summaryrefslogtreecommitdiff
path: root/puppet/modules/site_config/manifests
diff options
context:
space:
mode:
authorMicah Anderson <micah@riseup.net>2016-11-04 10:54:28 -0400
committerMicah Anderson <micah@riseup.net>2016-11-04 10:54:28 -0400
commit34a381efa8f6295080c843f86bfa07d4e41056af (patch)
tree9282cf5d4c876688602705a7fa0002bc4a810bde /puppet/modules/site_config/manifests
parent0a72bc6fd292bf9367b314fcb0347c4d35042f16 (diff)
parent5821964ff7e16ca7aa9141bd09a77d355db492a9 (diff)
Merge branch 'develop'
Diffstat (limited to 'puppet/modules/site_config/manifests')
-rw-r--r--puppet/modules/site_config/manifests/caching_resolver.pp27
-rw-r--r--puppet/modules/site_config/manifests/remove/bigcouch.pp27
-rw-r--r--puppet/modules/site_config/manifests/remove/files.pp28
-rw-r--r--puppet/modules/site_config/manifests/remove/soledad.pp12
-rw-r--r--puppet/modules/site_config/manifests/x509/commercial/ca.pp10
5 files changed, 95 insertions, 9 deletions
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index 8bf465c1..4da13d9c 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -1,20 +1,33 @@
# deploy local caching resolver
class site_config::caching_resolver {
tag 'leap_base'
+ $domain = hiera('domain')
+ $internal_domain = $domain['internal_suffix']
+
+ # We need to make sure Package['bind9'] isn't installed because when it is, it
+ # keeps unbound from running. Some base debian installs will install bind9,
+ # and then start it, so unbound will never get properly started. So this will
+ # make sure bind9 is removed before.
+ package { 'bind9':
+ ensure => purged
+ }
class { 'unbound':
root_hints => false,
anchor => false,
ssl => false,
+ require => Package['bind9'],
settings => {
server => {
- verbosity => '1',
- interface => [ '127.0.0.1', '::1' ],
- port => '53',
- hide-identity => 'yes',
- hide-version => 'yes',
- harden-glue => 'yes',
- access-control => [ '127.0.0.0/8 allow', '::1 allow' ]
+ verbosity => '1',
+ interface => [ '127.0.0.1', '::1' ],
+ port => '53',
+ hide-identity => 'yes',
+ hide-version => 'yes',
+ harden-glue => 'yes',
+ access-control => [ '127.0.0.0/8 allow', '::1 allow' ],
+ module-config => '"validator iterator"',
+ domain-insecure => $internal_domain
}
}
}
diff --git a/puppet/modules/site_config/manifests/remove/bigcouch.pp b/puppet/modules/site_config/manifests/remove/bigcouch.pp
index 3535c3c1..9fd3e7ee 100644
--- a/puppet/modules/site_config/manifests/remove/bigcouch.pp
+++ b/puppet/modules/site_config/manifests/remove/bigcouch.pp
@@ -10,6 +10,33 @@ class site_config::remove::bigcouch {
]
}
+ tidy {
+ '/etc/logrotate/bigcouch':;
+ '/srv/leap/nagios/plugins/check_unix_open_fds.pl':;
+ }
+
+ augeas {
+ 'Couchdb_open_files':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Couchdb_open_files',
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs',
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs',
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
+ }
+
+ # check syslog msg from:
+ # - empd
+ # - /usr/local/bin/couch-doc-update
+ concat::fragment { 'syslog_bigcouch':
+ ensure => absent,
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/bigcouch.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '02';
+ }
+
exec { 'remove_bigcouch_logwatch_stateline':
command => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state",
refreshonly => true,
diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp
index 41d6462e..ac2350a0 100644
--- a/puppet/modules/site_config/manifests/remove/files.pp
+++ b/puppet/modules/site_config/manifests/remove/files.pp
@@ -11,7 +11,35 @@
class site_config::remove::files {
+ #
+ # Platform 0.9 removals
+ #
+
+ tidy {
+ # moved to /srv/static/public/provider.json
+ # for permissions reasons.
+ '/srv/leap/provider.json':;
+
+ # tests are moved to /srv/leap/tests/server-tests
+ # by rsync is not able to clean up the old location,
+ # so, we do it here:
+ '/srv/leap/tests/order.rb':;
+ '/srv/leap/tests/README.md':;
+ '/srv/leap/tests/helpers':
+ recurse => true,
+ rmdirs => true;
+ '/srv/leap/tests/puppet':
+ recurse => true,
+ rmdirs => true;
+ '/srv/leap/tests/white-box':
+ recurse => true,
+ rmdirs => true;
+ }
+
+ #
# Platform 0.8 removals
+ #
+
tidy {
'/etc/default/leap_mx':;
'/etc/logrotate.d/mx':;
diff --git a/puppet/modules/site_config/manifests/remove/soledad.pp b/puppet/modules/site_config/manifests/remove/soledad.pp
new file mode 100644
index 00000000..46c23f26
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/soledad.pp
@@ -0,0 +1,12 @@
+# remove possible leftovers on soledad nodes
+class site_config::remove::soledad {
+
+ # remove soledad procs check because leap_cli already checks for them
+ augeas { 'Soledad_Procs':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [ 'rm /files/etc/check_mk/mrpe.cfg/Soledad_Procs' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
+ }
+
+}
diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
index c76a9dbb..21d57445 100644
--- a/puppet/modules/site_config/manifests/x509/commercial/ca.pp
+++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
@@ -5,7 +5,13 @@ class site_config::x509::commercial::ca {
$x509 = hiera('x509')
$ca = $x509['commercial_ca_cert']
- x509::ca { $site_config::params::commercial_ca_name:
- content => $ca
+ #
+ # CA cert might be empty, if it was bundled with 'commercial_cert'
+ # instead of specified separately.
+ #
+ if ($ca) {
+ x509::ca { $site_config::params::commercial_ca_name:
+ content => $ca
+ }
}
}