy messure to success
cat << DONE
if find /etc/apt -mindepth 1 -cnewer /var/lib/apt/lists | grep . > /dev/null; then
apt-get $apt_opts update || apt-get $apt_opts update
apt-get update || apt-get update
fi
DONE

View file

@ -46,29 +46,28 @@ fi
remove_block() {
cat << DONE
tmpfile=\$(mktemp ${quoted_file}.cdist.XXXXXXXXXX)
tmpfile=\$(mktemp ${file}.cdist.XXXXXXXXXX)
# preserve ownership and permissions of existing file
if [ -f $quoted_file ]; then
cp -p $quoted_file "\$tmpfile"
if [ -f "$file" ]; then
cp -p "$file" "\$tmpfile"
fi
awk -v prefix=$(quote "$prefix") -v suffix=$(quote "$suffix") '
awk -v prefix=^$(quote "$prefix")\$ -v suffix=^$(quote "$suffix")\$ '
{
if (\$0 == prefix) {
if (match(\$0,prefix)) {
triggered=1
}
if (triggered) {
if (\$0 == suffix) {
if (match(\$0,suffix)) {
triggered=0
}
} else {
print
}
}' $quoted_file > "\$tmpfile"
mv -f "\$tmpfile" $quoted_file
}' "$file" > "\$tmpfile"
mv -f "\$tmpfile" "$file"
DONE
}
quoted_file="$(quote "$file")"
case "$state_should" in
present)
if [ "$state_is" = "changed" ]; then
@ -78,7 +77,7 @@ case "$state_should" in
echo add >> "$__messages_out"
fi
cat << DONE
cat >> $quoted_file << '${__type##*/}_DONE'
cat >> "$file" << ${__type##*/}_DONE
$(cat "$block")
${__type##*/}_DONE
DONE

View file

@ -37,7 +37,6 @@ source="$(cat "$__object/parameter/source")"
# out of it
home=/home/$username
# shellcheck disable=SC2086
__user "$username" --home "$home" $shell
require="__user/$username" __directory "$home" \

View file

@ -18,12 +18,7 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
if [ -f "$__object/parameter/path" ]
then
path="$( cat "$__object/parameter/path" )"
else
path="/$__object_id"
fi
path="/$__object_id"
[ ! -d "$path" ] && exit 0

View file

@ -20,12 +20,7 @@
[ ! -s "$__object/explorer/list" ] && exit 0
if [ -f "$__object/parameter/path" ]
then
path="$( cat "$__object/parameter/path" )"
else
path="/$__object_id"
fi
path="/$__object_id"
pattern="$( cat "$__object/parameter/pattern" )"

View file

@ -10,7 +10,7 @@ DESCRIPTION
-----------
Remove files and directories which match the pattern.
Provided path must be a directory.
Provided path (as __object_id) must be a directory.
Patterns are passed to ``find``'s ``-regex`` - see ``find(1)`` for more details.
@ -29,9 +29,6 @@ pattern
OPTIONAL PARAMETERS
-------------------
path
Path which will be cleaned. Defaults to ``$__object_id``.
exclude
Pattern of files which are excluded from removal.
@ -49,11 +46,6 @@ EXAMPLES
--exclude '.+\(charset\.conf\|security\.conf\)' \
--onchange 'service apache2 restart'
__clean_path apache2-conf-enabled \
--path /etc/apache2/conf-enabled \
--pattern '.+' \
--exclude '.+\(charset\.conf\|security\.conf\)' \
--onchange 'service apache2 restart'
AUTHORS
-------

