From 2e2cc75029b70e3e8042dbc656a773b610c3b345 Mon Sep 17 00:00:00 2001
From: John Van de Meulebrouck Brendgard
Date: Sat, 27 Aug 2016 23:51:58 +0200
Subject: [PATCH 1/5] Do not fetch puppet deb over http, instead do as seen in eduID

---
 global/pre-tasks.d/030puppet | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/global/pre-tasks.d/030puppet b/global/pre-tasks.d/030puppet
index cdc9989..ef08016 100755
--- a/global/pre-tasks.d/030puppet
+++ b/global/pre-tasks.d/030puppet
@@ -9,9 +9,13 @@ stamp="$COSMOS_BASE/stamps/puppet-tools-v01.stamp"
 if ! test -f $stamp -a -f /usr/bin/puppet; then
 codename=`lsb_release -c| awk '{print $2}'`
- wget -c http://apt.puppetlabs.com/puppetlabs-release-${codename}.deb
- dpkg -i puppetlabs-release-${codename}.deb
- rm -f puppetlabs-release-${codename}.deb*
+ puppetdeb="$COSMOS_REPO/apt/puppetlabs-release-${codename}.deb"
+ if [ ! -f $puppetdeb ]; then
+ echo "$0: Puppet deb for release $codename not found in $COSMOS_REPO/apt/"
+ echo " Get it from https://apt.puppetlabs.com/ and put it in the Cosmos repo."
+ exit 1
+ fi
+ dpkg -i $puppetdeb
 apt-get update
 apt-get -y install puppet-common

From b56799bcc65d8b7022781d40f338eaa89e64588c Mon Sep 17 00:00:00 2001
From: John Van de Meulebrouck Brendgard
Date: Sat, 27 Aug 2016 23:52:14 +0200
Subject: [PATCH 2/5] Added automatic re-import of expired keys as in eduID

---
 global/post-tasks.d/015cosmos-trust | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/global/post-tasks.d/015cosmos-trust b/global/post-tasks.d/015cosmos-trust
index 447d875..74835e0 100755
--- a/global/post-tasks.d/015cosmos-trust
+++ b/global/post-tasks.d/015cosmos-trust
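Review bot: `dpkg -i $puppetdeb` installs the vendor release package (the one that, as far as I recall, configures the Puppet Labs apt source and its signing key) with no integrity check of the file taken from `$COSMOS_REPO/apt/`; dropping the unauthenticated http download is a clear gain, but the .deb is now only as trustworthy as the repo checkout, so unless that checkout is signature-verified before pre-tasks run (presumably it is, given the cosmos-trust keyring, but that is not visible here) a pinned checksum belongs next to it: `echo "<sha256>  $puppetdeb" | sha256sum -c - || exit 1`. Minor: `$puppetdeb` and `$stamp` are unquoted, so a `$COSMOS_REPO` with a space breaks both tests, and the two error lines go to stdout rather than stderr (`>&2`). The `if` block closes outside the hunk; its trailing context lines appear to have been lost in extraction.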
@@ -4,11 +4,19 @@ if [ -z "$COSMOS_KEYS" ]; then
 COSMOS_KEYS=/etc/cosmos/keys
 fi
+# Install new keys discovered in the $COSMOS_KEYS directory
 for k in $COSMOS_KEYS/*.pub; do
- fp=`cosmos gpg --with-colons --with-fingerprint < $k| awk -F: '$1 == "pub" {print $5}'`
- cosmos gpg --with-colons --fingerprint | grep -q ":$fp:" || cosmos gpg --import < $k
+ fp=`cosmos gpg --with-colons --with-fingerprint < $k | awk -F: '$1 == "pub" {print $5}'`
+ fp_in_db=`cosmos gpg --with-colons --fingerprint | grep ":$fp:"`
+ if [ "x`echo $fp_in_db | grep '^pub:e:'`" != "x" ]; then
+ echo "$0: Key expired, will re-import it from $k"
+ cosmos gpg --fingerprint $fp
+ fi
+ # The removal of any ^pub:e: entrys means to ignore expired keys - thereby importing them again.
+ echo $fp_in_db | grep -v "^pub:e:" | grep -q ":$fp:" || cosmos gpg --import < $k
 done
+# Delete keys no longer present in $COSMOS_KEYS directory
 for fp in `cosmos gpg --with-colons --fingerprint | awk -F: '$1 == "pub" {print $5}'`; do
 seen="no"
 for k in $COSMOS_KEYS/*.pub; do

From a94f87c41c94425fef5cd1f3d713f526e089ad1d Mon Sep 17 00:00:00 2001
From: John Van de Meulebrouck Brendgard
Date: Sun, 28 Aug 2016 00:08:37 +0200
Subject: [PATCH 3/5] Support fetching of git over https:// as seen in eduID

---
 global/post-tasks.d/018packages | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/global/post-tasks.d/018packages b/global/post-tasks.d/018packages
index 3e2e26e..9370e10 100755
--- a/global/post-tasks.d/018packages
+++ b/global/post-tasks.d/018packages
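Review bot: The re-import path only helps when the `.pub` file in `$COSMOS_KEYS` has actually been refreshed with a new expiry; `cosmos gpg --import < $k` of an unchanged file leaves the key expired, so a stale file produces the "Key expired" message and an import on every run while signatures by that key keep failing with no clearer signal. After the import, re-check and report to stderr, e.g. `cosmos gpg --with-colons --fingerprint | grep -q "^pub:e:.*:$fp:" && echo "$0: key $fp from $k is still expired after re-import" >&2`. Also `echo $fp_in_db` is unquoted, which flattens the multi-line grep output onto one line so the `^pub:e:` anchor only ever sees the first matched line; `printf '%s\n' "$fp_in_db"` keeps the lines intact. The `cosmos gpg --fingerprint $fp` inside the if branch only prints the key and looks like leftover debugging output. The second `for fp` loop continues outside the hunk.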
@@ -24,8 +24,8 @@ if [ -f $CONFIG ]; then
 # First pass to clone any new modules, and update those marked for updating.
 grep -E -v "^#" $CONFIG | (
 while read module src update pattern; do
- # We only support git:// urls atm
- if [ "${src:0:6}" = "git://" ]; then
+ # We only support git:// urls and https:// urls atm
+ if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then
 if [ ! -d $CACHE_DIR/scm/$module ]; then
 git clone -q $src $CACHE_DIR/scm/$module
 elif [ -d $CACHE_DIR/scm/$module/.git ]; then
@@ -63,7 +63,7 @@ if [ -f $CONFIG ]; then
 grep -E -v "^#" $CONFIG | (
 while read module src update pattern; do
 # We only support git:// urls atm
- if [ "${src:0:6}" = "git://" ]; then
+ if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then
 # Verify git tag
 cd $CACHE_DIR/scm/$module
 TAG=$(git tag -l "${pattern:-*}" | sort | tail -1)

From b81de45e773ae9cce84b1b0c11d6bc169ce63cfd Mon Sep 17 00:00:00 2001
From: John Van de Meulebrouck Brendgard
Date: Sun, 28 Aug 2016 00:11:33 +0200
Subject: [PATCH 4/5] Show diff of puppet changes as seen in eduID

---
 global/post-tasks.d/030puppet | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/global/post-tasks.d/030puppet b/global/post-tasks.d/030puppet
index 6742949..b94b9ff 100755
--- a/global/post-tasks.d/030puppet
+++ b/global/post-tasks.d/030puppet
@@ -1,13 +1,13 @@
 #!/bin/sh
 if [ "x$COSMOS_VERBOSE" = "xy" ]; then
- args="--verbose"
+ args="--verbose --show_diff"
 else
 args="--logdest=syslog"
 fi
 if [ -f /usr/bin/puppet -a -d /etc/puppet/manifests ]; then
 for m in `find /etc/puppet/manifests -name \*.pp`; do
- puppet apply $args < $m
+ puppet apply $args $m
 done
 fi

From 5fbd6f5b94ef67c70fc4bb5c13ab96b3df3b9591 Mon Sep 17 00:00:00 2001
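Review bot: Accepting https:// here changes the transport but not the trust model — `git clone -q $src` on the following line still takes whatever the server returns, so the fetched module is only authenticated by the tag verification in the second pass, and https adds transport integrity only while certificate checking is left on (a `GIT_SSL_NO_VERIFY` or `http.sslVerify=false` in the environment would silently undo it). On style, `[ a -o b ]` is the obsolescent test form and the `${src:0:6}`/`${src:0:8}` slices are easy to miscount; `case "$src" in git://*|https://*) ... ;; esac` is POSIX and reads as the intent. The `while` body continues past the end of the hunk.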
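Review bot: The comment `# We only support git:// urls atm` directly above the changed condition is now false, since the line below it accepts https:// as well; update it to match the first hunk, `# We only support git:// urls and https:// urls atm`. The scheme test is now duplicated between the two passes, so a one-line helper such as `supported_src() { case "$1" in git://*|https://*) return 0 ;; esac; return 1; }` would keep them from drifting again. The loop body continues outside the hunk.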
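Review bot: `--show_diff` on the args line makes `puppet apply` print the full content diff of every changed managed file, so in verbose mode the contents of any puppet-managed file that carries credentials land in the operator's terminal and in anything capturing that output; that is reasonable for debugging but deserves a comment on the line, e.g. `# --show_diff prints file content diffs: resources that manage secrets should set show_diff => false`. The switch from `< $m` to `$m` looks right — `puppet apply` takes the manifest path as an argument — and the syslog branch is unaffected.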
From: John Van de Meulebrouck Brendgard
Date: Sun, 28 Aug 2016 00:13:10 +0200
Subject: [PATCH 5/5] Do not run update and autoremove on all machines at the same time as seen in eduID

---
 global/post-tasks.d/099autoremove | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/global/post-tasks.d/099autoremove b/global/post-tasks.d/099autoremove
index 2cc6996..74b0aa4 100755
--- a/global/post-tasks.d/099autoremove
+++ b/global/post-tasks.d/099autoremove
@@ -1,4 +1,6 @@
 #!/bin/sh
-apt-get -qq update
-apt-get -qq -y autoremove
+if (( $RANDOM % 20 == 0)); then
+ apt-get -qq update
+ apt-get -qq -y autoremove
+fi
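Review bot: `if (( $RANDOM % 20 == 0)); then` is bash syntax under the `#!/bin/sh` shebang shown as the first context line; where `/bin/sh` is dash, as on Debian and Ubuntu, `((` is parsed as two nested subshells and `$RANDOM` expands to nothing, so the test runs the command `% 20 == 0`, which fails, and `apt-get update`/`autoremove` never run on any host — the opposite of the intent, with no error visible beyond a "not found" on stderr. Either change the shebang to `#!/bin/bash` or keep it POSIX and draw the number from the kernel: `if [ $(( $(od -An -N2 -tu2 /dev/urandom) % 20 )) -eq 0 ]; then`. Reading /dev/urandom also sidesteps any dependence on how the shell seeds `$RANDOM` on hosts kicked off by the same cron minute. A comment stating the intent would help too, e.g. `# Spread apt traffic: only about one run in 20 does update+autoremove`.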