13 files changed, 25 insertions, 92 deletions

diff --git a/puppet/modules/apache b/puppet/modules/apache
-Subproject 117bed9a9263c21d253d86b667eb165948efdc2
+Subproject 415e9504f99dca3ccaa4dfd389dde24ad9d0e01
diff --git a/puppet/modules/backupninja b/puppet/modules/backupninja
-Subproject 497513547be79f9d3c8e96f1650ec43ee634b27
+Subproject 5268a87c329f895017f8ea6c6abc377a4f9a6a7
diff --git a/puppet/modules/bundler b/puppet/modules/bundler
-Subproject b4a4a8434616247156e59b860b47cc6256ead8d
+Subproject bacec3e072649be4ade56f7df8506b46ae9c516
diff --git a/puppet/modules/clamav/templates/clamav-milter.conf.erb b/puppet/modules/clamav/templates/clamav-milter.conf.erb
index 9bf7099e..50b4c620 100644
--- a/puppet/modules/clamav/templates/clamav-milter.conf.erb
+++ b/puppet/modules/clamav/templates/clamav-milter.conf.erb
@@ -4,7 +4,6 @@ FixStaleSocket true
 User clamav
 MilterSocketGroup clamav
 MilterSocketMode 666
-AllowSupplementaryGroups true
 ReadTimeout 120
 Foreground false
 PidFile /var/run/clamav/clamav-milter.pid
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject 40d2289f8e10625cd45fdccdf492b5fb6490e66
+Subproject 76ff149a095023611c05bbb00157d06f87b07c0
diff --git a/puppet/modules/nagios b/puppet/modules/nagios
-Subproject 68dab01a85996e14efcccf856b623a2caf25782
+Subproject e6fee3c731f68ccf8b6add8ada2162c7ad2b840
diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems
-Subproject e704c9fe1c40fea5b10fe3ca2b4f5de825341cc
+Subproject 510a3693eab5dc78ed27d3728ee4d3b12334ea1
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
index 71395c50..7daf0cac 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
@@ -15,3 +15,7 @@
 # 401 Unauthorized error logged by webapp and possible other
 # applications
  C Unauthorized
+# catch abnormal termination of processes (due to segfault/fpe
+# signals etc).
+# see https://github.com/pixelated/pixelated-user-agent/issues/683
+ C systemd.*: main process exited, code=killed, status=
diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini
index 22aa0177..b921a927 100644
--- a/puppet/modules/site_couchdb/files/local.ini
+++ b/puppet/modules/site_couchdb/files/local.ini
@@ -1,91 +1,8 @@
-; CouchDB Configuration Settings
+; Puppet modified file !!
 
 ; Custom settings should be made in this file. They will override settings
 ; in default.ini, but unlike changes made to default.ini, this file won't be
 ; overwritten on server upgrade.
 
