-rw-r--r--.gitmodules3
m---------puppet/modules/couchdb0
m---------puppet/modules/rsyslog0
-rw-r--r--puppet/modules/site_apt/manifests/init.pp9
-rw-r--r--puppet/modules/site_config/manifests/default.pp6
-rw-r--r--puppet/modules/site_config/manifests/packages/base.pp4
-rw-r--r--puppet/modules/site_config/manifests/params.pp4
-rw-r--r--puppet/modules/site_config/manifests/resolvconf.pp9
-rw-r--r--puppet/modules/site_config/manifests/syslog.pp28
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp6
-rw-r--r--puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb8
11 files changed, 57 insertions, 20 deletions
diff --git a/.gitmodules b/.gitmodules
index 070cb517..0ab46323 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -79,3 +79,6 @@
[submodule "puppet/modules/vcsrepo"]
path = puppet/modules/vcsrepo
url = https://leap.se/git/puppet_vcsrepo
+[submodule "puppet/modules/rsyslog"]
+ path = puppet/modules/rsyslog
+ url = https://leap.se/git/puppet_rsyslog
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject e5bbb903159a94dc3357344d78060343ef47bac
+Subproject d84dfddb0dfc2e5207c90380fb1f7fcf7bc7a72
diff --git a/puppet/modules/rsyslog b/puppet/modules/rsyslog
new file mode 160000
+Subproject 20fbda6b91472e656331a9c64630fb207e9f578
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp
index 3fa9a2b7..9facf4cc 100644
--- a/puppet/modules/site_apt/manifests/init.pp
+++ b/puppet/modules/site_apt/manifests/init.pp
@@ -1,15 +1,6 @@
class site_apt {
- # on couchdb we need to include squeeze in apt preferences,
- # so the cloudant package can pull some packages from squeeze
- # template() must be unquoted !
- if 'couchdb' in $::services {
- $custom_preferences = template("site_apt/preferences.include_squeeze")
- } else {
- $custom_preferences = ''
- }
class { 'apt':
- custom_preferences => $custom_preferences,
custom_key_dir => 'puppet:///modules/site_apt/keys'
}
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index a645cb1a..2380066a 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -2,6 +2,7 @@ class site_config::default {
tag 'leap_base'
$domain_hash = hiera('domain')
+ include site_config::params
# make sure apt is updated before any packages are installed
include apt::update
@@ -32,7 +33,7 @@ class site_config::default {
include site_config::dhclient
}
- if ( $::virtual == 'virtualbox' ) {
+ if ( $::site_config::params::environment == 'local' ) {
include site_config::vagrant
}
@@ -47,6 +48,9 @@ class site_config::default {
stage => setup,
}
+ # install/configure syslog
+ include site_config::syslog
+
# install/remove base packages
include site_config::packages::base
diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp
index 94ff679b..3e1d4a67 100644
--- a/puppet/modules/site_config/manifests/packages/base.pp
+++ b/puppet/modules/site_config/manifests/packages/base.pp
@@ -1,5 +1,7 @@
class site_config::packages::base {
+ include site_config::params
+
# base set of packages that we want to have installed everywhere
package { [ 'etckeeper', 'screen', 'less' ]:
ensure => installed,
@@ -15,7 +17,7 @@ class site_config::packages::base {
ensure => absent;
}
- if $::virtual == 'virtualbox' or $::services =~ /\bwebapp\b/ {
+ if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ {
$dev_packages_ensure = present
} else {
$dev_packages_ensure = absent
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index 59a161e8..2ef391db 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -3,8 +3,10 @@ class site_config::params {
$ip_address = hiera('ip_address')
$ip_address_interface = getvar("interface_${ip_address}")
$ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}")
+ $environment = hiera('environment')
- if $::virtual == 'virtualbox' {
+
+ if $environment == 'local' {
$interface = 'eth1'
}
elsif hiera('interface','') != '' {
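Review bot: The `hiera('environment')` lookup added on the new side has no default, so a node whose hiera data lacks that key now fails catalog compilation instead of falling back to the old `$::virtual` detection; if failing closed is intended, state it, otherwise use `hiera('environment', '')` like the `hiera('interface','')` call two lines below. Deciding "local" from hiera data rather than a node-reported fact is an improvement where catalogs are compiled centrally, because the node can no longer make itself eligible for the eth1/dev-package/vagrant layout, but the test is an exact, case-sensitive string match, which deserves a comment: `# 'local' (exact match) selects the vagrant/dev layout with eth1 as primary interface; any other value is treated as a deployed node`. class site_config::params continues outside the hunk.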
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp
index 271c5043..b307f18b 100644
--- a/puppet/modules/site_config/manifests/resolvconf.pp
+++ b/puppet/modules/site_config/manifests/resolvconf.pp
@@ -2,12 +2,13 @@ class site_config::resolvconf {
$domain_public = $site_config::default::domain_hash['full_suffix']
- # 127.0.0.1: caching-only local bind
- # 87.118.100.175: http://server.privacyfoundation.de
- # 62.141.58.13: http://www.privacyfoundation.ch/de/service/server.html
class { '::resolvconf':
domain => $domain_public,
search => $domain_public,
- nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ]
+ nameservers => [
+ '127.0.0.1 # local caching-only, unbound',
+ '85.214.20.141 # Digitalcourage, a german privacy organisation: (https://en.wikipedia.org/wiki/Digitalcourage)',
+ '62.141.58.13 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)'
+ ]
}
}
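Review bot: The `#` remarks on the three nameserver entries are inside the quoted strings, so they are passed to `::resolvconf` as part of each value and, unless the module strips them, end up in the generated resolv.conf as `nameserver 127.0.0.1 # local caching-only, unbound`. As far as I recall glibc stops parsing a nameserver line at the first space, `#` or `;`, so the libc resolver tolerates this, but other consumers of the file (resolvconf(8) hooks, a local forwarder that reads it, or validation in the module itself) may not; keep `nameservers => [ '127.0.0.1', '85.214.20.141', '62.141.58.13' ]` and put the provenance in Puppet `#` comments above the resource, as the removed lines did. That comment should also spell out the trade-off the list implies: the two public resolvers are queried in clear text whenever the local unbound does not answer, so DNS queries leave the host in that case.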
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
new file mode 100644
index 00000000..73d4f58f
--- /dev/null
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -0,0 +1,28 @@
+class site_config::syslog {
+
+ # we need to pull in rsyslog from the leap repository until it is availbale in
+ # wheezy-backports
+ apt::preferences_snippet { 'fixed_rsyslog_anon_package':
+ package => 'rsyslog-*',
+ priority => '999',
+ pin => 'release o=leap.se',
+ before => Class['rsyslog::install']
+ }
+
+ apt::preferences_snippet { 'rsyslog_anon_depends':
+ package => 'libestr0 librelp0',
+ priority => '999',
+ pin => 'release a=wheezy-backports',
+ before => Class['rsyslog::install']
+ }
+
+ class { 'rsyslog::client':
+ log_remote => false,
+ log_local => true
+ }
+
+ rsyslog::snippet { '00-anonymize_logs':
+ content => '$ModLoad mmanon
+action(type="mmanon" ipv4.bits="32" mode="rewrite")'
+ }
+}
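Review bot: The apt pin in `fixed_rsyslog_anon_package` uses `rsyslog-*`, which as a glob only matches names containing a hyphen (rsyslog-gnutls, rsyslog-doc, ...) and not a package called plain `rsyslog`; if the leap.se repository ships the patched daemon under that name, the priority-999 pin does not apply to it and apt may still prefer the wheezy build. The sibling snippet already uses a space-separated list, so `package => 'rsyslog rsyslog-*'` would cover both. Separately, the mmanon action in `00-anonymize_logs` rewrites IPv4 addresses only — the rsyslog 7 series has no IPv6 handling in that module, as far as I know — so IPv6 client addresses would still be logged verbatim; a comment such as `# NOTE: mmanon (rsyslog 7) anonymises IPv4 only; IPv6 addresses are logged unchanged` would make that gap visible to whoever relies on these logs being anonymous.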
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 61fefd0a..42146741 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -62,6 +62,12 @@ class site_openvpn {
$openvpn_limited_udp_cidr = '21'
}
+ # find out the netmask in cidr format of the primary IF
+ # thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/
+ # we can do this using an inline_template:
+ $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}"
+ $primary_netmask = inline_template('<%= scope.lookupvar(factname_primary_netmask) %>')
+
# deploy dh keys
include site_openvpn::dh_key
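Review bot: `$primary_netmask` is taken from a node fact (`netmask_cidr_<iface>`, not a stock facter fact, so it depends on a custom fact being deployed) and is interpolated unchecked into add_gateway_ips.sh, which runs `ip addr add` as root; if the fact is absent, `scope.lookupvar` yields undef and the script is rendered with `<ip>/` (or a placeholder like `undefined`, depending on the Puppet version), so the `ip addr add` fails and the gateway address is never configured. Validate it at the point it is derived: `if $primary_netmask !~ /^\d{1,2}$/ { fail("netmask_cidr fact for ${::site_config::params::interface} is missing or invalid: '${primary_netmask}'") }`. The bare `factname_primary_netmask` inside the ERB relies on the deprecated method_missing variable lookup; `@factname_primary_netmask` is the supported form. class site_openvpn continues outside the hunk.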
diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
index 05f3d16b..e76b756b 100644
--- a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
+++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
@@ -1,11 +1,11 @@
#!/bin/sh
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/24 ||
- ip addr add <%= @openvpn_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %>
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/<%= @primary_netmask %> ||
+ ip addr add <%= @openvpn_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
<% if @openvpn_second_gateway_address %>
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/24 ||
- ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %>
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> ||
+ ip addr add <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
<% end %>
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
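Review bot: The existence check on both rewritten `ip addr show` lines still uses plain `grep -q` on the address, where each `.` matches any character and nothing is anchored, so `110.0.0.1/24` would satisfy the check for `10.0.0.1/24` and the gateway address would then never be added; use fixed-string, word-bounded matching, `grep -qwF "<%= @openvpn_gateway_address %>/<%= @primary_netmask %>"`, in both places. Two further points the change leaves open: an address that the previous version of this script added with `/24` no longer matches the new check on a host that has not rebooted, so the upgrade path deserves a comment, and an empty `@primary_netmask` renders as a trailing `/` and breaks both the check and the add, which should be caught in the manifest rather than discovered here.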