summaryrefslogtreecommitdiff
path: root/puppet/modules
diff options
context:
space:
mode:
authorkwadronaut <kwadronaut@leap.se>2015-11-12 10:00:27 +0100
committerkwadronaut <kwadronaut@leap.se>2015-11-12 10:00:27 +0100
commit92cc2b1118e98a4fb086d7c62a140dbfc845f4b0 (patch)
tree92896619c0cf4ace177cecfbdea6cbbbb9bc8419 /puppet/modules
parent81467100826ad95266a4c29b11a2ecef759dd782 (diff)
parent7d0b6b25e49a1ccb70c4f502f7dfc58878b900cc (diff)
Merge remote-tracking branch 'origin/develop' into HEAD
Diffstat (limited to 'puppet/modules')
m---------puppet/modules/apt0
-rw-r--r--puppet/modules/clamav/files/01-leap.conf58
-rw-r--r--puppet/modules/clamav/files/clamav-daemon_default8
-rw-r--r--puppet/modules/clamav/files/clamav-milter_default14
-rw-r--r--puppet/modules/clamav/manifests/daemon.pp90
-rw-r--r--puppet/modules/clamav/manifests/freshclam.pp23
-rw-r--r--puppet/modules/clamav/manifests/init.pp8
-rw-r--r--puppet/modules/clamav/manifests/milter.pp50
-rw-r--r--puppet/modules/clamav/manifests/unofficial_sigs.pp23
-rw-r--r--puppet/modules/clamav/templates/clamav-milter.conf.erb28
-rw-r--r--puppet/modules/clamav/templates/local.pdb.erb1
-rw-r--r--puppet/modules/clamav/templates/whitelisted_addresses.erb5
m---------puppet/modules/couchdb0
-rw-r--r--puppet/modules/leap/manifests/cli/install.pp33
-rw-r--r--puppet/modules/leap_mx/manifests/init.pp22
m---------puppet/modules/nagios0
-rw-r--r--puppet/modules/opendkim/manifests/init.pp38
-rw-r--r--puppet/modules/opendkim/templates/opendkim.conf44
m---------puppet/modules/postfix0
-rw-r--r--puppet/modules/postfwd/files/postfwd_default19
-rw-r--r--puppet/modules/postfwd/manifests/init.pp42
-rw-r--r--puppet/modules/postfwd/templates/postfwd.cf.erb28
m---------puppet/modules/ruby0
-rw-r--r--puppet/modules/site_apache/manifests/common.pp21
-rw-r--r--puppet/modules/site_apache/manifests/common/tls.pp6
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/common.conf.erb2
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb10
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg2
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg5
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg5
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg11
-rw-r--r--puppet/modules/site_check_mk/files/extra_host_conf.mk6
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/couchdb.pp41
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp49
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp23
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/tapicero.pp26
-rw-r--r--puppet/modules/site_check_mk/manifests/server.pp2
-rw-r--r--puppet/modules/site_check_mk/templates/extra_host_conf.mk13
-rw-r--r--puppet/modules/site_config/manifests/default.pp7
-rw-r--r--puppet/modules/site_config/manifests/remove.pp4
-rw-r--r--puppet/modules/site_config/manifests/remove/files.pp (renamed from puppet/modules/site_config/manifests/remove_files.pp)22
-rw-r--r--puppet/modules/site_config/manifests/remove/monitoring.pp10
-rw-r--r--puppet/modules/site_config/manifests/remove/tapicero.pp69
-rw-r--r--puppet/modules/site_config/manifests/remove/webapp.pp7
-rw-r--r--puppet/modules/site_config/manifests/x509/dkim/key.pp13
-rw-r--r--puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json22
-rw-r--r--puppet/modules/site_couchdb/manifests/add_users.pp11
-rw-r--r--puppet/modules/site_couchdb/manifests/bigcouch.pp3
-rw-r--r--puppet/modules/site_couchdb/manifests/create_dbs.pp9
-rw-r--r--puppet/modules/site_couchdb/manifests/designs.pp13
-rw-r--r--puppet/modules/site_couchdb/manifests/init.pp9
-rw-r--r--puppet/modules/site_couchdb/manifests/master.pp2
-rw-r--r--puppet/modules/site_couchdb/manifests/setup.pp35
-rw-r--r--puppet/modules/site_nagios/files/configs/Debian/nagios.cfg2
-rw-r--r--puppet/modules/site_nagios/manifests/init.pp4
-rw-r--r--puppet/modules/site_nagios/manifests/server.pp1
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp7
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp26
-rw-r--r--puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp15
-rw-r--r--puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp11
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp2
-rw-r--r--puppet/modules/site_postfix/manifests/mx/static_aliases.pp88
-rw-r--r--puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb13
-rw-r--r--puppet/modules/site_postfix/templates/virtual-aliases.erb21
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp18
-rw-r--r--puppet/modules/site_static/manifests/init.pp20
-rw-r--r--puppet/modules/site_static/templates/apache.conf.erb2
-rw-r--r--puppet/modules/site_webapp/files/server-status.conf28
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp3
-rw-r--r--puppet/modules/site_webapp/manifests/common_vhost.pp18
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp16
-rw-r--r--puppet/modules/site_webapp/manifests/cron.pp4
-rw-r--r--puppet/modules/site_webapp/manifests/hidden_service.pp10
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp10
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb63
-rw-r--r--puppet/modules/soledad/manifests/client.pp18
-rw-r--r--puppet/modules/soledad/manifests/common.pp6
-rw-r--r--puppet/modules/soledad/manifests/init.pp29
-rw-r--r--puppet/modules/soledad/manifests/server.pp67
-rw-r--r--puppet/modules/soledad/templates/soledad-server.conf.erb11
-rwxr-xr-xpuppet/modules/tapicero/files/tapicero.init60
-rw-r--r--puppet/modules/tapicero/manifests/init.pp137
-rw-r--r--puppet/modules/tapicero/templates/tapicero.yaml.erb52
m---------puppet/modules/unbound0
84 files changed, 1229 insertions, 525 deletions
diff --git a/puppet/modules/apt b/puppet/modules/apt
-Subproject fca103484ddc1f647a54135b6a902edabf45955
+Subproject ab90d1d0fe9655d367c637e95dff59e4dbe2dd3
diff --git a/puppet/modules/clamav/files/01-leap.conf b/puppet/modules/clamav/files/01-leap.conf
new file mode 100644
index 00000000..abeeb302
--- /dev/null
+++ b/puppet/modules/clamav/files/01-leap.conf
@@ -0,0 +1,58 @@
+# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and
+# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module
+# are installed on the system, and you want to report whether clamd
+# is running or not, uncomment the "clamd_socket" variable below (you
+# will be warned if neither socat nor IO::Socket::UNIX are found, but
+# the script will still run). You will also need to set the correct
+# path to your clamd socket file (if unsure of the path, check the
+# "LocalSocket" setting in your clamd.conf file for socket location).
+clamd_socket="/run/clamav/clamd.ctl"
+
+# If you would like to attempt to restart ClamD if detected not running,
+# uncomment the next 2 lines. Confirm the path to the "clamd_lock" file
+# (usually can be found in the clamd init script) and also enter the clamd
+# start command for your particular distro for the "start_clamd" variable
+# (the sample start command shown below should work for most linux distros).
+# NOTE: these 2 variables are dependant on the "clamd_socket" variable
+# shown above - if not enabled, then the following 2 variables will be
+# ignored, whether enabled or not.
+clamd_lock="/run/clamav/clamd.pid"
+start_clamd="service clamav-daemon start"
+
+ss_dbs="
+ junk.ndb
+ phish.ndb
+ rogue.hdb
+ sanesecurity.ftm
+ scam.ndb
+ sigwhitelist.ign2
+ spamattach.hdb
+ spamimg.hdb
+ winnow.attachments.hdb
+ winnow_bad_cw.hdb
+ winnow_extended_malware.hdb
+ winnow_malware.hdb
+ winnow_malware_links.ndb
+ malwarehash.hsb
+ doppelstern.hdb
+ bofhland_cracked_URL.ndb
+ bofhland_malware_attach.hdb
+ bofhland_malware_URL.ndb
+ bofhland_phishing_URL.ndb
+ crdfam.clamav.hdb
+ phishtank.ndb
+ porcupine.ndb
+ spear.ndb
+ spearl.ndb
+"
+
+# ========================
+# SecuriteInfo Database(s)
+# ========================
+# Add or remove database file names between quote marks as needed. To
+# disable any SecuriteInfo database downloads, remove the appropriate
+# lines below. To disable all SecuriteInfo database file downloads,
+# comment all of the following lines.
+si_dbs=""
+
+mbl_dbs="" \ No newline at end of file
diff --git a/puppet/modules/clamav/files/clamav-daemon_default b/puppet/modules/clamav/files/clamav-daemon_default
new file mode 100644
index 00000000..b4cd6a4f
--- /dev/null
+++ b/puppet/modules/clamav/files/clamav-daemon_default
@@ -0,0 +1,8 @@
+# This is a file designed only t0 set special environment variables
+# eg TMP or TMPDIR. It is sourced from a shell script, so anything
+# put in here must be in variable=value format, suitable for sourcing
+# from a shell script.
+# Examples:
+# export TMPDIR=/dev/shm
+export TMP=/var/tmp
+export TMPDIR=/var/tmp
diff --git a/puppet/modules/clamav/files/clamav-milter_default b/puppet/modules/clamav/files/clamav-milter_default
new file mode 100644
index 00000000..5e33e822
--- /dev/null
+++ b/puppet/modules/clamav/files/clamav-milter_default
@@ -0,0 +1,14 @@
+#
+# clamav-milter init options
+#
+
+## SOCKET_RWGROUP
+# by default, the socket created by the milter has permissions
+# clamav:clamav:755. SOCKET_RWGROUP changes the group and changes the
+# permissions to 775 to give read-write access to that group.
