geteduroam-ops/global/post-tasks.d/018packages
2016-08-28 00:08:37 +02:00

106 lines
3.4 KiB
Bash
Executable file

#!/bin/bash
CONFIG=${CONFIG:=/etc/puppet/cosmos-modules.conf}
CACHE_DIR=/var/cache/puppet-modules
MODULES_DIR=${MODULES_DIR:=/etc/puppet/cosmos-modules}
export GNUPGHOME=/etc/cosmos/gnupg
python -c "import yaml" 2>/dev/null || apt-get -y install python-yaml
stage_module() {
rm -rf $CACHE_DIR/staging/$1
git archive --format=tar --prefix=$1/ $2 | (cd $CACHE_DIR/staging/ && tar xf -)
}
if [ -f $CONFIG ]; then
if [ ! -d $MODULES_DIR ]; then
mkdir -p $MODULES_DIR
fi
if [ ! -d $CACHE_DIR ]; then
mkdir -p $CACHE_DIR/{scm,staging}
fi
# First pass to clone any new modules, and update those marked for updating.
grep -E -v "^#" $CONFIG | (
while read module src update pattern; do
# We only support git:// urls and https:// urls atm
if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then
if [ ! -d $CACHE_DIR/scm/$module ]; then
git clone -q $src $CACHE_DIR/scm/$module
elif [ -d $CACHE_DIR/scm/$module/.git ]; then
if [ "$update" = "yes" ]; then
cd $CACHE_DIR/scm/$module
if [ "$src" != "$(git config remote.origin.url)" ]; then
git config remote.origin.url $src
fi
git pull -q
else
continue
fi
else
echo "ERROR: Ignoring non-git repository"
continue
fi
elif [[ "$src" =~ .*:// ]]; then
echo "ERROR: Don't know how to install '$src'"
continue
else
echo "WARNING"
echo "WARNING - attempting UNSAFE installation/upgrade of puppet-module $module from $src"
echo "WARNING"
if [ ! -d /etc/puppet/modules/$module ]; then
puppet module install $src
elif [ "$update" = "yes" ]; then
puppet module upgrade $src
fi
fi
done
)
# Second pass to verify the signatures on all modules and stage those that
# have good signatures.
grep -E -v "^#" $CONFIG | (
while read module src update pattern; do
# We only support git:// urls atm
if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then
# Verify git tag
cd $CACHE_DIR/scm/$module
TAG=$(git tag -l "${pattern:-*}" | sort | tail -1)
if [ "$COSMOS_VERBOSE" = "y" ]; then
echo ""
echo "Checking signature on tag ${TAG} for puppet-module $module"
fi
if [ -z "$TAG" ]; then
echo "ERROR: No git tag found for pattern '${pattern:-*}' on puppet-module $module"
continue
fi
git tag -v $TAG &> /dev/null
if [ $? == 0 ]; then
if [ "$COSMOS_VERBOSE" = "y" ]; then
# short output on good signature
git tag -v $TAG 2>&1 | grep "gpg: Good signature"
fi
# Put archive in staging since tag verified OK
stage_module $module $TAG
else
echo "################################################################"
echo "FAILED signature check on puppet-module $module"
echo "################################################################"
git tag -v $TAG
fi
fi
done
)
# Cleanup removed puppet modules from CACHE_DIR
for MODULE in $(ls -1 $CACHE_DIR/staging/); do
if ! grep -E -q "^$MODULE\s+" $CONFIG; then
rm -rf $CACHE_DIR/{scm,staging}/$MODULE
fi
done
# Installing verified puppet modules
rsync --archive --delete $CACHE_DIR/staging/ $MODULES_DIR/
fi