diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d92b1bc..3b7da7c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -131,12 +131,10 @@ rubocop:
 # Make sure the instances listed below match up with
 # the `platforms` defined in `kitchen.yml`
 # yamllint disable rule:line-length
-# repositories-debian-11-tiamat-py3: {extends: '.test_instance'}
-# repositories-debian-10-tiamat-py3: {extends: '.test_instance'}
-# repositories-debian-9-tiamat-py3: {extends: '.test_instance'}
-# repositories-ubuntu-2204-tiamat-py3: {extends: '.test_instance_failure_permitted'}
-# repositories-ubuntu-2004-tiamat-py3: {extends: '.test_instance'}
-# repositories-ubuntu-1804-tiamat-py3: {extends: '.test_instance'}
+# repositories-debian-12-master-py3: {extends: '.test_instance_failure_permitted'}
+# preferences-debian-12-master-py3: {extends: '.test_instance_failure_permitted'}
+# unattended-debian-12-master-py3: {extends: '.test_instance_failure_permitted'}
+# debian-12-master-py3: {extends: '.test_instance_failure_permitted'}
 # repositories-debian-11-master-py3: {extends: '.test_instance'}
 # preferences-debian-11-master-py3: {extends: '.test_instance'}
 # unattended-debian-11-master-py3: {extends: '.test_instance'}
@@ -145,14 +143,14 @@ debian-11-master-py3: {extends: '.test_instance'}
 # preferences-debian-10-master-py3: {extends: '.test_instance'}
 # unattended-debian-10-master-py3: {extends: '.test_instance'}
 debian-10-master-py3: {extends: '.test_instance'}
-# repositories-debian-9-master-py3: {extends: '.test_instance'}
-# preferences-debian-9-master-py3: {extends: '.test_instance'}
-# unattended-debian-9-master-py3: {extends: '.test_instance'}
-debian-9-master-py3: {extends: '.test_instance'}
-# repositories-ubuntu-2204-master-py3: {extends: '.test_instance_failure_permitted'}
-# preferences-ubuntu-2204-master-py3: {extends: '.test_instance_failure_permitted'}
-# unattended-ubuntu-2204-master-py3: {extends: '.test_instance_failure_permitted'}
-ubuntu-2204-master-py3: {extends: '.test_instance_failure_permitted'}
+# repositories-ubuntu-2404-master-py3: {extends: '.test_instance_failure_permitted'}
+# preferences-ubuntu-2404-master-py3: {extends: '.test_instance_failure_permitted'}
+# unattended-ubuntu-2404-master-py3: {extends: '.test_instance_failure_permitted'}
+# ubuntu-2404-master-py3: {extends: '.test_instance_failure_permitted'}
+# repositories-ubuntu-2204-master-py3: {extends: '.test_instance'}
+# preferences-ubuntu-2204-master-py3: {extends: '.test_instance'}
+# unattended-ubuntu-2204-master-py3: {extends: '.test_instance'}
+ubuntu-2204-master-py3: {extends: '.test_instance'}
 # repositories-ubuntu-2004-master-py3: {extends: '.test_instance'}
 # preferences-ubuntu-2004-master-py3: {extends: '.test_instance'}
 # unattended-ubuntu-2004-master-py3: {extends: '.test_instance'}
@@ -161,16 +159,20 @@ ubuntu-2004-master-py3: {extends: '.test_instance'}
 # preferences-ubuntu-1804-master-py3: {extends: '.test_instance'}
 # unattended-ubuntu-1804-master-py3: {extends: '.test_instance'}
 ubuntu-1804-master-py3: {extends: '.test_instance'}
-# repositories-debian-11-3004-1-py3: {extends: '.test_instance'}
-# repositories-debian-10-3004-1-py3: {extends: '.test_instance'}
-# repositories-debian-9-3004-1-py3: {extends: '.test_instance'}
-# repositories-ubuntu-2204-3004-1-py3: {extends: '.test_instance_failure_permitted'}
-# repositories-ubuntu-2004-3004-1-py3: {extends: '.test_instance'}
-# repositories-ubuntu-1804-3004-1-py3: {extends: '.test_instance'}
-# repositories-debian-10-3003-4-py3: {extends: '.test_instance'}
-# repositories-debian-9-3003-4-py3: {extends: '.test_instance'}
-# repositories-ubuntu-2004-3003-4-py3: {extends: '.test_instance'}
-# repositories-ubuntu-1804-3003-4-py3: {extends: '.test_instance'}
+# repositories-debian-12-3007-1-py3: {extends: '.test_instance_failure_permitted'}
+# repositories-debian-11-3007-1-py3: {extends: '.test_instance'}
+# repositories-debian-10-3007-1-py3: {extends: '.test_instance'}
+# repositories-ubuntu-2404-3007-1-py3: {extends: '.test_instance_failure_permitted'}
+# repositories-ubuntu-2204-3007-1-py3: {extends: '.test_instance'}
+# repositories-ubuntu-2004-3007-1-py3: {extends: '.test_instance'}
+# repositories-ubuntu-1804-3007-1-py3: {extends: '.test_instance'}
+# repositories-debian-12-3006-9-py3: {extends: '.test_instance_failure_permitted'}
+# repositories-debian-11-3006-9-py3: {extends: '.test_instance'}
+# repositories-debian-10-3006-9-py3: {extends: '.test_instance'}
+# repositories-ubuntu-2404-3006-9-py3: {extends: '.test_instance_failure_permitted'}
+# repositories-ubuntu-2204-3006-9-py3: {extends: '.test_instance'}
+# repositories-ubuntu-2004-3006-9-py3: {extends: '.test_instance'}
+# repositories-ubuntu-1804-3006-9-py3: {extends: '.test_instance'}
 # yamllint enable rule:line-length
############################################################################### diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1299a84..0abb695 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -53,7 +53,7 @@ repos: always_run: true pass_filenames: false - repo: https://github.com/warpnet/salt-lint - rev: v0.8.0 + rev: v0.9.2 hooks: - id: salt-lint name: Check Salt files using salt-lint diff --git a/.travis.yml b/.travis.yml index 75dabaf..4d3d799 100644 --- a/.travis.yml +++ b/.travis.yml @@ -83,12 +83,10 @@ jobs: ## Define the rest of the matrix based on Kitchen testing # Make sure the instances listed below match up with # the `platforms` defined in `kitchen.yml` - # - env: INSTANCE=repositories-debian-11-tiamat-py3 - # - env: INSTANCE=repositories-debian-10-tiamat-py3 - # - env: INSTANCE=repositories-debian-9-tiamat-py3 - # - env: INSTANCE=repositories-ubuntu-2204-tiamat-py3 - # - env: INSTANCE=repositories-ubuntu-2004-tiamat-py3 - # - env: INSTANCE=repositories-ubuntu-1804-tiamat-py3 + # - env: INSTANCE=repositories-debian-12-master-py3 + # - env: INSTANCE=preferences-debian-12-master-py3 + # - env: INSTANCE=unattended-debian-12-master-py3 + # - env: INSTANCE=debian-12-master-py3 # - env: INSTANCE=repositories-debian-11-master-py3 # - env: INSTANCE=preferences-debian-11-master-py3 # - env: INSTANCE=unattended-debian-11-master-py3 
@@ -97,10 +95,10 @@ jobs: # - env: INSTANCE=preferences-debian-10-master-py3 # - env: INSTANCE=unattended-debian-10-master-py3 - env: INSTANCE=debian-10-master-py3 - # - env: INSTANCE=repositories-debian-9-master-py3 - # - env: INSTANCE=preferences-debian-9-master-py3 - # - env: INSTANCE=unattended-debian-9-master-py3 - - env: INSTANCE=debian-9-master-py3 + # - env: INSTANCE=repositories-ubuntu-2404-master-py3 + # - env: INSTANCE=preferences-ubuntu-2404-master-py3 + # - env: INSTANCE=unattended-ubuntu-2404-master-py3 + # - env: INSTANCE=ubuntu-2404-master-py3 # - env: INSTANCE=repositories-ubuntu-2204-master-py3 # - env: INSTANCE=preferences-ubuntu-2204-master-py3 # - env: INSTANCE=unattended-ubuntu-2204-master-py3 diff --git a/apt/apt_conf.sls b/apt/apt_conf.sls index 8a07461..be6d436 100644 --- a/apt/apt_conf.sls +++ b/apt/apt_conf.sls @@ -18,7 +18,7 @@ {{ confd_dir }}: file.directory: - - mode: 755 + - mode: '0755' - user: root - group: root - clean: {{ clean_apt_conf_d }} @@ -30,7 +30,7 @@ - template: jinja - user: root - group: root - - mode: 644 + - mode: '0644' - context: data: {{ contents }} - require_in: diff --git a/apt/listchanges.sls b/apt/listchanges.sls index 87fb06f..2d81edc 100644 --- a/apt/listchanges.sls +++ b/apt/listchanges.sls @@ -13,5 +13,5 @@ apt_listchanges_pkgs: - template: jinja - user: root - group: root - - mode: 644 + - mode: '0644' - source: {{ listchanges_config_template }} diff --git a/apt/map.jinja b/apt/map.jinja index d77073e..0cb5384 100644 --- a/apt/map.jinja +++ b/apt/map.jinja @@ -1,5 +1,7 @@ {% set distribution = salt['grains.get']('lsb_distrib_codename') %} {% set arch = salt['grains.get']('osarch').split(' ') %} +{% set debian_comp = ['main', 'contrib', 'non-free', 'non-free-firmware'] if salt['grains.get']('osmajorrelease') >= 12 else ['main', 'contrib', 'non-free'] %} + {% set apt = salt['grains.filter_by']({ 'Debian': { 'pkgs': ['unattended-upgrades'], 
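Review bot: In the apt/map.jinja hunk, the new `debian_comp` line compares `salt['grains.get']('osmajorrelease')` with `12` directly, but `grains.get` returns an empty string when the grain is missing, and on Python 3 a string-to-integer `>=` raises during rendering, so the whole map would fail to load on such a minion. Casting with a default avoids that: `salt['grains.get']('osmajorrelease', 0)|int >= 12`. The same variable also widens the Debian default components from `['main']` to include `contrib` and `non-free` on every release, which enlarges the set of packages a minion can install by default. If that is intended, it deserves a mention in the commit description; otherwise keep `['main']` as the fallback list.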
@@ -13,6 +15,8 @@ 'preferences': {}, 'remove_preferences': false, 'clean_preferences_d': false, + 'keyrings_dir': '/etc/apt/keyrings', + 'clean_keyrings_list_d': false, 'remove_apt_conf': false, 'clean_apt_conf_d': false, 'apt_conf_d': {}, @@ -24,19 +28,22 @@ 'distro': distribution, 'url': 'http://deb.debian.org/debian/', 'arch': arch, - 'comps': ['main'], + 'comps': debian_comp, + 'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg' }, 'security-stable': { - 'distro': distribution ~ '/updates', + 'distro': distribution ~ '-security', 'url': 'http://security.debian.org/', 'arch': arch, - 'comps': ['main'], + 'comps': debian_comp, + 'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg' }, 'default-updates': { 'distro': distribution ~ '-updates', 'url': 'http://deb.debian.org/debian/', 'arch': arch, - 'comps': ['main'], + 'comps': debian_comp, + 'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg' }, }, }, @@ -52,6 +59,8 @@ 'preferences': {}, 'remove_preferences': false, 'clean_preferences_d': false, + 'keyrings_dir': '/etc/apt/keyrings', + 'clean_keyrings_list_d': false, 'remove_apt_conf': false, 'clean_apt_conf_d': false, 'apt_conf_d': {}, @@ -83,4 +92,5 @@ 'Mint': { 'keyring_package': 'linuxmint-keyring' }, + }, grain='oscodename', merge=salt['pillar.get']('apt:lookup'), default='Debian')) %} diff --git a/apt/repositories.sls b/apt/repositories.sls index 032cc47..8332f31 100644 --- a/apt/repositories.sls +++ b/apt/repositories.sls 
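Review bot: In the `@@ -24,19 +28,22 @@` hunk the `security-stable` suite becomes `distribution ~ '-security'` unconditionally, but that suite name only exists from Debian 11 on; Debian 10 and older name it `<codename>/updates`. kitchen.yml in this commit still lists debian-10 platforms, so a buster minion using the default repositories would point at a suite that does not exist and stop receiving security updates. Gate it on the release the same way `debian_comp` is gated, for example `'distro': distribution ~ ('-security' if salt['grains.get']('osmajorrelease', 0)|int >= 11 else '/updates'),`. The enclosing `salt['grains.filter_by']` mapping starts and ends outside this hunk.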
@@ -3,6 +3,8 @@ {% set remove_sources_list = apt.get('remove_sources_list', apt_map.remove_sources_list) %} {% set clean_sources_list_d = apt.get('clean_sources_list_d', apt_map.clean_sources_list_d) %} {% set sources_list_dir = apt.get('sources_list_dir', apt_map.sources_list_dir) %} +{% set keyrings_dir = apt.get('keyrings_dir', apt_map.keyrings_dir) %} +{% set clean_keyrings_list_d = apt.get('clean_keyrings_list_d', apt_map.clean_keyrings_list_d) %} {% set repositories = apt.get('repositories', apt_map.repositories) %} {% set default_url = apt.get('default_url', apt_map.default_url) %} {% set keyring_package = apt.get('keyring_package', apt_map.default_keyring_package) %} @@ -23,12 +25,36 @@ - replace: False {% endif %} +{% set excluded_sources = [] %} +{% set unmanaged_repos = [] %} +{% for repo, args in repositories.items() %} + {% if args.unmanaged is defined and args.unmanaged %} + {# repo.list is considered the filename unless filename is explicitly defined. + # managed repo lists files are constructed repo-type.list #} + {% do excluded_sources.append(args.filename if args.filename is defined else repo ~ '.list') %} + {% do unmanaged_repos.append(repo) %} + {% endif %} +{% endfor %} +{% for repo in unmanaged_repos %} + {# remove these repo's to avoid pgrepo.managed loop #} + {% do repositories.pop(repo) %} +{% endfor %} + {{ sources_list_dir }}: file.directory: - mode: '0755' - user: root - group: root - clean: {{ clean_sources_list_d }} + - exclude_pat: {{ excluded_sources | json }} + +{{ keyrings_dir }}: + file.directory: + - mode: '0755' + - user: root + - group: root + - clean: {{ clean_keyrings_list_d }} + {% for repo, args in repositories.items() %} 
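Review bot: The new `{{ keyrings_dir }}` directory state in the `@@ -23,12 +25,36 @@` hunk passes `clean: {{ clean_keyrings_list_d }}`, but nothing visible in this diff registers the keyring files with that directory; the `file.managed` with `require_in` added further down only covers `{{ sources_list_dir }}/{{ r_file }}`. With `clean_keyrings_list_d: true`, as pillar.example now shows, a key that `pkgrepo.managed` wrote to the `signed-by` path would presumably count as unmanaged and be deleted on the next run, leaving the repository without its verification key. Either add a matching `file.managed` with `replace: false` and `require_in: - file: {{ keyrings_dir }}` for each `signed-by` path, or put a comment above the state such as `# clean removes every key not placed through a file state, including keys written by pkgrepo.managed`.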
@@ -69,6 +95,9 @@ the latter will be used. #} {% if args.key_url is defined %} - key_url: {{ args.key_url }} + {% if 'signed-by=' in r_opts|lower and args.aptkey is not defined %} + - aptkey: false + {% endif %} {% elif args.key_text is defined %} - key_text: {{ args.key_text }} {% elif args.keyid is defined %} @@ -78,9 +107,18 @@ - clean_file: true - refresh: False - refresh_db: False + {% if args.aptkey is defined %} + - aptkey: {{ args.aptkey }} + {% endif %} - onchanges_in: - module: apt.refresh_db - + file.managed: + - name: {{ sources_list_dir }}/{{ r_file }} + - replace: false + - require_in: + - file: {{ sources_list_dir }} + # require_in the directory clean state + # This way, we don't remove all the files, just to add them again. {%- endfor %} {% endfor %} diff --git a/kitchen.yml b/kitchen.yml index a46b6c6..f1adb20 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -19,33 +19,11 @@ provisioner: - .git platforms: - ## SALT `tiamat` - - name: debian-11-tiamat-py3 - driver: - image: saltimages/salt-tiamat-py3:debian-11 - run_command: /lib/systemd/systemd - - name: debian-10-tiamat-py3 - driver: - image: saltimages/salt-tiamat-py3:debian-10 - run_command: /lib/systemd/systemd - - name: debian-9-tiamat-py3 - driver: - image: saltimages/salt-tiamat-py3:debian-9 - run_command: /lib/systemd/systemd - - name: ubuntu-2204-tiamat-py3 - driver: - image: saltimages/salt-tiamat-py3:ubuntu-22.04 - run_command: /lib/systemd/systemd - - name: ubuntu-2004-tiamat-py3 - driver: - image: saltimages/salt-tiamat-py3:ubuntu-20.04 - run_command: /lib/systemd/systemd - - name: ubuntu-1804-tiamat-py3 + ## SALT `master` + - name: debian-12-master-py3 driver: - image: saltimages/salt-tiamat-py3:ubuntu-18.04 + image: saltimages/salt-master-py3:debian-12 run_command: /lib/systemd/systemd - - ## SALT `master` - name: debian-11-master-py3 driver: image: saltimages/salt-master-py3:debian-11 
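Review bot: In the `@@ -69,6 +95,9 @@` hunk the automatic `aptkey: false` sits inside the `key_url` branch only, so a repository that sets `signed-by=` in its options together with `key_text` or `keyid` still takes the default apt-key path. In that case the key would end up trusted for every configured repository rather than only the one named by `signed-by`, which is the scoping the option is meant to provide. Dropping the nested check here and extending the block added in the next hunk covers all three key sources: after `{% if args.aptkey is defined %}` and `- aptkey: {{ args.aptkey }}`, add `{% elif 'signed-by=' in r_opts|lower %}` and `- aptkey: false`. `r_opts` is defined outside the hunk, so this assumes it is the rendered option string.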
@@ -54,9 +32,9 @@ platforms: driver: image: saltimages/salt-master-py3:debian-10 run_command: /lib/systemd/systemd - - name: debian-9-master-py3 + - name: ubuntu-2404-master-py3 driver: - image: saltimages/salt-master-py3:debian-9 + image: saltimages/salt-master-py3:ubuntu-24.04 run_command: /lib/systemd/systemd - name: ubuntu-2204-master-py3 driver: 
@@ -71,48 +49,64 @@ platforms: image: saltimages/salt-master-py3:ubuntu-18.04 run_command: /lib/systemd/systemd - ## SALT `3004.1` - - name: debian-11-3004-1-py3 + ## SALT `3007.1` + - name: debian-12-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:debian-11 + image: saltimages/salt-3007.1-py3:debian-12 run_command: /lib/systemd/systemd - - name: debian-10-3004-1-py3 + - name: debian-11-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:debian-10 + image: saltimages/salt-3007.1-py3:debian-11 run_command: /lib/systemd/systemd - - name: debian-9-3004-1-py3 + - name: debian-10-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:debian-9 + image: saltimages/salt-3007.1-py3:debian-10 run_command: /lib/systemd/systemd - - name: ubuntu-2204-3004-1-py3 + - name: ubuntu-2404-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:ubuntu-22.04 + image: saltimages/salt-3007.1-py3:ubuntu-24.04 run_command: /lib/systemd/systemd - - name: ubuntu-2004-3004-1-py3 + - name: ubuntu-2204-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:ubuntu-20.04 + image: saltimages/salt-3007.1-py3:ubuntu-22.04 run_command: /lib/systemd/systemd - - name: ubuntu-1804-3004-1-py3 + - name: ubuntu-2004-3007-1-py3 driver: - image: saltimages/salt-3004.1-py3:ubuntu-18.04 + image: saltimages/salt-3007.1-py3:ubuntu-20.04 + run_command: /lib/systemd/systemd + - name: ubuntu-1804-3007-1-py3 + driver: + image: saltimages/salt-3007.1-py3:ubuntu-18.04 run_command: /lib/systemd/systemd - ## SALT `3003.4` - - name: debian-10-3003-4-py3 + ## SALT `3006.9` + - name: debian-12-3006-9-py3 + driver: + image: saltimages/salt-3006.9-py3:debian-12 + run_command: /lib/systemd/systemd + - name: debian-11-3006-9-py3 + driver: + image: saltimages/salt-3006.9-py3:debian-11 + run_command: /lib/systemd/systemd + - name: debian-10-3006-9-py3 + driver: + image: saltimages/salt-3006.9-py3:debian-10 + run_command: /lib/systemd/systemd + - name: ubuntu-2404-3006-9-py3 driver: - image: 
saltimages/salt-3003.4-py3:debian-10 + image: saltimages/salt-3006.9-py3:ubuntu-24.04 run_command: /lib/systemd/systemd - - name: debian-9-3003-4-py3 + - name: ubuntu-2204-3006-9-py3 driver: - image: saltimages/salt-3003.4-py3:debian-9 + image: saltimages/salt-3006.9-py3:ubuntu-22.04 run_command: /lib/systemd/systemd - - name: ubuntu-2004-3003-4-py3 + - name: ubuntu-2004-3006-9-py3 driver: - image: saltimages/salt-3003.4-py3:ubuntu-20.04 + image: saltimages/salt-3006.9-py3:ubuntu-20.04 run_command: /lib/systemd/systemd - - name: ubuntu-1804-3003-4-py3 + - name: ubuntu-1804-3006-9-py3 driver: - image: saltimages/salt-3003.4-py3:ubuntu-18.04 + image: saltimages/salt-3006.9-py3:ubuntu-18.04 run_command: /lib/systemd/systemd verifier: @@ -129,6 +123,7 @@ suites: state_top: base: '*': + - states/unmanaged - apt._mapdata - apt.repositories - apt.update @@ -139,6 +134,9 @@ suites: - apt pillars_from_files: apt.sls: test/salt/pillar/repositories.sls + dependencies: + - name: states + path: ./test/salt verifier: inspec_tests: - path: test/integration/repositories diff --git a/pillar.example b/pillar.example index 6f313a0..d4275fe 100644 --- a/pillar.example +++ b/pillar.example @@ -14,6 +14,9 @@ apt: remove_preferences: true clean_preferences_d: true + keyrings_dir: '/etc/apt/keyrings' + clean_keyrings_list_d: true + apt_conf_d: 30release: 'APT::Default-Release': stable @@ -126,6 +129,15 @@ apt: opts: trusted: 'yes' another: whatever + saltstack: + distro: stable + url: https://packages.broadcom.com/artifactory/saltproject-deb + comps: [main] + type: [binary] + key_url: https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public # yamllint disable-line rule:line-length + opts: "signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp" + rabbitmq: + unmanaged: true # useful when rabbitmq.list is managed by another formula preferences: 00-rspamd: 
diff --git a/test/integration/repositories/controls/repositories_spec.rb b/test/integration/repositories/controls/repositories_spec.rb index c08eef9..12cfdd1 100644 --- a/test/integration/repositories/controls/repositories_spec.rb +++ b/test/integration/repositories/controls/repositories_spec.rb @@ -25,15 +25,10 @@ its('mode') { should cmp '0755' } end - describe file('/etc/apt/sources.list.d/multimedia-stable-binary.list') do + describe file('/etc/apt/sources.list.d/unmanaged.list') do it { should exist } - it { should be_owned_by 'root' } - it { should be_grouped_into 'root' } - its('mode') { should cmp '0644' } its(:content) do - should match( - %r{deb \[arch=amd64\] http://www.deb-multimedia.org stable main} - ) + should match("## unmanged list file that shouldn't be removed") end end @@ -64,4 +59,23 @@ describe file('/etc/apt/sources.list.d/raspbian-binary.list') do it { should_not exist } end + + describe file('/etc/apt/sources.list.d/saltstack.list') do + it { should exist } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + its(:content) do + should match( + %r{deb \[\s?signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp\s?\] https://packages.broadcom.com/artifactory/saltproject-deb stable main} + ) + end + end + + describe file('/etc/apt/keyrings/salt-archive-keyring.pgp') do + it { should exist } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + end end diff --git a/test/salt/pillar/repositories.sls b/test/salt/pillar/repositories.sls index 97aeb3b..b9605ed 100644 --- a/test/salt/pillar/repositories.sls +++ b/test/salt/pillar/repositories.sls 
@@ -6,13 +6,10 @@ apt: clean_sources_list_d: true repositories: - multimedia-stable: - distro: stable - url: http://www.deb-multimedia.org - arch: [amd64] - comps: [main] - keyid: 5C808C2B65558117 - keyserver: keyserver.ubuntu.com + unmanaged: + unmanaged: true # do not remove this file when clean_sources_list_d=true + filename: unmanaged.list # optional + heroku: distro: ./ url: https://cli-assets.heroku.com/apt @@ -27,3 +24,11 @@ apt: url: http://archive.raspbian.org/raspbian type: [source] key_url: https://archive.raspbian.org/raspbian.public.key + saltstack: + filename: saltstack.list + distro: stable + url: https://packages.broadcom.com/artifactory/saltproject-deb + comps: [main] + type: [binary] + key_url: https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public # yamllint disable-line rule:line-length + opts: "signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp" \ No newline at end of file diff --git a/test/salt/states/unmanaged.sls b/test/salt/states/unmanaged.sls new file mode 100644 index 0000000..ea1b885 --- /dev/null +++ b/test/salt/states/unmanaged.sls @@ -0,0 +1,6 @@ + +repos_maintained_by_another_formula: + file.managed: + - name: /etc/apt/sources.list.d/unmanaged.list + - mode: '0644' + - contents: "## unmanged list file that shouldn't be removed"
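Review bot: Dropping `multimedia-stable` in the `@@ -6,13 +6,10 @@` hunk removes the only fixture visible here that used `keyid` with `keyserver`, so that branch of apt/repositories.sls appears to be no longer exercised by the repositories suite; the other entries shown use `key_url`. Since this commit changes key handling (`aptkey`, `signed-by`, the keyrings directory), keeping one `keyid`/`keyserver` repository in the fixture next to the new `saltstack` entry would show that the older path still installs a working key. The matching `describe file(...)` block in repositories_spec.rb would need to stay as well.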