View file

@ -1,3 +1,2 @@
exclude
onchange
path

View file

@ -0,0 +1,744 @@
#!/bin/sh
generate_use_auth_secret () {
if [ $USE_AUTH_SECRET ]; then
echo 'use-auth-secret'
else
echo '#use-auth-secret'
fi
}
generate_static_auth_secret () {
if [ "$STATIC_AUTH_SECRET" $! "" ]; then
echo "static-auth-secret=$STATIC_AUTH_SECRET"
else
echo "#static-auth-secret=north"
fi
}
generate_realm () {
if [ "$REALM" != "" ]; then
echo "realm=$REALM"
else
echo "#realm=mycompany.org"
fi
}
generate_no_tcp_relay () {
if [ $NO_TCP_RELAY ]; then
echo 'no-tcp-releay'
else
echo '#no-tcp-relay'
fi
}
cat << EOF
# Coturn TURN SERVER configuration file
#
# Boolean values note: where boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', 'f' as 'false,
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
# If the value is missed, then it means 'true'.
#
# Listener interface device (optional, Linux only).
# NOT RECOMMENDED.
#
#listening-device=eth0
# TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
#listening-port=3478
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, we currently support SSL version 3 and
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, we support DTLS version 1.
#
#tls-listening-port=5349
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
# This is needed for RFC 5780 support
# (STUN extension specs, NAT behavior discovery). The TURN Server
# supports RFC 5780 only if it is started with more than one
# listening IP address of the same family (IPv4 or IPv6).
# RFC 5780 is supported only by UDP protocol, other protocols
# are listening to that endpoint only for "symmetry".
#
#alt-listening-port=0
# Alternative listening port for TLS and DTLS protocols.
# Default (or zero) value means "TLS listening port plus one".
#
#alt-tls-listening-port=0
# Listener IP address of relay server. Multiple listeners can be specified.
# If no IP(s) specified in the config file or in the command line options,
# then all IPv4 and IPv6 system IPs will be used for listening.
#
#listening-ip=172.17.19.101
#listening-ip=10.207.21.238
#listening-ip=2607:f0d0:1002:51::4
# Auxiliary STUN/TURN server listening endpoint.
# Aux servers have almost full TURN and STUN functionality.
# The (minor) limitations are:
#
# 1) Auxiliary servers do not have alternative ports and
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
#
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
#
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
#
# There may be multiple aux-server options, each will be used for listening
# to client requests.
#
#aux-server=172.17.19.110:33478
#aux-server=[2607:f0d0:1002:51::4]:33478
# (recommended for older Linuxes only)
# Automatically balance UDP traffic over auxiliary servers (if configured).
# The load balancing is using the ALTERNATE-SERVER mechanism.
# The TURN client must support 300 ALTERNATE-SERVER response for this
# functionality.
#
#udp-self-balance
# Relay interface device for relay sockets (optional, Linux only).
# NOT RECOMMENDED.
#
#relay-device=eth1
# Relay address (the local IP address that will be used to relay the
# packets to the peer).
# Multiple relay addresses may be used.
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
#
# If no relay IP(s) specified, then the turnserver will apply the default
# policy: it will decide itself which relay addresses to be used, and it
# will always be using the client socket IP address as the relay IP address
# of the TURN session (if the requested relay address family is the same
# as the family of the client socket).
#
#relay-ip=172.17.19.105
#relay-ip=2607:f0d0:1002:51::5
# For Amazon EC2 users:
#
# TURN Server public/private address mapping, if the server is behind NAT.
# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
# as relay IP address of all allocations. This scenario works only in a simple case
# when one single relay address is be used, and no RFC5780 functionality is required.
# That single relay address must be mapped by NAT to the 'external' IP.
# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
# For that 'external' IP, NAT must forward ports directly (relayed port 12345
# must be always mapped to the same 'external' port 12345).
#
# In more complex case when more than one IP address is involved,
# that option must be used several times, each entry must
# have form "-X <public-ip/private-ip>", to map all involved addresses.
# RFC5780 NAT discovery STUN functionality will work correctly,
# if the addresses are mapped properly, even when the TURN server itself
# is behind A NAT.
#
# By default, this value is empty, and no address mapping is used.
#
#external-ip=60.70.80.91
#
#OR:
#
#external-ip=60.70.80.91/172.17.19.101
#external-ip=60.70.80.92/172.17.19.102
# Number of the relay threads to handle the established connections
# (in addition to authentication thread and the listener thread).
# If explicitly set to 0 then application runs relay process in a
# single thread, in the same thread with the listener process
# (the authentication thread will still be a separate thread).
#
# If this parameter is not set, then the default OS-dependent
# thread pattern algorithm will be employed. Usually the default
# algorithm is the most optimal, so you have to change this option
# only if you want to make some fine tweaks.
#
# In the older systems (Linux kernel before 3.9),
# the number of UDP threads is always one thread per network listening
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
# 1 (one) value is set.
#
#relay-threads=0
# Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535)
#
#min-port=49152
#max-port=65535
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
# By default the verbose mode is off.
#verbose
# Uncomment to run TURN server in 'extra' verbose mode.
# This mode is very annoying and produces lots of output.
# Not recommended under any normal circumstances.
#
#Verbose
# Uncomment to use fingerprints in the TURN messages.
# By default the fingerprints are off.
#
#fingerprint
# Uncomment to use long-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
#
#lt-cred-mech
# This option is opposite to lt-cred-mech.
# (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined,
# then no-auth is default. If at least one user is defined,
# in this file or in command line or in usersdb file, then
# lt-cred-mech is default.
#
#no-auth
# TURN REST API flag.
# (Time Limited Long Term Credential)
# Flag that sets a special authorization option that is based upon authentication secret.
#
# This feature's purpose is to support "TURN Server REST API", see
# "TURN REST API" link in the project's page
# https://github.com/coturn/coturn/
#
# This option is used with timestamp:
#
# usercombo -> "timestamp:userid"
# turn user -> usercombo
# turn password -> base64(hmac(secret key, usercombo))
#
# This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, the timestamp alone can be used.
# This option is just turning on secret-based authentication.
# The actual value of the secret is defined either by option static-auth-secret,
# or can be found in the turn_secret table in the database (see below).
#
# Read more about it:
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
#
# Be aware that use-auth-secret overrides some part of lt-cred-mech.
# Notice that this feature depends internally on lt-cred-mech, so if you set
# use-auth-secret then it enables internally automatically lt-cred-mech option
# like if you enable both.
#
# You can use only one of the to auth mechanisms in the same time because,
# both mechanism use the username and password validation in different way.
#
# This way be aware that you can't use both auth mechnaism in the same time!
# Use in config either the lt-cred-mech or the use-auth-secret
# to avoid any confusion.
#
$(generate_use_auth_secret)
# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server
# will try to use the 'dynamic' value in turn_secret table
# in user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that other mode is 'dynamic'.
#
$(generate_static_auth_secret)
# Server name used for
# the oAuth authentication purposes.
# The default value is the realm name.
#
#server-name=blackdow.carleon.gov
# Flag that allows oAuth authentication.
#
#oauth
# 'Static' user accounts for long term credentials mechanism, only.
# This option cannot be used with TURN REST API.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so that they can NOT be changed while the turnserver is running.
#
#user=username1:key1
#user=username2:key2
# OR:
#user=username1:password1
#user=username2:password2
#
# Keys must be generated by turnadmin utility. The key value depends
# on user name, realm, and password:
#
# Example:
# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
# ('0x' in the beginning of the key is what differentiates the key from
# password. If it has 0x then it is a key, otherwise it is a password).
#
# The corresponding user account entry in the config file will be:
#
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
# Or, equivalently, with open clear password (less secure):
#user=ninefingers:youhavetoberealistic
#
# SQLite database file name.
#
# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
# /var/lib/turn/turndb.
#
#userdb=/var/db/turndb
# PostgreSQL database connection string in the case that we are using PostgreSQL
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for 9.x and newer connection string formats.
#
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
# MySQL database connection string in the case that we are using MySQL
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
#
# Optional connection string parameters for the secure communications (SSL):
# ca, capath, cert, key, cipher
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
# command options description).
#
# Use string format as below (space separated parameters, all optional):
#
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
# If you want to use in the MySQL connection string the password in encrypted format,
# then set in this option the MySQL password encryption secret key file.
#
# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
# If you want to use cleartext password then do not set this option!
#
# This is the file path which contain secret key of aes encryption while using password encryption.
#
#secret-key-file=/path/
# MongoDB database connection string in the case that we are using MongoDB
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
#
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
# Redis database connection string in the case that we are using Redis
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format as below (space separated parameters, all optional):
