summaryrefslogtreecommitdiff
path: root/puppet/modules/site_apt
AgeCommit message (Collapse)Author
2018-03-20Bug: Directly deploy leap-archive keyringsVarac
The leap-archive keyring expired March 8th 2018. We updated it, and published updated installation docs at https://bitmask.net/en/install/linux. For jessie, we dont install the leap-archive-keyring package anymore but directly deploy the keys to apt's trusted keystore. - Fixes: https://0xacab.org/leap/bitmask-dev/issues/9279
2017-11-17Bug: Fix unattended-upgrades for LEAP debsVarac
Resolves: #8891
2017-10-31Bug: fix repository layoutMicah Anderson
Fix the order of the leap repository so it matches the correct repository layout. Fixes #8888.
2017-10-03Bug: jessie apt keys stable/experimental/stagingkwadronaut
The apt sources lines for people using more experimental software was wrong, we abolished the 'experimental' repository some time ago and develoment happens now in the master branch. solves #8862, #8876
2017-09-28Bug: jessie apt keys must be in /etc/apt/trusted.gpg.dkwadronaut
For newer than jessie the 'old' code was enough. This bug didn't show up because our testing images had the keys and sources lines already included within /etc/apt… solves #8862
2017-06-27Pin python-cryptography to jessie-backportsVarac
Needed to satisfy leap-mx dependency (>=17.0) - Resolves: #8837
2017-06-27Install python-treq from strech on jessie nodesVarac
New soledad-common depends on `python-treq`, which is only available in debian stretch. We pin all stretch packages to 1 (same as for sid), which means (from `man apt_preferences`): "causes a version to be installed only if there is no installed version of the package" - Resolves: #8836
2017-06-24Add configured apt component to the unattended-upgrades whitelistVarac
Resolves: #8792
2017-05-02Add signed-by option to sources.list (Closes: #8425)Micah Anderson
This gets us a simple apt repository privilege separation: (a) our key can't be used to forge other repos (b) other keys can't be used to forge our repo. From sources.list(5): · Signed-By (signed-by) is either an absolute path to a keyring file (has to be accessible and readable for the _apt user, so ensure everyone has read-permissions on the file) or one or more fingerprints of keys either in the trusted.gpg keyring or in the keyrings in the trusted.gpg.d/ directory (see apt-key fingerprint). If the option is set, only the key(s) in this keyring or only the keys with these fingerprints are used for the apt-secure(8) verification of this repository. Defaults to the value of the option with the same name if set in the previously acquired Release file. Otherwise all keys in the trusted keyrings are considered valid signers for this repository.
2017-03-16Make platform apt dist/component configurablevarac
2017-02-23[feat] dont use backports for rsyslog anymorevarac
2017-02-23[feat] dont use backports for passenger anymorevarac
2016-08-30[feat] Use twisted 16.2 from jessie-backportsvarac
New soledad packages now depend on Twisted 16.2.0 (see https://leap.se/code/issues/8412), so we need to pin twisted to get installed from jessie-backports. - Resolves: #8418
2016-07-19Only use the 'main' repository for apt (#8253)Micah
Change-Id: If39222dc9ec68d1786c70c4b82b740e0a06773c4
2016-03-10[jessie] Remove obsolete backports pinningvarac
2016-03-08update copy of the archive signing keys, switching to the new namesMicah
Change-Id: I0305e33c743c15ec38abcf66979a1b2f582f693c
2016-03-08change name of leap-keyring package to leap-archive-keyring (#7950)Micah
Change-Id: I5f04e31e49642597c69895b5aca3ff5326dfd6ec
2016-02-16remove pinning of openvpn package to backportselijah
2016-02-02[refactor] Dont duplicate Package resource overridevarac
`site_apt` aready ensures for installing packages after Exec[update_apt] is run, so we don't need to duplicate this in `site_config::default.pp`.
2016-02-02[refactor] Use Exec[apt_updated] instead of Exec[refresh_apt]varac
Because this is the recommended way of depnending in the apt README.
2016-02-02[refactor] Remove atomic apt package dependecyvarac
`site_config::default.pp` takes care the all packages are installed before `Exec['refresh_apt']`, so we don't need to add it here for a single package.
2016-02-02[refactor] Don't declare dependencies for apt resourcesvarac
The apt module now takes care of all the dependencies removed from `site_apt`. Also, the dependency to install the `lsb` package after `refresh_apt` is unnesseccary because lsb facts won't work anyway on the first run if `lsb` is not installed before, so we can safely remove it.
