2014-02-22 18:29:41 +01:00
|
|
|
#!/bin/bash
|
|
|
|
|
|
|
|
CONFIG=${CONFIG:=/etc/puppet/cosmos-modules.conf}
|
2019-01-15 13:07:47 +01:00
|
|
|
LOCALCONFIG=${LOCALCONFIG:=/etc/puppet/cosmos-modules_local.conf}
|
2014-02-22 18:29:41 +01:00
|
|
|
CACHE_DIR=/var/cache/puppet-modules
|
|
|
|
MODULES_DIR=${MODULES_DIR:=/etc/puppet/cosmos-modules}
|
|
|
|
export GNUPGHOME=/etc/cosmos/gnupg
|
2013-09-03 11:31:05 +02:00
|
|
|
|
2019-01-15 13:18:22 +01:00
|
|
|
# /etc/puppet/cosmos_enc.py needs the YAML module
|
|
|
|
python3 -c "import yaml" 2>/dev/null || apt-get -y install python3-yaml
|
2013-09-03 11:31:05 +02:00
|
|
|
|
2019-01-15 13:08:39 +01:00
|
|
|
bold='\e[1m'
|
|
|
|
reset='\e[0m'
|
|
|
|
red='\033[01;31m'
|
2014-02-22 18:29:41 +01:00
|
|
|
|
|
|
|
stage_module() {
|
|
|
|
rm -rf $CACHE_DIR/staging/$1
|
|
|
|
git archive --format=tar --prefix=$1/ $2 | (cd $CACHE_DIR/staging/ && tar xf -)
|
|
|
|
}
|
|
|
|
|
2019-01-15 13:07:47 +01:00
|
|
|
if [ -f $CONFIG -o $LOCALCONFIG ]; then
|
2014-02-22 18:29:41 +01:00
|
|
|
if [ ! -d $MODULES_DIR ]; then
|
|
|
|
mkdir -p $MODULES_DIR
|
|
|
|
fi
|
|
|
|
if [ ! -d $CACHE_DIR ]; then
|
|
|
|
mkdir -p $CACHE_DIR/{scm,staging}
|
|
|
|
fi
|
|
|
|
|
2019-01-15 13:07:47 +01:00
|
|
|
test -f $CONFIG || CONFIG=''
|
|
|
|
test -f $LOCALCONFIG || LOCALCONFIG=''
|
|
|
|
|
2014-02-22 18:29:41 +01:00
|
|
|
# First pass to clone any new modules, and update those marked for updating.
|
2019-01-15 13:07:47 +01:00
|
|
|
grep -h -E -v "^#" $CONFIG $LOCALCONFIG | sort | (
|
2014-02-22 18:29:41 +01:00
|
|
|
while read module src update pattern; do
|
2019-01-15 13:09:24 +01:00
|
|
|
# We only support git://, file:/// and https:// urls at the moment
|
|
|
|
if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "file:///" -o "${src:0:8}" = "https://" ]; then
|
2014-02-22 18:29:41 +01:00
|
|
|
if [ ! -d $CACHE_DIR/scm/$module ]; then
|
|
|
|
git clone -q $src $CACHE_DIR/scm/$module
|
|
|
|
elif [ -d $CACHE_DIR/scm/$module/.git ]; then
|
|
|
|
if [ "$update" = "yes" ]; then
|
|
|
|
cd $CACHE_DIR/scm/$module
|
2014-03-03 18:00:11 +01:00
|
|
|
if [ "$src" != "$(git config remote.origin.url)" ]; then
|
|
|
|
git config remote.origin.url $src
|
|
|
|
fi
|
2023-01-31 08:19:41 +01:00
|
|
|
# Support master branch being renamed to main
|
|
|
|
git branch --all | grep -q '^[[:space:]]*remotes/origin/main$' && git checkout main
|
2023-01-30 14:12:13 +01:00
|
|
|
# Update repo and clean out any local inconsistencies
|
|
|
|
git pull -q || (git fetch && git reset --hard)
|
2014-02-22 18:29:41 +01:00
|
|
|
else
|
|
|
|
continue
|
2013-09-03 11:31:05 +02:00
|
|
|
fi
|
2014-02-22 18:29:41 +01:00
|
|
|
else
|
2019-01-15 13:08:39 +01:00
|
|
|
echo -e "${red}ERROR: Ignoring non-git repository${reset}"
|
2014-02-22 18:29:41 +01:00
|
|
|
continue
|
|
|
|
fi
|
2014-02-24 08:13:53 +01:00
|
|
|
elif [[ "$src" =~ .*:// ]]; then
|
2019-01-15 13:08:39 +01:00
|
|
|
echo -e "${red}ERROR: Don't know how to install '${src}'${reset}"
|
2014-02-24 08:13:53 +01:00
|
|
|
continue
|
|
|
|
else
|
2019-01-15 13:08:39 +01:00
|
|
|
echo -e "${bold}WARNING - attempting UNSAFE installation/upgrade of puppet-module ${module} from ${src}${reset}"
|
2014-02-24 08:13:53 +01:00
|
|
|
if [ ! -d /etc/puppet/modules/$module ]; then
|
|
|
|
puppet module install $src
|
|
|
|
elif [ "$update" = "yes" ]; then
|
|
|
|
puppet module upgrade $src
|
|
|
|
fi
|
2014-02-22 18:29:41 +01:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
)
