diff options
Diffstat (limited to 'puppet/modules')
-rw-r--r-- | puppet/modules/journald/manifests/init.pp | 7 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/syslog.pp | 19 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 21 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx/checks.pp | 18 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx/received_anon.pp | 13 | ||||
-rw-r--r-- | puppet/modules/site_sshd/manifests/init.pp | 3 |
6 files changed, 50 insertions, 31 deletions
diff --git a/puppet/modules/journald/manifests/init.pp b/puppet/modules/journald/manifests/init.pp new file mode 100644 index 00000000..879baba4 --- /dev/null +++ b/puppet/modules/journald/manifests/init.pp @@ -0,0 +1,7 @@ +class journald { + + service { 'systemd-journald': + ensure => running, + enable => true, + } +} diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index c397dc15..d1deefcd 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -4,12 +4,25 @@ class site_config::syslog { # only pin rsyslog packages to backports on wheezy case $::operatingsystemrelease { /^7.*/: { - include site_apt::preferences::rsyslog + include ::site_apt::preferences::rsyslog + } + # on jessie+ systems, systemd and journald are enabled, + # and journald logs IP addresses, so we need to disable + # it until a solution is found, (#7863): + # https://github.com/systemd/systemd/issues/2447 + default: { + include ::journald + augeas { + 'disable_journald': + incl => '/etc/systemd/journald.conf', + lens => 'Puppet.lns', + changes => 'set /files/etc/systemd/journald.conf/Journal/Storage \'none\'', + notify => Service['systemd-journald']; + } } - default: { } } - class { 'rsyslog::client': + class { '::rsyslog::client': log_remote => false, log_local => true } diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 59a02598..2ea54d0a 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -80,20 +80,23 @@ class site_postfix::mx { value => 'smtp'; 'mailbox_command': value => ''; + 'header_checks': + value => ''; 'postscreen_access_list': value => 'permit_mynetworks'; 'postscreen_greet_action': value => 'enforce'; } - include site_postfix::mx::smtpd_checks - include site_postfix::mx::checks - include site_postfix::mx::smtp_tls - include site_postfix::mx::smtpd_tls - include site_postfix::mx::static_aliases - include site_postfix::mx::rewrite_openpgp_header - include clamav - include postfwd + include ::site_postfix::mx::smtpd_checks + include ::site_postfix::mx::checks + include ::site_postfix::mx::smtp_tls + include ::site_postfix::mx::smtpd_tls + include ::site_postfix::mx::static_aliases + include ::site_postfix::mx::rewrite_openpgp_header + include ::site_postfix::mx::received_anon + include ::clamav + include ::postfwd # greater verbosity for debugging, take out for production #include site_postfix::debug @@ -116,7 +119,7 @@ ${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_r -o smtpd_client_restrictions= -o cleanup_service_name=clean_smtps clean_smtps unix n - n - 0 cleanup - -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers" + -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers,pcre:/etc/postfix/checks/received_anon" class { 'postfix': preseed => true, diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp index 5d75a5e5..f406ad34 100644 --- a/puppet/modules/site_postfix/manifests/mx/checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp @@ -20,22 +20,4 @@ class site_postfix::mx::checks { refreshonly => true, subscribe => File['/etc/postfix/checks/helo_checks']; } - - # Anonymize the user's home IP from the email headers (Feature #3866) - package { 'postfix-pcre': ensure => installed, require => Package['postfix'] } - - file { '/etc/postfix/checks/received_anon': - source => 'puppet:///modules/site_postfix/checks/received_anon', - mode => '0644', - owner => root, - group => root, - notify => Service['postfix'] - } - - postfix::config { - 'header_checks': - value => 'pcre:/etc/postfix/checks/received_anon', - require => File['/etc/postfix/checks/received_anon']; - } - } diff --git a/puppet/modules/site_postfix/manifests/mx/received_anon.pp b/puppet/modules/site_postfix/manifests/mx/received_anon.pp new file mode 100644 index 00000000..51ba3faa --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/received_anon.pp @@ -0,0 +1,13 @@ +# Anonymize the user's home IP from the email headers (Feature #3866) +class site_postfix::mx::received_anon { + + package { 'postfix-pcre': ensure => installed, require => Package['postfix'] } + + file { '/etc/postfix/checks/received_anon': + source => 'puppet:///modules/site_postfix/checks/received_anon', + mode => '0644', + owner => root, + group => root, + notify => Service['postfix'] + } +} diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index be0d3368..a9202da4 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -76,6 +76,7 @@ MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' tcp_forwarding => $ssh_config['AllowTcpForwarding'], manage_client => false, use_storedconfigs => false, - tail_additional_options => $tail_additional_options + tail_additional_options => $tail_additional_options, + hostkey_type => [ 'rsa', 'dsa', 'ecdsa' ] } } |