+#
+# If you are using postfix to speak to the milter, you have to give permission
+# to the postfix group to write
+#
+SOCKET_RWGROUP=postfix
+export TMPDIR=/var/tmp
diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp
new file mode 100644
index 00000000..bf232e2c
--- /dev/null
+++ b/puppet/modules/clamav/manifests/daemon.pp
@@ -0,0 +1,90 @@
+class clamav::daemon {
+
+ $domain_hash = hiera('domain')
+ $domain = $domain_hash['full_suffix']
+
+ package { [ 'clamav-daemon', 'arj' ]:
+ ensure => installed;
+ }
+
+ service {
+ 'clamav-daemon':
+ ensure => running,
+ name => clamav-daemon,
+ pattern => '/usr/sbin/clamd',
+ enable => true,
+ hasrestart => true,
+ subscribe => File['/etc/default/clamav-daemon'],
+ require => Package['clamav-daemon'];
+ }
+
+ file {
+ '/var/run/clamav':
+ ensure => directory,
+ mode => '0750',
+ owner => clamav,
+ group => postfix,
+ require => [Package['postfix'], Package['clamav-daemon']];
+
+ '/var/lib/clamav':
+ mode => '0755',
+ owner => clamav,
+ group => clamav,
+ require => Package['clamav-daemon'];
+
+ '/etc/default/clamav-daemon':
+ source => 'puppet:///modules/clamav/clamav-daemon_default',
+ mode => '0644',
+ owner => root,
+ group => root;
+
+ # this file contains additional domains that we want the clamav
+ # phishing process to look for (our domain)
+ '/var/lib/clamav/local.pdb':
+ content => template('clamav/local.pdb.erb'),
+ mode => '0644',
+ owner => clamav,
+ group => clamav,
+ require => Package['clamav-daemon'];
+ }
+
+ file_line {
+ 'clamav_daemon_tmp':
+ path => '/etc/clamav/clamd.conf',
+ line => 'TemporaryDirectory /var/tmp',
+ require => Package['clamav-daemon'],
+ notify => Service['clamav-daemon'];
+
+ 'enable_phishscanurls':
+ path => '/etc/clamav/clamd.conf',
+ match => 'PhishingScanURLs no',
+ line => 'PhishingScanURLs yes',
+ require => Package['clamav-daemon'],
+ notify => Service['clamav-daemon'];
+
+ 'clamav_LogSyslog_true':
+ path => '/etc/clamav/clamd.conf',
+ match => '^LogSyslog false',
+ line => 'LogSyslog true',
+ require => Package['clamav-daemon'],
+ notify => Service['clamav-daemon'];
+
+ 'clamav_MaxThreads':
+ path => '/etc/clamav/clamd.conf',
+ match => 'MaxThreads 20',
+ line => 'MaxThreads 100',
+ require => Package['clamav-daemon'],
+ notify => Service['clamav-daemon'];
+ }
+
+ # remove LogFile line
+ file_line {
+ 'clamav_LogFile':
+ path => '/etc/clamav/clamd.conf',
+ match => '^LogFile .*',
+ line => '',
+ require => Package['clamav-daemon'],
+ notify => Service['clamav-daemon'];
+ }
+
+}
diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp
new file mode 100644
index 00000000..80c822a4
--- /dev/null
+++ b/puppet/modules/clamav/manifests/freshclam.pp
@@ -0,0 +1,23 @@
+class clamav::freshclam {
+
+ package { 'clamav-freshclam': ensure => installed }
+
+ service {
+ 'freshclam':
+ ensure => running,
+ enable => true,
+ name => clamav-freshclam,
+ pattern => '/usr/bin/freshclam',
+ hasrestart => true,
+ require => Package['clamav-freshclam'];
+ }
+
+ file_line {
+ 'freshclam_notify':
+ path => '/etc/clamav/freshclam.conf',
+ line => 'NotifyClamd /etc/clamav/clamd.conf',
+ require => Package['clamav-freshclam'],
+ notify => Service['freshclam'];
+ }
+
+}
diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp
new file mode 100644
index 00000000..de8fb4dc
--- /dev/null
+++ b/puppet/modules/clamav/manifests/init.pp
@@ -0,0 +1,8 @@
+class clamav {
+
+ include clamav::daemon
+ include clamav::milter
+ include clamav::unofficial_sigs
+ include clamav::freshclam
+
+}
diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp
new file mode 100644
index 00000000..e8a85e3f
--- /dev/null
+++ b/puppet/modules/clamav/manifests/milter.pp
@@ -0,0 +1,50 @@
+class clamav::milter {
+
+ $clamav = hiera('clamav')
+ $whitelisted_addresses = $clamav['whitelisted_addresses']
+ $domain_hash = hiera('domain')
+ $domain = $domain_hash['full_suffix']
+
+ package { 'clamav-milter': ensure => installed }
+
+ service {
+ 'clamav-milter':
+ ensure => running,
+ enable => true,
+ name => clamav-milter,
+ pattern => '/usr/sbin/clamav-milter',
+ hasrestart => true,
+ require => Package['clamav-milter'],
+ subscribe => File['/etc/default/clamav-milter'];
+ }
+
+ file {
+ '/run/clamav/milter.ctl':
+ mode => '0666',
+ owner => clamav,
+ group => postfix,
+ require => Class['clamav::daemon'];
+
+ '/etc/clamav/clamav-milter.conf':
+ content => template('clamav/clamav-milter.conf.erb'),
+ mode => '0644',
+ owner => root,
+ group => root,
+ require => Package['clamav-milter'],
+ subscribe => Service['clamav-milter'];
+
+ '/etc/default/clamav-milter':
+ source => 'puppet:///modules/clamav/clamav-milter_default',
+ mode => '0644',
+ owner => root,
+ group => root;
+
+ '/etc/clamav/whitelisted_addresses':
+ content => template('clamav/whitelisted_addresses.erb'),
+ mode => '0644',
+ owner => root,
+ group => root,
+ require => Package['clamav-milter'];
+ }
+
+}
diff --git a/puppet/modules/clamav/manifests/unofficial_sigs.pp b/puppet/modules/clamav/manifests/unofficial_sigs.pp
new file mode 100644
index 00000000..2d849585
--- /dev/null
+++ b/puppet/modules/clamav/manifests/unofficial_sigs.pp
@@ -0,0 +1,23 @@
+class clamav::unofficial_sigs {
+
+ package { 'clamav-unofficial-sigs':
+ ensure => installed
+ }
+
+ ensure_packages(['wget', 'gnupg', 'socat', 'rsync', 'curl'])
+
+ file {
+ '/var/log/clamav-unofficial-sigs.log':
+ ensure => file,
+ owner => clamav,
+ group => clamav,
+ require => Package['clamav-unofficial-sigs'];
+
+ '/etc/clamav-unofficial-sigs.conf.d/01-leap.conf':
+ source => 'puppet:///modules/clamav/01-leap.conf',
+ mode => '0755',
+ owner => root,
+ group => root,
+ require => Package['clamav-unofficial-sigs'];
+ }
+}
diff --git a/puppet/modules/clamav/templates/clamav-milter.conf.erb b/puppet/modules/clamav/templates/clamav-milter.conf.erb
new file mode 100644
index 00000000..9bf7099e
--- /dev/null
+++ b/puppet/modules/clamav/templates/clamav-milter.conf.erb
@@ -0,0 +1,28 @@
+# THIS FILE MANAGED BY PUPPET
+MilterSocket /var/run/clamav/milter.ctl
+FixStaleSocket true
+User clamav
+MilterSocketGroup clamav
+MilterSocketMode 666
+AllowSupplementaryGroups true
+ReadTimeout 120
+Foreground false
+PidFile /var/run/clamav/clamav-milter.pid
+ClamdSocket unix:/var/run/clamav/clamd.ctl
+OnClean Accept
+OnInfected Reject
+OnFail Defer
+AddHeader Replace
+LogSyslog true
+LogFacility LOG_LOCAL6
+LogVerbose yes
+LogInfected Basic
+LogTime true
+LogFileUnlock false
+LogClean Off
+LogRotate true
+SupportMultipleRecipients false
+MaxFileSize 10M
+TemporaryDirectory /var/tmp
+RejectMsg "Message refused due to content violation: %v - contact https://<%= @domain %>/tickets/new if this is in error"
+Whitelist /etc/clamav/whitelisted_addresses
diff --git a/puppet/modules/clamav/templates/local.pdb.erb b/puppet/modules/clamav/templates/local.pdb.erb
new file mode 100644
index 00000000..9ea0584a
--- /dev/null
+++ b/puppet/modules/clamav/templates/local.pdb.erb
@@ -0,0 +1 @@
+H:<%= @domain %>
diff --git a/puppet/modules/clamav/templates/whitelisted_addresses.erb b/puppet/modules/clamav/templates/whitelisted_addresses.erb
new file mode 100644
index 00000000..9e068ec5
--- /dev/null
+++ b/puppet/modules/clamav/templates/whitelisted_addresses.erb
@@ -0,0 +1,5 @@
+<%- if @whitelisted_addresses then -%>
+<% @whitelisted_addresses.each do |name| -%>
+From::<%= name %>
+<% end -%>
+<% end -%>
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject 3c20a3169e77e5a5f9abc06788c3a7730d5530c
+Subproject cdde1e172b3ed2c6c1f203341e75bcef5c3c349
diff --git a/puppet/modules/leap/manifests/cli/install.pp b/puppet/modules/leap/manifests/cli/install.pp
new file mode 100644
index 00000000..858bd7da
--- /dev/null
+++ b/puppet/modules/leap/manifests/cli/install.pp
@@ -0,0 +1,33 @@
+# installs leap_cli on node
+class leap::cli::install ( $source = false ) {
+ if $source {
+ # needed for building leap_cli from source
+ include ::git
+ include ::site_config::ruby::dev
+
+ vcsrepo { '/srv/leap/cli':
+ ensure => present,
+ force => true,
+ revision => 'develop',
+ provider => 'git',
+ source => 'https://leap.se/git/leap_cli.git',
+ owner => 'root',
+ group => 'root',
+ notify => Exec['install_leap_cli'],
+ require => Package['git']
+ }
+
+ exec { 'install_leap_cli':
+ command => '/usr/bin/rake build && /usr/bin/rake install',
+ cwd => '/srv/leap/cli',
+ refreshonly => true,
+ require => [ Package['ruby-dev'], File['/etc/gemrc'], Package['rake'] ]
+ }
+ }
+ else {
+ package { 'leap_cli':
+ ensure => installed,
+ provider => gem
+ }
+ }
+}
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index 6bcdd19a..284662d2 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -77,16 +77,18 @@ class leap_mx {
}
augeas {
- "logrotate_mx":
- context => "/files/etc/logrotate.d/leap-mx/rule",
+ 'logrotate_mx':
+ context => '/files/etc/logrotate.d/leap-mx/rule',
changes => [
- "set file /var/log/leap/mx.log",
- 'set rotate 5',
- 'set schedule daily',
- 'set compress compress',
- 'set missingok missingok',
- 'set ifempty notifempty',
- 'set copytruncate copytruncate'
- ]
+ 'set file /var/log/leap/mx.log',
+ 'set rotate 5',
+ 'set schedule daily',
+ 'clear nocreate',
+ 'rm create',
+ 'rm ifempty',
+ 'set compress compress',
+ 'set missingok missingok',
+ 'set copytruncate copytruncate'
+ ]
}
}
diff --git a/puppet/modules/nagios b/puppet/modules/nagios
-Subproject b55f23d4d90c97cec08251544aa9700df86ad0b
+Subproject 6c3ca97f1524e2b6242c27a2c97dbfb78105889
diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp
new file mode 100644
index 00000000..9e67569e
--- /dev/null
+++ b/puppet/modules/opendkim/manifests/init.pp
@@ -0,0 +1,38 @@
+# configure opendkim service (#5924)
+class opendkim {
+
+ $domain_hash = hiera('domain')
+ $domain = $domain_hash['full_suffix']
+ $dkim = hiera('dkim')
+ $selector = $dkim['dkim_selector']
+
+ include site_config::x509::dkim::key
+ $dkim_key = "${x509::variables::keys}/dkim.key"
+
+ ensure_packages(['opendkim', 'libopendkim7', 'libvbr2'])
+
+ # postfix user needs to be in the opendkim group
+ # in order to access the opendkim socket located at:
+ # local:/var/run/opendkim/opendkim.sock
+ user { 'postfix':
+ groups => 'opendkim';
+ }
+
+ service { 'opendkim':
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => Class['Site_config::X509::Dkim::Key'],
+ subscribe => File[$dkim_key];
+ }
+
+ file { '/etc/opendkim.conf':
+ ensure => present,
+ content => template('opendkim/opendkim.conf'),
+ mode => '0644',
+ owner => root,
+ group => root,
+ notify => Service['opendkim'],
+ require => Package['opendkim'];
+}
diff --git a/puppet/modules/opendkim/templates/opendkim.conf b/puppet/modules/opendkim/templates/opendkim.conf
new file mode 100644
index 00000000..46ddb7a8
--- /dev/null
+++ b/puppet/modules/opendkim/templates/opendkim.conf
@@ -0,0 +1,44 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+SyslogSuccess yes
+LogWhy no
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 002
+
+Domain <%= @domain %>
+SubDomains yes
+
+# set internal hosts to all the known hosts, like mydomains?
