Merge remote-tracking branch 'origin/develop' into HEAD

author: kwadronaut <kwadronaut@leap.se> 2015-11-12 10:00:27 +0100
committer: kwadronaut <kwadronaut@leap.se> 2015-11-12 10:00:27 +0100
commit: 92cc2b1118e98a4fb086d7c62a140dbfc845f4b0 (patch)
tree: 92896619c0cf4ace177cecfbdea6cbbbb9bc8419 /puppet
parent: 81467100826ad95266a4c29b11a2ecef759dd782 (diff)
parent: 7d0b6b25e49a1ccb70c4f502f7dfc58878b900cc (diff)
86 files changed, 1617 insertions, 526 deletions
diff --git a/puppet/lib/puppet/parser/functions/sorted_yaml.rb b/puppet/lib/puppet/parser/functions/sorted_yaml.rb
new file mode 100644
index 00000000..fa0db4d2
--- /dev/null
+++ b/puppet/lib/puppet/parser/functions/sorted_yaml.rb
@@ -0,0 +1,388 @@
+# encoding: UTF-8
+#
+# provides sorted_yaml() function, using Ya2YAML.
+# see https://github.com/afunai/ya2yaml
+#
+
+class Ya2YAML
+  #
+  # Author::    Akira FUNAI
+  # Copyright:: Copyright (c) 2006-2010 Akira FUNAI
+  # License::   MIT License
+  #
+
+  def initialize(opts = {})
+    options = opts.dup
+    options[:indent_size] = 2          if options[:indent_size].to_i <= 0
+    options[:minimum_block_length] = 0 if options[:minimum_block_length].to_i <= 0
+    options.update(
+      {
+        :printable_with_syck  => true,
+        :escape_b_specific    => true,
+        :escape_as_utf8       => true,
+      }
+    ) if options[:syck_compatible]
+
+    @options = options
+  end
+
+  def _ya2yaml(obj)
+    #raise 'set $KCODE to "UTF8".' if (RUBY_VERSION < '1.9.0') && ($KCODE != 'UTF8')
+    if (RUBY_VERSION < '1.9.0')
+      $KCODE = 'UTF8'
+    end
+    '--- ' + emit(obj, 1) + "\n"
+  rescue SystemStackError
+    raise ArgumentError, "ya2yaml can't handle circular references"
+  end
+
+  private
+
+  def emit(obj, level)
+    case obj
+      when Array
+        if (obj.length == 0)
+          '[]'
+        else
+          indent = "\n" + s_indent(level - 1)
+          ###
+          ### NOTE: a minor modification to normal Ya2YAML...
+          ### We want arrays to be output in sorted order, not just
+          ### Hashes.
+          ###
+          #obj.collect {|o|
+          #  indent + '- ' + emit(o, level + 1)
+          #}.join('')
+          obj.sort {|a,b| a.to_s <=> b.to_s}.collect {|o|
+            indent + '- ' + emit(o, level + 1)
+          }.join('')
+        end
+      when Hash
+        if (obj.length == 0)
+          '{}'
+        else
+          indent = "\n" + s_indent(level - 1)
+          hash_order = @options[:hash_order]
+          if (hash_order && level == 1)
+            hash_keys = obj.keys.sort {|x, y|
+              x_order = hash_order.index(x) ? hash_order.index(x) : Float::MAX
+              y_order = hash_order.index(y) ? hash_order.index(y) : Float::MAX
+              o = (x_order <=> y_order)
+              (o != 0) ? o : (x.to_s <=> y.to_s)
+            }
+          elsif @options[:preserve_order]
+            hash_keys = obj.keys
+          else
+            hash_keys = obj.keys.sort {|x, y| x.to_s <=> y.to_s }
+          end
+          hash_keys.collect {|k|
+            key = emit(k, level + 1)
+            if (
+              is_one_plain_line?(key) ||
+              key =~ /\A(#{REX_BOOL}|#{REX_FLOAT}|#{REX_INT}|#{REX_NULL})\z/x
+            )
+              indent + key + ': ' + emit(obj[k], level + 1)
+            else
+              indent + '? ' + key +
+              indent + ': ' + emit(obj[k], level + 1)
+            end
+          }.join('')
+        end
+      when NilClass
+        '~'
+      when String
+        emit_string(obj, level)
+      when TrueClass, FalseClass
+        obj.to_s
+      when Fixnum, Bignum, Float
+        obj.to_s
+      when Date
+        obj.to_s
+      when Time
+        offset = obj.gmtoff
+        off_hm = sprintf(
+          '%+.2d:%.2d',
+          (offset / 3600.0).to_i,
+          (offset % 3600.0) / 60
+        )
+        u_sec = (obj.usec != 0) ? sprintf(".%.6d", obj.usec) : ''
+        obj.strftime("%Y-%m-%d %H:%M:%S#{u_sec} #{off_hm}")
+      when Symbol
+        '!ruby/symbol ' + emit_string(obj.to_s, level)
+      when Range
+        '!ruby/range ' + obj.to_s
+      when Regexp
+        '!ruby/regexp ' + obj.inspect
+      else
+        case
+          when obj.is_a?(Struct)
+            struct_members = {}
+            obj.each_pair{|k, v| struct_members[k.to_s] = v }
+            '!ruby/struct:' + obj.class.to_s.sub(/^(Struct::(.+)|.*)$/, '\2') + ' ' +
+            emit(struct_members, level + 1)
+          else
+            # serialized as a generic object
+            object_members = {}
+            obj.instance_variables.each{|k, v|
+              object_members[k.to_s.sub(/^@/, '')] = obj.instance_variable_get(k)
+            }
+            '!ruby/object:' + obj.class.to_s + ' ' +
+            emit(object_members, level + 1)
+        end
+    end
+  end
+
+  def emit_string(str, level)
+    (is_string, is_printable, is_one_line, is_one_plain_line) = string_type(str)
+    if is_string
+      if is_printable
+        if is_one_plain_line
+          emit_simple_string(str, level)
+        else
+          (is_one_line || str.length < @options[:minimum_block_length]) ?
+            emit_quoted_string(str, level) :
+            emit_block_string(str, level)
+        end
+      else
+        emit_quoted_string(str, level)
+      end
+    else
+      emit_base64_binary(str, level)
+    end
+  end
+
+  def emit_simple_string(str, level)
+    str
+  end
+
+  def emit_block_string(str, level)
+    str = normalize_line_break(str)
+
+    indent = s_indent(level)
+    indentation_indicator = (str =~ /\A /) ? indent.size.to_s : ''
+    str =~ /(#{REX_NORMAL_LB}*)\z/
+    chomping_indicator = case $1.length
+      when 0
+        '-'
+      when 1
+        ''
+      else
+        '+'
+    end
+
+    str.chomp!
+    str.gsub!(/#{REX_NORMAL_LB}/) {
+      $1 + indent
+    }
+    '|' + indentation_indicator + chomping_indicator + "\n" + indent + str
+  end
+
+  def emit_quoted_string(str, level)
+    str = yaml_escape(normalize_line_break(str))
+    if (str.length < @options[:minimum_block_length])
+      str.gsub!(/#{REX_NORMAL_LB}/) { ESCAPE_SEQ_LB[$1] }
+    else
+      str.gsub!(/#{REX_NORMAL_LB}$/) { ESCAPE_SEQ_LB[$1] }
+      str.gsub!(/(#{REX_NORMAL_LB}+)(.)/) {
+        trail_c = $3
+        $1 + trail_c.sub(/([\t ])/) { ESCAPE_SEQ_WS[$1] }
+      }
+      indent = s_indent(level)
+      str.gsub!(/#{REX_NORMAL_LB}/) {
+        ESCAPE_SEQ_LB[$1] + "\\\n" + indent
+      }
+    end
+    '"' + str + '"'
+  end
+
+  def emit_base64_binary(str, level)
+    indent = "\n" + s_indent(level)
+    base64 = [str].pack('m')
+    '!binary |' + indent + base64.gsub(/\n(?!\z)/, indent)
+  end
+
+  def string_type(str)
+    if str.respond_to?(:encoding) && (!str.valid_encoding? || str.encoding == Encoding::ASCII_8BIT)
+      return false, false, false, false
+    end
+    (ucs_codes = str.unpack('U*')) rescue (
+      # ArgumentError -> binary data
+      return false, false, false, false
+    )
+    if (
+      @options[:printable_with_syck] &&
+      str =~ /\A#{REX_ANY_LB}* | #{REX_ANY_LB}*\z|#{REX_ANY_LB}{2}\z/
+    )
+      # detour Syck bug
+      return true, false, nil, false
+    end
+    ucs_codes.each {|ucs_code|
+      return true, false, nil, false unless is_printable?(ucs_code)
+    }
+    return true, true, is_one_line?(str), is_one_plain_line?(str)
+  end
+
+  def is_printable?(ucs_code)
+    # YAML 1.1 / 4.1.1.
+    (
+      [0x09, 0x0a, 0x0d, 0x85].include?(ucs_code)   ||
+      (ucs_code <=     0x7e && ucs_code >=    0x20) ||
+      (ucs_code <=   0xd7ff && ucs_code >=    0xa0) ||
+      (ucs_code <=   0xfffd && ucs_code >=  0xe000) ||
+      (ucs_code <= 0x10ffff && ucs_code >= 0x10000)
+    ) &&
+    !(
+      # treat LS/PS as non-printable characters
+      @options[:escape_b_specific] &&
+      (ucs_code == 0x2028 || ucs_code == 0x2029)
+    )
+  end
+
+  def is_one_line?(str)
+    str !~ /#{REX_ANY_LB}(?!\z)/
+  end
+
+  def is_one_plain_line?(str)
+    # YAML 1.1 / 4.6.11.
+    str !~ /^([\-\?:,\[\]\{\}\#&\*!\|>'"%@`\s]|---|\.\.\.)/    &&
+    str !~ /[:\#\s\[\]\{\},]/                                  &&
+    str !~ /#{REX_ANY_LB}/                                     &&
+    str !~ /^(#{REX_BOOL}|#{REX_FLOAT}|#{REX_INT}|#{REX_MERGE}
+      |#{REX_NULL}|#{REX_TIMESTAMP}|#{REX_VALUE})$/x
+  end
+
+  def s_indent(level)
+    # YAML 1.1 / 4.2.2.
+    ' ' * (level * @options[:indent_size])
+  end
+
+  def normalize_line_break(str)
+    # YAML 1.1 / 4.1.4.
+    str.gsub(/(#{REX_CRLF}|#{REX_CR}|#{REX_NEL})/, "\n")
+  end
+
+  def yaml_escape(str)
+    # YAML 1.1 / 4.1.6.
+    str.gsub(/[^a-zA-Z0-9]/u) {|c|
+      ucs_code, = (c.unpack('U') rescue [??])
+      case
+        when ESCAPE_SEQ[c]
+          ESCAPE_SEQ[c]
+        when is_printable?(ucs_code)
+          c
+        when @options[:escape_as_utf8]
+          c.respond_to?(:bytes) ?
+            c.bytes.collect {|b| '\\x%.2x' % b }.join :
+            '\\x' + c.unpack('H2' * c.size).join('\\x')
+        when ucs_code == 0x2028 || ucs_code == 0x2029
+          ESCAPE_SEQ_LB[c]
+        when ucs_code <= 0x7f
+          sprintf('\\x%.2x', ucs_code)
+        when ucs_code <= 0xffff
+          sprintf('\\u%.4x', ucs_code)
+        else
+          sprintf('\\U%.8x', ucs_code)
+      end
+    }
+  end
+
+  module Constants
+    UCS_0X85   = [0x85].pack('U')   #   c285@UTF8 Unicode next line
+    UCS_0XA0   = [0xa0].pack('U')   #   c2a0@UTF8 Unicode non-breaking space
+    UCS_0X2028 = [0x2028].pack('U') # e280a8@UTF8 Unicode line separator
+    UCS_0X2029 = [0x2029].pack('U') # e280a9@UTF8 Unicode paragraph separator
+
+    # non-break characters
+    ESCAPE_SEQ = {
+      "\x00" => '\\0',
+      "\x07" => '\\a',
+      "\x08" => '\\b',
+      "\x0b" => '\\v',
+      "\x0c" => '\\f',
+      "\x1b" => '\\e',
+      "\""   => '\\"',
+      "\\"   => '\\\\',
+    }
+
+    # non-breaking space
+    ESCAPE_SEQ_NS = {
+      UCS_0XA0 => '\\_',
+    }
+
+    # white spaces
+    ESCAPE_SEQ_WS = {
+      "\x09" => '\\t',
+      " "    => '\\x20',
+    }
+
+    # line breaks
+    ESCAPE_SEQ_LB ={
+      "\x0a"     => '\\n',
+      "\x0d"     => '\\r',
+      UCS_0X85   => '\\N',
+      UCS_0X2028 => '\\L',
+      UCS_0X2029 => '\\P',
+    }
+
+    # regexps for line breaks
+    REX_LF   = Regexp.escape("\x0a")
+    REX_CR   = Regexp.escape("\x0d")
+    REX_CRLF = Regexp.escape("\x0d\x0a")
+    REX_NEL  = Regexp.escape(UCS_0X85)
+    REX_LS   = Regexp.escape(UCS_0X2028)
+    REX_PS   = Regexp.escape(UCS_0X2029)
+
+    REX_ANY_LB    = /(#{REX_LF}|#{REX_CR}|#{REX_NEL}|#{REX_LS}|#{REX_PS})/
+    REX_NORMAL_LB = /(#{REX_LF}|#{REX_LS}|#{REX_PS})/
+
+    # regexps for language-Independent types for YAML1.1
+    REX_BOOL = /
+       y|Y|yes|Yes|YES|n|N|no|No|NO
+      |true|True|TRUE|false|False|FALSE
+      |on|On|ON|off|Off|OFF
+    /x
+    REX_FLOAT = /
+       [-+]?([0-9][0-9_]*)?\.[0-9.]*([eE][-+][0-9]+)? # (base 10)
+      |[-+]?[0-9][0-9_]*(:[0-5]?[0-9])+\.[0-9_]*      # (base 60)
+      |[-+]?\.(inf|Inf|INF)                           # (infinity)
+      |\.(nan|NaN|NAN)                                # (not a number)
+    /x
+    REX_INT = /
+       [-+]?0b[0-1_]+                   # (base 2)
+      |[-+]?0[0-7_]+                    # (base 8)
+      |[-+]?(0|[1-9][0-9_]*)            # (base 10)
+      |[-+]?0x[0-9a-fA-F_]+             # (base 16)
+      |[-+]?[1-9][0-9_]*(:[0-5]?[0-9])+ # (base 60)
+    /x
+    REX_MERGE = /
+      <<
+    /x
+    REX_NULL = /
+       ~              # (canonical)
+      |null|Null|NULL # (English)
+      |               # (Empty)
+    /x
+    REX_TIMESTAMP = /
+       [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] # (ymd)
+      |[0-9][0-9][0-9][0-9]                       # (year)
+       -[0-9][0-9]?                               # (month)
+       -[0-9][0-9]?                               # (day)
+       ([Tt]|[ \t]+)[0-9][0-9]?                   # (hour)
+       :[0-9][0-9]                                # (minute)
+       :[0-9][0-9]                                # (second)
+       (\.[0-9]*)?                                # (fraction)
+       (([ \t]*)Z|[-+][0-9][0-9]?(:[0-9][0-9])?)? # (time zone)
+    /x
+    REX_VALUE = /
+      =
+    /x
+  end
+
+  include Constants
+end
+
+module Puppet::Parser::Functions
+  newfunction(:sorted_yaml, :type => :rvalue, :doc => "This function outputs yaml, but ensures the keys are sorted.") do |argument|
+    return Ya2YAML.new()._ya2yaml(argument)
+  end
+end
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 912234ac..91dd2d3c 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -20,7 +20,6 @@ if member($services, 'openvpn') {
 
