From 6687a12f42b28fac7b170c03c150ec45f1c9acff Mon Sep 17 00:00:00 2001 From: Didier METRAL Date: Thu, 10 Apr 2025 19:00:35 +0200 Subject: [PATCH] feat(repositories): stop removing sources files and support unmanaged --- apt/apt_conf.sls | 4 ++-- apt/listchanges.sls | 2 +- apt/map.jinja | 10 +++++--- apt/repositories.sls | 24 ++++++++++++++++++- kitchen.yml | 4 ++++ pillar.example | 3 +++ .../controls/repositories_spec.rb | 9 ++----- test/salt/pillar/repositories.sls | 10 +++----- test/salt/states/unmanaged.sls | 5 ++++ 9 files changed, 50 insertions(+), 21 deletions(-) create mode 100644 test/salt/states/unmanaged.sls diff --git a/apt/apt_conf.sls b/apt/apt_conf.sls index 8a07461..be6d436 100644 --- a/apt/apt_conf.sls +++ b/apt/apt_conf.sls @@ -18,7 +18,7 @@ {{ confd_dir }}: file.directory: - - mode: 755 + - mode: '0755' - user: root - group: root - clean: {{ clean_apt_conf_d }} @@ -30,7 +30,7 @@ - template: jinja - user: root - group: root - - mode: 644 + - mode: '0644' - context: data: {{ contents }} - require_in: diff --git a/apt/listchanges.sls b/apt/listchanges.sls index 87fb06f..2d81edc 100644 --- a/apt/listchanges.sls +++ b/apt/listchanges.sls @@ -13,5 +13,5 @@ apt_listchanges_pkgs: - template: jinja - user: root - group: root - - mode: 644 + - mode: '0644' - source: {{ listchanges_config_template }} diff --git a/apt/map.jinja b/apt/map.jinja index 2355584..c1ae3b4 100644 --- a/apt/map.jinja +++ b/apt/map.jinja @@ -1,5 +1,6 @@ {% set distribution = salt['grains.get']('lsb_distrib_codename') %} {% set arch = salt['grains.get']('osarch').split(' ') %} +{% set debian_comp = ['main', 'contrib', 'non-free', 'non-free-firmware'] if salt['grains.get']('osmajorrelease') >= 12 else ['main', 'contrib', 'non-free'] %} {% set apt = salt['grains.filter_by']({ 'Debian': { 'pkgs': ['unattended-upgrades'], 
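Review bot: The new `debian_comp` line in `apt/map.jinja` compares `salt['grains.get']('osmajorrelease')` with `12` without a default or a cast. It sits above the `filter_by` call, so it is evaluated on every minion that renders the map, not only on Debian. `grains.get` returns an empty string when the grain is missing, and a string value does not compare with an integer, so the render would presumably fail on such a minion. Writing the test as `salt['grains.get']('osmajorrelease', 0) | int >= 12` keeps the map renderable and falls back to the three-component list. The hunk ends inside the `filter_by` dictionary, so how other OS families are handled is not visible here.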
@@ -26,19 +27,22 @@ 'distro': distribution, 'url': 'http://deb.debian.org/debian/', 'arch': arch, - 'comps': ['main'], + 'comps': debian_comp, + 'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg' }, 'security-stable': { 'distro': distribution ~ '/updates', 'url': 'http://security.debian.org/', 'arch': arch, - 'comps': ['main'], + 'comps': debian_comp, + 'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg' }, 'default-updates': { 'distro': distribution ~ '-updates', 'url': 'http://deb.debian.org/debian/', 'arch': arch, - 'comps': ['main'], + 'comps': debian_comp, + 'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg' }, }, }, diff --git a/apt/repositories.sls b/apt/repositories.sls index beb3266..6f61a1d 100644 --- a/apt/repositories.sls +++ b/apt/repositories.sls @@ -25,12 +25,28 @@ - replace: False {% endif %} +{% set excluded_sources = [] %} +{% set unmanaged_repos = [] %} +{% for repo, args in repositories.items() %} + {% if args.unmanaged is defined and args.unmanaged %} + {# repo.list is considered the filename unless filename is explicitly defined. + # managed repo lists files are constructed repo-type.list #} + {% do excluded_sources.append(args.filename if args.filename is defined else repo ~ '.list') %} + {% do unmanaged_repos.append(repo) %} + {% endif %} +{% endfor %} +{% for repo in unmanaged_repos %} + {# remove these repo's to avoid pgrepo.managed loop #} + {% do repositories.pop(repo) %} +{% endfor %} + {{ sources_list_dir }}: file.directory: - mode: '0755' - user: root - group: root - clean: {{ clean_sources_list_d }} + - exclude_pat: {{ excluded_sources | json }} {{ keyrings_dir }}: file.directory: 
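Review bot: Changing `'comps'` from `['main']` to `debian_comp` in the three default Debian entries enables `contrib`, `non-free` and, from release 12 on, `non-free-firmware` on every minion that relies on these defaults, with no pillar opt-in. That widens the set of installable packages and is not mentioned in the commit subject. Keeping `['main']` as the default and letting the pillar add components would be the less surprising choice. The added `'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg'` is a welcome restriction of which key may sign these sources, but the path is repeated three times and only exists where the `debian-archive-keyring` package is installed. A single `{% set debian_keyring = '/usr/share/keyrings/debian-archive-keyring.gpg' %}` next to `debian_comp` would keep it in one place. The surrounding dictionary starts and ends outside the hunk.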
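Review bot: In `apt/repositories.sls`, each entry passed to `exclude_pat` is taken verbatim from the pillar (`args.filename`, or `repo ~ '.list'`). As far as I know Salt matches `exclude_pat` values as globs, or as regexes with an `E@` prefix, so a value containing wildcard characters would exempt more files from `clean` than the one repository named. Every exempted file stays an active apt source that this formula no longer controls, so the Jinja comment above the `append` should say so, e.g. `{# filename is matched as a pattern by exclude_pat; give a literal file name such as rabbitmq.list #}`. The second comment should read `pkgrepo.managed` rather than `pgrepo.managed`, and `args.get('unmanaged')` would be shorter than `args.unmanaged is defined and args.unmanaged`. The `{{ keyrings_dir }}` state at the end of the hunk continues outside it.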
@@ -95,7 +111,13 @@ {% endif %} - onchanges_in: - module: apt.refresh_db - + file.managed: + - name: {{ sources_list_dir }}/{{ r_file }} + - replace: false + - require_in: + - file: {{ sources_list_dir }} + # require_in the directory clean state + # This way, we don't remove all the files, just to add them again. {%- endfor %} {% endfor %} diff --git a/kitchen.yml b/kitchen.yml index b35a801..c3c6eb0 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -259,6 +259,7 @@ suites: state_top: base: '*': + - states/unmanaged - apt._mapdata - apt.repositories - apt.update @@ -269,6 +270,9 @@ suites: - apt pillars_from_files: apt.sls: test/salt/pillar/repositories.sls + dependencies: + - name: states + path: ./test/salt verifier: inspec_tests: - path: test/integration/repositories diff --git a/pillar.example b/pillar.example index 9a217ef..8df4614 100644 --- a/pillar.example +++ b/pillar.example @@ -136,6 +136,9 @@ apt: type: [binary] key_url: https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public # yamllint disable-line rule:line-length opts: "signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp" + rabbitmq: + unmanaged: true # useful when rabbitmq.list is managed by another formula + filename: rabbitmq.list preferences: 00-rspamd: diff --git a/test/integration/repositories/controls/repositories_spec.rb b/test/integration/repositories/controls/repositories_spec.rb index cac9731..12cfdd1 100644 --- a/test/integration/repositories/controls/repositories_spec.rb +++ b/test/integration/repositories/controls/repositories_spec.rb 
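Review bot: The added `file.managed` state in `apt/repositories.sls` names the sources file with `replace: false` but sets no owner, group or mode. Permissions on a file that decides where packages are fetched from are therefore never enforced, and if the file is missing when the state runs, Salt would presumably create it empty with default permissions. I would add `- user: root`, `- group: root` and `- mode: '0644'`, matching the other file states touched by this commit. The two `#` comment lines would read better above `- require_in:` than after the state, because they explain why the requisite is there. The enclosing state (presumably `pkgrepo.managed`) and both `for` loops start outside the hunk.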
@@ -25,15 +25,10 @@ its('mode') { should cmp '0755' } end - describe file('/etc/apt/sources.list.d/multimedia-stable-binary.list') do + describe file('/etc/apt/sources.list.d/unmanaged.list') do it { should exist } - it { should be_owned_by 'root' } - it { should be_grouped_into 'root' } - its('mode') { should cmp '0644' } its(:content) do - should match( - %r{deb \[arch=amd64\] http://www.deb-multimedia.org stable main} - ) + should match("## unmanged list file that shouldn't be removed") end end diff --git a/test/salt/pillar/repositories.sls b/test/salt/pillar/repositories.sls index ade535e..91d82ce 100644 --- a/test/salt/pillar/repositories.sls +++ b/test/salt/pillar/repositories.sls @@ -6,13 +6,9 @@ apt: clean_sources_list_d: true repositories: - multimedia-stable: - distro: stable - url: http://www.deb-multimedia.org - arch: [amd64] - comps: [main] - keyid: 5C808C2B65558117 - keyserver: keyserver.ubuntu.com + unmanaged: + unmanaged: true # do not remove this file when clean_sources_list_d=true + filename: unmanaged.list # optional heroku: distro: ./ url: https://cli-assets.heroku.com/apt diff --git a/test/salt/states/unmanaged.sls b/test/salt/states/unmanaged.sls new file mode 100644 index 0000000..4cd5468 --- /dev/null +++ b/test/salt/states/unmanaged.sls @@ -0,0 +1,5 @@ +repos_maintained_by_another_formula: + file.managed: + - name: /etc/apt/sources.list.d/unmanaged.list + - mode: '0644' + - contents: "## unmanged list file that shouldn't be removed"
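Review bot: The rewritten `describe` block in `repositories_spec.rb` drops the owner, group and mode assertions, and within this hunk nothing checks any longer that a repository file written by the formula itself survives `clean_sources_list_d: true`. That is the first half of what the commit subject promises. I would keep a second control for a managed repository (the test pillar still defines `heroku`). I would also retain `its('mode') { should cmp '0644' }` on `unmanaged.list`, since `test/salt/states/unmanaged.sls` sets that mode. The matched string spells `unmanged`; it agrees with the `contents` value in the new test state, so the two have to be corrected together if the typo is fixed.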