+
+# can we generate a larger key and get it in dns?
+KeyFile <%= @dkim_key %>
+
+# what selector do we use?
+Selector <%= @selector %>
+
+# Commonly-used options; the commented-out versions show the defaults.
+Canonicalization relaxed
+#Mode sv
+#ADSPDiscard no
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
+# (ATPS) (experimental)
+
+#ATPSDomains example.com
+
+RemoveOldSignatures yes
+
+Mode sv
+BaseDirectory /var/tmp
diff --git a/puppet/modules/postfix b/puppet/modules/postfix
-Subproject f09cd0eff2bcab7e12c09ec67be3c918bc83fac
+Subproject 53572a8934fe5b0a3a567cdec10664f28892373
diff --git a/puppet/modules/postfwd/files/postfwd_default b/puppet/modules/postfwd/files/postfwd_default
new file mode 100644
index 00000000..79d0e3de
--- /dev/null
+++ b/puppet/modules/postfwd/files/postfwd_default
@@ -0,0 +1,19 @@
+### This file managed by Puppet
+# Global options for postfwd(8).
+
+# Set to '1' to enable startup (daemon mode)
+STARTUP=1
+
+# Config file
+CONF=/etc/postfix/postfwd.cf
+# IP where listen to
+INET=127.0.0.1
+# Port where listen to
+PORT=10040
+# run as user postfwd
+RUNAS="postfw"
+# Arguments passed on start (--daemon implied)
+# RISEUP disable summary and cache-no-size
+#ARGS="--summary=600 --cache=600 --cache-rdomain-only --cache-no-size"
+ARGS="--cache=600 --cache-rdomain-only --no-rulestats"
+
diff --git a/puppet/modules/postfwd/manifests/init.pp b/puppet/modules/postfwd/manifests/init.pp
new file mode 100644
index 00000000..1ebc1d53
--- /dev/null
+++ b/puppet/modules/postfwd/manifests/init.pp
@@ -0,0 +1,42 @@
+# This class provides rate-limiting for outgoing SMTP, using postfwd
+# it is configured with some limits that seem reasonable for a generic
+# use-case. Each of the following applies to sasl_authenticated users:
+#
+# . 150 recipients at a time
+# . no more than 50 messages in 60 minutes
+# . no more than 250 recipients in 60 minutes.
+#
+# This class could be easily extended to add overrides to these rules,
+# maximum sizes per client, or additional rules
+class postfwd {
+
+ ensure_packages(['libnet-server-perl', 'libnet-dns-perl', 'postfwd'])
+
+ file {
+ '/etc/default/postfwd':
+ source => 'puppet:///modules/postfwd/postfwd_default',
+ mode => '0644',
+ owner => root,
+ group => root,
+ require => Package['postfwd'];
+
+ '/etc/postfix/postfwd.cf':
+ content => template('postfwd/postfwd.cf.erb'),
+ mode => '0644',
+ owner => root,
+ group => root,
+ require => Package['postfix'];
+ }
+
+ service {
+ 'postfwd':
+ ensure => running,
+ name => postfwd,
+ pattern => '/usr/sbin/postfwd',
+ enable => true,
+ hasrestart => true,
+ hasstatus => false,
+ require => [ File['/etc/default/postfwd'],
+ File['/etc/postfix/postfwd.cf']];
+ }
+}
diff --git a/puppet/modules/postfwd/templates/postfwd.cf.erb b/puppet/modules/postfwd/templates/postfwd.cf.erb
new file mode 100644
index 00000000..1c45dd03
--- /dev/null
+++ b/puppet/modules/postfwd/templates/postfwd.cf.erb
@@ -0,0 +1,28 @@
+### This file managed by Puppet
+# Before deploying a rule
+# 1. test with an additional "sender==test@domain.org;" in the rule so it
+# only applies to your test account
+# 2. then when ready to test for all users, use WARN and watch the logs
+# for a few days and make sure it working the way you like
+# 3. Then when ready to deploy for real set a proper error code
+
+## Overrides - make like the following example
+# id=exampleuser; sasl_username==exampleuser; action=dunno
+
+## Rules that apply to all senders
+# Recipient Per Message Limit
+# We only receive mail via smtp from sasl authenticated users
+# directly. We want to limit to a lower amount to prevent phished accounts
+# spamming
+id=RCPTSENDER; recipient_count=150; action=REJECT Too many recipients, please try again. Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:RCPTSENDER
+
+# Message Rate Limit
+# This limits sasl authenticated users to no more than 50/60mins
+# NOTE: sasl_username needs to be set to something or this check will fail
+id=MSGRATE ; sasl_username=!!(^$); action==rate($$sasl_username/100/3600/450 4.7.1 exceeded message rate. Contact Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:MSGRATE)
+
+# Total Recipient Rate Limit
+# This adds up the recipients for all the sasl authenticated users messages
+# and can't exceed more than 250/60min
+# NOTE: sasl_username needs to be set to something or this check will fail
+id=RCPTRATE ; sasl_username=!!(^$); action==rcpt($$sasl_username/500/3600/450 4.7.1 exceeded message rate. Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:RCPTRATE)
diff --git a/puppet/modules/ruby b/puppet/modules/ruby
-Subproject e4de25d78eefc7df70a35dee22a3e0dc1b7e1d0
+Subproject 0fb2b398dbfce59c678d6f4044a55969e42c6d4
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
index 2b83ffa5..64beb231 100644
--- a/puppet/modules/site_apache/manifests/common.pp
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -1,27 +1,8 @@
class site_apache::common {
- # installs x509 cert + key and common config
- # that both nagios + leap webapp use
-
- $web_domain = hiera('domain')
- $domain_name = $web_domain['name']
-
- include x509::variables
- include site_config::x509::commercial::cert
- include site_config::x509::commercial::key
- include site_config::x509::commercial::ca
-
- Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
- Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
- Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
include site_apache::module::rewrite
class { '::apache': no_default_site => true, ssl => true }
- apache::vhost::file {
- 'common':
- content => template('site_apache/vhosts.d/common.conf.erb')
- }
-
- apache::config::include{ 'ssl_common.inc': }
+ include site_apache::common::tls
}
diff --git a/puppet/modules/site_apache/manifests/common/tls.pp b/puppet/modules/site_apache/manifests/common/tls.pp
new file mode 100644
index 00000000..040868bf
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/common/tls.pp
@@ -0,0 +1,6 @@
+class site_apache::common::tls {
+ # class to setup common SSL configurations
+
+ apache::config::include{ 'ssl_common.inc': }
+
+}
diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
index ee5cd707..7f9fd5ab 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -4,7 +4,7 @@
ServerAlias <%= domain %>
ServerAlias www.<%= domain %>
RewriteEngine On
- RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
+ RewriteRule ^.*$ https://<%= webapp_domain -%>%{REQUEST_URI} [R=permanent,L]
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common
</VirtualHost>
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
index 0c6f3b8e..2c8d5eb5 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
@@ -30,4 +30,14 @@
ExpiresDefault "access plus 1 year"
</Location>
<% end -%>
+
+<% if (defined? @services) and (@services.include? 'static') -%>
+ DocumentRoot "/srv/static/root/public"
+ AccessFileName .htaccess
+
+ Alias /provider.json /srv/leap/provider.json
+ <Location /provider.json>
+ Header set X-Minimum-Client-Version 0.5
+ </Location>
+<% end -%>
</VirtualHost>
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
index 95ddd2ca..0f378a5a 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
@@ -6,7 +6,7 @@
I 127.0.0.1 localhost:5984 .* ok
# https://leap.se/code/issues/5246
I Shutting down group server
- # ignore bigcouch conflict errors, mainly coming from tapicero creating new users
+ # ignore bigcouch conflict errors
I Error in process.*{{nocatch,conflict}
# ignore "Uncaught error in HTTP request: {exit, normal}" error
# it's suppressed in later versions of bigcouch anhow
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg
new file mode 100644
index 00000000..f53f0780
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg
@@ -0,0 +1,5 @@
+# on one-node bigcouch setups, we'll get this msg
+# a lot, so we ignore it here until we fix
+# https://leap.se/code/issues/5244
+ I epmd: got partial packet only on file descriptor
+
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg
index f546135a..5f8d5b95 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg
@@ -1,7 +1,2 @@
C /usr/local/bin/couch-doc-update.*failed
C /usr/local/bin/couch-doc-update.*ERROR
-# on one-node bigcouch setups, we'll get this msg
-# a lot, so we ignore it here until we fix
-# https://leap.se/code/issues/5244
- I epmd: got partial packet only on file descriptor
-
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
deleted file mode 100644
index d98f5094..00000000
--- a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
+++ /dev/null
@@ -1,11 +0,0 @@
-/var/log/leap/tapicero.log
-# Ignore transient Tapicero errors when creating a db (#6511)
- I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|(twice )?due to): (RestClient::ResourceNotFound|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error)
- C tapicero.*RestClient::InternalServerError:
-# possible race condition between multiple tapicero
-# instances, so we ignore it
-# see https://leap.se/code/issues/5168
- I tapicero.*RestClient::PreconditionFailed:
- C tapicero.*Creating database.*failed due to:
- C tapicero.*failed
- W tapicero.*Couch stream ended unexpectedly.