 if member($services, 'couchdb') {
   include site_couchdb
-  include tapicero
 }
 
 if member($services, 'webapp') {
diff --git a/puppet/modules/apt b/puppet/modules/apt
-Subproject fca103484ddc1f647a54135b6a902edabf45955
+Subproject ab90d1d0fe9655d367c637e95dff59e4dbe2dd3
diff --git a/puppet/modules/clamav/files/01-leap.conf b/puppet/modules/clamav/files/01-leap.conf
new file mode 100644
index 00000000..abeeb302
--- /dev/null
+++ b/puppet/modules/clamav/files/01-leap.conf
@@ -0,0 +1,58 @@
+# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and
+# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module
+# are installed on the system, and you want to report whether clamd
+# is running or not, uncomment the "clamd_socket" variable below (you
+# will be warned if neither socat nor IO::Socket::UNIX are found, but
+# the script will still run).  You will also need to set the correct
+# path to your clamd socket file (if unsure of the path, check the
+# "LocalSocket" setting in your clamd.conf file for socket location).
+clamd_socket="/run/clamav/clamd.ctl"
+
+# If you would like to attempt to restart ClamD if detected not running,
+# uncomment the next 2 lines.  Confirm the path to the "clamd_lock" file
+# (usually can be found in the clamd init script) and also enter the clamd
+# start command for your particular distro for the "start_clamd" variable
+# (the sample start command shown below should work for most linux distros).
+# NOTE: these 2 variables are dependant on the "clamd_socket" variable
+# shown above - if not enabled, then the following 2 variables will be
+# ignored, whether enabled or not.
+clamd_lock="/run/clamav/clamd.pid"
+start_clamd="service clamav-daemon start"
+
+ss_dbs="
+   junk.ndb
+   phish.ndb
+   rogue.hdb
+   sanesecurity.ftm
+   scam.ndb
+   sigwhitelist.ign2
+   spamattach.hdb
+   spamimg.hdb
+   winnow.attachments.hdb
+   winnow_bad_cw.hdb
+   winnow_extended_malware.hdb
+   winnow_malware.hdb
+   winnow_malware_links.ndb
+   malwarehash.hsb
+   doppelstern.hdb
+   bofhland_cracked_URL.ndb
+   bofhland_malware_attach.hdb
+   bofhland_malware_URL.ndb
+   bofhland_phishing_URL.ndb
+   crdfam.clamav.hdb
+   phishtank.ndb
+   porcupine.ndb
+   spear.ndb
+   spearl.ndb
+"
+
+# ========================
+# SecuriteInfo Database(s)
+# ========================
+# Add or remove database file names between quote marks as needed.  To
+# disable any SecuriteInfo database downloads, remove the appropriate
+# lines below.  To disable all SecuriteInfo database file downloads,
+# comment all of the following lines.
+si_dbs=""
+
+mbl_dbs=""
+\ No newline at end of file
diff --git a/puppet/modules/clamav/files/clamav-daemon_default b/puppet/modules/clamav/files/clamav-daemon_default
new file mode 100644
index 00000000..b4cd6a4f
--- /dev/null
+++ b/puppet/modules/clamav/files/clamav-daemon_default
@@ -0,0 +1,8 @@
+# This is a file designed only t0 set special environment variables
+# eg TMP or TMPDIR.  It is sourced from a shell script, so anything
+# put in here must be in variable=value format, suitable for sourcing
+# from a shell script.
+# Examples:
+# export TMPDIR=/dev/shm
+export TMP=/var/tmp
+export TMPDIR=/var/tmp
diff --git a/puppet/modules/clamav/files/clamav-milter_default b/puppet/modules/clamav/files/clamav-milter_default
new file mode 100644
index 00000000..5e33e822
--- /dev/null
+++ b/puppet/modules/clamav/files/clamav-milter_default
@@ -0,0 +1,14 @@
+#
+# clamav-milter init options
+#
+
+## SOCKET_RWGROUP
+# by default, the socket created by the milter has permissions
+# clamav:clamav:755. SOCKET_RWGROUP changes the group and changes the
+# permissions to 775 to give read-write access to that group.
+#
+# If you are using postfix to speak to the milter, you have to give permission
+# to the postfix group to write
+#
+SOCKET_RWGROUP=postfix
+export TMPDIR=/var/tmp
diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp
new file mode 100644
index 00000000..bf232e2c
--- /dev/null
+++ b/puppet/modules/clamav/manifests/daemon.pp
@@ -0,0 +1,90 @@
+class clamav::daemon {
+
+  $domain_hash           = hiera('domain')
+  $domain                = $domain_hash['full_suffix']
+
+  package { [ 'clamav-daemon', 'arj' ]:
+    ensure => installed;
+  }
+
+  service {
+    'clamav-daemon':
+      ensure     => running,
+      name       => clamav-daemon,
+      pattern    => '/usr/sbin/clamd',
+      enable     => true,
+      hasrestart => true,
+      subscribe  => File['/etc/default/clamav-daemon'],
+      require    => Package['clamav-daemon'];
+  }
+
+  file {
+    '/var/run/clamav':
+      ensure  => directory,
+      mode    => '0750',
+      owner   => clamav,
+      group   => postfix,
+      require => [Package['postfix'], Package['clamav-daemon']];
+
+    '/var/lib/clamav':
+      mode    => '0755',
+      owner   => clamav,
+      group   => clamav,
+      require => Package['clamav-daemon'];
+
+    '/etc/default/clamav-daemon':
+      source => 'puppet:///modules/clamav/clamav-daemon_default',
+      mode   => '0644',
+      owner  => root,
+      group  => root;
+
+    # this file contains additional domains that we want the clamav
+    # phishing process to look for (our domain)
+    '/var/lib/clamav/local.pdb':
+      content => template('clamav/local.pdb.erb'),
+      mode    => '0644',
+      owner   => clamav,
+      group   => clamav,
+      require => Package['clamav-daemon'];
+  }
+
+  file_line {
+    'clamav_daemon_tmp':
+      path    => '/etc/clamav/clamd.conf',
+      line    => 'TemporaryDirectory /var/tmp',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+     'enable_phishscanurls':
+      path    => '/etc/clamav/clamd.conf',
+      match   => 'PhishingScanURLs no',
+      line    => 'PhishingScanURLs yes',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+    'clamav_LogSyslog_true':
+      path    => '/etc/clamav/clamd.conf',
+      match   => '^LogSyslog false',
+      line    => 'LogSyslog true',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+    'clamav_MaxThreads':
+      path    => '/etc/clamav/clamd.conf',
+      match   => 'MaxThreads 20',
+      line    => 'MaxThreads 100',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+  }
+
+  # remove LogFile line
+  file_line {
+    'clamav_LogFile':
+      path    => '/etc/clamav/clamd.conf',
+      match   => '^LogFile .*',
+      line    => '',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp
new file mode 100644
index 00000000..80c822a4
--- /dev/null
+++ b/puppet/modules/clamav/manifests/freshclam.pp
@@ -0,0 +1,23 @@
+class clamav::freshclam {
+
+  package { 'clamav-freshclam': ensure => installed }
+
+  service {
+    'freshclam':
+      ensure     => running,
+      enable     => true,
+      name       => clamav-freshclam,
+      pattern    => '/usr/bin/freshclam',
+      hasrestart => true,
+      require    => Package['clamav-freshclam'];
+  }
+
+  file_line {
+    'freshclam_notify':
+      path    => '/etc/clamav/freshclam.conf',
+      line    => 'NotifyClamd /etc/clamav/clamd.conf',
+      require => Package['clamav-freshclam'],
+      notify  => Service['freshclam'];
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp
new file mode 100644
index 00000000..de8fb4dc
--- /dev/null
+++ b/puppet/modules/clamav/manifests/init.pp
@@ -0,0 +1,8 @@
+class clamav {
+
+  include clamav::daemon
+  include clamav::milter
+  include clamav::unofficial_sigs
+  include clamav::freshclam
+
+}
diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp
new file mode 100644
index 00000000..e8a85e3f
--- /dev/null
+++ b/puppet/modules/clamav/manifests/milter.pp
@@ -0,0 +1,50 @@
+class clamav::milter {
+
+  $clamav                = hiera('clamav')
+  $whitelisted_addresses = $clamav['whitelisted_addresses']
+  $domain_hash           = hiera('domain')
+  $domain                = $domain_hash['full_suffix']
+
+  package { 'clamav-milter': ensure => installed }
+
+  service {
+    'clamav-milter':
+      ensure     => running,
+      enable     => true,
+      name       => clamav-milter,
+      pattern    => '/usr/sbin/clamav-milter',
+      hasrestart => true,
+      require    => Package['clamav-milter'],
+      subscribe  => File['/etc/default/clamav-milter'];
+  }
+
+  file {
+    '/run/clamav/milter.ctl':
+      mode    => '0666',
+      owner   => clamav,
+      group   => postfix,
+      require => Class['clamav::daemon'];
+
+    '/etc/clamav/clamav-milter.conf':
+      content   => template('clamav/clamav-milter.conf.erb'),
+      mode      => '0644',
+      owner     => root,
+      group     => root,
+      require   => Package['clamav-milter'],
+      subscribe => Service['clamav-milter'];
+
+    '/etc/default/clamav-milter':
+      source => 'puppet:///modules/clamav/clamav-milter_default',
+      mode   => '0644',
+      owner  => root,
+      group  => root;
+
+    '/etc/clamav/whitelisted_addresses':
+      content => template('clamav/whitelisted_addresses.erb'),
+      mode    => '0644',
+      owner   => root,
+      group   => root,
+      require => Package['clamav-milter'];
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/unofficial_sigs.pp b/puppet/modules/clamav/manifests/unofficial_sigs.pp
new file mode 100644
index 00000000..2d849585
--- /dev/null
+++ b/puppet/modules/clamav/manifests/unofficial_sigs.pp
@@ -0,0 +1,23 @@
+class clamav::unofficial_sigs {
+
+  package { 'clamav-unofficial-sigs':
+    ensure => installed
+  }
+
+  ensure_packages(['wget', 'gnupg', 'socat', 'rsync', 'curl'])
+
+  file {
+    '/var/log/clamav-unofficial-sigs.log':
+      ensure  => file,
+      owner   => clamav,
+      group   => clamav,
+      require => Package['clamav-unofficial-sigs'];
+
+    '/etc/clamav-unofficial-sigs.conf.d/01-leap.conf':
+      source  => 'puppet:///modules/clamav/01-leap.conf',
+      mode    => '0755',
+      owner   => root,
+      group   => root,
+      require => Package['clamav-unofficial-sigs'];
+    }
+}
diff --git a/puppet/modules/clamav/templates/clamav-milter.conf.erb b/puppet/modules/clamav/templates/clamav-milter.conf.erb
new file mode 100644
index 00000000..9bf7099e
--- /dev/null
+++ b/puppet/modules/clamav/templates/clamav-milter.conf.erb
@@ -0,0 +1,28 @@
+# THIS FILE MANAGED BY PUPPET
+MilterSocket /var/run/clamav/milter.ctl
+FixStaleSocket true
+User clamav
+MilterSocketGroup clamav
+MilterSocketMode 666
+AllowSupplementaryGroups true
+ReadTimeout 120
+Foreground false
+PidFile /var/run/clamav/clamav-milter.pid
+ClamdSocket unix:/var/run/clamav/clamd.ctl
+OnClean Accept
+OnInfected Reject
+OnFail Defer
+AddHeader Replace
+LogSyslog true
+LogFacility LOG_LOCAL6
+LogVerbose yes
+LogInfected Basic
+LogTime true
+LogFileUnlock false
+LogClean Off
+LogRotate true
+SupportMultipleRecipients false
+MaxFileSize 10M
+TemporaryDirectory /var/tmp
+RejectMsg "Message refused due to content violation: %v - contact https://<%= @domain %>/tickets/new if this is in error"
+Whitelist /etc/clamav/whitelisted_addresses
diff --git a/puppet/modules/clamav/templates/local.pdb.erb b/puppet/modules/clamav/templates/local.pdb.erb
new file mode 100644
index 00000000..9ea0584a
--- /dev/null
+++ b/puppet/modules/clamav/templates/local.pdb.erb
@@ -0,0 +1 @@
+H:<%= @domain %>
diff --git a/puppet/modules/clamav/templates/whitelisted_addresses.erb b/puppet/modules/clamav/templates/whitelisted_addresses.erb
new file mode 100644
index 00000000..9e068ec5
--- /dev/null
+++ b/puppet/modules/clamav/templates/whitelisted_addresses.erb
@@ -0,0 +1,5 @@
+<%- if @whitelisted_addresses then -%>
+<%   @whitelisted_addresses.each do |name| -%>
+From::<%= name %>
+<%   end -%>
+<% end -%>
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject 3c20a3169e77e5a5f9abc06788c3a7730d5530c
+Subproject cdde1e172b3ed2c6c1f203341e75bcef5c3c349
diff --git a/puppet/modules/leap/manifests/cli/install.pp b/puppet/modules/leap/manifests/cli/install.pp
new file mode 100644
index 00000000..858bd7da
--- /dev/null
+++ b/puppet/modules/leap/manifests/cli/install.pp
@@ -0,0 +1,33 @@
+# installs leap_cli on node
+class leap::cli::install ( $source = false ) {
+  if $source {
+    # needed for building leap_cli from source
+    include ::git
+    include ::site_config::ruby::dev
+
+    vcsrepo { '/srv/leap/cli':
+      ensure   => present,
+      force    => true,
+      revision => 'develop',
+      provider => 'git',
+      source   => 'https://leap.se/git/leap_cli.git',
+      owner    => 'root',
+      group    => 'root',
+      notify   => Exec['install_leap_cli'],
+      require  => Package['git']
+    }
+
+    exec { 'install_leap_cli':
+      command     => '/usr/bin/rake build && /usr/bin/rake install',
+      cwd         => '/srv/leap/cli',
+      refreshonly => true,
+      require     => [ Package['ruby-dev'], File['/etc/gemrc'], Package['rake'] ]
+    }
+  }
+  else {
+    package { 'leap_cli':
+      ensure   => installed,
+      provider => gem
+    }
+  }
+}
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index 6bcdd19a..284662d2 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -77,16 +77,18 @@ class leap_mx {
   }
 
