cp over all the bundles from kunsis bw repo

bundles/apt/files/apt-listchanges.conf

@@ -0,0 +1,6 @@
+[apt]
+frontend=pager
+email_address=${data['mail']}
+confirm=0
+save_seen=/var/lib/apt/listchanges.db
+which=both

bundles/apt/files/check_unattended_upgrades

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+statusfile="/var/tmp/unattended_upgrades.status"
+if ! [[ -f "$statusfile" ]]
+then
+    echo "Status file not found"
+    exit 3
+fi
+
+mtime=$(stat -c %Y $statusfile)
+now=$(date +%s)
+if (( $now - $mtime > 60*60*24*8 ))
+then
+    echo "Status file is older than 8 days!"
+    exit 3
+fi
+
+exitcode=$(cat $statusfile)
+case "$exitcode" in
+    abort_ssh)
+        echo "Upgrades skipped due to active SSH login"
+        exit 1
+        ;;
+    0)
+        echo "OK"
+        exit 0
+        ;;
+    *)
+        echo "Last exitcode was $exitcode"
+        exit 2
+        ;;
+esac

bundles/apt/files/do-unattended-upgrades

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -xeuo pipefail
+
+apt-get update
+
+DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold dist-upgrade
+
+DEBIAN_FRONTEND=noninteractive apt-get -y -q autoclean
+
+DEBIAN_FRONTEND=noninteractive apt-get -y -q autoremove
+
+% if clean_old_kernels:
+existing=$(dpkg --get-selections | grep -E '^linux-(image|headers)-[0-9]' || true)
+
+if [[ -z "$existing" ]]
+then
+    echo "ERROR: No installed kernels found! Aborting!" >&2
+    exit 1
+fi
+
+current=$(uname -r | sed -r 's/-[a-zA-Z]+$//')
+latest=$(echo "$existing" | sort --version-sort -t- -k 3,4 | tail -n 1 | sed -r 's/[^0-9]+([0-9]\.[^-]+-[0-9]+).*/\1/')
+todelete=$(echo "$existing" | grep -v -E "($current|$latest)" | awk '{ print $1 }' || true)
+
+if [[ -n "$todelete" ]]
+then
+    DEBIAN_FRONTEND=noninteractive apt-get -qy purge $todelete
+fi
+% endif
+
+% for affected, restarts in sorted(restart_triggers.items()):
+    up_since=$(systemctl show "${affected}" | sed -n 's/^ActiveEnterTimestamp=//p' || echo 0)
+    up_since_ts=$(date -d "$up_since" +%s || echo 0)
+    now=$(date +%s)
+
+    if [ $((now - up_since_ts)) -lt 3600 ]
+    then
+% for restart in sorted(restarts):
+        systemctl restart "${restart}" || true
+% endfor
+    fi
+% endfor

bundles/apt/files/kernel-postinst.d

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# /etc/kernel/postinst.d/unattended-upgrades
+
+case "$DPKG_MAINTSCRIPT_PACKAGE::$DPKG_MAINTSCRIPT_NAME" in
+    linux-image-extra*::postrm)
+        exit 0;;
+esac
+
+if [ -d /var/run ]; then
+    touch /var/run/reboot-required
+    if ! grep -q "^$DPKG_MAINTSCRIPT_PACKAGE$" /var/run/reboot-required.pkgs 2> /dev/null ; then
+        echo "$DPKG_MAINTSCRIPT_PACKAGE" >> /var/run/reboot-required.pkgs
+    fi
+fi

bundles/apt/files/sources.list-debian-bullseye

@@ -0,0 +1,3 @@
+deb http://deb.debian.org/debian/ bullseye main non-free contrib
+deb http://security.debian.org/debian-security bullseye-security main contrib non-free
+deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free

bundles/apt/files/sources.list-debian-buster

@@ -0,0 +1,3 @@
+deb http://deb.debian.org/debian/ buster main non-free contrib
+deb http://security.debian.org/debian-security buster/updates main contrib non-free
+deb http://deb.debian.org/debian/ buster-updates main contrib non-free