|
|
|
|
|
|
|
|
# Second pass to verify the signatures on all modules and stage those that
|
|
|
|
# have good signatures.
|
2019-01-15 13:07:47 +01:00
|
|
|
grep -h -E -v "^#" $CONFIG $LOCALCONFIG | sort | (
|
2014-02-22 18:29:41 +01:00
|
|
|
while read module src update pattern; do
|
2019-01-15 13:09:24 +01:00
|
|
|
# We only support git://, file:/// and https:// urls at the moment
|
|
|
|
if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "file:///" -o "${src:0:8}" = "https://" ]; then
|
2014-02-22 18:29:41 +01:00
|
|
|
# Verify git tag
|
|
|
|
cd $CACHE_DIR/scm/$module
|
|
|
|
TAG=$(git tag -l "${pattern:-*}" | sort | tail -1)
|
|
|
|
if [ "$COSMOS_VERBOSE" = "y" ]; then
|
2019-01-15 13:08:39 +01:00
|
|
|
echo -e "Checking signature on puppet-module:tag ${bold}${module}:${TAG}${reset}"
|
2014-02-22 18:29:41 +01:00
|
|
|
fi
|
|
|
|
if [ -z "$TAG" ]; then
|
2019-01-15 13:08:39 +01:00
|
|
|
echo -e "${red}ERROR: No git tag found for pattern '${pattern:-*}' on puppet-module ${module}${reset}"
|
2014-02-22 18:29:41 +01:00
|
|
|
continue
|
|
|
|
fi
|
|
|
|
git tag -v $TAG &> /dev/null
|
|
|
|
if [ $? == 0 ]; then
|
2019-01-15 13:08:39 +01:00
|
|
|
#if [ "$COSMOS_VERBOSE" = "y" ]; then
|
|
|
|
# # short output on good signature
|
|
|
|
# git tag -v $TAG 2>&1 | grep "gpg: Good signature"
|
|
|
|
#fi
|
2014-02-22 18:29:41 +01:00
|
|
|
# Put archive in staging since tag verified OK
|
|
|
|
stage_module $module $TAG
|
|
|
|
else
|
2019-01-15 13:08:39 +01:00
|
|
|
echo -e "${red}FAILED signature check on puppet-module ${module}${reset}"
|
2014-02-22 18:29:41 +01:00
|
|
|
git tag -v $TAG
|
2019-01-15 13:08:39 +01:00
|
|
|
echo ''
|
2014-02-22 18:29:41 +01:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
)
|
|
|
|
|
|
|
|
# Cleanup removed puppet modules from CACHE_DIR
|
|
|
|
for MODULE in $(ls -1 $CACHE_DIR/staging/); do
|
2019-01-15 13:07:47 +01:00
|
|
|
if ! grep -h -E -q "^$MODULE\s+" $CONFIG $LOCALCONFIG; then
|
|
|
|
rm -rf $CACHE_DIR/{scm,staging}/$MODULE
|
|
|
|
fi
|
2014-02-22 18:29:41 +01:00
|
|
|
done
|
|
|
|
|
|
|
|
# Installing verified puppet modules
|
|
|
|
rsync --archive --delete $CACHE_DIR/staging/ $MODULES_DIR/
|
2013-09-03 11:31:05 +02:00
|
|
|
fi
|