diff --git a/puppet/modules/site_check_mk/files/extra_host_conf.mk b/puppet/modules/site_check_mk/files/extra_host_conf.mk
deleted file mode 100644
index 2c96f97a..00000000
--- a/puppet/modules/site_check_mk/files/extra_host_conf.mk
+++ /dev/null
@@ -1,6 +0,0 @@
-# retry 3 times before setting a host into a hard state
-# and send out notification
-extra_host_conf["max_check_attempts"] = [
- ("4", ALL_HOSTS )
-]
-
diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
index abfc7ad0..1554fd3c 100644
--- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
@@ -1,32 +1,18 @@
+# configure logwatch and nagios checks for couchdb (both bigcouch and plain
+# couchdb installations)
class site_check_mk::agent::couchdb {
- # watch logs
- file { '/etc/check_mk/logwatch.d/bigcouch.cfg':
- source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg',
- }
concat::fragment { 'syslog_couchdb':
source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/couchdb.cfg',
target => '/etc/check_mk/logwatch.d/syslog.cfg',
order => '02';
}
-
- # check bigcouch processes
- augeas {
- 'Bigcouch_epmd_procs':
- incl => '/etc/check_mk/mrpe.cfg',
- lens => 'Spacevars.lns',
- changes => [
- 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs',
- 'set Bigcouch_epmd_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/epmd\'' ],
- require => File['/etc/check_mk/mrpe.cfg'];
- 'Bigcouch_beam_procs':
- incl => '/etc/check_mk/mrpe.cfg',
- lens => 'Spacevars.lns',
- changes => [
- 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs',
- 'set Bigcouch_beam_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/beam\'' ],
- require => File['/etc/check_mk/mrpe.cfg'];
+ # check different couchdb stats
+ file { '/usr/lib/check_mk_agent/local/leap_couch_stats.sh':
+ source => 'puppet:///modules/site_check_mk/agent/local_checks/couchdb/leap_couch_stats.sh',
+ mode => '0755',
+ require => Package['check_mk-agent']
}
# check open files for bigcouch proc
@@ -36,20 +22,13 @@ class site_check_mk::agent::couchdb {
mode => '0755'
}
augeas {
- 'Bigcouch_open_files':
+ 'Couchdb_open_files':
incl => '/etc/check_mk/mrpe.cfg',
lens => 'Spacevars.lns',
changes => [
- 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files',
- 'set Bigcouch_open_files \'/srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720\'' ],
+ 'rm /files/etc/check_mk/mrpe.cfg/Couchdb_open_files',
+ 'set Couchdb_open_files \'/srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720\'' ],
require => File['/etc/check_mk/mrpe.cfg'];
}
-
- # check different couchdb stats
- file { '/usr/lib/check_mk_agent/local/leap_couch_stats.sh':
- source => 'puppet:///modules/site_check_mk/agent/local_checks/couchdb/leap_couch_stats.sh',
- mode => '0755',
- require => Package['check_mk-agent']
- }
}
diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp
new file mode 100644
index 00000000..82c3ac72
--- /dev/null
+++ b/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp
@@ -0,0 +1,49 @@
+# configure logwatch and nagios checks for bigcouch
+class site_check_mk::agent::couchdb::bigcouch {
+
+ # watch bigcouch logs
+ # currently disabled because bigcouch is too noisy
+ # see https://leap.se/code/issues/7375 for more details
+ # and site_config::remove_files for removing leftovers
+ #file { '/etc/check_mk/logwatch.d/bigcouch.cfg':
+ # source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg',
+ #}
+
+ # check syslog msg from:
+ # - empd
+ # - /usr/local/bin/couch-doc-update
+ concat::fragment { 'syslog_bigcouch':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/bigcouch.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '02';
+ }
+
+ # check bigcouch processes
+ augeas {
+ 'Bigcouch_epmd_procs':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs',
+ 'set Bigcouch_epmd_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/epmd\'' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
+ 'Bigcouch_beam_procs':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs',
+ 'set Bigcouch_beam_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/beam\'' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
+ }
+
+ augeas {
+ 'Bigcouch_open_files':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files',
+ 'set Bigcouch_open_files \'/srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720\'' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
+ }
+
+}
diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp
new file mode 100644
index 00000000..291b87d1
--- /dev/null
+++ b/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp
@@ -0,0 +1,23 @@
+# configure logwatch and nagios checks for plain single couchdb master
+class site_check_mk::agent::couchdb::master {
+
+ # remove bigcouch leftovers
+ augeas {
+ 'Bigcouch_epmd_procs':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs',
+ require => File['/etc/check_mk/mrpe.cfg'];
+ 'Bigcouch_beam_procs':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs',
+ require => File['/etc/check_mk/mrpe.cfg'];
+ 'Bigcouch_open_files':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files',
+ require => File['/etc/check_mk/mrpe.cfg'];
+ }
+
+}
diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
deleted file mode 100644
index ad9962d4..00000000
--- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
+++ /dev/null
@@ -1,26 +0,0 @@
-# sets up tapicero monitoring
-class site_check_mk::agent::tapicero {
-
- include ::site_nagios::plugins
-
- # watch logs
- file { '/etc/check_mk/logwatch.d/tapicero.cfg':
- source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg',
- }
-
- # local nagios plugin checks via mrpe
- augeas {
- 'Tapicero_Procs':
- incl => '/etc/check_mk/mrpe.cfg',
- lens => 'Spacevars.lns',
- changes => [
- 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs',
- "set Tapicero_Procs \"/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 --ereg-argument-array='^tapicero$'\"" ],
- require => File['/etc/check_mk/mrpe.cfg'];
- 'Tapicero_Heartbeat':
- incl => '/etc/check_mk/mrpe.cfg',
- lens => 'Spacevars.lns',
- changes => 'set Tapicero_Heartbeat \'/usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/leap/tapicero.log -r "tapicero" -w 300 -c 600\'',
- require => File['/etc/check_mk/mrpe.cfg'];
- }
-}
diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp
index 67519513..57f68d3e 100644
--- a/puppet/modules/site_check_mk/manifests/server.pp
+++ b/puppet/modules/site_check_mk/manifests/server.pp
@@ -54,7 +54,7 @@ class site_check_mk::server {
notify => Exec['check_mk-refresh'],
require => Package['check-mk-server'];
'/etc/check_mk/conf.d/extra_host_conf.mk':
- source => 'puppet:///modules/site_check_mk/extra_host_conf.mk',
+ content => template('site_check_mk/extra_host_conf.mk'),
notify => Exec['check_mk-refresh'],
require => Package['check-mk-server'];
diff --git a/puppet/modules/site_check_mk/templates/extra_host_conf.mk b/puppet/modules/site_check_mk/templates/extra_host_conf.mk
new file mode 100644
index 00000000..bc27b514
--- /dev/null
+++ b/puppet/modules/site_check_mk/templates/extra_host_conf.mk
@@ -0,0 +1,13 @@
+# retry 3 times before setting a host into a hard state
+# and send out notification
+extra_host_conf["max_check_attempts"] = [
+ ("4", ALL_HOSTS )
+]
+
+# Use hostnames as alias so notification mail subjects
+# are more readable and not so long. Alias defaults to
+# the fqdn of a host is not changed.
+extra_host_conf["alias"] = [
+<% @hosts.keys.sort.each do |key| -%> ( "<%= key.strip %>", ["<%= @hosts[key]['domain_internal']%>"]),
+<% end -%>
+]
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index e69e4b7b..6b10dc19 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -1,3 +1,4 @@
+# common things to set up on every node
class site_config::default {
tag 'leap_base'
@@ -29,7 +30,7 @@ class site_config::default {
# i.e. openstack/aws nodes, vagrant nodes
# fix dhclient from changing resolver information
- if $::dhcp_enabled == 'true' {
+ if $::dhcp_enabled == 'true' {
include site_config::dhclient
}
@@ -58,7 +59,9 @@ class site_config::default {
# set up core leap files and directories
include site_config::files
- include site_config::remove_files
+
+ # remove leftovers from previous deploys
+ include site_config::remove
if ! member($services, 'mx') {
include site_postfix::satellite
diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp
new file mode 100644
index 00000000..b1ad1a2b
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove.pp
@@ -0,0 +1,4 @@
+# remove leftovers from previous deploys
+class site_config::remove {
+ include site_config::remove::files
+}
diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove/files.pp
index 3f46659c..466f50c8 100644
--- a/puppet/modules/site_config/manifests/remove_files.pp
+++ b/puppet/modules/site_config/manifests/remove/files.pp
@@ -9,7 +9,7 @@
# release.
#
-class site_config::remove_files {
+class site_config::remove::files {
#
# Platform 0.7 removals
@@ -31,6 +31,7 @@ class site_config::remove_files {
'/srv/leap/couchdb/designs/tmp_users':
recurse => true,
rmdirs => true;
+ '/etc/leap/soledad-server.conf':;
}
# leax-mx logged to /var/log/leap_mx.log in the past
@@ -42,5 +43,22 @@ class site_config::remove_files {
onlyif => "/bin/grep -qe 'leap_mx.log' /etc/check_mk/logwatch.state"
}
-
+ # Don't use check_mk logwatch to watch bigcouch logs anymore
+ # see https://leap.se/code/issues/7375 for more details
+ file { '/etc/check_mk/logwatch.d/bigcouch.cfg':
+ ensure => absent,
+ notify => [
+ Exec['remove_bigcouch_logwatch_spoolfiles'],
+ Exec['remove_bigcouch_logwatch_stateline']
+ ]
+ }
+ # remove leftover bigcouch logwatch spool files
+ exec { 'remove_bigcouch_logwatch_spoolfiles':
+ command => 'find /var/lib/check_mk/logwatch -name \'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -exec rm {} \;',
+ refreshonly => true,
+ }
+ exec { 'remove_bigcouch_logwatch_stateline':
+ command => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state",
+ refreshonly => true,
+ }
}
diff --git a/puppet/modules/site_config/manifests/remove/monitoring.pp b/puppet/modules/site_config/manifests/remove/monitoring.pp
new file mode 100644
index 00000000..d7095597
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/monitoring.pp
@@ -0,0 +1,10 @@
+# remove leftovers on monitoring nodes
+class site_config::remove::monitoring {
+
+ tidy {
+ 'checkmk_logwatch_spool':
+ path => '/var/lib/check_mk/logwatch',
+ recurse => true,
+ matches => '*tapicero.log'
+ }
+}
diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp
new file mode 100644
index 00000000..4ce972d0
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/tapicero.pp
@@ -0,0 +1,69 @@
+# remove tapicero leftovers from previous deploys on couchdb nodes
+class site_config::remove::tapicero {
+
+ # remove tapicero couchdb user
+ $couchdb_config = hiera('couch')
+ $couchdb_mode = $couchdb_config['mode']
+
+ if $couchdb_mode == 'multimaster'
+ {
+ $port = 5986
+ } else {
+ $port = 5984
+ }
+
+ exec { 'remove_couchdb_user':
+ onlyif => "/usr/bin/curl -s 127.0.0.1:${port}/_users/org.couchdb.user:tapicero | grep -qv 'not_found'",
+ command => "/usr/local/bin/couch-doc-update --host 127.0.0.1:${port} --db _users --id org.couchdb.user:tapicero --delete"
+ }
+
+
+ exec { 'kill_tapicero':
+ onlyif => '/usr/bin/test -s /var/run/tapicero.pid',
+ command => '/usr/bin/pkill --pidfile /var/run/tapicero.pid'
+ }
+
+ user { 'tapicero':
+ ensure => absent;
+ }
+
+ group { 'tapicero':
+ ensure => absent,
