feat(repositories): stop removing sources files and support unmanaged

apt/apt_conf.sls

@@ -18,7 +18,7 @@
 
 {{ confd_dir }}:
   file.directory:
-    - mode: 755
+    - mode: '0755'
     - user: root
     - group: root
     - clean: {{ clean_apt_conf_d }}
@@ -30,7 +30,7 @@
     - template: jinja
     - user: root
     - group: root
-    - mode: 644
+    - mode: '0644'
     - context:
         data: {{ contents }}
     - require_in:

apt/listchanges.sls

@@ -13,5 +13,5 @@ apt_listchanges_pkgs:
     - template: jinja
     - user: root
     - group: root
-    - mode: 644
+    - mode: '0644'
     - source: {{ listchanges_config_template }}

apt/map.jinja

@@ -1,5 +1,6 @@
 {% set distribution = salt['grains.get']('lsb_distrib_codename') %}
 {% set arch = salt['grains.get']('osarch').split(' ') %}
+{% set debian_comp = ['main', 'contrib', 'non-free', 'non-free-firmware'] if salt['grains.get']('osmajorrelease') >= 12  else ['main', 'contrib', 'non-free'] %}
 {% set apt = salt['grains.filter_by']({
     'Debian': {
         'pkgs': ['unattended-upgrades'],
@@ -26,19 +27,22 @@
                 'distro': distribution,
                 'url': 'http://deb.debian.org/debian/',
                 'arch': arch,
-                'comps': ['main'],
+                'comps': debian_comp,
+                'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg'
             },
             'security-stable': {
                 'distro': distribution ~ '/updates',
                 'url': 'http://security.debian.org/',
                 'arch': arch,
-                'comps': ['main'],
+                'comps': debian_comp,
+                'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg'
             },
             'default-updates': {
                 'distro': distribution ~ '-updates',
                 'url': 'http://deb.debian.org/debian/',
                 'arch': arch,
-                'comps': ['main'],
+                'comps': debian_comp,
+                'opts': 'signed-by=/usr/share/keyrings/debian-archive-keyring.gpg'
             },
         },
     },

apt/repositories.sls

@@ -25,12 +25,28 @@
     - replace: False
   {% endif %}
 
+{% set excluded_sources = [] %}
+{% set unmanaged_repos = [] %}
+{% for repo, args in repositories.items() %}
+  {% if args.unmanaged is defined and args.unmanaged %}
+    {# repo.list is considered the filename unless filename is explicitly defined.
+     # managed repo lists files are constructed repo-type.list #}
+    {% do excluded_sources.append(args.filename if args.filename is defined else repo ~ '.list') %}
+    {% do unmanaged_repos.append(repo) %}
+  {% endif %}
+{% endfor %}
+{% for repo in unmanaged_repos %}
+  {# remove these repo's to avoid pgrepo.managed loop #}
+  {% do repositories.pop(repo) %}
+{% endfor %}
+
 {{ sources_list_dir }}:
   file.directory:
     - mode: '0755'
     - user: root
     - group: root
     - clean: {{ clean_sources_list_d }}
+    - exclude_pat: {{ excluded_sources | json }}
 
 {{ keyrings_dir }}:
   file.directory:
@@ -95,7 +111,13 @@
     {% endif %}
     - onchanges_in:
       - module: apt.refresh_db
-
+  file.managed:
+    - name: {{ sources_list_dir }}/{{ r_file }}
+    - replace: false
+    - require_in:
+      - file: {{ sources_list_dir }}
+      # require_in the directory clean state
+      # This way, we don't remove all the files, just to add them again.
   {%- endfor %}
 {% endfor %}
 

kitchen.yml

@@ -259,6 +259,7 @@ suites:
       state_top:
         base:
           '*':
+            - states/unmanaged
             - apt._mapdata
             - apt.repositories
             - apt.update
@@ -269,6 +270,9 @@ suites:
               - apt
       pillars_from_files:
         apt.sls: test/salt/pillar/repositories.sls
+      dependencies:
+        - name: states
+          path: ./test/salt
     verifier:
       inspec_tests:
         - path: test/integration/repositories

pillar.example

@@ -136,6 +136,9 @@ apt:
       type: [binary]
       key_url: https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public  # yamllint disable-line rule:line-length
       opts: "signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp"
+    rabbitmq:
+      unmanaged: true  # useful when rabbitmq.list is managed by another formula
+      filename: rabbitmq.list
 
   preferences:
     00-rspamd:

test/integration/repositories/controls/repositories_spec.rb

@@ -25,15 +25,10 @@
     its('mode') { should cmp '0755' }
   end
 
-  describe file('/etc/apt/sources.list.d/multimedia-stable-binary.list') do
+  describe file('/etc/apt/sources.list.d/unmanaged.list') do
     it { should exist }
-    it { should be_owned_by 'root' }
-    it { should be_grouped_into 'root' }
-    its('mode') { should cmp '0644' }
     its(:content) do
-      should match(
-        %r{deb \[arch=amd64\] http://www.deb-multimedia.org stable main}
-      )
+      should match("## unmanged list file that shouldn't be removed")
     end
   end
 

test/salt/pillar/repositories.sls

@@ -6,13 +6,9 @@ apt:
   clean_sources_list_d: true
 
   repositories:
-    multimedia-stable:
-      distro: stable
-      url: http://www.deb-multimedia.org
-      arch: [amd64]
-      comps: [main]
-      keyid: 5C808C2B65558117
-      keyserver: keyserver.ubuntu.com
+    unmanaged:
+      unmanaged: true  # do not remove this file when clean_sources_list_d=true
+      filename: unmanaged.list  # optional
     heroku:
       distro: ./
       url: https://cli-assets.heroku.com/apt

test/salt/states/unmanaged.sls

@@ -0,0 +1,5 @@
+repos_maintained_by_another_formula:
+  file.managed:
+    - name: /etc/apt/sources.list.d/unmanaged.list
+    - mode: '0644'
+    - contents: "## unmanged list file that shouldn't be removed"