2016-01-26[bug] Fix unattended-upgrades on jessievarac
- Resolves: #7842
2016-01-05[style] Lint site_apt::dist_upgradevarac
2016-01-05[feat] Remove double run of apt-get updatevarac
2015-12-10[bug] Configure default sources.platform.apt.basicvarac
Providing a custom sources.platform.apt.basic value worked with the last commit, but without that the platform would fail. So we provide a default value now in provider_base/common.json, which can get overridden.
2015-12-10[feat] Make leap apt sources url configurablevarac
So we can use the experimental-0.8 repo instead of 0.8 i.e. Use this to customize the main LEAP deb url: "sources": { "apt": { "leap": { "basic": "http://deb.leap.se/experimental-0.9" } } }
2015-12-10[feat] Add LEAP experimental apt signing keyvarac
so we can easily use the experimental-0.(8|9) deb repos, which are signed with this key
2015-11-30Revert "[feat] install couchdb from unstable on jessie"varac
This reverts commit 02b1b484ad9a5d065ceac72b8263b7bcc112c923. Now that we have a proper couchdb jessie package we don't need to install it from Debian unstable.
2015-11-24[bug] [jessie] Install pnp4nagios deb from stretchvarac
Configure the apt class together with "use_next_release => true", so pnp4nagios* packages can get installed from strech. No other package will be upgraded as the apt module pins stretch very low, so that only packages are installed if there are no other sources available. - Resolves: #7604
2015-11-17[deprec] use @ in front of erb template tagsvarac
Puppet 3 shows now deprecation warnings if the "@" is missing. see https://docs.puppetlabs.com/puppet/latest/reference/lang_template_erb.html#non-printing-tags#[bug|feat|docs|style|refactor|test|pkg|i18n]
2015-11-17[feat] Provide postfix preseed fix also for jessievarac
2015-11-17[feat] install couchdb from unstable on jessievarac
- Related: #6920
2015-11-17[feat] Release-specific apt sources file for leapvarac
- Related: #6920
2015-06-24remove static site circular dependency (closes #7145)elijah
2015-06-06Configure apt preferences before installing any packagesvarac
Change-Id: Iac4dc8428ff5e663870ed4dd6a2b840e0904e5be
2015-06-04add preferences snippet for leap repository (#7090)Micah Anderson
Change-Id: Ia7a35c8613350ad75ff1ebbdda0a09efa0960ba6
2015-05-26Revert "remove old leap_mx logfile location from check_mk logwatch state ↵varac
file #6964" This reverts commit 984684f56f15d9d89ea78ffe6ed67dabf3d63208. Needed because: Augeas fails after upgrading augeas packages during same puppetrun, but only on first deploy - https://leap.se/code/issues/6997
2015-05-14remove old leap_mx logfile location from check_mk logwatch state file #6964varac
Change-Id: I385c639e5c096deef4f81691a85c1b83cbab9421
2015-05-06fix unattended-upgrades now that jessie has been releasedMicah Anderson
Change-Id: I69e6a0f8e676be72bce492af32fef76c9167f5ee
2015-02-26update leap archive signing key with version that expires in 2 yearsMicah Anderson
Change-Id: I0587ee6d9033824ca66b70de09e4e0f65d67cab1
2015-02-11updated LEAP archive signing key 0x1E34A1828E207901 (#6728)varac
Change-Id: I110e93a64f82e4133a043ff3fa18ab14b69a5dcc
2015-02-04consolidate sources into common.jsonelijah
2015-01-27provide way to customize all three apt sources urls (basic, security, backports)varac
Change-Id: I5542b320bb1edb52c63350b5e4fd2af681991fb5
2015-01-27use apt.url hiera value for customizing apt sources urlvarac
Change-Id: Ib18c9031df13dab3187e0bb0f2202ffddd0d228d
2014-11-04add local 50unattended-upgrades to fix unattended-upgrades not upgradingMicah Anderson
leap packages (#4425) Change-Id: I78c00c4410ff9f712206f95854d8803e43acb286
2014-10-28upgrade unattended-upgrades on deploy (#6245)Micah Anderson
unattended-upgrades is not able to upgrade itself in certain situations, such as when the conffile prompt is generated due to the config being changed. We want to set this package as latest in the platform so that it is upgraded on every deploy (we deploy the config anyway). Change-Id: I8c99bfb1b001079f0e1a4ffbf048e0e867633335
2014-10-21modify the leap repository contents so they pick the correct repository,Micah Anderson
based on the hiera value 'major_version' (#6251) Change-Id: I10532ef83e3aa2d35d9c0be241952a35e366bba4
2014-09-25remove /etc/apt/preferences.d/fixed_rsyslog_anon_package (#6138)varac
This was a leftover from earlier versions, where we installed rsyslog from the leap debian package repo. Change-Id: I88a852f08b5aff3bd7b591b6220ac354463a9786
2014-07-01Explicitly set apt preferences for obfsproxy to wheezy-backportsirregulator