-rw-r--r--README49
-rw-r--r--manifests/init.pp1
-rw-r--r--manifests/key.pp13
-rw-r--r--manifests/key/plain.pp13
-rw-r--r--manifests/params.pp1
-rw-r--r--templates/50unattended-upgrades.erb15
-rw-r--r--templates/Debian/sources.list.erb12
-rw-r--r--templates/Ubuntu/sources.list.erb12
8 files changed, 100 insertions, 16 deletions
diff --git a/README b/README
index 956c1d3..cbb1fa5 100644
--- a/README
+++ b/README
@@ -17,6 +17,14 @@ Ubuntu support is lagging behind but not absent either.
! Upgrade Notice !
+ * Several parser functions have been updated: you need to restart your puppet
+ master, otherwise some nodes may keep on using an old, cached version!
+ (https://docs.puppetlabs.com/guides/custom_functions.html#gotchas)
+
+ * If you were using custom 50unattended-upgrades.${::lsbdistcodename} in your
+ site_apt, these are no longer supported. You should migrate to passing
+ $blacklisted_packages to the apt::unattended_upgrades class.
+
* the apt class has been moved to a paramterized class. if you were including
this class before, after passing some variables, you will need to move to
instantiating the class with those variables instead. For example, if you
@@ -91,6 +99,7 @@ This module needs:
- the lsb module: git://labs.riseup.net/shared-lsb
- the common module: git://labs.riseup.net/shared-common
+- the stdlib module: https://forge.puppetlabs.com/puppetlabs/stdlib
By default, on normal hosts, this module sets the configuration option
DSelect::Clean to 'auto'. On virtual servers, the value is set by default to
@@ -462,6 +471,46 @@ Example:
'puppet:///modules/site_apt/company_internals.list' ],
}
+apt::key
+--------
+
+Deploys a secure apt OpenPGP key. This usually accompanies the
+sources.list snippets above for third party repositories. For example,
+you would do:
+
+ apt::key { 'neurodebian.gpg':
+ ensure => present,
+ source => 'puppet:///modules/site_apt/neurodebian.gpg',
+ }
+
+This deploys the key in the `/etc/apt/trusted.gpg.d` directory, which
+is assumed by secure apt to be binary OpenPGP keys and *not*
+"ascii-armored" or "plain text" OpenPGP key material. For the latter,
+use `apt::key::plain`.
+
+The `.gpg` extension is compulsory for `apt` to pickup the key properly.
+
+apt::key::plain
+---------------
+
+Deploys a secure apt OpenPGP key. This usually accompanies the
+sources.list snippets above for third party repositories. For example,
+you would do:
+
+ apt::key::plain { 'neurodebian.asc':
+ source => 'puppet:///modules/site_apt/neurodebian.asc',
+ }
+
+This deploys the key in the `${apt_base_dir}/keys` directory (as
+opposed to `$custom_key_dir` which deploys it in `keys.d`). The reason
+this exists on top of `$custom_key_dir` is to allow a more
+decentralised distribution of those keys, without having all modules
+throw their keys in the same directory in the manifests.
+
+Note that this model does *not* currently allow keys to be removed!
+Use `apt::key` instead for a more practical, revokable approach, but
+that needs binary keys.
+
apt::upgrade_package
--------------------
diff --git a/manifests/init.pp b/manifests/init.pp
index 68856cc..062be4c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -7,6 +7,7 @@ class apt(
$codename = $apt::params::codename,
$use_lts = $apt::params::use_lts,
$use_volatile = $apt::params::use_volatile,
+ $use_backports = $apt::params::use_backports,
$include_src = $apt::params::include_src,
$use_next_release = $apt::params::use_next_release,
$debian_url = $apt::params::debian_url,
diff --git a/manifests/key.pp b/manifests/key.pp
new file mode 100644
index 0000000..65b62e9
--- /dev/null
+++ b/manifests/key.pp
@@ -0,0 +1,13 @@
+define apt::key ($source, $ensure = 'present') {
+ validate_re(
+ $name, '\.gpg$',
+ 'An apt::key resource name must have the .gpg extension',
+ )
+
+ file {
+ "/etc/apt/trusted.gpg.d/${name}":
+ ensure => $ensure,
+ source => $source,
+ notify => Exec['refresh_apt'],
+ }
+}
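Review bot: The validate_re on the second line only checks that the title ends in .gpg, so a title containing `/` or `..` still builds a path outside `/etc/apt/trusted.gpg.d` in the file resource; tightening it to a bare filename, `validate_re($name, '^[^/]+\.gpg$', 'An apt::key resource name must be a bare filename with the .gpg extension')`, keeps the trust anchor inside the directory apt reads. The file resource sets no owner, group or mode, so the deployed keyring's permissions depend on the source file and on Puppet's source-permission defaults; pinning `owner => 'root', group => 'root', mode => '0644',` makes them explicit. `$ensure` is passed through unchecked even though the README documents present/absent; `validate_re($ensure, '^(present|absent)$', ...)` would reject other values up front.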
diff --git a/manifests/key/plain.pp b/manifests/key/plain.pp
new file mode 100644
index 0000000..e4a2f89
--- /dev/null
+++ b/manifests/key/plain.pp
@@ -0,0 +1,13 @@
+define apt::key::plain ($source) {
+ file {
+ "${apt::apt_base_dir}/keys/${name}":
+ source => $source;
+ "${apt::apt_base_dir}/keys":
+ ensure => directory;
+ }
+ exec { "apt-key add '${apt::apt_base_dir}/keys/${name}'":
+ subscribe => File["${apt::apt_base_dir}/keys/${name}"],
+ refreshonly => true,
+ notify => Exec['refresh_apt'],
+ }
+}
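Review bot: `$name` is interpolated unvalidated into both the file path and the exec command `apt-key add '${apt::apt_base_dir}/keys/${name}'`, unlike apt::key in this commit, which validates its title; a title containing a quote or a `/` breaks out of the single-quoted argument or out of the keys directory. A check at the top of the define, e.g. `validate_re($name, '^[A-Za-z0-9._-]+$', 'An apt::key::plain resource name must be a plain filename')`, closes that gap. The key file resource also has no explicit `ensure`, `owner`, `group` or `mode`, so the deployed key material inherits whatever the source and Puppet's defaults give it; `mode => '0644'` with root ownership would match apt::key. The exec has no `path` attribute, so it presumably relies on an Exec default set elsewhere in the module — worth confirming.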
diff --git a/manifests/params.pp b/manifests/params.pp
index f977c27..a1c7392 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -2,6 +2,7 @@ class apt::params () {
$codename = $::lsbdistcodename
$use_lts = false
$use_volatile = false
+ $use_backports = true
$include_src = false
$use_next_release = false
$debian_url = 'http://httpredir.debian.org/debian/'
diff --git a/templates/50unattended-upgrades.erb b/templates/50unattended-upgrades.erb
index 94059d5..23c5c89 100644
--- a/templates/50unattended-upgrades.erb
+++ b/templates/50unattended-upgrades.erb
@@ -1,17 +1,18 @@
// this file is managed by puppet !
-Unattended-Upgrade::Allowed-Origins {
<% if scope.lookupvar('::operatingsystem') == 'Ubuntu' -%>
+Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
"${distro_id}:${distro_codename}-backports";
<% elsif scope.lookupvar('::operatingsystem') == 'Debian' and scope.lookupvar('::operatingsystemmajrelease') == 6 -%>
- "${distro-id} ${distro-codename}-security";
- "${distro-id} ${distro-codename}-lts";
+Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:oldoldstable";
+ "${distro_id}:squeeze-lts";
<% else -%>
- # See Debian bug #704087
- "o=Debian,a=oldstable,l=Debian-Security";
- "o=Debian,a=stable,l=Debian-Security";
+Unattended-Upgrade::Origins-Pattern {
+ "origin=Debian,archive=<%= scope.lookupvar('::apt::release') %>,label=Debian-Security";
+ "origin=Debian,archive=${distro_codename}-lts";
<% end -%>
};
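Review bot: The `elsif` that selects the Debian 6 branch compares `scope.lookupvar('::operatingsystemmajrelease')` with the integer 6, but Facter delivers that fact as a string, so in Ruby `'6' == 6` is false and squeeze hosts fall through to the new Origins-Pattern branch rather than the `oldoldstable`/`squeeze-lts` origins this commit writes for them; compare as strings instead, `<% elsif scope.lookupvar('::operatingsystem') == 'Debian' and scope.lookupvar('::operatingsystemmajrelease').to_s == '6' -%>`. That line is unchanged context here, but the commit reworks both branches it chooses between, so the dead branch is now the one added. If the fact is already typed as an integer in the Facter version in use, the comparison works and this can be ignored.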
@@ -20,7 +21,7 @@ Unattended-Upgrade::Package-Blacklist {
<% @blacklisted_packages.each do |pkg| -%>
"<%= pkg %>";
<% end -%>
-}
+};
<% end -%>
APT::Periodic::Update-Package-Lists "1";
diff --git a/templates/Debian/sources.list.erb b/templates/Debian/sources.list.erb
index 37f1c35..ce43135 100644
--- a/templates/Debian/sources.list.erb
+++ b/templates/Debian/sources.list.erb
@@ -19,14 +19,16 @@ deb-src <%= security_url %> <%= codename %>/updates <%= lrepos %>
# There is no security support for <%= release %>
<% end -%>
+<% if use_backports=scope.lookupvar('apt::use_backports') -%>
# backports
-<% if (release == "testing" || release == "unstable" || release == "experimental") -%>
+<% if (release == "testing" || release == "unstable" || release == "experimental") -%>
# There is no backports archive for <%= release %>
-<% else -%>
+<% else -%>
deb <%= backports_url=scope.lookupvar('apt::backports_url') %> <%= codename %>-backports <%= lrepos %>
-<% if include_src -%>
+<% if include_src -%>
deb-src <%= backports_url %> <%= codename %>-backports <%= lrepos %>
-<% end
+<% end
+ end
end -%>
<% if use_volatile=scope.lookupvar('apt::use_volatile') -%>
@@ -43,7 +45,7 @@ deb-src <%= debian_url %> <%= codename %>-updates <%= lrepos %>
<% if use_lts=scope.lookupvar('apt::use_lts') -%>
# LTS
-<% if release != "oldstable" -%>
+<% if release != "oldoldstable" -%>
# There is no LTS archive for <%= release %>
<% else -%>
deb <%= debian_url %> <%= codename %>-lts <%= lrepos %>
diff --git a/templates/Ubuntu/sources.list.erb b/templates/Ubuntu/sources.list.erb
index 8d2585d..213f051 100644
--- a/templates/Ubuntu/sources.list.erb
+++ b/templates/Ubuntu/sources.list.erb
@@ -7,11 +7,13 @@ deb <%= ubuntu_url=scope.lookupvar('apt::ubuntu_url') %> <%= codename %> <%= lre
deb-src <%= ubuntu_url %> <%= codename %> <%= lrepos %>
<% end -%>
+<% if use_volatile=scope.lookupvar('apt::use_volatile') -%>
# updates
deb <%= ubuntu_url %> <%= codename %>-updates <%= lrepos %>
-<% if include_src -%>
+<% if include_src -%>
deb-src <%= ubuntu_url %> <%= codename %>-updates <%= lrepos %>
-<% end -%>
+<% end
+ end -%>
# security suppport
deb <%= ubuntu_url %> <%= codename %>-security <%= lrepos %>
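Review bot: Wrapping the `-updates` pocket in `if use_volatile` changes default behaviour on Ubuntu: manifests/params.pp in this same commit shows `$use_volatile = false`, so hosts that relied on the previously unconditional `<%= codename %>-updates` entry silently stop receiving that pocket unless the class is now instantiated with `use_volatile => true`. The Ubuntu branch of 50unattended-upgrades.erb still lists `${distro_id}:${distro_codename}-updates` as an allowed origin, which is harmless but now names a pocket that may not be in sources.list. Either default `use_volatile` to true for Ubuntu or add an item to the README upgrade notice stating the new requirement.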
@@ -19,8 +21,10 @@ deb <%= ubuntu_url %> <%= codename %>-security <%= lrepos %>
deb-src <%= ubuntu_url %> <%= codename %>-security <%= lrepos %>
<% end -%>
+<% if use_backports=scope.lookupvar('apt::use_backports') -%>
# backports
deb <%= ubuntu_url %> <%= codename %>-backports <%= lrepos %>
-<% if include_src -%>
+<% if include_src -%>
deb-src <%= ubuntu_url %> <%= codename %>-backports <%= lrepos %>
-<% end -%>
+<% end
+ end -%>