Diffstat (limited to 'puppet/modules')
m---------puppet/modules/check_mk0
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg8
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg3
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg8
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg2
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg8
-rw-r--r--puppet/modules/site_check_mk/files/extra_host_conf.mk6
-rw-r--r--puppet/modules/site_check_mk/files/extra_service_conf.mk13
-rw-r--r--puppet/modules/site_check_mk/files/host_contactgroups.mk3
-rw-r--r--puppet/modules/site_check_mk/files/ignored_services.mk3
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/couchdb.pp2
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/tapicero.pp6
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/webapp.pp19
-rw-r--r--puppet/modules/site_check_mk/manifests/server.pp18
-rw-r--r--puppet/modules/site_check_mk/templates/host_contactgroups.mk17
-rw-r--r--puppet/modules/site_check_mk/templates/hostgroups.mk17
-rwxr-xr-xpuppet/modules/site_nagios/files/plugins/check_last_regex_in_log85
-rw-r--r--puppet/modules/site_nagios/manifests/add_host_services.pp6
-rw-r--r--puppet/modules/site_nagios/manifests/add_service.pp13
-rw-r--r--puppet/modules/site_nagios/manifests/plugins.pp16
-rw-r--r--puppet/modules/site_nagios/manifests/server.pp12
-rw-r--r--puppet/modules/site_nagios/manifests/server/add_contacts.pp16
-rw-r--r--puppet/modules/site_nagios/manifests/server/contactgroup.pp6
-rw-r--r--puppet/modules/site_nagios/manifests/server/hostgroup.pp2
-rw-r--r--puppet/modules/site_nagios/manifests/server/icli.pp26
-rw-r--r--puppet/modules/site_nagios/templates/icli_aliases.erb7
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp4
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp4
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtp_tls.pp1
-rw-r--r--puppet/modules/site_sshd/templates/ssh_config.erb17
-rw-r--r--puppet/modules/site_static/manifests/init.pp7
-rw-r--r--puppet/modules/site_tor/manifests/init.pp4
-rw-r--r--puppet/modules/site_webapp/manifests/hidden_service.pp2
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp7
m---------puppet/modules/stunnel0
-rw-r--r--puppet/modules/tapicero/manifests/init.pp2
36 files changed, 326 insertions, 44 deletions
diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk
-Subproject 5c11597a055858b5ddc1ce8f7f8db249f5f1b33
+Subproject 205859d87884ac4ceee6d1365548e7dc55640bf
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
index 28f333b0..95ddd2ca 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg
@@ -6,11 +6,19 @@
I 127.0.0.1 localhost:5984 .* ok
# https://leap.se/code/issues/5246
I Shutting down group server
+ # ignore bigcouch conflict errors, mainly coming from tapicero creating new users
+ I Error in process.*{{nocatch,conflict}
# ignore "Uncaught error in HTTP request: {exit, normal}" error
# it's suppressed in later versions of bigcouch anhow
# see https://leap.se/code/issues/5226
I Uncaught error in HTTP request: {exit,normal}
I Uncaught error in HTTP request: {exit,
+ # Ignore rexi_EXIT bigcouch error (Bug #6512)
+ I Error in process <[0-9.]+> on node .* with exit value: {{rexi_EXIT,{(killed|noproc|shutdown),\[{couch_db,collect_results
+ # Ignore "Generic server terminating" bigcouch message (Feature #6544)
+ I Generic server <.*> terminating
+ I {error_report,<.*>,
+ I {error_info,
C Uncaught error in HTTP request: {error,
C Response abnormally terminated: {nodedown,
C rexi_DOWN,noproc
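Review bot: `I {error_report,<.*>,` and `I {error_info,` ignore every Erlang error report regardless of its content, whereas the other rules added here are narrowed to a specific message and carry an issue reference. If logwatch applies the first matching rule, these two presumably also swallow reports that the `C` rules below are meant to surface whenever those arrive wrapped in an error_report. Narrowing both patterns to the specific noise they were added for (Feature #6544) and adding that reference as a comment, as the neighbouring rules do, would keep the intent recoverable.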
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg
index 623d1e46..3af5045b 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg
@@ -2,4 +2,5 @@
C WSGI application error
C Error
C error
- W Timing out client:
+# Removed this line because we determined it was better to ignore it (#6566)
+# W Timing out client:
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg
index d58e876d..ac17c0ca 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg
@@ -2,6 +2,12 @@
# suddenly hangup before properly establishing
# a tls connection
I ovpn-.*TLS Error: Unroutable control packet received from
- I ovpn-.*TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
+ I ovpn-.*TLS Error: TLS key negotiation failed to occur within 60 seconds \(check your network connectivity\)
I ovpn-.*TLS Error: TLS handshake failed
+ I ovpn-.*TLS Error: TLS object -> incoming plaintext read error
+ I ovpn-.*Fatal TLS error \(check_tls_errors_co\), restarting
+ I ovpn-.*TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
+
+ I ovpn-.*SIGUSR1\[soft,tls-error\] received, client-instance restarting
+ I ovpn-.*VERIFY ERROR: depth=0, error=certificate has expired
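Review bot: `I ovpn-.*VERIFY ERROR: depth=0, error=certificate has expired` silences every expired-client-certificate event, so a mass expiry (for example after a client CA or issuance change) would produce no signal at all from this check. If per-client volume is the problem, a `W` rule, or keeping the `I` rule with a comment stating that expiry is expected per-client noise, preserves some visibility. The same consideration applies to the `no certificate` line above it.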
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg
index 93ce0311..e5721eea 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg
@@ -1,3 +1,5 @@
+# Ignore transient Tapicero errors when creating a db (#6511)
+ I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|(twice )?due to): (RestClient::Resource Not Found|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error)
C tapicero.*RestClient::InternalServerError:
# possible race condition between multiple tapicero
# instances, so we ignore it
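Review bot: The new ignore pattern also accepts the `failed twice due to` variant through `(twice )?due to`, so if that wording marks the final attempt rather than a retry, permanent failures to create a user database are now suppressed together with the transient ones. If so, split that alternative out into a `C` rule. A short comment naming which message forms are retries would make the distinction explicit for whoever tunes this next.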
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
index 450b9e90..71395c50 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
@@ -1,8 +1,14 @@
# some general patterns
+ I Error: Driver 'pcspkr' is already registered, aborting...
+# ignore postfix errors on lost connection (Bug #6476)
+ I postfix/smtpd.*SSL_accept error from.*lost connection
+# ignore postfix too many errors after DATA (#6545)
+ I postfix/smtpd.*too many errors after DATA from
C panic
C Oops
- I Error: Driver 'pcspkr' is already registered, aborting...
C Error
+# ignore ipv6 icmp errors for now (Bug #6540)
+ I kernel: .*icmpv6_send: no reply to icmp error
C error
W generic protection rip
W .*Unrecovered read error - auto reallocate failed
diff --git a/puppet/modules/site_check_mk/files/extra_host_conf.mk b/puppet/modules/site_check_mk/files/extra_host_conf.mk
new file mode 100644
index 00000000..2c96f97a
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/extra_host_conf.mk
@@ -0,0 +1,6 @@
+# retry 3 times before setting a host into a hard state
+# and send out notification
+extra_host_conf["max_check_attempts"] = [
+ ("4", ALL_HOSTS )
+]
+
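Review bot: The comment says `retry 3 times` while the value is `"4"`; since `max_check_attempts` counts the initial check, the two agree, but a reader has to know that convention. Suggest `# max_check_attempts 4 = initial check plus 3 retries before a hard state and notification`. The same wording applies to `extra_service_conf.mk` in this commit.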
diff --git a/puppet/modules/site_check_mk/files/extra_service_conf.mk b/puppet/modules/site_check_mk/files/extra_service_conf.mk
new file mode 100644
index 00000000..03d1ea76
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/extra_service_conf.mk
@@ -0,0 +1,13 @@
+# retry 3 times before setting a service into a hard state
+# and send out notification
+extra_service_conf["max_check_attempts"] = [
+ ("4", ALL_HOSTS , ALL_SERVICES )
+]
+
+# run check_mk_agent every 2 minutes if it terminates
+# successfully.
+# see https://leap.se/code/issues/6539 for the rationale
+extra_service_conf["normal_check_interval"] = [
+ ("2", ALL_HOSTS , "Check_MK" )
+]
+
diff --git a/puppet/modules/site_check_mk/files/host_contactgroups.mk b/puppet/modules/site_check_mk/files/host_contactgroups.mk
deleted file mode 100644
index e89323fb..00000000
--- a/puppet/modules/site_check_mk/files/host_contactgroups.mk
+++ /dev/null
@@ -1,3 +0,0 @@
-host_contactgroups = [
- ( "admins", ALL_HOSTS ),
-]
diff --git a/puppet/modules/site_check_mk/files/ignored_services.mk b/puppet/modules/site_check_mk/files/ignored_services.mk
new file mode 100644
index 00000000..35dc4433
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/ignored_services.mk
@@ -0,0 +1,3 @@
+ignored_services = [
+ ( ALL_HOSTS, [ "NTP Time" ] )
+]
diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
index 01e2b886..ee0268a3 100644
--- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp
@@ -29,7 +29,7 @@ class site_check_mk::agent::couchdb {
}
file_line {
'Bigcouch_open_files':
- line => 'Bigcouch_open_files /srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 750,750 -c 1000,1000',
+ line => 'Bigcouch_open_files /srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720',
path => '/etc/check_mk/mrpe.cfg';
}
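Review bot: The open-files thresholds jump from 750/1000 to 28672/30720 with no record of why; a one-line comment tying them to the limit they are sized against, e.g. `# thresholds sized against the raised open-files limit for beam (see <TICKET-PLACEHOLDER>)`, would let the next person re-derive them. The enclosing `file_line` block starts outside the hunk.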
diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
index 369ed00b..ffd11100 100644
--- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp
@@ -1,5 +1,7 @@
class site_check_mk::agent::tapicero {
+ include ::site_nagios::plugins
+
concat::fragment { 'syslog_tapicero':
source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/tapicero.cfg',
target => '/etc/check_mk/logwatch.d/syslog.cfg',
@@ -11,6 +13,10 @@ class site_check_mk::agent::tapicero {
'Tapicero_Procs':
line => 'Tapicero_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero',
path => '/etc/check_mk/mrpe.cfg';
+
+ 'Tapicero_Heartbeat':
+ line => 'Tapicero_Heartbeat /usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/syslog -r "tapicero" -w 300 -c 600',
+ path => '/etc/check_mk/mrpe.cfg';
}
}
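Review bot: `-r "tapicero"` matches every syslog line that mentions tapicero, including the failure lines that the logwatch rules in this commit classify as `C`, so a tapicero that is crash-looping and logging errors keeps the heartbeat green. If tapicero emits a message only during healthy operation, anchoring the regex to that message would make the check measure liveness rather than log volume. The `file_line` resource this entry belongs to starts outside the hunk.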
diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp
index 64f5ea6d..88c3da30 100644
--- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp
@@ -1,20 +1,11 @@
class site_check_mk::agent::webapp {
- # check webapp login + soledad sync
- package { [ 'python-srp', 'python-requests', 'python-yaml', 'python-u1db' ]:
- ensure => installed
+ # remove leftovers of webapp python checks
+ file {
+ [ '/usr/lib/check_mk_agent/local/nagios-webapp_login.py',
+ '/usr/lib/check_mk_agent/local/soledad_sync.py' ]:
+ ensure => absent
}
- file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py':
- ensure => link,
- target => '/srv/leap/webapp/test/nagios/webapp_login.py',
- require => Package['check_mk-agent']
- }
- file { '/usr/lib/check_mk_agent/local/soledad_sync.py':
- ensure => link,
- target => '/srv/leap/webapp/test/nagios/soledad_sync.py',
- require => Package['check_mk-agent']
- }
-
# check syslog
concat::fragment { 'syslog_webapp':
diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp
index 388ae94b..171f1576 100644
--- a/puppet/modules/site_check_mk/manifests/server.pp
+++ b/puppet/modules/site_check_mk/manifests/server.pp
@@ -11,6 +11,7 @@ class site_check_mk::server {
$hosts = hiera_hash('hosts')
$all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>')
$domains_internal = $nagios_hiera['domains_internal']
+ $environments = $nagios_hiera['environments']
package { 'check-mk-server':
ensure => installed,
@@ -41,13 +42,27 @@ class site_check_mk::server {
notify => Exec['check_mk-refresh'],
require => Package['check-mk-server'];
'/etc/check_mk/conf.d/host_contactgroups.mk':
- source => 'puppet:///modules/site_check_mk/host_contactgroups.mk',
+ content => template('site_check_mk/host_contactgroups.mk'),
notify => Exec['check_mk-refresh'],
require => Package['check-mk-server'];
+ '/etc/check_mk/conf.d/ignored_services.mk':
+ source => 'puppet:///modules/site_check_mk/ignored_services.mk',
+ notify => Exec['check_mk-refresh'],
+ require => Package['check-mk-server'];
+ '/etc/check_mk/conf.d/extra_service_conf.mk':
+ source => 'puppet:///modules/site_check_mk/extra_service_conf.mk',
+ notify => Exec['check_mk-refresh'],
+ require => Package['check-mk-server'];
+ '/etc/check_mk/conf.d/extra_host_conf.mk':
+ source => 'puppet:///modules/site_check_mk/extra_host_conf.mk',
+ notify => Exec['check_mk-refresh'],
+ require => Package['check-mk-server'];
+
'/etc/check_mk/all_hosts_static':
content => $all_hosts,
notify => Exec['check_mk-refresh'],
require => Package['check-mk-server'];
+
'/etc/check_mk/.ssh':
ensure => directory,
require => Package['check-mk-server'];
@@ -61,6 +76,7 @@ class site_check_mk::server {
owner => 'nagios',
mode => '0644',
require => Package['check-mk-server'];
+
# check_icmp must be suid root or called by sudo
# see https://leap.se/code/issues/5171
'/usr/lib/nagios/plugins/check_icmp':
diff --git a/puppet/modules/site_check_mk/templates/host_contactgroups.mk b/puppet/modules/site_check_mk/templates/host_contactgroups.mk
new file mode 100644
index 00000000..6a534967
--- /dev/null
+++ b/puppet/modules/site_check_mk/templates/host_contactgroups.mk
@@ -0,0 +1,17 @@
+<%
+ contact_groups = []
+ @environments.keys.sort.each do |env_name|
+ hosts = ""
+ @nagios_hosts.keys.sort.each do |hostname|
+ hostdata = @nagios_hosts[hostname]
+ domain_internal = hostdata['domain_internal']
+ if hostdata['environment'] == env_name
+ hosts << '"' + domain_internal + '", '
+ end
+ end
+ contact_groups << ' ( "%s", [%s] )' % [env_name, hosts]
+ end
+%>
+host_contactgroups = [
+<%= contact_groups.join(",\n") %>
+]
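Review bot: A host whose `environment` value is missing or not among the `@environments` keys never enters any contact group, because the `if hostdata['environment'] == env_name` test only appends on an exact match; since the removed static file routed every host to `admins`, such hosts now notify nobody, so a fallback group or a template-time failure when a host matches no environment is worth adding. `domain_internal` and `env_name` are spliced into Python source without escaping, which is fine for hiera-controlled names but breaks the generated `.mk` on any name containing `"`. The same loop is duplicated verbatim in `hostgroups.mk` in this commit; one shared computation would keep the two lists from drifting.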
diff --git a/puppet/modules/site_check_mk/templates/hostgroups.mk b/puppet/modules/site_check_mk/templates/hostgroups.mk
index 79b7f92f..7158dcd1 100644
--- a/puppet/modules/site_check_mk/templates/hostgroups.mk
+++ b/puppet/modules/site_check_mk/templates/hostgroups.mk
@@ -1,4 +1,17 @@
+<%
+ host_groups = []
+ @environments.keys.sort.each do |env_name|
+ hosts = ""
+ @nagios_hosts.keys.sort.each do |hostname|
+ hostdata = @nagios_hosts[hostname]
+ domain_internal = hostdata['domain_internal']
+ if hostdata['environment'] == env_name
+ hosts << '"' + domain_internal + '", '
+ end
+ end
+ host_groups << ' ( "%s", [%s] )' % [env_name, hosts]
+ end
+%>
host_groups = [
- <% @domains_internal.each do |domain| %>( '<%= domain %>', [<% @nagios_hosts.keys.sort.each do |key| -%><% if @nagios_hosts[key]['domain_internal'] == key+'.'+domain -%>'<%= key %>.<%= domain %>', <% end -%><% end -%>] ),
- <% end -%>
+<%= host_groups.join(",\n") %>
]
diff --git a/puppet/modules/site_nagios/files/plugins/check_last_regex_in_log b/puppet/modules/site_nagios/files/plugins/check_last_regex_in_log
new file mode 100755
index 00000000..cf7c03e5
--- /dev/null
+++ b/puppet/modules/site_nagios/files/plugins/check_last_regex_in_log
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# depends on nagios-plugins-common for /usr/lib/nagios/plugins/utils.sh
+# this package is installed using leap_platform by the Site_check_mk::Agent::Mrpe
+# class
+
+set -e
+
+usage()
+{
+cat << EOF
+usage: $0 -w <sec> -c <sec> -r <regexp> -f <filename>
+
+OPTIONS:
+ -h Show this message
+ -r <regex> regex to grep for
+ -f <file> logfile to search in
+ -w <sec> warning state after X seconds
+ -c <sec> critical state after x seconds
+
+example: $0 -f /var/log/syslog -r 'tapicero' -w 300 -c 600
+EOF
+}
+
+
+. /usr/lib/nagios/plugins/utils.sh
+
+
+warn=0
+crit=0
+log=''
+regex=''
+
+set -- $(getopt hr:f:w:c: "$@")
+while [ $# -gt 0 ]
+do
+ case "$1" in
+ (-h) usage; exit 0 ;;
+ (-f) log="$2"; shift;;
+ (-r) regex="$2"; shift;;
+ (-w) warn="$2"; shift;;
+ (-c) crit="$2"; shift;;
+ (--) shift; break;;
+ (-*) echo "$0: error - unrecognized option $1" 1>&2; exit 1;;
+ (*) break;;
+ esac
+ shift
+done
+
+[ $warn -eq 0 -o $crit -eq 0 -o -z "$regex" -o -z "$log" ] && ( usage; exit $STATE_UNKNOWN)
+[ -f "$log" ] || (echo "$log doesn't exist"; exit $STATE_UNKNOWN)
+
+lastmsg=$(tac $log | grep -i $regex | head -1 | cut -d' ' -f 1-3)
+
+if [ -z "$lastmsg" ]
+then
+ summary="\"$regex\" in $log was not found"
+ state=$STATE_CRITICAL
+ state_text='CRITICAL'
+ diff_sec=0
+else
+ lastmsg_sec=$(date '+%s' -d "$lastmsg")
+ now_sec=$(date '+%s')
+
+ diff_sec=$(($now_sec - $lastmsg_sec))
+
+ if [ $diff_sec -lt $warn ]; then
+ state=$STATE_OK
+ state_text='OK'
+ elif [ $diff_sec -lt $crit ]; then
+ state=$STATE_WARNING
+ state_text='WARNING'
+ else
+ state=$STATE_CRITICAL
+ state_text='CRITICAL'
+ fi
+
+ summary="Last occurrence of \"$regex\" in $log was $diff_sec sec ago"
+fi
+
+# check_mk_agent output
+# echo "$state Tapicero_Heatbeat sec=$diff_sec;$warn;$crit;0; $state_text - $summary"
+
+echo "${state_text}: $summary | seconds=${diff_sec};$warn;$crit;0;"
+exit $state
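Review bot: `$regex` and `$log` are expanded unquoted in the `tac $log | grep -i $regex` pipeline, so a pattern containing spaces, `*` or `?` is word-split and glob-expanded before grep sees it; use `lastmsg=$(tac "$log" | grep -i -- "$regex" | head -1 | cut -d' ' -f 1-3)`. The two guard lines use `( usage; exit $STATE_UNKNOWN )`, where `exit` only leaves the subshell; they terminate the script today only because `set -e` propagates the subshell's non-zero status, so `{ usage; exit "$STATE_UNKNOWN"; }` is the intended form. `date -d "$lastmsg"` parses a syslog timestamp that carries no year, so a message from late December read in early January presumably resolves to a future date and a negative `diff_sec`, which is reported as OK.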
diff --git a/puppet/modules/site_nagios/manifests/add_host_services.pp b/puppet/modules/site_nagios/manifests/add_host_services.pp
index 279809d1..bd968e6f 100644
--- a/puppet/modules/site_nagios/manifests/add_host_services.pp
+++ b/puppet/modules/site_nagios/manifests/add_host_services.pp
@@ -1,10 +1,13 @@
define site_nagios::add_host_services (
$domain_full_suffix,
$domain_internal,
+ $domain_internal_suffix,
$ip_address,
$services,
$ssh_port,
- $openvpn_gateway_address='' ) {
+ $environment,
+ $openvpn_gateway_address='',
+ ) {
$nagios_hostname = $domain_internal
@@ -16,6 +19,7 @@ define site_nagios::add_host_services (
'hostname' => $nagios_hostname,
'ip_address' => $ip_address,
'openvpn_gw' => $openvpn_gateway_address,
+ 'environment' => $environment
}
$dynamic_parameters = {
'service' => '%s'
diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp
index 1b67d14e..72cd038a 100644
--- a/puppet/modules/site_nagios/manifests/add_service.pp
+++ b/puppet/modules/site_nagios/manifests/add_service.pp
@@ -1,5 +1,5 @@
define site_nagios::add_service (
- $hostname, $ip_address, $openvpn_gw = '', $service) {
+ $hostname, $ip_address, $service, $environment, $openvpn_gw = '') {
$ssh = hiera_hash('ssh')
$ssh_port = $ssh['port']
@@ -9,19 +9,22 @@ define site_nagios::add_service (
nagios_service {
"${name}_ssh":
use => 'generic-service',
- check_command => "check_ssh_port!$ssh_port",
+ check_command => "check_ssh_port!${ssh_port}",
service_description => 'SSH',
- host_name => $hostname;
+ host_name => $hostname,
+ contact_groups => $environment;
"${name}_cert":
use => 'generic-service',
check_command => 'check_https_cert',
service_description => 'Website Certificate',
- host_name => $hostname;
+ host_name => $hostname,
+ contact_groups => $environment;
"${name}_website":
use => 'generic-service',
check_command => 'check_https',
service_description => 'Website',
- host_name => $hostname
+ host_name => $hostname,
+ contact_groups => $environment;
}
}
default: {}
diff --git a/puppet/modules/site_nagios/manifests/plugins.pp b/puppet/modules/site_nagios/manifests/plugins.pp
new file mode 100644
index 00000000..90a01cfb
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/plugins.pp
@@ -0,0 +1,16 @@
+# Deploy generic plugins useful to all nodes
+# nagios::plugin won't work to deploy a plugin
+# because it complains with:
+# Could not find dependency Package[nagios-plugins] …
+# at /srv/leap/puppet/modules/nagios/manifests/plugin.pp:18
+class site_nagios::plugins {
+
+ file { [
+ '/usr/local/lib', '/usr/local/lib/nagios',
+ '/usr/local/lib/nagios/plugins' ]:
+ ensure => directory;
+ '/usr/local/lib/nagios/plugins/check_last_regex_in_log':
+ source => 'puppet:///modules/site_nagios/plugins/check_last_regex_in_log',
+ mode => '0755';
+ }
+}
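Review bot: The plugin file sets `mode => '0755'` but leaves `owner` and `group` unmanaged, and the three directories get neither mode nor ownership; since the agent executes this script, pinning `owner => 'root', group => 'root'` on both the file and the directories makes the ownership explicit and lets Puppet correct drift instead of inheriting whatever created `/usr/local/lib`.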
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index b195c880..092ca503 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -6,17 +6,16 @@ class site_nagios::server inherits nagios::base {
$nagios_hiera = hiera('nagios')
$nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw'])
$nagios_hosts = $nagios_hiera['hosts']
- $domains_internal = $nagios_hiera['domains_internal']
+ $nagios_contacts = hiera('contacts')
+ $environment = $nagios_hiera['environments']
include nagios::base
include nagios::defaults::commands
- include nagios::defaults::contactgroups
- include nagios::defaults::contacts
include nagios::defaults::templates
include nagios::defaults::timeperiods
include nagios::defaults::plugins
- class {'nagios':
+ class { 'nagios':
# don't manage apache class from nagios, cause we already include
# it in site_apache::common
httpd => 'absent',
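Review bot: `$environment = $nagios_hiera['environments']` reuses the name of Puppet's built-in top-scope `$environment` variable for a hash of monitoring environments, so every later use reads like the agent environment; `site_nagios::server::icli` in this same commit calls the same value `$environments`, and renaming it here (and in the three `create_resources` calls in the last hunk) keeps the two consistent. `$nagios_contacts = hiera('contacts')` is assigned but not referenced in any visible hunk; if it is unused, drop it.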
@@ -53,6 +52,7 @@ class site_nagios::server inherits nagios::base {
include site_nagios::server::apache
include site_check_mk::server
include site_shorewall::monitor
+ include site_nagios::server::icli
augeas {
'logrotate_nagios':
@@ -63,5 +63,7 @@ class site_nagios::server inherits nagios::base {
'set copytruncate copytruncate' ]
}
- ::site_nagios::server::hostgroup { $domains_internal: }
+ create_resources ( site_nagios::server::hostgroup, $environment )
+ create_resources ( site_nagios::server::contactgroup, $environment )
+ create_resources ( site_nagios::server::add_contacts, $environment )
}
diff --git a/puppet/modules/site_nagios/manifests/server/add_contacts.pp b/puppet/modules/site_nagios/manifests/server/add_contacts.pp
new file mode 100644
index 00000000..db507abf
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/server/add_contacts.pp
@@ -0,0 +1,16 @@
+define site_nagios::server::add_contacts ($contact_emails) {
+
+ $environment = $name
+
+ nagios_contact {
+ $environment:
+ alias => $environment,
+ service_notification_period => '24x7',
+ host_notification_period => '24x7',
+ service_notification_options => 'w,u,c,r',
+ host_notification_options => 'd,r',
+ service_notification_commands => 'notify-service-by-email',
+ host_notification_commands => 'notify-host-by-email',
+ email => join($contact_emails, ', ')
+ }
+}
diff --git a/puppet/modules/site_nagios/manifests/server/contactgroup.pp b/puppet/modules/site_nagios/manifests/server/contactgroup.pp
new file mode 100644
index 00000000..188c54f1
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/server/contactgroup.pp
@@ -0,0 +1,6 @@
+define site_nagios::server::contactgroup ($contact_emails) {
+
+ nagios_contactgroup { $name:
+ members => $name
+ }
+}
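Review bot: `$contact_emails` is a required parameter that the body never uses; presumably it exists so that `create_resources` can be fed the same environments hash as `add_contacts`, and `hostgroup.pp` in this commit gains the identical unused parameter for the same reason. A comment such as `# $contact_emails is unused here; accepted so the environments hash can be passed unchanged via create_resources` in both defines would stop the next reader from removing it and breaking the catalog.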
diff --git a/puppet/modules/site_nagios/manifests/server/hostgroup.pp b/puppet/modules/site_nagios/manifests/server/hostgroup.pp
index 035ba7d1..6f85ca6d 100644
--- a/puppet/modules/site_nagios/manifests/server/hostgroup.pp
+++ b/puppet/modules/site_nagios/manifests/server/hostgroup.pp
@@ -1,3 +1,3 @@
-define site_nagios::server::hostgroup {
+define site_nagios::server::hostgroup ($contact_emails) {
nagios_hostgroup { $name: }
}
diff --git a/puppet/modules/site_nagios/manifests/server/icli.pp b/puppet/modules/site_nagios/manifests/server/icli.pp
new file mode 100644
index 00000000..26fba725
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/server/icli.pp
@@ -0,0 +1,26 @@
+# Install icli package and configure ncli aliases
+class site_nagios::server::icli {
+ $nagios_hiera = hiera('nagios')
+ $environments = $nagios_hiera['environments']
+
+ package { 'icli':
+ ensure => installed;
+ }
+
+ file { '/root/.bashrc':
+ ensure => present;
+ }
+
+ file_line { 'icli aliases':
+ path => '/root/.bashrc',
+ line => 'source /root/.icli_aliases';
+ }
+
+ file { '/root/.icli_aliases':
+ content => template("${module_name}/icli_aliases.erb"),
+ mode => '0644',
+ owner => root,
+ group => 0,
+ require => Package['icli'];
+ }
+} \ No newline at end of file
diff --git a/puppet/modules/site_nagios/templates/icli_aliases.erb b/puppet/modules/site_nagios/templates/icli_aliases.erb
new file mode 100644
index 00000000..f1428f9e
--- /dev/null
+++ b/puppet/modules/site_nagios/templates/icli_aliases.erb
@@ -0,0 +1,7 @@
+alias ncli='icli -c /var/cache/nagios3/objects.cache -f /var/cache/nagios3/status.dat -F /var/lib/nagios3/rw/nagios.cmd'
+alias ncli_problems='ncli -z '!o,!A''
+
+<% @environments.keys.sort.each do |env_name| %>
+alias ncli_<%= env_name %>='ncli -z '!o,!A' -g <%= env_name %>'
+alias ncli_<%= env_name %>_recheck='ncli -s Check_MK -g <%= env_name %> -r'
+<% end -%> \ No newline at end of file
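Review bot: In `alias ncli_problems='ncli -z '!o,!A''` and the two templated aliases, the inner single quotes close and reopen the string, so `!o,!A` sits outside any quoting and the trailing `''` is a no-op; this presumably works only because history expansion is not applied while the file is sourced. `alias ncli_problems='ncli -z "!o,!A"'` expresses the intent and passes the same argument to icli. `env_name` from hiera is interpolated directly into an alias name and a `-g` argument that root's shell evaluates, which is acceptable for admin-controlled names but deserves a comment above the loop saying so.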
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 466f6d00..221c79a7 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -57,6 +57,8 @@ define site_openvpn::server_config(
$management, $config, $tls_remote = undef) {
$openvpn_configname = $name
+ $shortname = regsubst(regsubst($name, '_config', ''), '_', '-')
+ $openvpn_status_filename = "/var/run/openvpn-status-${shortname}"
concat {
"/etc/openvpn/${openvpn_configname}.conf":
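Review bot: `regsubst($name, '_', '-')` replaces only the first underscore because no `'G'` flag is given, so a config name with two underscores yields a status filename mixing `-` and `_`; use `$shortname = regsubst(regsubst($name, '_config', ''), '_', '-', 'G')`. The define's body continues outside the hunk.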
@@ -187,7 +189,7 @@ define site_openvpn::server_config(
server => $openvpn_configname;
"status ${openvpn_configname}":
key => 'status',
- value => '/var/run/openvpn-status 10',
+ value => "${openvpn_status_filename} 10",
server => $openvpn_configname;
"status-version ${openvpn_configname}":
key => 'status-version',
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index bdfee665..81f10b77 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -1,12 +1,12 @@
class site_postfix::mx {
- $domain_hash = hiera ('domain')
+ $domain_hash = hiera('domain')
$domain = $domain_hash['full_suffix']
$host_domain = $domain_hash['full']
$cert_name = hiera('name')
$mynetworks = join(hiera('mynetworks'), ' ')
- $root_mail_recipient = hiera ('contacts')
+ $root_mail_recipient = hiera('contacts')
$postfix_smtp_listen = 'all'
include site_config::x509::cert
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index d9b59f40..d56f6b54 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -1,5 +1,6 @@
class site_postfix::mx::smtp_tls {
+ include site_config::x509::ca
include x509::variables
$ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
$cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
diff --git a/puppet/modules/site_sshd/templates/ssh_config.erb b/puppet/modules/site_sshd/templates/ssh_config.erb
index 7e967413..36c0b6d5 100644
--- a/puppet/modules/site_sshd/templates/ssh_config.erb
+++ b/puppet/modules/site_sshd/templates/ssh_config.erb
@@ -21,3 +21,20 @@ Host *
StrictHostKeyChecking no
<% end -%>
+#
+# Tell SSH what host key algorithm we should use. I don't understand why this
+# is needed, since the man page says that "if hostkeys are known for the
+# destination host then [HostKeyAlgorithms default] is modified to prefer
+# their algorithms."
+#
+
+<% @hosts.sort.each do |name, host| -%>
+Host <%= name %> <%= host['domain_full'] %> <%= host['domain_internal'] %> <%= host['ip_address'] %>
+<% if host['host_pub_key'] -%>
+HostKeyAlgorithms <%= host['host_pub_key'].split(" ").first %>
+<% end -%>
+<% if host['port'] -%>
+Port <%= host['port'] %>
+<% end -%>
+
+<% end -%>
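Review bot: The per-host stanzas are emitted after the `Host *` block that the hunk header shows enclosing the context, and ssh_config uses the first value obtained for each option, so any `Port` or `HostKeyAlgorithms` set under `Host *` would silently override the per-host values added here; if `Host *` sets either, these stanzas need to move above it. The `HostKeyAlgorithms` value is `host['host_pub_key'].split(" ").first` with no check that the token is a key-type name; a malformed `host_pub_key` in hiera would emit a line ssh rejects and, since a config parse error aborts ssh, break connections to every host. The header comment could state the likely reason for the pin instead of leaving it open: presumably it guarantees the known key's type is negotiated even when the known_hosts lookup does not match the name used to connect.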
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 6e347d35..aed9775e 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -1,5 +1,10 @@
class site_static {
tag 'leap_service'
+
+ include site_config::x509::cert
+ include site_config::x509::key
+ include site_config::x509::ca_bundle
+
$static = hiera('static')
$domains = $static['domains']
$formats = $static['formats']
@@ -33,7 +38,7 @@ class site_static {
include site_apt::preferences::passenger
class { 'passenger':
use_munin => false,
- require => Class['site_apt::preferences::passenger']
+ require => Class['site_apt::preferences::passenger']
}
}
diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp
index d14e813d..80ccc5d3 100644
--- a/puppet/modules/site_tor/manifests/init.pp
+++ b/puppet/modules/site_tor/manifests/init.pp
@@ -18,8 +18,8 @@ class site_tor {
else {
$openvpn_ports = []
}
-
- class { 'tor::daemon': }
+
+ include tor::daemon
tor::daemon::relay { $nickname:
port => 9001,
address => $address,
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index ac0e8a37..16b6e2e7 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -21,7 +21,7 @@ class site_webapp::hidden_service {
'/var/lib/tor/webapp/private_key':
ensure => present,
- source => '/srv/leap/files/nodes/web/tor.key',
+ source => "/srv/leap/files/nodes/${::hostname}/tor.key",
owner => 'debian-tor',
group => 'debian-tor',
mode => '0600';
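Review bot: The key path is now selected by the `$::hostname` fact, which the agent reports about itself, while `mx.pp` in this commit obtains the node name from `hiera('name')`; if the hiera name and the hostname fact ever differ, the wrong key or none is picked, so deriving the directory from the same hiera value keeps the two consistent. The enclosing `file` resource starts outside the hunk.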
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 752993c1..9f97d2c5 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -165,6 +165,13 @@ class site_webapp {
}
}
+
+ # needed for the soledad-sync check which is run on the
+ # webapp node (#6520)
+ package { 'python-u1db':
+ ensure => latest,
+ }
+
include site_shorewall::webapp
include site_check_mk::agent::webapp
}
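Review bot: `ensure => latest` on `python-u1db` makes every Puppet run upgrade the package whenever the repository publishes a new version, so a dependency of a monitoring check changes outside any deploy; `ensure => installed` (or a pinned version) keeps it under change control. The comment says the package is needed for the soledad-sync check run on the webapp node, yet `site_check_mk::agent::webapp` in this same commit removes `/usr/lib/check_mk_agent/local/soledad_sync.py`; if the check now lives elsewhere, the comment should say where.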
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel
-Subproject ec49fd93c2469bc5c13f7e6a7d25468613e1b84
+Subproject b0dc7c84b5f55aec12d7d65da812037913d9dbe
diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp
index 2bf72004..28711b94 100644
--- a/puppet/modules/tapicero/manifests/init.pp
+++ b/puppet/modules/tapicero/manifests/init.pp
@@ -95,7 +95,7 @@ class tapicero {
vcsrepo { '/srv/leap/tapicero':
ensure => present,
force => true,
- revision => 'origin/master',
+ revision => 'origin/version/0.6',
provider => git,
source => 'https://leap.se/git/tapicero',
owner => 'tapicero',