authorMicah Anderson <micah@leap.se>2014-05-22 16:38:28 -0400
committerMicah Anderson <micah@leap.se>2014-05-22 16:38:28 -0400
commit6100b6ded99241f10e7fb12c13a0820fda084912 (patch)
tree863a9120010f32fdae304af94cd102c1da5096a6 /puppet/modules
parent327d5c934e408f90011d7949b89ab01fed88998e (diff)
parenta622e49c5df2150049afb6f6ed47177537b7e6da (diff)
Merge branch 'develop' (0.5.1)0.5.1
Change-Id: I4e9d845f9758232f4da0d4bfbf785e52982b825b
Diffstat (limited to 'puppet/modules')
-rw-r--r--puppet/modules/site_apt/manifests/preferences/openvpn.pp9
-rw-r--r--puppet/modules/site_apt/manifests/preferences/rsyslog.pp9
-rw-r--r--puppet/modules/site_apt/manifests/preferences/unbound.pp10
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/mx.pp2
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/soledad.pp2
-rw-r--r--puppet/modules/site_config/manifests/caching_resolver.pp18
-rw-r--r--puppet/modules/site_config/manifests/default.pp3
-rw-r--r--puppet/modules/site_config/manifests/initial_firewall.pp4
-rw-r--r--puppet/modules/site_config/manifests/syslog.pp16
-rw-r--r--puppet/modules/site_config/templates/ipv4firewall_up.rules.erb2
-rw-r--r--puppet/modules/site_config/templates/ipv6firewall_up.rules.erb1
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp7
-rw-r--r--puppet/modules/site_openvpn/manifests/resolver.pp58
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp170
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp16
-rw-r--r--puppet/modules/site_static/manifests/init.pp2
-rw-r--r--puppet/modules/site_stunnel/manifests/clients.pp2
-rw-r--r--puppet/modules/site_tor/manifests/init.pp3
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb3
-rw-r--r--puppet/modules/tapicero/manifests/init.pp9
20 files changed, 194 insertions, 152 deletions
diff --git a/puppet/modules/site_apt/manifests/preferences/openvpn.pp b/puppet/modules/site_apt/manifests/preferences/openvpn.pp
new file mode 100644
index 00000000..c7ddae25
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/openvpn.pp
@@ -0,0 +1,9 @@
+class site_apt::preferences::openvpn {
+
+ apt::preferences_snippet { 'openvpn':
+ package => 'openvpn',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999;
+ }
+
+}
diff --git a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp
new file mode 100644
index 00000000..132a6e24
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp
@@ -0,0 +1,9 @@
+class site_apt::preferences::rsyslog {
+
+ apt::preferences_snippet { 'rsyslog_anon_depends':
+ package => 'libestr0 librelp0 rsyslog*',
+ priority => '999',
+ pin => 'release a=wheezy-backports',
+ before => Class['rsyslog::install']
+ }
+}
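Review bot: The pin hardcodes `a=wheezy-backports` while the sibling snippets in openvpn.pp and unbound.pp derive the release from `${::lsbdistcodename}-backports`, so this one silently stops matching on any other codename. Writing it as `pin => "release a=${::lsbdistcodename}-backports",` keeps the three preference snippets consistent. The priority is also the string `'999'` here versus the bare integer `999` in the other two; either works, but the three files should agree.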
diff --git a/puppet/modules/site_apt/manifests/preferences/unbound.pp b/puppet/modules/site_apt/manifests/preferences/unbound.pp
new file mode 100644
index 00000000..6da964f9
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/unbound.pp
@@ -0,0 +1,10 @@
+class site_apt::preferences::unbound {
+
+ apt::preferences_snippet { 'unbound':
+ package => 'libunbound* unbound*',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999,
+ before => Class['unbound::package'];
+ }
+
+}
diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp
index 35a4e9a5..1e370125 100644
--- a/puppet/modules/site_check_mk/manifests/agent/mx.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp
@@ -8,7 +8,7 @@ class site_check_mk::agent::mx {
# local nagios plugin checks via mrpe
file_line {
'Leap_MX_Procs':
- line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a leap_mx',
+ line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/leap_mx.pid --rundir=/var/lib/leap_mx/ --python=/usr/share/app/leap_mx.tac --logfile=/var/log/leap_mx.log\'',
path => '/etc/check_mk/mrpe.cfg';
}
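Review bot: The `-a` argument now embeds the full twistd command line, which presumably duplicates the invocation in the service's init script, so any later change to the pid file, log file or tac path there makes this check report a missing process without anything actually being wrong. A comment pointing at the file this string must be kept in sync with, e.g. `# must match the twistd invocation in the leap_mx init script`, would make that coupling visible. The same applies to the soledad.pp hunk below.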
diff --git a/puppet/modules/site_check_mk/manifests/agent/soledad.pp b/puppet/modules/site_check_mk/manifests/agent/soledad.pp
index cbae81fe..512d1a3d 100644
--- a/puppet/modules/site_check_mk/manifests/agent/soledad.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/soledad.pp
@@ -7,7 +7,7 @@ class site_check_mk::agent::soledad {
# local nagios plugin checks via mrpe
file_line {
'Soledad_Procs':
- line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a soledad',
+ line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/soledad.pid --logfile=/var/log/soledad.log web --wsgi=leap.soledad.server.application\'',
path => '/etc/check_mk/mrpe.cfg';
}
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index 3d7b9206..1b8bd1a2 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -10,16 +10,16 @@ class site_config::caching_resolver {
# the newer unbound, then we will add 'include: /etc/unbound.d/*' to the
# configuration file
+ include site_apt::preferences::unbound
+
file {
+ # cleanup from how we used to do it
'/etc/unbound/conf.d':
- ensure => directory,
- owner => root, group => root, mode => '0755',
- require => Package['unbound'];
+ force => true,
+ ensure => absent;
'/etc/unbound/conf.d/placeholder':
- ensure => present,
- content => '',
- owner => root, group => root, mode => '0644';
+ ensure => absent;
}
class { 'unbound':
@@ -39,4 +39,10 @@ class site_config::caching_resolver {
}
}
}
+
+ concat::fragment { 'unbound glob include':
+ target => $unbound::params::config,
+ content => "include: /etc/unbound/unbound.conf.d/*.conf\n\n",
+ order => 10
+ }
}
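Review bot: The include glob `/etc/unbound/unbound.conf.d/*.conf` only matches files with a `.conf` suffix, but the fragments that resolver.pp now writes into that directory are titled `vpn_unlimited_udp_resolver`, `vpn_limited_tcp_resolver` and so on, with no suffix. Unless unbound's packaged configuration already picks those names up some other way, the VPN `interface:` and `access-control:` stanzas would never be loaded. Either widen the fragment to `include: /etc/unbound/unbound.conf.d/*` or append `.conf` to the four `file` and four `tidy` titles in resolver.pp. The same mismatch applies to the resolver.pp hunk below.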
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 7e421a21..c7352857 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -27,6 +27,9 @@ class site_config::default {
if $::ec2_instance_id {
include site_config::dhclient
}
+ if $::virtual == 'virtualbox' {
+ include site_config::dhclient
+ }
# configure /etc/resolv.conf
include site_config::resolvconf
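Review bot: The new `virtualbox` branch duplicates the body of the `$::ec2_instance_id` branch directly above it, so the two would read better as a single guard: `if $::ec2_instance_id or $::virtual == 'virtualbox' { include site_config::dhclient }`. A one-line comment on why VirtualBox guests need the dhclient handling would also help the next reader, since the reason is not stated for either case.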
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp
index 51cceb31..93cfb847 100644
--- a/puppet/modules/site_config/manifests/initial_firewall.pp
+++ b/puppet/modules/site_config/manifests/initial_firewall.pp
@@ -51,12 +51,14 @@ class site_config::initial_firewall {
command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
logoutput => true,
unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ subscribe => File['/etc/network/ipv4firewall_up.rules'],
require => File['/etc/network/ipv4firewall_up.rules'];
'default_ipv6_firewall':
command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
logoutput => true,
- unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
+ unless => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status',
+ subscribe => File['/etc/network/ipv6firewall_up.rules'],
require => File['/etc/network/ipv6firewall_up.rules'];
}
}
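Review bot: `subscribe => File[...]` already implies the ordering that `require => File[...]` provides, so the `require` lines kept on both exec resources are now redundant and can be dropped. Re-running `iptables-restore` whenever the rules file changes is the right behaviour for a bootstrap firewall, but a comment such as `# stopgap until shorewall is installed and running; see the unless guard` would make clear why the exec is skipped once shorewall is up. The `shorewall6` correction in the IPv6 `unless` looks right.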
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
index d3abeca1..26c65f02 100644
--- a/puppet/modules/site_config/manifests/syslog.pp
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -1,20 +1,6 @@
class site_config::syslog {
- # we need to pull in rsyslog from the leap repository until it is availbale in
- # wheezy-backports
- apt::preferences_snippet { 'fixed_rsyslog_anon_package':
- package => 'rsyslog*',
- priority => '999',
- pin => 'release o=leap.se',
- before => Class['rsyslog::install']
- }
-
- apt::preferences_snippet { 'rsyslog_anon_depends':
- package => 'libestr0 librelp0',
- priority => '999',
- pin => 'release a=wheezy-backports',
- before => Class['rsyslog::install']
- }
+ include site_apt::preferences::rsyslog
class { 'rsyslog::client':
log_remote => false,
diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
index 524ae308..928a2b31 100644
--- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
@@ -5,6 +5,7 @@
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport <%= @ssh_port %> -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
@@ -13,6 +14,7 @@
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
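Review bot: The new rules open TCP/22 unconditionally alongside the `<%= @ssh_port %>` rules, so when `ssh_port` is 22 the rule is simply duplicated, and when it is anything else the bootstrap firewall now also admits port 22 whether or not sshd listens there. If the intent is to avoid locking an operator out while `ssh_port` is being changed, wrapping the two extra rules in `<% if @ssh_port.to_s != '22' -%>` ... `<% end -%>` with a comment stating that purpose keeps the exception explicit. Without that, the extra accept reads like a leftover and widens the initial rule set for no documented reason.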
diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
index e7fae52e..e2c92524 100644
--- a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
+++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
@@ -3,5 +3,6 @@
:INPUT DROP [24:1980]
:FORWARD DROP [0:0]
:OUTPUT DROP [14:8030]
+-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
# Completed on Tue Aug 20 12:19:43 2013
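Review bot: Adding `-A OUTPUT -j REJECT` under a chain whose policy is already `DROP` changes the failure mode for outbound IPv6 from a silent timeout to an immediate ICMPv6 error, which is presumably the point; a comment saying so would stop someone later "fixing" the apparent contradiction. Unlike the IPv4 template, this chain has no `-o lo -j ACCEPT`, so traffic to `::1` is refused as well — fine if nothing binds to the IPv6 loopback before shorewall6 takes over, but worth stating in the same comment.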
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 7aec0faa..b6331f12 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -168,9 +168,14 @@ class site_openvpn {
include site_shorewall::eip
+ # In wheezy, we need the openvpn backport to get the 2.3 version of
+ # openvpn which has proper ipv6 support
+ include site_apt::preferences::openvpn
+
package {
'openvpn':
- ensure => installed;
+ ensure => latest,
+ require => Class['site_apt::preferences::openvpn'];
}
service {
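Review bot: `ensure => latest` is what actually moves an already-installed wheezy openvpn onto the backport, but it also means any later backports upload is applied, with the accompanying restart, on the next agent run rather than on an operator's decision. If that trade-off is intended, extend the comment above the include to say so, e.g. `# 'latest' is needed so existing wheezy installs are upgraded to the backport`. It is also worth confirming that the preferences snippet triggers an apt index refresh before this package resource is evaluated, since the `require` on the class alone does not guarantee that.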
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c74fb509..c1367a33 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -3,82 +3,48 @@ class site_openvpn::resolver {
if $site_openvpn::openvpn_allow_unlimited {
$ensure_unlimited = 'present'
file {
- '/etc/unbound/conf.d/vpn_unlimited_udp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver':
content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver':
content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
}
} else {
$ensure_unlimited = 'absent'
- tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': }
- tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': }
}
if $site_openvpn::openvpn_allow_limited {
$ensure_limited = 'present'
file {
- '/etc/unbound/conf.d/vpn_limited_udp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver':
content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/conf.d/vpn_limited_tcp_resolver':
+ '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver':
content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
- require => Service['openvpn'],
+ require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
}
} else {
$ensure_limited = 'absent'
- tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': }
- tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': }
}
-
- # this is an unfortunate way to get around the fact that the version of
- # unbound we are working with does not accept a wildcard include directive
- # (/etc/unbound/conf.d/*), when it does, these line definitions should
- # go away and instead the caching_resolver should be configured to
- # include: /etc/unbound/conf.d/*
-
- file_line {
- 'add_unlimited_tcp_resolver':
- ensure => $ensure_unlimited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_unlimited_udp_resolver':
- ensure => $ensure_unlimited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_limited_tcp_resolver':
- ensure => $ensure_limited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- 'add_limited_udp_resolver':
- ensure => $ensure_limited,
- path => '/etc/unbound/unbound.conf',
- line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver',
- notify => Service['unbound'],
- require => [ Package['openvpn'], Package['unbound'] ];
- }
-
}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index b1f4997c..97cf2842 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -60,12 +60,13 @@ define site_openvpn::server_config(
concat {
"/etc/openvpn/${openvpn_configname}.conf":
- owner => root,
- group => root,
- mode => 644,
- warn => true,
- require => File['/etc/openvpn'],
- notify => Exec['restart_openvpn'];
+ owner => root,
+ group => root,
+ mode => 644,
+ warn => true,
+ require => File['/etc/openvpn'],
+ before => Service['openvpn'],
+ notify => Exec['restart_openvpn'];
}
if $tls_remote != undef {
@@ -77,101 +78,116 @@ define site_openvpn::server_config(
}
}
+ # according to openvpn man page: tcp-nodelay is a "generally a good latency optimization".
+ if $proto == 'tcp' {
+ openvpn::option {
+ "tcp-nodelay ${openvpn_configname}":
+ key => 'tcp-nodelay',
+ server => $openvpn_configname;
+ }
+ }
+
openvpn::option {
"ca ${openvpn_configname}":
- key => 'ca',
- value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
- server => $openvpn_configname;
+ key => 'ca',
+ value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
+ server => $openvpn_configname;
"cert ${openvpn_configname}":
- key => 'cert',
- value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
+ key => 'cert',
+ value => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
server => $openvpn_configname;
"key ${openvpn_configname}":
- key => 'key',
- value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
- server => $openvpn_configname;
+ key => 'key',
+ value => "${x509::variables::keys}/${site_config::params::cert_name}.key",
+ server => $openvpn_configname;
"dh ${openvpn_configname}":
- key => 'dh',
- value => '/etc/openvpn/keys/dh.pem',
- server => $openvpn_configname;
+ key => 'dh',
+ value => '/etc/openvpn/keys/dh.pem',
+ server => $openvpn_configname;
"tls-cipher ${openvpn_configname}":
- key => 'tls-cipher',
- value => $config['tls-cipher'],
- server => $openvpn_configname;
+ key => 'tls-cipher',
+ value => $config['tls-cipher'],
+ server => $openvpn_configname;
"auth ${openvpn_configname}":
- key => 'auth',
- value => $config['auth'],
- server => $openvpn_configname;
+ key => 'auth',
+ value => $config['auth'],
+ server => $openvpn_configname;
"cipher ${openvpn_configname}":
- key => 'cipher',
- value => $config['cipher'],
- server => $openvpn_configname;
+ key => 'cipher',
+ value => $config['cipher'],
+ server => $openvpn_configname;
"dev ${openvpn_configname}":
- key => 'dev',
- value => 'tun',
- server => $openvpn_configname;
+ key => 'dev',
+ value => 'tun',
+ server => $openvpn_configname;
+ "tun-ipv6 ${openvpn_configname}":
+ key => 'tun-ipv6',
+ server => $openvpn_configname;
"duplicate-cn ${openvpn_configname}":
- key => 'duplicate-cn',
- server => $openvpn_configname;
+ key => 'duplicate-cn',
+ server => $openvpn_configname;
"keepalive ${openvpn_configname}":
- key => 'keepalive',
- value => $config['keepalive'],
- server => $openvpn_configname;
+ key => 'keepalive',
+ value => $config['keepalive'],
+ server => $openvpn_configname;
"local ${openvpn_configname}":
- key => 'local',
- value => $local,
- server => $openvpn_configname;
+ key => 'local',
+ value => $local,
+ server => $openvpn_configname;
"mute ${openvpn_configname}":
- key => 'mute',
- value => '5',
- server => $openvpn_configname;
+ key => 'mute',
+ value => '5',
+ server => $openvpn_configname;
"mute-replay-warnings ${openvpn_configname}":
- key => 'mute-replay-warnings',
- server => $openvpn_configname;
+ key => 'mute-replay-warnings',
+ server => $openvpn_configname;
"management ${openvpn_configname}":
- key => 'management',
- value => $management,
- server => $openvpn_configname;
+ key => 'management',
+ value => $management,
+ server => $openvpn_configname;
"proto ${openvpn_configname}":
- key => 'proto',
- value => $proto,
- server => $openvpn_configname;
+ key => 'proto',
+ value => $proto,
+ server => $openvpn_configname;
"push1 ${openvpn_configname}":
- key => 'push',
- value => $push,
- server => $openvpn_configname;
+ key => 'push',
+ value => $push,
+ server => $openvpn_configname;
"push2 ${openvpn_configname}":
- key => 'push',
- value => '"redirect-gateway def1"',
- server => $openvpn_configname;
+ key => 'push',
+ value => '"redirect-gateway def1"',
+ server => $openvpn_configname;
+ "push-ipv6 ${openvpn_configname}":
+ key => 'push',
+ value => '"route-ipv6 2000::/3"',
+ server => $openvpn_configname;
"script-security ${openvpn_configname}":
- key => 'script-security',
- value => '2',
- server => $openvpn_configname;
+ key => 'script-security',
+ value => '1',
+ server => $openvpn_configname;
"server ${openvpn_configname}":
- key => 'server',
- value => $server,
- server => $openvpn_configname;
+ key => 'server',
+ value => $server,
+ server => $openvpn_configname;
+ "server-ipv6 ${openvpn_configname}":
+ key => 'server-ipv6',
+ value => '2001:db8:123::/64',
+ server => $openvpn_configname;
"status ${openvpn_configname}":
- key => 'status',
- value => '/var/run/openvpn-status 10',
- server => $openvpn_configname;
+ key => 'status',
+ value => '/var/run/openvpn-status 10',
+ server => $openvpn_configname;
"status-version ${openvpn_configname}":
- key => 'status-version',
- value => '3',
- server => $openvpn_configname;
+ key => 'status-version',
+ value => '3',
+ server => $openvpn_configname;
"topology ${openvpn_configname}":
- key => 'topology',
- value => 'subnet',
- server => $openvpn_configname;
- # no need for server-up.sh right now
- #"up $openvpn_configname":
- # key => 'up',
- # value => '/etc/openvpn/server-up.sh',
- # server => $openvpn_configname;
+ key => 'topology',
+ value => 'subnet',
+ server => $openvpn_configname;
"verb ${openvpn_configname}":
- key => 'verb',
- value => '3',
- server => $openvpn_configname;
+ key => 'verb',
+ value => '3',
+ server => $openvpn_configname;
}
}
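Review bot: `server-ipv6` is hardcoded to `2001:db8:123::/64`, which is the RFC 3849 documentation prefix, and the same literal lands in every instance of this define, whereas the IPv4 pool comes from the per-instance `$server` parameter. Two openvpn servers built by this define would therefore hand out overlapping IPv6 addresses, and clients pushed `route-ipv6 2000::/3` would source their global IPv6 traffic from a non-routable prefix unless something outside this file translates it. Make the pool a parameter of the define mirroring `$server` (the define's signature is outside this hunk), and if IPv6 is not yet ready for production, make the `tun-ipv6`, `server-ipv6` and `push-ipv6` options conditional on that parameter being set. The change of `script-security` from `2` to `1` is a good tightening now that the `up` hook is gone and deserves a one-line comment saying so.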
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 7109b770..8fbba658 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -68,6 +68,22 @@ class site_shorewall::eip {
destination => '$FW',
action => 'leap_eip(ACCEPT)',
order => 200;
+
+ 'block_eip_dns_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => 'domain',
+ order => 300;
+
+ 'block_eip_dns_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => 'domain',
+ order => 301;
}
# create dnat rule for each port
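Review bot: The two DNS rejects are ordered at 300 and 301, after the `leap_eip(ACCEPT)` rule at 200, and shorewall evaluates rules first-match, so they only take effect if no lower-ordered rule already accepts `eip` to `net` traffic; if a general eip-to-net ACCEPT exists elsewhere in this class they are shadowed and VPN clients can still reach outside resolvers. If the intent is to confine clients to the gateway's caching resolver, confirm the ordering against the rest of the rule set and document it, e.g. `# must sort before any eip->net ACCEPT so clients can only use the local resolver`. Covering both udp and tcp port 53 is right, since a udp-only block would be bypassed by TCP fallback.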
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 91a4a7a9..4f6d895f 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -6,7 +6,7 @@ class site_static {
if (member($formats, 'amber')) {
include site_config::ruby::dev
- rubygems::gem{'amber': }
+ rubygems::gem{'amber-0.3.0': }
}
create_resources(site_static::domain, $domains)
diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp
index 837665a3..b75c9ac3 100644
--- a/puppet/modules/site_stunnel/manifests/clients.pp
+++ b/puppet/modules/site_stunnel/manifests/clients.pp
@@ -22,7 +22,7 @@ define site_stunnel::clients (
pid => "/var/run/stunnel4/${pid}.pid",
rndfile => $rndfile,
debuglevel => $debuglevel,
- require => [
+ subscribe => [
Class['Site_config::X509::Key'],
Class['Site_config::X509::Cert'],
Class['Site_config::X509::Ca'] ];
diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp
index 02368a0e..e62cb12d 100644
--- a/puppet/modules/site_tor/manifests/init.pp
+++ b/puppet/modules/site_tor/manifests/init.pp
@@ -7,6 +7,7 @@ class site_tor {
$tor_type = $tor['type']
$nickname = $tor['nickname']
$contact_emails = join($tor['contacts'],', ')
+ $family = $tor['family']
$address = hiera('ip_address')
@@ -16,7 +17,7 @@ class site_tor {
address => $address,
contact_info => obfuscate_email($contact_emails),
bandwidth_rate => $bandwidth_rate,
- my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050',
+ my_family => $family
}
if ( $tor_type == 'exit'){
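Review bot: `$family = $tor['family']` has no fallback, so on a node whose tor hash lacks a `family` key the value is undef and `my_family` falls back to whatever the tor module's own default is, which may differ from the previous explicit fingerprint; if MyFamily is meant to be mandatory for this deployment's relays, add an explicit check or a documented default. Reading the family from configuration instead of a single hardcoded fingerprint is the right direction, since MyFamily only does its job when every relay of the operator lists all the others, and a comment next to the assignment stating that expectation would help.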
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 98f8564e..6461c5e8 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,3 +1,4 @@
+<%- require 'json' -%>
<%- cert_options = @webapp['client_certificates'] -%>
production:
admins: <%= @webapp['admins'].inspect %>
@@ -15,3 +16,5 @@ production:
limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
minimum_client_version: "<%= @webapp['client_version']['min'] %>"
+ default_service_level: "<%= @webapp['default_service_level'] %>"
+ service_levels: <%= @webapp['service_levels'].to_json %>
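Review bot: `service_levels: <%= @webapp['service_levels'].to_json %>` emits a JSON flow mapping inline, which YAML parsers generally accept, but it is inconsistent with the `.inspect` used for `admins` at the top of the file, and the two produce different syntaxes for the same kind of value. If the key is absent `nil.to_json` yields `null`, so the template degrades gracefully; a comment on the `require 'json'` line, e.g. `<%- require 'json' # for to_json below -%>`, would explain why the template loads a library. Moving the remaining `.inspect` uses to `.to_json` in a follow-up would make the file uniform.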
diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp
index 743e8a84..af1a96ac 100644
--- a/puppet/modules/tapicero/manifests/init.pp
+++ b/puppet/modules/tapicero/manifests/init.pp
@@ -56,6 +56,13 @@ class tapicero {
group => 'tapicero',
require => User['tapicero'];
+ # for pid file
+ '/var/run/tapicero':
+ ensure => directory,
+ owner => 'tapicero',
+ group => 'tapicero',
+ require => User['tapicero'];
+
##
## TAPICERO CONFIG
##
@@ -117,7 +124,7 @@ class tapicero {
enable => true,
hasstatus => true,
hasrestart => true,
- require => File['/etc/init.d/tapicero'];
+ require => [ File['/etc/init.d/tapicero'], File['/var/run/tapicero'] ];
}
}
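Review bot: `/var/run/tapicero` is created by a `file` resource, but `/var/run` is typically a tmpfs on wheezy, so the directory disappears at reboot and only returns on the next agent run; if the init script in `/etc/init.d/tapicero` does not create its pid directory itself, the service can fail to start after a reboot even though the catalogue is correct. Check that script and, if it lacks a mkdir, prefer having it create the directory over relying on puppet. The directory is also declared without a `mode`, so spelling out `mode => '0755',` avoids depending on the resource default. The `require` on `File['/var/run/tapicero']` in the second hunk is fine once that is sorted.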