   augeas {
-    "logrotate_mx":
-      context => "/files/etc/logrotate.d/leap-mx/rule",
+    'logrotate_mx':
+      context => '/files/etc/logrotate.d/leap-mx/rule',
       changes => [
-        "set file /var/log/leap/mx.log",
-        'set rotate 5',
-        'set schedule daily',
-        'set compress compress',
-        'set missingok missingok',
-        'set ifempty notifempty',
-        'set copytruncate copytruncate'
-      ]
+                  'set file /var/log/leap/mx.log',
+                  'set rotate 5',
+                  'set schedule daily',
+                  'clear nocreate',
+                  'rm create',
+                  'rm ifempty',
+                  'set compress compress',
+                  'set missingok missingok',
+                  'set copytruncate copytruncate'
+                  ]
   }
 }
diff --git a/puppet/modules/nagios b/puppet/modules/nagios
-Subproject b55f23d4d90c97cec08251544aa9700df86ad0b
+Subproject 6c3ca97f1524e2b6242c27a2c97dbfb78105889
diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp
new file mode 100644
index 00000000..9e67569e
--- /dev/null
+++ b/puppet/modules/opendkim/manifests/init.pp
@@ -0,0 +1,38 @@
+# configure opendkim service (#5924)
+class opendkim {
+
+  $domain_hash = hiera('domain')
+  $domain      = $domain_hash['full_suffix']
+  $dkim        = hiera('dkim')
+  $selector    = $dkim['dkim_selector']
+
+  include site_config::x509::dkim::key
+  $dkim_key    = "${x509::variables::keys}/dkim.key"
+
+  ensure_packages(['opendkim', 'libopendkim7', 'libvbr2'])
+
+  # postfix user needs to be in the opendkim group
+  # in order to access the opendkim socket located at:
+  # local:/var/run/opendkim/opendkim.sock
+  user { 'postfix':
+    groups => 'opendkim';
+  }
+
+  service { 'opendkim':
+    ensure     => running,
+    enable     => true,
+    hasstatus  => true,
+    hasrestart => true,
+    require    => Class['Site_config::X509::Dkim::Key'],
+    subscribe  => File[$dkim_key];
+  }
+
+  file { '/etc/opendkim.conf':
+    ensure  => present,
+    content => template('opendkim/opendkim.conf'),
+    mode    => '0644',
+    owner   => root,
+    group   => root,
+    notify  => Service['opendkim'],
+    require => Package['opendkim'];
+}
diff --git a/puppet/modules/opendkim/templates/opendkim.conf b/puppet/modules/opendkim/templates/opendkim.conf
new file mode 100644
index 00000000..46ddb7a8
--- /dev/null
+++ b/puppet/modules/opendkim/templates/opendkim.conf
@@ -0,0 +1,44 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog                  yes
+SyslogSuccess           yes
+LogWhy                  no
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask                   002
+
+Domain                  <%= @domain %>
+SubDomains              yes
+
+# set internal hosts to all the known hosts, like mydomains?
+
+# can we generate a larger key and get it in dns?
+KeyFile                 <%= @dkim_key %>
+
+# what selector do we use?
+Selector                <%= @selector %>
+
+# Commonly-used options; the commented-out versions show the defaults.
+Canonicalization        relaxed
+#Mode                   sv
+#ADSPDiscard            no
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier.  From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders         From
+
+# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
+# (ATPS) (experimental)
+
+#ATPSDomains            example.com
+
+RemoveOldSignatures     yes
+
+Mode                    sv
+BaseDirectory           /var/tmp
diff --git a/puppet/modules/postfix b/puppet/modules/postfix
-Subproject f09cd0eff2bcab7e12c09ec67be3c918bc83fac
+Subproject 53572a8934fe5b0a3a567cdec10664f28892373
diff --git a/puppet/modules/postfwd/files/postfwd_default b/puppet/modules/postfwd/files/postfwd_default
new file mode 100644
index 00000000..79d0e3de
--- /dev/null
+++ b/puppet/modules/postfwd/files/postfwd_default
@@ -0,0 +1,19 @@
+### This file managed by Puppet
+# Global options for postfwd(8).
+
+# Set to '1' to enable startup (daemon mode)
+STARTUP=1
+
+# Config file
+CONF=/etc/postfix/postfwd.cf
+# IP where listen to
+INET=127.0.0.1
+# Port where listen to
+PORT=10040
+# run as user postfwd
+RUNAS="postfw"
+# Arguments passed on start (--daemon implied)
+# RISEUP disable summary and cache-no-size
+#ARGS="--summary=600 --cache=600 --cache-rdomain-only --cache-no-size"
+ARGS="--cache=600 --cache-rdomain-only --no-rulestats"
+
diff --git a/puppet/modules/postfwd/manifests/init.pp b/puppet/modules/postfwd/manifests/init.pp
new file mode 100644
index 00000000..1ebc1d53
--- /dev/null
+++ b/puppet/modules/postfwd/manifests/init.pp
@@ -0,0 +1,42 @@
+# This class provides rate-limiting for outgoing SMTP, using postfwd
+# it is configured with some limits that seem reasonable for a generic
+# use-case. Each of the following applies to sasl_authenticated users:
+#
+# . 150 recipients at a time
+# . no more than 50 messages in 60 minutes
+# . no more than 250 recipients in 60 minutes.
+#
+# This class could be easily extended to add overrides to these rules,
+# maximum sizes per client, or additional rules
+class postfwd {
+
+  ensure_packages(['libnet-server-perl', 'libnet-dns-perl', 'postfwd'])
+
+  file {
+    '/etc/default/postfwd':
+      source  => 'puppet:///modules/postfwd/postfwd_default',
+      mode    => '0644',
+      owner   => root,
+      group   => root,
+      require => Package['postfwd'];
+
+    '/etc/postfix/postfwd.cf':
+      content => template('postfwd/postfwd.cf.erb'),
+      mode    => '0644',
+      owner   => root,
+      group   => root,
+      require => Package['postfix'];
+  }
+
+  service {
+    'postfwd':
+      ensure     => running,
+      name       => postfwd,
+      pattern    => '/usr/sbin/postfwd',
+      enable     => true,
+      hasrestart => true,
+      hasstatus  => false,
+      require    => [ File['/etc/default/postfwd'],
+                      File['/etc/postfix/postfwd.cf']];
+  }
+}
diff --git a/puppet/modules/postfwd/templates/postfwd.cf.erb b/puppet/modules/postfwd/templates/postfwd.cf.erb
new file mode 100644
index 00000000..1c45dd03
--- /dev/null
+++ b/puppet/modules/postfwd/templates/postfwd.cf.erb
@@ -0,0 +1,28 @@
+### This file managed by Puppet
+# Before deploying a rule
+# 1. test with an additional "sender==test@domain.org;" in the rule so it
+#   only applies to your test account
+# 2. then when ready to test for all users, use WARN and watch the logs
+#   for a few days and make sure it working the way you like
+# 3. Then when ready to deploy for real set a proper error code
+
+## Overrides - make like the following example
+# id=exampleuser; sasl_username==exampleuser; action=dunno
+
+## Rules that apply to all senders
+# Recipient Per Message Limit
+# We only receive mail via smtp from sasl authenticated users
+# directly. We want to limit to a lower amount to prevent phished accounts
+# spamming
+id=RCPTSENDER; recipient_count=150; action=REJECT Too many recipients, please try again. Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:RCPTSENDER 
+
+# Message Rate Limit
+# This limits sasl authenticated users to no more than 50/60mins
+# NOTE: sasl_username needs to be set to something or this check will fail
+id=MSGRATE ; sasl_username=!!(^$); action==rate($$sasl_username/100/3600/450 4.7.1 exceeded message rate. Contact Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:MSGRATE)
+
+# Total Recipient Rate Limit
+# This adds up the recipients for all the sasl authenticated users messages
+# and can't exceed more than 250/60min
+# NOTE: sasl_username needs to be set to something or this check will fail
+id=RCPTRATE ; sasl_username=!!(^$); action==rcpt($$sasl_username/500/3600/450 4.7.1 exceeded message rate. Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:RCPTRATE)
diff --git a/puppet/modules/ruby b/puppet/modules/ruby
-Subproject e4de25d78eefc7df70a35dee22a3e0dc1b7e1d0
+Subproject 0fb2b398dbfce59c678d6f4044a55969e42c6d4
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
index 2b83ffa5..64beb231 100644
--- a/puppet/modules/site_apache/manifests/common.pp
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -1,27 +1,8 @@
 class site_apache::common {
-  # installs x509 cert + key and common config
-  # that both nagios + leap webapp use
-
-  $web_domain       = hiera('domain')
-  $domain_name      = $web_domain['name']
-
-  include x509::variables
-  include site_config::x509::commercial::cert
-  include site_config::x509::commercial::key
-  include site_config::x509::commercial::ca
-
-  Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
-  Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
-  Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
 
   include site_apache::module::rewrite
 
   class { '::apache': no_default_site => true, ssl => true }
 
-  apache::vhost::file {
-    'common':
-      content => template('site_apache/vhosts.d/common.conf.erb')
-  }
-
-  apache::config::include{ 'ssl_common.inc': }
+  include site_apache::common::tls
 }
diff --git a/puppet/modules/site_apache/manifests/common/tls.pp b/puppet/modules/site_apache/manifests/common/tls.pp
new file mode 100644
index 00000000..040868bf
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/common/tls.pp
@@ -0,0 +1,6 @@
+class site_apache::common::tls {
+  # class to setup common SSL configurations
+
+  apache::config::include{ 'ssl_common.inc': }
+
+}
diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
index ee5cd707..7f9fd5ab 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -4,7 +4,7 @@
   ServerAlias <%= domain %>
   ServerAlias www.<%= domain %>
   RewriteEngine On
-  RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
+  RewriteRule ^.*$ https://<%= webapp_domain -%>%{REQUEST_URI} [R=permanent,L]
   CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common
 </VirtualHost>
 