#
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
# This database keeps allocations status information, and it can be also used for publishing
# and delivering traffic and allocation event notifications.
# The connection string has the same parameters as redis-userdb connection string.
# Use string format as below (space separated parameters, all optional):
#
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# The default realm to be used for the users when no explicit
# origin/realm relationship was found in the database, or if the TURN
# server is not using any database (just the commands-line settings
# and the userdb file). Must be used with long-term credentials
# mechanism or with TURN REST API.
#
# Note: If default realm is not specified at all, then realm falls back to the host domain name.
# If domain name is empty string, or '(None)', then it is initialized to am empty string.
#
$(generate_realm)
# The flag that sets the origin consistency
# check: across the session, all requests must have the same
# main ORIGIN attribute value (if the ORIGIN was
# initially used by the session).
#
#check-origin-consistency
# Per-user allocation quota.
# default value is 0 (no quota, unlimited number of sessions per user).
# This option can also be set through the database, for a particular realm.
#
#user-quota=0
# Total allocation quota.
# default value is 0 (no quota).
# This option can also be set through the database, for a particular realm.
#
#total-quota=0
# Max bytes-per-second bandwidth a TURN session is allowed to handle
# (input and output network streams are treated separately). Anything above
# that limit will be dropped or temporary suppressed (within
# the available buffer limits).
# This option can also be set through the database, for a particular realm.
#
#max-bps=0
#
# Maximum server capacity.
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
# for the sessions, combined (input and output network streams are treated separately).
#
# bps-capacity=0
# Uncomment if no UDP client listener is desired.
# By default UDP client listener is always started.
#
#no-udp
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
#
#no-udp-relay
# Uncomment if no TCP relay endpoints are allowed.
# By default TCP relay endpoints are enabled (like in RFC 6062).
#
$(generate_no_tcp_relay)
# Uncomment if extra security is desired,
# with nonce value having limited lifetime.
# By default, the nonce value is unique for a session,
# and has unlimited lifetime.
# Set this option to limit the nonce lifetime.
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
# the client will get 438 error and will have to re-authenticate itself.
#
#stale-nonce=600
# Uncomment if you want to set the maximum allocation
# time before it has to be refreshed.
# Default is 3600s.
#
#max-allocate-lifetime=3600
# Uncomment to set the lifetime for the channel.
# Default value is 600 secs (10 minutes).
# This value MUST not be changed for production purposes.
#
#channel-lifetime=600
# Uncomment to set the permission lifetime.
# Default to 300 secs (5 minutes).
# In production this value MUST not be changed,
# however it can be useful for test purposes.
#
#permission-lifetime=300
# Certificate file.
# Use an absolute path or path relative to the
# configuration file.
#
#cert=/usr/local/etc/turn_server_cert.pem
# Private key file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
#pkey=/usr/local/etc/turn_server_pkey.pem
# Private key file password, if it is in encoded format.
# This option has no default value.
#
#pkey-pwd=...
# Allowed OpenSSL cipher list for TLS/DTLS connections.
# Default value is "DEFAULT".
#
#cipher-list="DEFAULT"
# CA file in OpenSSL format.
# Forces TURN server to verify the client SSL certificates.
# By default it is not set: there is no default value and the client
# certificate is not checked.
#
# Example:
#CA-file=/etc/ssh/id_rsa.cert
# Curve name for EC ciphers, if supported by OpenSSL
# library (TLS and DTLS). The default value is prime256v1,
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
# an optimal curve will be automatically calculated, if not defined
# by this option.
#
#ec-curve-name=prime256v1
# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh566
# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh2066
# Use custom DH TLS key, stored in PEM format in the file.
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
#
#dh-file=<DH-PEM-file-name>
# Flag to prevent stdout log messages.
# By default, all log messages are going to both stdout and to
# the configured log file. With this option everything will be
# going to the configured log only (unless the log file itself is stdout).
#
#no-stdout-log
# Option to set the log file name.
# By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and current directories directories
# (which open operation succeeds first that file will be used).
# With this option you can set the definite log file name.
# The special names are "stdout" and "-" - they will force everything
# to the stdout. Also, the "syslog" name will force everything to
# the system log (syslog).
# In the runtime, the logfile can be reset with the SIGHUP signal
# to the turnserver process.
#
#log-file=/var/tmp/turn.log
# Option to redirect all log output into system log (syslog).
#
syslog
# This flag means that no log file rollover will be used, and the log file
# name will be constructed as-is, without PID and date appendage.
# This option can be used, for example, together with the logrotate tool.
#
#simple-log
# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in form of
# <ip>[:<port>]. The server will send this value in the attribute
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
# Client will receive only values with the same address family
# as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
# The client must use the obtained value for subsequent TURN communications.
# If more than one --alternate-server options are provided, then the functionality
# can be more accurately described as "load-balancing" than a mere "redirection".
# If the port number is omitted, then the default port
# number 3478 for the UDP/TCP protocols will be used.
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
# in square brackets in such resource identifiers, for example:
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Multiple alternate servers can be set. They will be used in the
# round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if we have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
# address can be used more than one time with the alternate-server option, so this
# can emulate "weighting" of the servers.
#
# Examples:
#alternate-server=1.2.3.4:5678
#alternate-server=11.22.33.44:56789
#alternate-server=5.6.7.8
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to set alternative server for TLS & DTLS services in form of
# <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous
# option for the functionality description.
#
# Examples:
#tls-alternate-server=1.2.3.4:5678
#tls-alternate-server=11.22.33.44:56789
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to suppress TURN functionality, only STUN requests will be processed.
# Run as STUN server only, all TURN requests will be ignored.
# By default, this option is NOT set.
#
#stun-only
# Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored.
# By default, this option is NOT set.
#
#no-stun
# This is the timestamp/username separator symbol (character) in TURN REST API.
# The default value is ':'.
# rest-api-separator=:
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
#
# (To avoid any security issue that allowing loopback access may raise,
# the no-loopback-peers option is replaced by allow-loopback-peers.)
#
# Allow it only for testing in a development environment!
# In production it adds a possible security vulnerability, so for security reasons
# it is not allowed using it together with empty cli-password.
#
#allow-loopback-peers
# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
# This is an extra security measure.
#
#no-multicast-peers
# Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds.
#
#max-allocate-timeout=60
# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
#
# Examples:
# denied-peer-ip=83.166.64.0-83.166.95.255
# allowed-peer-ip=83.166.68.45
# File name to store the pid of the process.
# Default is /var/run/turnserver.pid (if superuser account is used) or
# /var/tmp/turnserver.pid .
#
#pidfile="/var/run/turnserver.pid"
# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun
# Mobility with ICE (MICE) specs support.
#
#mobility
# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default coTURN works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
#
#keep-address-family
# User name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current user ID to that user.
#
#proc-user=<user-name>
# Group name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current group ID to that group.
#
#proc-group=<group-name>
# Turn OFF the CLI support.
# By default it is always ON.
# See also options cli-ip and cli-port.
#
#no-cli
#Local system IP address to be used for CLI server endpoint. Default value
# is 127.0.0.1.
#
#cli-ip=127.0.0.1
# CLI server port. Default is 5766.
#
#cli-port=5766
# CLI access password. Default is empty (no password).
# For the security reasons, it is recommended to use the encrypted
# for of the password (see the -P command in the turnadmin utility).
#
# Secure form for password 'qwerty':
#
#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
#
# Or unsecure form for the same password:
#
#cli-password=qwerty
# Enable Web-admin support on https. By default it is Disabled.
# If it is enabled it also enables a http a simple static banner page
# with a small reminder that the admin page is available only on https.
#
#web-admin
# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
#
#web-admin-ip=127.0.0.1
# Web-admin server port. Default is 8080.
#
#web-admin-port=8080
# Web-admin server listen on STUN/TURN worker threads
# By default it is disabled for security resons! (Not recommended in any production environment!)
#
#web-admin-listen-on-workers
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when we want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
#
#server-relay
# Maximum number of output sessions in ps CLI command.
# This value can be changed on-the-fly in CLI. The default value is 256.
#
#cli-max-output-sessions
# Set network engine type for the process (for internal purposes).
#
#ne=[1|2|3]
# Do not allow an TLS/DTLS version of protocol
#
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2
EOF

