shfmt & shellcheck

[theseal]

No description provided.

[github-actions]

Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit

shfmt

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh

Lines 19 to 20 in 47ff356

	echo "Usage $0 HOSTNAME REPO TAGPATTERN"
	exit 3

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh

Lines 33 to 35 in 47ff356

	# script is running with "set -e", use "|| true" to allow packages to not
	# exist without stopping the script
	apt-get -y install $pkg || true

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh

Line 41 in 47ff356

cosmos clone "$cmd_repo"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh

Lines 49 to 52 in 47ff356

	echo ""
	echo "test -f /etc/run-cosmos-at-boot && (bash -l cosmos -v update; bash -l cosmos -v apply && rm /etc/run-cosmos-at-boot)"
	echo ""
	echo "exit 0"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh

Lines 61 to 63 in 47ff356

	if [ -f ${file} ]; then
	sed -i 's/manage_etc_hosts: true/manage_etc_hosts: false/g' ${file}
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh

Line 79 in 47ff356

min_version=20.04

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh

Line 81 in 47ff356

min_version=11

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh

Lines 91 to 93 in 47ff356

	# When hostname pointed to loopback in /etc/hosts containers running on the
	# host tried to connect to the container itself instead of the host.
	host_ip=$(ip -j address show "$(ip -j route show default | jq -r '.[0].dev')" | jq -r .[0].addr_info[0].local)

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh

Lines 104 to 105 in 47ff356

	# shellcheck disable=SC2016
	models_array+=('$COSMOS_REPO/'"${_host_type}-common/")

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh

Lines 110 to 111 in 47ff356

	IFS=:
	echo "${models_array[*]}"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/etc/cosmos/apt/bootstrap-cosmos.sh

Lines 125 to 127 in 47ff356

	date
	nohup cosmos -v update && nohup cosmos -v apply && rm /etc/run-cosmos-at-boot
	date

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 22 to 24 in 47ff356

	local prefix=$1
	local fd=${2:-$LOCK_FD}
	local lock_file=$LOCKFILE_DIR/$prefix.lock

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 26 to 27 in 47ff356

	# create lock file
	eval "exec $fd>$lock_file"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 29 to 32 in 47ff356

	# acquier the lock
	flock -n "$fd" &&
	return 0 ||
	return 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Line 36 in 47ff356

local error_str="$*"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 38 to 39 in 47ff356

	echo "$error_str"
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Line 43 in 47ff356

local info_str="$*"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 45 to 46 in 47ff356

	echo "$info_str"
	exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 50 to 65 in 47ff356

	# In case e.g. the unit file has been removed "FragmentPath" will still
	# return the old filename until daemon-reload is called, so do that here
	# before we try checking for the FragmentPath.
	need_reload=$(systemctl show --property NeedDaemonReload $FLEETLOCK_UNLOCK_SERVICE | awk -F= '{print $2}')
	if [ "$need_reload" = "yes" ]; then
	systemctl daemon-reload
	fi
	unit_file=$(systemctl show --property FragmentPath $FLEETLOCK_UNLOCK_SERVICE | awk -F= '{print $2}')
	if [ -z "$unit_file" ]; then
	# No unit file matching the service name, do nothing
	return 0
	fi
	# Enable the service if needed
	systemctl is-enabled --quiet $FLEETLOCK_UNLOCK_SERVICE || systemctl enable --quiet $FLEETLOCK_UNLOCK_SERVICE

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 69 to 89 in 47ff356

	if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then
	# Make sure the unlock service is enabled before we take a lock if
	# cosmos ends up rebooting the machine before fleetlock_unlock() is
	# called.
	fleetlock_enable_unlock_service || return 1
	local fleetlock_group=""
	local optional_args=()
	# shellcheck source=/dev/null
	. $FLEETLOCK_CONFIG || return 1
	if [ -z "$fleetlock_group" ]; then
	echo "Unable to set fleetlock_group"
	return 1
	fi
	if [ -n "$fleetlock_lock_timeout" ]; then
	optional_args+=("--timeout")
	optional_args+=("$fleetlock_lock_timeout")
	fi
	echo "Getting fleetlock lock"
	$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --lock "${optional_args[@]}" || return 1
	fi
	return 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 93 to 110 in 47ff356

	if [ ! -f $FLEETLOCK_DISABLE_FILE ] && [ -f $FLEETLOCK_CONFIG ] && [ -x $FLEETLOCK_TOOL ]; then
	local fleetlock_group=""
	local optional_args=()
	# shellcheck source=/dev/null
	. $FLEETLOCK_CONFIG || return 1
	if [ -z "$fleetlock_group" ]; then
	echo "Unable to set fleetlock_group"
	return 1
	fi
	if [ -n "$fleetlock_unlock_timeout" ]; then
	optional_args+=("--timeout")
	optional_args+=("$fleetlock_unlock_timeout")
	fi
	machine_is_healthy || return 1
	echo "Releasing fleetlock lock"
	$FLEETLOCK_TOOL --lock-group "$fleetlock_group" --unlock "${optional_args[@]}" || return 1
	fi
	return 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 114 to 126 in 47ff356

	if [ ! -f $HEALTHCHECK_DISABLE_FILE ] && [ -x $HEALTHCHECK_TOOL ]; then
	local fleetlock_healthcheck_timeout=""
	local optional_args=()
	# shellcheck source=/dev/null
	. $FLEETLOCK_CONFIG || return 1
	if [ -n "$fleetlock_healthcheck_timeout" ]; then
	optional_args+=("--timeout")
	optional_args+=("$fleetlock_healthcheck_timeout")
	fi
	echo "Running any health checks"
	$HEALTHCHECK_TOOL "${optional_args[@]}" || return 1
	fi
	return 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 130 to 132 in 47ff356

	if [[ $1 == '--random-sleep' ]]; then
	shift
	sleep=$((RANDOM % 300))

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 134 to 136 in 47ff356

	echo "$0: Sleeping for ${sleep} seconds before attempting to run cosmos"
	sleep $sleep
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 138 to 141 in 47ff356

	lock "$PROGNAME" || eexit "Only one instance of $PROGNAME can run at one time."
	fleetlock_lock || eexit "Unable to acquire fleetlock lock."
	cosmos "$@" update
	cosmos "$@" apply

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 143 to 145 in 47ff356

	if [ -f /var/run/reboot-required ] && [ -f /var/run/cosmos-reboot-in-progress ]; then
	oexit "${PROGNAME}: Will not attempt fleetlock_unlock (exiting early) due to existing reboot files"
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Line 147 in 47ff356

fleetlock_unlock || eexit "Unable to release fleetlock lock."

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Line 149 in 47ff356

touch /var/run/last-cosmos-ok.stamp

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 151 to 154 in 47ff356

	if [ -f /cosmos-reboot ]; then
	rm -f /cosmos-reboot
	reboot
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/bin/run-cosmos

Lines 161 to 167 in 47ff356

	"fleetlock-unlock")
	lock "$PROGNAME" || oexit "$PROGNAME appears locked by a running run-cosmos, let it handle unlocking instead."
	fleetlock_unlock || eexit "Unable to release fleetlock lock."
	;;
	*)
	main "$@"
	;;

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/libexec/cosmos-cron-wrapper

Lines 9 to 15 in 47ff356

	SCRIPTHERDER_CMD+=('/usr/local/bin/scriptherder')
	SCRIPTHERDER_CMD+=('--mode')
	SCRIPTHERDER_CMD+=('wrap')
	SCRIPTHERDER_CMD+=('--syslog')
	SCRIPTHERDER_CMD+=('--name')
	SCRIPTHERDER_CMD+=('cosmos')
	SCRIPTHERDER_CMD+=('--')

