authorMicah Anderson <micah@leap.se>2014-05-22 16:38:28 -0400
committerMicah Anderson <micah@leap.se>2014-05-22 16:38:28 -0400
commit6100b6ded99241f10e7fb12c13a0820fda084912 (patch)
tree863a9120010f32fdae304af94cd102c1da5096a6 /puppet/modules/site_config
parent327d5c934e408f90011d7949b89ab01fed88998e (diff)
parenta622e49c5df2150049afb6f6ed47177537b7e6da (diff)
Merge branch 'develop' (0.5.1)0.5.1
Change-Id: I4e9d845f9758232f4da0d4bfbf785e52982b825b
Diffstat (limited to 'puppet/modules/site_config')
-rw-r--r--puppet/modules/site_config/manifests/caching_resolver.pp18
-rw-r--r--puppet/modules/site_config/manifests/default.pp3
-rw-r--r--puppet/modules/site_config/manifests/initial_firewall.pp4
-rw-r--r--puppet/modules/site_config/manifests/syslog.pp16
-rw-r--r--puppet/modules/site_config/templates/ipv4firewall_up.rules.erb2
-rw-r--r--puppet/modules/site_config/templates/ipv6firewall_up.rules.erb1
6 files changed, 22 insertions, 22 deletions
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index 3d7b9206..1b8bd1a2 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -10,16 +10,16 @@ class site_config::caching_resolver {
# the newer unbound, then we will add 'include: /etc/unbound.d/*' to the
# configuration file
+ include site_apt::preferences::unbound
+
file {
+ # cleanup from how we used to do it
'/etc/unbound/conf.d':
- ensure => directory,
- owner => root, group => root, mode => '0755',
- require => Package['unbound'];
+ force => true,
+ ensure => absent;
'/etc/unbound/conf.d/placeholder':
- ensure => present,
- content => '',
- owner => root, group => root, mode => '0644';
+ ensure => absent;
}
class { 'unbound':
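Review bot: With `force => true` on `/etc/unbound/conf.d`, Puppet removes the directory together with its contents, so the separate `'/etc/unbound/conf.d/placeholder': ensure => absent;` resource in the same `file` block is redundant and can be dropped. Convention in this module is to list `ensure` first in a resource body, so the surviving resource reads better as `ensure => absent,` followed by `force => true;`. The "cleanup from how we used to do it" comment would be more useful if it said what replaced the old layout, e.g. `# cleanup: unbound config now lives in /etc/unbound/unbound.conf.d (see concat fragment below)`. The class body continues beyond this hunk.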
@@ -39,4 +39,10 @@ class site_config::caching_resolver {
}
}
}
+
+ concat::fragment { 'unbound glob include':
+ target => $unbound::params::config,
+ content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n",
+ order => 10
+ }
}
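Review bot: The path in the new fragment, `include: /etc/unbound/unbound.conf.d/*.conf`, does not match the path the class comment a few lines up still announces (`include: /etc/unbound.d/*`), so that comment is now stale and should be rewritten to name the path actually emitted. Nothing in this change manages `/etc/unbound/unbound.conf.d` itself, so its existence, ownership and mode are left to the unbound package; since every `*.conf` matched by the glob becomes part of the resolver's configuration, it is worth confirming the directory stays root-owned and not group/world-writable, or managing it explicitly with a `file` resource. A short comment on why `order => 10` is the right place for the include relative to the other fragments of `$unbound::params::config` would also help the next reader.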
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 7e421a21..c7352857 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -27,6 +27,9 @@ class site_config::default {
if $::ec2_instance_id {
include site_config::dhclient
}
+ if $::virtual == 'virtualbox' {
+ include site_config::dhclient
+ }
# configure /etc/resolv.conf
include site_config::resolvconf
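Review bot: The new `virtualbox` branch repeats the `ec2_instance_id` branch above it line for line; a single condition keeps the two triggers for `site_config::dhclient` together and avoids the duplicated include: `if $::ec2_instance_id or $::virtual == 'virtualbox' {`. Neither branch says why these environments need the dhclient class, so a one-line comment above the condition stating the reason (presumably both platforms hand out resolver settings via DHCP — confirm) would save the next maintainer a search. The class body continues outside this hunk.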
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
index 51cceb31..93cfb847 100644
--- a/puppet/modules/site_config/manifests/initial_firewall.pp
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
@@ -51,12 +51,14 @@ class site_config::initial_firewall {
command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
logoutput => true,
unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ subscribe => File['/etc/network/ipv4firewall_up.rules'],
require => File['/etc/network/ipv4firewall_up.rules'];
'default_ipv6_firewall':
command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
logoutput => true,
- unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ unless => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status',
+ subscribe => File['/etc/network/ipv6firewall_up.rules'],
require => File['/etc/network/ipv6firewall_up.rules'];
}
}
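Review bot: `subscribe` already implies `require` in Puppet, so both execs now carry a redundant relationship; the `require => File['/etc/network/ipv4firewall_up.rules'];` and `require => File['/etc/network/ipv6firewall_up.rules'];` lines can be removed, leaving the `subscribe` line (with the trailing `;`) as the only edge. Because neither exec is `refreshonly`, a change to a rules file now triggers a refresh run in addition to the normal run, and as far as I can tell the `unless` guard still applies to the refresh, so an updated bootstrap rule set is not loaded on a host where shorewall is already reported running — that looks intentional but deserves a comment on the exec. The correction of the IPv6 `unless` to `shorewall6` is the right fix; previously the IPv6 bootstrap rules were skipped whenever the IPv4 shorewall was up. The class `site_config::initial_firewall` starts outside this hunk.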
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
index d3abeca1..26c65f02 100644
--- a/puppet/modules/site_config/manifests/syslog.pp
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -1,20 +1,6 @@
class site_config::syslog {
- # we need to pull in rsyslog from the leap repository until it is availbale in
- # wheezy-backports
- apt::preferences_snippet { 'fixed_rsyslog_anon_package':
- package => 'rsyslog*',
- priority => '999',
- pin => 'release o=leap.se',
- before => Class['rsyslog::install']
- }
-
- apt::preferences_snippet { 'rsyslog_anon_depends':
- package => 'libestr0 librelp0',
- priority => '999',
- pin => 'release a=wheezy-backports',
- before => Class['rsyslog::install']
- }
+ include site_apt::preferences::rsyslog
class { 'rsyslog::client':
log_remote => false,
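Review bot: The removed snippets carried `before => Class['rsyslog::install']`, which guaranteed the apt pin was in place before the rsyslog package was installed; the new `include site_apt::preferences::rsyslog` has no visible ordering relative to `class { 'rsyslog::client': ... }`, so unless that class establishes the relationship itself, the first run can install rsyslog from the wrong source and only pin it afterwards. The same question applies to `include site_apt::preferences::unbound` in caching_resolver.pp. The removed comment also explained why the pin exists at all; a one-line replacement such as `# pin rsyslog to the leap repository until wheezy-backports carries it` would keep that context next to the include. The class body continues beyond this hunk.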
diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
index 524ae308..928a2b31 100644
--- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
@@ -5,6 +5,7 @@
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport <%= @ssh_port %> -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
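Review bot: The added INPUT rule accepts TCP/22 unconditionally, next to the existing `<%= @ssh_port %>` rule, so every node's bootstrap firewall now exposes port 22 even when ssh is configured on another port, and when `ssh_port` is 22 the rule is merely a duplicate. The OUTPUT `--sport 22` rule added in the next hunk of this file has the same shape. If the intent is to keep access during the window before sshd moves to the configured port, that reasoning belongs in a comment above the rule, and the rule can be limited to that case: `<% if @ssh_port.to_s != '22' %>`, the `--dport 22` rule, `<% end %>` (likewise for the `--sport 22` rule).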
@@ -13,6 +14,7 @@
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
index e7fae52e..e2c92524 100644
--- a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
@@ -3,5 +3,6 @@
:INPUT DROP [24:1980]
:FORWARD DROP [0:0]
:OUTPUT DROP [14:8030]
+-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Tue Aug 20 12:19:43 2013
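Review bot: The new `-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable` sits under an OUTPUT policy that is already DROP, so its only effect is that locally originated IPv6 connections fail immediately instead of timing out; that intent is not obvious from the rule and should be stated above it, e.g. `# reject outbound IPv6 explicitly so local clients fail fast instead of hanging on the DROP policy`. The IPv4 template in this same commit keeps a bare DROP policy on OUTPUT, so the two bootstrap rule sets now treat blocked outbound traffic differently — either make them consistent or note the difference in the comment.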