View file

@ -0,0 +1,61 @@
cdist-type__coturn(7)
=====================
NAME
----
cdist-type__coturn - Install and configure a coturn TURN server
DESCRIPTION
-----------
This (singleton) type install and configure a coturn TURN
server.
REQUIRED PARAMETERS
-------------------
None.
OPTIONAL PARAMETERS
-------------------
static_auth_secret
Secret used to access the TURN REST API.
realm
Defailt realm.
BOOLEAN PARAMETERS
------------------
use_auth_secret
Allows TURN credentials to be accounted for a specific user id.
no_tcp_relay
Disable TCP relay endpoints.
EXAMPLES
--------
.. code-block:: sh
__coturn \
--realm turn.domain.tld \
--no_tcp_relay
SEE ALSO
--------
- `coturn Github repository <https://github.com/coturn/coturn>`_
AUTHORS
-------
Timothée Floure <timothee.floure@ungleich.ch>
COPYING
-------
Copyright \(C) 2020 Timothée Floure. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,52 @@
#!/bin/sh -e
#
# 2020 Timothée Floure (timothee.floure@ungleich.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
__package coturn
# Optional parameters.
if [ -f "$__object/parameter/use_auth_secret" ]; then
export USE_AUTH_SECRET=1
fi
if [ -f "$__object/parameter/static_auth_secret" ]; then
export STATIC_AUTH_SECRET=$(cat "$__object/parameter/static_auth_secret")
fi
if [ -f "$__object/parameter/realm" ]; then
export REALM=$(cat "$__object/parameter/realm")
fi
if [ -f "$__object/parameter/no_tcp_relay" ]; then
export NO_TCP_RELAY=$(cat "$__object/parameter/no_tcp_relay")
fi
# Hardcoded.
coturn_config='/etc/turnserver.conf'
# Generate and deploy configuration file.
mkdir -p "$__object/files"
"$__type/files/turnserver.conf.sh" > "$__object/files/turnserver.conf"
__file $coturn_config \
--source "$__object/files/turnserver.conf" \
--state present
# Restart coturn server.
require="__file/$coturn_config" __service coturn --action restart

View file

@ -0,0 +1,2 @@
use_auth_secret
no_tcp_relay

View file

@ -0,0 +1,2 @@
static_auth_secret
realm

View file

@ -21,11 +21,6 @@ command
OPTIONAL PARAMETERS
-------------------
**NOTE**: All time-related parameters (``--minute``, ``--hour``, ``--day_of_month``
``--month`` and ``--day_of_week``) defaults to ``*``, which means to execute it
**always**. If you set ``--hour 0`` to execute the cronjob only at midnight, it
will execute **every** minute in the first hour of the morning all days.
state
Either present or absent. Defaults to present.
minute