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Lines 23 to 91 in 47ff356

	case "$1" in
	-h)
	echo "Usage: $0 [-h] [-H hostname] [-M <memory>] [-C <#cpus>] [-B <bridge>] [-D (dhcp)] [-i/-I <ip4/6>] [-n/-N <mask4/6>] [-g/-G <gw4/6>] [-R <resolver(s)>] [-s <src image>]"
	exit 0
	;;
	-H)
	hostname="$2"
	shift
	;;
	-s)
	src_image="$2"
	shift
	;;
	-D) dhcp="yes" ;;
	-S)
	size="$2"
	shift
	;;
	-B)
	bridge="$2"
	shift
	;;
	-M)
	mem="$2"
	shift
	;;
	-C)
	cpus="$2"
	shift
	;;
	-R)
	resolver="$2"
	shift
	;;
	-i)
	ip="$2"
	shift
	;;
	-g)
	gateway="$2"
	shift
	;;
	-n)
	netmask="$2"
	shift
	;;
	-I)
	ip6="$2"
	shift
	;;
	-G)
	gateway6="$2"
	shift
	;;
	-N)
	netmask6="$2"
	shift
	;;
	--)
	shift
	break
	;;
	-*)
	printf "Unknown option %s\nUsage: %s [-h] [-H hostname] [-M <memory>] [-C <#cpus>] [-B <bridge>] [-D (dhcp)] [-i/-I <ip4/6>] [-n/-N <mask4/6>] [-g/-G <gw4/6>] [-R <resolver(s)>] [-s <src image>]" "$1" "$0"
	exit 1
	;;
	*) break ;;
	esac
	shift

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Line 128 in 47ff356

cat >>"${meta_data}" <<EOF

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Lines 134 to 135 in 47ff356

	if [ -n "${ip}" ]; then
	cat >>"${meta_data}" <<EOF

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Line 145 in 47ff356

fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Lines 147 to 148 in 47ff356

	if [ -n "${ip6}" ]; then
	cat >>"${meta_data}" <<EOF

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Line 158 in 47ff356

fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010cosmos-modules

Lines 15 to 17 in 47ff356

	test "$COSMOS_VERBOSE" = "y" &&
	echo "$0: /etc/puppet/cosmos-modules.conf is present in the model, exiting"
	exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010cosmos-modules

Lines 21 to 23 in 47ff356

	test "$COSMOS_VERBOSE" = "y" &&
	echo "$0: Updating /etc/puppet/cosmos-modules.conf with /etc/puppet/setup_cosmos_modules"
	/etc/puppet/setup_cosmos_modules

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010cosmos-modules

Line 25 in 47ff356

test -f /etc/puppet/cosmos-modules.conf && exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010cosmos-modules

Line 29 in 47ff356

echo "$0: Creating/updating /etc/puppet/cosmos-modules.conf with defaults from this script"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010fix-ssh-perms

Lines 7 to 8 in 47ff356

	test "$(stat -t /root/.ssh | cut -d\ -f5)" != 0; then
	chown root.root /root/.ssh

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010fix-ssh-perms

Lines 12 to 13 in 47ff356

	test "$(stat -c %a /root/.ssh)" != 700; then
	chmod 700 /root/.ssh

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010fix-ssh-perms

Lines 17 to 22 in 47ff356

	if test "$(stat -t /root/.ssh/authorized_keys | cut -d\ -f5)" != 0; then
	chown root.root /root/.ssh/authorized_keys
	fi
	if test "$(stat --printf=%a /root/.ssh/authorized_keys)" != 440; then
	chmod 440 /root/.ssh/authorized_keys
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/014set-cosmos-permissions

Lines 14 to 15 in 47ff356

	test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
	exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/014set-cosmos-permissions

Line 20 in 47ff356

args="-v"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 5 to 7 in 47ff356

	# gpg on Ubuntu 16 and less is gnupg < 2, which doesn't have --import-options show-only
	# but on the other hand defaults to this mode (https://dev.gnupg.org/T2943)
	gnupg_show_options=("--dry-run")

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Line 11 in 47ff356

COSMOS_KEYS=/etc/cosmos/keys

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 26 to 32 in 47ff356

	if [[ ! -s $k ]]; then
	# Silently ignore empty files
	continue
	fi
	pubkeys_in_file=$(cosmos gpg "${gnupg_show_options[@]}" \
	--with-colons --with-fingerprint --quiet <"$k" |
	grep "^pub:")

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 34 to 39 in 47ff356

	# We only support files with one key in them
	num_pub_keys=$(echo "$pubkeys_in_file" | wc -l)
	if [ "$num_pub_keys" -ne 1 ]; then
	echo -e "$0: ${red}Ignoring file that does not have exactly one pubkey (found $num_pub_keys): ${k}${reset}"
	continue
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 41 to 45 in 47ff356

	expired_pubkey_in_file=$(echo "${pubkeys_in_file}" | awk -F: '$2 == "e" { print $0 }')
	if [[ $expired_pubkey_in_file ]]; then
	echo -e "$0: ${red}Ignoring file with expired pubkey: ${k}${reset}"
	continue
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Line 47 in 47ff356

fp=$(echo "${pubkeys_in_file}" | awk -F: '{print $5}')

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 49 to 50 in 47ff356

	# Remember that we saw fingerprint $fp in file $k
	SEEN[$fp]=$k

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 52 to 55 in 47ff356

	# Always import a non-expired file since it may have been updated
	gpg_output=$(cosmos gpg --no-tty --import <"$k" 2>&1)
	# Only print output if a key is changed
	echo "$gpg_output" | grep -q " not changed$" || echo "$gpg_output"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Line 60 in 47ff356

KEYRING[$fp]='1'

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 64 to 66 in 47ff356

	echo -e "$0: ${red}NO trusted keys found in directory ${COSMOS_KEYS} - aborting${reset}"
	echo "(this is probably a syntax problem with the gpg commands in this script)"
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 71 to 75 in 47ff356

	if [[ ! ${SEEN[$fp]} ]]; then
	echo -e "$0: ${bold}Deleting key${reset} ${fp} not present (or expired) in ${COSMOS_KEYS}"
	cosmos gpg --fingerprint "$fp"
	cosmos gpg --yes --batch --delete-key "$fp" || true
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 17 to 18 in 47ff356

	rm -rf "$CACHE_DIR/staging/$1"
	git archive --format=tar --prefix="$1"/ "$2" | (cd "$CACHE_DIR/staging/" && tar xf -)

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 22 to 27 in 47ff356

	if [ ! -d "$MODULES_DIR" ]; then
	mkdir -p "$MODULES_DIR"
	fi
	if [ ! -d "$CACHE_DIR" ]; then
	mkdir -p "$CACHE_DIR"/{scm,staging}
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 29 to 32 in 47ff356

	files=()
	if [ -f "$CONFIG" ]; then
	files+=("$CONFIG")
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 34 to 36 in 47ff356

	if [ -f "$LOCALCONFIG" ]; then
	files+=("$LOCALCONFIG")
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 38 to 74 in 47ff356

	# First pass to clone any new modules, and update those marked for updating.
	grep -h -E -v "^#" "${files[@]}" | sort | (
	while read -r module src update pattern; do
	# We only support git://, file:/// and https:// urls at the moment
	if [ "${src:0:6}" = "git://" ] || [ "${src:0:8}" = "file:///" ] || [ "${src:0:8}" = "https://" ]; then
	if [ ! -d "$CACHE_DIR/scm/$module" ]; then
	git clone -q "$src" "$CACHE_DIR/scm/$module"
	elif [ -d "$CACHE_DIR/scm/$module/.git" ]; then
	if [ "$update" = "yes" ]; then
	cd "$CACHE_DIR/scm/$module" || exit 1
	if [ "$src" != "$(git config remote.origin.url)" ]; then
	git config remote.origin.url "$src"
	fi
	# Support master branch being renamed to main
	git branch --all | grep -q '^[[:space:]]*remotes/origin/main$' && git checkout main
	# Update repo and clean out any local inconsistencies
	git pull -q || (git fetch && git reset --hard)
	else
	continue
	fi
	else
	echo -e "${red}ERROR: Ignoring non-git repository${reset}"
	continue
	fi
	elif [[ "$src" =~ .*:// ]]; then
	echo -e "${red}ERROR: Don't know how to install '${src}'${reset}"
	continue
	else
	echo -e "${bold}WARNING - attempting UNSAFE installation/upgrade of puppet-module ${module} from ${src}${reset}"
	if [ ! -d "/etc/puppet/modules/$module" ]; then
	puppet module install "$src"
	elif [ "$update" = "yes" ]; then
	puppet module upgrade "$src"
	fi
	fi
	done
	)