+ require => User['tapicero'];
+ }
+
+ tidy {
+ '/srv/leap/tapicero':
+ recurse => true,
+ require => [ Exec['kill_tapicero'] ];
+ '/var/lib/leap/tapicero':
+ require => [ Exec['kill_tapicero'] ];
+ '/var/run/tapicero':
+ require => [ Exec['kill_tapicero'] ];
+ '/etc/leap/tapicero.yaml':
+ require => [ Exec['kill_tapicero'] ];
+ '/etc/init.d/tapicero':
+ require => [ Exec['kill_tapicero'] ];
+ 'tapicero_logs':
+ path => '/var/log/leap',
+ recurse => true,
+ matches => 'tapicero*',
+ require => [ Exec['kill_tapicero'] ];
+ '/etc/check_mk/logwatch.d/tapicero.cfg':;
+ }
+
+ # remove local nagios plugin checks via mrpe
+ augeas {
+ 'Tapicero_Procs':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs',
+ require => File['/etc/check_mk/mrpe.cfg'];
+ 'Tapicero_Heartbeat':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'rm Tapicero_Heartbeat',
+ require => File['/etc/check_mk/mrpe.cfg'];
+ }
+
+}
diff --git a/puppet/modules/site_config/manifests/remove/webapp.pp b/puppet/modules/site_config/manifests/remove/webapp.pp
new file mode 100644
index 00000000..58f59815
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/webapp.pp
@@ -0,0 +1,7 @@
+# remove leftovers on webapp nodes
+class site_config::remove::webapp {
+ tidy {
+ '/etc/apache/sites-enabled/leap_webapp.conf':
+ notify => Service['apache'];
+ }
+}
diff --git a/puppet/modules/site_config/manifests/x509/dkim/key.pp b/puppet/modules/site_config/manifests/x509/dkim/key.pp
new file mode 100644
index 00000000..c63a7e94
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/dkim/key.pp
@@ -0,0 +1,13 @@
+class site_config::x509::dkim::key {
+
+ ##
+ ## This is for the DKIM key that is used exclusively for DKIM
+ ## signing
+
+ $x509 = hiera('x509')
+ $key = $x509['dkim_key']
+
+ x509::key { 'dkim':
+ content => $key
+ }
+}
diff --git a/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json b/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json
new file mode 100644
index 00000000..006c1ea1
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json
@@ -0,0 +1,22 @@
+{
+ "_id": "_design/InviteCode",
+ "language": "javascript",
+ "views": {
+ "by__id": {
+ "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['_id'] != null)) {\n emit(doc['_id'], 1);\n }\n }\n",
+ "reduce": "_sum"
+ },
+ "by_invite_code": {
+ "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_code'] != null)) {\n emit(doc['invite_code'], 1);\n }\n }\n",
+ "reduce": "_sum"
+ },
+ "by_invite_count": {
+ "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_count'] != null)) {\n emit(doc['invite_count'], 1);\n }\n }\n",
+ "reduce": "_sum"
+ },
+ "all": {
+ "map": " function(doc) {\n if (doc['type'] == 'InviteCode') {\n emit(doc._id, null);\n }\n }\n"
+ }
+ },
+ "couchrest-hash": "83fb8f504520b4a9c7ddbb7928cd0ce3"
+} \ No newline at end of file
diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp
index 2f734ed4..c905316b 100644
--- a/puppet/modules/site_couchdb/manifests/add_users.pp
+++ b/puppet/modules/site_couchdb/manifests/add_users.pp
@@ -1,3 +1,4 @@
+# add couchdb users for all services
class site_couchdb::add_users {
Class['site_couchdb::create_dbs']
@@ -35,16 +36,6 @@ class site_couchdb::add_users {
require => Couchdb::Query::Setup['localhost']
}
- ### tapicero couchdb user
- ### admin: needs to be able to create user-<uuid> databases
- ### read: users
- couchdb::add_user { $site_couchdb::couchdb_tapicero_user:
- roles => '["users"]',
- pw => $site_couchdb::couchdb_tapicero_pw,
- salt => $site_couchdb::couchdb_tapicero_salt,
- require => Couchdb::Query::Setup['localhost']
- }
-
## webapp couchdb user
## read/write: users, tokens, sessions, tickets, identities, customer
couchdb::add_user { $site_couchdb::couchdb_webapp_user:
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp
index 469a2783..2de3d4d0 100644
--- a/puppet/modules/site_couchdb/manifests/bigcouch.pp
+++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp
@@ -44,4 +44,7 @@ class site_couchdb::bigcouch {
require => Package['couchdb'],
notify => Service['couchdb']
}
+
+ include site_check_mk::agent::couchdb::bigcouch
+
}
diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp
index eea4bbf5..a2d1c655 100644
--- a/puppet/modules/site_couchdb/manifests/create_dbs.pp
+++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp
@@ -90,4 +90,13 @@ class site_couchdb::create_dbs {
members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }",
require => Couchdb::Query::Setup['localhost']
}
+
+ ## invite_codes db
+ ## store invite codes for new signups
+ ## r/w: webapp
+ couchdb::create_db { 'invite_codes':
+ members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }",
+ require => Couchdb::Query::Setup['localhost']
+ }
+
}
diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp
index 1ab1c6a1..e5fd94c6 100644
--- a/puppet/modules/site_couchdb/manifests/designs.pp
+++ b/puppet/modules/site_couchdb/manifests/designs.pp
@@ -12,12 +12,13 @@ class site_couchdb::designs {
}
site_couchdb::upload_design {
- 'customers': design => 'customers/Customer.json';
- 'identities': design => 'identities/Identity.json';
- 'tickets': design => 'tickets/Ticket.json';
- 'messages': design => 'messages/Message.json';
- 'users': design => 'users/User.json';
- 'tmp_users': design => 'users/User.json';
+ 'customers': design => 'customers/Customer.json';
+ 'identities': design => 'identities/Identity.json';
+ 'tickets': design => 'tickets/Ticket.json';
+ 'messages': design => 'messages/Message.json';
+ 'users': design => 'users/User.json';
+ 'tmp_users': design => 'users/User.json';
+ 'invite_codes': design => 'invite_codes/InviteCode.json';
'shared_docs':
db => 'shared',
design => 'shared/docs.json';
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 6b6ddd3a..61aa887e 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -26,11 +26,6 @@ class site_couchdb {
$couchdb_soledad_pw = $couchdb_soledad['password']
$couchdb_soledad_salt = $couchdb_soledad['salt']
- $couchdb_tapicero = $couchdb_users['tapicero']
- $couchdb_tapicero_user = $couchdb_tapicero['username']
- $couchdb_tapicero_pw = $couchdb_tapicero['password']
- $couchdb_tapicero_salt = $couchdb_tapicero['salt']
-
$couchdb_webapp = $couchdb_users['webapp']
$couchdb_webapp_user = $couchdb_webapp['username']
$couchdb_webapp_pw = $couchdb_webapp['password']
@@ -66,6 +61,8 @@ class site_couchdb {
if $couchdb_backup { include site_couchdb::backup }
include site_check_mk::agent::couchdb
- include site_check_mk::agent::tapicero
+
+ # remove tapicero leftovers on couchdb nodes
+ include site_config::remove::tapicero
}
diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp
index c28eee7d..5dab6325 100644
--- a/puppet/modules/site_couchdb/manifests/master.pp
+++ b/puppet/modules/site_couchdb/manifests/master.pp
@@ -6,4 +6,6 @@ class site_couchdb::master {
chttpd_bind_address => '127.0.0.1',
pwhash_alg => $site_couchdb::couchdb_pwhash_alg
}
+
+ include site_check_mk::agent::couchdb::master
}
diff --git a/puppet/modules/site_couchdb/manifests/setup.pp b/puppet/modules/site_couchdb/manifests/setup.pp
index 69bd1c6a..fef48505 100644
--- a/puppet/modules/site_couchdb/manifests/setup.pp
+++ b/puppet/modules/site_couchdb/manifests/setup.pp
@@ -12,27 +12,40 @@ class site_couchdb::setup {
$user = $site_couchdb::couchdb_admin_user
- # /etc/couchdb/couchdb-admin.netrc is deployed by couchdb::query::setup
- # we symlink to couchdb.netrc for puppet commands.
- # we symlink this to /root/.netrc for couchdb_scripts (eg. backup)
- # and makes life easier for the admin (i.e. using curl/wget without
- # passing credentials)
+ # setup /etc/couchdb/couchdb-admin.netrc for couchdb admin access
+ couchdb::query::setup { 'localhost':
+ user => $user,
+ pw => $site_couchdb::couchdb_admin_pw
+ }
+
+ # We symlink /etc/couchdb/couchdb-admin.netrc to /etc/couchdb/couchdb.netrc
+ # for puppet commands, and to to /root/.netrc for couchdb_scripts
+ # (eg. backup) and to makes life easier for the admin on the command line
+ # (i.e. using curl/wget without passing credentials)
file {
'/etc/couchdb/couchdb.netrc':
ensure => link,
target => "/etc/couchdb/couchdb-${user}.netrc";
-
'/root/.netrc':
ensure => link,
target => '/etc/couchdb/couchdb.netrc';
+ }
- '/srv/leap/couchdb':
- ensure => directory
+ # setup /etc/couchdb/couchdb-soledad-admin.netrc file for couchdb admin
+ # access, accessible only for the soledad-admin user to create soledad
+ # userdbs
+ file { '/etc/couchdb/couchdb-soledad-admin.netrc':
+ content => "machine localhost login ${user} password ${site_couchdb::couchdb_admin_pw}",
+ mode => '0400',
+ owner => 'soledad-admin',
+ group => 'root',
+ require => [ Package['couchdb'], User['soledad-admin'] ];
}
- couchdb::query::setup { 'localhost':
- user => $user,
- pw => $site_couchdb::couchdb_admin_pw,
+ # Checkout couchdb_scripts repo
+ file {
+ '/srv/leap/couchdb':
+ ensure => directory
}
vcsrepo { '/srv/leap/couchdb/scripts':
diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
index 0d729b8c..981dc12a 100644
--- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
+++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
@@ -70,7 +70,7 @@ precached_object_file=/var/lib/nagios3/objects.precache
# defined as macros in this file and restrictive permissions (600)
# can be placed on this file.
-resource_file=/etc/nagios3/private/resource.cfg
+resource_file=/etc/nagios3/resource.cfg
diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp
index eb08cdcb..40ae4b86 100644
--- a/puppet/modules/site_nagios/manifests/init.pp
+++ b/puppet/modules/site_nagios/manifests/init.pp
@@ -1,6 +1,10 @@
+# setup nagios on monitoring node
class site_nagios {
tag 'leap_service'
Class['site_config::default'] -> Class['site_nagios']
include site_nagios::server
+
+ # remove leftovers on monitoring nodes
+ include site_config::remove::monitoring
}
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index cb6c8d95..60a471b7 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -32,6 +32,7 @@ class site_nagios::server inherits nagios::base {
}
include site_apache::common
+ include site_webapp::common_vhost
include site_apache::module::headers
File ['nagios_htpasswd'] {
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e2a3124e..ede35a9e 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -229,6 +229,13 @@ class site_openvpn {
}
leap::logfile { 'openvpn': }
+
+ # Because we currently do not support ipv6 and instead block it (so no leaks
+ # happen), we get a large number of these messages, so we ignore them (#6540)
+ rsyslog::snippet { '01-ignore_icmpv6_send':
+ content => ':msg, contains, "icmpv6_send: no reply to icmp error" ~'
+ }
+
include site_check_mk::agent::openvpn
}
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 49692d24..71d61621 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -7,7 +7,8 @@ class site_postfix::mx {
$domain = $domain_hash['full_suffix']
$host_domain = $domain_hash['full']
$cert_name = hiera('name')
- $mynetworks = join(hiera('mynetworks'), ' ')
+ $mynetworks = join(hiera('mynetworks', ''), ' ')
+ $rbls = suffix(prefix(hiera('rbls', []), 'reject_rbl_client '), ',')
$root_mail_recipient = hiera('contacts')
$postfix_smtp_listen = 'all'
@@ -20,16 +21,20 @@ class site_postfix::mx {
postfix::config {
'mynetworks':
value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}";
+ # Note: mydestination should not include @domain, because this is
+ # used in virtual alias maps.