View file

@ -1,142 +0,0 @@
#!/bin/sh -e
#
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
# Determine current debconf selections' state.
# Prints one of:
# present: all selections are already set as they should.
# different: one or more of the selections have a different value.
# absent: one or more of the selections are not (currently) defined.
#
test -x /usr/bin/perl || {
# cannot find perl (no perl ~ no debconf)
echo 'absent'
exit 0
}
linesfile="${__object:?}/parameter/line"
test -s "${linesfile}" || {
if test -s "${__object:?}/parameter/file"
then
echo absent
else
echo present
fi
exit 0
}
# assert __type_explorer is set (because it is used by the Perl script)
: "${__type_explorer:?}"
/usr/bin/perl -- - "${linesfile}" <<'EOF'
use strict;
use warnings "all";
use Fcntl qw(:DEFAULT :flock);
use Debconf::Db;
use Debconf::Question;
# Extract @known... arrays from debconf-set-selections
# These values are required to distinguish flags and values in the given lines.
# DC: I couldn't think of a more ugly solution to the problem…
my @knownflags;
my @knowntypes;
my $debconf_set_selections = '/usr/bin/debconf-set-selections';
if (-e $debconf_set_selections) {
my $sed_known = 's/^my \(@known\(flags\|types\) = qw([a-z ]*);\).*$/\1/p';
eval `sed -n '$sed_known' '$debconf_set_selections'`;
}
sub mungeline ($) {
my $line = shift;
chomp $line;
$line =~ s/\r$//;
return $line;
}
sub fatal { printf STDERR @_; exit 1; }
my $state = 'present';
sub state {
my $new = shift;
if ($state eq 'present'
or ($state eq 'different' and $new eq 'absent')) {
$state = $new;
}
}
# Load Debconf DB but manually lock on the state explorer script,
# because Debconf aborts immediately if executed concurrently.
# This is not really an ideal solution because the Debconf DB could be locked by
# another process (e.g. apt-get), but no way to achieve this could be found.
# If you know how to, please provide a patch.
my $lockfile = "%ENV{'__type_explorer'}/state";
if (open my $lock_fh, '+<', $lockfile) {
flock $lock_fh, LOCK_EX or die "Cannot lock $lockfile";
}
{
Debconf::Db->load(readonly => 'true');
}
while (<>) {
# Read and process lines (taken from debconf-set-selections)
$_ = mungeline($_);
while (/\\$/ && ! eof) {
s/\\$//;
$_ .= mungeline(<>);
}
next if /^\s*$/ || /^\s*\#/;
my ($owner, $label, $type, $content) = /^\s*(\S+)\s+(\S+)\s+(\S+)(?:\s(.*))?/
or fatal "invalid line: %s\n", $_;
$content = '' unless defined $content;
# Compare is and should state
my $q = Debconf::Question->get($label);
unless (defined $q) {
# probably a preseed
state 'absent';
next;
}
if (grep { $_ eq $q->type } @knownflags) {
# This line wants to set a flag, presumably.
if ($q->flag($q->type) ne $content) {
state 'different';
}
} else {
# Otherwise, it's probably a value…
if ($q->value ne $content) {
state 'different';
}
unless (grep { $_ eq $owner } (split /, /, $q->owners)) {
state 'different';
}
}
}
printf "%s\n", $state;
EOF

View file

@ -1,7 +1,6 @@
#!/bin/sh -e
#
# 2011-2014 Nico Schottelius (nico-cdist at schottelius.org)
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@ -18,37 +17,16 @@
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Setup selections
#
if test -f "${__object:?}/parameter/line"
then
filename="${__object:?}/parameter/line"
elif test -s "${__object:?}/parameter/file"
then
filename=$(cat "${__object:?}/parameter/file")
if test "${filename}" = '-'
then
filename="${__object:?}/stdin"
fi
else
printf 'Neither --line nor --file set.\n' >&2
exit 1
filename="$(cat "$__object/parameter/file")"
if [ "$filename" = "-" ]; then
filename="$__object/stdin"
fi
# setting no lines makes no sense
test -s "${filename}" || exit 0
state_is=$(cat "${__object:?}/explorer/state")
if test "${state_is}" != 'present'
then
cat <<-CODE
debconf-set-selections <<'EOF'
$(cat "${filename}")
EOF
CODE
awk '
{
printf "set %s %s %s %s\n", $1, $2, $3, $4
}' "${filename}" >>"${__messages_out:?}"
fi
echo "debconf-set-selections << __file-eof"
cat "$filename"
echo "__file-eof"

View file

@ -8,33 +8,15 @@ cdist-type__debconf_set_selections - Setup debconf selections
DESCRIPTION
-----------
On Debian and alike systems :strong:`debconf-set-selections`\ (1) can be used
On Debian and alike systems debconf-set-selections(1) can be used
to setup configuration parameters.
REQUIRED PARAMETERS
-------------------
cf. ``--line``.
OPTIONAL PARAMETERS
-------------------
file
Use the given filename as input for :strong:`debconf-set-selections`\ (1)
If filename is ``-``, read from stdin.
**This parameter is deprecated, because it doesn't work with state detection.**
line
A line in :strong:`debconf-set-selections`\ (1) compatible format.
This parameter can be used multiple times to set multiple options.
(This parameter is actually required, but marked optional because the
deprecated ``--file`` is still accepted.)
BOOLEAN PARAMETERS
------------------
None.
Use the given filename as input for debconf-set-selections(1)
If filename is "-", read from stdin.
EXAMPLES
@ -42,29 +24,30 @@ EXAMPLES
.. code-block:: sh
# Setup gitolite's gituser
__debconf_set_selections nslcd --line 'gitolite gitolite/gituser string git'
# Setup configuration for nslcd
__debconf_set_selections nslcd --file /path/to/file
# Setup configuration for nslcd from a file.
# NB: Multiple lines can be passed to --line, although this can be considered a hack.
__debconf_set_selections nslcd --line "$(cat "${__files:?}/preseed/nslcd.debconf")"
# Setup configuration for nslcd from another type
__debconf_set_selections nslcd --file "$__type/files/preseed/nslcd"
__debconf_set_selections nslcd --file - << eof
gitolite gitolite/gituser string git
eof
SEE ALSO
--------
- :strong:`cdist-type__update_alternatives`\ (7)
- :strong:`debconf-set-selections`\ (1)
:strong:`debconf-set-selections`\ (1), :strong:`cdist-type__update_alternatives`\ (7)
AUTHORS
-------
| Nico Schottelius <nico-cdist--@--schottelius.org>
| Dennis Camera <dennis.camera--@--ssrq-sds-fds.ch>
Nico Schottelius <nico-cdist--@--schottelius.org>
COPYING
-------
Copyright \(C) 2011-2014 Nico Schottelius, 2021 Dennis Camera.
You can redistribute it and/or modify it under the terms of the GNU General
Public License as published by the Free Software Foundation, either version 3 of
the License, or (at your option) any later version.
Copyright \(C) 2011-2014 Nico Schottelius. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -1,21 +0,0 @@
#!/bin/sh -e
#
# 2021 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
__package_apt debconf

View file

@ -1 +0,0 @@
'file' has been deprecated in favour of 'line' in order to provide idempotency.