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 76 to 106 in 47ff356

	# Second pass to verify the signatures on all modules and stage those that
	# have good signatures.
	grep -h -E -v "^#" "${files[@]}" | sort | (
	while read -r module src update pattern; do
	# We only support git://, file:/// and https:// urls at the moment
	if [ "${src:0:6}" = "git://" ] || [ "${src:0:8}" = "file:///" ] || [ "${src:0:8}" = "https://" ]; then
	# Verify git tag
	cd "$CACHE_DIR/scm/$module" || exit 1
	TAG=$(git tag -l "${pattern:-*}" | sort | tail -1)
	if [ "$COSMOS_VERBOSE" = "y" ]; then
	echo -e "Checking signature on puppet-module:tag ${bold}${module}:${TAG}${reset}"
	fi
	if [ -z "$TAG" ]; then
	echo -e "${red}ERROR: No git tag found for pattern '${pattern:-*}' on puppet-module ${module}${reset}"
	continue
	fi
	if git tag -v "$TAG" &>/dev/null; then
	#if [ "$COSMOS_VERBOSE" = "y" ]; thengg
	# # short output on good signature
	# git tag -v $TAG 2>&1 | grep "gpg: Good signature"
	#fi
	# Put archive in staging since tag verified OK
	stage_module "$module" "$TAG"
	else
	echo -e "${red}FAILED signature check on puppet-module ${module}${reset}"
	git tag -v "$TAG"
	echo ''
	fi
	fi
	done
	)

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 108 to 113 in 47ff356

	# Cleanup removed puppet modules from CACHE_DIR
	for MODULE in "$CACHE_DIR"/staging/*; do
	if ! grep -h -E -q "^$MODULE\s+" "$CONFIG" "$LOCALCONFIG"; then
	rm -rf "$CACHE_DIR"/{scm,staging}/"$MODULE"
	fi
	done

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 115 to 116 in 47ff356

	# Installing verified puppet modules
	rsync --archive --delete "$CACHE_DIR/staging/" "$MODULES_DIR/"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Lines 7 to 8 in 47ff356

	args+=('--verbose')
	args+=('--show_diff')

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Line 10 in 47ff356

args+=('--logdest=syslog')

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Lines 14 to 17 in 47ff356

	find /etc/puppet/manifests -name \*.pp | while read -r m; do
	test "$COSMOS_VERBOSE" = "y" && echo "$0: Applying Puppet manifest $m"
	puppet apply "${args[@]}" "$m"
	done

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Lines 19 to 22 in 47ff356

	PUPPET_REPORTS_DIR='/var/lib/puppet/reports'
	if [ -d "${PUPPET_REPORTS_DIR}" ]; then
	find "${PUPPET_REPORTS_DIR}" -type f -mtime +10 -print0 | xargs -0 rm -f
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/099autoremove

Lines 6 to 7 in 47ff356

	apt-get -qq update
	apt-get -qq -y autoremove

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 5 to 8 in 47ff356

	# May contain ALLOW_REBOOT_AT=
	# Eg. ALLOW_REBOOT_AT=06
	# shellcheck source=/dev/null
	. /etc/cosmos-automatic-reboot

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 10 to 15 in 47ff356

	if [ -n "${ALLOW_REBOOT_AT}" ]; then
	if [ "${ALLOW_REBOOT_AT}" != "$(date +%H)" ]; then
	echo "Scheduled to reboot at ${ALLOW_REBOOT_AT}"
	exit
	fi
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 17 to 30 in 47ff356

	if [[ $HOSTNAME =~ -tug- ]]; then
	# Reboot hosts in site TUG with 15 seconds delay (enough to manually
	# cancel the reboot if logged in and seeing the 'emerg' message broadcasted to console)
	sleep=15
	elif [[ $HOSTNAME =~ -fre- ]]; then
	# reboot hosts in site FRE with 15+180 to 15+180+180 seconds delay
	sleep=$((180 + (RANDOM % 180)))
	elif [[ $HOSTNAME =~ -lla- ]]; then
	# reboot hosts in site LLA with 15+180+180 to 15+180+180+180 seconds delay
	sleep=$((375 + (RANDOM % 180)))
	else
	# reboot hosts in any other site with 15 to 315 seconds delay
	sleep=$((15 + (RANDOM % 300)))
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 32 to 39 in 47ff356

	logger -p local0.emerg -i -t cosmos-automatic-reboot "Rebooting automatically in $sleep seconds (if /var/run/reboot-required still exists)"
	sleep $sleep
	if [ -f /var/run/reboot-required ]; then
	logger -p local0.crit -i -t cosmos-automatic-reboot "Rebooting automatically"
	# Signal to run-cosmos
	touch /var/run/cosmos-reboot-in-progress
	reboot
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/014set-cosmos-permissions

Lines 14 to 15 in 47ff356

	test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
	exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/014set-cosmos-permissions

Line 20 in 47ff356

args="-v"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Lines 13 to 14 in 47ff356

	test -z "$COSMOS_VERBOSE" || echo "$self: overlay is a no-op"
	exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Line 19 in 47ff356

args="-v"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Lines 23 to 24 in 47ff356

	chown ${args} root:root "$MODEL_OVERLAY"/root
	chmod ${args} 0700 "$MODEL_OVERLAY"/root

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Lines 28 to 29 in 47ff356

	chown ${args} -R root:root "$MODEL_OVERLAY"/root/.ssh
	chmod ${args} 0700 "$MODEL_OVERLAY"/root/.ssh

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/020common-tools

Lines 11 to 12 in 47ff356

	apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades
	update-alternatives --set editor /usr/bin/vim.basic

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/020common-tools

Lines 14 to 15 in 47ff356

	mkdir -p "$(dirname "$stamp")"
	touch "$stamp"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Lines 11 to 14 in 47ff356

	apt-get update
	apt-get -y install puppet
	# shellcheck source=/dev/null
	. /etc/os-release

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Lines 16 to 25 in 47ff356

	# Note: in posix shell, string comparison is done with a single =
	if [ "${ID}" = "debian" ] && [ "${VERSION_ID}" -ge 12 ] || ([ "${ID}" = "ubuntu" ] && dpkg --compare-versions "${VERSION_ID}" ge 24.04); then
	apt-get -y install \
	cron \
	puppet-module-camptocamp-augeas \
	puppet-module-puppetlabs-apt \
	puppet-module-puppetlabs-concat \
	puppet-module-puppetlabs-cron-core \
	puppet-module-puppetlabs-stdlib \
	puppet-module-puppetlabs-vcsrepo

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Line 27 in 47ff356

fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Lines 29 to 30 in 47ff356

	mkdir -p "$(dirname "${stamp}")"
	touch "${stamp}"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-eyaml

Lines 21 to 25 in 47ff356

	apt-get update
	# If we don't install emacs before yaml-mode the default emacs package
	# will be emacs-gtk which brings x11 with friends which we don't need.
	apt-get -y install emacs-nox
	apt-get -y install hiera-eyaml yaml-mode

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-eyaml

Lines 29 to 35 in 47ff356

	# hiera-eyaml wants a certificate and public key, not just a public key oddly enough
	echo "$0: Generating eyaml key in ${EYAMLDIR} - this might take a while..."
	mkdir -p /etc/hiera/eyaml
	openssl req -x509 -newkey rsa:4096 -keyout ${EYAMLDIR}/private_key.pkcs7.pem \
	-out ${EYAMLDIR}/public_certkey.pkcs7.pem -days 3653 -nodes -sha256 \
	-subj "/C=SE/O=SUNET/OU=EYAML/CN=$(hostname)"
	rm -f ${EYAMLDIR}/public_key.pkcs7.pem # cleanup

