-rw-r--r-- | platform.rb | 1 | ||||
-rw-r--r-- | provider_base/files/service-definitions/provider.json.erb | 4 | ||||
-rw-r--r-- | provider_base/services/openvpn.json | 3 | ||||
-rw-r--r-- | provider_base/services/tor.json | 2 | ||||
-rw-r--r-- | puppet/modules/site_check_mk/manifests/agent.pp | 20 | ||||
-rw-r--r-- | puppet/modules/site_check_mk/manifests/agent/mx.pp | 5 | ||||
-rw-r--r-- | puppet/modules/site_check_mk/manifests/agent/webapp.pp | 10 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/packages/build_essential.pp | 7 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/packages/uninstall.pp | 18 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 2 | ||||
-rw-r--r-- | puppet/modules/site_static/templates/apache.conf.erb | 70 | ||||
-rw-r--r-- | tests/white-box/network.rb | 2 |
12 files changed, 58 insertions, 86 deletions
diff --git a/platform.rb b/platform.rb index 3882ed8d..689c58b7 100644 --- a/platform.rb +++ b/platform.rb @@ -1,3 +1,4 @@ +# encoding: utf-8 # # These are variables defined by this leap_platform and used by leap_cli. # diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index 97454f81..3e055e9a 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -1,13 +1,13 @@ <%= # grab some fields from provider.json hsh = provider.pick( - :languages, :description, :name, + :languages, :description, :name, :services, :enrollment_policy, :default_language, :service ) hsh['domain'] = domain.full_suffix # advertise services that are 'user services' and for which there are actually nodes - hsh['services'] = global.services[:service_type => :user_service].field(:name).select do |service| + hsh['services'] ||= global.services[:service_type => :user_service].field(:name).select do |service| nodes_like_me[:services => service].any? end diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 6d20cf3e..04e19aa2 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -22,7 +22,8 @@ "configuration": { "tls-cipher": "DHE-RSA-AES128-SHA", "auth": "SHA1", - "cipher": "AES-128-CBC" + "cipher": "AES-128-CBC", + "keepalive": "10 30" } } } diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json index ed75285c..ae4da46d 100644 --- a/provider_base/services/tor.json +++ b/provider_base/services/tor.json @@ -1,6 +1,6 @@ { "tor": { "bandwidth_rate": 6550, - "contacts": "= provider.contacts['tor'] || provider.contacts.default" + "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten" } } 
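Review bot: The comment above the `hsh['services'] ||=` line still says services are advertised only "for which there are actually nodes", but with `||=` a `services` value picked from provider.json is now published as-is and the nodes_like_me check is skipped entirely. Suggest amending it to `# advertise services that are 'user services' and for which there are actually nodes, unless provider.json sets 'services' explicitly (that list is then used unchecked)`. An empty array is truthy in Ruby, so `"services": []` in provider.json suppresses discovery rather than falling through to it; confirm that is the intended override semantics.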
diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index b752182e..589041eb 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -4,7 +4,7 @@ class site_check_mk::agent { $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] $type = $ssh_hash['authorized_keys']['monitor']['type'] - include site_apt::preferences::check_mk + class { 'site_apt::preferences::check_mk': } -> class { 'check_mk::agent': agent_package_name => 'check-mk-agent', @@ -12,17 +12,17 @@ class site_check_mk::agent { method => 'ssh', homedir => '/etc/nagios/check_mk', register_agent => false - } + } -> - file { [ '/srv/leap/nagios', '/srv/leap/nagios/plugins' ]: - ensure => directory, - } + class { 'site_check_mk::agent::mrpe': } -> + class { 'site_check_mk::agent::logwatch': } -> - file { '/usr/lib/check_mk_agent/local/run_node_tests.sh': - source => 'puppet:///modules/site_check_mk/agent/local_checks/all_hosts/run_node_tests.sh', - mode => '0755' + file { + [ '/srv/leap/nagios', '/srv/leap/nagios/plugins' ]: + ensure => directory; + '/usr/lib/check_mk_agent/local/run_node_tests.sh': + source => 'puppet:///modules/site_check_mk/agent/local_checks/all_hosts/run_node_tests.sh', + mode => '0755'; } - include site_check_mk::agent::mrpe - include site_check_mk::agent::logwatch } diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp index 2dd50400..35a4e9a5 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mx.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp 
@@ -15,8 +15,9 @@ class site_check_mk::agent::mx { # check stale files in queue dir file { '/usr/lib/check_mk_agent/local/check_leap_mx.sh': - source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh', - mode => '0755' + source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh', + mode => '0755', + require => Package['check_mk-agent'] } } diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp index cb160d83..64f5ea6d 100644 --- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp @@ -5,12 +5,14 @@ class site_check_mk::agent::webapp { ensure => installed } file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py': - ensure => link, - target => '/srv/leap/webapp/test/nagios/webapp_login.py' + ensure => link, + target => '/srv/leap/webapp/test/nagios/webapp_login.py', + require => Package['check_mk-agent'] } file { '/usr/lib/check_mk_agent/local/soledad_sync.py': - ensure => link, - target => '/srv/leap/webapp/test/nagios/soledad_sync.py' + ensure => link, + target => '/srv/leap/webapp/test/nagios/soledad_sync.py', + require => Package['check_mk-agent'] } diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp index c9efaafb..7dfb8b03 100644 --- a/puppet/modules/site_config/manifests/packages/build_essential.pp +++ b/puppet/modules/site_config/manifests/packages/build_essential.pp 
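Review bot: The new `require => Package['check_mk-agent']` in mx.pp, and the same reference on both file resources in webapp.pp, names a package resource by the title `check_mk-agent`, while agent.pp passes `agent_package_name => 'check-mk-agent'` to check_mk::agent; the reference only resolves if the check_mk module declares the package under the title `check_mk-agent` and maps the hyphenated package name through its `name` parameter. If the module uses the package name as the resource title instead, catalog compilation fails with an unresolved dependency, so this is worth confirming against the module before merging. The enclosing classes start outside both hunks.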
@@ -2,7 +2,10 @@ # include this whenever you want to ensure build-essential package and related compilers are installed. # class site_config::packages::build_essential { - if $install_build_essential == undef { - $install_build_essential = true + if !defined(Package['build-essential']) { + package { + ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']: + ensure => present + } } }
\ No newline at end of file diff --git a/puppet/modules/site_config/manifests/packages/uninstall.pp b/puppet/modules/site_config/manifests/packages/uninstall.pp index 2919cc96..12f527d9 100644 --- a/puppet/modules/site_config/manifests/packages/uninstall.pp +++ b/puppet/modules/site_config/manifests/packages/uninstall.pp @@ -1,20 +1,16 @@ # -# this should be included last to allow other modules to set $::install_build_packages +# Uninstall build-essential and compilers, unless they have been explicitly installed elsewhere. # class site_config::packages::uninstall { - - if $site_config::packages::build_essential::install_essential == true { - $dev_packages_ensure = present - } else { - $dev_packages_ensure = absent - } + tag 'leap_base' # generally, dev packages are needed for installing ruby gems with native extensions. # (nickserver, webapp, etc) - package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $dev_packages_ensure + if !defined(Package['build-essential']) { + package { + ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']: + ensure => purged + } } - }
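Review bot: `if !defined(Package['build-essential'])` in build_essential.pp, together with the identical guard in uninstall.pp that declares the same list with `ensure => purged`, makes the result depend on catalog evaluation order: `defined()` only sees resources already parsed, so whichever of the two classes is evaluated first wins and the other silently becomes a no-op. The header comment in uninstall.pp ("unless they have been explicitly installed elsewhere") only holds if uninstall is evaluated last, which the added `tag 'leap_base'` does not guarantee; a comment stating that assumption would help, e.g. `# NOTE: relies on this class being evaluated after every include of site_config::packages::build_essential`. The versioned package list is also duplicated verbatim in both files, so a shared variable would keep names like `gcc-4.6` and `g++-4.7` from drifting apart.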
\ No newline at end of file diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6246a836..b1f4997c 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -115,7 +115,7 @@ define site_openvpn::server_config( server => $openvpn_configname; "keepalive ${openvpn_configname}": key => 'keepalive', - value => '5 20', + value => $config['keepalive'], server => $openvpn_configname; "local ${openvpn_configname}": key => 'local', diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 76534911..2abe1a98 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -15,6 +15,7 @@ document_root = location_directory(name, location) end end + document_root = document_root.gsub(%r{^/|/$}, '') -%> <VirtualHost *:80> @@ -32,9 +33,10 @@ #RewriteLogLevel 3 SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" Header set X-Frame-Options "deny" 
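Review bot: `value => $config['keepalive']` drops the previous hard-coded `'5 20'` without a fallback, so a provider whose openvpn service config lacks the key yields an undef value for the keepalive entry, and what the openvpn module then writes depends on how it treats undef. The new base `provider_base/services/openvpn.json` supplies `"keepalive": "10 30"`, but provider-level overrides can still omit it; consider a fallback such as `value => pick($config['keepalive'], '10 30')` if puppetlabs-stdlib is in use, or a comment stating that the key is required. The define `site_openvpn::server_config` starts outside the hunk.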
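Review bot: `SSLProtocol all -SSLv2` leaves SSLv3 negotiable, and the new SSLCipherSuite string keeps the RC4 suites (`ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA`) plus the broad `AES128:AES256:HIGH` catch-alls near the end of the list, so a client that only offers SSLv3 or RC4 still gets them. Since the same block sets Strict-Transport-Security, the site is committing to TLS anyway; suggest `SSLProtocol all -SSLv2 -SSLv3` and removing the three RC4 entries, keeping `SSLHonorCipherOrder on` so the ECDHE/GCM suites at the front are preferred. `SSLCompression off` is a good addition.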
@@ -45,64 +47,30 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot <%= document_root %> + DocumentRoot "/<%= document_root %>/" + AccessFileName .htaccess <%- @locations.each do |name, location| -%> + <%- path = location['path'].gsub(%r{^/|/$}, '') -%> + <%- directory = location_directory(name, location) -%> ## ## <%= name %> ## - <%- if location['path'] == '/' -%> - # Location / - <%- else -%> - Alias <%= location['path'] %> <%= location_directory(name, location) %> - <Location <%= location['path'] %>> - <%- end -%> - # remove trailing slashes - RewriteEngine On - RewriteRule ^(.+)/$ /$1 [R=301,L] - - # e.g. /de/blah => /blah/index.de.html - RewriteCond %{DOCUMENT_ROOT}/$2/index.$1.html -f - RewriteRule ^/([a-z]{2})/(.*) /$2/index.$1.html [L] - - # e.g. /de/foo/bar => /foo/bar.de.html - RewriteCond %{DOCUMENT_ROOT}/$2.$1.html -f - RewriteRule ^/([a-z]{2})/(.*) /$2.$1.html [L] - - # e.g. /de => /index.de.html - RewriteCond %{DOCUMENT_ROOT}/index.$1.html -f - RewriteRule ^/([a-z]{2})$ /index.$1.html [L] - - # e.g. /de/img.png => /img.png - RewriteCond %{DOCUMENT_ROOT}/$2 -f - RewriteRule ^/([a-z]{2})/(.*) /$2 [L] - - # Simulate "DirectorySlash On" - # e.g. /foo/bar => /foo/bar/ (so that MultiViews will negotiate correct locale file) - RewriteCond %{DOCUMENT_ROOT}/$1 -d - RewriteRule ^/(.*[^/])$ /$1/ [PT] - <%- if location['path'] == '/' -%> - # end Location / + <%- if path == '' -%> + <Directory "/<%= document_root %>/"> + AllowOverride FileInfo Indexes Options=All,MultiViews + Order deny,allow + Allow from all + </Directory> <%- else -%> - </Location> - <%- end -%> - <Directory <%= location_directory(name, location) %>> - ## - ## PERMISSIONS - ## - AllowOverride None + AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1" + Alias /<%=path%> "/<%=directory%>/" + <Directory "/<%=directory%>/"> + AllowOverride FileInfo Indexes Options=All,MultiViews Order deny,allow Allow from all - - ## - ## LOCALE SUPPORT (e.g. 
index.en.html) - ## - LanguagePriority en - ForceLanguagePriority Prefer Fallback - DirectoryIndex index - DirectorySlash Off - Options +MultiViews </Directory> + <%- end -%> <%- end -%> diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb index 14de2eac..955857dc 100644 --- a/tests/white-box/network.rb +++ b/tests/white-box/network.rb @@ -53,8 +53,8 @@ class Network < LeapTest end all_stunnel_pids = pgrep('/usr/bin/stunnel').collect{|process| process[:pid]}.uniq assert_equal good_stunnel_pids.sort, all_stunnel_pids.sort, "There should not be any extra stunnel processes that are not configured in /etc/stunnel" + pass end - pass end end |
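Review bot: The new `<Directory>` blocks replace `AllowOverride None` with `AllowOverride FileInfo Indexes Options=All,MultiViews` while `AccessFileName .htaccess` is enabled in the same hunk, so anyone who can write into a site's content tree can now switch on `ExecCGI`, `Includes` or `FollowSymLinks` per directory; if the static content comes from repositories not fully controlled by the operator, narrow this to what the sites need, e.g. `AllowOverride FileInfo Indexes Options=MultiViews,Indexes`. Separately, `AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$` interpolates the location path into a regex unescaped, so a path containing `.` or other metacharacters matches more than intended; use `<%= Regexp.escape(path) %>` there. The `location_directory` helper used for `directory` is defined outside the hunk.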
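Review bot: Moving `pass` inside the inner `end` changes when the test reports success, and the construct that inner `end` closes starts outside the hunk, so the effect cannot be confirmed here: if it is a conditional, the test now reports neither pass nor failure on the skipped branch; if it is a loop, `pass` now runs once per iteration after the assertion. A one-line comment above `pass` stating why it must sit inside that block would make the intent clear to the next reader. The enclosing test method also starts outside the hunk.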