View file

@ -30,10 +30,10 @@ fallback() {
gid=$(echo "$ls_line" | awk '{ print $4 }')
owner=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/passwd)
group=$(awk -F: -v gid="$gid" '$3 == gid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
group=$(awk -F: -v uid="$uid" '$3 == uid { print $1; f=1 } END { if (!f) print "UNKNOWN" }' /etc/group)
mode_text=$(echo "$ls_line" | awk '{ print $1 }')
mode=$(echo "$mode_text" | awk '{for(i=8;i>=0;--i){c=substr($1,10-i,1);k+=((c~/[rwxst]/)*2^i);if(!(i%3))k+=(tolower(c)~/[lst]/)*2^(9+i/3)}printf("%04o",k)}')
mode=$(echo "$mode_text" | awk '{ k=0; for (i=0; i<=8; i++) k += ((substr($1, i+2, 1) ~ /[rwx]/) * 2^(8-i)); printf("%0o", k) }')
printf 'type: %s\nowner: %d %s\ngroup: %d %s\nmode: %s %s\n' \
"$("$__type_explorer/type")" \
@ -45,27 +45,56 @@ fallback() {
# nothing to work with, nothing we could do
[ -e "$destination" ] || exit 0
command -v stat >/dev/null 2>&1 || {
if ! command -v stat >/dev/null
then
fallback
exit
}
fi
case $("$__explorer/os")
in
freebsd|netbsd|openbsd|macosx)
stat -f 'type: %HT
case $("$__explorer/os") in
"freebsd"|"netbsd"|"openbsd"|"macosx")
stat -f "type: %HT
owner: %Du %Su
group: %Dg %Sg
mode: %Mp%03Lp %Sp
' "$destination" | awk '/^type/ { print tolower($0); next } { print }'
mode: %Lp %Sp
" "$destination" | awk '/^type/ { print tolower($0); next } { print }'
;;
solaris)
ls1="$( ls -ld "$destination" )"
ls2="$( ls -ldn "$destination" )"
if [ -f "$__object/parameter/mode" ]
then mode_should="$( cat "$__object/parameter/mode" )"
fi
# yes, it is ugly hack, but if you know better way...
if [ -z "$( find "$destination" -perm "$mode_should" )" ]
then octets=888
else octets="$( echo "$mode_should" | sed 's/^0//' )"
fi
case "$( echo "$ls1" | cut -c1-1 )" in
-) echo 'type: regular file' ;;
d) echo 'type: directory' ;;
esac
echo "owner: $( echo "$ls2" \
| awk '{print $3}' ) $( echo "$ls1" \
| awk '{print $3}' )"
echo "group: $( echo "$ls2" \
| awk '{print $4}' ) $( echo "$ls1" \
| awk '{print $4}' )"
echo "mode: $octets $( echo "$ls1" | awk '{print $1}' )"
;;
*)
# NOTE: Do not use --printf here as it is not supported by BusyBox stat.
# NOTE: BusyBox's stat might not support the "-c" option, in which case
# we fall through to the shell fallback.
stat -c 'type: %F
stat -c "type: %F
owner: %u %U
group: %g %G
mode: %04a %A' "$destination" 2>/dev/null || fallback
;;
mode: %a %A" "$destination" 2>/dev/null || fallback
;;
esac

View file

@ -97,11 +97,9 @@ case "$state_should" in
value_should="$(cat "$__object/parameter/$attribute")"
value_is="$(get_current_value "$attribute" "$value_should")"
# format mode in four digits => same as stat returns
# change 0xxx format to xxx format => same as stat returns
if [ "$attribute" = mode ]; then
# Convert to four-digit octal number (printf interprets
# strings with leading 0s as octal!)
value_should=$(printf '%04o' "0${value_should}")
value_should="$(echo "$value_should" | sed 's/^0\(...\)/\1/')"
fi
if [ "$set_attributes" = 1 ] || [ "$value_should" != "$value_is" ]; then

View file

@ -25,9 +25,6 @@ user
OPTIONAL PARAMETERS
-------------------
dirmode
forwarded to :strong:`__directory` type as mode
mode
forwarded to :strong:`__file` type
@ -37,12 +34,6 @@ state
source
forwarded to :strong:`__file` type
file
forwarded to :strong:`__file` type
This can be used if multiple users need to have a dotfile updated,
which will result in duplicate object id errors. When using the
file parameter the object id can be some unique value.
MESSAGES
--------
@ -67,15 +58,6 @@ EXAMPLES
# Install default xmonad config for user 'eve'. Parent directory is created automatically.
__dot_file .xmonad/xmonad.hs --user eve --state exists --source "$__files/xmonad.hs"
# install .vimrc for root and some users
for user in root userx usery userz; do
__dot_file "${user}_dot_vimrc" \
--user $user \
--file .vimrc \
--state exists \
--source "$__files/$user/.vimrc"
done
SEE ALSO
--------