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 23 to 24 in 47ff356

	apt-get update
	apt-get -y install ruby-gpgme

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 29 to 36 in 47ff356

	if [ "$1" != "--force" ]; then
	echo ""
	echo "Automatic Hiera-GPG key generation DISABLED (to not block on missing entropy)"
	echo ""
	echo " Run \`$0 --force' manually"
	echo ""
	exit 0
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 38 to 41 in 47ff356

	if [ ! -f /usr/bin/gpg2 ]; then
	apt-get update
	apt-get -y install gnupg2
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 43 to 44 in 47ff356

	mkdir -p $GNUPGHOME
	chmod 700 $GNUPGHOME

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 46 to 47 in 47ff356

	TMPFILE=$(mktemp /tmp/hiera-gpg.XXXXXX)
	cat >"$TMPFILE" <<EOF

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 59 to 60 in 47ff356

	gpg2 --batch --gen-key "$TMPFILE"
	rm -f "$TMPFILE"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 9 to 10 in 47ff356

	echo "Usage: $0 fqdn"
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 14 to 15 in 47ff356

	echo "$0: No host-directory for '$HOSTNAME' found - execute in top-level cosmos dir"
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 23 to 26 in 47ff356

	echo "Copying files to host..."
	rsync -av --exclude '*~' global/overlay/etc/puppet/cosmos-rules.yaml root@"$HOSTNAME":/etc/puppet/cosmos-rules.yaml
	rsync -av --exclude '*~' global/overlay/etc/puppet/manifests/cosmos-site.pp root@"$HOSTNAME":/etc/puppet/manifests/cosmos-site.pp
	rsync -av --exclude '*~' global/overlay/etc/hiera/data/common.yaml root@"$HOSTNAME":/etc/hiera/data/common.yaml

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 28 to 34 in 47ff356

	# Test if the user has symlinked puppet-sunet correctly
	# by first checking if the link exits and then whether
	# or not the directory contains any files.
	if [ -L global/overlay/etc/puppet/cosmos-modules/sunet ] &&
	[ -n "$(ls -A global/overlay/etc/puppet/cosmos-modules/sunet/*)" ]; then
	rsync -av --delete --exclude '*~' global/overlay/etc/puppet/cosmos-modules/sunet/* root@"$HOSTNAME":/etc/puppet/cosmos-modules/sunet/.
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 36 to 37 in 47ff356

	echo "Running puppet apply..."
	ssh root@"$HOSTNAME" /usr/bin/puppet apply "${PUPPET_ARGS[@]}" /etc/puppet/manifests/cosmos-site.pp

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 39 to 40 in 47ff356

	echo "Cosmos or puppet already running. Exiting."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-debian

Lines 6 to 11 in 47ff356

	echo "Please specify a cloud image host that the script should do the following on:"
	echo " #1 enable root-login"
	echo " #2 remove the default user"
	echo " #3 run apt-get update and dist-upgrade without interaction"
	echo " #4 reboot to start using the new kernel, updated packages etc."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-debian

Lines 15 to 16 in 47ff356

	proxyjump+=("-o")
	proxyjump+=("ProxyJump=${ssh_proxy}")

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-ubuntu

Lines 6 to 11 in 47ff356

	echo "Please specify a cloud image host that the script should do the following on:"
	echo " #1 enable root-login"
	echo " #2 remove the default user"
	echo " #3 run apt-get update and dist-upgrade without interaction"
	echo " #4 reboot to start using the new kernel, updated packages etc."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-ubuntu

Lines 16 to 17 in 47ff356

	proxyjump+=("-o")
	proxyjump+=("ProxyJump=${ssh_proxy}")

[github-actions]

Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit

shfmt

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/libexec/cosmos-cron-wrapper

Lines 9 to 15 in ee20d90

	SCRIPTHERDER_CMD+=('/usr/local/bin/scriptherder')
	SCRIPTHERDER_CMD+=('--mode')
	SCRIPTHERDER_CMD+=('wrap')
	SCRIPTHERDER_CMD+=('--syslog')
	SCRIPTHERDER_CMD+=('--name')
	SCRIPTHERDER_CMD+=('cosmos')
	SCRIPTHERDER_CMD+=('--')

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Lines 23 to 91 in ee20d90

	case "$1" in
	-h)
	echo "Usage: $0 [-h] [-H hostname] [-M <memory>] [-C <#cpus>] [-B <bridge>] [-D (dhcp)] [-i/-I <ip4/6>] [-n/-N <mask4/6>] [-g/-G <gw4/6>] [-R <resolver(s)>] [-s <src image>]"
	exit 0
	;;
	-H)
	hostname="$2"
	shift
	;;
	-s)
	src_image="$2"
	shift
	;;
	-D) dhcp="yes" ;;
	-S)
	size="$2"
	shift
	;;
	-B)
	bridge="$2"
	shift
	;;
	-M)
	mem="$2"
	shift
	;;
	-C)
	cpus="$2"
	shift
	;;
	-R)
	resolver="$2"
	shift
	;;
	-i)
	ip="$2"
	shift
	;;
	-g)
	gateway="$2"
	shift
	;;
	-n)
	netmask="$2"
	shift
	;;
	-I)
	ip6="$2"
	shift
	;;
	-G)
	gateway6="$2"
	shift
	;;
	-N)
	netmask6="$2"
	shift
	;;
	--)
	shift
	break
	;;
	-*)
	printf "Unknown option %s\nUsage: %s [-h] [-H hostname] [-M <memory>] [-C <#cpus>] [-B <bridge>] [-D (dhcp)] [-i/-I <ip4/6>] [-n/-N <mask4/6>] [-g/-G <gw4/6>] [-R <resolver(s)>] [-s <src image>]" "$1" "$0"
	exit 1
	;;
	*) break ;;
	esac
	shift

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Line 128 in ee20d90

cat >>"${meta_data}" <<EOF

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Lines 134 to 135 in ee20d90

	if [ -n "${ip}" ]; then
	cat >>"${meta_data}" <<EOF

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Line 145 in ee20d90

fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Lines 147 to 148 in ee20d90

	if [ -n "${ip6}" ]; then
	cat >>"${meta_data}" <<EOF

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/overlay/usr/local/sbin/cosmos_vm

Line 158 in ee20d90

fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010cosmos-modules

Lines 15 to 17 in ee20d90

	test "$COSMOS_VERBOSE" = "y" &&
	echo "$0: /etc/puppet/cosmos-modules.conf is present in the model, exiting"
	exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010cosmos-modules

Lines 21 to 23 in ee20d90

	test "$COSMOS_VERBOSE" = "y" &&
	echo "$0: Updating /etc/puppet/cosmos-modules.conf with /etc/puppet/setup_cosmos_modules"
	/etc/puppet/setup_cosmos_modules

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010cosmos-modules

Line 25 in ee20d90

test -f /etc/puppet/cosmos-modules.conf && exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010cosmos-modules

Line 29 in ee20d90

echo "$0: Creating/updating /etc/puppet/cosmos-modules.conf with defaults from this script"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010fix-ssh-perms

Lines 7 to 8 in ee20d90

	test "$(stat -t /root/.ssh | cut -d\ -f5)" != 0; then
	chown root.root /root/.ssh

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010fix-ssh-perms

Lines 12 to 13 in ee20d90

	test "$(stat -c %a /root/.ssh)" != 700; then
	chmod 700 /root/.ssh

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/010fix-ssh-perms

Lines 17 to 22 in ee20d90

	if test "$(stat -t /root/.ssh/authorized_keys | cut -d\ -f5)" != 0; then
	chown root.root /root/.ssh/authorized_keys
	fi
	if test "$(stat --printf=%a /root/.ssh/authorized_keys)" != 440; then
	chmod 440 /root/.ssh/authorized_keys
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/014set-cosmos-permissions

Lines 14 to 15 in ee20d90

	test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
	exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/014set-cosmos-permissions

Line 20 in ee20d90

args="-v"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 5 to 7 in ee20d90

	# gpg on Ubuntu 16 and less is gnupg < 2, which doesn't have --import-options show-only
	# but on the other hand defaults to this mode (https://dev.gnupg.org/T2943)
	gnupg_show_options=("--dry-run")

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Line 11 in ee20d90

COSMOS_KEYS=/etc/cosmos/keys

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 26 to 32 in ee20d90

	if [[ ! -s $k ]]; then
	# Silently ignore empty files
	continue
	fi
	pubkeys_in_file=$(cosmos gpg "${gnupg_show_options[@]}" \
	--with-colons --with-fingerprint --quiet <"$k" |
	grep "^pub:")

