| -rw-r--r-- | puppet/modules/site_apt/manifests/dist_upgrade.pp | 2 | ||||
| -rw-r--r-- | puppet/modules/site_apt/manifests/init.pp | 11 | ||||
| -rw-r--r-- | puppet/modules/site_apt/manifests/leap_repo.pp | 3 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/default.pp | 12 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/remove/bigcouch.pp | 1 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/remove/jessie.pp | 2 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/remove/monitoring.pp | 12 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/setup.pp | 3 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/slow.pp | 1 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 29 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 4 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/init.pp | 2 | 
12 files changed, 36 insertions, 46 deletions
| diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 40e2dd58..0eb98cea 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -11,7 +11,7 @@ class site_apt::dist_upgrade {        command     => "/usr/bin/apt-get -q -y -o 'DPkg::Options::=--force-confold'  dist-upgrade",        refreshonly => false,        timeout     => 1200, -      require     => Exec['refresh_apt'] +      require     => Exec['apt_updated']      }    }  } diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index c809a837..447e1781 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -52,13 +52,8 @@ class site_apt {      pin      => 'origin "deb.leap.se"'    } -  # All packages should be installed _after_ refresh_apt is called, -  # which does an apt-get update. -  # There is one exception: -  # The creation of sources.list depends on the lsb package +  # All packages should be installed after 'update_apt' is called, +  # which does an 'apt-get update'. +  Exec['update_apt'] -> Package <||> -  File['/etc/apt/preferences'] -> -    Apt::Preferences_snippet <| |> -> -    Exec['refresh_apt'] -> -    Package <| ( title != 'lsb' ) |>  } diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index a1382374..60948d91 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -13,7 +13,4 @@ class site_apt::leap_repo {      ensure => latest    } -  # We wont be able to install the leap-keyring package unless the leap apt -  # source has been added and apt has been refreshed -  Exec['refresh_apt'] -> Package['leap-keyring']  } diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 96f06e6c..256de1a1 100644 
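Review bot: The new ordering in site_apt/manifests/init.pp names `Exec['update_apt']`, while the hunks in dist_upgrade.pp and remove/jessie.pp of this same commit point at `Exec['apt_updated']`. The apt module that declares these execs is not shown, so it is unclear whether they are two distinct resources or one title is a slip. If both exist on purpose, a comment next to the chain such as `# 'update_apt' comes from apt::update; it is not the 'apt_updated' exec required in dist_upgrade.pp` would stop a later reader from unifying them. The collector also no longer excludes `Package['lsb']`, so if sources.list generation still depends on that package this chain may form a dependency cycle; compiling a catalog for a fresh node would confirm.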
--- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -7,18 +7,6 @@ class site_config::default {    include site_config::params    include site_config::setup -  # By default, the class 'site_config::slow' is included in site.pp. -  # It basically does an 'apt-get update' and 'apt-get dist-upgrade'. -  # This class can be excluded by using 'leap deploy --fast', -  # see https://leap.se/en/docs/platform/details/under-the-hood#tags for more -  # details. -  # The following Package resource override makes sure that *if* an -  # 'apt-get update' is executed by 'site_config::slow', it should be done -  # before any packages are installed. - -  Package { require => Exec['refresh_apt'] } - -    # default class, used by all hosts    include lsb, git diff --git a/puppet/modules/site_config/manifests/remove/bigcouch.pp b/puppet/modules/site_config/manifests/remove/bigcouch.pp index f8e0ebe2..26ba8d09 100644 --- a/puppet/modules/site_config/manifests/remove/bigcouch.pp +++ b/puppet/modules/site_config/manifests/remove/bigcouch.pp @@ -6,7 +6,6 @@ class site_config::remove::bigcouch {    file { '/etc/check_mk/logwatch.d/bigcouch.cfg':      ensure => absent,      notify => [ -      Exec['remove_bigcouch_logwatch_spoolfiles'],        Exec['remove_bigcouch_logwatch_stateline']      ]    } diff --git a/puppet/modules/site_config/manifests/remove/jessie.pp b/puppet/modules/site_config/manifests/remove/jessie.pp index cbeaae05..c813e46d 100644 --- a/puppet/modules/site_config/manifests/remove/jessie.pp +++ b/puppet/modules/site_config/manifests/remove/jessie.pp @@ -3,7 +3,7 @@ class site_config::remove::jessie {    tidy {      '/etc/apt/preferences.d/rsyslog_anon_depends': -      notify => Exec['refresh_apt']; +      notify => Exec['apt_updated'];    }  } diff --git a/puppet/modules/site_config/manifests/remove/monitoring.pp b/puppet/modules/site_config/manifests/remove/monitoring.pp index ab9f7a8f..18e2949b 100644 
--- a/puppet/modules/site_config/manifests/remove/monitoring.pp +++ b/puppet/modules/site_config/manifests/remove/monitoring.pp @@ -1,17 +1,13 @@  # remove leftovers on monitoring nodes  class site_config::remove::monitoring { +  # Remove check_mk loggwatch spoolfiles for +  # tapicero and bigcouch    tidy { -    'checkmk_logwatch_spool': +    'remove_logwatch_spoolfiles':        path    => '/var/lib/check_mk/logwatch',        recurse => true, -      matches => '*tapicero.log' -  } - -  # remove leftover bigcouch logwatch spool files -  exec { 'remove_bigcouch_logwatch_spoolfiles': -    command     => 'find /var/lib/check_mk/logwatch -name \'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -exec rm {} \;', -    refreshonly => true, +      matches => [ '*tapicero.log', '*bigcouch.log'];    }  } diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index dba5fa14..82dfe76d 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp @@ -24,8 +24,7 @@ class site_config::setup {    include site_apt    package { 'facter': -    ensure  => latest, -    require => Exec['refresh_apt'] +    ensure  => latest    }    # if squid_deb_proxy_client is set to true, install and configure diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp index de276bc3..8e9b7035 100644 --- a/puppet/modules/site_config/manifests/slow.pp +++ b/puppet/modules/site_config/manifests/slow.pp @@ -4,6 +4,7 @@  class site_config::slow {    tag 'leap_slow' +  include site_config::default    include apt::update    class { 'site_apt::dist_upgrade': }  } diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index cd493807..02b9fbdd 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
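Review bot: The `matches` list in the `remove_logwatch_spoolfiles` tidy resource is broader than what it replaces. The removed exec deleted one specific bigcouch spool file name and ran only on refresh, whereas `'*bigcouch.log'` with `recurse => true` removes any file under /var/lib/check_mk/logwatch whose name ends in bigcouch.log, on every run. If that is intended, the comment above the resource should say so, and it currently misspells logwatch: `# Remove check_mk logwatch spoolfiles for tapicero and bigcouch (any matching file, on every run)`.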
@@ -93,20 +93,31 @@ class site_postfix::mx {    # greater verbosity for debugging, take out for production    #include site_postfix::debug -  class { 'postfix': -    preseed             => true, -    root_mail_recipient => $root_mail_recipient, -    smtp_listen         => 'all', -    mastercf_tail       => -    "smtps     inet  n       -       -       -       -       smtpd +  case $::operatingsystemrelease { +    /^7.*/: { +      $smtpd_relay_restrictions='' +    } +    default:  { +      $smtpd_relay_restrictions="  -o smtpd_relay_restrictions=\$smtps_relay_restrictions\n" +    } +  } + +  $mastercf_tail = " +smtps     inet  n       -       -       -       -       smtpd    -o smtpd_tls_wrappermode=yes    -o smtpd_tls_security_level=encrypt -  -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions +${smtpd_relay_restrictions}  -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions    -o smtpd_helo_restrictions=\$smtps_helo_restrictions    -o smtpd_client_restrictions=    -o cleanup_service_name=clean_smtps -clean_smtps	  unix	n	-	n	-	0	cleanup -  -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers", +clean_smtps   unix  n - n - 0 cleanup +  -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers" + +  class { 'postfix': +    preseed             => true, +    root_mail_recipient => $root_mail_recipient, +    smtp_listen         => 'all', +    mastercf_tail       => $mastercf_tail,      require             => [        Class['Site_config::X509::Key'],        Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0ea452ee..291d7ee4 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp 
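Review bot: The `case $::operatingsystemrelease` block decides whether the smtps service gets a relay restriction at all, yet it carries no comment and matches on `/^7.*/`, where the `.*` adds nothing and the operating system itself is never checked. Presumably the branch exists because the Postfix shipped with release 7 predates `smtpd_relay_restrictions` (added in Postfix 2.10), which leaves relay control on those hosts to `smtps_recipient_restrictions` alone; that is worth stating where the decision is made. Suggest `/^7\./: {` and a comment above the case: `# Postfix < 2.10 (release 7.x) has no smtpd_relay_restrictions; relaying there is limited only by smtps_recipient_restrictions`. The `class { 'postfix': ... }` declaration continues outside the hunk.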
@@ -1,3 +1,5 @@ +# smtpd checks for incoming mail on smtp port 25 and +# mail sent via the bitmask client using smtps port 465  class site_postfix::mx::smtpd_checks {    postfix::config { @@ -23,6 +25,8 @@ class site_postfix::mx::smtpd_checks {      # disable a user by removing their valid client cert (#3634)      'smtps_recipient_restrictions':        value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; +    'smtps_relay_restrictions': +      value => 'permit_mynetworks, permit_tls_clientcerts, defer_unauth_destination';      'smtps_helo_restrictions':        value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';      'smtpd_sender_restrictions': diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 4f3147e7..15925aba 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -60,7 +60,7 @@ class site_webapp {    exec { 'bundler_update':      cwd     => '/srv/leap/webapp', -    command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development"', +    command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development debug"',      unless  => '/usr/bin/bundle check --path vendor/bundle',      user    => 'leap-webapp',      timeout => 600, | 
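Review bot: `smtps_relay_restrictions` begins with `permit_mynetworks`, which the neighbouring `smtps_recipient_restrictions` leaves out, in line with the comment about disabling a user by removing their client cert. Postfix applies both the relay and the recipient list, so the recipient list still rejects unauthorised destinations, but the relay list now reads as though network position alone authorises relaying on port 465. If `mynetworks` (not visible here) is wider than loopback, consider `value => 'permit_tls_clientcerts, defer_unauth_destination';`. Either way a comment would help: `# relay check for Postfix >= 2.10; cert-based access is still enforced by smtps_recipient_restrictions`. The `postfix::config` block continues outside the hunk.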
