Diffstat (limited to 'puppet/modules/site_config/manifests')
-rw-r--r--puppet/modules/site_config/manifests/caching_resolver.pp27
-rw-r--r--puppet/modules/site_config/manifests/remove/bigcouch.pp27
-rw-r--r--puppet/modules/site_config/manifests/remove/files.pp28
-rw-r--r--puppet/modules/site_config/manifests/remove/soledad.pp12
-rw-r--r--puppet/modules/site_config/manifests/x509/commercial/ca.pp10
5 files changed, 95 insertions, 9 deletions
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp
index 8bf465c1..4da13d9c 100644
--- a/puppet/modules/site_config/manifests/caching_resolver.pp
+++ b/puppet/modules/site_config/manifests/caching_resolver.pp
@@ -1,20 +1,33 @@
# deploy local caching resolver
class site_config::caching_resolver {
tag 'leap_base'
+ $domain = hiera('domain')
+ $internal_domain = $domain['internal_suffix']
+
+ # We need to make sure Package['bind9'] isn't installed because when it is, it
+ # keeps unbound from running. Some base debian installs will install bind9,
+ # and then start it, so unbound will never get properly started. So this will
+ # make sure bind9 is removed before.
+ package { 'bind9':
+ ensure => purged
+ }
class { 'unbound':
root_hints => false,
anchor => false,
ssl => false,
+ require => Package['bind9'],
settings => {
server => {
- verbosity => '1',
- interface => [ '127.0.0.1', '::1' ],
- port => '53',
- hide-identity => 'yes',
- hide-version => 'yes',
- harden-glue => 'yes',
- access-control => [ '127.0.0.0/8 allow', '::1 allow' ]
+ verbosity => '1',
+ interface => [ '127.0.0.1', '::1' ],
+ port => '53',
+ hide-identity => 'yes',
+ hide-version => 'yes',
+ harden-glue => 'yes',
+ access-control => [ '127.0.0.0/8 allow', '::1 allow' ],
+ module-config => '"validator iterator"',
+ domain-insecure => $internal_domain
}
}
}
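Review bot: `domain-insecure => $internal_domain` is passed through with no check that the hiera `domain` hash actually carries `internal_suffix`. If the key is missing or empty the option would be rendered without a value, and how the unbound module handles that is not visible here. A guard before the `unbound` class, such as `if ! $internal_domain { fail('domain.internal_suffix must be set for caching_resolver') }`, would make the failure explicit. The class also keeps `anchor => false` while enabling the `validator` module, so unless a trust anchor is configured elsewhere the validator presumably has nothing to validate against. A comment stating whether DNSSEC validation is meant to be active, and why the internal suffix is exempted from it, would help the next reader.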
diff --git a/puppet/modules/site_config/manifests/remove/bigcouch.pp b/puppet/modules/site_config/manifests/remove/bigcouch.pp
index 3535c3c1..9fd3e7ee 100644
--- a/puppet/modules/site_config/manifests/remove/bigcouch.pp
+++ b/puppet/modules/site_config/manifests/remove/bigcouch.pp
@@ -10,6 +10,33 @@ class site_config::remove::bigcouch {
]
}
+ tidy {
+ '/etc/logrotate/bigcouch':;
+ '/srv/leap/nagios/plugins/check_unix_open_fds.pl':;
+ }
+
+ augeas {
+ 'Couchdb_open_files':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [
+ 'rm /files/etc/check_mk/mrpe.cfg/Couchdb_open_files',
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs',
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs',
+ 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
+ }
+
+ # check syslog msg from:
+ # - empd
+ # - /usr/local/bin/couch-doc-update
+ concat::fragment { 'syslog_bigcouch':
+ ensure => absent,
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/bigcouch.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '02';
+ }
+
exec { 'remove_bigcouch_logwatch_stateline':
command => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state",
refreshonly => true,
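Review bot: The first `tidy` entry targets `/etc/logrotate/bigcouch`, which looks like a typo for the logrotate drop-in directory. The 0.8 removals in remove/files.pp use `/etc/logrotate.d/mx`, so as written the stale bigcouch logrotate file would probably be left behind. If so, the line should read `'/etc/logrotate.d/bigcouch':;`. The comment above the `concat::fragment` also says `empd`, while the removed check is named `Bigcouch_epmd_procs`, so `# - epmd` is presumably meant. The enclosing class starts before this hunk and the trailing `exec` continues past it.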
diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp
index 41d6462e..ac2350a0 100644
--- a/puppet/modules/site_config/manifests/remove/files.pp
+++ b/puppet/modules/site_config/manifests/remove/files.pp
@@ -11,7 +11,35 @@
class site_config::remove::files {
+ #
+ # Platform 0.9 removals
+ #
+
+ tidy {
+ # moved to /srv/static/public/provider.json
+ # for permissions reasons.
+ '/srv/leap/provider.json':;
+
+ # tests are moved to /srv/leap/tests/server-tests
+ # by rsync is not able to clean up the old location,
+ # so, we do it here:
+ '/srv/leap/tests/order.rb':;
+ '/srv/leap/tests/README.md':;
+ '/srv/leap/tests/helpers':
+ recurse => true,
+ rmdirs => true;
+ '/srv/leap/tests/puppet':
+ recurse => true,
+ rmdirs => true;
+ '/srv/leap/tests/white-box':
+ recurse => true,
+ rmdirs => true;
+ }
+
+ #
# Platform 0.8 removals
+ #
+
tidy {
'/etc/default/leap_mx':;
'/etc/logrotate.d/mx':;
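Review bot: The comment above the `/srv/leap/tests/*` entries reads "by rsync is not able to clean up the old location", which is hard to parse. `# but rsync is not able to clean up the old location,` is presumably what was meant. The comment could also say that the three directory entries are tidied recursively with `rmdirs => true`, so anything an operator has placed under those paths is deleted along with the old test files. The class body continues past the end of the hunk.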
diff --git a/puppet/modules/site_config/manifests/remove/soledad.pp b/puppet/modules/site_config/manifests/remove/soledad.pp
new file mode 100644
index 00000000..46c23f26
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/soledad.pp
@@ -0,0 +1,12 @@
+# remove possible leftovers on soledad nodes
+class site_config::remove::soledad {
+
+ # remove soledad procs check because leap_cli already checks for them
+ augeas { 'Soledad_Procs':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [ 'rm /files/etc/check_mk/mrpe.cfg/Soledad_Procs' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
+ }
+
+}
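Review bot: The `augeas` resource has a hard `require => File['/etc/check_mk/mrpe.cfg']`, so catalog compilation depends on that file resource being declared on every node that includes this class. The same dependency appears in the `Couchdb_open_files` augeas resource added in remove/bigcouch.pp. Whether the check_mk agent configuration is always in the catalog on these nodes is not visible here. If it is not guaranteed, the header comment should state the prerequisite, for example `# requires the check_mk agent class, which manages /etc/check_mk/mrpe.cfg`.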
diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
index c76a9dbb..21d57445 100644
--- a/puppet/modules/site_config/manifests/x509/commercial/ca.pp
+++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
@@ -5,7 +5,13 @@ class site_config::x509::commercial::ca {
$x509 = hiera('x509')
$ca = $x509['commercial_ca_cert']
- x509::ca { $site_config::params::commercial_ca_name:
- content => $ca
+ #
+ # CA cert might be empty, if it was bundled with 'commercial_cert'
+ # instead of specified separately.
+ #
+ if ($ca) {
+ x509::ca { $site_config::params::commercial_ca_name:
+ content => $ca
+ }
}
}
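Review bot: The new guard `if ($ca)` relies on an empty string being false, which holds in the Puppet 3 language but not in Puppet 4 and later, where `''` is truthy. On a newer parser an empty `commercial_ca_cert` would still reach `x509::ca` with empty content, the case the added comment says it wants to avoid. Writing the condition as `if ($ca and $ca != '') {` keeps the behaviour the same on both. When the CA resource is skipped, nothing in this hunk confirms that `commercial_cert` really carries the chain, so that assumption deserves a mention in the comment.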