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 34 to 39 in ee20d90

	# We only support files with one key in them
	num_pub_keys=$(echo "$pubkeys_in_file" | wc -l)
	if [ "$num_pub_keys" -ne 1 ]; then
	echo -e "$0: ${red}Ignoring file that does not have exactly one pubkey (found $num_pub_keys): ${k}${reset}"
	continue
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 41 to 45 in ee20d90

	expired_pubkey_in_file=$(echo "${pubkeys_in_file}" | awk -F: '$2 == "e" { print $0 }')
	if [[ $expired_pubkey_in_file ]]; then
	echo -e "$0: ${red}Ignoring file with expired pubkey: ${k}${reset}"
	continue
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Line 47 in ee20d90

fp=$(echo "${pubkeys_in_file}" | awk -F: '{print $5}')

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 49 to 50 in ee20d90

	# Remember that we saw fingerprint $fp in file $k
	SEEN[$fp]=$k

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 52 to 55 in ee20d90

	# Always import a non-expired file since it may have been updated
	gpg_output=$(cosmos gpg --no-tty --import <"$k" 2>&1)
	# Only print output if a key is changed
	echo "$gpg_output" | grep -q " not changed$" || echo "$gpg_output"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Line 60 in ee20d90

KEYRING[$fp]='1'

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 64 to 66 in ee20d90

	echo -e "$0: ${red}NO trusted keys found in directory ${COSMOS_KEYS} - aborting${reset}"
	echo "(this is probably a syntax problem with the gpg commands in this script)"
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/015cosmos-trust

Lines 71 to 75 in ee20d90

	if [[ ! ${SEEN[$fp]} ]]; then
	echo -e "$0: ${bold}Deleting key${reset} ${fp} not present (or expired) in ${COSMOS_KEYS}"
	cosmos gpg --fingerprint "$fp"
	cosmos gpg --yes --batch --delete-key "$fp" || true
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 17 to 18 in ee20d90

	rm -rf "$CACHE_DIR/staging/$1"
	git archive --format=tar --prefix="$1"/ "$2" | (cd "$CACHE_DIR/staging/" && tar xf -)

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 22 to 27 in ee20d90

	if [ ! -d "$MODULES_DIR" ]; then
	mkdir -p "$MODULES_DIR"
	fi
	if [ ! -d "$CACHE_DIR" ]; then
	mkdir -p "$CACHE_DIR"/{scm,staging}
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 29 to 32 in ee20d90

	files=()
	if [ -f "$CONFIG" ]; then
	files+=("$CONFIG")
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 34 to 36 in ee20d90

	if [ -f "$LOCALCONFIG" ]; then
	files+=("$LOCALCONFIG")
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 38 to 74 in ee20d90

	# First pass to clone any new modules, and update those marked for updating.
	grep -h -E -v "^#" "${files[@]}" | sort | (
	while read -r module src update pattern; do
	# We only support git://, file:/// and https:// urls at the moment
	if [ "${src:0:6}" = "git://" ] || [ "${src:0:8}" = "file:///" ] || [ "${src:0:8}" = "https://" ]; then
	if [ ! -d "$CACHE_DIR/scm/$module" ]; then
	git clone -q "$src" "$CACHE_DIR/scm/$module"
	elif [ -d "$CACHE_DIR/scm/$module/.git" ]; then
	if [ "$update" = "yes" ]; then
	cd "$CACHE_DIR/scm/$module" || exit 1
	if [ "$src" != "$(git config remote.origin.url)" ]; then
	git config remote.origin.url "$src"
	fi
	# Support master branch being renamed to main
	git branch --all | grep -q '^[[:space:]]*remotes/origin/main$' && git checkout main
	# Update repo and clean out any local inconsistencies
	git pull -q || (git fetch && git reset --hard)
	else
	continue
	fi
	else
	echo -e "${red}ERROR: Ignoring non-git repository${reset}"
	continue
	fi
	elif [[ "$src" =~ .*:// ]]; then
	echo -e "${red}ERROR: Don't know how to install '${src}'${reset}"
	continue
	else
	echo -e "${bold}WARNING - attempting UNSAFE installation/upgrade of puppet-module ${module} from ${src}${reset}"
	if [ ! -d "/etc/puppet/modules/$module" ]; then
	puppet module install "$src"
	elif [ "$update" = "yes" ]; then
	puppet module upgrade "$src"
	fi
	fi
	done
	)

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 76 to 106 in ee20d90

	# Second pass to verify the signatures on all modules and stage those that
	# have good signatures.
	grep -h -E -v "^#" "${files[@]}" | sort | (
	while read -r module src update pattern; do
	# We only support git://, file:/// and https:// urls at the moment
	if [ "${src:0:6}" = "git://" ] || [ "${src:0:8}" = "file:///" ] || [ "${src:0:8}" = "https://" ]; then
	# Verify git tag
	cd "$CACHE_DIR/scm/$module" || exit 1
	TAG=$(git tag -l "${pattern:-*}" | sort | tail -1)
	if [ "$COSMOS_VERBOSE" = "y" ]; then
	echo -e "Checking signature on puppet-module:tag ${bold}${module}:${TAG}${reset}"
	fi
	if [ -z "$TAG" ]; then
	echo -e "${red}ERROR: No git tag found for pattern '${pattern:-*}' on puppet-module ${module}${reset}"
	continue
	fi
	if git tag -v "$TAG" &>/dev/null; then
	#if [ "$COSMOS_VERBOSE" = "y" ]; thengg
	# # short output on good signature
	# git tag -v $TAG 2>&1 | grep "gpg: Good signature"
	#fi
	# Put archive in staging since tag verified OK
	stage_module "$module" "$TAG"
	else
	echo -e "${red}FAILED signature check on puppet-module ${module}${reset}"
	git tag -v "$TAG"
	echo ''
	fi
	fi
	done
	)

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 108 to 113 in ee20d90

	# Cleanup removed puppet modules from CACHE_DIR
	for MODULE in "$CACHE_DIR"/staging/*; do
	if ! grep -h -E -q "^$MODULE\s+" "$CONFIG" "$LOCALCONFIG"; then
	rm -rf "$CACHE_DIR"/{scm,staging}/"$MODULE"
	fi
	done

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 115 to 116 in ee20d90

	# Installing verified puppet modules
	rsync --archive --delete "$CACHE_DIR/staging/" "$MODULES_DIR/"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Lines 7 to 8 in ee20d90

	args+=('--verbose')
	args+=('--show_diff')

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Line 10 in ee20d90

args+=('--logdest=syslog')

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Lines 14 to 17 in ee20d90

	find /etc/puppet/manifests -name \*.pp | while read -r m; do
	test "$COSMOS_VERBOSE" = "y" && echo "$0: Applying Puppet manifest $m"
	puppet apply "${args[@]}" "$m"
	done

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Lines 19 to 22 in ee20d90

	PUPPET_REPORTS_DIR='/var/lib/puppet/reports'
	if [ -d "${PUPPET_REPORTS_DIR}" ]; then
	find "${PUPPET_REPORTS_DIR}" -type f -mtime +10 -print0 | xargs -0 rm -f
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/099autoremove

Lines 6 to 7 in ee20d90

	apt-get -qq update
	apt-get -qq -y autoremove

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 5 to 8 in ee20d90

	# May contain ALLOW_REBOOT_AT=
	# Eg. ALLOW_REBOOT_AT=06
	# shellcheck source=/dev/null
	. /etc/cosmos-automatic-reboot

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 10 to 15 in ee20d90

	if [ -n "${ALLOW_REBOOT_AT}" ]; then
	if [ "${ALLOW_REBOOT_AT}" != "$(date +%H)" ]; then
	echo "Scheduled to reboot at ${ALLOW_REBOOT_AT}"
	exit
	fi
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 17 to 30 in ee20d90

	if [[ $HOSTNAME =~ -tug- ]]; then
	# Reboot hosts in site TUG with 15 seconds delay (enough to manually
	# cancel the reboot if logged in and seeing the 'emerg' message broadcasted to console)
	sleep=15
	elif [[ $HOSTNAME =~ -fre- ]]; then
	# reboot hosts in site FRE with 15+180 to 15+180+180 seconds delay
	sleep=$((180 + (RANDOM % 180)))
	elif [[ $HOSTNAME =~ -lla- ]]; then
	# reboot hosts in site LLA with 15+180+180 to 15+180+180+180 seconds delay
	sleep=$((375 + (RANDOM % 180)))
	else
	# reboot hosts in any other site with 15 to 315 seconds delay
	sleep=$((15 + (RANDOM % 300)))
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 32 to 39 in ee20d90

	logger -p local0.emerg -i -t cosmos-automatic-reboot "Rebooting automatically in $sleep seconds (if /var/run/reboot-required still exists)"
	sleep $sleep
	if [ -f /var/run/reboot-required ]; then
	logger -p local0.crit -i -t cosmos-automatic-reboot "Rebooting automatically"
	# Signal to run-cosmos
	touch /var/run/cosmos-reboot-in-progress
	reboot
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/014set-cosmos-permissions

