author | Micah Anderson <micah@leap.se> | 2014-05-22 16:38:28 -0400 |
committer | Micah Anderson <micah@leap.se> | 2014-05-22 16:38:28 -0400 |
commit | 6100b6ded99241f10e7fb12c13a0820fda084912 (patch) | |
tree | 863a9120010f32fdae304af94cd102c1da5096a6 /puppet/modules | |
parent | 327d5c934e408f90011d7949b89ab01fed88998e (diff) | |
parent | a622e49c5df2150049afb6f6ed47177537b7e6da (diff) |
Merge branch 'develop' (0.5.1)0.5.1
Change-Id: I4e9d845f9758232f4da0d4bfbf785e52982b825b
Diffstat (limited to 'puppet/modules')
20 files changed, 194 insertions, 152 deletions
diff --git a/puppet/modules/site_apt/manifests/preferences/openvpn.pp b/puppet/modules/site_apt/manifests/preferences/openvpn.pp
new file mode 100644
index 00000000..c7ddae25
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/openvpn.pp
@@ -0,0 +1,9 @@
+class site_apt::preferences::openvpn {
+
+ apt::preferences_snippet { 'openvpn':
+ package => 'openvpn',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999;
+ }
+
+}
diff --git a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp
new file mode 100644
index 00000000..132a6e24
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp
@@ -0,0 +1,9 @@
+class site_apt::preferences::rsyslog {
+
+ apt::preferences_snippet { 'rsyslog_anon_depends':
+ package => 'libestr0 librelp0 rsyslog*',
+ priority => '999',
+ pin => 'release a=wheezy-backports',
+ before => Class['rsyslog::install']
+ }
+}
diff --git a/puppet/modules/site_apt/manifests/preferences/unbound.pp b/puppet/modules/site_apt/manifests/preferences/unbound.pp
new file mode 100644
index 00000000..6da964f9
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/unbound.pp
@@ -0,0 +1,10 @@
+class site_apt::preferences::unbound {
+
+ apt::preferences_snippet { 'unbound':
+ package => 'libunbound* unbound*',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999,
+ before => Class['unbound::package'];
+ }
+
+}
diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp
index 35a4e9a5..1e370125 100644
--- a/puppet/modules/site_check_mk/manifests/agent/mx.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp
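Review bot: The pin in the new rsyslog.pp hardcodes `pin => 'release a=wheezy-backports'` while the openvpn.pp and unbound.pp snippets added by the same commit derive the suite from the fact, `release => "${::lsbdistcodename}-backports"`; using the same form here keeps the three pins consistent and stops this one from silently pointing at the wrong suite when the codename changes. The `priority` is quoted as the string `'999'` here and written as the bare integer `999` in the other two files. `rsyslog*` at priority 999 is also a wildcard pin that forces every package whose name starts with rsyslog onto backports, which looks intended (the old site_config::syslog pin did the same) but deserves a comment such as `# rsyslog and the libestr/librelp versions it depends on come from backports`.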
@@ -8,7 +8,7 @@ class site_check_mk::agent::mx {
 # local nagios plugin checks via mrpe
 file_line { 'Leap_MX_Procs':
- line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a leap_mx',
+ line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/leap_mx.pid --rundir=/var/lib/leap_mx/ --python=/usr/share/app/leap_mx.tac --logfile=/var/log/leap_mx.log\'',
 path => '/etc/check_mk/mrpe.cfg';
 }
diff --git a/puppet/modules/site_check_mk/manifests/agent/soledad.pp b/puppet/modules/site_check_mk/manifests/agent/soledad.pp
index cbae81fe..512d1a3d 100644
--- a/puppet/modules/site_check_mk/manifests/agent/soledad.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/soledad.pp
@@ -7,7 +7,7 @@ class site_check_mk::agent::soledad {
 # local nagios plugin checks via mrpe
 file_line { 'Soledad_Procs':
- line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a soledad',
+ line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/soledad.pid --logfile=/var/log/soledad.log web --wsgi=leap.soledad.server.application\'',
 path => '/etc/check_mk/mrpe.cfg';
 }
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index 3d7b9206..1b8bd1a2 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
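Review bot: The `-a` argument on the new `line` is a verbatim copy of the daemon's full command line, so the check will report zero processes (and alert) as soon as any flag in the real invocation changes, yet nothing in this file says where that command line is maintained. A comment above the resource such as `# must match the twistd invocation used by the leap_mx init script byte for byte` would make the coupling visible; the same applies to the Soledad_Procs line in soledad.pp. I am inferring the origin of the command line from its shape, so confirm which file actually defines it before naming it in the comment.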
@@ -10,16 +10,16 @@ class site_config::caching_resolver {
 # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the
 # configuration file
+ include site_apt::preferences::unbound
+
 file {
+ # cleanup from how we used to do it
 '/etc/unbound/conf.d':
- ensure => directory,
- owner => root, group => root, mode => '0755',
- require => Package['unbound'];
+ force => true,
+ ensure => absent;
 '/etc/unbound/conf.d/placeholder':
- ensure => present,
- content => '',
- owner => root, group => root, mode => '0644';
+ ensure => absent;
 }
 class { 'unbound':
@@ -39,4 +39,10 @@ class site_config::caching_resolver {
 }
 }
 }
+
+ concat::fragment { 'unbound glob include':
+ target => $unbound::params::config,
+ content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n",
+ order => 10
+ }
 }
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 7e421a21..c7352857 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -27,6 +27,9 @@ class site_config::default {
 if $::ec2_instance_id {
 include site_config::dhclient
 }
+ if $::virtual == 'virtualbox' {
+ include site_config::dhclient
+ }
 # configure /etc/resolv.conf
 include site_config::resolvconf
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
index 51cceb31..93cfb847 100644
--- a/puppet/modules/site_config/manifests/initial_firewall.pp
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
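Review bot: The new concat fragment includes `/etc/unbound/unbound.conf.d/*.conf`, but the resolver snippets that site_openvpn::resolver writes in this same commit are titled `/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver` and so on, with no `.conf` suffix, so the glob never matches them and unbound will neither bind the VPN interfaces nor allow the VPN prefixes in access-control. Either rename the four `file` and four `tidy` titles in resolver.pp to end in `.conf`, or widen this line to `content => "include: /etc/unbound/unbound.conf.d/*\n\n",`; renaming is the safer choice, because if the distribution's own unbound.conf already includes that directory with a `*.conf` glob a bare `*` would load the files twice. The context comment at the top of this hunk still promises `'include: /etc/unbound.d/*'`, which this fragment now supersedes with a different path, so it should be updated in the same change.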
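Review bot: The new `virtualbox` branch in default.pp repeats the ec2 branch verbatim; a single guarded include, `if $::ec2_instance_id or $::virtual == 'virtualbox' { include site_config::dhclient }`, states the intent once and gives one place to add the next platform. A one-line comment on why these two environments need site_config::dhclient while the others do not would also help the reader.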
@@ -51,12 +51,14 @@ class site_config::initial_firewall {
 command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
 logoutput => true,
 unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ subscribe => File['/etc/network/ipv4firewall_up.rules'],
 require => File['/etc/network/ipv4firewall_up.rules'];
 'default_ipv6_firewall':
 command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
 logoutput => true,
- unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ unless => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status',
+ subscribe => File['/etc/network/ipv6firewall_up.rules'],
 require => File['/etc/network/ipv6firewall_up.rules'];
 }
 }
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
index d3abeca1..26c65f02 100644
--- a/puppet/modules/site_config/manifests/syslog.pp
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -1,20 +1,6 @@
 class site_config::syslog {
- # we need to pull in rsyslog from the leap repository until it is availbale in
- # wheezy-backports
- apt::preferences_snippet { 'fixed_rsyslog_anon_package':
- package => 'rsyslog*',
- priority => '999',
- pin => 'release o=leap.se',
- before => Class['rsyslog::install']
- }
-
- apt::preferences_snippet { 'rsyslog_anon_depends':
- package => 'libestr0 librelp0',
- priority => '999',
- pin => 'release a=wheezy-backports',
- before => Class['rsyslog::install']
- }
+ include site_apt::preferences::rsyslog
 class { 'rsyslog::client':
 log_remote => false,
diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
index 524ae308..928a2b31 100644
--- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
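Review bot: `subscribe` on a Puppet resource already implies `require`, so the added `subscribe => File[...]` lines make the existing `require => File[...]` lines on both execs redundant; keeping only `subscribe => File['/etc/network/ipv4firewall_up.rules'];` (and the ipv6 counterpart) expresses the same ordering. Note that the exec is still gated by `unless`, so a changed rules file is only reloaded while shorewall is not yet running; a short comment stating that this is the pre-shorewall bootstrap rule set would save the next reader from expecting template edits to apply on a running node. The exec resource begins before this hunk.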
@@ -5,6 +5,7 @@
 :OUTPUT DROP [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport <%= @ssh_port %> -j ACCEPT
 -A INPUT -p udp -m udp --sport 53 -j ACCEPT
 -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
@@ -13,6 +14,7 @@
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 22 -j ACCEPT
 -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT
 -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
 -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
index e7fae52e..e2c92524 100644
--- a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
@@ -3,5 +3,6 @@
 :INPUT DROP [24:1980]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [14:8030]
+-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
 COMMIT
 # Completed on Tue Aug 20 12:19:43 2013
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 7aec0faa..b6331f12 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
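Review bot: The added INPUT and OUTPUT rules accept SSH on port 22 unconditionally, even on nodes where `@ssh_port` has deliberately been moved off 22, and when `@ssh_port` is 22 they duplicate the line that follows them. If the purpose is an emergency path while the SSH port is being changed, wrap each new rule in `<%- if @ssh_port.to_s != '22' -%>` … `<%- end -%>` and say so in a comment; if 22 is meant to stay open regardless, a comment should state that so the extra listener is not later read as an oversight. Because this file is only the bootstrap rule set applied before shorewall (per the `unless` in initial_firewall.pp), the exposure is bounded, but the shorewall rules should match whichever intent is chosen.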
@@ -168,9 +168,14 @@ class site_openvpn {
 include site_shorewall::eip
+ # In wheezy, we need the openvpn backport to get the 2.3 version of
+ # openvpn which has proper ipv6 support
+ include site_apt::preferences::openvpn
+
 package { 'openvpn':
- ensure => installed;
+ ensure => latest,
+ require => Class['site_apt::preferences::openvpn'];
 }
 service {
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c74fb509..c1367a33 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
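Review bot: `ensure => latest` makes every Puppet run upgrade openvpn whenever backports publishes a newer build, restarting the VPN for connected clients at an uncontrolled time; it is needed here only because a pin alone does not upgrade an already-installed package, and the new comment does not say that. Extend the comment, e.g. `# 'latest' rather than 'installed' so an openvpn already installed from wheezy is upgraded to the pinned backport`, and consider returning to `installed` once all nodes carry the 2.3 package. `require => Class['site_apt::preferences::openvpn']` orders the pin before the package, but unless the preferences snippet itself refreshes the apt cache the first run may still resolve against the old cache; apt::preferences_snippet is not visible here, so confirm it does.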
@@ -3,82 +3,48 @@ class site_openvpn::resolver { if $site_openvpn::openvpn_allow_unlimited { $ensure_unlimited = 'present' file { - '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': + '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; - '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': + '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; } } else { $ensure_unlimited = 'absent' - tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': } - tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': } } if $site_openvpn::openvpn_allow_limited { $ensure_limited = 'present' file { - '/etc/unbound/conf.d/vpn_limited_udp_resolver': + '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => 
Service['unbound']; - '/etc/unbound/conf.d/vpn_limited_tcp_resolver': + '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', - require => Service['openvpn'], + require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; } } else { $ensure_limited = 'absent' - tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': } - tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': } } - - # this is an unfortunate way to get around the fact that the version of - # unbound we are working with does not accept a wildcard include directive - # (/etc/unbound/conf.d/*), when it does, these line definitions should - # go away and instead the caching_resolver should be configured to - # include: /etc/unbound/conf.d/* - - file_line { - 'add_unlimited_tcp_resolver': - ensure => $ensure_unlimited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_unlimited_udp_resolver': - ensure => $ensure_unlimited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_limited_tcp_resolver': - ensure => $ensure_limited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - 'add_limited_udp_resolver': - ensure => 
$ensure_limited, - path => '/etc/unbound/unbound.conf', - line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', - notify => Service['unbound'], - require => [ Package['openvpn'], Package['unbound'] ]; - } - } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index b1f4997c..97cf2842 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -60,12 +60,13 @@ define site_openvpn::server_config( concat { "/etc/openvpn/${openvpn_configname}.conf": - owner => root, - group => root, - mode => 644, - warn => true, - require => File['/etc/openvpn'], - notify => Exec['restart_openvpn']; + owner => root, + group => root, + mode => 644, + warn => true, + require => File['/etc/openvpn'], + before => Service['openvpn'], + notify => Exec['restart_openvpn']; } if $tls_remote != undef { 
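Review bot: `$ensure_unlimited` and `$ensure_limited` are still assigned in all four branches of this hunk, but their only consumer, the `file_line` block, is removed by the same hunk, so they are now dead variables whose `'present'`/`'absent'` values point at a resource that no longer exists; drop the four assignments. The hunk also relies on `/etc/unbound/unbound.conf.d` existing without creating it; if the unbound package does not ship that directory the `file` resources fail on a fresh host, so a `file { '/etc/unbound/unbound.conf.d': ensure => directory }` in site_config::caching_resolver, which these resources now require, would make the dependency explicit. I cannot see the package contents from here, so verify before adding it.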
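Review bot: The re-aligned `mode => 644,` on the concat resource in server_config.pp still passes an unquoted number, which Puppet deprecates for file modes (it warns, and newer releases reject it); the correct form is `mode => '0644',`. The line was wrong before this commit too, but since the hunk rewrites it anyway this is the moment to fix it. The enclosing define starts before this hunk.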
@@ -77,101 +78,116 @@ define site_openvpn::server_config( } } + # according to openvpn man page: tcp-nodelay is a "generally a good latency optimization". + if $proto == 'tcp' { + openvpn::option { + "tcp-nodelay ${openvpn_configname}": + key => 'tcp-nodelay', + server => $openvpn_configname; + } + } + openvpn::option { "ca ${openvpn_configname}": - key => 'ca', - value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt", - server => $openvpn_configname; + key => 'ca', + value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt", + server => $openvpn_configname; "cert ${openvpn_configname}": - key => 'cert', - value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", + key => 'cert', + value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", server => $openvpn_configname; "key ${openvpn_configname}": - key => 'key', - value => "${x509::variables::keys}/${site_config::params::cert_name}.key", - server => $openvpn_configname; + key => 'key', + value => "${x509::variables::keys}/${site_config::params::cert_name}.key", + server => $openvpn_configname; "dh ${openvpn_configname}": - key => 'dh', - value => '/etc/openvpn/keys/dh.pem', - server => $openvpn_configname; + key => 'dh', + value => '/etc/openvpn/keys/dh.pem', + server => $openvpn_configname; "tls-cipher ${openvpn_configname}": - key => 'tls-cipher', - value => $config['tls-cipher'], - server => $openvpn_configname; + key => 'tls-cipher', + value => $config['tls-cipher'], + server => $openvpn_configname; "auth ${openvpn_configname}": - key => 'auth', - value => $config['auth'], - server => $openvpn_configname; + key => 'auth', + value => $config['auth'], + server => $openvpn_configname; "cipher ${openvpn_configname}": - key => 'cipher', - value => $config['cipher'], - server => $openvpn_configname; + key => 'cipher', + value => $config['cipher'], + server => $openvpn_configname; "dev ${openvpn_configname}": - key => 'dev', - 
value => 'tun', - server => $openvpn_configname; + key => 'dev', + value => 'tun', + server => $openvpn_configname; + "tun-ipv6 ${openvpn_configname}": + key => 'tun-ipv6', + server => $openvpn_configname; "duplicate-cn ${openvpn_configname}": - key => 'duplicate-cn', - server => $openvpn_configname; + key => 'duplicate-cn', + server => $openvpn_configname; "keepalive ${openvpn_configname}": - key => 'keepalive', - value => $config['keepalive'], - server => $openvpn_configname; + key => 'keepalive', + value => $config['keepalive'], + server => $openvpn_configname; "local ${openvpn_configname}": - key => 'local', - value => $local, - server => $openvpn_configname; + key => 'local', + value => $local, + server => $openvpn_configname; "mute ${openvpn_configname}": - key => 'mute', - value => '5', - server => $openvpn_configname; + key => 'mute', + value => '5', + server => $openvpn_configname; "mute-replay-warnings ${openvpn_configname}": - key => 'mute-replay-warnings', - server => $openvpn_configname; + key => 'mute-replay-warnings', + server => $openvpn_configname; "management ${openvpn_configname}": - key => 'management', - value => $management, - server => $openvpn_configname; + key => 'management', + value => $management, + server => $openvpn_configname; "proto ${openvpn_configname}": - key => 'proto', - value => $proto, - server => $openvpn_configname; + key => 'proto', + value => $proto, + server => $openvpn_configname; "push1 ${openvpn_configname}": - key => 'push', - value => $push, - server => $openvpn_configname; + key => 'push', + value => $push, + server => $openvpn_configname; "push2 ${openvpn_configname}": - key => 'push', - value => '"redirect-gateway def1"', - server => $openvpn_configname; + key => 'push', + value => '"redirect-gateway def1"', + server => $openvpn_configname; + "push-ipv6 ${openvpn_configname}": + key => 'push', + value => '"route-ipv6 2000::/3"', + server => $openvpn_configname; "script-security ${openvpn_configname}": - key => 
'script-security', - value => '2', - server => $openvpn_configname; + key => 'script-security', + value => '1', + server => $openvpn_configname; "server ${openvpn_configname}": - key => 'server', - value => $server, - server => $openvpn_configname; + key => 'server', + value => $server, + server => $openvpn_configname; + "server-ipv6 ${openvpn_configname}": + key => 'server-ipv6', + value => '2001:db8:123::/64', + server => $openvpn_configname; "status ${openvpn_configname}": - key => 'status', - value => '/var/run/openvpn-status 10', - server => $openvpn_configname; + key => 'status', + value => '/var/run/openvpn-status 10', + server => $openvpn_configname; "status-version ${openvpn_configname}": - key => 'status-version', - value => '3', - server => $openvpn_configname; + key => 'status-version', + value => '3', + server => $openvpn_configname; "topology ${openvpn_configname}": - key => 'topology', - value => 'subnet', - server => $openvpn_configname; - # no need for server-up.sh right now - #"up $openvpn_configname": - # key => 'up', - # value => '/etc/openvpn/server-up.sh', - # server => $openvpn_configname; + key => 'topology', + value => 'subnet', + server => $openvpn_configname; "verb ${openvpn_configname}": - key => 'verb', - value => '3', - server => $openvpn_configname; + key => 'verb', + value => '3', + server => $openvpn_configname; } } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 7109b770..8fbba658 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
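Review bot: `server-ipv6 2001:db8:123::/64` and `push "route-ipv6 2000::/3"` are hard-coded inside a define that is instantiated once per server config (the four udp/tcp limited/unlimited prefixes in resolver.pp suggest up to four instances per host), so every openvpn instance on a node would announce the same /64 and every client would route all global IPv6 into a tunnel whose pool is the RFC 3849 documentation prefix. If the intent is to blackhole IPv6 so clients cannot leak around the tunnel, a comment next to these two options should say so and the prefix should still be unique per instance (a ULA range fits that purpose); if real IPv6 transit is intended, the pool needs to become a parameter the way `$server` and `$local` already are. `tun-ipv6` and `server-ipv6` also require the backported openvpn 2.3 that init.pp now pins, which deserves a comment here since the define would fail against the stock wheezy package.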
@@ -68,6 +68,22 @@ class site_shorewall::eip {
 destination => '$FW',
 action => 'leap_eip(ACCEPT)',
 order => 200;
+
+ 'block_eip_dns_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'domain',
+ order => 300;
+
+ 'block_eip_dns_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'domain',
+ order => 301;
 }
 # create dnat rule for each port
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 91a4a7a9..4f6d895f 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -6,7 +6,7 @@ class site_static {
 if (member($formats, 'amber')) {
 include site_config::ruby::dev
- rubygems::gem{'amber': }
+ rubygems::gem{'amber-0.3.0': }
 }
 create_resources(site_static::domain, $domains)
diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp
index 837665a3..b75c9ac3 100644
--- a/puppet/modules/site_stunnel/manifests/clients.pp
+++ b/puppet/modules/site_stunnel/manifests/clients.pp
@@ -22,7 +22,7 @@ define site_stunnel::clients (
 pid => "/var/run/stunnel4/${pid}.pid",
 rndfile => $rndfile,
 debuglevel => $debuglevel,
- require => [
+ subscribe => [
 Class['Site_config::X509::Key'],
 Class['Site_config::X509::Cert'],
 Class['Site_config::X509::Ca'] ];
diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp
index 02368a0e..e62cb12d 100644
--- a/puppet/modules/site_tor/manifests/init.pp
+++ b/puppet/modules/site_tor/manifests/init.pp
@@ -7,6 +7,7 @@ class site_tor {
 $tor_type = $tor['type']
 $nickname = $tor['nickname']
 $contact_emails = join($tor['contacts'],', ')
+ $family = $tor['family']
 $address = hiera('ip_address')
@@ -16,7 +17,7 @@ class site_tor {
 address => $address,
 contact_info => obfuscate_email($contact_emails),
 bandwidth_rate => $bandwidth_rate,
- my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050',
+ my_family => $family
 }
 if ( $tor_type == 'exit'){
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 98f8564e..6461c5e8 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,3 +1,4 @@
+<%- require 'json' -%>
 <%- cert_options = @webapp['client_certificates'] -%>
 production:
 admins: <%= @webapp['admins'].inspect %>
@@ -15,3 +16,5 @@ production:
 limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
 unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
 minimum_client_version: "<%= @webapp['client_version']['min'] %>"
+ default_service_level: "<%= @webapp['default_service_level'] %>"
+ service_levels: <%= @webapp['service_levels'].to_json %>
diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp
index 743e8a84..af1a96ac 100644
--- a/puppet/modules/tapicero/manifests/init.pp
+++ b/puppet/modules/tapicero/manifests/init.pp
@@ -56,6 +56,13 @@ class tapicero {
 group => 'tapicero',
 require => User['tapicero'];
+ # for pid file
+ '/var/run/tapicero':
+ ensure => directory,
+ owner => 'tapicero',
+ group => 'tapicero',
+ require => User['tapicero'];
+
 ##
 ## TAPICERO CONFIG
 ##
@@ -117,7 +124,7 @@ class tapicero {
 enable => true,
 hasstatus => true,
 hasrestart => true,
- require => File['/etc/init.d/tapicero'];
+ require => [ File['/etc/init.d/tapicero'], File['/var/run/tapicero'] ];
 }
 } |
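Review bot: The new `/var/run/tapicero` directory in tapicero/manifests/init.pp is created by Puppet only, but on Debian wheezy (the release this commit targets elsewhere via wheezy-backports) `/var/run` is a symlink into the tmpfs `/run`, so the directory disappears at every reboot and the service cannot write its pid file until the next Puppet run; the `require => [ File['/etc/init.d/tapicero'], File['/var/run/tapicero'] ]` added in the second hunk orders only the first start. The init script, which is outside this diff, should create the directory itself, e.g. `mkdir -p /var/run/tapicero && chown tapicero:tapicero /var/run/tapicero` in its start action, with this file resource kept for the initial provisioning. The directory also gets no explicit `mode`, so the permissions depend on the agent's umask; setting one makes the intent clear.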