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
index 0c6f3b8e..2c8d5eb5 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
@@ -30,4 +30,14 @@
     ExpiresDefault "access plus 1 year"
   </Location>
 <% end -%>
+
+<% if (defined? @services) and (@services.include? 'static') -%>
+  DocumentRoot "/srv/static/root/public"
+  AccessFileName .htaccess
+
+  Alias /provider.json /srv/leap/provider.json
+  <Location /provider.json>
+    Header set X-Minimum-Client-Version 0.5
+  </Location>
+<% end -%>
 </VirtualHost>
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
index 95ddd2ca..0f378a5a 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
@@ -6,7 +6,7 @@
  I 127.0.0.1 localhost:5984 .* ok
  # https://leap.se/code/issues/5246
  I Shutting down group server
- # ignore bigcouch conflict errors, mainly coming from tapicero creating new users
+ # ignore bigcouch conflict errors
  I Error in process.*{{nocatch,conflict}
  # ignore "Uncaught error in HTTP request: {exit, normal}" error
  # it's suppressed in later versions of bigcouch anhow
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg
new file mode 100644
index 00000000..f53f0780
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg
@@ -0,0 +1,5 @@
+# on one-node bigcouch setups, we'll get this msg
+# a lot, so we ignore it here until we fix
+# https://leap.se/code/issues/5244
+ I epmd: got partial packet only on file descriptor
+
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg
index f546135a..5f8d5b95 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg
@@ -1,7 +1,2 @@
  C /usr/local/bin/couch-doc-update.*failed
  C /usr/local/bin/couch-doc-update.*ERROR
-# on one-node bigcouch setups, we'll get this msg
-# a lot, so we ignore it here until we fix
-# https://leap.se/code/issues/5244
- I epmd: got partial packet only on file descriptor
-
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
deleted file mode 100644
index d98f5094..00000000
--- a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg
+++ /dev/null
@@ -1,11 +0,0 @@
-/var/log/leap/tapicero.log
-# Ignore transient Tapicero errors when creating a db (#6511)
- I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|(twice )?due to): (RestClient::ResourceNotFound|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error)
- C tapicero.*RestClient::InternalServerError:
-# possible race condition between multiple tapicero
-# instances, so we ignore it
-# see https://leap.se/code/issues/5168
- I tapicero.*RestClient::PreconditionFailed:
- C tapicero.*Creating database.*failed due to:
- C tapicero.*failed
- W tapicero.*Couch stream ended unexpectedly.
diff --git a/puppet/modules/site_check_mk/files/extra_host_conf.mk b/puppet/modules/site_check_mk/files/extra_host_conf.mk
deleted file mode 100644
index 2c96f97a..00000000
--- a/puppet/modules/site_check_mk/files/extra_host_conf.mk
+++ /dev/null
@@ -1,6 +0,0 @@
-# retry 3 times before setting a host into a hard state
-# and send out notification
-extra_host_conf["max_check_attempts"] = [ 
-  ("4", ALL_HOSTS ) 
-]
-
diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
index abfc7ad0..1554fd3c 100644
--- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
@@ -1,32 +1,18 @@
+# configure logwatch and nagios checks for couchdb (both bigcouch and plain
+# couchdb installations)
 class site_check_mk::agent::couchdb {
 
-  # watch logs
-  file { '/etc/check_mk/logwatch.d/bigcouch.cfg':
-    source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg',
-  }
   concat::fragment { 'syslog_couchdb':
     source  => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/couchdb.cfg',
     target  => '/etc/check_mk/logwatch.d/syslog.cfg',
     order   => '02';
   }
 
-
-  # check bigcouch processes
-  augeas {
-    'Bigcouch_epmd_procs':
-      incl    => '/etc/check_mk/mrpe.cfg',
-      lens    => 'Spacevars.lns',
-      changes => [
-        'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs',
-        'set Bigcouch_epmd_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/epmd\'' ],
-      require => File['/etc/check_mk/mrpe.cfg'];
-    'Bigcouch_beam_procs':
-      incl    => '/etc/check_mk/mrpe.cfg',
-      lens    => 'Spacevars.lns',
-      changes => [
-        'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs',
-        'set Bigcouch_beam_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/beam\'' ],
-      require => File['/etc/check_mk/mrpe.cfg'];
+  # check different couchdb stats
+  file { '/usr/lib/check_mk_agent/local/leap_couch_stats.sh':
+    source  => 'puppet:///modules/site_check_mk/agent/local_checks/couchdb/leap_couch_stats.sh',
+    mode    => '0755',
+    require => Package['check_mk-agent']
   }
 
   # check open files for bigcouch proc
@@ -36,20 +22,13 @@ class site_check_mk::agent::couchdb {
     mode   => '0755'
   }
   augeas {
-    'Bigcouch_open_files':
+    'Couchdb_open_files':
       incl    => '/etc/check_mk/mrpe.cfg',
       lens    => 'Spacevars.lns',
       changes => [
-        'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files',
-        'set Bigcouch_open_files \'/srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720\'' ],
+        'rm /files/etc/check_mk/mrpe.cfg/Couchdb_open_files',
+        'set Couchdb_open_files \'/srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720\'' ],
       require => File['/etc/check_mk/mrpe.cfg'];
   }
 
-
-  # check different couchdb stats
-  file { '/usr/lib/check_mk_agent/local/leap_couch_stats.sh':
-    source  => 'puppet:///modules/site_check_mk/agent/local_checks/couchdb/leap_couch_stats.sh',
-    mode    => '0755',
-    require => Package['check_mk-agent']
-  }
 }
diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp
new file mode 100644
index 00000000..82c3ac72
--- /dev/null
+++ b/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp
@@ -0,0 +1,49 @@
+# configure logwatch and nagios checks for bigcouch
+class site_check_mk::agent::couchdb::bigcouch {
+
+  # watch bigcouch logs
+  # currently disabled because bigcouch is too noisy
+  # see https://leap.se/code/issues/7375 for more details
+  # and site_config::remove_files for removing leftovers
+  #file { '/etc/check_mk/logwatch.d/bigcouch.cfg':
+  #  source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg',
+  #}
+
+  # check syslog msg from:
+  # - empd
+  # - /usr/local/bin/couch-doc-update
+  concat::fragment { 'syslog_bigcouch':
+    source  => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/bigcouch.cfg',
+    target  => '/etc/check_mk/logwatch.d/syslog.cfg',
+    order   => '02';
+  }
+
+  # check bigcouch processes
+  augeas {
+    'Bigcouch_epmd_procs':
+      incl    => '/etc/check_mk/mrpe.cfg',
+      lens    => 'Spacevars.lns',
+      changes => [
+        'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs',
+        'set Bigcouch_epmd_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/epmd\'' ],
+      require => File['/etc/check_mk/mrpe.cfg'];
+    'Bigcouch_beam_procs':
+      incl    => '/etc/check_mk/mrpe.cfg',
+      lens    => 'Spacevars.lns',
+      changes => [
+        'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs',
+        'set Bigcouch_beam_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/beam\'' ],
+      require => File['/etc/check_mk/mrpe.cfg'];
+  }
+
+  augeas {
+    'Bigcouch_open_files':
+      incl    => '/etc/check_mk/mrpe.cfg',
+      lens    => 'Spacevars.lns',
+      changes => [
+        'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files',
+        'set Bigcouch_open_files \'/srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720\'' ],
+      require => File['/etc/check_mk/mrpe.cfg'];
+  }
+
+}
diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp
new file mode 100644
index 00000000..291b87d1
--- /dev/null
+++ b/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp
@@ -0,0 +1,23 @@
+# configure logwatch and nagios checks for plain single couchdb master
+class site_check_mk::agent::couchdb::master {
+
+  # remove bigcouch leftovers
+  augeas {
+    'Bigcouch_epmd_procs':
+      incl    => '/etc/check_mk/mrpe.cfg',
+      lens    => 'Spacevars.lns',
+      changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs',
+      require => File['/etc/check_mk/mrpe.cfg'];
+    'Bigcouch_beam_procs':
+      incl    => '/etc/check_mk/mrpe.cfg',
+      lens    => 'Spacevars.lns',
+      changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs',
+      require => File['/etc/check_mk/mrpe.cfg'];
+    'Bigcouch_open_files':
+      incl    => '/etc/check_mk/mrpe.cfg',
+      lens    => 'Spacevars.lns',
+      changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files',
+      require => File['/etc/check_mk/mrpe.cfg'];
+  }
+
+}
diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
deleted file mode 100644
index ad9962d4..00000000
--- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
+++ /dev/null
@@ -1,26 +0,0 @@
-# sets up tapicero monitoring
-class site_check_mk::agent::tapicero {
-
-  include ::site_nagios::plugins
-
-  # watch logs
-  file { '/etc/check_mk/logwatch.d/tapicero.cfg':
-    source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg',
-  }
-
-  # local nagios plugin checks via mrpe
-  augeas {
-    'Tapicero_Procs':
-      incl    => '/etc/check_mk/mrpe.cfg',
-      lens    => 'Spacevars.lns',
-      changes => [
-        'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs',
-        "set Tapicero_Procs \"/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 --ereg-argument-array='^tapicero$'\"" ],
-      require => File['/etc/check_mk/mrpe.cfg'];
-    'Tapicero_Heartbeat':
-      incl    => '/etc/check_mk/mrpe.cfg',
-      lens    => 'Spacevars.lns',
-      changes => 'set Tapicero_Heartbeat \'/usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/leap/tapicero.log -r "tapicero" -w 300 -c 600\'',
-      require => File['/etc/check_mk/mrpe.cfg'];
-  }
-}
diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp
index 67519513..57f68d3e 100644
--- a/puppet/modules/site_check_mk/manifests/server.pp
+++ b/puppet/modules/site_check_mk/manifests/server.pp
@@ -54,7 +54,7 @@ class site_check_mk::server {
       notify  => Exec['check_mk-refresh'],
       require => Package['check-mk-server'];
     '/etc/check_mk/conf.d/extra_host_conf.mk':
-      source  => 'puppet:///modules/site_check_mk/extra_host_conf.mk',
+      content => template('site_check_mk/extra_host_conf.mk'),
       notify  => Exec['check_mk-refresh'],
       require => Package['check-mk-server'];
 
diff --git a/puppet/modules/site_check_mk/templates/extra_host_conf.mk b/puppet/modules/site_check_mk/templates/extra_host_conf.mk
new file mode 100644
index 00000000..bc27b514
--- /dev/null
+++ b/puppet/modules/site_check_mk/templates/extra_host_conf.mk
@@ -0,0 +1,13 @@
+# retry 3 times before setting a host into a hard state
+# and send out notification
+extra_host_conf["max_check_attempts"] = [
+  ("4", ALL_HOSTS )
+]
+
+# Use hostnames as alias so notification mail subjects
+# are more readable and not so long. Alias defaults to
+# the fqdn of a host is not changed.
+extra_host_conf["alias"] = [
+<% @hosts.keys.sort.each do |key| -%>  ( "<%= key.strip %>", ["<%= @hosts[key]['domain_internal']%>"]),
+<% end -%>
+]
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index e69e4b7b..6b10dc19 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -1,3 +1,4 @@
+# common things to set up on every node
 class site_config::default {
   tag 'leap_base'
 
@@ -29,7 +30,7 @@ class site_config::default {
   # i.e. openstack/aws nodes, vagrant nodes
 
   # fix dhclient from changing resolver information
-   if $::dhcp_enabled == 'true' {
+  if $::dhcp_enabled == 'true' {
     include site_config::dhclient
   }
 