Lines 14 to 15 in ee20d90

	test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
	exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/014set-cosmos-permissions

Line 20 in ee20d90

args="-v"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Lines 13 to 14 in ee20d90

	test -z "$COSMOS_VERBOSE" || echo "$self: overlay is a no-op"
	exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Line 19 in ee20d90

args="-v"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Lines 23 to 24 in ee20d90

	chown ${args} root:root "$MODEL_OVERLAY"/root
	chmod ${args} 0700 "$MODEL_OVERLAY"/root

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Lines 28 to 29 in ee20d90

	chown ${args} -R root:root "$MODEL_OVERLAY"/root/.ssh
	chmod ${args} 0700 "$MODEL_OVERLAY"/root/.ssh

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/020common-tools

Lines 11 to 12 in ee20d90

	apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades
	update-alternatives --set editor /usr/bin/vim.basic

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/020common-tools

Lines 14 to 15 in ee20d90

	mkdir -p "$(dirname "$stamp")"
	touch "$stamp"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Lines 11 to 14 in ee20d90

	apt-get update
	apt-get -y install puppet
	# shellcheck source=/dev/null
	. /etc/os-release

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Lines 16 to 25 in ee20d90

	# Note: in posix shell, string comparison is done with a single =
	if [ "${ID}" = "debian" ] && [ "${VERSION_ID}" -ge 12 ] || ([ "${ID}" = "ubuntu" ] && dpkg --compare-versions "${VERSION_ID}" ge 24.04); then
	apt-get -y install \
	cron \
	puppet-module-camptocamp-augeas \
	puppet-module-puppetlabs-apt \
	puppet-module-puppetlabs-concat \
	puppet-module-puppetlabs-cron-core \
	puppet-module-puppetlabs-stdlib \
	puppet-module-puppetlabs-vcsrepo

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Line 27 in ee20d90

fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Lines 29 to 30 in ee20d90

	mkdir -p "$(dirname "${stamp}")"
	touch "${stamp}"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-eyaml

Lines 21 to 25 in ee20d90

	apt-get update
	# If we don't install emacs before yaml-mode the default emacs package
	# will be emacs-gtk which brings x11 with friends which we don't need.
	apt-get -y install emacs-nox
	apt-get -y install hiera-eyaml yaml-mode

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-eyaml

Lines 29 to 35 in ee20d90

	# hiera-eyaml wants a certificate and public key, not just a public key oddly enough
	echo "$0: Generating eyaml key in ${EYAMLDIR} - this might take a while..."
	mkdir -p /etc/hiera/eyaml
	openssl req -x509 -newkey rsa:4096 -keyout ${EYAMLDIR}/private_key.pkcs7.pem \
	-out ${EYAMLDIR}/public_certkey.pkcs7.pem -days 3653 -nodes -sha256 \
	-subj "/C=SE/O=SUNET/OU=EYAML/CN=$(hostname)"
	rm -f ${EYAMLDIR}/public_key.pkcs7.pem # cleanup

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 23 to 24 in ee20d90

	apt-get update
	apt-get -y install ruby-gpgme

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 29 to 36 in ee20d90

	if [ "$1" != "--force" ]; then
	echo ""
	echo "Automatic Hiera-GPG key generation DISABLED (to not block on missing entropy)"
	echo ""
	echo " Run \`$0 --force' manually"
	echo ""
	exit 0
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 38 to 41 in ee20d90

	if [ ! -f /usr/bin/gpg2 ]; then
	apt-get update
	apt-get -y install gnupg2
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 43 to 44 in ee20d90

	mkdir -p $GNUPGHOME
	chmod 700 $GNUPGHOME

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 46 to 47 in ee20d90

	TMPFILE=$(mktemp /tmp/hiera-gpg.XXXXXX)
	cat >"$TMPFILE" <<EOF

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 59 to 60 in ee20d90

	gpg2 --batch --gen-key "$TMPFILE"
	rm -f "$TMPFILE"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 9 to 10 in ee20d90

	echo "Usage: $0 fqdn"
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 14 to 15 in ee20d90

	echo "$0: No host-directory for '$HOSTNAME' found - execute in top-level cosmos dir"
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 23 to 26 in ee20d90

	echo "Copying files to host..."
	rsync -av --exclude '*~' global/overlay/etc/puppet/cosmos-rules.yaml root@"$HOSTNAME":/etc/puppet/cosmos-rules.yaml
	rsync -av --exclude '*~' global/overlay/etc/puppet/manifests/cosmos-site.pp root@"$HOSTNAME":/etc/puppet/manifests/cosmos-site.pp
	rsync -av --exclude '*~' global/overlay/etc/hiera/data/common.yaml root@"$HOSTNAME":/etc/hiera/data/common.yaml

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 28 to 34 in ee20d90

	# Test if the user has symlinked puppet-sunet correctly
	# by first checking if the link exits and then whether
	# or not the directory contains any files.
	if [ -L global/overlay/etc/puppet/cosmos-modules/sunet ] &&
	[ -n "$(ls -A global/overlay/etc/puppet/cosmos-modules/sunet/*)" ]; then
	rsync -av --delete --exclude '*~' global/overlay/etc/puppet/cosmos-modules/sunet/* root@"$HOSTNAME":/etc/puppet/cosmos-modules/sunet/.
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 36 to 37 in ee20d90

	echo "Running puppet apply..."
	ssh root@"$HOSTNAME" /usr/bin/puppet apply "${PUPPET_ARGS[@]}" /etc/puppet/manifests/cosmos-site.pp

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 39 to 40 in ee20d90

	echo "Cosmos or puppet already running. Exiting."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-debian

Lines 6 to 11 in ee20d90

	echo "Please specify a cloud image host that the script should do the following on:"
	echo " #1 enable root-login"
	echo " #2 remove the default user"
	echo " #3 run apt-get update and dist-upgrade without interaction"
	echo " #4 reboot to start using the new kernel, updated packages etc."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-debian

Lines 15 to 16 in ee20d90

	proxyjump+=("-o")
	proxyjump+=("ProxyJump=${ssh_proxy}")

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-ubuntu

Lines 6 to 11 in ee20d90

	echo "Please specify a cloud image host that the script should do the following on:"
	echo " #1 enable root-login"
	echo " #2 remove the default user"
	echo " #3 run apt-get update and dist-upgrade without interaction"
	echo " #4 reboot to start using the new kernel, updated packages etc."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-ubuntu

Lines 16 to 17 in ee20d90

	proxyjump+=("-o")
	proxyjump+=("ProxyJump=${ssh_proxy}")

[github-actions]

Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit

shfmt

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 29 to 32 in 20e36b6

	files=()
	if [ -f "$CONFIG" ]; then
	files+=("$CONFIG")
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 34 to 36 in 20e36b6

	if [ -f "$LOCALCONFIG" ]; then
	files+=("$LOCALCONFIG")
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 38 to 74 in 20e36b6