View file

@ -19,20 +19,13 @@ set -eu
user="$(cat "${__object}/parameter/user")"
home="$(cat "${__object}/explorer/home")"
primary_group="$(cat "${__object}/explorer/primary_group")"
dirmode="$(cat "${__object}/parameter/dirmode")"
if [ -f "${__object}/parameter/file" ]; then
file="$(cat "${__object}/parameter/file")"
else
file="${__object_id}"
fi
# Create parent directory. Type __directory has flag 'parents', but it
# will leave us with root-owned directory in user home, which is not
# acceptable. So we create parent directories one-by-one. XXX: maybe
# it should be fixed in '__directory'?
set --
subpath=${file}
subpath=${__object_id}
while subpath="$(dirname "${subpath}")" ; do
[ "${subpath}" = . ] && break
set -- "${subpath}" "$@"
@ -43,7 +36,6 @@ export CDIST_ORDER_DEPENDENCY
for dir ; do
__directory "${home}/${dir}" \
--group "${primary_group}" \
--mode "${dirmode}" \
--owner "${user}"
done
@ -70,4 +62,4 @@ if [ "${source}" = "-" ] ; then
fi
unset source
__file "${home}/${file}" --owner "$user" --group "$primary_group" "$@"
__file "${home}/${__object_id}" --owner "$user" --group "$primary_group" "$@"

View file

@ -1,4 +1,3 @@
state
mode
source
dirmode

View file

@ -1,16 +0,0 @@
#!/bin/sh -e
if [ -f "$__object/parameter/cmd-get" ]
then
cat "$__object/parameter/cmd-get"
elif
command -v curl > /dev/null
then
echo "curl -sSL -o - '%s'"
elif
command -v fetch > /dev/null
then
echo "fetch -o - '%s'"
else
echo "wget -O - '%s'"
fi

View file

@ -1,82 +0,0 @@
#!/bin/sh -e
if [ ! -f "$__object/parameter/sum" ]
then
exit 0
fi
if [ -f "$__object/parameter/cmd-sum" ]
then
cat "$__object/parameter/cmd-sum"
exit 0
fi
sum_should="$( cat "$__object/parameter/sum" )"
if echo "$sum_should" | grep -Fq ':'
then
sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
else
if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
then
sum_hash='cksum'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
then
sum_hash='md5'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
then
sum_hash='sha1'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
then
sum_hash='sha256'
else
echo 'hash format detection failed' >&2
exit 1
fi
fi
os="$( "$__explorer/os" )"
case "$sum_hash" in
cksum)
echo "cksum %s | awk '{print \$1\" \"\$2}'"
;;
md5)
case "$os" in
freebsd)
echo "md5 -q %s"
;;
*)
echo "md5sum %s | awk '{print \$1}'"
;;
esac
;;
sha1)
case "$os" in
freebsd)
echo "sha1 -q %s"
;;
*)
echo "sha1sum %s | awk '{print \$1}'"
;;
esac
;;
sha256)
case "$os" in
freebsd)
echo "sha256 -q %s"
;;
*)
echo "sha256sum %s | awk '{print \$1}'"
;;
esac
;;
*)
# we arrive here only if --sum is given with unknown format prefix
echo "unknown hash format: $sum_hash" >&2
exit 1
;;
esac

View file

@ -1,45 +0,0 @@
#!/bin/sh -e
if [ -f "$__object/parameter/destination" ]
then
dst="$( cat "$__object/parameter/destination" )"
else
dst="/$__object_id"
fi
if [ ! -f "$dst" ]
then
echo 'absent'
exit 0
fi
if [ ! -f "$__object/parameter/sum" ]
then
echo 'present'
exit 0
fi
sum_should="$( cat "$__object/parameter/sum" )"
if echo "$sum_should" | grep -Fq ':'
then
sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
fi
sum_cmd="$( "$__type_explorer/remote_cmd_sum" )"
# shellcheck disable=SC2059
sum_is="$( eval "$( printf "$sum_cmd" "'$dst'" )" )"
if [ -z "$sum_is" ]
then
echo 'existing destination checksum failed' >&2
exit 1
fi
if [ "$sum_is" = "$sum_should" ]
then
echo 'present'
else
echo 'mismatch'
fi

View file

@ -1,155 +0,0 @@
#!/bin/sh -e
download="$( cat "$__object/parameter/download" )"
state_is="$( cat "$__object/explorer/state" )"
if [ "$download" != 'local' ] || [ "$state_is" = 'present' ]
then
exit 0
fi
url="$( cat "$__object/parameter/url" )"
if [ -f "$__object/parameter/destination" ]
then
dst="$( cat "$__object/parameter/destination" )"
else
dst="/$__object_id"
fi
if [ -f "$__object/parameter/cmd-get" ]
then
cmd="$( cat "$__object/parameter/cmd-get" )"
elif command -v curl > /dev/null
then
cmd="curl -sSL -o - '%s'"
elif command -v fetch > /dev/null
then
cmd="fetch -o - '%s'"
elif command -v wget > /dev/null
then
cmd="wget -O - '%s'"
else
echo 'local download failed, no usable utility' >&2
exit 1
fi
echo "download_tmp=\"\$( mktemp )\""
# shellcheck disable=SC2059
printf "$cmd > \"\$download_tmp\"\n" "$url"
if [ -f "$__object/parameter/sum" ]
then
sum_should="$( cat "$__object/parameter/sum" )"
if [ -f "$__object/parameter/cmd-sum" ]
then
local_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
else
if echo "$sum_should" | grep -Fq ':'
then
sum_hash="$( echo "$sum_should" | cut -d : -f 1 )"
sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
else
if echo "$sum_should" | grep -Eq '^[0-9]+\s[0-9]+$'
then
sum_hash='cksum'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{32}$'
then
sum_hash='md5'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{40}$'
then
sum_hash='sha1'
elif
echo "$sum_should" | grep -Eiq '^[a-f0-9]{64}$'
then
sum_hash='sha256'
else
echo 'hash format detection failed' >&2
exit 1
fi
fi
case "$sum_hash" in
cksum)
local_cmd_sum="cksum %s | awk '{print \$1\" \"\$2}'"
;;
md5)
if command -v md5 > /dev/null
then
local_cmd_sum="md5 -q %s"
elif
command -v md5sum > /dev/null
then
local_cmd_sum="md5sum %s | awk '{print \$1}'"
fi
;;
sha1)
if command -v sha1 > /dev/null
then
local_cmd_sum="sha1 -q %s"
elif
command -v sha1sum > /dev/null
then
local_cmd_sum="sha1sum %s | awk '{print \$1}'"
fi
;;
sha256)
if command -v sha256 > /dev/null
then
local_cmd_sum="sha256 -q %s"
elif
command -v sha256sum > /dev/null
then
local_cmd_sum="sha256sum %s | awk '{print \$1}'"
fi
;;
*)
# we arrive here only if --sum is given with unknown format prefix
echo "unknown hash format: $sum_hash" >&2
exit 1
;;
esac
if [ -z "$local_cmd_sum" ]
then
echo 'local checksum verification failed, no usable utility' >&2
exit 1
fi
fi
# shellcheck disable=SC2059
echo "sum_is=\"\$( $( printf "$local_cmd_sum" "\"\$download_tmp\"" ) )\""
echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
echo "echo 'local download checksum mismatch' >&2"
echo "rm -f \"\$download_tmp\""
echo 'exit 1; fi'
fi
if echo "$__target_host" | grep -Eq '^[0-9a-fA-F:]+$'
then
target_host="[$__target_host]"
else
target_host="$__target_host"
fi
# shellcheck disable=SC2016
printf '%s "$download_tmp" %s:%s\n' \
"$__remote_copy" \
"$target_host" \
"$dst"
echo "rm -f \"\$download_tmp\""

