-rw-r--r--files/etc/apt/keyrings/signal.org.gpg (renamed from files/etc/apt/trusted.gpg.d/signal.org.gpg)bin2223 -> 2223 bytes
-rw-r--r--files/usr/share/keyrings/deb.torproject.org-keyring.gpg (renamed from files/etc/apt/trusted.gpg.d/torproject.org.gpg)bin37730 -> 38678 bytes
-rw-r--r--manifests/resources.pp4
-rw-r--r--manifests/subsystem/apt.pp12
-rw-r--r--manifests/subsystem/apt/repo.pp25
-rw-r--r--manifests/subsystem/inception.pp2
-rw-r--r--manifests/utils/multimedia.pp1
-rw-r--r--manifests/utils/multimedia/cdplayer.pp8
-rw-r--r--manifests/utils/multimedia/studio.pp1
-rw-r--r--manifests/utils/network/signal.pp4
-rw-r--r--manifests/utils/network/tor.pp32
-rw-r--r--templates/apt/Debian.preferences.erb27
12 files changed, 104 insertions, 12 deletions
diff --git a/files/etc/apt/trusted.gpg.d/signal.org.gpg b/files/etc/apt/keyrings/signal.org.gpg
index b5e68a0..b5e68a0 100644
--- a/files/etc/apt/trusted.gpg.d/signal.org.gpg
+++ b/files/etc/apt/keyrings/signal.org.gpg
Binary files differ
diff --git a/files/etc/apt/trusted.gpg.d/torproject.org.gpg b/files/usr/share/keyrings/deb.torproject.org-keyring.gpg
index 7614b20..738ef5d 100644
--- a/files/etc/apt/trusted.gpg.d/torproject.org.gpg
+++ b/files/usr/share/keyrings/deb.torproject.org-keyring.gpg
Binary files differ
diff --git a/manifests/resources.pp b/manifests/resources.pp
index 7a48367..4e61fb9 100644
--- a/manifests/resources.pp
+++ b/manifests/resources.pp
@@ -59,4 +59,8 @@ class nodo::resources {
# Repositories
$vcsrepos = lookup('vcsrepos', { merge => hash, default_value => {} })
create_resources('vcsrepo', $vcsrepos)
+
+ # Sysctl
+ $sysctl = lookup('nodo::subsystem::sysctl', { merge => hash, default_value => {} })
+ create_resources('nodo::subsystem::sysctl::entry', $sysctl)
}
diff --git a/manifests/subsystem/apt.pp b/manifests/subsystem/apt.pp
index d2d531d..2dcbc26 100644
--- a/manifests/subsystem/apt.pp
+++ b/manifests/subsystem/apt.pp
@@ -57,6 +57,18 @@ class nodo::subsystem::apt(
},
}
+ file { '/etc/apt/preferences':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0644',
+ require => [ File['/etc/apt/apt.conf.d/1000-force-ipv4-transport'], Package['apt-transport-https'] ],
+ content => $ensure ? {
+ 'present' => template("nodo/apt/${::operatingsystem}.preferences.erb"),
+ default => undef,
+ },
+ }
+
# We have /var/log/dpkg.log, so we do not need to rotate /var/log/upgrade.log
$log = ">> /var/log/upgrade.log 2>&1"
$apt = '/usr/bin/apt-get'
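Review bot: The `content` selector resolves `nodo/apt/${::operatingsystem}.preferences.erb`, but this commit ships only `Debian.preferences.erb`, so a node reporting any other operating system would presumably fail catalog compilation on the missing template. When `$ensure` is anything other than 'present', the resource still has `ensure => present` with `content => undef`, which leaves an existing pinning file in place and unmanaged instead of removing it; `ensure => $ensure` (or an explicit `absent` branch) would make the intent clear. The class body starts and ends outside this hunk.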
diff --git a/manifests/subsystem/apt/repo.pp b/manifests/subsystem/apt/repo.pp
index ca8f5e1..0495a0f 100644
--- a/manifests/subsystem/apt/repo.pp
+++ b/manifests/subsystem/apt/repo.pp
@@ -1,15 +1,32 @@
define nodo::subsystem::apt::repo(
$definition,
$key_source,
- $ensure = present,
+ $keyrings_folder = '/etc/apt/keyrings',
+ $keyring_name = $name,
+ $ensure = present,
) {
- file { "/etc/apt/trusted.gpg.d/${name}.gpg":
+ # The recommended locations for keyrings are /usr/share/keyrings for keyrings
+ # managed by packages, and /etc/apt/keyrings for keyrings managed by the
+ # system operator. If no keyring files are specified the default is the
+ # trusted.gpg keyring and all keyrings in the trusted.gpg.d/ directory (see
+ # apt-key fingerprint).
+ #
+ # -- sources.list(5)
+ file { "${keyrings_folder}/${name}.gpg":
ensure => $ensure,
owner => "root",
group => "root",
mode => "0644",
source => $key_source,
- notify => Exec["apt-repo-auto-update-${name}"],
+ }
+
+ # Old location
+ file { "/etc/apt/trusted.gpg.d/${name}.gpg":
+ ensure => absent,
+ owner => "root",
+ group => "root",
+ mode => "0644",
+ source => $key_source,
}
file { "/etc/apt/sources.list.d/${name}.list":
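Review bot: `$keyring_name` is declared but the key is still written to `${keyrings_folder}/${name}.gpg`, so the new parameter has no effect in the lines shown; either use it in the path or drop it. Nothing here ensures that `${keyrings_folder}` exists, and /etc/apt/keyrings is not created by default on older apt releases, so the file resource may fail there. The define also does not tie `$definition` to the key it installs: each caller has to repeat the keyring path in `signed-by=` by hand (signal.pp does), and a mismatch leaves the repository without a usable key, so building the `signed-by` option inside the define would be safer. The `source`, `owner`, `group` and `mode` attributes on the `ensure => absent` resource do nothing and can be removed.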
@@ -18,7 +35,7 @@ define nodo::subsystem::apt::repo(
group => "root",
mode => "0644",
content => "${definition}\n",
- require => [ File["/etc/apt/trusted.gpg.d/${name}.gpg"], Package['apt-transport-https'] ],
+ require => [ File["${keyrings_folder}/${name}.gpg"], Package['apt-transport-https'] ],
notify => Exec["apt-repo-auto-update-${name}"],
}
diff --git a/manifests/subsystem/inception.pp b/manifests/subsystem/inception.pp
index 7cd9d0a..913f5d5 100644
--- a/manifests/subsystem/inception.pp
+++ b/manifests/subsystem/inception.pp
@@ -9,7 +9,7 @@ define nodo::subsystem::inception(
user => $name,
provider => git,
source => "https://git.fluxo.info/${git_dev}/apps",
- revision => 'e59e4465dd90943853aba944056e0790c8c746e1',
+ revision => '63e093c355258142053d37a46579d9b19074324d',
submodules => true,
require => [ File["/home/${name}"], User[$name] ],
}
diff --git a/manifests/utils/multimedia.pp b/manifests/utils/multimedia.pp
index 0b40660..30f5999 100644
--- a/manifests/utils/multimedia.pp
+++ b/manifests/utils/multimedia.pp
@@ -33,7 +33,6 @@ class nodo::utils::multimedia inherits nodo::utils::multimedia::minimal {
'audacious',
'qjackctl',
'easytag',
- 'audacity',
'opencubicplayer',
'picard',
'gxine',
diff --git a/manifests/utils/multimedia/cdplayer.pp b/manifests/utils/multimedia/cdplayer.pp
index e2c7a71..6ec3d0e 100644
--- a/manifests/utils/multimedia/cdplayer.pp
+++ b/manifests/utils/multimedia/cdplayer.pp
@@ -3,10 +3,16 @@ class nodo::utils::multimedia::cdplayer (
) {
# CD writers and extractors
package { [
- 'mcdp',
'cdtool',
'cd-discid',
]:
ensure => $ensure,
}
+
+ # No longer available
+ package { [
+ 'mcdp',
+ ]:
+ ensure => absent,
+ }
}
diff --git a/manifests/utils/multimedia/studio.pp b/manifests/utils/multimedia/studio.pp
index 72b42b1..0675a08 100644
--- a/manifests/utils/multimedia/studio.pp
+++ b/manifests/utils/multimedia/studio.pp
@@ -5,6 +5,7 @@ class nodo::utils::multimedia::studio (
'ardour',
'hydrogen',
'mixxx',
+ 'audacity',
]:
ensure => $ensure,
}
diff --git a/manifests/utils/network/signal.pp b/manifests/utils/network/signal.pp
index 037140a..6cd200b 100644
--- a/manifests/utils/network/signal.pp
+++ b/manifests/utils/network/signal.pp
@@ -1,7 +1,7 @@
class nodo::utils::network::signal {
nodo::subsystem::apt::repo { 'signal.org':
- definition => 'deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main',
- key_source => 'puppet:///modules/nodo/etc/apt/trusted.gpg.d/signal.org.gpg',
+ definition => 'deb [signed-by=/etc/apt/keyrings/signal.org.gpg arch=amd64] https://updates.signal.org/desktop/apt xenial main',
+ key_source => 'puppet:///modules/nodo/etc/apt/keyrings/signal.org.gpg',
}
package { 'signal-desktop':
diff --git a/manifests/utils/network/tor.pp b/manifests/utils/network/tor.pp
index 78b08a4..f93d37a 100644
--- a/manifests/utils/network/tor.pp
+++ b/manifests/utils/network/tor.pp
@@ -3,9 +3,28 @@
class nodo::utils::network::tor (
$ensure = 'installed',
) {
+ $keyrings_folder = "/usr/share/keyrings"
+ $keyring = "${keyrings_folder}/deb.torproject.org-keyring.gpg"
+
nodo::subsystem::apt::repo { 'torproject.org':
- definition => "deb [signed-by=/etc/apt/trusted.gpg.d/torproject.org.gpg] https://deb.torproject.org/torproject.org ${::lsbdistcodename} main",
- key_source => 'puppet:///modules/nodo/etc/apt/trusted.gpg.d/torproject.org.gpg',
+ definition => "deb [signed-by=${keyring}] https://deb.torproject.org/torproject.org ${::lsbdistcodename} main",
+ key_source => "puppet:///modules/nodo/${keyring}",
+ keyrings_folder => "${keyrings_folder}",
+ }
+
+ # Puppet should setup the Tor Project's APT keyring only in the first time
+ # Afterwards ${keyring} will be managed by the deb.torproject.org-keyring package
+ #
+ # References:
+ #
+ # * https://support.torproject.org/apt/tor-deb-repo/
+ # * https://gitlab.torproject.org/tpo/web/support/-/merge_requests/220
+ exec { 'torproject-keyring-copy':
+ command => "cp ${keyrings_folder}/torproject.org.gpg ${keyring}",
+ onlyif => "/bin/test ! -e ${keyring}",
+ creates => "${keyring}",
+ require => File["${keyrings_folder}/torproject.org.gpg"],
+ notify => Exec["apt-repo-auto-update-torproject.org"],
}
package { "deb.torproject.org-keyring":
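Review bot: The `torproject-keyring-copy` exec runs a bare `cp` with no `path`, which Puppet rejects unless a default Exec path is set elsewhere, and the copied keyring gets whatever owner and mode root's umask yields, so apt's unprivileged verification user may be unable to read it. `onlyif` and `creates` also state the same condition twice. A `file` resource with `replace => false` gives the same seed-once behaviour while enforcing ownership and mode, and leaves later content to the deb.torproject.org-keyring package. The `package` resource that follows continues outside this hunk.

```puppet
# … unchanged: $keyrings_folder / $keyring and nodo::subsystem::apt::repo { 'torproject.org': … } …

# Seed the keyring once; replace => false keeps Puppet from overwriting
# the copy later maintained by the deb.torproject.org-keyring package.
file { $keyring:
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  source  => "${keyrings_folder}/torproject.org.gpg",
  replace => false,
  require => File["${keyrings_folder}/torproject.org.gpg"],
  notify  => Exec['apt-repo-auto-update-torproject.org'],
}
```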
@@ -14,8 +33,15 @@ class nodo::utils::network::tor (
}
package { [
- 'tor-arm',
+ 'nyx',
]:
ensure => $ensure,
}
+
+ # Package 'tor-arm' was renamed to 'nyx'
+ package { [
+ 'tor-arm',
+ ]:
+ ensure => absent,
+ }
}
diff --git a/templates/apt/Debian.preferences.erb b/templates/apt/Debian.preferences.erb
new file mode 100644
index 0000000..63729ff
--- /dev/null
+++ b/templates/apt/Debian.preferences.erb
@@ -0,0 +1,27 @@
+# This file is managed by puppet
+# all local modifications will be overwritten
+
+Explanation: Debian <%= scope.lookupvar('::lsbdistcodename') %>
+Package: *
+Pin: release o=Debian,n=<%= scope.lookupvar('::lsbdistcodename') %>
+Pin-Priority: 990
+
+Explanation: Debian <%= scope.lookupvar('::lsbdistcodename') %>-updates
+Package: *
+Pin: release o=Debian,n=<%= scope.lookupvar('::lsbdistcodename') %>-updates
+Pin-Priority: 990
+
+Explanation: Debian <%= scope.lookupvar('::lsbdistcodename') %>-security
+Package: *
+Pin: release o=Debian,n=<%= scope.lookupvar('::lsbdistcodename') %>-security
+Pin-Priority: 990
+
+Explanation: Debian sid
+Package: *
+Pin: release o=Debian,n=sid
+Pin-Priority: 1
+
+Explanation: Debian fallback
+Package: *
+Pin: release o=Debian
+Pin-Priority: -10
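Review bot: Every 990 stanza depends on `::lsbdistcodename`; if that fact is unset (it is a legacy fact and on some setups needs lsb-release installed), the pins render as `n=`, `n=-updates` and `n=-security`, presumably match nothing, and all Debian packages, security updates included, fall through to the `-10` fallback, which blocks installation. Consider failing the catalog in apt.pp when the fact is empty, e.g. `if empty($::lsbdistcodename) { fail('lsbdistcodename is required for APT pinning') }`. A one-line comment above the fallback stanza saying that a negative priority prevents installs from any other Debian suite would also help the next maintainer.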