'mydestination':
- value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+ value => "\$myorigin, localhost, localhost.\$mydomain";
'myhostname':
value => $host_domain;
'mailbox_size_limit':
value => '0';
'home_mailbox':
value => 'Maildir/';
+ # Note: virtual-aliases map will take precedence over leap_mx
+ # lookup (tcp:localhost)
'virtual_alias_maps':
- value => 'tcp:localhost:4242';
+ value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242';
'luser_relay':
value => 'vmail';
'smtpd_tls_received_header':
@@ -44,13 +49,20 @@ class site_postfix::mx {
# alias map
'local_recipient_maps':
value => '$alias_maps';
+ 'smtpd_milters':
+ value => 'unix:/run/clamav/milter.ctl,unix:/var/run/opendkim/opendkim.sock';
+ 'milter_default_action':
+ value => 'accept';
}
include site_postfix::mx::smtpd_checks
include site_postfix::mx::checks
include site_postfix::mx::smtp_tls
include site_postfix::mx::smtpd_tls
- include site_postfix::mx::reserved_aliases
+ include site_postfix::mx::static_aliases
+ include site_postfix::mx::rewrite_openpgp_header
+ include clamav
+ include postfwd
# greater verbosity for debugging, take out for production
#include site_postfix::debug
@@ -72,7 +84,11 @@ class site_postfix::mx {
-o smtpd_tls_wrappermode=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
- -o smtpd_helo_restrictions=\$smtps_helo_restrictions",
+ -o smtpd_helo_restrictions=\$smtps_helo_restrictions
+ -o smtpd_client_restrictions=
+ -o cleanup_service_name=clean_smtps
+clean_smtps unix n - n - 0 cleanup
+ -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers",
require => [
Class['Site_config::X509::Key'],
Class['Site_config::X509::Cert'],
diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
deleted file mode 100644
index 83e27376..00000000
--- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
+++ /dev/null
@@ -1,15 +0,0 @@
-# Defines which mail addresses shouldn't be available and where they should fwd
-class site_postfix::mx::reserved_aliases {
-
- postfix::mailalias {
- [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron',
- 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp',
- 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql',
- 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www',
- 'www-data',
- ]:
- ensure => present,
- recipient => 'root'
- }
-
-}
diff --git a/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp
new file mode 100644
index 00000000..71f945b8
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp
@@ -0,0 +1,11 @@
+class site_postfix::mx::rewrite_openpgp_header {
+ $mx = hiera('mx')
+ $correct_domain = $mx['key_lookup_domain']
+
+ file { '/etc/postfix/checks/rewrite_openpgp_headers':
+ content => template('site_postfix/checks/rewrite_openpgp_headers.erb'),
+ mode => '0644',
+ owner => root,
+ group => root;
+ }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 0ec40277..1c3e5c92 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks {
'checks_dir':
value => '$config_directory/checks';
'smtpd_client_restrictions':
- value => 'permit_mynetworks,permit';
+ value => "${site_postfix::mx::rbls}permit_mynetworks,permit";
'smtpd_data_restrictions':
value => 'permit_mynetworks, reject_unauth_pipelining, permit';
'smtpd_delay_reject':
diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
new file mode 100644
index 00000000..71c0555a
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
@@ -0,0 +1,88 @@
+#
+# Defines static, hard coded aliases that are not in the database.
+# These aliases take precedence over the database aliases.
+#
+# There are three classes of reserved names:
+#
+# (1) forbidden_usernames:
+# Some usernames are forbidden and cannot be registered.
+# this is defined in node property webapp.forbidden_usernames
+# This is enforced by the webapp.
+#
+# (2) public aliases:
+# Some aliases for root, and are publicly exposed so that anyone
+# can deliver mail to them. For example, postmaster.
+# These are implemented in the virtual alias map, which takes
+# precedence over the local alias map.
+#
+# (3) local aliases:
+# Some aliases are only available locally: mail can be delivered
+# to the alias if the mail originates from the local host, or is
+# hostname qualified, but otherwise it will be rejected.
+# These are implemented in the local alias map.
+#
+# The alias for local 'root' is defined elsewhere. In this file, we
+# define the virtual 'root@domain' (which can be overwritten by
+# defining an entry for root in node property mx.aliases).
+#
+
+class site_postfix::mx::static_aliases {
+
+ $mx = hiera('mx')
+ $root_recipients = hiera('contacts')
+
+ #
+ # LOCAL ALIASES
+ #
+
+ # NOTE: if you remove one of these, they will still appear in the
+ # /etc/aliases file
+ $local_aliases = [
+ 'admin', 'administrator', 'bin', 'cron', 'games', 'ftp', 'lp', 'maildrop',
+ 'mysql', 'news', 'nobody', 'noc', 'postgresql', 'ssladmin', 'sys',
+ 'usenet', 'uucp', 'www', 'www-data'
+ ]
+
+ postfix::mailalias {
+ $local_aliases:
+ ensure => present,
+ recipient => 'root'
+ }
+
+ #
+ # PUBLIC ALIASES
+ #
+
+ $public_aliases = $mx['aliases']
+
+ $default_public_aliases = {
+ 'root' => $root_recipients,
+ 'abuse' => 'postmaster',
+ 'arin-admin' => 'root',
+ 'certmaster' => 'hostmaster',
+ 'domainadmin' => 'hostmaster',
+ 'hostmaster' => 'root',
+ 'mailer-daemon' => 'postmaster',
+ 'postmaster' => 'root',
+ 'security' => 'root',
+ 'webmaster' => 'hostmaster',
+ }
+
+ $aliases = merge($default_public_aliases, $public_aliases)
+
+ exec { 'postmap_virtual_aliases':
+ command => '/usr/sbin/postmap /etc/postfix/virtual-aliases',
+ refreshonly => true,
+ user => root,
+ group => root,
+ require => Package['postfix'],
+ subscribe => File['/etc/postfix/virtual-aliases']
+ }
+ file { '/etc/postfix/virtual-aliases':
+ content => template('site_postfix/virtual-aliases.erb'),
+ owner => root,
+ group => root,
+ mode => '0600',
+ require => Package['postfix']
+ }
+}
diff --git a/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb
new file mode 100644
index 00000000..7af14f7d
--- /dev/null
+++ b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb
@@ -0,0 +1,13 @@
+# THIS FILE IS MANAGED BY PUPPET
+#
+# This will replace the OpenPGP header that the client adds, because it is
+# sometimes incorrect (due to the client not always knowing what the proper URL
+# is for the webapp).
+# e.g. This will rewrite this header:
+# OpenPGP: id=4C0E01CD50E2F653; url="https://leap.se/key/elijah"; preference="signencrypt
+# with this replacement:
+# OpenPGP: id=4C0E01CD50E2F653; url="https://user.leap.se/key/elijah"; preference="signencrypt
+#
+# Note: whitespace in the pattern is represented by [[:space:]] to avoid these warnings from postmap:
+# "record is in "key: value" format; is this an alias file?" and "duplicate entry"
+/^(OpenPGP:[[:space:]]id=[[:alnum:]]+;[[:space:]]url="https:\/\/)<%= @domain %>(\/key\/[[:alpha:]]+";.*)/i REPLACE ${1}<%= @correct_domain %>${2}
diff --git a/puppet/modules/site_postfix/templates/virtual-aliases.erb b/puppet/modules/site_postfix/templates/virtual-aliases.erb
new file mode 100644
index 00000000..8373de97
--- /dev/null
+++ b/puppet/modules/site_postfix/templates/virtual-aliases.erb
@@ -0,0 +1,21 @@
+#
+# This file is managed by puppet.
+#
+# These virtual aliases take precedence over all other aliases.
+#
+
+#
+# enable these virtual domains:
+#
+<%= @domain %> enabled
+<%- @aliases.keys.map {|addr| addr.split('@')[1] }.compact.sort.uniq.each do |virt_domain| -%>
+<%= virt_domain %> enabled
+<%- end %>
+
+#
+# virtual aliases:
+#
+<%- @aliases.keys.sort.each do |from| -%>
+<%- full_address = from =~ /@/ ? from : from + "@" + @domain -%>
+<%= full_address %> <%= [@aliases[from]].flatten.map{|a| a =~ /@/ ? a : a + "@" + @domain}.join(', ') %>
+<%- end -%>
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 1da2f1d5..170be32c 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,6 +1,7 @@
class site_sshd {
- $ssh = hiera_hash('ssh')
- $hosts = hiera('hosts', '')
+ $ssh = hiera_hash('ssh')
+ $ssh_config = $ssh['config']
+ $hosts = hiera('hosts', '')
##
## SETUP AUTHORIZED KEYS
@@ -52,11 +53,12 @@ class site_sshd {
## SSHD SERVER CONFIGURATION
##
class { '::sshd':
- manage_nagios => false,
- ports => [ $ssh['port'] ],
- use_pam => 'yes',
- hardened_ssl => 'yes',
- print_motd => 'no',
- manage_client => false
+ manage_nagios => false,
+ ports => [ $ssh['port'] ],
+ use_pam => 'yes',
+ hardened_ssl => 'yes',
+ print_motd => 'no',
+ tcp_forwarding => $ssh_config['AllowTcpForwarding'],
+ manage_client => false
}
}
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index e37d5ad2..8df53075 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -9,6 +9,7 @@ class site_static {
$domains = $static['domains']
$formats = $static['formats']
$bootstrap = $static['bootstrap_files']
+ $tor = hiera('tor', false)
if $bootstrap['enabled'] {
$bootstrap_domain = $bootstrap['domain']
@@ -27,14 +28,11 @@ class site_static {
}
}
- class { '::apache': no_default_site => true, ssl => true }
include site_apache::module::headers
include site_apache::module::alias
include site_apache::module::expires
include site_apache::module::removeip
- include site_apache::module::rewrite
- apache::config::include{ 'ssl_common.inc': }
-
+ include site_apache::common
include site_config::ruby::dev
if (member($formats, 'rack')) {
@@ -46,14 +44,24 @@ class site_static {
}
if (member($formats, 'amber')) {
+ rubygems::gem{'amber-0.3.8':
+ require => Package['zlib1g-dev']
+ }
+
package { 'zlib1g-dev':
- ensure => installed
+ ensure => installed
}
- rubygems::gem{'amber-0.3.4': }
}
create_resources(site_static::domain, $domains)
+ if $tor {
+ $hidden_service = $tor['hidden_service']
+ if $hidden_service['active'] {
+ include site_webapp::hidden_service
+ }
+ }
+
include site_shorewall::defaults
include site_shorewall::service::http
include site_shorewall::service::https
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index 4d61cc08..2853c5c7 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -48,7 +48,7 @@
Include include.d/ssl_common.inc
<%- if @tls_only -%>
- Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+ Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
<%- end -%>
Header set X-Frame-Options "deny"
Header always unset X-Powered-By
diff --git a/puppet/modules/site_webapp/files/server-status.conf b/puppet/modules/site_webapp/files/server-status.conf
new file mode 100644
index 00000000..84cb9ae0
--- /dev/null
+++ b/puppet/modules/site_webapp/files/server-status.conf
@@ -0,0 +1,28 @@
+# Keep track of extended status information for each request
+ExtendedStatus On
+
+# Determine if mod_status displays the first 63 characters of a request or
+# the last 63, assuming the request itself is greater than 63 chars.
