From b2c9479e50c1d19468e0fdd9ac9dfb65f322146c Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Thu, 16 May 2024 18:54:38 +0200 Subject: [PATCH] fix: enforce https on repository installation Previously was just http to allow for caching and non-caching of packages. Currently, a client tool exists to rewrite repository definitions.
---
salt/ansible/files/repo/ansible.list | 2 +- salt/ansible/files/repo/ansible.sources | 2 +- salt/browser/files/repo/chrome.list | 2 +- salt/browser/files/repo/chrome.sources | 2 +- salt/browser/files/repo/chrome.yum.repo | 2 +- salt/docker/files/repo/docker.list | 2 +- salt/docker/files/repo/docker.sources | 2 +- salt/kicksecure-minimal/files/repo/derivative.sources | 2 +- salt/opentofu/files/repo/opentofu.list | 2 +- salt/opentofu/files/repo/opentofu.sources | 2 +- salt/opentofu/files/repo/opentofu.yum.repo | 4 ++-- salt/signal/files/repo/signal.list | 2 +- salt/signal/files/repo/signal.sources | 2 +- salt/sys-cacher/uninstall-client.sls | 6 ++++++ salt/sys-syncthing/files/repo/syncthing.list | 2 +- salt/sys-syncthing/files/repo/syncthing.sources | 2 +- salt/terraform/files/repo/terraform.list | 2 +- salt/terraform/files/repo/terraform.sources | 2 +- salt/utils/macros/install-repo.sls | 6 ++++++ 19 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/salt/ansible/files/repo/ansible.list b/salt/ansible/files/repo/ansible.list
index 9f52a4e2..d8779669 100644
--- a/salt/ansible/files/repo/ansible.list
+++ b/salt/ansible/files/repo/ansible.list
@@ -1,2 +1,2 @@
-deb [signed-by=/usr/share/keyrings/ansible.asc] http://ppa.launchpad.net/ansible/ansible/ubuntu focal main
+deb [signed-by=/usr/share/keyrings/ansible.asc] https://ppa.launchpad.net/ansible/ansible/ubuntu focal main
 # vim: ft=debsources
diff --git a/salt/ansible/files/repo/ansible.sources b/salt/ansible/files/repo/ansible.sources
index b46570dc..3b854dfb 100644
--- a/salt/ansible/files/repo/ansible.sources
+++ b/salt/ansible/files/repo/ansible.sources
@@ -1,5 +1,5 @@
 Types: deb
-URIs: http://ppa.launchpad.net/ansible/ansible/ubuntu
+URIs: https://ppa.launchpad.net/ansible/ansible/ubuntu
 Suites: jammy
 Components: main
 Signed-by: /usr/share/keyrings/ansible.asc
diff --git a/salt/browser/files/repo/chrome.list b/salt/browser/files/repo/chrome.list
index 416e029f..403d1f31 100644
--- a/salt/browser/files/repo/chrome.list
+++ b/salt/browser/files/repo/chrome.list
@@ -1,2 +1,2 @@
-deb [signed-by=/usr/share/keyrings/chrome.asc] http://dl.google.com/linux/chrome/deb/ stable main
+deb [signed-by=/usr/share/keyrings/chrome.asc] https://dl.google.com/linux/chrome/deb/ stable main
 # vim:ft=debsources
diff --git a/salt/browser/files/repo/chrome.sources b/salt/browser/files/repo/chrome.sources
index 48e50ea7..438f16ea 100644
--- a/salt/browser/files/repo/chrome.sources
+++ b/salt/browser/files/repo/chrome.sources
@@ -1,5 +1,5 @@
 Types: deb
-URIs: http://dl.google.com/linux/chrome/deb/
+URIs: https://dl.google.com/linux/chrome/deb/
 Suites: stable
 Components: main
 Signed-by: /usr/share/keyrings/chrome.asc
diff --git a/salt/browser/files/repo/chrome.yum.repo b/salt/browser/files/repo/chrome.yum.repo
index ddbfd39b..f54d9f5c 100644
--- a/salt/browser/files/repo/chrome.yum.repo
+++ b/salt/browser/files/repo/chrome.yum.repo
@@ -1,6 +1,6 @@
 [google-chrome]
 name=google-chrome - $basearch
-baseurl=http://dl.google.com/linux/chrome/rpm/stable/$basearch
+baseurl=https://dl.google.com/linux/chrome/rpm/stable/$basearch
 enabled=1
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-chrome
diff --git a/salt/docker/files/repo/docker.list b/salt/docker/files/repo/docker.list
index b9510476..a12dafa0 100644
--- a/salt/docker/files/repo/docker.list
+++ b/salt/docker/files/repo/docker.list
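Review bot: In salt/ansible/files/repo/ansible.sources the context line `Suites: jammy` does not match salt/ansible/files/repo/ansible.list, which points the same PPA at `focal`, so the two formats would pull from different Ubuntu series. The commit only changes the URI scheme and leaves this as it was. If the difference is not intentional, align the two, e.g. `Suites: focal` here or `... ubuntu jammy main` in the .list file. A short comment in both files saying why that Ubuntu series is pinned would help whoever bumps it next.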
@@ -1,2 +1,2 @@
-deb [arch=amd64 signed-by=/usr/share/keyrings/docker.asc] http://download.docker.com/linux/debian bookworm stable
+deb [arch=amd64 signed-by=/usr/share/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable
 # vim: ft=debsources
diff --git a/salt/docker/files/repo/docker.sources b/salt/docker/files/repo/docker.sources
index 57c08b7e..7277aa49 100644
--- a/salt/docker/files/repo/docker.sources
+++ b/salt/docker/files/repo/docker.sources
@@ -1,5 +1,5 @@
 Types: deb
-URIs: http://download.docker.com/linux/debian
+URIs: https://download.docker.com/linux/debian
 Suites: bookworm
 Components: stable
 Signed-by: /usr/share/keyrings/docker.asc
diff --git a/salt/kicksecure-minimal/files/repo/derivative.sources b/salt/kicksecure-minimal/files/repo/derivative.sources
index 69d839ef..b300b645 100644
--- a/salt/kicksecure-minimal/files/repo/derivative.sources
+++ b/salt/kicksecure-minimal/files/repo/derivative.sources
@@ -1,5 +1,5 @@
 Types: deb
-URIs: http://deb.kicksecure.com
+URIs: https://deb.kicksecure.com
 Suites: bookworm
 Components: main contrib non-free
 Signed-by: /usr/share/keyrings/derivative.asc
diff --git a/salt/opentofu/files/repo/opentofu.list b/salt/opentofu/files/repo/opentofu.list
index f0e216ec..234652f2 100644
--- a/salt/opentofu/files/repo/opentofu.list
+++ b/salt/opentofu/files/repo/opentofu.list
@@ -1,2 +1,2 @@
-deb [signed-by=/usr/share/keyrings/opentofu.asc] http://packages.opentofu.org/opentofu/tofu/any/ any main
+deb [signed-by=/usr/share/keyrings/opentofu.asc] https://packages.opentofu.org/opentofu/tofu/any/ any main
 # vim:ft=debsources
diff --git a/salt/opentofu/files/repo/opentofu.sources b/salt/opentofu/files/repo/opentofu.sources
index ec34871e..8ba08b2e 100644
--- a/salt/opentofu/files/repo/opentofu.sources
+++ b/salt/opentofu/files/repo/opentofu.sources
@@ -1,5 +1,5 @@
 Types: deb
-URIs: http://packages.opentofu.org/opentofu/tofu/any/
+URIs: https://packages.opentofu.org/opentofu/tofu/any/
 Suites: any
 Components: main
 Signed-by: /usr/share/keyrings/opentofu.asc
diff --git a/salt/opentofu/files/repo/opentofu.yum.repo b/salt/opentofu/files/repo/opentofu.yum.repo
index 455f4e22..5a3268af 100644
--- a/salt/opentofu/files/repo/opentofu.yum.repo
+++ b/salt/opentofu/files/repo/opentofu.yum.repo
@@ -1,6 +1,6 @@
 [opentofu]
 name=opentofu
-baseurl=http://packages.opentofu.org/opentofu/tofu/rpm_any/rpm_any/$basearch
+baseurl=https://packages.opentofu.org/opentofu/tofu/rpm_any/rpm_any/$basearch
 repo_gpgcheck=0
 gpgcheck=1
 enabled=1
@@ -11,7 +11,7 @@ metadata_expire=300 [opentofu-source] name=opentofu-source -baseurl=http://packages.opentofu.org/opentofu/tofu/rpm_any/rpm_any/SRPMS +baseurl=https://packages.opentofu.org/opentofu/tofu/rpm_any/rpm_any/SRPMS repo_gpgcheck=0 gpgcheck=1 enabled=1
diff --git a/salt/signal/files/repo/signal.list b/salt/signal/files/repo/signal.list
index 16c5a784..41380130 100644
--- a/salt/signal/files/repo/signal.list
+++ b/salt/signal/files/repo/signal.list
@@ -1,2 +1,2 @@
-deb [arch=amd64 signed-by=/usr/share/keyrings/signal.asc] http://updates.signal.org/desktop/apt xenial main
+deb [arch=amd64 signed-by=/usr/share/keyrings/signal.asc] https://updates.signal.org/desktop/apt xenial main
 # vim: ft=debsources
diff --git a/salt/signal/files/repo/signal.sources b/salt/signal/files/repo/signal.sources
index 3879b14a..933843a4 100644
--- a/salt/signal/files/repo/signal.sources
+++ b/salt/signal/files/repo/signal.sources
@@ -1,5 +1,5 @@
 Types: deb
-URIs: http://updates.signal.org/desktop/apt
+URIs: https://updates.signal.org/desktop/apt
 Suites: xenial
 Components: main
 Signed-by: /usr/share/keyrings/signal.asc
diff --git a/salt/sys-cacher/uninstall-client.sls b/salt/sys-cacher/uninstall-client.sls
index 1b889726..02a461d3 100644
--- a/salt/sys-cacher/uninstall-client.sls
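Review bot: Both sections of salt/opentofu/files/repo/opentofu.yum.repo keep `repo_gpgcheck=0`, so repository metadata is not signature-checked and, after this change, TLS to packages.opentofu.org is the only thing authenticating it; packages themselves are still covered by `gpgcheck=1`. That makes the https `baseurl` load-bearing here rather than defence in depth, and it relies on certificate verification staying enabled, which I cannot confirm because any sslverify setting is outside the hunks. If the rewrite tool mentioned in the commit message turns these URLs into proxied ones, that trust presumably moves to the caching proxy. If upstream does not publish signed metadata, record that next to the option, e.g. `# repo_gpgcheck=0: upstream repodata is unsigned; its integrity relies on https`.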
+++ b/salt/sys-cacher/uninstall-client.sls
@@ -4,11 +4,17 @@ SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. /dev/null') -%} "{{ slsdotpath }}-uninstall-client-repository-modifications": cmd.run: - name: apt-cacher-ng-repo uninstall - stateful: True - runas: root +{% endif -%} + +"{{ slsdotpath }}-uninstall-client-scripts": + file.absent: + - name: /usr/bin/apt-cacher-ng-repo "{{ slsdotpath }}-uninstall-client-systemd-service": file.absent:
diff --git a/salt/sys-syncthing/files/repo/syncthing.list b/salt/sys-syncthing/files/repo/syncthing.list
index b0e5a700..9dffce08 100644
--- a/salt/sys-syncthing/files/repo/syncthing.list
+++ b/salt/sys-syncthing/files/repo/syncthing.list
@@ -1,2 +1,2 @@
-deb [signed-by=/usr/share/keyrings/syncthing.asc] http://apt.syncthing.net/ syncthing stable
+deb [signed-by=/usr/share/keyrings/syncthing.asc] https://apt.syncthing.net/ syncthing stable
 # vim:ft=debsources
diff --git a/salt/sys-syncthing/files/repo/syncthing.sources b/salt/sys-syncthing/files/repo/syncthing.sources
index a389c42f..cad968f5 100644
--- a/salt/sys-syncthing/files/repo/syncthing.sources
+++ b/salt/sys-syncthing/files/repo/syncthing.sources
@@ -1,6 +1,6 @@
 ## NOTE: Syncthing maintainers inverted the Suites with the Components field.
 Types: deb
-URIs: http://apt.syncthing.net/
+URIs: https://apt.syncthing.net/
 Suites: syncthing
 Components: stable
 Signed-by: /usr/share/keyrings/syncthing.asc
diff --git a/salt/terraform/files/repo/terraform.list b/salt/terraform/files/repo/terraform.list
index 6ced8000..5f340cbe 100644
--- a/salt/terraform/files/repo/terraform.list
+++ b/salt/terraform/files/repo/terraform.list
@@ -1,2 +1,2 @@
-deb [signed-by=/usr/share/keyrings/terraform.asc] http://apt.releases.hashicorp.com bookworm main
+deb [signed-by=/usr/share/keyrings/terraform.asc] https://apt.releases.hashicorp.com bookworm main
 # vim:ft=debsources
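Review bot: The Jinja guard added in salt/sys-cacher/uninstall-client.sls looks like it can never be true: the line is truncated on this page but ends in `>/dev/null') -%}`, and the full form in the salt/utils/macros/install-repo.sls hunk is `salt['cmd.shell']('command -v apt-cacher-ng-repo >/dev/null')`, which as far as I know returns the command's output, and that is always empty because of the redirect. With the block skipped, `apt-cacher-ng-repo uninstall` never runs while the new `file.absent` still deletes /usr/bin/apt-cacher-ng-repo, so a client could be left with rewritten repository definitions and no tool to revert them; in install-repo.sls the rewrite step would likewise never be rendered. Test the exit status instead, e.g. `{% if salt['cmd.retcode']('command -v apt-cacher-ng-repo >/dev/null', python_shell=True) == 0 -%}`. Alternatively drop the Jinja guard and put `- onlyif: command -v apt-cacher-ng-repo` on the `cmd.run` state, which is evaluated when the state executes rather than when the file is rendered.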
diff --git a/salt/terraform/files/repo/terraform.sources b/salt/terraform/files/repo/terraform.sources
index c7861a7d..5eea45a5 100644
--- a/salt/terraform/files/repo/terraform.sources
+++ b/salt/terraform/files/repo/terraform.sources
@@ -1,5 +1,5 @@
 Types: deb
-URIs: http://apt.releases.hashicorp.com
+URIs: https://apt.releases.hashicorp.com
 Suites: bookworm
 Components: main
 Signed-by: /usr/share/keyrings/terraform.asc
diff --git a/salt/utils/macros/install-repo.sls b/salt/utils/macros/install-repo.sls
index af548bbd..379ed77f 100644
--- a/salt/utils/macros/install-repo.sls
+++ b/salt/utils/macros/install-repo.sls
@@ -81,4 +81,10 @@ If sls_path is 'browser', then this would install the repo from: {% endif -%} +{% if salt['cmd.shell']('command -v apt-cacher-ng-repo >/dev/null') -%} +"{{ name }}-run-apt-cacher-ng-repo": + cmd.run: + - name: apt-cacher-ng-repo +{% endif -%} + {% endmacro -%}
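Review bot: The new `cmd.run` in salt/utils/macros/install-repo.sls has no `stateful`, `unless` or `onlyif`, so whenever it is rendered it would run and report a change on every application of every formula that uses this macro. The uninstall state in salt/sys-cacher/uninstall-client.sls calls the same tool with `- stateful: True` and `- runas: root`; adding those two lines here would keep the two call sites consistent, assuming the tool prints Salt's stateful output for its default action as well. The macro body begins outside the hunk, so I cannot see whether the repository file is managed earlier in a way that would revert the rewrite on the next run.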