@@ -58,7 +59,9 @@ class site_config::default {
 
   # set up core leap files and directories
   include site_config::files
-  include site_config::remove_files
+
+  # remove leftovers from previous deploys
+  include site_config::remove
 
   if ! member($services, 'mx') {
     include site_postfix::satellite
diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp
new file mode 100644
index 00000000..b1ad1a2b
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove.pp
@@ -0,0 +1,4 @@
+# remove leftovers from previous deploys
+class site_config::remove {
+  include site_config::remove::files
+}
diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove/files.pp
index 3f46659c..466f50c8 100644
--- a/puppet/modules/site_config/manifests/remove_files.pp
+++ b/puppet/modules/site_config/manifests/remove/files.pp
@@ -9,7 +9,7 @@
 # release.
 #
 
-class site_config::remove_files {
+class site_config::remove::files {
 
   #
   # Platform 0.7 removals
@@ -31,6 +31,7 @@ class site_config::remove_files {
     '/srv/leap/couchdb/designs/tmp_users':
       recurse => true,
       rmdirs => true;
+    '/etc/leap/soledad-server.conf':;
   }
 
   # leax-mx logged to /var/log/leap_mx.log in the past
@@ -42,5 +43,22 @@ class site_config::remove_files {
       onlyif  => "/bin/grep -qe 'leap_mx.log' /etc/check_mk/logwatch.state"
   }
 
-
+  # Don't use check_mk logwatch to watch bigcouch logs anymore
+  # see https://leap.se/code/issues/7375 for more details
+  file { '/etc/check_mk/logwatch.d/bigcouch.cfg':
+    ensure => absent,
+    notify => [
+      Exec['remove_bigcouch_logwatch_spoolfiles'],
+      Exec['remove_bigcouch_logwatch_stateline']
+    ]
+  }
+  # remove leftover bigcouch logwatch spool files
+  exec { 'remove_bigcouch_logwatch_spoolfiles':
+    command     => 'find /var/lib/check_mk/logwatch -name \'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -exec rm {} \;',
+    refreshonly => true,
+  }
+  exec { 'remove_bigcouch_logwatch_stateline':
+    command     => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state",
+    refreshonly => true,
+  }
 }
diff --git a/puppet/modules/site_config/manifests/remove/monitoring.pp b/puppet/modules/site_config/manifests/remove/monitoring.pp
new file mode 100644
index 00000000..d7095597
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/monitoring.pp
@@ -0,0 +1,10 @@
+# remove leftovers on monitoring nodes
+class site_config::remove::monitoring {
+
+  tidy {
+    'checkmk_logwatch_spool':
+      path    => '/var/lib/check_mk/logwatch',
+      recurse => true,
+      matches => '*tapicero.log'
+  }
+}
diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp
new file mode 100644
index 00000000..4ce972d0
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/tapicero.pp
@@ -0,0 +1,69 @@
+# remove tapicero leftovers from previous deploys on couchdb nodes
+class site_config::remove::tapicero {
+
+  # remove tapicero couchdb user
+  $couchdb_config = hiera('couch')
+  $couchdb_mode   = $couchdb_config['mode']
+
+  if $couchdb_mode == 'multimaster'
+  {
+    $port = 5986
+  } else {
+    $port = 5984
+  }
+
+  exec { 'remove_couchdb_user':
+    onlyif  => "/usr/bin/curl -s 127.0.0.1:${port}/_users/org.couchdb.user:tapicero | grep -qv 'not_found'",
+    command => "/usr/local/bin/couch-doc-update --host 127.0.0.1:${port} --db _users --id org.couchdb.user:tapicero --delete"
+  }
+
+
+  exec { 'kill_tapicero':
+    onlyif  => '/usr/bin/test -s /var/run/tapicero.pid',
+    command => '/usr/bin/pkill --pidfile /var/run/tapicero.pid'
+  }
+
+  user { 'tapicero':
+    ensure  => absent;
+  }
+
+  group { 'tapicero':
+    ensure => absent,
+    require => User['tapicero'];
+  }
+
+  tidy {
+    '/srv/leap/tapicero':
+      recurse => true,
+      require   => [ Exec['kill_tapicero'] ];
+    '/var/lib/leap/tapicero':
+      require   => [ Exec['kill_tapicero'] ];
+    '/var/run/tapicero':
+      require   => [ Exec['kill_tapicero'] ];
+    '/etc/leap/tapicero.yaml':
+      require   => [ Exec['kill_tapicero'] ];
+    '/etc/init.d/tapicero':
+      require   => [ Exec['kill_tapicero'] ];
+    'tapicero_logs':
+      path    => '/var/log/leap',
+      recurse => true,
+      matches => 'tapicero*',
+      require   => [ Exec['kill_tapicero'] ];
+    '/etc/check_mk/logwatch.d/tapicero.cfg':;
+  }
+
+  # remove local nagios plugin checks via mrpe
+  augeas {
+    'Tapicero_Procs':
+      incl    => '/etc/check_mk/mrpe.cfg',
+      lens    => 'Spacevars.lns',
+      changes => 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs',
+      require => File['/etc/check_mk/mrpe.cfg'];
+    'Tapicero_Heartbeat':
+      incl    => '/etc/check_mk/mrpe.cfg',
+      lens    => 'Spacevars.lns',
+      changes => 'rm Tapicero_Heartbeat',
+      require => File['/etc/check_mk/mrpe.cfg'];
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/remove/webapp.pp b/puppet/modules/site_config/manifests/remove/webapp.pp
new file mode 100644
index 00000000..58f59815
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/webapp.pp
@@ -0,0 +1,7 @@
+# remove leftovers on webapp nodes
+class site_config::remove::webapp {
+  tidy {
+    '/etc/apache/sites-enabled/leap_webapp.conf':
+      notify => Service['apache'];
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/dkim/key.pp b/puppet/modules/site_config/manifests/x509/dkim/key.pp
new file mode 100644
index 00000000..c63a7e94
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/dkim/key.pp
@@ -0,0 +1,13 @@
+class site_config::x509::dkim::key {
+
+  ##
+  ## This is for the DKIM key that is used exclusively for DKIM
+  ## signing
+
+  $x509 = hiera('x509')
+  $key  = $x509['dkim_key']
+
+  x509::key { 'dkim':
+    content => $key
+  }
+}
diff --git a/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json b/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json
new file mode 100644
index 00000000..006c1ea1
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json
@@ -0,0 +1,22 @@
+{
+   "_id": "_design/InviteCode",
+   "language": "javascript",
+   "views": {
+       "by__id": {
+           "map": "                function(doc) {\n                  if ((doc['type'] == 'InviteCode') && (doc['_id'] != null)) {\n                    emit(doc['_id'], 1);\n                  }\n                }\n",
+           "reduce": "_sum"
+       },
+       "by_invite_code": {
+           "map": "                function(doc) {\n                  if ((doc['type'] == 'InviteCode') && (doc['invite_code'] != null)) {\n                    emit(doc['invite_code'], 1);\n                  }\n                }\n",
+           "reduce": "_sum"
+       },
+       "by_invite_count": {
+           "map": "                function(doc) {\n                  if ((doc['type'] == 'InviteCode') && (doc['invite_count'] != null)) {\n                    emit(doc['invite_count'], 1);\n                  }\n                }\n",
+           "reduce": "_sum"
+       },
+       "all": {
+           "map": "                function(doc) {\n                  if (doc['type'] == 'InviteCode') {\n                    emit(doc._id, null);\n                  }\n                }\n"
+       }
+   },
+   "couchrest-hash": "83fb8f504520b4a9c7ddbb7928cd0ce3"
+}
+\ No newline at end of file
diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp
index 2f734ed4..c905316b 100644
--- a/puppet/modules/site_couchdb/manifests/add_users.pp
+++ b/puppet/modules/site_couchdb/manifests/add_users.pp
@@ -1,3 +1,4 @@
+# add couchdb users for all services
 class site_couchdb::add_users {
 
   Class['site_couchdb::create_dbs']
@@ -35,16 +36,6 @@ class site_couchdb::add_users {
     require => Couchdb::Query::Setup['localhost']
   }
 
-  ### tapicero couchdb user
-  ### admin: needs to be able to create user-<uuid> databases
-  ### read: users
-  couchdb::add_user { $site_couchdb::couchdb_tapicero_user:
-    roles   => '["users"]',
-    pw      => $site_couchdb::couchdb_tapicero_pw,
-    salt    => $site_couchdb::couchdb_tapicero_salt,
-    require => Couchdb::Query::Setup['localhost']
-  }
-
   ## webapp couchdb user
   ## read/write: users, tokens, sessions, tickets, identities, customer
   couchdb::add_user { $site_couchdb::couchdb_webapp_user:
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp
index 469a2783..2de3d4d0 100644
--- a/puppet/modules/site_couchdb/manifests/bigcouch.pp
+++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp
@@ -44,4 +44,7 @@ class site_couchdb::bigcouch {
     require => Package['couchdb'],
     notify  => Service['couchdb']
   }
+
+  include site_check_mk::agent::couchdb::bigcouch
+
 }
diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp
index eea4bbf5..a2d1c655 100644
--- a/puppet/modules/site_couchdb/manifests/create_dbs.pp
+++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp
@@ -90,4 +90,13 @@ class site_couchdb::create_dbs {
     members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }",
     require => Couchdb::Query::Setup['localhost']
   }
+
+  ## invite_codes db
+  ## store invite codes for new signups
+  ## r/w: webapp
+  couchdb::create_db { 'invite_codes':
+    members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }",
+    require => Couchdb::Query::Setup['localhost']
+  }
+
 }
diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp
index 1ab1c6a1..e5fd94c6 100644
--- a/puppet/modules/site_couchdb/manifests/designs.pp
+++ b/puppet/modules/site_couchdb/manifests/designs.pp
@@ -12,12 +12,13 @@ class site_couchdb::designs {
   }
 
   site_couchdb::upload_design {
-    'customers':   design => 'customers/Customer.json';
-    'identities':  design => 'identities/Identity.json';
-    'tickets':     design => 'tickets/Ticket.json';
-    'messages':    design => 'messages/Message.json';
-    'users':       design => 'users/User.json';
-    'tmp_users':   design => 'users/User.json';
+    'customers':    design => 'customers/Customer.json';
+    'identities':   design => 'identities/Identity.json';
+    'tickets':      design => 'tickets/Ticket.json';
+    'messages':     design => 'messages/Message.json';
+    'users':        design => 'users/User.json';
+    'tmp_users':    design => 'users/User.json';
+    'invite_codes': design => 'invite_codes/InviteCode.json';
     'shared_docs':
       db => 'shared',
       design => 'shared/docs.json';
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 6b6ddd3a..61aa887e 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -26,11 +26,6 @@ class site_couchdb {
   $couchdb_soledad_pw       = $couchdb_soledad['password']
   $couchdb_soledad_salt     = $couchdb_soledad['salt']
 
-  $couchdb_tapicero         = $couchdb_users['tapicero']
-  $couchdb_tapicero_user    = $couchdb_tapicero['username']
-  $couchdb_tapicero_pw      = $couchdb_tapicero['password']
-  $couchdb_tapicero_salt    = $couchdb_tapicero['salt']
-
   $couchdb_webapp           = $couchdb_users['webapp']
   $couchdb_webapp_user      = $couchdb_webapp['username']
   $couchdb_webapp_pw        = $couchdb_webapp['password']
@@ -66,6 +61,8 @@ class site_couchdb {
   if $couchdb_backup   { include site_couchdb::backup }
 
   include site_check_mk::agent::couchdb
-  include site_check_mk::agent::tapicero
+
+  # remove tapicero leftovers on couchdb nodes
+  include site_config::remove::tapicero
 
 }
diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp
index c28eee7d..5dab6325 100644
--- a/puppet/modules/site_couchdb/manifests/master.pp
+++ b/puppet/modules/site_couchdb/manifests/master.pp
@@ -6,4 +6,6 @@ class site_couchdb::master {
     chttpd_bind_address => '127.0.0.1',
     pwhash_alg          => $site_couchdb::couchdb_pwhash_alg
   }
+
+  include site_check_mk::agent::couchdb::master
 }
diff --git a/puppet/modules/site_couchdb/manifests/setup.pp b/puppet/modules/site_couchdb/manifests/setup.pp
index 69bd1c6a..fef48505 100644
--- a/puppet/modules/site_couchdb/manifests/setup.pp
+++ b/puppet/modules/site_couchdb/manifests/setup.pp
@@ -12,27 +12,40 @@ class site_couchdb::setup {
 
   $user = $site_couchdb::couchdb_admin_user
 
-  # /etc/couchdb/couchdb-admin.netrc is deployed by couchdb::query::setup
-  # we symlink to couchdb.netrc for puppet commands.
-  # we symlink this to /root/.netrc for couchdb_scripts (eg. backup)
-  # and makes life easier for the admin (i.e. using curl/wget without
-  # passing credentials)
+  # setup /etc/couchdb/couchdb-admin.netrc for couchdb admin access
+  couchdb::query::setup { 'localhost':
+    user => $user,
+    pw   => $site_couchdb::couchdb_admin_pw
+  }
+
+  # We symlink /etc/couchdb/couchdb-admin.netrc to /etc/couchdb/couchdb.netrc
+  # for puppet commands, and to to /root/.netrc for couchdb_scripts
+  # (eg. backup) and to makes life easier for the admin on the command line
+  # (i.e. using curl/wget without passing credentials)
   file {
     '/etc/couchdb/couchdb.netrc':
       ensure  => link,
       target  => "/etc/couchdb/couchdb-${user}.netrc";
-
     '/root/.netrc':
       ensure  => link,
       target  => '/etc/couchdb/couchdb.netrc';
+  }
 
-    '/srv/leap/couchdb':
-      ensure => directory
+  # setup /etc/couchdb/couchdb-soledad-admin.netrc file for couchdb admin
+  # access, accessible only for the soledad-admin user to create soledad
+  # userdbs
+  file { '/etc/couchdb/couchdb-soledad-admin.netrc':
+    content => "machine localhost login ${user} password ${site_couchdb::couchdb_admin_pw}",
+    mode    => '0400',
+    owner   => 'soledad-admin',
+    group   => 'root',
+    require => [ Package['couchdb'], User['soledad-admin'] ];
   }
 
-  couchdb::query::setup { 'localhost':
-    user  => $user,
-    pw    => $site_couchdb::couchdb_admin_pw,
+  # Checkout couchdb_scripts repo
+  file {
+    '/srv/leap/couchdb':
+      ensure => directory
   }
 
   vcsrepo { '/srv/leap/couchdb/scripts':
diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
index 0d729b8c..981dc12a 100644
--- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
+++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
@@ -70,7 +70,7 @@ precached_object_file=/var/lib/nagios3/objects.precache
 # defined as macros in this file and restrictive permissions (600)
 # can be placed on this file.
 