+# Default: Off
+#SeeRequestTail On
+
+Listen 127.0.0.1:8162
+NameVirtualHost 127.0.0.1:8162
+
+<VirtualHost 127.0.0.1:8162>
+
+<Location /server-status>
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1
+</Location>
+
+</VirtualHost>
+
+
+<IfModule mod_proxy.c>
+ # Show Proxy LoadBalancer status in mod_status
+ ProxyStatus On
+</IfModule>
+
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 93e172a0..ddd04a91 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -15,12 +15,13 @@ class site_webapp::apache {
include site_apache::module::alias
include site_apache::module::expires
include site_apache::module::removeip
+ include site_webapp::common_vhost
class { 'passenger': use_munin => false }
apache::vhost::file {
'api':
- content => template('site_apache/vhosts.d/api.conf.erb')
+ content => template('site_apache/vhosts.d/api.conf.erb');
}
}
diff --git a/puppet/modules/site_webapp/manifests/common_vhost.pp b/puppet/modules/site_webapp/manifests/common_vhost.pp
new file mode 100644
index 00000000..c57aad57
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/common_vhost.pp
@@ -0,0 +1,18 @@
+class site_webapp::common_vhost {
+ # installs x509 cert + key and common config
+ # that both nagios + leap webapp use
+
+ include x509::variables
+ include site_config::x509::commercial::cert
+ include site_config::x509::commercial::key
+ include site_config::x509::commercial::ca
+
+ Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
+ Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
+ Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
+
+ apache::vhost::file {
+ 'common':
+ content => template('site_apache/vhosts.d/common.conf.erb')
+ }
+}
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 1dbc745d..5cf7f953 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -14,29 +14,29 @@ class site_webapp::couchdb {
file {
'/srv/leap/webapp/config/couchdb.yml':
content => template('site_webapp/couchdb.yml.erb'),
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
mode => '0600',
require => Vcsrepo['/srv/leap/webapp'];
'/srv/leap/webapp/config/couchdb.admin.yml':
content => template('site_webapp/couchdb.admin.yml.erb'),
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'root',
+ group => 'root',
mode => '0600',
require => Vcsrepo['/srv/leap/webapp'];
'/srv/leap/webapp/log':
ensure => directory,
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
mode => '0755',
require => Vcsrepo['/srv/leap/webapp'];
'/srv/leap/webapp/log/production.log':
ensure => present,
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
mode => '0666',
require => Vcsrepo['/srv/leap/webapp'];
}
diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp
index d26ee312..7147a0d2 100644
--- a/puppet/modules/site_webapp/manifests/cron.pp
+++ b/puppet/modules/site_webapp/manifests/cron.pp
@@ -5,12 +5,14 @@ class site_webapp::cron {
'rotate_databases':
command => 'cd /srv/leap/webapp && bundle exec rake db:rotate',
environment => 'RAILS_ENV=production',
+ user => 'root',
hour => [0,6,12,18],
minute => 0;
'delete_tmp_databases':
command => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp',
environment => 'RAILS_ENV=production',
+ user => 'root',
hour => 1,
minute => 1;
@@ -19,6 +21,7 @@ class site_webapp::cron {
'remove_expired_sessions':
command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions',
environment => 'RAILS_ENV=production',
+ user => 'leap-webapp',
hour => 2,
minute => 30,
ensure => absent;
@@ -26,6 +29,7 @@ class site_webapp::cron {
'remove_expired_tokens':
command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens',
environment => 'RAILS_ENV=production',
+ user => 'leap-webapp',
hour => 3,
minute => 0;
}
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 16b6e2e7..99a756ca 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -32,12 +32,18 @@ class site_webapp::hidden_service {
owner => 'debian-tor',
group => 'debian-tor',
mode => '0600';
+
+ '/etc/apache2/mods-enabled/status.conf':
+ ensure => absent,
+ notify => Service['apache'];
}
apache::vhost::file {
'hidden_service':
- content => template('site_apache/vhosts.d/hidden_service.conf.erb')
+ content => template('site_apache/vhosts.d/hidden_service.conf.erb');
+ 'server_status':
+ vhost_source => 'modules/site_webapp/server-status.conf';
}
include site_shorewall::tor
-} \ No newline at end of file
+}
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index ec94c090..837950a8 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -1,3 +1,4 @@
+# configure webapp service
class site_webapp {
tag 'leap_service'
$definition_files = hiera('definition_files')
@@ -26,6 +27,9 @@ class site_webapp {
include site_config::x509::client_ca::ca
include site_config::x509::client_ca::key
+ # remove leftovers from previous installations on webapp nodes
+ include site_config::remove::webapp
+
group { 'leap-webapp':
ensure => present,
allowdupe => false;
@@ -163,10 +167,8 @@ class site_webapp {
# needed for the soledad-sync check which is run on the
- # webapp node (#6520)
- package { 'python-u1db':
- ensure => latest,
- }
+ # webapp node
+ include soledad::client
leap::logfile { 'webapp': }
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index ccde2d2e..19ed6b7b 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,28 +1,35 @@
-<%- require 'json' -%>
-<%- cert_options = @webapp['client_certificates'] -%>
-production:
- admins: <%= @webapp['admins'].inspect %>
- domain: <%= @provider_domain %>
- force_ssl: <%= @webapp['secure'] %>
- client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key
- client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt
- secret_token: "<%= @secret_token %>"
- client_cert_lifespan: <%= cert_options['life_span'] %>
- client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
- client_cert_hash: <%= cert_options['digest'] %>
- allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %>
- allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %>
- allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %>
- limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
- unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
- minimum_client_version: "<%= @webapp['client_version']['min'] %>"
- default_service_level: "<%= @webapp['default_service_level'] %>"
- service_levels: <%= scope.function_sorted_json([@webapp['service_levels']]) %>
- allow_registration: <%= @webapp['allow_registration'].inspect %>
- handle_blacklist: <%= @webapp['forbidden_usernames'].inspect %>
-<%- if @webapp['engines'] && @webapp['engines'].any? -%>
- engines:
-<%- @webapp['engines'].each do |engine| -%>
- - <%= engine %>
-<%- end -%>
-<%- end -%>
+<%-
+cert_options = @webapp['client_certificates']
+production = {
+ "admins" => @webapp['admins'],
+ "default_locale" => @webapp['default_locale'],
+ "available_locales" => @webapp['locales'],
+ "domain" => @provider_domain,
+ "force_ssl" => @webapp['secure'],
+ "client_ca_key" => "%s/%s.key" % [scope.lookupvar('x509::variables::keys'), scope.lookupvar('site_config::params::client_ca_name')],
+ "client_ca_cert" => "%s/%s.crt" % [scope.lookupvar('x509::variables::local_CAs'), scope.lookupvar('site_config::params::client_ca_name')],
+ "secret_token" => @secret_token,
+ "client_cert_lifespan" => cert_options['life_span'],
+ "client_cert_bit_size" => cert_options['bit_size'].to_i,
+ "client_cert_hash" => cert_options['digest'],
+ "allow_limited_certs" => @webapp['allow_limited_certs'],
+ "allow_unlimited_certs" => @webapp['allow_unlimited_certs'],
+ "allow_anonymous_certs" => @webapp['allow_anonymous_certs'],
+ "limited_cert_prefix" => cert_options['limited_prefix'],
+ "unlimited_cert_prefix" => cert_options['unlimited_prefix'],
+ "minimum_client_version" => @webapp['client_version']['min'],
+ "default_service_level" => @webapp['default_service_level'],
+ "service_levels" => @webapp['service_levels'],
+ "allow_registration" => @webapp['allow_registration'],
+ "handle_blacklist" => @webapp['forbidden_usernames'],
+ "invite_required" => @webapp['invite_required']
+}
+
+if @webapp['engines'] && @webapp['engines'].any?
+ production["engines"] = @webapp['engines']
+end
+-%>
+#
+# This file is generated by puppet. This file inherits from defaults.yml.
