Diffstat (limited to 'puppet/modules')
| -rw-r--r-- | puppet/modules/leap/manifests/cli/install.pp | 33 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 14 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/static_aliases.pp | 34 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/templates/custom-aliases.erb | 11 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/templates/virtual-aliases.erb | 22 | ||||
| -rw-r--r-- | puppet/modules/site_sshd/manifests/init.pp | 18 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/templates/config.yml.erb | 67 | 
7 files changed, 121 insertions, 78 deletions
diff --git a/puppet/modules/leap/manifests/cli/install.pp b/puppet/modules/leap/manifests/cli/install.pp
new file mode 100644
index 00000000..858bd7da
--- /dev/null
+++ b/puppet/modules/leap/manifests/cli/install.pp
@@ -0,0 +1,33 @@
+# installs leap_cli on node
+class leap::cli::install ( $source = false ) {
+  if $source {
+    # needed for building leap_cli from source
+    include ::git
+    include ::site_config::ruby::dev
+
+    vcsrepo { '/srv/leap/cli':
+      ensure   => present,
+      force    => true,
+      revision => 'develop',
+      provider => 'git',
+      source   => 'https://leap.se/git/leap_cli.git',
+      owner    => 'root',
+      group    => 'root',
+      notify   => Exec['install_leap_cli'],
+      require  => Package['git']
+    }
+
+    exec { 'install_leap_cli':
+      command     => '/usr/bin/rake build && /usr/bin/rake install',
+      cwd         => '/srv/leap/cli',
+      refreshonly => true,
+      require     => [ Package['ruby-dev'], File['/etc/gemrc'], Package['rake'] ]
+    }
+  }
+  else {
+    package { 'leap_cli':
+      ensure   => installed,
+      provider => gem
+    }
+  }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 2b311e06..42313d1a 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -7,8 +7,8 @@ class site_postfix::mx {
   $domain              = $domain_hash['full_suffix']
   $host_domain         = $domain_hash['full']
   $cert_name           = hiera('name')
-  $mynetworks          = join(hiera('mynetworks'), ' ')
-  $rbls                = suffix(prefix(hiera('rbls'), 'reject_rbl_client '), ',')
+  $mynetworks          = join(hiera('mynetworks', ''), ' ')
+  $rbls                = suffix(prefix(hiera('rbls', []), 'reject_rbl_client '), ',')
   $root_mail_recipient = hiera('contacts')
   $postfix_smtp_listen = 'all'
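Review bot: The source build pins `revision => 'develop'`, a moving branch, and the `install_leap_cli` exec then runs `rake build && rake install` as root, so whatever sits at the tip of that branch at run time is built and installed system-wide with no pin and no integrity check. For reproducible, auditable deployments the vcsrepo should reference a tag or commit id (a placeholder such as `revision => '<pinned-tag-or-sha>'`) with a comment stating when it is bumped. `force => true` additionally discards any local changes under `/srv/leap/cli` on every sync, which the header comment should mention. The gem branch (`package { 'leap_cli': ensure => installed, provider => gem }`) likewise takes whatever version the gem source offers; an explicit version in `ensure` would be consistent with pinning the git build.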
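Review bot: The new default in `$mynetworks = join(hiera('mynetworks', ''), ' ')` is a string, but stdlib's `join` raises a parse error when its first argument is not an array, so a node without `mynetworks` in hiera now fails catalog compilation instead of getting an empty list. The companion line already uses `[]` for `rbls`; the same shape fits here: `$mynetworks = join(hiera('mynetworks', []), ' ')`. With an empty array the `mynetworks` value assembled further down in this class falls back to the loopback ranges only, which is the safe default. The class body continues outside this hunk.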
@@ -21,16 +21,20 @@ class site_postfix::mx {
   postfix::config {
     'mynetworks':
       value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}";
+    # Note: mydestination should not include @domain, because this is
+    # used in virtual alias maps.
     'mydestination':
-      value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+      value => "\$myorigin, localhost, localhost.\$mydomain";
     'myhostname':
       value => $host_domain;
     'mailbox_size_limit':
       value => '0';
     'home_mailbox':
       value => 'Maildir/';
+    # Note: virtual-aliases map will take precedence over leap_mx
+    # lookup (tcp:localhost)
     'virtual_alias_maps':
-      value => 'tcp:localhost:4242';
+      value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242';
     'luser_relay':
       value => 'vmail';
     'smtpd_tls_received_header':
@@ -69,13 +73,13 @@ class site_postfix::mx {
     preseed             => true,
     root_mail_recipient => $root_mail_recipient,
     smtp_listen         => 'all',
-    default_alias_maps  => false,
     mastercf_tail       =>
     "smtps     inet  n       -       -       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_tls_security_level=encrypt
   -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
   -o smtpd_helo_restrictions=\$smtps_helo_restrictions
+  -o smtpd_client_restrictions=
   -o cleanup_service_name=clean_smtps
 clean_smtps	  unix	n	-	n	-	0	cleanup
   -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers",
diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
index 786d74c1..e9118470 100644
--- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
+++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
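Review bot: The new comment on `mydestination` states the mechanism but not the reason, and the reason is what a future maintainer needs: Postfix expects each domain in exactly one address class, and a domain listed both in `mydestination` and among the virtual alias domains (the `<domain> enabled` entries of the new hash map) triggers a Postfix warning and is not reliably routed through `virtual_alias_maps`. Suggested wording: `# Note: ${domain} must NOT be in mydestination: it is a virtual alias domain (see /etc/postfix/virtual-aliases), and a domain in both classes bypasses the alias map.` The `hash:` map now listed first in `virtual_alias_maps` has to exist as a compiled `.db` before Postfix reads this setting; it is produced by `site_postfix::mx::static_aliases`, so a `require` on that class (or on its postmap exec) here would make the ordering explicit rather than implicit. The `postfix::config` resource continues outside this hunk.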
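Review bot: The added `-o smtpd_client_restrictions=` clears all client-level restrictions on the smtps (wrappermode) listener, so the `reject_rbl_client` entries this class assembles into `$rbls` no longer apply to connections on that service, presumably on the assumption that it is a submission port whose clients must authenticate. That may well be intended, but the hunk does not show what `$smtps_recipient_restrictions` contains (it is set outside this hunk), and an empty override on a security control is exactly the line a reader will question. Put the intent next to it, e.g. `  # smtps is a submission service: client-level (RBL) checks are deliberately skipped; access is governed by $smtps_recipient_restrictions`, adjusted to whatever that variable actually enforces. The enclosing `class { 'postfix': ... }` declaration starts and ends outside this hunk.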
@@ -30,29 +30,21 @@ class site_postfix::mx::static_aliases {
   }
 
   #
-  # Custom aliases.
-  #
-  # This does not use the puppet mailalias resource because we want to be able
-  # to guarantee the contents of the alias file. This is needed so if you
-  # remove an alias from the node's config, it will get removed from the alias
-  # file.
-  #
-
-  # both alias files must be listed under "alias_database", because once you
-  # specify one, then `newaliases` no longer will default to updating
-  # "/etc/aliases.db".
-  postfix::config {
-    'alias_database':
-      value => "/etc/aliases, /etc/postfix/custom-aliases";
-    'alias_maps':
-      value => "hash:/etc/aliases, hash:/etc/postfix/custom-aliases";
+  # Custom static virtual aliases.
+  #
+  exec { 'postmap_virtual_aliases':
+    command     => '/usr/sbin/postmap /etc/postfix/virtual-aliases',
+    refreshonly => true,
+    user        => root,
+    group       => root,
+    require     => Package['postfix'],
+    subscribe   => File['/etc/postfix/virtual-aliases']
   }
-
-  file { '/etc/postfix/custom-aliases':
-    content => template('site_postfix/custom-aliases.erb'),
+  file { '/etc/postfix/virtual-aliases':
+    content => template('site_postfix/virtual-aliases.erb'),
     owner   => root,
     group   => root,
-    mode    => 0600,
-    notify  => Exec['newaliases']
+    mode    => '0600',
+    require => Package['postfix']
   }
 }
diff --git a/puppet/modules/site_postfix/templates/custom-aliases.erb b/puppet/modules/site_postfix/templates/custom-aliases.erb
deleted file mode 100644
index f261514b..00000000
--- a/puppet/modules/site_postfix/templates/custom-aliases.erb
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# This file is managed by puppet.
-#
-# This is a map of custom, non-standard aliases. The contents of this file
-# are derived from the node property `mx.aliases`.
-#
-
-<%- @aliases.keys.sort.each do |from| -%>
-"<%= from %>": "<%= [@aliases[from]].flatten.join('", "') %>"
-<%- end -%>
-
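Review bot: The `postmap_virtual_aliases` exec compiles the map as root, but nothing constrains the permissions of the resulting `/etc/postfix/virtual-aliases.db`: postmap creates it under the process umask, so the `0600` on the source file does not carry over and the compiled map, holding the same alias data, is typically world-readable. If the aliases are sensitive enough to justify 0600, the `.db` needs the same treatment, for example `file { '/etc/postfix/virtual-aliases.db': mode => '0600', require => Exec['postmap_virtual_aliases'] }`; if they are not, relaxing the source file to 0644 removes the inconsistency. Separately, the `file` resource no longer notifies anything and only `require`s the package, so on a first run nothing orders the postmap exec before Postfix first reads `virtual_alias_maps`, which as far as I can tell leaves a window where the `hash:` map referenced in mx.pp does not yet exist. The enclosing class begins outside this hunk.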
diff --git a/puppet/modules/site_postfix/templates/virtual-aliases.erb b/puppet/modules/site_postfix/templates/virtual-aliases.erb
new file mode 100644
index 00000000..c474e734
--- /dev/null
+++ b/puppet/modules/site_postfix/templates/virtual-aliases.erb
@@ -0,0 +1,22 @@
+#
+# This file is managed by puppet.
+#
+# This is a map of custom, non-standard aliases. The contents of this file
+# are derived from the node property `mx.aliases`.
+#
+
+#
+# enable these virtual domains:
+#
+<%= @domain %> enabled
+<%- @aliases.keys.map {|addr| addr.split('@')[1] }.compact.sort.uniq.each do |virt_domain| -%>
+<%= virt_domain %> enabled
+<%- end %>
+
+#
+# virtual aliases:
+#
+<%- @aliases.keys.sort.each do |from| -%>
+<%-   full_address = from =~ /@/ ? from : from + "@" + @domain -%>
+<%= full_address %> <%= [@aliases[from]].flatten.map{|a| a =~ /@/ ? a : a + "@" + @domain}.join(', ') %>
+<%- end -%>
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 1da2f1d5..170be32c 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,6 +1,7 @@
 class site_sshd {
-  $ssh   = hiera_hash('ssh')
-  $hosts = hiera('hosts', '')
+  $ssh        = hiera_hash('ssh')
+  $ssh_config = $ssh['config']
+  $hosts      = hiera('hosts', '')
 
   ##
   ## SETUP AUTHORIZED KEYS
@@ -52,11 +53,12 @@ class site_sshd {
   ## SSHD SERVER CONFIGURATION
   ##
   class { '::sshd':
-    manage_nagios => false,
-    ports         => [ $ssh['port'] ],
-    use_pam       => 'yes',
-    hardened_ssl  => 'yes',
-    print_motd    => 'no',
-    manage_client => false
+    manage_nagios  => false,
+    ports          => [ $ssh['port'] ],
+    use_pam        => 'yes',
+    hardened_ssl   => 'yes',
+    print_motd     => 'no',
+    tcp_forwarding => $ssh_config['AllowTcpForwarding'],
+    manage_client  => false
   }
 }
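Review bot: Every domain found to the right of an `@` in an `mx.aliases` key is emitted as `<domain> enabled`, and because Postfix's `virtual_alias_domains` defaults to `$virtual_alias_maps` that line is what makes the MX accept mail for that domain; the header comment should say so, since a typo in an alias key quietly turns this host into an accepting MX for the wrong domain. Suggested header line after the existing `# are derived from ...` text: `# Any domain used in an alias key is also enabled here as a virtual alias domain.` The qualify-with-`@domain` logic is written twice (the `full_address` line and the `map` on the line after it); one lambda declared before the loop reads better: `<%- qualify = lambda { |a| a =~ /@/ ? a : a + "@" + @domain } -%>`, then `<%= qualify.call(from) %> <%= [@aliases[from]].flatten.map(&qualify).join(', ') %>`.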
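Review bot: `tcp_forwarding => $ssh_config['AllowTcpForwarding']` hands the hiera value to sshd with no default and no validation: when `ssh.config` or the key is absent the value is undef (indexing an undef `$ssh_config` may itself fail at compile time, depending on the parser), and any string other than `yes`/`no` is passed through into sshd_config. For a hardening knob the safe default is deny, so resolve it once in the first hunk, e.g. `$tcp_forwarding = pick($ssh_config['AllowTcpForwarding'], 'no')` followed by `validate_re($tcp_forwarding, '^(yes|no)$')`, and pass `$tcp_forwarding` here. The `class { '::sshd': ... }` declaration is shown in full, but `class site_sshd` continues outside both hunks.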
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index e8853ade..5cb436fc 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,33 +1,34 @@
-<%- require 'json' -%>
-<%- cert_options = @webapp['client_certificates'] -%>
-production:
-  admins: <%= @webapp['admins'].inspect %>
-  default_locale: :<%= @webapp['default_locale'] %>
-  available_locales:
-<%- @webapp['locales'].each do |locale| -%>
-    - :<%= locale %>
-<%- end -%>
-  domain: <%= @provider_domain %>
-  force_ssl: <%= @webapp['secure'] %>
-  client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key
-  client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt
-  secret_token: "<%= @secret_token %>"
-  client_cert_lifespan: <%= cert_options['life_span'] %>
-  client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
-  client_cert_hash: <%= cert_options['digest'] %>
-  allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %>
-  allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %>
-  allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %>
-  limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
-  unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
-  minimum_client_version: "<%= @webapp['client_version']['min'] %>"
-  default_service_level: "<%= @webapp['default_service_level'] %>"
-  service_levels: <%= scope.function_sorted_json([@webapp['service_levels']]) %>
-  allow_registration: <%= @webapp['allow_registration'].inspect %>
-  handle_blacklist: <%= @webapp['forbidden_usernames'].inspect %>
-<%- if @webapp['engines'] && @webapp['engines'].any? -%>
-  engines:
-<%-   @webapp['engines'].each do |engine| -%>
-    - <%= engine %>
-<%-   end -%>
-<%- end -%>
+<%-
+cert_options = @webapp['client_certificates']
+production = {
+  "admins" => @webapp['admins'],
+  "default_locale" => @webapp['default_locale'],
+  "available_locales" => @webapp['locales'],
+  "domain" => @provider_domain,
+  "force_ssl" => @webapp['secure'],
+  "client_ca_key" => "%s/%s.key" % [scope.lookupvar('x509::variables::keys'), scope.lookupvar('site_config::params::client_ca_name')],
+  "client_ca_cert" => "%s/%s.crt" % [scope.lookupvar('x509::variables::local_CAs'), scope.lookupvar('site_config::params::client_ca_name')],
+  "secret_token" => @secret_token,
+  "client_cert_lifespan" => cert_options['life_span'],
+  "client_cert_bit_size" => cert_options['bit_size'].to_i,
+  "client_cert_hash" => cert_options['digest'],
+  "allow_limited_certs" => @webapp['allow_limited_certs'],
+  "allow_unlimited_certs" => @webapp['allow_unlimited_certs'],
+  "allow_anonymous_certs" => @webapp['allow_anonymous_certs'],
+  "limited_cert_prefix" => cert_options['limited_prefix'],
+  "unlimited_cert_prefix" => cert_options['unlimited_prefix'],
+  "minimum_client_version" => @webapp['client_version']['min'],
+  "default_service_level" => @webapp['default_service_level'],
+  "service_levels" => @webapp['service_levels'],
+  "allow_registration" => @webapp['allow_registration'],
+  "handle_blacklist" => @webapp['forbidden_usernames']
+}
+
+if @webapp['engines'] && @webapp['engines'].any?
+  production["engines"] = @webapp['engines']
+end
+-%>
+#
+# This file is generated by puppet. This file inherits from defaults.yml.
+#
+<%= scope.function_sorted_yaml({"production" => production}) %>
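Review bot: The old template emitted locales as YAML symbols (`default_locale: :<%= ... %>` and `- :<%= locale %>`), whereas the new `production` hash passes `@webapp['default_locale']` and `@webapp['locales']` through as plain strings, so unless `sorted_yaml` symbolizes them the generated config now carries `en` where the webapp previously loaded `:en`, and nothing in the hunk shows the consumer accepting both forms. If the symbol form is required, convert inside the hash: `"default_locale" => @webapp['default_locale'].to_sym,` and `"available_locales" => @webapp['locales'].map(&:to_sym),` (these values come from the provider's own configuration, not from end users, so `to_sym` is fine here). Routing `secret_token`, the cert prefixes and `service_levels` through the YAML serializer instead of hand-quoting is the right move, as a token containing a double quote would have broken the old file.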