bundles/apt/files/sources.list-debian-unstable

@@ -0,0 +1 @@
+deb http://deb.debian.org/debian/ unstable main non-free contrib

bundles/apt/files/sources.list-raspbian-buster

@@ -0,0 +1 @@
+deb http://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi

bundles/apt/files/upgrade-and-reboot

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# With systemd, we can force logging to the journal. This is better than
+# spamming the world with cron mails. You can then view these logs using
+# "journalctl -rat upgrade-and-reboot".
+if which logger >/dev/null 2>&1
+then
+    # Dump stdout and stderr to logger, which will then put everything
+    # into the journal.
+    exec 1> >(logger -t upgrade-and-reboot -p user.info)
+    exec 2> >(logger -t upgrade-and-reboot -p user.error)
+fi
+
+. /etc/upgrade-and-reboot.conf
+
+echo "Starting upgrade-and-reboot for node $nodename ..."
+
+statusfile="/var/tmp/unattended_upgrades.status"
+# Workaround, because /var/tmp is usually 1777
+[[ "$UID" == 0 ]] && chown root:root "$statusfile"
+
+logins=$(ps h -C sshd -o euser | awk '$1 != "root" && $1 != "sshd" && $1 != "sshmon"')
+if [[ -n "$logins" ]]
+then
+    echo "Will abort now, there are active SSH logins: $logins"
+    echo "abort_ssh" > "$statusfile"
+    exit 1
+fi
+
+softlockdir=/var/lib/bundlewrap/soft-$nodename
+mkdir -p "$softlockdir"
+printf '{"comment": "UPDATE", "date": %s, "expiry": %s, "id": "UNATTENDED", "items": ["*"], "user": "root@localhost"}\n' \
+    $(date +%s) \
+    $(date -d 'now + 30 mins' +%s) \
+    >"$softlockdir"/UNATTENDED
+trap 'rm -f "$softlockdir"/UNATTENDED' EXIT
+
+do-unattended-upgrades
+ret=$?
+
+echo "$ret" > "$statusfile"
+if (( $ret != 0 ))
+then
+    exit 1
+fi
+
+if [[ -f /var/run/reboot-required ]]
+then
+    if [[ -n "$reboot_mail_to" ]]
+    then
+        date | mail -s "SYSREBOOTNOW $nodename" "$reboot_mail_to"
+    fi
+    systemctl reboot
+else
+    echo "upgrade-and-reboot for node $nodename is DONE"
+fi

bundles/apt/files/upgrade-and-reboot.conf

@@ -0,0 +1,2 @@
+nodename="${node.name}"
+reboot_mail_to="${node.metadata.get('apt/unattended-upgrades/reboot_mail_to', '')}"