+#
+<%= scope.function_sorted_yaml({"production" => production}) %>
diff --git a/puppet/modules/soledad/manifests/client.pp b/puppet/modules/soledad/manifests/client.pp
new file mode 100644
index 00000000..5700cb09
--- /dev/null
+++ b/puppet/modules/soledad/manifests/client.pp
@@ -0,0 +1,18 @@
+# setup soledad-client
+# currently needed on webapp node to run the soledad-sync test
+class soledad::client {
+
+ tag 'leap_service'
+ include soledad::common
+
+ package {
+ 'soledad-client':
+ ensure => latest,
+ require => [
+ Class['site_apt::preferences::twisted'],
+ Class['site_apt::leap_repo'] ];
+ 'python-u1db':
+ ensure => latest;
+ }
+
+}
diff --git a/puppet/modules/soledad/manifests/common.pp b/puppet/modules/soledad/manifests/common.pp
index 8a1d664a..d66e943c 100644
--- a/puppet/modules/soledad/manifests/common.pp
+++ b/puppet/modules/soledad/manifests/common.pp
@@ -1,10 +1,10 @@
+# install soledad-common, both needed both soledad-client and soledad-server
class soledad::common {
- include soledad
+ include site_apt::preferences::twisted
package { 'soledad-common':
- ensure => latest,
- require => User['soledad']
+ ensure => latest;
}
}
diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp
deleted file mode 100644
index 7cf0b729..00000000
--- a/puppet/modules/soledad/manifests/init.pp
+++ /dev/null
@@ -1,29 +0,0 @@
-class soledad {
-
- group { 'soledad':
- ensure => present,
- allowdupe => false;
- }
-
- user { 'soledad':
- ensure => present,
- allowdupe => false,
- gid => 'soledad',
- home => '/srv/leap/soledad',
- require => Group['soledad'];
- }
-
- file {
- '/srv/leap/soledad':
- ensure => directory,
- owner => 'soledad',
- group => 'soledad',
- require => User['soledad'];
-
- '/var/lib/soledad':
- ensure => directory,
- owner => 'soledad',
- group => 'soledad',
- require => User['soledad'];
- }
-}
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index b71fab69..5c5a1bb7 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -1,11 +1,12 @@
+# setup soledad-server
class soledad::server {
tag 'leap_service'
- include soledad
- include site_apt::preferences::twisted
+ include soledad::common
- $soledad = hiera('soledad')
- $couchdb_user = $soledad['couchdb_soledad_user']['username']
- $couchdb_password = $soledad['couchdb_soledad_user']['password']
+ $soledad = hiera('soledad')
+ $couchdb_user = $soledad['couchdb_soledad_user']['username']
+ $couchdb_password = $soledad['couchdb_soledad_user']['password']
+ $couchdb_leap_mx_user = $soledad['couchdb_leap_mx_user']['username']
$couchdb_host = 'localhost'
$couchdb_port = '5984'
@@ -22,13 +23,29 @@ class soledad::server {
# SOLEDAD CONFIG
#
- file { '/etc/leap/soledad-server.conf':
- content => template('soledad/soledad-server.conf.erb'),
- owner => 'soledad',
- group => 'soledad',
- mode => '0600',
- notify => Service['soledad-server'],
- require => Class['soledad'];
+ file {
+ '/etc/soledad':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755';
+ '/etc/soledad/soledad-server.conf':
+ content => template('soledad/soledad-server.conf.erb'),
+ owner => 'soledad',
+ group => 'soledad',
+ mode => '0640',
+ notify => Service['soledad-server'],
+ require => [ User['soledad'], Group['soledad'] ];
+ '/srv/leap/soledad':
+ ensure => directory,
+ owner => 'soledad',
+ group => 'soledad',
+ require => [ User['soledad'], Group['soledad'] ];
+ '/var/lib/soledad':
+ ensure => directory,
+ owner => 'soledad',
+ group => 'soledad',
+ require => [ User['soledad'], Group['soledad'] ];
}
package { $sources['soledad']['package']:
@@ -44,7 +61,7 @@ class soledad::server {
group => 'soledad',
mode => '0600',
notify => Service['soledad-server'],
- require => Class['soledad'];
+ require => [ User['soledad'], Group['soledad'] ];
}
service { 'soledad-server':
@@ -52,7 +69,7 @@ class soledad::server {
enable => true,
hasstatus => true,
hasrestart => true,
- require => Class['soledad'],
+ require => [ User['soledad'], Group['soledad'] ],
subscribe => [
Package['soledad-server'],
Class['Site_config::X509::Key'],
@@ -62,4 +79,26 @@ class soledad::server {
include site_shorewall::soledad
include site_check_mk::agent::soledad
+
+ # set up users, group and directories for soledad-server
+ # although the soledad users are already created by the
+ # soledad-server package
+ group { 'soledad':
+ ensure => present,
+ system => true,
+ }
+ user {
+ 'soledad':
+ ensure => present,
+ system => true,
+ gid => 'soledad',
+ home => '/srv/leap/soledad',
+ require => Group['soledad'];
+ 'soledad-admin':
+ ensure => present,
+ system => true,
+ gid => 'soledad',
+ home => '/srv/leap/soledad',
+ require => Group['soledad'];
+ }
}
diff --git a/puppet/modules/soledad/templates/soledad-server.conf.erb b/puppet/modules/soledad/templates/soledad-server.conf.erb
index 47d1f6e4..1c6a0d19 100644
--- a/puppet/modules/soledad/templates/soledad-server.conf.erb
+++ b/puppet/modules/soledad/templates/soledad-server.conf.erb
@@ -1,3 +1,12 @@
[soledad-server]
-couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %>
+couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %>
+create_cmd = sudo -u soledad-admin /usr/bin/create-user-db
+admin_netrc = /etc/couchdb/couchdb-soledad-admin.netrc
+
+[database-security]
+members = <%= @couchdb_user %>, <%= @couchdb_leap_mx_user %>
+# not needed, but for documentation:
+# members_roles = replication
+# admins = admin
+# admins_roles = replication
diff --git a/puppet/modules/tapicero/files/tapicero.init b/puppet/modules/tapicero/files/tapicero.init
deleted file mode 100755
index 7a9af45f..00000000
--- a/puppet/modules/tapicero/files/tapicero.init
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/sh
-
-### BEGIN INIT INFO
-# Provides: tapicero
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: tapicero initscript
-# Description: Controls tapicero daemon
-### END INIT INFO
-
-PATH=/sbin:/usr/sbin:/bin:/usr/bin
-BUNDLER=/usr/bin/bundle
-NAME=tapicero
-HOME="/srv/leap"
-DAEMON="${HOME}/${NAME}/bin/${NAME}"
-BUNDLE_GEMFILE="${HOME}/${NAME}/Gemfile"
-
-export BUNDLE_GEMFILE
-
-# exit if the daemon doesn't exist
-[ -x "$DAEMON" ] || exit 0
-
-. /lib/init/vars.sh
-. /lib/lsb/init-functions
-
-if [ "$VERBOSE" != no ]; then
- OPTIONS="--verbose"
-else
- OPTIONS=""
-fi
-
-case "$1" in
- start)
- $BUNDLER exec $DAEMON start $OPTIONS
- exit $?
- ;;
- stop)
- $BUNDLER exec $DAEMON stop $OPTIONS
- exit $?
- ;;
- restart)
- $BUNDLER exec $DAEMON restart $OPTIONS
- exit $?
- ;;
- reload)
- $BUNDLER exec $DAEMON reload $OPTIONS
- exit $?
- ;;
- status)
- $BUNDLER exec $DAEMON status $OPTIONS
- exit $?
- ;;
- *)
- echo "Usage: /etc/init.d/$NAME {start|stop|reload|restart|status}"
- exit 1
-esac
-
-exit 0
diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp
deleted file mode 100644
index ca8488c8..00000000
--- a/puppet/modules/tapicero/manifests/init.pp
+++ /dev/null
@@ -1,137 +0,0 @@
-class tapicero {
- tag 'leap_service'
-
- $couchdb = hiera('couch')
- $couchdb_port = $couchdb['port']
-
- $couchdb_users = $couchdb['users']
-
- $couchdb_admin_user = $couchdb_users['admin']['username']
- $couchdb_admin_password = $couchdb_users['admin']['password']
-
- $couchdb_soledad_user = $couchdb_users['soledad']['username']
- $couchdb_leap_mx_user = $couchdb_users['leap_mx']['username']
-
- $couchdb_mode = $couchdb['mode']
- $couchdb_replication = $couchdb['replication']
-
- $sources = hiera('sources')
-
- Class['site_config::default'] -> Class['tapicero']
-
- include site_config::ruby::dev
-
- #
- # USER AND GROUP
- #
-
- group { 'tapicero':
- ensure => present,
- allowdupe => false;
- }
-
- user { 'tapicero':
- ensure => present,
- allowdupe => false,
- gid => 'tapicero',
- home => '/srv/leap/tapicero',
- require => Group['tapicero'];
- }
-
- #
- # TAPICERO FILES
- #
-
- file {
-
- #
- # TAPICERO DIRECTORIES
- #
-
- '/srv/leap/tapicero':
- ensure => directory,
- owner => 'tapicero',
- group => 'tapicero',
- require => User['tapicero'];
-
- '/var/lib/leap/tapicero':
- ensure => directory,
- owner => 'tapicero',
- group => 'tapicero',
- require => User['tapicero'];
-
- # for pid file
- '/var/run/tapicero':
- ensure => directory,
- owner => 'tapicero',
- group => 'tapicero',
- require => User['tapicero'];
-
- #
- # TAPICERO CONFIG
- #
-
- '/etc/leap/tapicero.yaml':
- content => template('tapicero/tapicero.yaml.erb'),
- owner => 'tapicero',
- group => 'tapicero',
- mode => '0600',
- notify => Service['tapicero'];
-
- #
- # TAPICERO INIT
- #
-
- '/etc/init.d/tapicero':
- source => 'puppet:///modules/tapicero/tapicero.init',
- owner => root,
- group => 0,
- mode => '0755',
- require => Vcsrepo['/srv/leap/tapicero'];
- }
-
- #
- # TAPICERO CODE
- #
-
- vcsrepo { '/srv/leap/tapicero':
- ensure => present,
- force => true,
- revision => $sources['tapicero']['revision'],
- provider => $sources['tapicero']['type'],
- source => $sources['tapicero']['source'],
- owner => 'tapicero',
- group => 'tapicero',
- require => [ User['tapicero'], Group['tapicero'] ],
- notify => Exec['tapicero_bundler_update']
- }
-
- exec { 'tapicero_bundler_update':
- cwd => '/srv/leap/tapicero',
- command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"',
- unless => '/usr/bin/bundle check',
- user => 'tapicero',
- timeout => 600,
- require => [
- Class['bundler::install'],
- Vcsrepo['/srv/leap/tapicero'],
- Class['site_config::ruby::dev'] ],
- notify => Service['tapicero'];
- }
-
- #
- # TAPICERO DAEMON
- #
-
- service { 'tapicero':
- ensure => running,
- enable => true,
- hasstatus => false,
- hasrestart => true,
- require => [ File['/etc/init.d/tapicero'],
- File['/var/run/tapicero'],
- Couchdb::Add_user[$::site_couchdb::couchdb_tapicero_user] ];
- }
-
- leap::logfile { 'tapicero': }
-}
diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb
deleted file mode 100644
index 8b08b49c..00000000
--- a/puppet/modules/tapicero/templates/tapicero.yaml.erb
+++ /dev/null
@@ -1,52 +0,0 @@
-<%- require 'json' -%>
-
-#
-# Default configuration options for Tapicero
-#
-
-# couch connection configuration
-connection:
- protocol: "http"
- host: "localhost"
- port: <%= @couchdb_port %>
- username: <%= @couchdb_admin_user %>
- password: <%= @couchdb_admin_password %>
- prefix : ""
- suffix : ""
- netrc: "/etc/couchdb/couchdb.netrc"
-
-# file to store the last processed user record in so we can resume after
-# a restart:
-seq_dir: "/var/lib/leap/tapicero/"
-
-# Configure log_file like this if you want to log to a file instead of syslog:
-#log_file: "/var/log/leap/tapicero.log"
-#log_level: debug
-log_level: info
-
-# tapicero specific options
-options:
- # prefix for per user databases:
- db_prefix: "user-"
- mode: <%= @couchdb_mode %>
-<%- if @couchdb_replication %>
- replication: <%= @couchdb_replication.to_json %>
-<%- end -%>
-
- # security settings to be used for the per user databases
- security:
- admins:
- names:
- # We explicitly allow the admin user to access per user databases, even
- # though admin access ignores per database security we just do this to be
- # explicit about this
- - <%= @couchdb_admin_user %>
- roles: []
- members:
- names:
- - <%= @couchdb_soledad_user %>
- - <%= @couchdb_leap_mx_user %>
- roles:
- - replication
-
-
diff --git a/puppet/modules/unbound b/puppet/modules/unbound
-Subproject 00646b0ffc71a86981b05f983c86ace0979d1b6
+Subproject 9997485b8a31abbe0cd1943d09995705c2c8146