Diffstat (limited to 'puppet/modules')
-rw-r--r--puppet/modules/leap/manifests/cli/install.pp33
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp14
-rw-r--r--puppet/modules/site_postfix/manifests/mx/static_aliases.pp34
-rw-r--r--puppet/modules/site_postfix/templates/custom-aliases.erb11
-rw-r--r--puppet/modules/site_postfix/templates/virtual-aliases.erb22
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp18
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb67
7 files changed, 121 insertions, 78 deletions
diff --git a/puppet/modules/leap/manifests/cli/install.pp b/puppet/modules/leap/manifests/cli/install.pp
new file mode 100644
index 00000000..858bd7da
--- /dev/null
+++ b/puppet/modules/leap/manifests/cli/install.pp
@@ -0,0 +1,33 @@
+# installs leap_cli on node
+class leap::cli::install ( $source = false ) {
+ if $source {
+ # needed for building leap_cli from source
+ include ::git
+ include ::site_config::ruby::dev
+
+ vcsrepo { '/srv/leap/cli':
+ ensure => present,
+ force => true,
+ revision => 'develop',
+ provider => 'git',
+ source => 'https://leap.se/git/leap_cli.git',
+ owner => 'root',
+ group => 'root',
+ notify => Exec['install_leap_cli'],
+ require => Package['git']
+ }
+
+ exec { 'install_leap_cli':
+ command => '/usr/bin/rake build && /usr/bin/rake install',
+ cwd => '/srv/leap/cli',
+ refreshonly => true,
+ require => [ Package['ruby-dev'], File['/etc/gemrc'], Package['rake'] ]
+ }
+ }
+ else {
+ package { 'leap_cli':
+ ensure => installed,
+ provider => gem
+ }
+ }
+}
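Review bot: `revision => 'develop'` at L32 together with `force => true` and the root-run `rake build && rake install` at L41-L46 means every Puppet run may pull whatever is currently at the tip of a moving branch and execute its Rakefile and gemspec as root, with no commit pin and no signature check, so the node's trust in leap_cli reduces to trust in the git server and the TLS path. For a tool that ends up holding provider credentials the ref should at least be pinnable: expose it as a parameter, `class leap::cli::install ( $source = false, $revision = 'develop' )` and `revision => $revision,`, and state in the header comment that `$source = true` is a development mode that tracks an unpinned branch. The gem branch at L49-L52 has the same shape (`ensure => installed`, no version), so a `$version` parameter fed into `ensure` would be the consistent counterpart. `Package['ruby-dev']`, `File['/etc/gemrc']` and `Package['rake']` presumably come from `site_config::ruby::dev`; if not, the catalog fails on a missing dependency, which is at least loud.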
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 2b311e06..42313d1a 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -7,8 +7,8 @@ class site_postfix::mx {
$domain = $domain_hash['full_suffix']
$host_domain = $domain_hash['full']
$cert_name = hiera('name')
- $mynetworks = join(hiera('mynetworks'), ' ')
- $rbls = suffix(prefix(hiera('rbls'), 'reject_rbl_client '), ',')
+ $mynetworks = join(hiera('mynetworks', ''), ' ')
+ $rbls = suffix(prefix(hiera('rbls', []), 'reject_rbl_client '), ',')
$root_mail_recipient = hiera('contacts')
$postfix_smtp_listen = 'all'
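Review bot: The new default for `mynetworks` at L65 is the string `''`, but stdlib's `join()` raises a ParseError unless its first argument is an Array, so a node with no `mynetworks` in hiera would now fail compilation instead of getting the intended empty value; `rbls` on the very next line already defaults to `[]`. Use the same type: `$mynetworks = join(hiera('mynetworks', []), ' ')`. Defaulting to empty is the right fail-closed choice, since `mynetworks` grants relay rights (L72 below), so only the default's type needs to change.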
@@ -21,16 +21,20 @@ class site_postfix::mx {
postfix::config {
'mynetworks':
value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}";
+ # Note: mydestination should not include @domain, because this is
+ # used in virtual alias maps.
'mydestination':
- value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+ value => "\$myorigin, localhost, localhost.\$mydomain";
'myhostname':
value => $host_domain;
'mailbox_size_limit':
value => '0';
'home_mailbox':
value => 'Maildir/';
+ # Note: virtual-aliases map will take precedence over leap_mx
+ # lookup (tcp:localhost)
'virtual_alias_maps':
- value => 'tcp:localhost:4242';
+ value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242';
'luser_relay':
value => 'vmail';
'smtpd_tls_received_header':
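Review bot: The comment at L73-74 should state what dropping `${domain}` from `mydestination` changes operationally: `luser_relay` (L89-90) is a local(8) setting that only catches unknown recipients in `mydestination` domains, so after this change a `${domain}` address found neither in `hash:/etc/postfix/virtual-aliases` nor in the leap_mx tcp table is rejected at the virtual-alias stage instead of being swept into `vmail`. That is the stricter, fail-closed behaviour and presumably intended, but the comment should say so, e.g. `# Note: mydestination must not include ${domain}: that domain is served by virtual_alias_maps, and unknown recipients there are rejected rather than caught by luser_relay.` The current wording `@domain` also reads like a template variable; `${domain}` matches the Puppet code below it.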
@@ -69,13 +73,13 @@ class site_postfix::mx {
preseed => true,
root_mail_recipient => $root_mail_recipient,
smtp_listen => 'all',
- default_alias_maps => false,
mastercf_tail =>
"smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
-o smtpd_helo_restrictions=\$smtps_helo_restrictions
+ -o smtpd_client_restrictions=
-o cleanup_service_name=clean_smtps
clean_smtps unix n - n - 0 cleanup
-o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers",
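Review bot: The added `-o smtpd_client_restrictions=` at L103 clears all client-level checks on the port-465 listener — which is where the `reject_rbl_client` list built from `$rbls` presumably lands — without any explanation. Exempting submission clients from RBLs is a normal choice, but it makes `$smtps_recipient_restrictions`, defined outside this hunk, the only thing standing between an arbitrary IP and relay on that port, so the assumption should be recorded on the line before the override: `# no client/RBL checks on 465: clients present certs; relay control lives entirely in smtps_recipient_restrictions`. Please also confirm that `$smtps_recipient_restrictions` does require the client certificate or SASL auth before permitting relay and ends in a `reject`, since this override silently removes a layer that main.cf still applies to port 25.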
diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
index 786d74c1..e9118470 100644
--- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
+++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp
@@ -30,29 +30,21 @@ class site_postfix::mx::static_aliases {
}
#
- # Custom aliases.
- #
- # This does not use the puppet mailalias resource because we want to be able
- # to guarantee the contents of the alias file. This is needed so if you
- # remove an alias from the node's config, it will get removed from the alias
- # file.
- #
-
- # both alias files must be listed under "alias_database", because once you
- # specify one, then `newaliases` no longer will default to updating
- # "/etc/aliases.db".
- postfix::config {
- 'alias_database':
- value => "/etc/aliases, /etc/postfix/custom-aliases";
- 'alias_maps':
- value => "hash:/etc/aliases, hash:/etc/postfix/custom-aliases";
+ # Custom static virtual aliases.
+ #
+ exec { 'postmap_virtual_aliases':
+ command => '/usr/sbin/postmap /etc/postfix/virtual-aliases',
+ refreshonly => true,
+ user => root,
+ group => root,
+ require => Package['postfix'],
+ subscribe => File['/etc/postfix/virtual-aliases']
}
-
- file { '/etc/postfix/custom-aliases':
- content => template('site_postfix/custom-aliases.erb'),
+ file { '/etc/postfix/virtual-aliases':
+ content => template('site_postfix/virtual-aliases.erb'),
owner => root,
group => root,
- mode => 0600,
- notify => Exec['newaliases']
+ mode => '0600',
+ require => Package['postfix']
}
}
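Review bot: `Exec['postmap_virtual_aliases']` (L132-L139) is refreshonly and ordered only after the `File` it subscribes to; nothing here orders it before the Postfix service or before the `virtual_alias_maps` setting that now points at `hash:/etc/postfix/virtual-aliases`. Postfix opens hash: tables at daemon start and, in my experience, treats a missing `.db` as fatal, so on a first run — or whenever the postfix module reloads the service before this exec fires — cleanup(8) can refuse to start until the next Puppet run. Add the edge explicitly unless the module already provides it, e.g. `before => Service['postfix'],` on the exec, or have the exec `notify` the service once the map is built.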
diff --git a/puppet/modules/site_postfix/templates/custom-aliases.erb b/puppet/modules/site_postfix/templates/custom-aliases.erb
deleted file mode 100644
index f261514b..00000000
--- a/puppet/modules/site_postfix/templates/custom-aliases.erb
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# This file is managed by puppet.
-#
-# This is a map of custom, non-standard aliases. The contents of this file
-# are derived from the node property `mx.aliases`.
-#
-
-<%- @aliases.keys.sort.each do |from| -%>
-"<%= from %>": "<%= [@aliases[from]].flatten.join('", "') %>"
-<%- end -%>
-
diff --git a/puppet/modules/site_postfix/templates/virtual-aliases.erb b/puppet/modules/site_postfix/templates/virtual-aliases.erb
new file mode 100644
index 00000000..c474e734
--- /dev/null
+++ b/puppet/modules/site_postfix/templates/virtual-aliases.erb
@@ -0,0 +1,22 @@
+#
+# This file is managed by puppet.
+#
+# This is a map of custom, non-standard aliases. The contents of this file
+# are derived from the node property `mx.aliases`.
+#
+
+#
+# enable these virtual domains:
+#
+<%= @domain %> enabled
+<%- @aliases.keys.map {|addr| addr.split('@')[1] }.compact.sort.uniq.each do |virt_domain| -%>
+<%= virt_domain %> enabled
+<%- end %>
+
+#
+# virtual aliases:
+#
+<%- @aliases.keys.sort.each do |from| -%>
+<%- full_address = from =~ /@/ ? from : from + "@" + @domain -%>
+<%= full_address %> <%= [@aliases[from]].flatten.map{|a| a =~ /@/ ? a : a + "@" + @domain}.join(', ') %>
+<%- end -%>
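Review bot: Alias keys and targets from `mx.aliases` are written into the map at L194-L196 without any validation, and the Postfix hash format is whitespace-delimited, so a key or target containing a space or newline silently becomes a different entry (a newline adds an extra alias). The data is operator-supplied hiera, so this is configuration hygiene rather than an exploit path, but failing the catalog with a clear message is cheaper than debugging a mis-routed alias. Separately, `@domain` at L186 and L195 must be a variable of the class that evaluates this template; if that class is `site_postfix::mx::static_aliases`, check that `$domain` is actually declared there and not only in `site_postfix::mx`, otherwise L186 renders as a bare ` enabled` key and the generated addresses end in a trailing `@`. A guard at the top of the template would cover the first point:
```erb
<%-
  # Fail the catalog rather than emit a malformed map: the Postfix hash
  # format is whitespace-separated, so a key or target with a space or
  # newline would become a different (or an additional) alias entry.
  entries = @aliases.keys + @aliases.values.map { |v| [v] }.flatten
  bad = entries.select { |a| a.to_s =~ /\s/ }
  raise ArgumentError, "mx.aliases contains whitespace: #{bad.inspect}" unless bad.empty?
-%>
<%# … unchanged: header comment, virtual domains, virtual aliases … %>
```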
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 1da2f1d5..170be32c 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,6 +1,7 @@
class site_sshd {
- $ssh = hiera_hash('ssh')
- $hosts = hiera('hosts', '')
+ $ssh = hiera_hash('ssh')
+ $ssh_config = $ssh['config']
+ $hosts = hiera('hosts', '')
##
## SETUP AUTHORIZED KEYS
@@ -52,11 +53,12 @@ class site_sshd {
## SSHD SERVER CONFIGURATION
##
class { '::sshd':
- manage_nagios => false,
- ports => [ $ssh['port'] ],
- use_pam => 'yes',
- hardened_ssl => 'yes',
- print_motd => 'no',
- manage_client => false
+ manage_nagios => false,
+ ports => [ $ssh['port'] ],
+ use_pam => 'yes',
+ hardened_ssl => 'yes',
+ print_motd => 'no',
+ tcp_forwarding => $ssh_config['AllowTcpForwarding'],
+ manage_client => false
}
}
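Review bot: `tcp_forwarding => $ssh_config['AllowTcpForwarding']` at L226 passes the hiera value straight through with no default and no validation, so when `ssh.config` or the `AllowTcpForwarding` key is absent the sshd module receives undef and falls back to whatever its own default is — and under Puppet 3, indexing an undef `$ssh_config` (assigned in the earlier hunk of this class) may itself abort compilation. For server nodes the secure default is to deny forwarding explicitly and accept only values sshd understands: `$tcp_forwarding = pick($ssh_config['AllowTcpForwarding'], 'no')`, then `validate_re($tcp_forwarding, '^(yes|no|local|remote)$')`, and `tcp_forwarding => $tcp_forwarding,` in the resource; both functions are in stdlib, which this codebase already relies on (`join`/`prefix` in site_postfix). If the intent really is to inherit the module default when unset, say so in a comment above the resource so the fallback is a decision rather than an accident.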
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index e8853ade..5cb436fc 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,33 +1,34 @@
-<%- require 'json' -%>
-<%- cert_options = @webapp['client_certificates'] -%>
-production:
- admins: <%= @webapp['admins'].inspect %>
- default_locale: :<%= @webapp['default_locale'] %>
- available_locales:
-<%- @webapp['locales'].each do |locale| -%>
- - :<%= locale %>
-<%- end -%>
- domain: <%= @provider_domain %>
- force_ssl: <%= @webapp['secure'] %>
- client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key
- client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt
- secret_token: "<%= @secret_token %>"
- client_cert_lifespan: <%= cert_options['life_span'] %>
- client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
- client_cert_hash: <%= cert_options['digest'] %>
- allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %>
- allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %>
- allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %>
- limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
- unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
- minimum_client_version: "<%= @webapp['client_version']['min'] %>"
- default_service_level: "<%= @webapp['default_service_level'] %>"
- service_levels: <%= scope.function_sorted_json([@webapp['service_levels']]) %>
- allow_registration: <%= @webapp['allow_registration'].inspect %>
- handle_blacklist: <%= @webapp['forbidden_usernames'].inspect %>
-<%- if @webapp['engines'] && @webapp['engines'].any? -%>
- engines:
-<%- @webapp['engines'].each do |engine| -%>
- - <%= engine %>
-<%- end -%>
-<%- end -%>
+<%-
+cert_options = @webapp['client_certificates']
+production = {
+ "admins" => @webapp['admins'],
+ "default_locale" => @webapp['default_locale'],
+ "available_locales" => @webapp['locales'],
+ "domain" => @provider_domain,
+ "force_ssl" => @webapp['secure'],
+ "client_ca_key" => "%s/%s.key" % [scope.lookupvar('x509::variables::keys'), scope.lookupvar('site_config::params::client_ca_name')],
+ "client_ca_cert" => "%s/%s.crt" % [scope.lookupvar('x509::variables::local_CAs'), scope.lookupvar('site_config::params::client_ca_name')],
+ "secret_token" => @secret_token,
+ "client_cert_lifespan" => cert_options['life_span'],
+ "client_cert_bit_size" => cert_options['bit_size'].to_i,
+ "client_cert_hash" => cert_options['digest'],
+ "allow_limited_certs" => @webapp['allow_limited_certs'],
+ "allow_unlimited_certs" => @webapp['allow_unlimited_certs'],
+ "allow_anonymous_certs" => @webapp['allow_anonymous_certs'],
+ "limited_cert_prefix" => cert_options['limited_prefix'],
+ "unlimited_cert_prefix" => cert_options['unlimited_prefix'],
+ "minimum_client_version" => @webapp['client_version']['min'],
+ "default_service_level" => @webapp['default_service_level'],
+ "service_levels" => @webapp['service_levels'],
+ "allow_registration" => @webapp['allow_registration'],
+ "handle_blacklist" => @webapp['forbidden_usernames']
+}
+
+if @webapp['engines'] && @webapp['engines'].any?
+ production["engines"] = @webapp['engines']
+end
+-%>
+#
+# This file is generated by puppet. This file inherits from defaults.yml.
+#
+<%= scope.function_sorted_yaml({"production" => production}) %>
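Review bot: The rewrite drops the leading `:` that the old template put before `default_locale` (L239) and each `available_locales` entry (L242), so those values are now emitted as plain YAML strings rather than Ruby symbols; unless the webapp normalizes locales itself, `default_locale` silently changes type from Symbol to String, which a serializer refactor should not carry. If symbols are intended, convert explicitly and verify the serializer's output: `"default_locale" => @webapp['default_locale'].to_sym,` and `"available_locales" => @webapp['locales'].map(&:to_sym),`, then confirm `sorted_yaml` writes them as `:en` rather than a `!ruby/symbol` tag. A second subtle change: keys such as `minimum_client_version` (L257 vs L287) used to be wrapped in quotes and rendered `""` when the value was nil, whereas the hash now yields a YAML null, so the webapp must tolerate `nil` there. Worth a line in the header comment noting that the file is now produced by `sorted_yaml` and that all scalar types come from hiera unchanged.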