	# First pass to clone any new modules, and update those marked for updating.
	grep -h -E -v "^#" "${files[@]}" | sort | (
	while read -r module src update pattern; do
	# We only support git://, file:/// and https:// urls at the moment
	if [ "${src:0:6}" = "git://" ] || [ "${src:0:8}" = "file:///" ] || [ "${src:0:8}" = "https://" ]; then
	if [ ! -d "$CACHE_DIR/scm/$module" ]; then
	git clone -q "$src" "$CACHE_DIR/scm/$module"
	elif [ -d "$CACHE_DIR/scm/$module/.git" ]; then
	if [ "$update" = "yes" ]; then
	cd "$CACHE_DIR/scm/$module" || exit 1
	if [ "$src" != "$(git config remote.origin.url)" ]; then
	git config remote.origin.url "$src"
	fi
	# Support master branch being renamed to main
	git branch --all | grep -q '^[[:space:]]*remotes/origin/main$' && git checkout main
	# Update repo and clean out any local inconsistencies
	git pull -q || (git fetch && git reset --hard)
	else
	continue
	fi
	else
	echo -e "${red}ERROR: Ignoring non-git repository${reset}"
	continue
	fi
	elif [[ "$src" =~ .*:// ]]; then
	echo -e "${red}ERROR: Don't know how to install '${src}'${reset}"
	continue
	else
	echo -e "${bold}WARNING - attempting UNSAFE installation/upgrade of puppet-module ${module} from ${src}${reset}"
	if [ ! -d "/etc/puppet/modules/$module" ]; then
	puppet module install "$src"
	elif [ "$update" = "yes" ]; then
	puppet module upgrade "$src"
	fi
	fi
	done
	)

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 76 to 106 in 20e36b6

	# Second pass to verify the signatures on all modules and stage those that
	# have good signatures.
	grep -h -E -v "^#" "${files[@]}" | sort | (
	while read -r module src update pattern; do
	# We only support git://, file:/// and https:// urls at the moment
	if [ "${src:0:6}" = "git://" ] || [ "${src:0:8}" = "file:///" ] || [ "${src:0:8}" = "https://" ]; then
	# Verify git tag
	cd "$CACHE_DIR/scm/$module" || exit 1
	TAG=$(git tag -l "${pattern:-*}" | sort | tail -1)
	if [ "$COSMOS_VERBOSE" = "y" ]; then
	echo -e "Checking signature on puppet-module:tag ${bold}${module}:${TAG}${reset}"
	fi
	if [ -z "$TAG" ]; then
	echo -e "${red}ERROR: No git tag found for pattern '${pattern:-*}' on puppet-module ${module}${reset}"
	continue
	fi
	if git tag -v "$TAG" &>/dev/null; then
	#if [ "$COSMOS_VERBOSE" = "y" ]; thengg
	# # short output on good signature
	# git tag -v $TAG 2>&1 | grep "gpg: Good signature"
	#fi
	# Put archive in staging since tag verified OK
	stage_module "$module" "$TAG"
	else
	echo -e "${red}FAILED signature check on puppet-module ${module}${reset}"
	git tag -v "$TAG"
	echo ''
	fi
	fi
	done
	)

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 108 to 113 in 20e36b6

	# Cleanup removed puppet modules from CACHE_DIR
	for MODULE in "$CACHE_DIR"/staging/*; do
	if ! grep -h -E -q "^$MODULE\s+" "$CONFIG" "$LOCALCONFIG"; then
	rm -rf "$CACHE_DIR"/{scm,staging}/"$MODULE"
	fi
	done

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/018packages

Lines 115 to 116 in 20e36b6

	# Installing verified puppet modules
	rsync --archive --delete "$CACHE_DIR/staging/" "$MODULES_DIR/"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Lines 7 to 8 in 20e36b6

	args+=('--verbose')
	args+=('--show_diff')

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Line 10 in 20e36b6

args+=('--logdest=syslog')

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Lines 14 to 17 in 20e36b6

	find /etc/puppet/manifests -name \*.pp | while read -r m; do
	test "$COSMOS_VERBOSE" = "y" && echo "$0: Applying Puppet manifest $m"
	puppet apply "${args[@]}" "$m"
	done

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/030puppet

Lines 19 to 22 in 20e36b6

	PUPPET_REPORTS_DIR='/var/lib/puppet/reports'
	if [ -d "${PUPPET_REPORTS_DIR}" ]; then
	find "${PUPPET_REPORTS_DIR}" -type f -mtime +10 -print0 | xargs -0 rm -f
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/099autoremove

Lines 6 to 7 in 20e36b6

	apt-get -qq update
	apt-get -qq -y autoremove

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 5 to 8 in 20e36b6

	# May contain ALLOW_REBOOT_AT=
	# Eg. ALLOW_REBOOT_AT=06
	# shellcheck source=/dev/null
	. /etc/cosmos-automatic-reboot

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 10 to 15 in 20e36b6

	if [ -n "${ALLOW_REBOOT_AT}" ]; then
	if [ "${ALLOW_REBOOT_AT}" != "$(date +%H)" ]; then
	echo "Scheduled to reboot at ${ALLOW_REBOOT_AT}"
	exit
	fi
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 17 to 30 in 20e36b6

	if [[ $HOSTNAME =~ -tug- ]]; then
	# Reboot hosts in site TUG with 15 seconds delay (enough to manually
	# cancel the reboot if logged in and seeing the 'emerg' message broadcasted to console)
	sleep=15
	elif [[ $HOSTNAME =~ -fre- ]]; then
	# reboot hosts in site FRE with 15+180 to 15+180+180 seconds delay
	sleep=$((180 + (RANDOM % 180)))
	elif [[ $HOSTNAME =~ -lla- ]]; then
	# reboot hosts in site LLA with 15+180+180 to 15+180+180+180 seconds delay
	sleep=$((375 + (RANDOM % 180)))
	else
	# reboot hosts in any other site with 15 to 315 seconds delay
	sleep=$((15 + (RANDOM % 300)))
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/post-tasks.d/999reboot

Lines 32 to 39 in 20e36b6

	logger -p local0.emerg -i -t cosmos-automatic-reboot "Rebooting automatically in $sleep seconds (if /var/run/reboot-required still exists)"
	sleep $sleep
	if [ -f /var/run/reboot-required ]; then
	logger -p local0.crit -i -t cosmos-automatic-reboot "Rebooting automatically"
	# Signal to run-cosmos
	touch /var/run/cosmos-reboot-in-progress
	reboot
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/014set-cosmos-permissions

Lines 14 to 15 in 20e36b6

	test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
	exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/014set-cosmos-permissions

Line 20 in 20e36b6

args="-v"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Lines 13 to 14 in 20e36b6

	test -z "$COSMOS_VERBOSE" || echo "$self: overlay is a no-op"
	exit 0

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Line 19 in 20e36b6

args="-v"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Lines 23 to 24 in 20e36b6

	chown ${args} root:root "$MODEL_OVERLAY"/root
	chmod ${args} 0700 "$MODEL_OVERLAY"/root

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/015set-overlay-permissions

Lines 28 to 29 in 20e36b6

	chown ${args} -R root:root "$MODEL_OVERLAY"/root/.ssh
	chmod ${args} 0700 "$MODEL_OVERLAY"/root/.ssh

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/020common-tools

Lines 11 to 12 in 20e36b6

	apt-get -y install vim traceroute tcpdump molly-guard less rsync git-core unattended-upgrades
	update-alternatives --set editor /usr/bin/vim.basic

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/020common-tools

Lines 14 to 15 in 20e36b6

	mkdir -p "$(dirname "$stamp")"
	touch "$stamp"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Lines 11 to 14 in 20e36b6

	apt-get update
	apt-get -y install puppet
	# shellcheck source=/dev/null
	. /etc/os-release

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Lines 16 to 25 in 20e36b6

	# Note: in posix shell, string comparison is done with a single =
	if [ "${ID}" = "debian" ] && [ "${VERSION_ID}" -ge 12 ] || ([ "${ID}" = "ubuntu" ] && dpkg --compare-versions "${VERSION_ID}" ge 24.04); then
	apt-get -y install \
	cron \
	puppet-module-camptocamp-augeas \
	puppet-module-puppetlabs-apt \
	puppet-module-puppetlabs-concat \
	puppet-module-puppetlabs-cron-core \
	puppet-module-puppetlabs-stdlib \
	puppet-module-puppetlabs-vcsrepo

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Line 27 in 20e36b6

fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/030puppet

Lines 29 to 30 in 20e36b6

	mkdir -p "$(dirname "${stamp}")"
	touch "${stamp}"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-eyaml

Lines 21 to 25 in 20e36b6

	apt-get update
	# If we don't install emacs before yaml-mode the default emacs package
	# will be emacs-gtk which brings x11 with friends which we don't need.
	apt-get -y install emacs-nox
	apt-get -y install hiera-eyaml yaml-mode