-resource_file=/etc/nagios3/private/resource.cfg
+resource_file=/etc/nagios3/resource.cfg
 
 
 
diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp
index eb08cdcb..40ae4b86 100644
--- a/puppet/modules/site_nagios/manifests/init.pp
+++ b/puppet/modules/site_nagios/manifests/init.pp
@@ -1,6 +1,10 @@
+# setup nagios on monitoring node
 class site_nagios  {
   tag 'leap_service'
   Class['site_config::default'] -> Class['site_nagios']
 
   include site_nagios::server
+
+  # remove leftovers on monitoring nodes
+  include site_config::remove::monitoring
 }
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index cb6c8d95..60a471b7 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -32,6 +32,7 @@ class site_nagios::server inherits nagios::base {
   }
 
   include site_apache::common
+  include site_webapp::common_vhost
   include site_apache::module::headers
 
   File ['nagios_htpasswd'] {
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e2a3124e..ede35a9e 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -229,6 +229,13 @@ class site_openvpn {
   }
 
   leap::logfile { 'openvpn': }
+
+  # Because we currently do not support ipv6 and instead block it (so no leaks
+  # happen), we get a large number of these messages, so we ignore them (#6540)
+  rsyslog::snippet { '01-ignore_icmpv6_send':
+    content => ':msg, contains, "icmpv6_send: no reply to icmp error" ~'
+  }
+
   include site_check_mk::agent::openvpn
 
 }
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 49692d24..71d61621 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -7,7 +7,8 @@ class site_postfix::mx {
   $domain              = $domain_hash['full_suffix']
   $host_domain         = $domain_hash['full']
   $cert_name           = hiera('name')
-  $mynetworks          = join(hiera('mynetworks'), ' ')
+  $mynetworks          = join(hiera('mynetworks', ''), ' ')
+  $rbls                = suffix(prefix(hiera('rbls', []), 'reject_rbl_client '), ',')
 
   $root_mail_recipient = hiera('contacts')
   $postfix_smtp_listen = 'all'
@@ -20,16 +21,20 @@ class site_postfix::mx {
   postfix::config {
     'mynetworks':
       value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}";
+    # Note: mydestination should not include @domain, because this is
+    # used in virtual alias maps.
     'mydestination':
-      value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+      value => "\$myorigin, localhost, localhost.\$mydomain";
     'myhostname':
       value => $host_domain;
     'mailbox_size_limit':
       value => '0';
     'home_mailbox':
       value => 'Maildir/';
+    # Note: virtual-aliases map will take precedence over leap_mx
+    # lookup (tcp:localhost)
     'virtual_alias_maps':
-      value => 'tcp:localhost:4242';
+      value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242';
     'luser_relay':
       value => 'vmail';
     'smtpd_tls_received_header':
@@ -44,13 +49,20 @@ class site_postfix::mx {
     # alias map
     'local_recipient_maps':
       value => '$alias_maps';
+    'smtpd_milters':
+      value => 'unix:/run/clamav/milter.ctl,unix:/var/run/opendkim/opendkim.sock';
+    'milter_default_action':
+      value => 'accept';
   }
 
   include site_postfix::mx::smtpd_checks
   include site_postfix::mx::checks
   include site_postfix::mx::smtp_tls
   include site_postfix::mx::smtpd_tls
-  include site_postfix::mx::reserved_aliases
+  include site_postfix::mx::static_aliases
+  include site_postfix::mx::rewrite_openpgp_header
+  include clamav
+  include postfwd
 
   # greater verbosity for debugging, take out for production
   #include site_postfix::debug
@@ -72,7 +84,11 @@ class site_postfix::mx {
   -o smtpd_tls_wrappermode=yes
   -o smtpd_tls_security_level=encrypt
   -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
-  -o smtpd_helo_restrictions=\$smtps_helo_restrictions",
+  -o smtpd_helo_restrictions=\$smtps_helo_restrictions
+  -o smtpd_client_restrictions=
+  -o cleanup_service_name=clean_smtps
+clean_smtps	  unix	n	-	n	-	0	cleanup
+  -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers",
     require             => [
       Class['Site_config::X509::Key'],
       Class['Site_config::X509::Cert'],
diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
deleted file mode 100644
index 83e27376..00000000
--- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
+++ /dev/null
@@ -1,15 +0,0 @@
-# Defines which mail addresses shouldn't be available and where they should fwd
-class site_postfix::mx::reserved_aliases {
-
-  postfix::mailalias {
-    [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron',
-      'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp',
-      'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql',
-      'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www',
-      'www-data',
-    ]:
-      ensure    => present,
-      recipient => 'root'
-  }
-
-}
diff --git a/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp
new file mode 100644
index 00000000..71f945b8
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp
@@ -0,0 +1,11 @@
+class site_postfix::mx::rewrite_openpgp_header {
+  $mx             = hiera('mx')
+  $correct_domain = $mx['key_lookup_domain']
+
+  file { '/etc/postfix/checks/rewrite_openpgp_headers':
+    content => template('site_postfix/checks/rewrite_openpgp_headers.erb'),
+    mode    => '0644',
+    owner   => root,
+    group   => root;
+  }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 0ec40277..1c3e5c92 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks {
     'checks_dir':
       value => '$config_directory/checks';
     'smtpd_client_restrictions':
-      value => 'permit_mynetworks,permit';
+      value => "${site_postfix::mx::rbls}permit_mynetworks,permit";
     'smtpd_data_restrictions':
       value => 'permit_mynetworks, reject_unauth_pipelining, permit';
     'smtpd_delay_reject':
diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
new file mode 100644
index 00000000..71c0555a
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
@@ -0,0 +1,88 @@
+#
+# Defines static, hard coded aliases that are not in the database.
+# These aliases take precedence over the database aliases.
+#
+# There are three classes of reserved names:
+#
+# (1) forbidden_usernames:
+#     Some usernames are forbidden and cannot be registered.
+#     this is defined in node property webapp.forbidden_usernames
+#     This is enforced by the webapp.
+#
+# (2) public aliases:
+#     Some aliases for root, and are publicly exposed so that anyone
+#     can deliver mail to them. For example, postmaster.
+#     These are implemented in the virtual alias map, which takes
+#     precedence over the local alias map.
+#
+# (3) local aliases:
+#     Some aliases are only available locally: mail can be delivered
+#     to the alias if the mail originates from the local host, or is
+#     hostname qualified, but otherwise it will be rejected.
+#     These are implemented in the local alias map.
+#
+# The alias for local 'root' is defined elsewhere. In this file, we
+# define the virtual 'root@domain' (which can be overwritten by
+# defining an entry for root in node property mx.aliases).
+#
+
+class site_postfix::mx::static_aliases {
+
+  $mx = hiera('mx')
+  $root_recipients = hiera('contacts')
+
+  #
+  # LOCAL ALIASES
+  #
+
+  # NOTE: if you remove one of these, they will still appear in the
+  # /etc/aliases file
+  $local_aliases = [
+    'admin', 'administrator', 'bin', 'cron', 'games', 'ftp', 'lp', 'maildrop',
+    'mysql', 'news', 'nobody', 'noc', 'postgresql', 'ssladmin', 'sys',
+    'usenet', 'uucp', 'www', 'www-data'
+  ]
+
+  postfix::mailalias {
+    $local_aliases:
+      ensure    => present,
+      recipient => 'root'
+  }
+
+  #
+  # PUBLIC ALIASES
+  #
+
+  $public_aliases = $mx['aliases']
+
+  $default_public_aliases = {
+    'root'          => $root_recipients,
+    'abuse'         => 'postmaster',
+    'arin-admin'    => 'root',
+    'certmaster'    => 'hostmaster',
+    'domainadmin'   => 'hostmaster',
+    'hostmaster'    => 'root',
+    'mailer-daemon' => 'postmaster',
+    'postmaster'    => 'root',
+    'security'      => 'root',
+    'webmaster'     => 'hostmaster',
+  }
+
+  $aliases = merge($default_public_aliases, $public_aliases)
+
+  exec { 'postmap_virtual_aliases':
+    command     => '/usr/sbin/postmap /etc/postfix/virtual-aliases',
+    refreshonly => true,
+    user        => root,
+    group       => root,
+    require     => Package['postfix'],
+    subscribe   => File['/etc/postfix/virtual-aliases']
+  }
+  file { '/etc/postfix/virtual-aliases':
+    content => template('site_postfix/virtual-aliases.erb'),
+    owner   => root,
+    group   => root,
+    mode    => '0600',
+    require => Package['postfix']
+  }
+}
diff --git a/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb
new file mode 100644
index 00000000..7af14f7d
--- /dev/null
+++ b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb
@@ -0,0 +1,13 @@
+# THIS FILE IS MANAGED BY PUPPET
+#
+# This will replace the OpenPGP header that the client adds, because it is
+# sometimes incorrect (due to the client not always knowing what the proper URL
+# is for the webapp).
+# e.g. This will rewrite this header:
+# OpenPGP: id=4C0E01CD50E2F653; url="https://leap.se/key/elijah"; preference="signencrypt
+# with this replacement:
+# OpenPGP: id=4C0E01CD50E2F653; url="https://user.leap.se/key/elijah"; preference="signencrypt
+#
+# Note: whitespace in the pattern is represented by [[:space:]] to avoid these warnings from postmap:
+# "record is in "key: value" format; is this an alias file?" and "duplicate entry"
+/^(OpenPGP:[[:space:]]id=[[:alnum:]]+;[[:space:]]url="https:\/\/)<%= @domain %>(\/key\/[[:alpha:]]+";.*)/i REPLACE ${1}<%= @correct_domain %>${2}
diff --git a/puppet/modules/site_postfix/templates/virtual-aliases.erb b/puppet/modules/site_postfix/templates/virtual-aliases.erb
new file mode 100644
index 00000000..8373de97
--- /dev/null
+++ b/puppet/modules/site_postfix/templates/virtual-aliases.erb
@@ -0,0 +1,21 @@
+#
+# This file is managed by puppet.
+#
+# These virtual aliases take precedence over all other aliases.
+#
+
+#
+# enable these virtual domains:
+#
+<%= @domain %> enabled
+<%- @aliases.keys.map {|addr| addr.split('@')[1] }.compact.sort.uniq.each do |virt_domain| -%>
+<%= virt_domain %> enabled
+<%- end %>
+
+#
+# virtual aliases:
+#
+<%- @aliases.keys.sort.each do |from| -%>
+<%-   full_address = from =~ /@/ ? from : from + "@" + @domain -%>
+<%= full_address %> <%= [@aliases[from]].flatten.map{|a| a =~ /@/ ? a : a + "@" + @domain}.join(', ') %>
+<%- end -%>
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 1da2f1d5..170be32c 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,6 +1,7 @@
 class site_sshd {
-  $ssh   = hiera_hash('ssh')
-  $hosts = hiera('hosts', '')
+  $ssh        = hiera_hash('ssh')
+  $ssh_config = $ssh['config']
+  $hosts      = hiera('hosts', '')
 
