summaryrefslogtreecommitdiff
path: root/puppet/modules
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules')
m---------puppet/modules/couchdb0
-rw-r--r--puppet/modules/leap_mx/manifests/init.pp24
-rw-r--r--puppet/modules/site_apt/manifests/init.pp16
-rw-r--r--puppet/modules/site_config/manifests/remove/files.pp14
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp24
5 files changed, 42 insertions, 36 deletions
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject d4e0579ec88e999d42c9f4ffd32489396dce63c
+Subproject 016ec71359f6b1b368624c6c94bac2b50979165
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index 284662d2..5561e326 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -41,13 +41,7 @@ class leap_mx {
notify => Service['leap-mx'];
}
- file { '/etc/default/leap_mx':
- content => 'LOGFILE=/var/log/leap/mx.log',
- owner => 'root',
- group => 'root',
- mode => '0644',
- notify => Service['leap-mx'];
- }
+ leap::logfile { 'mx': }
#
# LEAP-MX CODE AND DEPENDENCIES
@@ -75,20 +69,4 @@ class leap_mx {
hasrestart => true,
require => [ Package['leap-mx'] ];
}
-
- augeas {
- 'logrotate_mx':
- context => '/files/etc/logrotate.d/leap-mx/rule',
- changes => [
- 'set file /var/log/leap/mx.log',
- 'set rotate 5',
- 'set schedule daily',
- 'clear nocreate',
- 'rm create',
- 'rm ifempty',
- 'set compress compress',
- 'set missingok missingok',
- 'set copytruncate copytruncate'
- ]
- }
}
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp
index cf49f870..635ba975 100644
--- a/puppet/modules/site_apt/manifests/init.pp
+++ b/puppet/modules/site_apt/manifests/init.pp
@@ -7,11 +7,19 @@ class site_apt {
$apt_url_security = $apt_config['security']
$apt_url_backports = $apt_config['backports']
+ # needed on jessie hosts for getting pnp4nagios from testing
+ if ( $::operatingsystemmajrelease == '8' ) {
+ $use_next_release = true
+ } else {
+ $use_next_release = false
+ }
+
class { 'apt':
- custom_key_dir => 'puppet:///modules/site_apt/keys',
- debian_url => $apt_url_basic,
- security_url => $apt_url_security,
- backports_url => $apt_url_backports
+ custom_key_dir => 'puppet:///modules/site_apt/keys',
+ debian_url => $apt_url_basic,
+ security_url => $apt_url_security,
+ backports_url => $apt_url_backports,
+ use_next_release => $use_next_release
}
# enable http://deb.leap.se debian package repository
diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp
index 466f50c8..67171259 100644
--- a/puppet/modules/site_config/manifests/remove/files.pp
+++ b/puppet/modules/site_config/manifests/remove/files.pp
@@ -11,6 +11,12 @@
class site_config::remove::files {
+ # Platform 0.8 removals
+ tidy {
+ '/etc/default/leap_mx':;
+ '/etc/logrotate.d/leap-mx':;
+ }
+
#
# Platform 0.7 removals
#
@@ -20,13 +26,19 @@ class site_config::remove::files {
'/etc/rsyslog.d/99-leap-mx.conf':;
'/etc/rsyslog.d/01-webapp.conf':;
'/etc/rsyslog.d/50-stunnel.conf':;
- '/etc/logrotate.d/mx':;
'/etc/logrotate.d/stunnel':;
'/var/log/stunnel4/stunnel.log':;
'leap_mx':
path => '/var/log/',
recurse => true,
matches => 'leap_mx*';
+ # We rotate 5 logs, so we should only have mx.log, mx.log.[1-5], with an
+ # optional .gz suffix. The following will remove any logs that are out
+ # of this range
+ 'leap_mx_rotate':
+ path => '/var/log/leap/',
+ recurse => true,
+ matches => [ 'mx.log.[6-9](.gz)?', 'mx.log.[0-9][0-9]'];
'/srv/leap/webapp/public/provider.json':;
'/srv/leap/couchdb/designs/tmp_users':
recurse => true,
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index e92a6af7..5efd459f 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -50,6 +50,21 @@ class site_sshd {
}
}
+ # we cannot use the 'hardened' parameter because leap_cli uses an
+ # old net-ssh gem that is incompatible with the included
+ # "KexAlgorithms curve25519-sha256@libssh.org",
+ # see https://leap.se/code/issues/7591
+ # therefore we don't use it here, but include all other options
+ # that would be applied by the 'hardened' parameter
+ # not all options are available on wheezy
+ if ( $::lsbdistcodename == 'wheezy' ) {
+ $tail_additional_options = 'Ciphers aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+ } else {
+ $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
+ }
+
##
## SSHD SERVER CONFIGURATION
##
@@ -61,13 +76,6 @@ class site_sshd {
tcp_forwarding => $ssh_config['AllowTcpForwarding'],
manage_client => false,
use_storedconfigs => true,
- # we cannot use the 'hardened' parameter because leap_cli uses an
- # old net-ssh gem that is incompatible with the included
- # "KexAlgorithms curve25519-sha256@libssh.org",
- # see https://leap.se/code/issues/7591
- # therefore we don't use it here, but include all other options
- # that would be applied by the 'hardened' parameter
- tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'
+ tail_additional_options => $tail_additional_options
}
}