path: root/config-parabola-mgmt-etckeeper.PKGBUILD
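# Source common.sh from the directory that holds this build file; it
# presumably provides the helpers that package() calls (preamble, add-file,
# add-unit, postamble) -- confirm against common.sh.
# The path is quoted so that a build directory containing whitespace or glob
# characters is not word-split or expanded before being sourced.
. "${BUILDFILE%/*}/common.sh"
pkgver=20180826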

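#######################################
# Assemble the etckeeper management configuration package.
# Globals:   depends (appended to)
# Arguments: none
# Outputs:   unit links, a systemd unit, a pacman hook, etckeeper hook
#            scripts and .gitignore files, all written through the
#            add-unit / add-file helpers (not defined in this file;
#            presumably they come from common.sh -- confirm there).
#            add-file takes the file body on stdin and an optional -mMODE.
# Notes:     Here-documents that hold shell scripts use a quoted delimiter
#            so that nothing in them is expanded at package build time.
#######################################
package() {
preamble
# #### etckeeper

depends+=(etckeeper pristine-etc-keeper)

# [etckeeper][] is configured to use git (the default) to keep track
# of changes in `/etc`.  The systemd unit `etckeeper.timer` is
# enabled, which makes a commit (if necessary) daily.  It will also
# run before and after pacman via libalpm hooks.
#
# [etckeeper]: https://www.parabola.nu/packages/community/any/etckeeper/
add-unit etc/systemd/system/multi-user.target.wants/etckeeper.timer

# One-shot unit that runs `etckeeper init` only while `/etc/.git` does
# not exist yet (ConditionPathExists=!), ordered before etckeeper.service.
add-file etc/systemd/system/etckeeper-init.service <<EOF
[Unit]
Description=Initialize etckeeper
DefaultDependencies=no
Conflicts=shutdown.target
After=local-fs.target time-sync.target
Before=shutdown.target
Before=etckeeper.service
ConditionPathExists=!/etc/.git

[Service]
Type=oneshot
ExecStart=/usr/bin/etckeeper init
RemainAfterExit=yes

[Install]
WantedBy=etckeeper.service
WantedBy=multi-user.target
EOF
add-unit etc/systemd/system/etckeeper.service.wants/etckeeper-init.service
add-unit etc/systemd/system/multi-user.target.wants/etckeeper-init.service

# Extra libalpm hook: commit after any transaction that touches files
# under `usr/share/holo/`.
add-file etc/pacman.d/hooks/zz-etckeeper-post-install-holo.hook <<'EOF'
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = File
Target = usr/share/holo/*

[Action]
Description = etckeeper: post-transaction commit (holo trigger)
When = PostTransaction
Exec = /usr/bin/etckeeper post-install
Depends = etckeeper
Depends = holo
EOF

# Of course, if root will be making git commits, root's git
# credentials need to be configured.
# root's home is created with mode 0750, so it is not world-readable.
install -d -m0750 root
add-file root/.gitconfig <<EOF
[user]
	email = root@localhost
	name = Root McRooty
EOF

# In addition to etckeeper keeping track of the current configuration,
# lukeshu's [pristine-etc-keeper][] maintains a branch of what `/etc`
# would be like if we never made any changes from the default files.
# The clean version of etc is available as the `pristine` remote's
# `master` branch.  Doing a `git diff pristine/master master` should
# be helpful in investigating how things have been configured.
#
# [pristine-etc-keeper]: https://www.parabola.nu/packages/pcr/any/pristine-etc-keeper-git/

# etckeeper is configured to automatically "forget" about files that
# become .gitignore'ed; normally you'd have to manually run
# `git rm --cached` on them.
# `--cached` is spelled out because newer git releases reject
# `ls-files --ignored` unless `-c` or `-o` is given; older releases
# defaulted to the cached (tracked) listing, so the result is the same.
add-file -m755 etc/etckeeper/commit.d/40git-ignore <<'EOF'
#!/bin/sh
git ls-files --cached --ignored --exclude-standard -z|xargs -0r git rm --cached --
EOF

# etckeeper has been configured to run the pre-commit hook at extra
# times, to work around [a bug][0].
#
# [0]: https://etckeeper.branchable.com/todo/metadata_changes_don__39__t_cause_a_new_commit/
add-file -m755 etc/etckeeper/unclean.d/20pre-commit <<'EOF'
#!/bin/sh
# pre-commit hook for etckeeper, to store metadata and do sanity checks
set -e
etckeeper pre-commit
EOF
add-file -m755 etc/etckeeper/commit.d/20pre-commit <<'EOF'
#!/bin/sh
# pre-commit hook for etckeeper, to store metadata and do sanity checks
set -e
etckeeper pre-commit
EOF

# It has also been configured to maintain a list of installed packages
# as `/etc/.installed-packages.txt`.
add-file -m755 etc/etckeeper/pre-commit.d/25list-installed <<'EOF'
#!/bin/sh

etckeeper list-installed > .installed-packages.txt

# stage the file as part of the current commit
if [ "$VCS" = git ]; then
	# this will do nothing if the file is unchanged.
	git add .installed-packages.txt
fi
EOF

# By default, etckeeper only updates the .gitignore file on init.
# Let's not ever make our admins have to manually run `etckeeper
# update-ignore`.
add-file -m755 etc/etckeeper/pre-commit.d/25update-ignore <<'EOF'
#!/bin/bash
set -e
etckeeper update-ignore
EOF

# The etckeeper update-ignore hook is customized to ignore a couple
# more files in `/etc` (and avoid ignoring `/etc/mtab`).
#
# NOTE(review): only the `-`/`.OLD` backup copies of the account
# databases are ignored here, so `shadow` and `gshadow` themselves stay
# in the repository.  Treat `/etc/.git` (and any clone or remote of it)
# as holding password hashes: keep it readable by root only.
add-file -m755 etc/etckeeper/update-ignore.d/02custom <<'_EOF_'
#!/bin/bash
sed -i '/^# end section managed by etckeeper$/,$d' .gitignore
cat >> .gitignore <<EOF
# end section managed by etckeeper
!/mtab
/group-
/gshadow-
/passwd-
/passwd.OLD
/shadow-
/.updated
EOF
_EOF_

# For files in subdirectories of `/etc`, we use separate `.gitignore`
# files in each directory:
add-file etc/ca-certificates/.gitignore <<EOF
/trust-source/blacklist/
/trust-source/anchors/
/extracted/
EOF
# NOTE(review): nothing in this list excludes `/etc/ssl/private/`, so
# TLS private keys stored there would be committed -- confirm that is
# intended before the repository is ever copied off the host.
add-file etc/ssl/.gitignore <<EOF
/certs/*.0
/certs/*.1
/certs/*.pem
/certs/java/cacerts
/.ssh/
EOF
add-file etc/udev/.gitignore <<EOF
/hwdb.bin
EOF
# Keeps pacman's GnuPG home (`/etc/pacman.d/gnupg/`) out of the history.
add-file etc/pacman.d/.gitignore <<EOF
/gnupg/
EOF
add-file etc/xml/.gitignore <<EOF
/catalog
EOF

postamble
}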