   ##
   ## SETUP AUTHORIZED KEYS
@@ -52,11 +53,12 @@ class site_sshd {
   ## SSHD SERVER CONFIGURATION
   ##
   class { '::sshd':
-    manage_nagios => false,
-    ports         => [ $ssh['port'] ],
-    use_pam       => 'yes',
-    hardened_ssl  => 'yes',
-    print_motd    => 'no',
-    manage_client => false
+    manage_nagios  => false,
+    ports          => [ $ssh['port'] ],
+    use_pam        => 'yes',
+    hardened_ssl   => 'yes',
+    print_motd     => 'no',
+    tcp_forwarding => $ssh_config['AllowTcpForwarding'],
+    manage_client  => false
   }
 }
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index e37d5ad2..8df53075 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -9,6 +9,7 @@ class site_static {
   $domains       = $static['domains']
   $formats       = $static['formats']
   $bootstrap     = $static['bootstrap_files']
+  $tor           = hiera('tor', false)
 
   if $bootstrap['enabled'] {
     $bootstrap_domain  = $bootstrap['domain']
@@ -27,14 +28,11 @@ class site_static {
     }
   }
 
-  class { '::apache': no_default_site => true, ssl => true }
   include site_apache::module::headers
   include site_apache::module::alias
   include site_apache::module::expires
   include site_apache::module::removeip
-  include site_apache::module::rewrite
-  apache::config::include{ 'ssl_common.inc': }
-
+  include site_apache::common
   include site_config::ruby::dev
 
   if (member($formats, 'rack')) {
@@ -46,14 +44,24 @@ class site_static {
   }
 
   if (member($formats, 'amber')) {
+    rubygems::gem{'amber-0.3.8':
+       require =>  Package['zlib1g-dev']
+     }
+
     package { 'zlib1g-dev':
-      ensure => installed
+        ensure => installed
     }
-    rubygems::gem{'amber-0.3.4': }
   }
 
   create_resources(site_static::domain, $domains)
 
+  if $tor {
+    $hidden_service = $tor['hidden_service']
+    if $hidden_service['active'] {
+      include site_webapp::hidden_service
+    }
+  }
+
   include site_shorewall::defaults
   include site_shorewall::service::http
   include site_shorewall::service::https
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index 4d61cc08..2853c5c7 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -48,7 +48,7 @@
   Include include.d/ssl_common.inc
   
 <%- if @tls_only -%>
-  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+  Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
 <%- end -%>
   Header set X-Frame-Options "deny"
   Header always unset X-Powered-By
diff --git a/puppet/modules/site_webapp/files/server-status.conf b/puppet/modules/site_webapp/files/server-status.conf
new file mode 100644
index 00000000..84cb9ae0
--- /dev/null
+++ b/puppet/modules/site_webapp/files/server-status.conf
@@ -0,0 +1,28 @@
+# Keep track of extended status information for each request
+ExtendedStatus On
+
+# Determine if mod_status displays the first 63 characters of a request or
+# the last 63, assuming the request itself is greater than 63 chars.
+# Default: Off
+#SeeRequestTail On
+
+Listen 127.0.0.1:8162
+NameVirtualHost 127.0.0.1:8162
+
+<VirtualHost 127.0.0.1:8162>
+
+<Location /server-status>
+    SetHandler server-status
+    Order deny,allow
+    Deny from all
+    Allow from 127.0.0.1
+</Location>
+
+</VirtualHost>
+
+
+<IfModule mod_proxy.c>
+    # Show Proxy LoadBalancer status in mod_status
+    ProxyStatus On
+</IfModule>
+
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 93e172a0..ddd04a91 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -15,12 +15,13 @@ class site_webapp::apache {
   include site_apache::module::alias
   include site_apache::module::expires
   include site_apache::module::removeip
+  include site_webapp::common_vhost
 
   class { 'passenger': use_munin => false }
 
   apache::vhost::file {
     'api':
-      content => template('site_apache/vhosts.d/api.conf.erb')
+      content => template('site_apache/vhosts.d/api.conf.erb');
   }
 
 }
diff --git a/puppet/modules/site_webapp/manifests/common_vhost.pp b/puppet/modules/site_webapp/manifests/common_vhost.pp
new file mode 100644
index 00000000..c57aad57
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/common_vhost.pp
@@ -0,0 +1,18 @@
+class site_webapp::common_vhost {
+  # installs x509 cert + key and common config
+  # that both nagios + leap webapp use
+
+  include x509::variables
+  include site_config::x509::commercial::cert
+  include site_config::x509::commercial::key
+  include site_config::x509::commercial::ca
+
+  Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
+
+  apache::vhost::file {
+  'common':
+    content => template('site_apache/vhosts.d/common.conf.erb')
+  }
+}
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 1dbc745d..5cf7f953 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -14,29 +14,29 @@ class site_webapp::couchdb {
   file {
     '/srv/leap/webapp/config/couchdb.yml':
       content => template('site_webapp/couchdb.yml.erb'),
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'leap-webapp',
+      group   => 'leap-webapp',
       mode    => '0600',
       require => Vcsrepo['/srv/leap/webapp'];
 
     '/srv/leap/webapp/config/couchdb.admin.yml':
       content => template('site_webapp/couchdb.admin.yml.erb'),
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'root',
+      group   => 'root',
       mode    => '0600',
       require => Vcsrepo['/srv/leap/webapp'];
 
     '/srv/leap/webapp/log':
       ensure  => directory,
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'leap-webapp',
+      group   => 'leap-webapp',
       mode    => '0755',
       require => Vcsrepo['/srv/leap/webapp'];
 
     '/srv/leap/webapp/log/production.log':
       ensure  => present,
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'leap-webapp',
+      group   => 'leap-webapp',
       mode    => '0666',
       require => Vcsrepo['/srv/leap/webapp'];
   }
diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp
index d26ee312..7147a0d2 100644
--- a/puppet/modules/site_webapp/manifests/cron.pp
+++ b/puppet/modules/site_webapp/manifests/cron.pp
@@ -5,12 +5,14 @@ class site_webapp::cron {
     'rotate_databases':
       command     => 'cd /srv/leap/webapp && bundle exec rake db:rotate',
       environment => 'RAILS_ENV=production',
+      user        => 'root',
       hour        => [0,6,12,18],
       minute      => 0;
 
     'delete_tmp_databases':
       command     => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp',
       environment => 'RAILS_ENV=production',
+      user        => 'root',
       hour        => 1,
       minute      => 1;
 
@@ -19,6 +21,7 @@ class site_webapp::cron {
     'remove_expired_sessions':
       command     => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions',
       environment => 'RAILS_ENV=production',
+      user        => 'leap-webapp',
       hour        => 2,
       minute      => 30,
       ensure      => absent;
@@ -26,6 +29,7 @@ class site_webapp::cron {
     'remove_expired_tokens':
       command     => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens',
       environment => 'RAILS_ENV=production',
+      user        => 'leap-webapp',
       hour        => 3,
       minute      => 0;
   }
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 16b6e2e7..99a756ca 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -32,12 +32,18 @@ class site_webapp::hidden_service {
       owner   => 'debian-tor',
       group   => 'debian-tor',
       mode    => '0600';
+
+    '/etc/apache2/mods-enabled/status.conf':
+      ensure => absent,
+      notify => Service['apache'];
   }
 
   apache::vhost::file {
     'hidden_service':
-      content => template('site_apache/vhosts.d/hidden_service.conf.erb')
+      content => template('site_apache/vhosts.d/hidden_service.conf.erb');
+    'server_status':
+      vhost_source => 'modules/site_webapp/server-status.conf';
   }
 
   include site_shorewall::tor
-}
-\ No newline at end of file
+}
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index ec94c090..837950a8 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -1,3 +1,4 @@
+# configure webapp service
 class site_webapp {
   tag 'leap_service'
   $definition_files = hiera('definition_files')
@@ -26,6 +27,9 @@ class site_webapp {
   include site_config::x509::client_ca::ca
   include site_config::x509::client_ca::key
 
+  # remove leftovers from previous installations on webapp nodes
+  include site_config::remove::webapp
+
   group { 'leap-webapp':
     ensure    => present,
     allowdupe => false;
@@ -163,10 +167,8 @@ class site_webapp {
 
 
   # needed for the soledad-sync check which is run on the
-  # webapp node (#6520)
-  package { 'python-u1db':
-    ensure => latest,
-  }
+  # webapp node
+  include soledad::client
 
   leap::logfile { 'webapp': }
 
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index ccde2d2e..19ed6b7b 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,28 +1,35 @@
-<%- require 'json' -%>
-<%- cert_options = @webapp['client_certificates'] -%>
-production:
-  admins: <%= @webapp['admins'].inspect %>
-  domain: <%= @provider_domain %>
-  force_ssl: <%= @webapp['secure'] %>
-  client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key
-  client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt
-  secret_token: "<%= @secret_token %>"
-  client_cert_lifespan: <%= cert_options['life_span'] %>
-  client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
-  client_cert_hash: <%= cert_options['digest'] %>
-  allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %>
-  allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %>
-  allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %>
-  limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
-  unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
-  minimum_client_version: "<%= @webapp['client_version']['min'] %>"
-  default_service_level: "<%= @webapp['default_service_level'] %>"
-  service_levels: <%= scope.function_sorted_json([@webapp['service_levels']]) %>
-  allow_registration: <%= @webapp['allow_registration'].inspect %>
-  handle_blacklist: <%= @webapp['forbidden_usernames'].inspect %>
-<%- if @webapp['engines'] && @webapp['engines'].any? -%>
-  engines:
-<%-   @webapp['engines'].each do |engine| -%>
-    - <%= engine %>
-<%-   end -%>
-<%- end -%>
+<%-
+cert_options = @webapp['client_certificates']
+production = {
+  "admins" => @webapp['admins'],
+  "default_locale" => @webapp['default_locale'],
+  "available_locales" => @webapp['locales'],
+  "domain" => @provider_domain,
+  "force_ssl" => @webapp['secure'],
+  "client_ca_key" => "%s/%s.key" % [scope.lookupvar('x509::variables::keys'), scope.lookupvar('site_config::params::client_ca_name')],
+  "client_ca_cert" => "%s/%s.crt" % [scope.lookupvar('x509::variables::local_CAs'), scope.lookupvar('site_config::params::client_ca_name')],
+  "secret_token" => @secret_token,
+  "client_cert_lifespan" => cert_options['life_span'],
+  "client_cert_bit_size" => cert_options['bit_size'].to_i,
+  "client_cert_hash" => cert_options['digest'],
+  "allow_limited_certs" => @webapp['allow_limited_certs'],
+  "allow_unlimited_certs" => @webapp['allow_unlimited_certs'],
+  "allow_anonymous_certs" => @webapp['allow_anonymous_certs'],
+  "limited_cert_prefix" => cert_options['limited_prefix'],
+  "unlimited_cert_prefix" => cert_options['unlimited_prefix'],
+  "minimum_client_version" => @webapp['client_version']['min'],
+  "default_service_level" => @webapp['default_service_level'],
+  "service_levels" => @webapp['service_levels'],
+  "allow_registration" => @webapp['allow_registration'],
+  "handle_blacklist" => @webapp['forbidden_usernames'],
+  "invite_required" => @webapp['invite_required']
+}
+
+if @webapp['engines'] && @webapp['engines'].any?
+  production["engines"] = @webapp['engines']
+end
+-%>
+#
+# This file is generated by puppet. This file inherits from defaults.yml.
+#
+<%= scope.function_sorted_yaml({"production" => production}) %>
diff --git a/puppet/modules/soledad/manifests/client.pp b/puppet/modules/soledad/manifests/client.pp
new file mode 100644
index 00000000..5700cb09
--- /dev/null
+++ b/puppet/modules/soledad/manifests/client.pp
@@ -0,0 +1,18 @@
+# setup soledad-client
+# currently needed on webapp node to run the soledad-sync test
+class soledad::client {
+
+  tag 'leap_service'
+  include soledad::common
+
+  package {
+    'soledad-client':
+      ensure  => latest,
+      require => [
+        Class['site_apt::preferences::twisted'],
+        Class['site_apt::leap_repo'] ];
+    'python-u1db':
+      ensure => latest;
+  }
+
+}
diff --git a/puppet/modules/soledad/manifests/common.pp b/puppet/modules/soledad/manifests/common.pp
index 8a1d664a..d66e943c 100644
--- a/puppet/modules/soledad/manifests/common.pp
+++ b/puppet/modules/soledad/manifests/common.pp
@@ -1,10 +1,10 @@
+# install soledad-common, both needed both soledad-client and soledad-server
 class soledad::common {
 
-  include soledad
+  include site_apt::preferences::twisted
 
   package { 'soledad-common':
-    ensure  => latest,
-    require => User['soledad']
+    ensure  => latest;
   }
 
