| -rw-r--r-- | CHANGES.md | 19 | ||||
| -rw-r--r-- | provider_base/services/soledad.json | 1 | ||||
| -rw-r--r-- | provider_base/services/soledad.rb | 3 | ||||
| -rw-r--r-- | puppet/modules/journald/manifests/init.pp | 7 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/syslog.pp | 19 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 21 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/checks.pp | 18 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/received_anon.pp | 13 | ||||
| -rw-r--r-- | puppet/modules/site_sshd/manifests/init.pp | 3 | 
9 files changed, 72 insertions, 32 deletions
|
@@ -1,3 +1,22 @@
+Platform 0.8
+-----------------------
+
+This release focuses on many improvements to email service.
+
+* It is possible to require invite codes for new users signing up.
+* Admins can now suspect/enable users and block/enable their ability to send
+  and receive email.
+* Bigcouch is now officially deprecated. New nodes created with `leap node add
+  services:couchdb` will default to using plain CouchDB.
+* Support for SPF and DKIM.
+
+Compatibility:
+
+* Tapicero has been removed. Now, soledad and couchdb must be on the same node.
+* Requires Debian Jessie. Wheezy is no longer supported.
+* Includes:
+  * webapp 0.8
+
 Platform 0.7.1
 -----------------------
diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json
index 99390d17..169588c8 100644
--- a/provider_base/services/soledad.json
+++ b/provider_base/services/soledad.json
@@ -1,7 +1,6 @@
 {
   "soledad": {
     "port": 2323,
-    "require_couchdb": "=> assert %(services.include? 'couchdb')",
     "couchdb_soledad_user": {
       "username": "= global.services[:couchdb].couch.users[:soledad].username",
       "password": "= secret :couch_soledad_password",
diff --git a/provider_base/services/soledad.rb b/provider_base/services/soledad.rb
new file mode 100644
index 00000000..b55e90b6
--- /dev/null
+++ b/provider_base/services/soledad.rb
@@ -0,0 +1,3 @@
+unless self.services.include? "couchdb"
+  LeapCli.log :error, "service `soledad` requires service `couchdb` on the same node (node #{self.name})."
+end
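Review bot: The `LeapCli.log :error` call in the new soledad.rb reports a missing couchdb service but, as far as this hunk shows, does not stop evaluation, whereas the `require_couchdb` assert removed from soledad.json would have rejected the configuration; unless the :error level aborts elsewhere in the CLI, a soledad node without couchdb is now logged and then deployed anyway. If a hard stop is still intended, raise (or call the CLI's fatal-error path) instead of logging; if the softer behaviour is deliberate, say so above the check, e.g. `# couchdb must be co-located with soledad now that tapicero is gone; log only, deployment continues`. Either way the node-level rule should be enforced in exactly one place, and the removed assert suggests it used to be.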
\ No newline at end of file
diff --git a/puppet/modules/journald/manifests/init.pp b/puppet/modules/journald/manifests/init.pp
new file mode 100644
index 00000000..879baba4
--- /dev/null
+++ b/puppet/modules/journald/manifests/init.pp
@@ -0,0 +1,7 @@
+class journald {
+
+    service { 'systemd-journald':
+      ensure => running,
+      enable => true,
+    }
+}
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
index c397dc15..d1deefcd 100644
--- a/puppet/modules/site_config/manifests/syslog.pp
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -4,12 +4,25 @@ class site_config::syslog {
   # only pin rsyslog packages to backports on wheezy
   case $::operatingsystemrelease {
     /^7.*/: {
-      include site_apt::preferences::rsyslog
+      include ::site_apt::preferences::rsyslog
+    }
+    # on jessie+ systems, systemd and journald are enabled,
+    # and journald logs IP addresses, so we need to disable
+    # it until a solution is found, (#7863):
+    # https://github.com/systemd/systemd/issues/2447
+    default: {
+      include ::journald
+      augeas {
+        'disable_journald':
+          incl    => '/etc/systemd/journald.conf',
+          lens    => 'Puppet.lns',
+          changes => 'set /files/etc/systemd/journald.conf/Journal/Storage \'none\'',
+          notify  => Service['systemd-journald'];
+      }
     }
-    default:  { }
   }
-  class { 'rsyslog::client':
+  class { '::rsyslog::client':
     log_remote => false,
     log_local  => true
   }
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 59a02598..2ea54d0a 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
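Review bot: Setting `Journal/Storage` to `none` in the `disable_journald` augeas resource makes rsyslog the only place log lines survive, so the manifest now silently depends on journald forwarding to the syslog socket (`ForwardToSyslog`, which I believe is on by default on jessie but is not pinned here); if that default ever changes, messages from systemd units are dropped entirely rather than anonymised. Pin it in the same resource by turning `changes` into an array, e.g. `changes => ['set /files/etc/systemd/journald.conf/Journal/Storage \'none\'', 'set /files/etc/systemd/journald.conf/Journal/ForwardToSyslog yes'],`. The `default:` branch also runs on any non-wheezy release, not only jessie+, which the comment above it should state. Class site_config::syslog begins before this hunk.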
@@ -80,20 +80,23 @@ class site_postfix::mx {
       value => 'smtp';
     'mailbox_command':
       value => '';
+    'header_checks':
+      value => '';
     'postscreen_access_list':
       value => 'permit_mynetworks';
     'postscreen_greet_action':
       value => 'enforce';
   }
-  include site_postfix::mx::smtpd_checks
-  include site_postfix::mx::checks
-  include site_postfix::mx::smtp_tls
-  include site_postfix::mx::smtpd_tls
-  include site_postfix::mx::static_aliases
-  include site_postfix::mx::rewrite_openpgp_header
-  include clamav
-  include postfwd
+  include ::site_postfix::mx::smtpd_checks
+  include ::site_postfix::mx::checks
+  include ::site_postfix::mx::smtp_tls
+  include ::site_postfix::mx::smtpd_tls
+  include ::site_postfix::mx::static_aliases
+  include ::site_postfix::mx::rewrite_openpgp_header
+  include ::site_postfix::mx::received_anon
+  include ::clamav
+  include ::postfwd
   # greater verbosity for debugging, take out for production
   #include site_postfix::debug
@@ -116,7 +119,7 @@ ${smtpd_relay_restrictions}  -o smtpd_recipient_restrictions=\$smtps_recipient_r
   -o smtpd_client_restrictions=
   -o cleanup_service_name=clean_smtps
 clean_smtps   unix  n - n - 0 cleanup
-  -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers"
+  -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers,pcre:/etc/postfix/checks/received_anon"
   class { 'postfix':
     preseed             => true,
diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp
index 5d75a5e5..f406ad34 100644
--- a/puppet/modules/site_postfix/manifests/mx/checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/checks.pp
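Review bot: The new `'header_checks': value => '';` in main.cf together with the received_anon map appended only to the `clean_smtps` override in the second hunk means the Received-header anonymisation now applies solely to mail that enters through the smtps cleanup path, whereas the `postfix::config` removed from checks.pp applied it to every message; nothing on either line records that this narrowing is intended. A comment on the main.cf entry would stop the next reader from re-adding the global value, e.g. `# intentionally empty: received_anon is applied per-service in master.cf (clean_smtps), so only user-submitted mail is rewritten`. Class site_postfix::mx begins and ends outside both hunks.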
@@ -20,22 +20,4 @@ class site_postfix::mx::checks {
       refreshonly => true,
       subscribe   => File['/etc/postfix/checks/helo_checks'];
   }
-
-  # Anonymize the user's home IP from the email headers (Feature #3866)
-  package { 'postfix-pcre': ensure => installed, require => Package['postfix'] }
-
-  file { '/etc/postfix/checks/received_anon':
-    source  => 'puppet:///modules/site_postfix/checks/received_anon',
-    mode    => '0644',
-    owner   => root,
-    group   => root,
-    notify  => Service['postfix']
-  }
-
-  postfix::config {
-    'header_checks':
-      value   => 'pcre:/etc/postfix/checks/received_anon',
-      require => File['/etc/postfix/checks/received_anon'];
-  }
-
 }
diff --git a/puppet/modules/site_postfix/manifests/mx/received_anon.pp b/puppet/modules/site_postfix/manifests/mx/received_anon.pp
new file mode 100644
index 00000000..51ba3faa
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/received_anon.pp
@@ -0,0 +1,13 @@
+# Anonymize the user's home IP from the email headers (Feature #3866) 
+class site_postfix::mx::received_anon {
+
+  package { 'postfix-pcre': ensure => installed, require => Package['postfix'] }
+
+  file { '/etc/postfix/checks/received_anon':
+    source => 'puppet:///modules/site_postfix/checks/received_anon',
+    mode   => '0644',
+    owner  => root,
+    group  => root,
+    notify => Service['postfix']
+  }
+}
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index be0d3368..a9202da4 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
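Review bot: `Package['postfix-pcre']` in the new received_anon class has no relationship to `Service['postfix']`, yet master.cf now names a `pcre:` table, so on a fresh node the postfix reload triggered by the file resource's `notify` can happen before the pcre map type is installed and is likely to fail until the next run (actual order depends on the catalog's default ordering, which I cannot see here). Add the edge on the package, e.g. `package { 'postfix-pcre': ensure => installed, require => Package['postfix'], before => Service['postfix'] }`. The removed block in checks.pp had the same gap, so this is inherited rather than introduced, but the move is a good moment to close it.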
@@ -76,6 +76,7 @@ MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
     tcp_forwarding          => $ssh_config['AllowTcpForwarding'],
     manage_client           => false,
     use_storedconfigs       => false,
-    tail_additional_options => $tail_additional_options
+    tail_additional_options => $tail_additional_options,
+    hostkey_type            => [ 'rsa', 'dsa', 'ecdsa' ]
   }
 }
|
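Review bot: The new `hostkey_type` list enables a DSA host key next to rsa and ecdsa; ssh-dss host keys are fixed at 1024 bits and OpenSSH clients have refused them by default since 7.0, so generating and advertising one adds a weak key that current clients will not use, and that older clients could be steered onto. Drop 'dsa' and, if the sshd module accepts it on jessie's OpenSSH, offer ed25519 instead: `hostkey_type            => [ 'rsa', 'ecdsa', 'ed25519' ]`. The resource declaration these parameters belong to starts before the hunk.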