View file

@ -1,59 +0,0 @@
#!/bin/sh -e
download="$( cat "$__object/parameter/download" )"
state_is="$( cat "$__object/explorer/state" )"
if [ "$download" = 'remote' ] && [ "$state_is" != 'present' ]
then
cmd_get="$( cat "$__object/explorer/remote_cmd_get" )"
url="$( cat "$__object/parameter/url" )"
if [ -f "$__object/parameter/destination" ]
then
dst="$( cat "$__object/parameter/destination" )"
else
dst="/$__object_id"
fi
echo "download_tmp=\"\$( mktemp )\""
# shellcheck disable=SC2059
printf "$cmd_get > \"\$download_tmp\"\n" "$url"
if [ -f "$__object/parameter/sum" ]
then
sum_should="$( cat "$__object/parameter/sum" )"
if [ -f "$__object/parameter/cmd-sum" ]
then
remote_cmd_sum="$( cat "$__object/parameter/cmd-sum" )"
else
remote_cmd_sum="$( cat "$__object/explorer/remote_cmd_sum" )"
if echo "$sum_should" | grep -Fq ':'
then
sum_should="$( echo "$sum_should" | cut -d : -f 2 )"
fi
fi
# shellcheck disable=SC2059
echo "sum_is=\"\$( $( printf "$remote_cmd_sum" "\"\$download_tmp\"" ) )\""
echo "if [ \"\$sum_is\" != '$sum_should' ]; then"
echo "echo 'remote download checksum mismatch' >&2"
echo "rm -f \"\$download_tmp\""
echo 'exit 1; fi'
fi
echo "mv \"\$download_tmp\" '$dst'"
fi
if [ -f "$__object/parameter/onchange" ] && [ "$state_is" != "present" ]
then
cat "$__object/parameter/onchange"
fi

View file

@ -1,101 +0,0 @@
cdist-type__download(7)
=======================
NAME
----
cdist-type__download - Download a file
DESCRIPTION
-----------
By default type will try to use ``curl``, ``fetch`` or ``wget``.
If download happens in target (see ``--download``) then type will
fallback to (and install) ``wget``.
If download happens in local machine, then environment variables like
``{http,https,ftp}_proxy`` etc can be used on cdist execution
(``http_proxy=foo cdist config ...``).
To change downloaded file's owner, group or permissions, use ``require='__download/path/to/file' __file ...``.
REQUIRED PARAMETERS
-------------------
url
File's URL.
OPTIONAL PARAMETERS
-------------------
destination
Downloaded file's destination in target. If unset, ``$__object_id`` is used.
sum
Supported formats: ``cksum`` output without file name, MD5, SHA1 and SHA256.
Type tries to detect hash format with regexes, but prefixes
``cksum:``, ``md5:``, ``sha1:`` and ``sha256:`` are also supported.
Checksum have two purposes - state check and post-download verification.
In state check, if destination checksum mismatches, then content of URL
will be downloaded to temporary file. If downloaded temporary file's
checksum matches, then it will be moved to destination (overwritten).
For local downloads it is expected that usable utilities for checksum
calculation exist in the system.
download
If ``local`` (default), then file is downloaded to local storage and copied
to target host. If ``remote``, then download happens in target.
For local downloads it is expected that usable utilities for downloading
exist in the system. Type will try to use ``curl``, ``fetch`` or ``wget``.
cmd-get
Command used for downloading.
Command must output to ``stdout``.
Parameter will be used for ``printf`` and must include only one
format specification ``%s`` which will become URL.
For example: ``wget -O - '%s'``.
cmd-sum
Command used for checksum calculation.
Command output and ``--sum`` parameter must match.
Parameter will be used for ``printf`` and must include only one
format specification ``%s`` which will become destination.
For example: ``md5sum '%s' | awk '{print $1}'``.
onchange
Execute this command after download.
EXAMPLES
--------
.. code-block:: sh
__directory /opt/cpma
require='__directory/opt/cpma' \
__download /opt/cpma/cnq3.zip \
--url https://cdn.playmorepromode.com/files/cnq3/cnq3-1.51.zip \
--sum 46da3021ca9eace277115ec9106c5b46
require='__download/opt/cpma/cnq3.zip' \
__unpack /opt/cpma/cnq3.zip \
--backup-destination \
--preserve-archive \
--destination /opt/cpma/server
AUTHORS
-------
Ander Punnar <ander-at-kvlt-dot-ee>
COPYING
-------
Copyright \(C) 2021 Ander Punnar. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -1,6 +0,0 @@
#!/bin/sh -e
if grep -Eq '^wget' "$__object/explorer/remote_cmd_get"
then
__package wget
fi

View file

@ -1,6 +0,0 @@
cmd-get
cmd-sum
destination
download
onchange
sum

Some files were not shown because too many files have changed in this diff Show more