-[couchdb]
-;max_document_size = 4294967296 ; bytes
-
-[httpd]
-;port = 5984
-;bind_address = 127.0.0.1
-; Options for the MochiWeb HTTP server.
-;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
-; For more socket options, consult Erlang's module 'inet' man page.
-;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]
-
-; Uncomment next line to trigger basic-auth popup on unauthorized requests.
-;WWW-Authenticate = Basic realm="administrator"
-
-; Uncomment next line to set the configuration modification whitelist. Only
-; whitelisted values may be changed via the /_config URLs. To allow the admin
-; to change this value over HTTP, remember to include {httpd,config_whitelist}
-; itself. Excluding it from the list would require editing this file to update
-; the whitelist.
-;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
-
-[httpd_global_handlers]
-;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}
-
-# futon is enabled by default on bigcouch in default.ini
-# we need to find another way to disable futon, it won't work disabling it here
-# enable futon
-#_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}
-# disable futon
-#_utils =  {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>}
-
-[couch_httpd_auth]
-; If you set this to true, you should also uncomment the WWW-Authenticate line
-; above. If you don't configure a WWW-Authenticate header, CouchDB will send
-; Basic realm="server" in order to prevent you getting logged out.
-; require_valid_user = false
-
-[log]
-;level = debug
-
-[os_daemons]
-; For any commands listed here, CouchDB will attempt to ensure that
-; the process remains alive while CouchDB runs as well as shut them
-; down when CouchDB exits.
-;foo = /path/to/command -with args
-
-[daemons]
-; enable SSL support by uncommenting the following line and supply the PEM's below.
-; the default ssl port CouchDB listens on is 6984
-;httpsd = {couch_httpd, start_link, [https]}
-
-[ssl]
-;cert_file = /etc/couchdb/server_cert.pem
-;key_file  = /etc/couchdb/server_key.pem
-;password = somepassword
-; set to true to validate peer certificates
-;verify_ssl_certificates = false
-; Path to file containing PEM encoded CA certificates (trusted
-; certificates used for verifying a peer certificate). May be omitted if
-; you do not want to verify the peer.
-;cacert_file = /full/path/to/cacertf
-; The verification fun (optionnal) if not specidied, the default
-; verification fun will be used.
-;verify_fun = {Module, VerifyFun}
-;ssl_certificate_max_depth = 1
-; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
-; the Virual Host will be redirected to the path. In the example below all requests
-; to http://example.com/ are redirected to /database.
-; If you run CouchDB on a specific port, include the port number in the vhost:
-; example.com:5984 = /database
-
-[vhosts]
-;example.com = /database/
-
-[update_notification]
-;unique notifier name=/full/path/to/exe -with "cmd line arg"
-
-; To create an admin account uncomment the '[admins]' section below and add a
-; line in the format 'username = password'. When you next start CouchDB, it
-; will change the password to a hash (so that your passwords don't linger
-; around in plain-text files). You can add more admin accounts with more
-; 'username = password' lines. Don't forget to restart CouchDB after
-; changing this.
-;[admins]
-;admin = mysecretpassword
+[compactions]
+_default = [{db_fragmentation, "70%"}, {view_fragmentation, "60%"}, {from, "03:00"}, {to, "05:00"}]
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index aa9b956e..6537124d 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -59,7 +59,7 @@ class site_nagios::server inherits nagios::base {
   include site_webapp::common_vhost
   include apache::module::headers
 
-  File ['nagios_htpasswd'] {
+  File['nagios_htpasswd'] {
     source  => undef,
     content => "nagiosadmin:${nagiosadmin_pw}",
     mode    => '0640',
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 6decc665..15e6fb38 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -30,7 +30,7 @@
 # auth SHA1
 #
 #   dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists
-#   a number of “digest” with names like “RSA-SHA256”, but this are legacy and
+#   a number of "digest" with names like "RSA-SHA256", but this are legacy and
 #   should be avoided.
 #
 #   elijah: i am not so sure that the digest algo matters for 'auth' option, because
@@ -40,14 +40,14 @@
 # cipher AES-128-CBC
 #
 #   dkg: For the choice of cipher, we need to select an algorithm and a
-#   cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm — but
+#   cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm - but
 #   our control channel is already relying on AES not being broken; if the
 #   control channel is cracked, then the key material for the tunnel is exposed,
 #   and the choice of algorithm is moot. So it makes more sense to me to rely on
 #   the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to
 #   me, but CBC is more well-tested, and the OpenVPN man page (at least as of
-#   version 2.2.1) says “CBC is recommended and CFB and OFB should be considered
-#   advanced modes.”
+#   version 2.2.1) says "CBC is recommended and CFB and OFB should be considered
+#   advanced modes."
 #
 #   note: the default is BF-CBC (blowfish)
 #
diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp
index d116de2f..ab2b7494 100644
--- a/puppet/modules/site_static/manifests/location.pp
+++ b/puppet/modules/site_static/manifests/location.pp
@@ -23,6 +23,19 @@ define site_static::location($path, $format, $source) {
     }
   }
 
+  if ($format == 'rack') {
+    # Run bundler if there is a Gemfile
+    exec { 'bundler_update':
+      cwd     => $file_path,
+      command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development debug"',
+      unless  => '/usr/bin/bundle check --path vendor/bundle',
+      onlyif  => 'test -f Gemfile',
+      user    => 'www-data',
+      timeout => 600,
+      require => [Class['bundler::install'], Class['site_config::ruby::dev']];
+    }
+  }
+
   vcsrepo { $file_path:
     ensure   => present,
     force    => true,
diff --git a/puppet/modules/tor b/puppet/modules/tor
-Subproject 8c936c166b6da1ebd0e8d95e56ceee5167357d6
+Subproject 9981a70f7ba1f9e4fe33e4eb46654295287c1fc