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-eyaml

Lines 29 to 35 in 20e36b6

	# hiera-eyaml wants a certificate and public key, not just a public key oddly enough
	echo "$0: Generating eyaml key in ${EYAMLDIR} - this might take a while..."
	mkdir -p /etc/hiera/eyaml
	openssl req -x509 -newkey rsa:4096 -keyout ${EYAMLDIR}/private_key.pkcs7.pem \
	-out ${EYAMLDIR}/public_certkey.pkcs7.pem -days 3653 -nodes -sha256 \
	-subj "/C=SE/O=SUNET/OU=EYAML/CN=$(hostname)"
	rm -f ${EYAMLDIR}/public_key.pkcs7.pem # cleanup

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 23 to 24 in 20e36b6

	apt-get update
	apt-get -y install ruby-gpgme

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 29 to 36 in 20e36b6

	if [ "$1" != "--force" ]; then
	echo ""
	echo "Automatic Hiera-GPG key generation DISABLED (to not block on missing entropy)"
	echo ""
	echo " Run \`$0 --force' manually"
	echo ""
	exit 0
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 38 to 41 in 20e36b6

	if [ ! -f /usr/bin/gpg2 ]; then
	apt-get update
	apt-get -y install gnupg2
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 43 to 44 in 20e36b6

	mkdir -p $GNUPGHOME
	chmod 700 $GNUPGHOME

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 46 to 47 in 20e36b6

	TMPFILE=$(mktemp /tmp/hiera-gpg.XXXXXX)
	cat >"$TMPFILE" <<EOF

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 59 to 60 in 20e36b6

	gpg2 --batch --gen-key "$TMPFILE"
	rm -f "$TMPFILE"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 9 to 10 in 20e36b6

	echo "Usage: $0 fqdn"
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 14 to 15 in 20e36b6

	echo "$0: No host-directory for '$HOSTNAME' found - execute in top-level cosmos dir"
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 23 to 26 in 20e36b6

	echo "Copying files to host..."
	rsync -av --exclude '*~' global/overlay/etc/puppet/cosmos-rules.yaml root@"$HOSTNAME":/etc/puppet/cosmos-rules.yaml
	rsync -av --exclude '*~' global/overlay/etc/puppet/manifests/cosmos-site.pp root@"$HOSTNAME":/etc/puppet/manifests/cosmos-site.pp
	rsync -av --exclude '*~' global/overlay/etc/hiera/data/common.yaml root@"$HOSTNAME":/etc/hiera/data/common.yaml

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 28 to 34 in 20e36b6

	# Test if the user has symlinked puppet-sunet correctly
	# by first checking if the link exits and then whether
	# or not the directory contains any files.
	if [ -L global/overlay/etc/puppet/cosmos-modules/sunet ] &&
	[ -n "$(ls -A global/overlay/etc/puppet/cosmos-modules/sunet/*)" ]; then
	rsync -av --delete --exclude '*~' global/overlay/etc/puppet/cosmos-modules/sunet/* root@"$HOSTNAME":/etc/puppet/cosmos-modules/sunet/.
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 36 to 37 in 20e36b6

	echo "Running puppet apply..."
	ssh root@"$HOSTNAME" /usr/bin/puppet apply "${PUPPET_ARGS[@]}" /etc/puppet/manifests/cosmos-site.pp

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 39 to 40 in 20e36b6

	echo "Cosmos or puppet already running. Exiting."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-debian

Lines 6 to 11 in 20e36b6

	echo "Please specify a cloud image host that the script should do the following on:"
	echo " #1 enable root-login"
	echo " #2 remove the default user"
	echo " #3 run apt-get update and dist-upgrade without interaction"
	echo " #4 reboot to start using the new kernel, updated packages etc."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-debian

Lines 15 to 16 in 20e36b6

	proxyjump+=("-o")
	proxyjump+=("ProxyJump=${ssh_proxy}")

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-ubuntu

Lines 6 to 11 in 20e36b6

	echo "Please specify a cloud image host that the script should do the following on:"
	echo " #1 enable root-login"
	echo " #2 remove the default user"
	echo " #3 run apt-get update and dist-upgrade without interaction"
	echo " #4 reboot to start using the new kernel, updated packages etc."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-ubuntu

Lines 16 to 17 in 20e36b6

	proxyjump+=("-o")
	proxyjump+=("ProxyJump=${ssh_proxy}")

[github-actions]

Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit

shfmt

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 29 to 36 in d75a049

	if [ "$1" != "--force" ]; then
	echo ""
	echo "Automatic Hiera-GPG key generation DISABLED (to not block on missing entropy)"
	echo ""
	echo " Run \`$0 --force' manually"
	echo ""
	exit 0
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 38 to 41 in d75a049

	if [ ! -f /usr/bin/gpg2 ]; then
	apt-get update
	apt-get -y install gnupg2
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 43 to 44 in d75a049

	mkdir -p $GNUPGHOME
	chmod 700 $GNUPGHOME

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 46 to 47 in d75a049

	TMPFILE=$(mktemp /tmp/hiera-gpg.XXXXXX)
	cat >"$TMPFILE" <<EOF

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/global/pre-tasks.d/040hiera-gpg

Lines 59 to 60 in d75a049

	gpg2 --batch --gen-key "$TMPFILE"
	rm -f "$TMPFILE"

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 9 to 10 in d75a049

	echo "Usage: $0 fqdn"
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 14 to 15 in d75a049

	echo "$0: No host-directory for '$HOSTNAME' found - execute in top-level cosmos dir"
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 23 to 26 in d75a049

	echo "Copying files to host..."
	rsync -av --exclude '*~' global/overlay/etc/puppet/cosmos-rules.yaml root@"$HOSTNAME":/etc/puppet/cosmos-rules.yaml
	rsync -av --exclude '*~' global/overlay/etc/puppet/manifests/cosmos-site.pp root@"$HOSTNAME":/etc/puppet/manifests/cosmos-site.pp
	rsync -av --exclude '*~' global/overlay/etc/hiera/data/common.yaml root@"$HOSTNAME":/etc/hiera/data/common.yaml

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 28 to 34 in d75a049

	# Test if the user has symlinked puppet-sunet correctly
	# by first checking if the link exits and then whether
	# or not the directory contains any files.
	if [ -L global/overlay/etc/puppet/cosmos-modules/sunet ] &&
	[ -n "$(ls -A global/overlay/etc/puppet/cosmos-modules/sunet/*)" ]; then
	rsync -av --delete --exclude '*~' global/overlay/etc/puppet/cosmos-modules/sunet/* root@"$HOSTNAME":/etc/puppet/cosmos-modules/sunet/.
	fi

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 36 to 37 in d75a049

	echo "Running puppet apply..."
	ssh root@"$HOSTNAME" /usr/bin/puppet apply "${PUPPET_ARGS[@]}" /etc/puppet/manifests/cosmos-site.pp

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/host-puppet-conf-test

Lines 39 to 40 in d75a049

	echo "Cosmos or puppet already running. Exiting."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-debian

Lines 6 to 11 in d75a049

	echo "Please specify a cloud image host that the script should do the following on:"
	echo " #1 enable root-login"
	echo " #2 remove the default user"
	echo " #3 run apt-get update and dist-upgrade without interaction"
	echo " #4 reboot to start using the new kernel, updated packages etc."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-debian

Lines 15 to 16 in d75a049

	proxyjump+=("-o")
	proxyjump+=("ProxyJump=${ssh_proxy}")

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-ubuntu

Lines 6 to 11 in d75a049

	echo "Please specify a cloud image host that the script should do the following on:"
	echo " #1 enable root-login"
	echo " #2 remove the default user"
	echo " #3 run apt-get update and dist-upgrade without interaction"
	echo " #4 reboot to start using the new kernel, updated packages etc."
	exit 1

---

[shfmt] _{reported by reviewdog 🐶}

multiverse/prepare-iaas-ubuntu

Lines 16 to 17 in d75a049

	proxyjump+=("-o")
	proxyjump+=("ProxyJump=${ssh_proxy}")

[sonarqubecloud]

Quality Gate passed

Issues
8 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[theseal]

Closing to get rid of some errors.

[theseal]

Continues in #70.