authorMicah Anderson <micah@leap.se>2015-06-11 12:10:09 -0400
committerMicah Anderson <micah@leap.se>2015-06-11 12:10:09 -0400
commitb429b30bda4dafc78cb02f6ece5d82f08e35de1f (patch)
tree37efc30a4fcb642dec583c3accea76f7a7de9c39 /puppet
parent67b2bea2dfcfb06191bf5ed562309f264c6aed8c (diff)
parentd9146415db0e6b7dd0c945039c0a4ed4fd054a7d (diff)
Merge tag '0.7.0'
Releasing 0.7.0
Diffstat (limited to 'puppet')
-rw-r--r--puppet/lib/puppet/parser/functions/sorted_json.rb47
-rw-r--r--puppet/manifests/setup.pp5
-rw-r--r--puppet/manifests/site.pp7
m---------puppet/modules/apt0
m---------puppet/modules/augeas0
m---------puppet/modules/common0
m---------puppet/modules/couchdb0
-rw-r--r--puppet/modules/haveged/manifests/init.pp16
-rw-r--r--puppet/modules/leap/manifests/init.pp3
-rw-r--r--puppet/modules/leap/manifests/logfile.pp25
-rw-r--r--puppet/modules/leap/templates/rsyslog.erb5
-rw-r--r--puppet/modules/leap_mx/manifests/init.pp34
m---------puppet/modules/nagios0
m---------puppet/modules/postfix0
-rw-r--r--puppet/modules/site_apache/files/include.d/ssl_common.inc7
-rw-r--r--puppet/modules/site_apache/manifests/common.pp1
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb8
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/common.conf.erb17
-rw-r--r--puppet/modules/site_apt/manifests/init.pp21
-rw-r--r--puppet/modules/site_apt/manifests/unattended_upgrades.pp9
-rw-r--r--puppet/modules/site_apt/templates/50unattended-upgrades (renamed from puppet/modules/site_apt/files/Debian/50unattended-upgrades)2
-rwxr-xr-xpuppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh119
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg2
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/openvpn.cfg (renamed from puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg)1
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/stunnel.cfg (renamed from puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg)1
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg (renamed from puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg)3
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg (renamed from puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg)1
-rw-r--r--puppet/modules/site_check_mk/files/extra_service_conf.mk11
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/couchdb.pp35
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/haproxy.pp11
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/haveged.pp15
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/mrpe.pp12
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/mx.pp11
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/openvpn.pp2
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/soledad.pp13
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/stunnel.pp2
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/tapicero.pp25
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/webapp.pp8
-rw-r--r--puppet/modules/site_config/lib/facter/dhcp_enabled.rb22
-rw-r--r--puppet/modules/site_config/manifests/default.pp17
-rw-r--r--puppet/modules/site_config/manifests/dhclient.pp4
-rw-r--r--puppet/modules/site_config/manifests/packages/base.pp2
-rw-r--r--puppet/modules/site_config/manifests/remove_files.pp46
-rw-r--r--puppet/modules/site_config/manifests/syslog.pp25
-rw-r--r--puppet/modules/site_couchdb/lib/puppet/parser/functions/rotated_db_name.rb24
-rw-r--r--puppet/modules/site_couchdb/manifests/bigcouch.pp1
-rw-r--r--puppet/modules/site_couchdb/manifests/create_dbs.pp28
-rw-r--r--puppet/modules/site_couchdb/manifests/designs.pp33
-rw-r--r--puppet/modules/site_couchdb/manifests/upload_design.pp13
-rw-r--r--puppet/modules/site_nagios/files/configs/Debian/nagios.cfg11
-rwxr-xr-xpuppet/modules/site_nagios/files/plugins/check_last_regex_in_log2
-rw-r--r--puppet/modules/site_nagios/manifests/server.pp13
-rw-r--r--puppet/modules/site_nickserver/manifests/init.pp9
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb8
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp1
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp4
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp9
-rw-r--r--puppet/modules/site_static/manifests/domain.pp15
-rw-r--r--puppet/modules/site_static/manifests/init.pp2
-rw-r--r--puppet/modules/site_static/templates/apache.conf.erb8
-rw-r--r--puppet/modules/site_stunnel/manifests/client.pp19
-rw-r--r--puppet/modules/site_stunnel/manifests/init.pp14
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp3
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp9
-rw-r--r--puppet/modules/site_webapp/manifests/cron.pp17
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp14
-rw-r--r--puppet/modules/site_webapp/manifests/logging.pp16
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb4
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.admin.yml.erb9
-rw-r--r--puppet/modules/soledad/manifests/server.pp6
m---------puppet/modules/stdlib0
-rw-r--r--puppet/modules/tapicero/manifests/init.pp27
-rw-r--r--puppet/modules/tapicero/templates/tapicero.yaml.erb6
73 files changed, 748 insertions, 172 deletions
diff --git a/puppet/lib/puppet/parser/functions/sorted_json.rb b/puppet/lib/puppet/parser/functions/sorted_json.rb
new file mode 100644
index 00000000..605da00e
--- /dev/null
+++ b/puppet/lib/puppet/parser/functions/sorted_json.rb
@@ -0,0 +1,47 @@
+#
+# Written by Gavin Mogan, from https://gist.github.com/halkeye/2287885
+# Put in the public domain by the author.
+#
+
+require 'json'
+
+def sorted_json(obj)
+ case obj
+ when String, Fixnum, Float, TrueClass, FalseClass, NilClass
+ return obj.to_json
+ when Array
+ arrayRet = []
+ obj.each do |a|
+ arrayRet.push(sorted_json(a))
+ end
+ return "[" << arrayRet.join(',') << "]";
+ when Hash
+ ret = []
+ obj.keys.sort.each do |k|
+ ret.push(k.to_json << ":" << sorted_json(obj[k]))
+ end
+ return "{" << ret.join(",") << "}";
+ else
+ raise Exception("Unable to handle object of type <%s>" % obj.class.to_s)
+ end
+end
+
+module Puppet::Parser::Functions
+ newfunction(:sorted_json, :type => :rvalue, :doc => <<-EOS
+This function takes data, outputs making sure the hash keys are sorted
+
+*Examples:*
+
+ sorted_json({'key'=>'value'})
+
+Would return: {'key':'value'}
+ EOS
+ ) do |arguments|
+ raise(Puppet::ParseError, "sorted_json(): Wrong number of arguments " +
+ "given (#{arguments.size} for 1)") if arguments.size != 1
+
+ json = arguments[0]
+ return sorted_json(json)
+ end
+end
+
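Review bot: The `else` branch cannot raise the error it intends: `Exception("...")` is a method call, not a constructor, so an unsupported value surfaces as a NoMethodError with a misleading message. Use the class-plus-message form the Puppet wrapper below already uses, `raise Puppet::ParseError, "sorted_json(): unable to handle object of type <#{obj.class}>"`. The `when String, Fixnum, Float, ...` arm could be `when String, Integer, Float, ...`, which also covers Bignum values and keeps working on Rubies that no longer define Fixnum. Note that `obj.keys.sort` raises ArgumentError for hashes whose keys are not mutually comparable (mixed String and Symbol keys, for instance); if only string-keyed Puppet hashes are expected, a one-line comment saying so would help the next reader.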
diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp
deleted file mode 100644
index 4dd03203..00000000
--- a/puppet/manifests/setup.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# this is applied before each run of site.pp
-#
-
-include ::site_config::setup
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 57942d99..912234ac 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -1,5 +1,10 @@
# set a default exec path
-Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' }
+# the logoutput exec parameter defaults to "on_error" in puppet 3,
+# but to "false" in puppet 2.7, so we need to set this globally here
+Exec {
+ logoutput => on_failure,
+ path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin'
+}
include site_config::setup
include site_config::default
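Review bot: The new comment above the Exec default does not match the value it explains: it says the Puppet 3 default is "on_error", but logoutput only accepts true, false and on_failure, and on_failure is exactly what the block sets. Change the comment to `# the logoutput exec parameter defaults to "on_failure" in puppet 3,` so the rationale and the setting agree.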
diff --git a/puppet/modules/apt b/puppet/modules/apt
-Subproject 64fb988c0e37d64fb3e241dc95f156072e43bf2
+Subproject fca103484ddc1f647a54135b6a902edabf45955
diff --git a/puppet/modules/augeas b/puppet/modules/augeas
-Subproject 4d8c8ba362cc57c12451e581f27feea97797e8c
+Subproject 58ab2b90c52a5d951fa41596827bc3b6f52310e
diff --git a/puppet/modules/common b/puppet/modules/common
-Subproject 0961ad453b8befb4ea61bbd19f6ecea32b9619c
+Subproject ae149624f9bc551865b93b9b7155af2de8deeb7
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject 4c0d5673df02fe42e1bbadfee7d4ea1ca1f88e9
+Subproject 23b557c6fb07929a9b04e5fb75375a85a473437
diff --git a/puppet/modules/haveged/manifests/init.pp b/puppet/modules/haveged/manifests/init.pp
new file mode 100644
index 00000000..8f901937
--- /dev/null
+++ b/puppet/modules/haveged/manifests/init.pp
@@ -0,0 +1,16 @@
+class haveged {
+
+ package { 'haveged':
+ ensure => present,
+ }
+
+ service { 'haveged':
+ ensure => running,
+ hasrestart => true,
+ hasstatus => true,
+ enable => true,
+ require => Package['haveged'];
+ }
+
+ include site_check_mk::agent::haveged
+}
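Review bot: `include site_check_mk::agent::haveged` inside the generic haveged class makes a reusable module depend on a site-specific one, so the class cannot be applied on a node without the site_check_mk module present. The monitoring include belongs in whichever site class pulls in haveged, next to the other site_check_mk::agent includes, leaving this module to manage only the package and the service. If the coupling is deliberate, a one-line comment above the include explaining why would save the next reader the question.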
diff --git a/puppet/modules/leap/manifests/init.pp b/puppet/modules/leap/manifests/init.pp
new file mode 100644
index 00000000..bbae3781
--- /dev/null
+++ b/puppet/modules/leap/manifests/init.pp
@@ -0,0 +1,3 @@
+class leap {
+
+} \ No newline at end of file
diff --git a/puppet/modules/leap/manifests/logfile.pp b/puppet/modules/leap/manifests/logfile.pp
new file mode 100644
index 00000000..63dbd16b
--- /dev/null
+++ b/puppet/modules/leap/manifests/logfile.pp
@@ -0,0 +1,25 @@
+#
+# make syslog log to a particular file for a particular process.
+#
+
+define leap::logfile($process=$name) {
+ $logfile = "/var/log/leap/${name}.log"
+
+ rsyslog::snippet { "50-${name}":
+ content => template('leap/rsyslog.erb')
+ }
+
+ augeas {
+ "logrotate_${name}":
+ context => "/files/etc/logrotate.d/${name}/rule",
+ changes => [
+ "set file ${logfile}",
+ 'set rotate 5',
+ 'set schedule daily',
+ 'set compress compress',
+ 'set missingok missingok',
+ 'set ifempty notifempty',
+ 'set copytruncate copytruncate'
+ ]
+ }
+}
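Review bot: `$name` is interpolated unvalidated into the log path, the logrotate augeas context and, through the template, an rsyslog rule, so a title containing `/`, whitespace or a quote yields a path or rule outside what this define intends. Since stdlib is a submodule of this tree, `validate_re($name, '^[A-Za-z0-9_.-]+$')` as the first statement of the define turns that into a clear compile-time error instead. The define also neither ensures `/var/log/leap` exists nor sets ownership and mode on the file rsyslog will create there; if that is handled elsewhere (leap_mx writes its own log into the same directory), a comment naming where would help, otherwise a `file { '/var/log/leap': ensure => directory }` belongs here or in the leap class.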
diff --git a/puppet/modules/leap/templates/rsyslog.erb b/puppet/modules/leap/templates/rsyslog.erb
new file mode 100644
index 00000000..7bb5316f
--- /dev/null
+++ b/puppet/modules/leap/templates/rsyslog.erb
@@ -0,0 +1,5 @@
+if $programname startswith '<%= @process %>' then {
+ action(type="omfile" file="<%= @logfile %>" template="RSYSLOG_TraditionalFileFormat")
+ stop
+}
+
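Review bot: `startswith` is a prefix match, so this rule routes every program whose name begins with `@process`, not only the named one; with a process of `mx` (a constructed example) a program called `mxbackup` would land in the same file. If an exact match is intended, RainerScript supports `if $programname == '<%= @process %>' then {`. The template also embeds `@process` and `@logfile` without escaping, so a single quote in either value breaks the generated snippet; the define that feeds this template is the right place to validate them.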
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index c90fc231..6bcdd19a 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -7,6 +7,8 @@ class leap_mx {
$couchdb_host = 'localhost'
$couchdb_port = '4096'
+ $sources = hiera('sources')
+
include soledad::common
include site_apt::preferences::twisted
@@ -39,16 +41,26 @@ class leap_mx {
notify => Service['leap-mx'];
}
+ file { '/etc/default/leap_mx':
+ content => 'LOGFILE=/var/log/leap/mx.log',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ notify => Service['leap-mx'];
+ }
+
#
# LEAP-MX CODE AND DEPENDENCIES
#
package {
- 'leap-mx':
- ensure => latest,
- require => Class['site_apt::preferences::twisted'];
+ $sources['leap-mx']['package']:
+ ensure => $sources['leap-mx']['revision'],
+ require => [
+ Class['site_apt::preferences::twisted'],
+ Class['site_apt::leap_repo'] ];
- [ 'leap-keymanager' ]:
+ 'leap-keymanager':
ensure => latest;
}
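Review bot: The service dependency in the next hunk still refers to `Package['leap-mx']` by its literal title, but the package resource in this hunk is now titled `$sources['leap-mx']['package']`; unless that hiera value is exactly `leap-mx`, catalog compilation fails on the missing reference. Either require `Package[$sources['leap-mx']['package']]` there, or add `alias => 'leap-mx',` to the package so both spellings resolve. The `/etc/default/leap_mx` content also lacks a trailing newline; `content => "LOGFILE=/var/log/leap/mx.log\n",` keeps the file well-formed for anything that appends to it. The enclosing class leap_mx starts and ends outside this hunk.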
@@ -63,4 +75,18 @@ class leap_mx {
hasrestart => true,
require => [ Package['leap-mx'] ];
}
+
+ augeas {
+ "logrotate_mx":
+ context => "/files/etc/logrotate.d/leap-mx/rule",
+ changes => [
+ "set file /var/log/leap/mx.log",
+ 'set rotate 5',
+ 'set schedule daily',
+ 'set compress compress',
+ 'set missingok missingok',
+ 'set ifempty notifempty',
+ 'set copytruncate copytruncate'
+ ]
+ }
}
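Review bot: The logrotate augeas stanza here is a copy of the one in the new leap::logfile define from this same commit, differing only in the path, so the rotation policy now lives in two places and will drift. Extracting the augeas part into a small define that both callers use, or reusing leap::logfile here if its rsyslog routing is acceptable for leap-mx, keeps a single source of truth. The enclosing class leap_mx starts outside this hunk.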
diff --git a/puppet/modules/nagios b/puppet/modules/nagios
-Subproject 57a1140b437a8cfb9cfd5d94a5759b1e3ed86d4
+Subproject b55f23d4d90c97cec08251544aa9700df86ad0b
diff --git a/puppet/modules/postfix b/puppet/modules/postfix
-Subproject 1103a73ab4253712c6446bba7a443619fe51671
+Subproject f09cd0eff2bcab7e12c09ec67be3c918bc83fac
diff --git a/puppet/modules/site_apache/files/include.d/ssl_common.inc b/puppet/modules/site_apache/files/include.d/ssl_common.inc
new file mode 100644
index 00000000..2d282c84
--- /dev/null
+++ b/puppet/modules/site_apache/files/include.d/ssl_common.inc
@@ -0,0 +1,7 @@
+SSLEngine on
+SSLProtocol all -SSLv2 -SSLv3
+SSLHonorCipherOrder on
+SSLCompression off
+SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+
+RequestHeader set X_FORWARDED_PROTO 'https' \ No newline at end of file
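Review bot: The cipher string runs two exclusions together as `!PSK!aECDH` with no `:` between them; whether OpenSSL reads that as two rules or as one unknown token depends on the parser version, so write `:!PSK:!aECDH:` and confirm the effective list with `openssl ciphers -v '<the string>'` (the earlier `!aNULL` already removes anonymous suites, so the practical exposure is limited). In the same string `DES-CBC3-SHA` is added explicitly and then removed again by `!3DES`, and the broad `AES` and `CAMELLIA` aliases append every remaining AES/Camellia suite, CBC-with-SHA1 included, after the carefully ordered explicit list; trimming the tail to the explicit suites makes the intent reviewable. `RequestHeader` sits outside the `<IfModule mod_headers.c>` guard both vhost templates use for their other header directives, so a host without mod_headers fails to start rather than degrading. Since api.conf.erb and common.conf.erb now both pull this file in via `Include include.d/ssl_common.inc`, a fix here covers every TLS vhost at once.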
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
index 72f24838..2b83ffa5 100644
--- a/puppet/modules/site_apache/manifests/common.pp
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -23,4 +23,5 @@ class site_apache::common {
content => template('site_apache/vhosts.d/common.conf.erb')
}
+ apache::config::include{ 'ssl_common.inc': }
}
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index e4732289..0396f54b 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -11,18 +11,12 @@ Listen 0.0.0.0:<%= api_port %>
ServerName <%= api_domain %>
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common
- SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- SSLHonorCipherOrder on
- SSLCompression off
- SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
-
SSLCACertificatePath /etc/ssl/certs
SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
- RequestHeader set X_FORWARDED_PROTO 'https'
+ Include include.d/ssl_common.inc
<IfModule mod_headers.c>
<% if @webapp['secure'] -%>
diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
index a9733a97..ee5cd707 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -1,5 +1,7 @@
<VirtualHost *:80>
- ServerName <%= domain %>
+ ServerName <%= webapp_domain %>
+ ServerAlias <%= domain_name %>
+ ServerAlias <%= domain %>
ServerAlias www.<%= domain %>
RewriteEngine On
RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
@@ -7,23 +9,18 @@
</VirtualHost>
<VirtualHost *:443>
- ServerName <%= domain_name %>
+ ServerName <%= webapp_domain %>
+ ServerAlias <%= domain_name %>
ServerAlias <%= domain %>
ServerAlias www.<%= domain %>
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common
- SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- SSLHonorCipherOrder on
- SSLCompression off
- SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
-
SSLCACertificatePath /etc/ssl/certs
SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt
SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key
SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt
- RequestHeader set X_FORWARDED_PROTO 'https'
+ Include include.d/ssl_common.inc
<IfModule mod_headers.c>
<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%>
@@ -60,7 +57,7 @@
<% if (defined? @services) and (@services.include? 'monitor') -%>
- <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
+ <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets|/usr/share/pnp4nagios)>
<% if (defined? @services) and (@services.include? 'webapp') -%>
PassengerEnabled off
<% end -%>
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp
index 633ccf1e..cf49f870 100644
--- a/puppet/modules/site_apt/manifests/init.pp
+++ b/puppet/modules/site_apt/manifests/init.pp
@@ -1,7 +1,17 @@
+# setup apt on all nodes
class site_apt {
+ $sources = hiera('sources')
+ $apt_config = $sources['apt']
+ $apt_url_basic = $apt_config['basic']
+ $apt_url_security = $apt_config['security']
+ $apt_url_backports = $apt_config['backports']
+
class { 'apt':
- custom_key_dir => 'puppet:///modules/site_apt/keys'
+ custom_key_dir => 'puppet:///modules/site_apt/keys',
+ debian_url => $apt_url_basic,
+ security_url => $apt_url_security,
+ backports_url => $apt_url_backports
}
# enable http://deb.leap.se debian package repository
@@ -22,12 +32,19 @@ class site_apt {
priority => 999
}
+ apt::preferences_snippet { 'leap':
+ priority => 999,
+ package => '*',
+ pin => 'origin "deb.leap.se"'
+ }
+
# All packages should be installed _after_ refresh_apt is called,
# which does an apt-get update.
# There is one exception:
# The creation of sources.list depends on the lsb package
File['/etc/apt/preferences'] ->
+ Apt::Preferences_snippet <| |> ->
Exec['refresh_apt'] ->
- Package <| ( title != 'lsb' ) |>
+ Package <| ( title != 'lsb' ) |>
}
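Review bot: The new `Apt::Preferences_snippet <| |> ->` collector in the ordering chain does more than order: a spaceship collector also realizes any virtual apt::preferences_snippet resources in the catalog, so a snippet declared with `@` elsewhere would silently become real on every node that includes site_apt. If none are declared virtual today this is harmless, but a comment above the line noting the side effect, e.g. `# collector also realizes virtual snippets`, keeps it from becoming a surprise later. The class site_apt starts outside this hunk.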
diff --git a/puppet/modules/site_apt/manifests/unattended_upgrades.pp b/puppet/modules/site_apt/manifests/unattended_upgrades.pp
index daebffab..40111deb 100644
--- a/puppet/modules/site_apt/manifests/unattended_upgrades.pp
+++ b/puppet/modules/site_apt/manifests/unattended_upgrades.pp
@@ -1,10 +1,9 @@
-class site_apt::unattended_upgrades inherits apt::unattended_upgrades {
+class site_apt::unattended_upgrades {
# override unattended-upgrades package resource to make sure
# that it is upgraded on every deploy (#6245)
- include ::apt::unattended_upgrades
-
- Package['unattended-upgrades'] {
- ensure => latest
+ class { 'apt::unattended_upgrades':
+ config_content => template('site_apt/50unattended-upgrades'),
+ ensure_version => latest
}
}
diff --git a/puppet/modules/site_apt/files/Debian/50unattended-upgrades b/puppet/modules/site_apt/templates/50unattended-upgrades
index f2f574fc..9ae3ab84 100644
--- a/puppet/modules/site_apt/files/Debian/50unattended-upgrades
+++ b/puppet/modules/site_apt/templates/50unattended-upgrades
@@ -1,7 +1,7 @@
// this file is managed by puppet !
Unattended-Upgrade::Allowed-Origins {
- "${distro_id}:stable";
+ "${distro_id}:oldstable";
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
"${distro_id} Backports:${distro_codename}-backports";
diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh b/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh
new file mode 100755
index 00000000..95474ccb
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh
@@ -0,0 +1,119 @@
+#!/bin/bash
+#
+# todo:
+# - thresholds
+# - couch response time
+# - make CURL/URL/DBLIST_EXCLUDE vars configurable
+# - move load_nagios_utils() to helper library so we can use it from multiple scripts
+
+start_time=$(date +%s.%N)
+
+CURL='curl -s --netrc-file /etc/couchdb/couchdb.netrc'
+URL='http://127.0.0.1:5984'
+TMPFILE=$(mktemp)
+DBLIST_EXCLUDE='(user-|sessions_|tokens_)'
+PREFIX='Couchdb_'
+
+
+load_nagios_utils () {
+ # load the nagios utils
+ # in debian, the package nagios-plugins-common installs utils.sh to /usr/lib/nagios/plugins/utils.sh
+ utilsfn=
+ for d in $PROGPATH /usr/lib/nagios/plugins /usr/lib64/nagios/plugins /usr/local/nagios/libexec /opt/nagios-plugins/libexec . ; do
+ if [ -f "$d/utils.sh" ]; then
+ utilsfn=$d/utils.sh;
+ fi
+ done
+ if [ "$utilsfn" = "" ]; then
+ echo "UNKNOWN - cannot find utils.sh (part of nagios plugins)";
+ exit 3;
+ fi
+ . "$utilsfn";
+ STATE[$STATE_OK]='OK'
+ STATE[$STATE_WARNING]='Warning'
+ STATE[$STATE_CRITICAL]='Critical'
+ STATE[$STATE_UNKNOWN]='Unknown'
+ STATE[$STATE_DEPENDENT]='Dependend'
+}
+
+get_global_stats_perf () {
+ trap "localexit=3" ERR
+ local localexit db_count
+ localexit=0
+
+ # get a list of all dbs
+ $CURL -X GET $URL/_all_dbs | json_pp | egrep -v '(\[|\])' > $TMPFILE
+
+ db_count=$( wc -l < $TMPFILE)
+ excluded_db_count=$( egrep -c "$DBLIST_EXCLUDE" $TMPFILE )
+
+ echo "db_count=$db_count|excluded_db_count=$excluded_db_count"
+ return ${localexit}
+}
+
+db_stats () {
+ trap "localexit=3" ERR
+ local db db_stats doc_count del_doc_count localexit
+ localexit=0
+
+ db="$1"
+ name="$2"
+
+ if [ -z "$name" ]
+ then
+ name="$db"
+ fi
+
+ perf="$perf|${db}_docs=$( $CURL -s -X GET ${URL}/$db | json_pp |grep 'doc_count' | sed 's/[^0-9]//g' )"
+ db_stats=$( $CURL -s -X GET ${URL}/$db | json_pp )
+
+ doc_count=$( echo "$db_stats" | grep 'doc_count' | grep -v 'deleted_doc_count' | sed 's/[^0-9]//g' )
+ del_doc_count=$( echo "$db_stats" | grep 'doc_del_count' | sed 's/[^0-9]//g' )
+
+ # don't divide by zero
+ if [ $del_doc_count -eq 0 ]
+ then
+ del_doc_perc=0
+ else
+ del_doc_perc=$(( del_doc_count * 100 / doc_count ))
+ fi
+
+ bytes=$( echo "$db_stats" | grep disk_size | sed 's/[^0-9]//g' )
+ disk_size=$( echo "scale = 2; $bytes / 1024 / 1024" | bc -l )
+
+ echo -n "${localexit} ${PREFIX}${name}_database ${name}_docs=$doc_count|${name}_deleted_docs=$del_doc_count|${name}_deleted_docs_percentage=${del_doc_perc}%"
+ printf "|${name}_disksize_mb=%02.2fmb ${STATE[localexit]}: database $name\n" "$disk_size"
+
+ return ${localexit}
+}
+
+# main
+
+load_nagios_utils
+
+# per-db stats
+# get a list of all dbs
+$CURL -X GET $URL/_all_dbs | json_pp | egrep -v '(\[|\])' > $TMPFILE
+
+# get list of dbs to check
+dbs=$( egrep -v "${DBLIST_EXCLUDE}" $TMPFILE | tr -d '\n"' | sed 's/,/ /g' )
+
+for db in $dbs
+do
+ db_stats "$db"
+done
+
+# special handling for rotated dbs
+suffix=$(($(date +'%s') / (60*60*24*30) + 1))
+db_stats "sessions_${suffix}" "sessions"
+db_stats "tokens_${suffix}" "tokens"
+
+
+# show global couchdb stats
+global_stats_perf=$(get_global_stats_perf)
+exitcode=$?
+
+end_time=$(date +%s.%N)
+duration=$( echo "scale = 2; $end_time - $start_time" | bc -l )
+
+printf "${exitcode} ${PREFIX}global_stats ${global_stats_perf}|script_duration=%02.2fs ${STATE[exitcode]}: global couchdb status\n" "$duration"
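Review bot: The divide-by-zero guard in db_stats tests the wrong variable: it skips the division when `del_doc_count` is zero, but the divisor on the next line is `doc_count`, so a database whose documents have all been deleted makes bash report a division by 0 and leaves `del_doc_perc` empty, producing a malformed check line. Change the test to `if [ "$doc_count" -eq 0 ]`, which also covers the empty-database case. The mktemp file is never removed, so every agent run leaves one behind; `trap 'rm -f "$TMPFILE"' EXIT` right after the TMPFILE assignment fixes that. In db_stats the `perf=` line fetches the database a second time through curl and the result is never used, so it can be dropped, and `name`, `perf`, `bytes` and `del_doc_perc` are not declared local.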
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg
index c71c5392..166d0230 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg
@@ -1,4 +1,4 @@
-/var/log/leap_mx.log
+/var/log/leap/mx.log
W Don't know how to deliver mail
W No public key, stopping the processing chain
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/openvpn.cfg
index ac17c0ca..ed50f420 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/openvpn.cfg
@@ -1,3 +1,4 @@
+/var/log/leap/openvpn.log
# ignore openvpn TLS initialization errors when clients
# suddenly hangup before properly establishing
# a tls connection
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/stunnel.cfg
index eb3131f2..b1e6cf2f 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/stunnel.cfg
@@ -1,3 +1,4 @@
+/var/log/leap/stunnel.log
# check for stunnel failures
#
# these are temporary failures and happen very often, so we
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
index e5721eea..d98f5094 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
@@ -1,5 +1,6 @@
+/var/log/leap/tapicero.log
# Ignore transient Tapicero errors when creating a db (#6511)
- I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|(twice )?due to): (RestClient::Resource Not Found|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error)
+ I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|(twice )?due to): (RestClient::ResourceNotFound|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error)
C tapicero.*RestClient::InternalServerError:
# possible race condition between multiple tapicero
# instances, so we ignore it
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg
index 00f9c7fd..008e9e09 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg
@@ -1,3 +1,4 @@
+/var/log/leap/webapp.log
# check for webapp errors
C webapp.*Could not connect to couch database messages due to 401 Unauthorized: {"error":"unauthorized","reason":"You are not a server admin."}
# ignore RoutingErrors that rails throw when it can't handle a url
diff --git a/puppet/modules/site_check_mk/files/extra_service_conf.mk b/puppet/modules/site_check_mk/files/extra_service_conf.mk
index 03d1ea76..c7120a96 100644
--- a/puppet/modules/site_check_mk/files/extra_service_conf.mk
+++ b/puppet/modules/site_check_mk/files/extra_service_conf.mk
@@ -1,13 +1,14 @@
# retry 3 times before setting a service into a hard state
# and send out notification
-extra_service_conf["max_check_attempts"] = [
- ("4", ALL_HOSTS , ALL_SERVICES )
+extra_service_conf["max_check_attempts"] = [
+ ("4", ALL_HOSTS , ALL_SERVICES )
]
-# run check_mk_agent every 2 minutes if it terminates
-# successfully.
+#
+# run check_mk_agent every 4 minutes if it terminates successfully.
# see https://leap.se/code/issues/6539 for the rationale
+#
extra_service_conf["normal_check_interval"] = [
- ("2", ALL_HOSTS , "Check_MK" )
+ ("4", ALL_HOSTS , "Check_MK" )
]
diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
index ee0268a3..abfc7ad0 100644
--- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
@@ -12,13 +12,21 @@ class site_check_mk::agent::couchdb {
# check bigcouch processes
- file_line {
+ augeas {
'Bigcouch_epmd_procs':
- line => 'Bigcouch_epmd_procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/epmd',
- path => '/etc/check_mk/mrpe.cfg';
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs',
+ 'set Bigcouch_epmd_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/epmd\'' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
'Bigcouch_beam_procs':
- line => 'Bigcouch_beam_procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/beam',
- path => '/etc/check_mk/mrpe.cfg';
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs',
+ 'set Bigcouch_beam_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/beam\'' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
}
# check open files for bigcouch proc
@@ -27,10 +35,21 @@ class site_check_mk::agent::couchdb {
source => 'puppet:///modules/site_check_mk/agent/nagios_plugins/check_unix_open_fds.pl',
mode => '0755'
}
- file_line {
+ augeas {
'Bigcouch_open_files':
- line => 'Bigcouch_open_files /srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720',
- path => '/etc/check_mk/mrpe.cfg';
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files',
+ 'set Bigcouch_open_files \'/srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720\'' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
}
+
+ # check different couchdb stats
+ file { '/usr/lib/check_mk_agent/local/leap_couch_stats.sh':
+ source => 'puppet:///modules/site_check_mk/agent/local_checks/couchdb/leap_couch_stats.sh',
+ mode => '0755',
+ require => Package['check_mk-agent']
+ }
}
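Review bot: The new file resource requires `Package['check_mk-agent']`, while the mrpe class in this same commit requires `Package['check-mk-agent']` (the Debian package name); unless a resource with the underscore title is declared elsewhere, this reference fails at catalog compile time on every couchdb node. Align it to `require => Package['check-mk-agent']`. The deployed script reads `/etc/couchdb/couchdb.netrc`, so it only works if the check_mk agent runs with read access to that file; since nothing here declares that, a comment on the resource stating the assumption would help. The class site_check_mk::agent::couchdb starts outside this hunk.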
diff --git a/puppet/modules/site_check_mk/manifests/agent/haproxy.pp b/puppet/modules/site_check_mk/manifests/agent/haproxy.pp
index e7986db1..6d52efba 100644
--- a/puppet/modules/site_check_mk/manifests/agent/haproxy.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/haproxy.pp
@@ -3,10 +3,13 @@ class site_check_mk::agent::haproxy {
include site_check_mk::agent::package::nagios_plugins_contrib
# local nagios plugin checks via mrpe
- file_line {
- 'haproxy':
- line => 'Haproxy /usr/lib/nagios/plugins/check_haproxy -u "http://localhost:8000/haproxy;csv"',
- path => '/etc/check_mk/mrpe.cfg';
+ augeas { 'haproxy':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Haproxy',
+ 'set Haproxy \'/usr/lib/nagios/plugins/check_haproxy -u "http://localhost:8000/haproxy;csv"\'' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
}
}
diff --git a/puppet/modules/site_check_mk/manifests/agent/haveged.pp b/puppet/modules/site_check_mk/manifests/agent/haveged.pp
new file mode 100644
index 00000000..cacbea8c
--- /dev/null
+++ b/puppet/modules/site_check_mk/manifests/agent/haveged.pp
@@ -0,0 +1,15 @@
+class site_check_mk::agent::haveged {
+
+# check haveged process
+ augeas {
+ 'haveged_proc':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/haveged_proc',
+ 'set haveged_proc \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /usr/sbin/haveged\'' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
+
+ }
+
+}
diff --git a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp
index 6921574f..5e1f087a 100644
--- a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp
@@ -11,8 +11,14 @@ class site_check_mk::agent::mrpe {
ensure => present,
require => Package['check-mk-agent']
} ->
- file_line { 'Apt':
- line => 'APT /usr/lib/nagios/plugins/check_apt',
- path => '/etc/check_mk/mrpe.cfg',
+
+ augeas {
+ 'Apt':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/APT',
+ 'set APT \'/usr/lib/nagios/plugins/check_apt\'' ];
}
+
}
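Review bot: The new `Apt` augeas resource is the only converted mrpe check without `require => File['/etc/check_mk/mrpe.cfg']`; it relies on the `->` arrow from the resource above, whose head is outside this hunk, so moving that resource silently drops the ordering — adding `require => File['/etc/check_mk/mrpe.cfg'];` after the `changes` list matches the sibling manifests. Separately, the context line here requires `Package['check-mk-agent']` while the couchdb hunk at the top of this chunk (whose start is outside my view) requires `Package['check_mk-agent']`; the Debian package is named `check-mk-agent`, so unless both resources are declared somewhere, one of the two references fails catalog compilation.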
diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp
index 1e370125..98757b59 100644
--- a/puppet/modules/site_check_mk/manifests/agent/mx.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp
@@ -6,13 +6,16 @@ class site_check_mk::agent::mx {
}
# local nagios plugin checks via mrpe
- file_line {
+ augeas {
'Leap_MX_Procs':
- line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/leap_mx.pid --rundir=/var/lib/leap_mx/ --python=/usr/share/app/leap_mx.tac --logfile=/var/log/leap_mx.log\'',
- path => '/etc/check_mk/mrpe.cfg';
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Leap_MX_Procs',
+ 'set Leap_MX_Procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a "/usr/bin/python /usr/bin/twistd --pidfile=/var/run/leap_mx.pid --rundir=/var/lib/leap_mx/ --python=/usr/share/app/leap_mx.tac --logfile=/var/log/leap/mx.log"\'' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
}
-
# check stale files in queue dir
file { '/usr/lib/check_mk_agent/local/check_leap_mx.sh':
source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh',
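Review bot: `Leap_MX_Procs` now matches the entire twistd command line through `check_procs -a`, including the new `--logfile=/var/log/leap/mx.log` path, so the check goes CRITICAL the moment the service's arguments drift by one character; the soledad and tapicero hunks share the same brittleness, and soledad's match string even embeds the full TLS endpoint. A shorter distinctive token, e.g. `-a leap_mx.tac`, tracks the process rather than its exact invocation. The leap_mx manifest that sets the real arguments is not in this chunk, so the two strings cannot be confirmed to agree here.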
diff --git a/puppet/modules/site_check_mk/manifests/agent/openvpn.pp b/puppet/modules/site_check_mk/manifests/agent/openvpn.pp
index 919a408d..0596a497 100644
--- a/puppet/modules/site_check_mk/manifests/agent/openvpn.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/openvpn.pp
@@ -2,7 +2,7 @@ class site_check_mk::agent::openvpn {
# check syslog
concat::fragment { 'syslog_openpvn':
- source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/openvpn.cfg',
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/openvpn.cfg',
target => '/etc/check_mk/logwatch.d/syslog.cfg',
order => '02';
}
diff --git a/puppet/modules/site_check_mk/manifests/agent/soledad.pp b/puppet/modules/site_check_mk/manifests/agent/soledad.pp
index 512d1a3d..f4a3f3a6 100644
--- a/puppet/modules/site_check_mk/manifests/agent/soledad.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/soledad.pp
@@ -5,10 +5,13 @@ class site_check_mk::agent::soledad {
}
# local nagios plugin checks via mrpe
- file_line {
- 'Soledad_Procs':
- line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a \'/usr/bin/python /usr/bin/twistd --pidfile=/var/run/soledad.pid --logfile=/var/log/soledad.log web --wsgi=leap.soledad.server.application\'',
- path => '/etc/check_mk/mrpe.cfg';
- }
+ augeas { 'Soledad_Procs':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Soledad_Procs',
+ 'set Soledad_Procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a "/usr/bin/python /usr/bin/twistd --uid=soledad --gid=soledad --pidfile=/var/run/soledad.pid --logfile=/var/log/soledad.log web --wsgi=leap.soledad.server.application --port=ssl:2323:privateKey=/etc/x509/keys/leap.key:certKey=/etc/x509/certs/leap.crt:sslmethod=SSLv23_METHOD"\'' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
+ }
}
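Review bot: The `Soledad_Procs` match string has to mirror the server's startup line, so it also documents that soledad is launched with `--port=ssl:2323:...:sslmethod=SSLv23_METHOD`; that method negotiates the highest version the library permits and does not by itself exclude SSLv3, so it is worth confirming in the soledad service definition (not in this diff) that a protocol floor is set explicitly. For maintainability, a comment above the resource such as `# must be kept identical to the soledad service start arguments` tells the next person where the string comes from.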
diff --git a/puppet/modules/site_check_mk/manifests/agent/stunnel.pp b/puppet/modules/site_check_mk/manifests/agent/stunnel.pp
index 64022824..7f765771 100644
--- a/puppet/modules/site_check_mk/manifests/agent/stunnel.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/stunnel.pp
@@ -1,7 +1,7 @@
class site_check_mk::agent::stunnel {
concat::fragment { 'syslog_stunnel':
- source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/stunnel.cfg',
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/stunnel.cfg',
target => '/etc/check_mk/logwatch.d/syslog.cfg',
order => '02';
}
diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
index ffd11100..4a5ec68e 100644
--- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
@@ -2,21 +2,24 @@ class site_check_mk::agent::tapicero {
include ::site_nagios::plugins
- concat::fragment { 'syslog_tapicero':
- source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/tapicero.cfg',
- target => '/etc/check_mk/logwatch.d/syslog.cfg',
- order => '02';
+ # watch logs
+ file { '/etc/check_mk/logwatch.d/tapicero.cfg':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg',
}
# local nagios plugin checks via mrpe
- file_line {
+ augeas {
'Tapicero_Procs':
- line => 'Tapicero_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero',
- path => '/etc/check_mk/mrpe.cfg';
-
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs',
+ 'set Tapicero_Procs "/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero"' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
'Tapicero_Heartbeat':
- line => 'Tapicero_Heartbeat /usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/syslog -r "tapicero" -w 300 -c 600',
- path => '/etc/check_mk/mrpe.cfg';
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => 'set Tapicero_Heartbeat \'/usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/leap/tapicero.log -r "tapicero" -w 300 -c 600\'',
+ require => File['/etc/check_mk/mrpe.cfg'];
}
-
}
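Review bot: `Tapicero_Heartbeat` uses a bare `set` while `Tapicero_Procs` and every other converted check first `rm`s the node; augeas tolerates both, but the asymmetry reads like an oversight — either drop the `rm` everywhere or add `'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Heartbeat',` here. The new `file { '/etc/check_mk/logwatch.d/tapicero.cfg': }` (and the identical `webapp.cfg` resource in the webapp hunk) carries no `require`, so it silently depends on the agent package having created `/etc/check_mk/logwatch.d` earlier in the run; `require => Package['check-mk-agent']` would make that explicit, assuming that is the package resource name used by this module.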
diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp
index 88c3da30..9bf3b197 100644
--- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp
@@ -7,11 +7,9 @@ class site_check_mk::agent::webapp {
ensure => absent
}
- # check syslog
- concat::fragment { 'syslog_webapp':
- source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/webapp.cfg',
- target => '/etc/check_mk/logwatch.d/syslog.cfg',
- order => '02';
+ # watch logs
+ file { '/etc/check_mk/logwatch.d/webapp.cfg':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/webapp.cfg',
}
}
diff --git a/puppet/modules/site_config/lib/facter/dhcp_enabled.rb b/puppet/modules/site_config/lib/facter/dhcp_enabled.rb
new file mode 100644
index 00000000..33220da3
--- /dev/null
+++ b/puppet/modules/site_config/lib/facter/dhcp_enabled.rb
@@ -0,0 +1,22 @@
+require 'facter'
+def dhcp_enabled?(ifs, recurse=true)
+ dhcp = false
+ included_ifs = []
+ if FileTest.exists?(ifs)
+ File.open(ifs) do |file|
+ dhcp = file.enum_for(:each_line).any? do |line|
+ if recurse && line =~ /^\s*source\s+([^\s]+)/
+ included_ifs += Dir.glob($1)
+ end
+ line =~ /inet\s+dhcp/
+ end
+ end
+ end
+ dhcp || included_ifs.any? { |ifs| dhcp_enabled?(ifs, false) }
+end
+Facter.add(:dhcp_enabled) do
+ confine :osfamily => 'Debian'
+ setcode do
+ dhcp_enabled?('/etc/network/interfaces')
+ end
+end
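Review bot: `line =~ /inet\s+dhcp/` also matches commented-out stanzas (`# iface eth0 inet dhcp`), so a host whose admin disabled DHCP by commenting the line is still reported as `dhcp_enabled` and `site_config::default` then applies the dhclient workaround to a static-address host; anchoring on the directive, `line =~ /^\s*iface\s+\S+\s+inet\s+dhcp\b/`, avoids that. `Dir.glob($1)` resolves a relative `source` pattern against the agent's working directory, whereas ifupdown resolves it relative to the including file, so `Dir.glob(File.expand_path($1, File.dirname(ifs)))` is more faithful. Smaller points: `FileTest.exists?` is deprecated in favour of `File.exist?`, the block parameter `|ifs|` shadows the method argument, and the `source-directory` directive is not handled (presumably acceptable for these hosts).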
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 790b5a16..e69e4b7b 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -1,6 +1,10 @@
class site_config::default {
tag 'leap_base'
+ # the logoutput exec parameter defaults to "on_error" in puppet 3,
+ # but to "false" in puppet 2.7, so we need to set this globally here
+ Exec<||> { logoutput => on_failure }
+
$services = hiera('services', [])
$domain_hash = hiera('domain')
include site_config::params
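Review bot: `Exec<||> { logoutput => on_failure }` is a resource collector, and a collector with an empty query realizes every virtual `exec` in the catalog as a side effect of applying the override; if any module declares `@exec` resources that are meant to stay virtual, they will now be applied. No virtual execs are visible in this chunk, so this is a caveat rather than a confirmed breakage, but a comment such as `# collector override (realizes virtual execs); a resource default would not reach classes declared outside this scope` records why the collector form was chosen over `Exec { logoutput => on_failure }`.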
@@ -25,10 +29,7 @@ class site_config::default {
# i.e. openstack/aws nodes, vagrant nodes
# fix dhclient from changing resolver information
- if $::ec2_instance_id {
- include site_config::dhclient
- }
- if $::virtual == 'virtualbox' {
+ if $::dhcp_enabled == 'true' {
include site_config::dhclient
}
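Review bot: `if $::dhcp_enabled == 'true'` compares against the string `'true'`, which only holds while facts are stringified; the fact's `setcode` returns a Ruby boolean, and with structured facts (`stringify_facts = false`) the comparison is always false, so the dhclient workaround silently stops being applied. stdlib is already in use in this class (`member`), so `if str2bool("${::dhcp_enabled}") {` handles both representations. This also drops the former `ec2_instance_id`/`virtualbox` heuristics entirely, so a VM whose `/etc/network/interfaces` is left empty by other provisioning tooling is no longer detected — hedged, as the fact reads only that file.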
@@ -38,22 +39,26 @@ class site_config::default {
# configure caching, local resolver
include site_config::caching_resolver
- # install/configure syslog
+ # install/configure syslog and core log rotations
include site_config::syslog
+ # provide a basic level of quality entropy
+ include haveged
+
# install/remove base packages
include site_config::packages::base
# include basic shorewall config
include site_shorewall::defaults
- Class['git'] -> Vcsrepo<||>
+ Package['git'] -> Vcsrepo<||>
# include basic shell config
include site_config::shell
# set up core leap files and directories
include site_config::files
+ include site_config::remove_files
if ! member($services, 'mx') {
include site_postfix::satellite
diff --git a/puppet/modules/site_config/manifests/dhclient.pp b/puppet/modules/site_config/manifests/dhclient.pp
index 7ac0caf3..dbe2ef1c 100644
--- a/puppet/modules/site_config/manifests/dhclient.pp
+++ b/puppet/modules/site_config/manifests/dhclient.pp
@@ -17,7 +17,9 @@ class site_config::dhclient {
exec { 'reload_dhclient':
refreshonly => true,
- command => '/usr/local/sbin/reload_dhclient';
+ command => '/usr/local/sbin/reload_dhclient',
+ before => Class['site_config::resolvconf'],
+ require => File['/usr/local/sbin/reload_dhclient'],
}
file { '/etc/dhcp/dhclient-enter-hooks.d/disable_resolvconf':
diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp
index ae47963c..f20d04a4 100644
--- a/puppet/modules/site_config/manifests/packages/base.pp
+++ b/puppet/modules/site_config/manifests/packages/base.pp
@@ -7,7 +7,7 @@ class site_config::packages::base {
}
# base set of packages that we want to remove everywhere
- package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', 'fontconfig-config',
+ package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp',
'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server',
'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind',
'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5',
diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp
new file mode 100644
index 00000000..3f46659c
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove_files.pp
@@ -0,0 +1,46 @@
+#
+# Sometimes when we upgrade the platform, we need to ensure that files that
+# the platform previously created will get removed.
+#
+# These file removals don't need to be kept forever: we only need to remove
+# files that are present in the prior platform release.
+#
+# We can assume that the every node is upgraded from the previous platform
+# release.
+#
+
+class site_config::remove_files {
+
+ #
+ # Platform 0.7 removals
+ #
+
+ tidy {
+ '/etc/rsyslog.d/99-tapicero.conf':;
+ '/etc/rsyslog.d/99-leap-mx.conf':;
+ '/etc/rsyslog.d/01-webapp.conf':;
+ '/etc/rsyslog.d/50-stunnel.conf':;
+ '/etc/logrotate.d/mx':;
+ '/etc/logrotate.d/stunnel':;
+ '/var/log/stunnel4/stunnel.log':;
+ 'leap_mx':
+ path => '/var/log/',
+ recurse => true,
+ matches => 'leap_mx*';
+ '/srv/leap/webapp/public/provider.json':;
+ '/srv/leap/couchdb/designs/tmp_users':
+ recurse => true,
+ rmdirs => true;
+ }
+
+ # leax-mx logged to /var/log/leap_mx.log in the past
+ # we need to use a dumb exec here because file_line doesn't
+ # allow removing lines that match a regex in the current version
+ # of stdlib, see https://tickets.puppetlabs.com/browse/MODULES-1903
+ exec { 'rm_old_leap_mx_log_destination':
+ command => "/bin/sed -i '/leap_mx.log/d' /etc/check_mk/logwatch.state",
+ onlyif => "/bin/grep -qe 'leap_mx.log' /etc/check_mk/logwatch.state"
+ }
+
+
+}
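Review bot: The `leap_mx` tidy walks all of `/var/log` with `recurse => true` and no `age`/`size` bound, so any file whose basename starts with `leap_mx` in any subdirectory is deleted on every run, not only the old top-level `/var/log/leap_mx*` logs the comment describes; `recurse => 1,` limits the walk to the directory itself. The `sed -i` exec rewrites `/etc/check_mk/logwatch.state` in place while the agent may be writing it; that race is probably acceptable for a one-off migration of a state cache, and a comment saying the file is safe to lose would make that explicit. Comment typos: `leax-mx` → `leap-mx` and `the every node` → `every node`.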
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
index 26c65f02..83b49c8e 100644
--- a/puppet/modules/site_config/manifests/syslog.pp
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -11,4 +11,29 @@ class site_config::syslog {
content => '$ModLoad mmanon
action(type="mmanon" ipv4.bits="32" mode="rewrite")'
}
+
+ augeas {
+ 'logrotate_leap_deploy':
+ context => '/files/etc/logrotate.d/leap_deploy/rule',
+ changes => [ 'set file /var/log/leap/deploy.log',
+ 'set rotate 5',
+ 'set size 1M',
+ 'set compress compress',
+ 'set missingok missingok',
+ 'set copytruncate copytruncate' ];
+
+ # NOTE:
+ # the puppet_command script requires the option delaycompress
+ # be set on the summary log file.
+
+ 'logrotate_leap_deploy_summary':
+ context => '/files/etc/logrotate.d/leap_deploy_summary/rule',
+ changes => [ 'set file /var/log/leap/deploy-summary.log',
+ 'set rotate 5',
+ 'set size 100k',
+ 'set delaycompress delaycompress',
+ 'set compress compress',
+ 'set missingok missingok',
+ 'set copytruncate copytruncate' ]
+ }
}
diff --git a/puppet/modules/site_couchdb/lib/puppet/parser/functions/rotated_db_name.rb b/puppet/modules/site_couchdb/lib/puppet/parser/functions/rotated_db_name.rb
new file mode 100644
index 00000000..6458ae81
--- /dev/null
+++ b/puppet/modules/site_couchdb/lib/puppet/parser/functions/rotated_db_name.rb
@@ -0,0 +1,24 @@
+module Puppet::Parser::Functions
+ newfunction(:rotated_db_name, :type => :rvalue, :doc => <<-EOS
+This function takes a database name string and returns a database name with the current rotation stamp appended.
+The first argument is the base name of the database. Subsequent arguments may contain these options:
+ * 'next' -- return the db name for the next rotation, not the current one.
+ * 'monthly' -- rotate monthly (default)
+ * 'weekly' -- rotate weekly
+*Examples:*
+ rotated_db_name('tokens') => 'tokens_551'
+ EOS
+ ) do |arguments|
+ if arguments.include?('weekly')
+ rotation_period = 604800 # 1 week
+ else
+ rotation_period = 2592000 # 1 month
+ end
+ suffix = Time.now.utc.to_i / rotation_period
+ if arguments.include?('next')
+ suffix += 1
+ end
+ "#{arguments.first}_#{suffix}"
+ end
+end
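Review bot: `arguments.first` is never validated, so `rotated_db_name()` with no arguments compiles to the database name `_<stamp>` instead of failing, and a misspelled option such as `'weekley'` is silently treated as monthly; a guard at the top of the block, `raise Puppet::ParseError, 'rotated_db_name(): requires a base name' if arguments.empty?`, plus an allow-list check of the remaining arguments, turns both into compile errors. The `:doc` text says "rotate monthly", but the stamp is `epoch / 2592000`, i.e. fixed 30-day windows that drift against calendar months; saying so in the doc avoids surprise when a rotation lands mid-month. Each call takes its own `Time.now` and the name is computed independently in `create_dbs` and `designs`, so a catalog compiled across a window boundary can create one database and upload the design to another — a tiny window, closed by computing the name once and sharing it.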
+
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp
index 16593ec7..82c85b52 100644
--- a/puppet/modules/site_couchdb/manifests/bigcouch.pp
+++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp
@@ -17,6 +17,7 @@ class site_couchdb::bigcouch {
# stunnel must running correctly before bigcouch dbs can be set up.
#
Class['site_config::default']
+ -> Class['site_config::resolvconf']
-> Class['couchdb::bigcouch::package::cloudant']
-> Service['shorewall']
-> Exec['refresh_stunnel']
diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp
index 4322f773..b743127a 100644
--- a/puppet/modules/site_couchdb/manifests/create_dbs.pp
+++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp
@@ -1,10 +1,9 @@
class site_couchdb::create_dbs {
Class['site_couchdb::setup']
+ -> Class['site_couchdb::bigcouch::settle_cluster']
-> Class['site_couchdb::create_dbs']
- # Couchdb databases
-
### customer database
### r/w: webapp,
couchdb::create_db { 'customers':
@@ -29,7 +28,14 @@ class site_couchdb::create_dbs {
## sessions database
## r/w: webapp
- couchdb::create_db { 'sessions':
+ $sessions_db = rotated_db_name('sessions', 'monthly')
+ couchdb::create_db { $sessions_db:
+ members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }",
+ require => Couchdb::Query::Setup['localhost']
+ }
+
+ $sessions_next_db = rotated_db_name('sessions', 'monthly', 'next')
+ couchdb::create_db { $sessions_next_db:
members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }",
require => Couchdb::Query::Setup['localhost']
}
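Review bot: The former un-suffixed `sessions` database (and `tokens` in the next hunk) is no longer declared, but nothing in this manifest removes it, and the `remove_expired_sessions` cron is set to absent in the webapp cron hunk; unless `rake db:rotate` also drops the legacy database, the sessions it holds persist indefinitely. No delete counterpart to `couchdb::create_db` is visible here, so a one-time removal step in `site_config::remove_files` or a comment stating that `db:rotate` handles it would close the gap. The `members` document is built by interpolating `$site_couchdb::couchdb_webapp_user` into a JSON literal, so a username containing `"` yields invalid JSON — unlikely, but worth a comment.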
@@ -51,7 +57,14 @@ class site_couchdb::create_dbs {
## tokens database
## r: soledad - needs to be restricted with a design document
## r/w: webapp
- couchdb::create_db { 'tokens':
+ $tokens_db = rotated_db_name('tokens', 'monthly')
+ couchdb::create_db { $tokens_db:
+ members => "{ \"names\": [], \"roles\": [\"replication\", \"tokens\"] }",
+ require => Couchdb::Query::Setup['localhost']
+ }
+
+ $tokens_next_db = rotated_db_name('tokens', 'monthly', 'next')
+ couchdb::create_db { $tokens_next_db:
members => "{ \"names\": [], \"roles\": [\"replication\", \"tokens\"] }",
require => Couchdb::Query::Setup['localhost']
}
@@ -63,6 +76,13 @@ class site_couchdb::create_dbs {
require => Couchdb::Query::Setup['localhost']
}
+ ## tmp_users database
+ ## r/w: webapp
+ couchdb::create_db { 'tmp_users':
+ members => "{ \"names\": [], \"roles\": [\"replication\", \"users\"] }",
+ require => Couchdb::Query::Setup['localhost']
+ }
+
## messages db
## store messages to the clients such as payment reminders
## r/w: webapp
diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp
index 9e88de64..1ab1c6a1 100644
--- a/puppet/modules/site_couchdb/manifests/designs.pp
+++ b/puppet/modules/site_couchdb/manifests/designs.pp
@@ -11,10 +11,35 @@ class site_couchdb::designs {
mode => '0755'
}
- exec { '/srv/leap/couchdb/scripts/load_design_documents.sh':
- require => Vcsrepo['/srv/leap/couchdb/scripts'],
- refreshonly => false
+ site_couchdb::upload_design {
+ 'customers': design => 'customers/Customer.json';
+ 'identities': design => 'identities/Identity.json';
+ 'tickets': design => 'tickets/Ticket.json';
+ 'messages': design => 'messages/Message.json';
+ 'users': design => 'users/User.json';
+ 'tmp_users': design => 'users/User.json';
+ 'shared_docs':
+ db => 'shared',
+ design => 'shared/docs.json';
+ 'shared_syncs':
+ db => 'shared',
+ design => 'shared/syncs.json';
+ 'shared_transactions':
+ db => 'shared',
+ design => 'shared/transactions.json';
}
-}
+ $sessions_db = rotated_db_name('sessions', 'monthly')
+ $sessions_next_db = rotated_db_name('sessions', 'monthly', 'next')
+ site_couchdb::upload_design {
+ $sessions_db: design => 'sessions/Session.json';
+ $sessions_next_db: design => 'sessions/Session.json';
+ }
+ $tokens_db = rotated_db_name('tokens', 'monthly')
+ $tokens_next_db = rotated_db_name('tokens', 'monthly', 'next')
+ site_couchdb::upload_design {
+ $tokens_db: design => 'tokens/Token.json';
+ $tokens_next_db: design => 'tokens/Token.json';
+ }
+}
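Review bot: `site_couchdb::upload_design` only requires `File['/srv/leap/couchdb/designs']` (see its definition in the next file), and nothing in this hunk orders the uploads after `site_couchdb::create_dbs`; unless a class-level chain elsewhere places the two, the first run can PUT a design document into a database that does not exist yet. `Class['site_couchdb::create_dbs'] -> Class['site_couchdb::designs']` at the top of the class makes the dependency local and visible. The rotated names are recomputed here via `rotated_db_name` rather than read from `create_dbs`; referencing `$site_couchdb::create_dbs::sessions_db` and the tokens equivalent guarantees the two classes agree.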
diff --git a/puppet/modules/site_couchdb/manifests/upload_design.pp b/puppet/modules/site_couchdb/manifests/upload_design.pp
new file mode 100644
index 00000000..7b0cabd7
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/upload_design.pp
@@ -0,0 +1,13 @@
+define site_couchdb::upload_design($db = $title, $design) {
+ $design_name = regsubst($design, '^.*\/(.*)\.json$', '\1')
+ $id = "_design/${design_name}"
+ $file = "/srv/leap/couchdb/designs/${design}"
+ exec {
+ "upload_design_${name}":
+ command => "/usr/local/bin/couch-doc-update --host 127.0.0.1:5984 --db '${db}' --id '${id}' --data '{}' --file '${file}'",
+ refreshonly => false,
+ loglevel => debug,
+ logoutput => on_failure,
+ require => File['/srv/leap/couchdb/designs'];
+ }
+}
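Review bot: The exec has no `unless`/`onlyif`/`creates`, so it runs and reports a change on every Puppet run, re-uploading each design document; `loglevel => debug` hides that from the report but does not make the resource idempotent, and a perpetually "changed" exec is also what masks a genuine upload failure. If `couch-doc-update` cannot tell whether the stored document already matches, an `unless` that fetches `_design/<name>` and compares it with the file would restore idempotence. The command interpolates `${db}`, `${id}` and `${file}` inside single quotes; the values come from manifests rather than external input, which is fine as long as it stays that way — a comment such as `# db/design come from manifests only; never pass user-supplied names here` records the assumption.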
diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
index e46ebf62..0d729b8c 100644
--- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
+++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
@@ -1273,4 +1273,15 @@ debug_file=/var/lib/nagios3/nagios.debug
max_debug_file_size=1000000
+process_performance_data=1
+service_perfdata_file=/var/lib/nagios3/service-perfdata
+service_perfdata_file_template=DATATYPE::SERVICEPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tSERVICEDESC::$SERVICEDESC$\tSERVICEPERFDATA::$SERVICEPERFDATA$\tSERVICECHECKCOMMAND::$SERVICECHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$\tSERVICESTATE::$SERVICESTATE$\tSERVICESTATETYPE::$SERVICESTATETYPE$
+service_perfdata_file_mode=a
+service_perfdata_file_processing_interval=15
+service_perfdata_file_processing_command=process-service-perfdata-file-pnp4nagios-bulk-npcd
+host_perfdata_file=/var/lib/nagios3/host-perfdata
+host_perfdata_file_template=DATATYPE::HOSTPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tHOSTPERFDATA::$HOSTPERFDATA$\tHOSTCHECKCOMMAND::$HOSTCHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$
+host_perfdata_file_mode=a
+host_perfdata_file_processing_interval=15
+host_perfdata_file_processing_command=process-host-perfdata-file-pnp4nagios-bulk-npcd
diff --git a/puppet/modules/site_nagios/files/plugins/check_last_regex_in_log b/puppet/modules/site_nagios/files/plugins/check_last_regex_in_log
index cf7c03e5..47569388 100755
--- a/puppet/modules/site_nagios/files/plugins/check_last_regex_in_log
+++ b/puppet/modules/site_nagios/files/plugins/check_last_regex_in_log
@@ -50,7 +50,7 @@ done
[ $warn -eq 0 -o $crit -eq 0 -o -z "$regex" -o -z "$log" ] && ( usage; exit $STATE_UNKNOWN)
[ -f "$log" ] || (echo "$log doesn't exist"; exit $STATE_UNKNOWN)
-lastmsg=$(tac $log | grep -i $regex | head -1 | cut -d' ' -f 1-3)
+lastmsg=$(tac $log | grep -i $regex | head -1 | sed 's/ / /g' | cut -d' ' -f 1-3)
if [ -z "$lastmsg" ]
then
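Review bot: The rewritten pipeline still expands `$log` and `$regex` unquoted, so a regex containing spaces or glob characters is word-split or globbed before `grep` sees it; `tac "$log" | grep -i -- "$regex"` fixes both. The inserted `sed 's/ / /g'` is rendered here with single spaces on both sides, so its intent (presumably collapsing the double space syslog prints before single-digit days) cannot be verified from the page; `tr -s ' '` states that intent unambiguously. The context line `[ -f "$log" ] || (echo "$log doesn't exist"; exit $STATE_UNKNOWN)` exits only the subshell, so on a missing file the script continues into the `tac` line — pre-existing, but `{ echo "$log doesn't exist"; exit $STATE_UNKNOWN; }` is a one-line fix worth taking while here.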
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index 092ca503..cb6c8d95 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -1,3 +1,4 @@
+# configures nagios on monitoring node
class site_nagios::server inherits nagios::base {
# First, purge old nagios config (see #1467)
@@ -13,7 +14,8 @@ class site_nagios::server inherits nagios::base {
include nagios::defaults::commands
include nagios::defaults::templates
include nagios::defaults::timeperiods
- include nagios::defaults::plugins
+ include nagios::pnp4nagios
+ include nagios::pnp4nagios::popup
class { 'nagios':
# don't manage apache class from nagios, cause we already include
@@ -41,10 +43,11 @@ class site_nagios::server inherits nagios::base {
# deploy serverside plugins
file { '/usr/lib/nagios/plugins/check_openvpn_server.pl':
- source => 'puppet:///modules/nagios/plugins/check_openvpn_server.pl',
- mode => '0755',
- owner => 'nagios',
- group => 'nagios',
+ source => 'puppet:///modules/nagios/plugins/check_openvpn_server.pl',
+ mode => '0755',
+ owner => 'nagios',
+ group => 'nagios',
+ require => Package['nagios-plugins'];
}
create_resources ( site_nagios::add_host_services, $nagios_hosts )
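Review bot: The plugin file now requires `Package['nagios-plugins']`, while the earlier hunk in this file drops `include nagios::defaults::plugins`; if that class was what declared the package resource, the reference now fails catalog compilation unless `nagios::pnp4nagios` or the `nagios` class declares it. Worth confirming against the nagios module (not in this diff); otherwise `include nagios::defaults::plugins` should stay alongside the pnp4nagios includes.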
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
index eaf90d55..c2deab0f 100644
--- a/puppet/modules/site_nickserver/manifests/init.pp
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -34,11 +34,12 @@ class site_nickserver {
# See site_webapp/templates/haproxy_couchdb.cfg.erg
$couchdb_port = '4096'
+ $sources = hiera('sources')
+
# temporarily for now:
$domain = hiera('domain')
$address_domain = $domain['full_suffix']
-
include site_config::x509::cert
include site_config::x509::key
include site_config::x509::ca
@@ -69,9 +70,9 @@ class site_nickserver {
vcsrepo { '/srv/leap/nickserver':
ensure => present,
- revision => 'origin/master',
- provider => git,
- source => 'https://leap.se/git/nickserver',
+ revision => $sources['nickserver']['revision'],
+ provider => $sources['nickserver']['type'],
+ source => $sources['nickserver']['source'],
owner => 'nickserver',
group => 'nickserver',
require => [ User['nickserver'], Group['nickserver'] ],
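Review bot: Taking `revision`, `provider` and `source` from hiera is an improvement over the former unpinned `origin/master`, but the checkout is only as safe as the data: a branch name in the hiera `revision` re-introduces an unpinned pull on every run, with the fetched code run as the nickserver service. A comment above the resource, `# revision should be a commit id or signed tag, not a branch, so deploys are reproducible`, records the expectation, and `validate_re($sources['nickserver']['revision'], '^[0-9a-f]{40}$')` (stdlib) enforces it at compile time where commit ids are the policy.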
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
index 56a8d9f6..d4e734c3 100644
--- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
+++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
@@ -8,17 +8,13 @@ Listen 0.0.0.0:<%= @nickserver_port -%>
ServerName <%= @nickserver_domain %>
ServerAlias <%= @address_domain %>
- SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- SSLHonorCipherOrder on
- SSLCompression off
- SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
-
SSLCACertificatePath /etc/ssl/certs
SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
+ Include include.d/ssl_common.inc
+
ProxyPass / http://localhost:<%= @nickserver_local_port %>/
ProxyPreserveHost On # preserve Host header in HTTP request
</VirtualHost>
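Review bot: The removed block contained `SSLEngine on` together with the protocol, cipher-suite, cipher-order and compression directives; `Include include.d/ssl_common.inc` is only equivalent if that file carries all five, and its contents are not in this chunk. Worth confirming `ssl_common.inc` sets `SSLEngine on` — without it the `Listen` port serves plaintext — and that the `ServerRoot`-relative `Include` path resolves on every Debian release in use. The same replacement appears in the `site_static` `apache.conf.erb` hunk below.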
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index d6f9150b..e2a3124e 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -228,6 +228,7 @@ class site_openvpn {
order => 10;
}
+ leap::logfile { 'openvpn': }
include site_check_mk::agent::openvpn
}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 466f6d00..221c79a7 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -57,6 +57,8 @@ define site_openvpn::server_config(
$management, $config, $tls_remote = undef) {
$openvpn_configname = $name
+ $shortname = regsubst(regsubst($name, '_config', ''), '_', '-')
+ $openvpn_status_filename = "/var/run/openvpn-status-${shortname}"
concat {
"/etc/openvpn/${openvpn_configname}.conf":
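Review bot: `regsubst($name, '_', '-')` without the `'G'` flag replaces only the first underscore, so a config name with more than one underscore left after stripping `_config` yields a status filename that still contains `_`; harmless for uniqueness, but it will not line up with anything else derived from the same name with global replacement. `$shortname = regsubst(regsubst($name, '_config', ''), '_', '-', 'G')` replaces all of them. A comment stating the purpose — each server instance gets its own status file instead of all writing `/var/run/openvpn-status`, which the second hunk implies was the problem — would help the next reader.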
@@ -187,7 +189,7 @@ define site_openvpn::server_config(
server => $openvpn_configname;
"status ${openvpn_configname}":
key => 'status',
- value => '/var/run/openvpn-status 10',
+ value => "${openvpn_status_filename} 10",
server => $openvpn_configname;
"status-version ${openvpn_configname}":
key => 'status-version',
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 81f10b77..49692d24 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -1,3 +1,6 @@
+#
+# configure mx node
+#
class site_postfix::mx {
$domain_hash = hiera('domain')
@@ -35,6 +38,12 @@ class site_postfix::mx {
# because the satellites need to have a different value
'smtp_tls_security_level':
value => 'may';
+ # reject inbound mail to system users
+ # see https://leap.se/code/issues/6829
+ # this blocks *only* mails to system users, that don't appear in the
+ # alias map
+ 'local_recipient_maps':
+ value => '$alias_maps';
}
include site_postfix::mx::smtpd_checks
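Review bot: With `local_recipient_maps = $alias_maps` Postfix rejects mail for every local account that is not a key in the alias map, and that includes `postmaster`, `abuse` and `root`; RFC 5321 requires `postmaster` to be deliverable, so the alias map must be checked to contain at least `postmaster` (and `abuse`/`hostmaster` for the domains this MX accepts). Extending the comment with `# requires postmaster/abuse entries in the alias map, otherwise they are rejected too` makes the invariant explicit, and a Puppet-managed alias for `postmaster` would enforce it rather than assume it.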
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
index 6941b1a3..b9177f25 100644
--- a/puppet/modules/site_static/manifests/domain.pp
+++ b/puppet/modules/site_static/manifests/domain.pp
@@ -12,9 +12,18 @@ define site_static::domain (
create_resources(site_static::location, $locations)
- x509::cert { $domain: content => $cert }
- x509::key { $domain: content => $key }
- x509::ca { "${domain}_ca": content => $ca_cert }
+ x509::cert { $domain:
+ content => $cert,
+ notify => Service[apache]
+ }
+ x509::key { $domain:
+ content => $key,
+ notify => Service[apache]
+ }
+ x509::ca { "${domain}_ca":
+ content => $ca_cert,
+ notify => Service[apache]
+ }
apache::vhost::file { $domain:
content => template('site_static/apache.conf.erb')
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index aed9775e..ce79c00f 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -44,7 +44,7 @@ class site_static {
if (member($formats, 'amber')) {
include site_config::ruby::dev
- rubygems::gem{'amber-0.3.0': }
+ rubygems::gem{'amber-0.3.4': }
}
create_resources(site_static::domain, $domains)
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index 9b516a10..4d61cc08 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -45,12 +45,8 @@
#RewriteLog "/var/log/apache2/rewrite.log"
#RewriteLogLevel 3
- SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- SSLHonorCipherOrder on
- SSLCompression off
- SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
-
+ Include include.d/ssl_common.inc
+
<%- if @tls_only -%>
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
<%- end -%>
diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp
index 3b10ecb8..c9e034f1 100644
--- a/puppet/modules/site_stunnel/manifests/client.pp
+++ b/puppet/modules/site_stunnel/manifests/client.pp
@@ -14,7 +14,9 @@ define site_stunnel::client (
$verify = '2',
$pid = $name,
$rndfile = '/var/lib/stunnel4/.rnd',
- $debuglevel = '4' ) {
+ $debuglevel = 'warning' ) {
+
+ $logfile = "/var/log/stunnel4/${name}.log"
include site_config::x509::cert
include site_config::x509::key
@@ -35,7 +37,20 @@ define site_stunnel::client (
pid => "/var/run/stunnel4/${pid}.pid",
rndfile => $rndfile,
debuglevel => $debuglevel,
- sslversion => 'TLSv1';
+ sslversion => 'TLSv1',
+ syslog => 'no',
+ output => $logfile;
+ }
+
+ # define the log files so that we can purge the
+ # files from /var/log/stunnel4 that are not defined.
+ file {
+ $logfile:;
+ "${logfile}.1.gz":;
+ "${logfile}.2.gz":;
+ "${logfile}.3.gz":;
+ "${logfile}.4.gz":;
+ "${logfile}.5.gz":;
}
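Review bot: `syslog => 'no'` sends each client's messages exclusively to `/var/log/stunnel4/<name>.log`, yet the `site_check_mk::agent::stunnel` hunk earlier in this diff still installs the stunnel logwatch fragment into `logwatch.d/syslog.cfg`, which scans the syslog; if that fragment keys on syslog, stunnel errors no longer reach check_mk. Either the fragment should point at the new per-client files or syslog should stay on (`syslog => 'yes'` alongside `output`). The placeholder `file { $logfile:; "${logfile}.1.gz":; ... }` resources carry no `ensure`, which is correct for "exempt from purge", but a comment such as `# no ensure on purpose: these exist only so the purge of /var/log/stunnel4 leaves them alone` prevents someone from "fixing" them.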
site_shorewall::stunnel::client { $name:
diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp
index 2e0cf5b8..d919a072 100644
--- a/puppet/modules/site_stunnel/manifests/init.pp
+++ b/puppet/modules/site_stunnel/manifests/init.pp
@@ -29,6 +29,20 @@ class site_stunnel {
$client_sections = keys($clients)
site_stunnel::clients { $client_sections: }
+ # remove any old stunnel logs that are not
+ # defined by this puppet run
+ file {'/var/log/stunnel4': purge => true;}
+
+ # the default is to keep 356 log files for each stunnel.
+ # here we set a more reasonable number.
+ augeas {
+ "logrotate_stunnel":
+ context => "/files/etc/logrotate.d/stunnel4/rule",
+ changes => [
+ 'set rotate 5',
+ ]
+ }
+
include site_stunnel::override_service
}
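Review bot: `file {'/var/log/stunnel4': purge => true;}` does nothing — `purge` only takes effect together with `recurse => true` (and `ensure => directory`), so the old logs the comment promises to remove stay in place. `file { '/var/log/stunnel4': ensure => directory, recurse => true, purge => true; }` is needed; with recursion on, any log not declared in `site_stunnel::client` (a client removed from hiera, or a rotation beyond the five declared `.gz` files) is then really deleted, which is the stated intent. The augeas title and `context` use double quotes without interpolation; single quotes match the rest of the file.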
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 21243d34..93e172a0 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -7,6 +7,9 @@ class site_webapp::apache {
$web_domain = hiera('domain')
$domain_name = $web_domain['name']
+ $webapp = hiera('webapp')
+ $webapp_domain = $webapp['domain']
+
include site_apache::common
include site_apache::module::headers
include site_apache::module::alias
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 3ae4d266..1dbc745d 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -6,6 +6,8 @@ class site_webapp::couchdb {
$couchdb_port = '4096'
$couchdb_webapp_user = $webapp['couchdb_webapp_user']['username']
$couchdb_webapp_password = $webapp['couchdb_webapp_user']['password']
+ $couchdb_admin_user = $webapp['couchdb_admin_user']['username']
+ $couchdb_admin_password = $webapp['couchdb_admin_user']['password']
include x509::variables
@@ -17,6 +19,13 @@ class site_webapp::couchdb {
mode => '0600',
require => Vcsrepo['/srv/leap/webapp'];
+ '/srv/leap/webapp/config/couchdb.admin.yml':
+ content => template('site_webapp/couchdb.admin.yml.erb'),
+ owner => leap-webapp,
+ group => leap-webapp,
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'];
+
'/srv/leap/webapp/log':
ensure => directory,
owner => leap-webapp,
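Review bot: `couchdb.admin.yml` gives the webapp process the CouchDB admin credentials in addition to its own restricted `couchdb_webapp_user` (read a few lines above), so a compromise of the Rails application now yields full CouchDB admin rather than one limited account; `mode => '0600'` keeps the file from other local users but not from the application itself. If the admin account is only needed by the new rotate/deletetmp rake tasks rather than the request path, consider owning the file by root with a group readable only by the cron identity, or at minimum record the justification next to the resource: `# admin credentials are required by db:rotate / db:deletetmp (site_webapp::cron); the request path uses couchdb.yml`. Nothing visible in this hunk shows which component actually consumes the file, so treat the scoping suggestion as something to confirm against the webapp code.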
diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp
index 811ad11d..d26ee312 100644
--- a/puppet/modules/site_webapp/manifests/cron.pp
+++ b/puppet/modules/site_webapp/manifests/cron.pp
@@ -2,11 +2,26 @@ class site_webapp::cron {
# cron tasks that need to be performed to cleanup the database
cron {
+ 'rotate_databases':
+ command => 'cd /srv/leap/webapp && bundle exec rake db:rotate',
+ environment => 'RAILS_ENV=production',
+ hour => [0,6,12,18],
+ minute => 0;
+
+ 'delete_tmp_databases':
+ command => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp',
+ environment => 'RAILS_ENV=production',
+ hour => 1,
+ minute => 1;
+
+ # there is no longer a need to remove expired sessions, since the database
+ # will get destroyed.
'remove_expired_sessions':
command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions',
environment => 'RAILS_ENV=production',
hour => 2,
- minute => 30;
+ minute => 30,
+ ensure => absent;
'remove_expired_tokens':
command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens',
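Review bot: The two new cron entries, `rotate_databases` and `delete_tmp_databases`, set no `user`, so unless a `Cron` resource default is declared elsewhere they run as root while executing `bundle exec rake` from `/srv/leap/webapp`, a checkout owned by `leap-webapp`; anyone who can write to that tree (for example through a compromised webapp) can then get code executed as root at the next tick. Adding `user => 'leap-webapp',` to each new entry removes that escalation path and still lets the tasks read the webapp's own config files. The comment above `remove_expired_sessions` explains why that job is being retired, but the two new jobs carry no comment; a one-liner such as `# rotate the per-period session/token databases; the old ones are dropped by delete_tmp_databases` would make the schedule self-explanatory. The `cron { ... }` resource block continues past the end of this hunk.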
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 9f97d2c5..ec94c090 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -11,13 +11,13 @@ class site_webapp {
$api_version = $webapp['api_version']
$secret_token = $webapp['secret_token']
$tor = hiera('tor', false)
+ $sources = hiera('sources')
Class['site_config::default'] -> Class['site_webapp']
include site_config::ruby::dev
include site_webapp::apache
include site_webapp::couchdb
- include site_webapp::logging
include site_haproxy
include site_webapp::cron
include site_config::x509::cert
@@ -43,9 +43,9 @@ class site_webapp {
vcsrepo { '/srv/leap/webapp':
ensure => present,
force => true,
- revision => $webapp['git']['revision'],
- provider => git,
- source => $webapp['git']['source'],
+ revision => $sources['webapp']['revision'],
+ provider => $sources['webapp']['type'],
+ source => $sources['webapp']['source'],
owner => 'leap-webapp',
group => 'leap-webapp',
require => [ User['leap-webapp'], Group['leap-webapp'] ],
@@ -92,10 +92,6 @@ class site_webapp {
require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0644';
- # old provider.json location. this can be removed after everyone upgrades.
- '/srv/leap/webapp/public/provider.json':
- ensure => absent;
-
'/srv/leap/webapp/public/ca.crt':
ensure => link,
require => Vcsrepo['/srv/leap/webapp'],
@@ -172,6 +168,8 @@ class site_webapp {
ensure => latest,
}
+ leap::logfile { 'webapp': }
+
include site_shorewall::webapp
include site_check_mk::agent::webapp
}
diff --git a/puppet/modules/site_webapp/manifests/logging.pp b/puppet/modules/site_webapp/manifests/logging.pp
deleted file mode 100644
index b414b82c..00000000
--- a/puppet/modules/site_webapp/manifests/logging.pp
+++ /dev/null
@@ -1,16 +0,0 @@
-class site_webapp::logging {
-
- rsyslog::snippet { '01-webapp':
- content => 'if $programname == "webapp" then /var/log/leap/webapp.log
-&~'
- }
-
- augeas {
- 'logrotate_webapp':
- context => '/files/etc/logrotate.d/webapp/rule',
- changes => [ 'set file /var/log/leap/webapp.log', 'set rotate 7',
- 'set schedule daily', 'set compress compress',
- 'set missingok missingok', 'set ifempty notifempty',
- 'set copytruncate copytruncate' ]
- }
-}
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 0c75f3ca..ccde2d2e 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -7,7 +7,7 @@ production:
client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key
client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt
secret_token: "<%= @secret_token %>"
- client_cert_lifespan: <%= cert_options['life_span'].to_i %>
+ client_cert_lifespan: <%= cert_options['life_span'] %>
client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
client_cert_hash: <%= cert_options['digest'] %>
allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %>
@@ -17,7 +17,7 @@ production:
unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
minimum_client_version: "<%= @webapp['client_version']['min'] %>"
default_service_level: "<%= @webapp['default_service_level'] %>"
- service_levels: <%= @webapp['service_levels'].to_json %>
+ service_levels: <%= scope.function_sorted_json([@webapp['service_levels']]) %>
allow_registration: <%= @webapp['allow_registration'].inspect %>
handle_blacklist: <%= @webapp['forbidden_usernames'].inspect %>
<%- if @webapp['engines'] && @webapp['engines'].any? -%>
diff --git a/puppet/modules/site_webapp/templates/couchdb.admin.yml.erb b/puppet/modules/site_webapp/templates/couchdb.admin.yml.erb
new file mode 100644
index 00000000..a0921add
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/couchdb.admin.yml.erb
@@ -0,0 +1,9 @@
+production:
+ prefix: ""
+ protocol: 'http'
+ host: <%= @couchdb_host %>
+ port: <%= @couchdb_port %>
+ auto_update_design_doc: false
+ username: <%= @couchdb_admin_user %>
+ password: <%= @couchdb_admin_password %>
+
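Review bot: `username:` and `password:` are interpolated into the YAML unquoted, so a credential containing `#`, a `: ` sequence, a leading `*`, `&`, `@` or quote character is either mis-parsed or silently truncated by the YAML loader, and the application would authenticate with something other than the configured secret. The sibling template `config.yml.erb` already quotes such values with `.inspect`/`to_json`; do the same here, `username: <%= @couchdb_admin_user.to_json %>` and `password: <%= @couchdb_admin_password.to_json %>`. `protocol: 'http'` sends the admin credentials in cleartext to `<%= @couchdb_host %>:<%= @couchdb_port %>`; if, as the port suggests, that is a local stunnel or haproxy endpoint this is fine, but a comment saying so (`# plain http: host/port are the local stunnel endpoint, not the remote couchdb`) would keep someone from pointing it at a remote host later.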
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index 394e6032..b71fab69 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -12,6 +12,8 @@ class soledad::server {
$soledad_port = $soledad['port']
+ $sources = hiera('sources')
+
include site_config::x509::cert
include site_config::x509::key
include site_config::x509::ca
@@ -29,8 +31,8 @@ class soledad::server {
require => Class['soledad'];
}
- package { 'soledad-server':
- ensure => latest,
+ package { $sources['soledad']['package']:
+ ensure => $sources['soledad']['revision'],
require => [
Class['site_apt::preferences::twisted'],
Class['site_apt::leap_repo'] ];
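Review bot: The package `ensure` now takes `$sources['soledad']['revision']` verbatim, but for a `package` resource that value must be an apt version string or one of `present`/`latest`/`absent`, whereas the other entries in the same `sources` hash (webapp, tapicero) are git refs consumed by `vcsrepo`; a reader of the hiera data is likely to assume the same format. Document the difference where the value is read, e.g. `# sources.soledad.revision is an apt version (or 'latest'), not a git ref like the vcsrepo entries`, and note that `latest` reintroduces the unpinned behaviour the old `ensure => latest` had. Whether the hiera data validates this field is not visible in the diff.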
diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib
-Subproject 71cb0f4c2c3bf95f62c9f189f5cef155b09a968
+Subproject 71123634744b9fe2ec7d6a3e38e9789fd84801e
diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp
index 28711b94..ca8488c8 100644
--- a/puppet/modules/tapicero/manifests/init.pp
+++ b/puppet/modules/tapicero/manifests/init.pp
@@ -15,6 +15,8 @@ class tapicero {
$couchdb_mode = $couchdb['mode']
$couchdb_replication = $couchdb['replication']
+ $sources = hiera('sources')
+
Class['site_config::default'] -> Class['tapicero']
include site_config::ruby::dev
@@ -42,9 +44,9 @@ class tapicero {
file {
- ##
- ## TAPICERO DIRECTORIES
- ##
+ #
+ # TAPICERO DIRECTORIES
+ #
'/srv/leap/tapicero':
ensure => directory,
@@ -65,9 +67,9 @@ class tapicero {
group => 'tapicero',
require => User['tapicero'];
- ##
- ## TAPICERO CONFIG
- ##
+ #
+ # TAPICERO CONFIG
+ #
'/etc/leap/tapicero.yaml':
content => template('tapicero/tapicero.yaml.erb'),
@@ -76,9 +78,9 @@ class tapicero {
mode => '0600',
notify => Service['tapicero'];
- ##
- ## TAPICERO INIT
- ##
+ #
+ # TAPICERO INIT
+ #
'/etc/init.d/tapicero':
source => 'puppet:///modules/tapicero/tapicero.init',
@@ -95,9 +97,9 @@ class tapicero {
vcsrepo { '/srv/leap/tapicero':
ensure => present,
force => true,
- revision => 'origin/version/0.6',
- provider => git,
- source => 'https://leap.se/git/tapicero',
+ revision => $sources['tapicero']['revision'],
+ provider => $sources['tapicero']['type'],
+ source => $sources['tapicero']['source'],
owner => 'tapicero',
group => 'tapicero',
require => [ User['tapicero'], Group['tapicero'] ],
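Review bot: `revision => $sources['tapicero']['revision']` is used without any comment on what form it should take, and the line it replaces was `origin/version/0.6`, a moving branch; if the hiera value is again a branch name, every Puppet run with `force => true` can pull new unreviewed code into `/srv/leap/tapicero`, and nothing here verifies a signature or checksum on what is fetched. Recommend documenting that the value is expected to be a tag or commit id, `# revision should be a signed tag or full commit id, not a branch, so deploys are reproducible`, and making the same expectation explicit for the webapp entry. The `vcsrepo` resource continues past this hunk.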
@@ -131,4 +133,5 @@ class tapicero {
Couchdb::Add_user[$::site_couchdb::couchdb_tapicero_user] ];
}
+ leap::logfile { 'tapicero': }
}
diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb
index 510450ad..8b08b49c 100644
--- a/puppet/modules/tapicero/templates/tapicero.yaml.erb
+++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb
@@ -13,13 +13,15 @@ connection:
password: <%= @couchdb_admin_password %>
prefix : ""
suffix : ""
+ netrc: "/etc/couchdb/couchdb.netrc"
# file to store the last processed user record in so we can resume after
# a restart:
-seq_file: "/var/lib/leap/tapicero/tapicero.seq"
+seq_dir: "/var/lib/leap/tapicero/"
# Configure log_file like this if you want to log to a file instead of syslog:
-# log_file: "/var/leap/log/tapicero.log"
+#log_file: "/var/log/leap/tapicero.log"
+#log_level: debug
log_level: info
# tapicero specific options
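Review bot: The new `netrc: "/etc/couchdb/couchdb.netrc"` means the CouchDB admin secret is now held in two places, inline as `password:` just above and in the netrc file, and nothing in this diff manages the mode or group of `/etc/couchdb/couchdb.netrc`, so it is either unreadable by the `tapicero` user the service runs as (the checkout is owned by `tapicero`) or readable more widely than intended; confirm which and manage it explicitly. Which of the two credentials wins when both are present is not stated; a comment such as `# netrc takes precedence over password: when the file is readable -- confirm against tapicero's couchrest setup` would stop guessing. The `seq_file` to `seq_dir` rename is a config-format change that older tapicero versions will not understand, which is worth calling out in the comment alongside it.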