bundles/apt/items.py

@@ -0,0 +1,191 @@
+from bundlewrap.exceptions import BundleError
+
+supported_os = {
+    'debian': {
+        10: 'buster',
+        11: 'bullseye',
+        99: 'unstable',
+    },
+    'raspbian': {
+        10: 'buster',
+    },
+}
+
+try:
+    supported_os[node.os][node.os_version[0]]
+except (KeyError, IndexError):
+    raise BundleError(f'{node.name}: OS {node.os} {node.os_version} is not supported by bundle:apt')
+
+
+actions = {
+    'apt_update': {
+        'command': 'apt-get update',
+        'needed_by': {
+            'pkg_apt:',
+        },
+        'triggered': True,
+        'cascade_skip': False,
+    },
+}
+
+files = {
+    '/etc/apt/sources.list': {
+        'source': 'sources.list-{}-{}'.format(node.os, supported_os[node.os][node.os_version[0]]),
+        'triggers': {
+            'action:apt_update',
+        },
+    },
+    '/etc/cloud': {
+        'delete': True,
+    },
+    '/etc/kernel/postinst.d/unattended-upgrades': {
+        'source': 'kernel-postinst.d',
+        'mode': '0755',
+    },
+    '/etc/netplan': {
+        'delete': True,
+    },
+    '/etc/upgrade-and-reboot.conf': {
+        'content_type': 'mako',
+    },
+    '/usr/local/sbin/upgrade-and-reboot': {
+        'mode': '0700',
+    },
+    '/usr/local/sbin/do-unattended-upgrades': {
+        'content_type': 'mako',
+        'mode': '0700',
+        'context': {
+            'clean_old_kernels': node.metadata.get('apt/clean_old_kernels', True),
+            'restart_triggers': node.metadata.get('apt/restart_triggers', {}),
+        }
+    },
+    '/usr/local/share/icinga/plugins/check_unattended_upgrades': {
+        'mode': '0755',
+    },
+    '/var/lib/cloud': {
+        'delete': True,
+    },
+}
+
+directories = {
+    '/etc/apt/sources.list.d': {
+        'purge': True,
+        'triggers': {
+            'action:apt_update',
+        },
+    },
+}
+
+svc_systemd = {
+    'apt-daily.timer': {
+        'running': False,
+        'enabled': False,
+    },
+    'apt-daily-upgrade.timer': {
+        'running': False,
+        'enabled': False,
+    },
+}
+
+pkg_apt = {
+    'apt-transport-https': {},
+
+    'arping': {},
+    'at': {},
+    'build-essential': {},
+    'bzip2': {},
+    'curl': {},
+    'diffutils': {},
+    'dnsutils': {},
+    'git': {},
+    'grep': {},
+    'gzip': {},
+    'htop': {},
+    'jq': {},
+    'less': {},
+    'logrotate': {},
+    'lsof': {},
+    'mailutils': {},
+    'manpages': {},
+    'moreutils': {},
+    'mount': {},
+    'mtr': {},
+    'ncdu': {},
+    'ncurses-term': {},
+    'netcat': {},
+    'nmap': {},
+    'python3': {},
+    'python3-dev': {},
+    'python3-setuptools': {
+        'needed_by': {
+            'pkg_pip:',
+        },
+    },
+    'python3-pip': {
+        'needed_by': {
+            'pkg_pip:',
+        },
+    },
+    'python3-virtualenv': {},
+    'rsync': {},
+    'tar': {},
+    'tcpdump': {},
+    'telnet': {},
+    'tmux': {},
+    'tree': {},
+    'unzip': {},
+    'vim': {},
+    'wget': {},
+    'whois': {},
+    'zip': {},
+
+    'cloud-init': {
+        'installed': False,
+    },
+    'netplan.io': {
+        'installed': False,
+    },
+    'popularity-contest': {
+        'installed': False,
+    },
+    'unattended-upgrades': {
+        'installed': False,
+    },
+}
+
+if node.os_version[0] >= 11:
+    symlinks = {
+        '/usr/bin/python': {
+            'target': '/usr/bin/python3',
+            'needs': {
+                'pkg_apt:python3',
+            },
+        },
+    }
+
+for name, data in node.metadata.get('apt/repos', {}).items():
+    files['/etc/apt/sources.list.d/{}.list'.format(name)] = {
+        'content_type': 'mako',
+        'content': ("\n".join(sorted(data['items']))).format(
+            os=node.os,
+            os_release=supported_os[node.os][node.os_version[0]],
+        ),
+        'triggers': {
+            'action:apt_update',
+        },
+    }
+
+    if data.get('install_gpg_key', True):
+        files['/etc/apt/sources.list.d/{}.list'.format(name)]['needs'] = {
+            'file:/etc/apt/trusted.gpg.d/{}.list.asc'.format(name),
+        }
+
+        files['/etc/apt/trusted.gpg.d/{}.list.asc'.format(name)] = {
+            'source': 'gpg-keys/{}.asc'.format(name),
+            'triggers': {
+                'action:apt_update',
+            },
+        }
+
+for package, options in node.metadata.get('apt/packages', {}).items():
+    pkg_apt[package] = options

bundles/apt/metadata.py

@@ -0,0 +1,35 @@
+defaults = {
+    'apt': {
+        'unattended_upgrades': {
+            'day': 5,
+            'hour': 21,
+        },
+    },
+    'icinga2_api': {
+        'apt': {
+            'services': {
+                'UNATTENDED UPGRADES': {
+                    'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_unattended_upgrades',
+                },
+            },
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'cron/upgrade-and-reboot'
+)
+def patchday(metadata):
+    day = metadata.get('apt/unattended_upgrades/day')
+    hour = metadata.get('apt/unattended_upgrades/hour')
+
+    return {
+        'cron': {
+            'upgrade-and-reboot': '{minute} {hour} * * {day}    root    /usr/local/sbin/upgrade-and-reboot'.format(
+                minute=node.magic_number % 30,
+                hour=hour,
+                day=day,
+            ),
+        },
+    }