 }
diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp
deleted file mode 100644
index 7cf0b729..00000000
--- a/puppet/modules/soledad/manifests/init.pp
+++ /dev/null
@@ -1,29 +0,0 @@
-class soledad {
-
-  group { 'soledad':
-    ensure    => present,
-    allowdupe => false;
-  }
-
-  user { 'soledad':
-    ensure    => present,
-    allowdupe => false,
-    gid       => 'soledad',
-    home      => '/srv/leap/soledad',
-    require   => Group['soledad'];
-  }
-
-  file {
-    '/srv/leap/soledad':
-      ensure  => directory,
-      owner   => 'soledad',
-      group   => 'soledad',
-      require => User['soledad'];
-
-    '/var/lib/soledad':
-      ensure  => directory,
-      owner   => 'soledad',
-      group   => 'soledad',
-      require => User['soledad'];
-  }
-}
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index b71fab69..5c5a1bb7 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -1,11 +1,12 @@
+# setup soledad-server
 class soledad::server {
   tag 'leap_service'
-  include soledad
-  include site_apt::preferences::twisted
+  include soledad::common
 
-  $soledad           = hiera('soledad')
-  $couchdb_user      = $soledad['couchdb_soledad_user']['username']
-  $couchdb_password  = $soledad['couchdb_soledad_user']['password']
+  $soledad              = hiera('soledad')
+  $couchdb_user         = $soledad['couchdb_soledad_user']['username']
+  $couchdb_password     = $soledad['couchdb_soledad_user']['password']
+  $couchdb_leap_mx_user = $soledad['couchdb_leap_mx_user']['username']
 
   $couchdb_host = 'localhost'
   $couchdb_port = '5984'
@@ -22,13 +23,29 @@ class soledad::server {
   # SOLEDAD CONFIG
   #
 
-  file { '/etc/leap/soledad-server.conf':
-    content => template('soledad/soledad-server.conf.erb'),
-    owner   => 'soledad',
-    group   => 'soledad',
-    mode    => '0600',
-    notify  => Service['soledad-server'],
-    require => Class['soledad'];
+  file {
+    '/etc/soledad':
+      ensure => directory,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0755';
+    '/etc/soledad/soledad-server.conf':
+      content => template('soledad/soledad-server.conf.erb'),
+      owner   => 'soledad',
+      group   => 'soledad',
+      mode    => '0640',
+      notify  => Service['soledad-server'],
+      require => [ User['soledad'], Group['soledad'] ];
+    '/srv/leap/soledad':
+      ensure  => directory,
+      owner   => 'soledad',
+      group   => 'soledad',
+      require => [ User['soledad'], Group['soledad'] ];
+    '/var/lib/soledad':
+      ensure  => directory,
+      owner   => 'soledad',
+      group   => 'soledad',
+      require => [ User['soledad'], Group['soledad'] ];
   }
 
   package { $sources['soledad']['package']:
@@ -44,7 +61,7 @@ class soledad::server {
     group   => 'soledad',
     mode    => '0600',
     notify  => Service['soledad-server'],
-    require => Class['soledad'];
+    require => [ User['soledad'], Group['soledad'] ];
   }
 
   service { 'soledad-server':
@@ -52,7 +69,7 @@ class soledad::server {
     enable     => true,
     hasstatus  => true,
     hasrestart => true,
-    require    => Class['soledad'],
+    require    => [ User['soledad'], Group['soledad'] ],
     subscribe  => [
       Package['soledad-server'],
       Class['Site_config::X509::Key'],
@@ -62,4 +79,26 @@ class soledad::server {
 
   include site_shorewall::soledad
   include site_check_mk::agent::soledad
+
+  # set up users, group and directories for soledad-server
+  # although the soledad users are already created by the
+  # soledad-server package
+  group { 'soledad':
+    ensure => present,
+    system => true,
+  }
+  user {
+    'soledad':
+      ensure    => present,
+      system    => true,
+      gid       => 'soledad',
+      home      => '/srv/leap/soledad',
+      require   => Group['soledad'];
+    'soledad-admin':
+      ensure  => present,
+      system  => true,
+      gid     => 'soledad',
+      home    => '/srv/leap/soledad',
+      require => Group['soledad'];
+  }
 }
diff --git a/puppet/modules/soledad/templates/soledad-server.conf.erb b/puppet/modules/soledad/templates/soledad-server.conf.erb
index 47d1f6e4..1c6a0d19 100644
--- a/puppet/modules/soledad/templates/soledad-server.conf.erb
+++ b/puppet/modules/soledad/templates/soledad-server.conf.erb
@@ -1,3 +1,12 @@
 [soledad-server]
-couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %>
+couch_url   = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %>
+create_cmd  = sudo -u soledad-admin /usr/bin/create-user-db
+admin_netrc = /etc/couchdb/couchdb-soledad-admin.netrc
+
+[database-security]
+members = <%= @couchdb_user %>, <%= @couchdb_leap_mx_user %>
+# not needed, but for documentation:
+# members_roles = replication
+# admins = admin
+# admins_roles = replication
 
diff --git a/puppet/modules/tapicero/files/tapicero.init b/puppet/modules/tapicero/files/tapicero.init
deleted file mode 100755
index 7a9af45f..00000000
--- a/puppet/modules/tapicero/files/tapicero.init
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/sh
-
-### BEGIN INIT INFO
-# Provides:          tapicero
-# Required-Start:    $remote_fs $syslog
-# Required-Stop:     $remote_fs $syslog
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: tapicero initscript
-# Description:       Controls tapicero daemon
-### END INIT INFO
-
-PATH=/sbin:/usr/sbin:/bin:/usr/bin
-BUNDLER=/usr/bin/bundle
-NAME=tapicero
-HOME="/srv/leap"
-DAEMON="${HOME}/${NAME}/bin/${NAME}"
-BUNDLE_GEMFILE="${HOME}/${NAME}/Gemfile"
-
-export BUNDLE_GEMFILE
-
-# exit if the daemon doesn't exist
-[ -x "$DAEMON" ] || exit 0
-
-. /lib/init/vars.sh
-. /lib/lsb/init-functions
-
-if [ "$VERBOSE" != no ]; then
-    OPTIONS="--verbose"
-else
-    OPTIONS=""
-fi
-
-case "$1" in
-    start)
-        $BUNDLER exec $DAEMON start $OPTIONS
-        exit $?
-        ;;
-    stop)
-        $BUNDLER exec $DAEMON stop $OPTIONS
-        exit $?
-        ;;
-    restart)
-        $BUNDLER exec $DAEMON restart $OPTIONS
-        exit $?
-        ;;
-    reload)
-        $BUNDLER exec $DAEMON reload $OPTIONS
-        exit $?
-        ;;
-    status)
-        $BUNDLER exec $DAEMON status $OPTIONS
-        exit $?
-        ;;
-    *)
-        echo "Usage: /etc/init.d/$NAME {start|stop|reload|restart|status}"
-        exit 1
-esac
-
-exit 0
diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp
deleted file mode 100644
index ca8488c8..00000000
--- a/puppet/modules/tapicero/manifests/init.pp
+++ /dev/null
@@ -1,137 +0,0 @@
-class tapicero {
-  tag 'leap_service'
-
-  $couchdb                 = hiera('couch')
-  $couchdb_port            = $couchdb['port']
-
-  $couchdb_users           = $couchdb['users']
-
-  $couchdb_admin_user      = $couchdb_users['admin']['username']
-  $couchdb_admin_password  = $couchdb_users['admin']['password']
-
-  $couchdb_soledad_user    = $couchdb_users['soledad']['username']
-  $couchdb_leap_mx_user    = $couchdb_users['leap_mx']['username']
-
-  $couchdb_mode            = $couchdb['mode']
-  $couchdb_replication     = $couchdb['replication']
-
-  $sources                 = hiera('sources')
-
-  Class['site_config::default'] -> Class['tapicero']
-
-  include site_config::ruby::dev
-
-  #
-  # USER AND GROUP
-  #
-
-  group { 'tapicero':
-    ensure    => present,
-    allowdupe => false;
-  }
-
-  user { 'tapicero':
-    ensure    => present,
-    allowdupe => false,
-    gid       => 'tapicero',
-    home      => '/srv/leap/tapicero',
-    require   => Group['tapicero'];
-  }
-
-  #
-  # TAPICERO FILES
-  #
-
-  file {
-
-    #
-    # TAPICERO DIRECTORIES
-    #
-
-    '/srv/leap/tapicero':
-      ensure  => directory,
-      owner   => 'tapicero',
-      group   => 'tapicero',
-      require => User['tapicero'];
-
-    '/var/lib/leap/tapicero':
-      ensure  => directory,
-      owner   => 'tapicero',
-      group   => 'tapicero',
-      require => User['tapicero'];
-
-    # for pid file
-    '/var/run/tapicero':
-      ensure  => directory,
-      owner   => 'tapicero',
-      group   => 'tapicero',
-      require => User['tapicero'];
-
-    #
-    # TAPICERO CONFIG
-    #
-
-    '/etc/leap/tapicero.yaml':
-      content => template('tapicero/tapicero.yaml.erb'),
-      owner   => 'tapicero',
-      group   => 'tapicero',
-      mode    => '0600',
-      notify  => Service['tapicero'];
-
-    #
-    # TAPICERO INIT
-    #
-
-    '/etc/init.d/tapicero':
-      source  => 'puppet:///modules/tapicero/tapicero.init',
-      owner   => root,
-      group   => 0,
-      mode    => '0755',
-      require => Vcsrepo['/srv/leap/tapicero'];
-  }
-
-  #
-  # TAPICERO CODE
-  #
-
-  vcsrepo { '/srv/leap/tapicero':
-    ensure   => present,
-    force    => true,
-    revision => $sources['tapicero']['revision'],
-    provider => $sources['tapicero']['type'],
-    source   => $sources['tapicero']['source'],
-    owner    => 'tapicero',
-    group    => 'tapicero',
-    require  => [ User['tapicero'], Group['tapicero'] ],
-    notify   => Exec['tapicero_bundler_update']
-  }
-
-  exec { 'tapicero_bundler_update':
-    cwd     => '/srv/leap/tapicero',
-    command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"',
-    unless  => '/usr/bin/bundle check',
-    user    => 'tapicero',
-    timeout => 600,
-    require => [
-                Class['bundler::install'],
-                Vcsrepo['/srv/leap/tapicero'],
-                Class['site_config::ruby::dev'] ],
-    notify  => Service['tapicero'];
-  }
-
-  #
-  # TAPICERO DAEMON
-  #
-
-  service { 'tapicero':
-    ensure     => running,
-    enable     => true,
-    hasstatus  => false,
-    hasrestart => true,
-    require    => [ File['/etc/init.d/tapicero'],
-                    File['/var/run/tapicero'],
-                    Couchdb::Add_user[$::site_couchdb::couchdb_tapicero_user] ];
-  }
-
-  leap::logfile { 'tapicero': }
-}
diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb
deleted file mode 100644
index 8b08b49c..00000000
--- a/puppet/modules/tapicero/templates/tapicero.yaml.erb
+++ /dev/null
@@ -1,52 +0,0 @@
-<%- require 'json' -%>
-
-#
-# Default configuration options for Tapicero
-#
-
-# couch connection configuration
-connection:
-  protocol: "http"
-  host: "localhost"
-  port: <%= @couchdb_port %>
-  username: <%= @couchdb_admin_user %>
-  password: <%= @couchdb_admin_password %>
-  prefix : ""
-  suffix : ""
-  netrc: "/etc/couchdb/couchdb.netrc"
-
-# file to store the last processed user record in so we can resume after
-# a restart:
-seq_dir: "/var/lib/leap/tapicero/"
-
-# Configure log_file like this if you want to log to a file instead of syslog:
-#log_file: "/var/log/leap/tapicero.log"
-#log_level: debug
-log_level: info
-
-# tapicero specific options
-options:
-  # prefix for per user databases:
-  db_prefix: "user-"
-  mode: <%= @couchdb_mode %>
-<%- if @couchdb_replication %>
-  replication: <%= @couchdb_replication.to_json %>
-<%- end -%>
-
-  # security settings to be used for the per user databases
-  security:
-    admins:
-      names:
-        # We explicitly allow the admin user to access per user databases, even
-        # though admin access ignores per database security we just do this to be
-        # explicit about this
-        - <%= @couchdb_admin_user %>
-      roles: []
-    members:
-      names:
-        - <%= @couchdb_soledad_user %>
-        - <%= @couchdb_leap_mx_user %>
-      roles:
-        - replication
-
-
diff --git a/puppet/modules/unbound b/puppet/modules/unbound
-Subproject 00646b0ffc71a86981b05f983c86ace0979d1b6
+Subproject 9997485b8a31abbe0cd1943d09995705c2c8146
author	kwadronaut <kwadronaut@leap.se>	2015-11-12 10:00:27 +0100
committer	kwadronaut <kwadronaut@leap.se>	2015-11-12 10:00:27 +0100
commit	92cc2b1118e98a4fb086d7c62a140dbfc845f4b0 (patch)
tree	92896619c0cf4ace177cecfbdea6cbbbb9bc8419 /puppet
parent	81467100826ad95266a4c29b11a2ecef759dd782 (diff)
parent	7d0b6b25e49a1ccb70c4f502f7dfc58878b900cc (diff)