Diffstat (limited to 'puppet')
m--------- | puppet/modules/apt | 0 | ||||
m--------- | puppet/modules/couchdb | 0 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/files.pp | 7 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/remove.pp | 7 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/remove/jessie.pp | 9 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/remove/tapicero.pp | 5 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/resolvconf.pp | 2 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/syslog.pp | 37 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 17 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 |
10 files changed, 66 insertions, 20 deletions
diff --git a/puppet/modules/apt b/puppet/modules/apt -Subproject e12c5bfd6c9ff5d1dc5e14c227e8c15388ecb04 +Subproject d459567bf246eee85cd101c2e2f17f451e6230b diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb -Subproject 84b1d857b0ea8a9987be0748dab9f6a3ddaba94 +Subproject b2dada713dd3486dec8eaf9bdcd1e223c9297f6 diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp index 684d3ad0..d2ef8a98 100644 --- a/puppet/modules/site_config/manifests/files.pp +++ b/puppet/modules/site_config/manifests/files.pp @@ -1,3 +1,4 @@ +# set up core leap files and directories class site_config::files { file { @@ -7,15 +8,15 @@ class site_config::files { group => 'root', mode => '0711'; - '/var/lib/leap': + [ '/etc/leap', '/var/lib/leap']: ensure => directory, - owner => root, + owner => 'root', group => 'root', mode => '0755'; '/var/log/leap': ensure => directory, - owner => root, + owner => 'root', group => 'adm', mode => '0750'; } diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp index b1ad1a2b..443df9c2 100644 --- a/puppet/modules/site_config/manifests/remove.pp +++ b/puppet/modules/site_config/manifests/remove.pp @@ -1,4 +1,11 @@ # remove leftovers from previous deploys class site_config::remove { include site_config::remove::files + + case $::operatingsystemrelease { + /^8.*/: { + include site_config::remove::jessie + } + default: { } + } } diff --git a/puppet/modules/site_config/manifests/remove/jessie.pp b/puppet/modules/site_config/manifests/remove/jessie.pp new file mode 100644 index 00000000..cbeaae05 --- /dev/null +++ b/puppet/modules/site_config/manifests/remove/jessie.pp @@ -0,0 +1,9 @@ +# remove possible leftovers after upgrading from wheezy to jessie +class site_config::remove::jessie { + + tidy { + '/etc/apt/preferences.d/rsyslog_anon_depends': + notify => Exec['refresh_apt']; + } + +} 
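Review bot: The new `case` in site_config::remove tests `/^8.*/` against `$::operatingsystemrelease` alone, so any distribution whose release string begins with 8 is treated as Debian jessie, and the trailing `.*` adds nothing to the match. Keying on the codename where that fact is available states the intent directly, e.g. `case $::lsbdistcodename { 'jessie': { include site_config::remove::jessie } default: { } }`. The same release-only pattern appears as `/^7.*/` in the syslog.pp and server_config.pp hunks of this commit, where the `default:` branch then covers every host that is not 7.x.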
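Review bot: The `notify => Exec['refresh_apt']` in the new site_config::remove::jessie class points at a resource this class neither declares nor includes, so catalog compilation depends on some other class always bringing it in. If that is guaranteed elsewhere, a comment is enough, for example `# Exec['refresh_apt'] is declared outside this class; it must be in every catalog that includes this one`; otherwise include the declaring class here. The `tidy` resource sets no `age` or `size`, so the preferences file is removed unconditionally, which is presumably the intent.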
diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp index 4ce972d0..07c3c6c6 100644 --- a/puppet/modules/site_config/manifests/remove/tapicero.pp +++ b/puppet/modules/site_config/manifests/remove/tapicero.pp @@ -1,6 +1,8 @@ # remove tapicero leftovers from previous deploys on couchdb nodes class site_config::remove::tapicero { + ensure_packages('curl') + # remove tapicero couchdb user $couchdb_config = hiera('couch') $couchdb_mode = $couchdb_config['mode'] @@ -14,7 +16,8 @@ class site_config::remove::tapicero { exec { 'remove_couchdb_user': onlyif => "/usr/bin/curl -s 127.0.0.1:${port}/_users/org.couchdb.user:tapicero | grep -qv 'not_found'", - command => "/usr/local/bin/couch-doc-update --host 127.0.0.1:${port} --db _users --id org.couchdb.user:tapicero --delete" + command => "/usr/local/bin/couch-doc-update --host 127.0.0.1:${port} --db _users --id org.couchdb.user:tapicero --delete", + require => Package['curl'] } diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 05990c67..09f0b405 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -8,7 +8,7 @@ class site_config::resolvconf { nameservers => [ '127.0.0.1 # local caching-only, unbound', '85.214.20.141 # Digitalcourage, a german privacy organisation: (https://en.wikipedia.org/wiki/Digitalcourage)', - '77.109.138.45 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)' + '172.81.176.146 # OpenNIC (https://servers.opennicproject.org/edit.php?srv=ns1.tor.ca.dns.opennic.glue)' ] } } diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index 83b49c8e..c397dc15 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp 
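Review bot: The replacement fallback entry in the `nameservers` array of resolvconf.pp is a hard-coded address of an OpenNIC server, and its comment links to an `edit.php` page rather than a stable description of who operates it. Answers from that upstream are only as trustworthy as the validation done by the local unbound instance listed first, and OpenNIC resolvers also answer for names outside the ICANN root, so the comment should say whether DNSSEC validation is enforced locally (not visible in this hunk). Since one upstream address already had to be swapped out here, reading the list from hiera with these values as defaults would let operators change it without editing the manifest. The class body starts outside the hunk.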
@@ -1,6 +1,13 @@ +# configure rsyslog on all nodes class site_config::syslog { - include site_apt::preferences::rsyslog + # only pin rsyslog packages to backports on wheezy + case $::operatingsystemrelease { + /^7.*/: { + include site_apt::preferences::rsyslog + } + default: { } + } class { 'rsyslog::client': log_remote => false, @@ -15,12 +22,13 @@ action(type="mmanon" ipv4.bits="32" mode="rewrite")' augeas { 'logrotate_leap_deploy': context => '/files/etc/logrotate.d/leap_deploy/rule', - changes => [ 'set file /var/log/leap/deploy.log', - 'set rotate 5', - 'set size 1M', - 'set compress compress', - 'set missingok missingok', - 'set copytruncate copytruncate' ]; + changes => [ + 'set file /var/log/leap/deploy.log', + 'set rotate 5', + 'set size 1M', + 'set compress compress', + 'set missingok missingok', + 'set copytruncate copytruncate' ]; # NOTE: # the puppet_command script requires the option delaycompress @@ -28,12 +36,13 @@ action(type="mmanon" ipv4.bits="32" mode="rewrite")' 'logrotate_leap_deploy_summary': context => '/files/etc/logrotate.d/leap_deploy_summary/rule', - changes => [ 'set file /var/log/leap/deploy-summary.log', - 'set rotate 5', - 'set size 100k', - 'set delaycompress delaycompress', - 'set compress compress', - 'set missingok missingok', - 'set copytruncate copytruncate' ] + changes => [ + 'set file /var/log/leap/deploy-summary.log', + 'set rotate 5', + 'set size 100k', + 'set delaycompress delaycompress', + 'set compress compress', + 'set missingok missingok', + 'set copytruncate copytruncate' ] } } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 221c79a7..ca9926cc 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -204,4 +204,21 @@ define site_openvpn::server_config( value => '3', server => $openvpn_configname; } + + # register openvpn services at systemd on nodes newer than wheezy + # see https://leap.se/code/issues/7798 + case $::operatingsystemrelease { + /^7.*/: { } + default: { + exec { "enable_systemd_${openvpn_configname}": + refreshonly => true, + command => "/bin/systemctl enable openvpn@${openvpn_configname}", + subscribe => File["/etc/openvpn/${openvpn_configname}.conf"], + notify => Service["openvpn@${openvpn_configname}"]; + } + service { "openvpn@${openvpn_configname}": + ensure => running + } + } + } } diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index f2bd571b..0ea452ee 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks { 'checks_dir': value => '$config_directory/checks'; 'smtpd_client_restrictions': - value => "${site_postfix::mx::rbls}permit_mynetworks,permit"; + value => "permit_mynetworks,${site_postfix::mx::rbls},permit"; 'smtpd_data_restrictions': value => 'permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': |
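Review bot: The new `exec` that runs `/bin/systemctl enable openvpn@${openvpn_configname}` is `refreshonly` and subscribed to the config file, so on a node where that file already exists and does not change (for instance after a wheezy-to-jessie upgrade) the unit is never enabled. Letting the service resource own this is idempotent and removes the interpolated command string: `service { "openvpn@${openvpn_configname}": ensure => running, enable => true, provider => 'systemd', subscribe => File["/etc/openvpn/${openvpn_configname}.conf"] }`, assuming the Puppet version in use handles templated units; the linked issue may explain why it does not. If the exec stays, `$openvpn_configname` should be checked against a strict pattern before it reaches a command line, and the `default:` branch should be limited to systemd hosts rather than everything that is not 7.x. The define starts outside the hunk.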
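Review bot: The new `smtpd_client_restrictions` value puts literal commas on both sides of `${site_postfix::mx::rbls}`, whereas the old string had none after it, which suggests the variable used to carry its own trailing comma. Its definition is not in this hunk, so confirm it was changed to match and that an empty RBL list does not yield `permit_mynetworks,,permit`. Moving `permit_mynetworks` to the front also means clients in `mynetworks` are no longer checked against the RBLs; that looks intended but deserves a comment such as `# own networks are exempt from RBL lookups`. The class continues outside the hunk.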