Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/manifests/site.pp | 114 | ||||
m--------- | puppet/modules/apache | 0 | ||||
m--------- | puppet/modules/backupninja | 0 | ||||
m--------- | puppet/modules/bundler | 0 | ||||
m--------- | puppet/modules/couchdb | 0 | ||||
m--------- | puppet/modules/nagios | 0 | ||||
m--------- | puppet/modules/rubygems | 0 | ||||
-rw-r--r-- | puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg | 4 | ||||
-rw-r--r-- | puppet/modules/site_config/lib/puppet/parser/functions/create_resources_hash_from.rb (renamed from puppet/lib/puppet/parser/functions/create_resources_hash_from.rb) | 0 | ||||
-rw-r--r-- | puppet/modules/site_config/lib/puppet/parser/functions/sorted_json.rb (renamed from puppet/lib/puppet/parser/functions/sorted_json.rb) | 0 | ||||
-rw-r--r-- | puppet/modules/site_config/lib/puppet/parser/functions/sorted_yaml.rb (renamed from puppet/lib/puppet/parser/functions/sorted_yaml.rb) | 0 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/files/local.ini | 89 | ||||
-rw-r--r-- | puppet/modules/site_nagios/manifests/server.pp | 2 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 8 | ||||
m--------- | puppet/modules/tor | 0 |
15 files changed, 70 insertions, 147 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index ecda4012..3bf6a5c1 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -1,60 +1,62 @@ -# set a default exec path -# the logoutput exec parameter defaults to "on_error" in puppet 3, -# but to "false" in puppet 2.7, so we need to set this globally here -Exec { - logoutput => on_failure, - path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' -} - -Package <| provider == 'apt' |> { - install_options => ['--no-install-recommends'], -} - -$services = hiera('services', []) +$services = hiera('services', []) $services_str = join($services, ', ') notice("Services for ${fqdn}: ${services_str}") -# In the default deployment case, we want to run an 'apt-get dist-upgrade' -# to ensure the latest packages are installed. This is done by including the -# class 'site_config::slow' here. However, you only changed a small bit of -# the platform and want to skip this slow part of deployment, you can do that -# by using 'leap deploy --fast' which will only apply those resources that are -# tagged with 'leap_base' or 'leap_service'. -# See https://leap.se/en/docs/platform/details/under-the-hood#tags -include site_config::slow - -if member($services, 'openvpn') { - include site_openvpn -} - -if member($services, 'couchdb') { - include site_couchdb -} - -if member($services, 'webapp') { - include site_webapp -} - -if member($services, 'soledad') { - include soledad::server -} - -if member($services, 'monitor') { - include site_nagios -} - -if member($services, 'tor') { - include site_tor -} - -if member($services, 'mx') { - include site_mx -} - -if member($services, 'static') { - include site_static -} - -if member($services, 'obfsproxy') { - include site_obfsproxy +node default { + # set a default exec path + # the logoutput exec parameter defaults to "on_error" in puppet 3, + # but to "false" in puppet 2.7, so we need to set this globally here + Exec { + logoutput => on_failure, + path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' + } + + Package <| provider == 'apt' |> { + install_options => 
['--no-install-recommends'],
+ }
+
+ # In the default deployment case, we want to run an 'apt-get dist-upgrade'
+ # to ensure the latest packages are installed. This is done by including the
+ # class 'site_config::slow' here. However, you only changed a small bit of
+ # the platform and want to skip this slow part of deployment, you can do that
+ # by using 'leap deploy --fast' which will only apply those resources that are
+ # tagged with 'leap_base' or 'leap_service'.
+ # See https://leap.se/en/docs/platform/details/under-the-hood#tags
+ include site_config::slow
+
+ if member($services, 'openvpn') {
+ include site_openvpn
+ }
+
+ if member($services, 'couchdb') {
+ include site_couchdb
+ }
+
+ if member($services, 'webapp') {
+ include site_webapp
+ }
+
+ if member($services, 'soledad') {
+ include soledad::server
+ }
+
+ if member($services, 'monitor') {
+ include site_nagios
+ }
+
+ if member($services, 'tor') {
+ include site_tor
+ }
+
+ if member($services, 'mx') {
+ include site_mx
+ }
+
+ if member($services, 'static') {
+ include site_static
+ }
+
+ if member($services, 'obfsproxy') {
+ include site_obfsproxy
+ }
 }
diff --git a/puppet/modules/apache b/puppet/modules/apache
-Subproject 117bed9a9263c21d253d86b667eb165948efdc2
+Subproject 415e9504f99dca3ccaa4dfd389dde24ad9d0e01
diff --git a/puppet/modules/backupninja b/puppet/modules/backupninja
-Subproject 497513547be79f9d3c8e96f1650ec43ee634b27
+Subproject 5268a87c329f895017f8ea6c6abc377a4f9a6a7
diff --git a/puppet/modules/bundler b/puppet/modules/bundler
-Subproject b4a4a8434616247156e59b860b47cc6256ead8d
+Subproject bacec3e072649be4ade56f7df8506b46ae9c516
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject 40d2289f8e10625cd45fdccdf492b5fb6490e66
+Subproject 76ff149a095023611c05bbb00157d06f87b07c0
diff --git a/puppet/modules/nagios b/puppet/modules/nagios
-Subproject 68dab01a85996e14efcccf856b623a2caf25782
+Subproject e6fee3c731f68ccf8b6add8ada2162c7ad2b840
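Review bot: `Exec { ... }` and the `Package <| provider == 'apt' |>` collector now sit inside `node default`, and as far as I can tell Puppet resource defaults declared in a node block only reach classes evaluated from that node, so any second `node` definition added later would silently lose the exec path default and `--no-install-recommends` while the top-scope `$services` and `notice()` would still run. Nothing in the hunk records that this scoping is intended. I would add, directly above `node default {`, the comment `# Resource defaults, the apt collector and the per-service includes below are scoped to this node definition; another node block would not inherit them.` The collector also realises any virtual apt packages it matches, which predates this change but deserves a word in the same comment.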
diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems
-Subproject e704c9fe1c40fea5b10fe3ca2b4f5de825341cc
+Subproject 510a3693eab5dc78ed27d3728ee4d3b12334ea1
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
index 71395c50..7daf0cac 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
@@ -15,3 +15,7 @@
 # 401 Unauthorized error logged by webapp and possible other
 # applications
 C Unauthorized
+# catch abnormal termination of processes (due to segfault/fpe
+# signals etc).
+# see https://github.com/pixelated/pixelated-user-agent/issues/683
+ C systemd.*: main process exited, code=killed, status=
diff --git a/puppet/lib/puppet/parser/functions/create_resources_hash_from.rb b/puppet/modules/site_config/lib/puppet/parser/functions/create_resources_hash_from.rb
index 47d0df9c..47d0df9c 100644
--- a/puppet/lib/puppet/parser/functions/create_resources_hash_from.rb
+++ b/puppet/modules/site_config/lib/puppet/parser/functions/create_resources_hash_from.rb
diff --git a/puppet/lib/puppet/parser/functions/sorted_json.rb b/puppet/modules/site_config/lib/puppet/parser/functions/sorted_json.rb
index 605da00e..605da00e 100644
--- a/puppet/lib/puppet/parser/functions/sorted_json.rb
+++ b/puppet/modules/site_config/lib/puppet/parser/functions/sorted_json.rb
diff --git a/puppet/lib/puppet/parser/functions/sorted_yaml.rb b/puppet/modules/site_config/lib/puppet/parser/functions/sorted_yaml.rb
index 46cd46ce..46cd46ce 100644
--- a/puppet/lib/puppet/parser/functions/sorted_yaml.rb
+++ b/puppet/modules/site_config/lib/puppet/parser/functions/sorted_yaml.rb
diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini
index 22aa0177..b921a927 100644
--- a/puppet/modules/site_couchdb/files/local.ini
+++ b/puppet/modules/site_couchdb/files/local.ini
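Review bot: The new pattern `C systemd.*: main process exited, code=killed, status=` matches any main process that died from a signal, which includes the `status=15/TERM` line systemd writes when a unit is stopped or restarted during a normal deploy, so the check will go CRITICAL on routine restarts and not only on the crashes the comment above it describes. Restricting the tail to the signals that actually indicate abnormal termination, e.g. `C systemd.*: main process exited, code=killed, status=(11/SEGV|8/FPE|6/ABRT|7/BUS)`, keeps the alert meaningful and avoids alert fatigue. The hunk does not show which systemd release is targeted; the lower-case `main process exited` wording should be verified against it, since later releases capitalise the message and logwatch patterns are matched as-is unless the state marker is made case-insensitive.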
@@ -1,91 +1,8 @@ -; CouchDB Configuration Settings +; Puppet modified file !! ; Custom settings should be made in this file. They will override settings ; in default.ini, but unlike changes made to default.ini, this file won't be ; overwritten on server upgrade. -[couchdb] -;max_document_size = 4294967296 ; bytes - -[httpd] -;port = 5984 -;bind_address = 127.0.0.1 -; Options for the MochiWeb HTTP server. -;server_options = [{backlog, 128}, {acceptor_pool_size, 16}] -; For more socket options, consult Erlang's module 'inet' man page. -;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}] - -; Uncomment next line to trigger basic-auth popup on unauthorized requests. -;WWW-Authenticate = Basic realm="administrator" - -; Uncomment next line to set the configuration modification whitelist. Only -; whitelisted values may be changed via the /_config URLs. To allow the admin -; to change this value over HTTP, remember to include {httpd,config_whitelist} -; itself. Excluding it from the list would require editing this file to update -; the whitelist. -;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}] - -[httpd_global_handlers] -;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>} - -# futon is enabled by default on bigcouch in default.ini -# we need to find another way to disable futon, it won't work disabling it here -# enable futon -#_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"} -# disable futon -#_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>} - -[couch_httpd_auth] -; If you set this to true, you should also uncomment the WWW-Authenticate line -; above. If you don't configure a WWW-Authenticate header, CouchDB will send -; Basic realm="server" in order to prevent you getting logged out. 
-; require_valid_user = false - -[log] -;level = debug - -[os_daemons] -; For any commands listed here, CouchDB will attempt to ensure that -; the process remains alive while CouchDB runs as well as shut them -; down when CouchDB exits. -;foo = /path/to/command -with args - -[daemons] -; enable SSL support by uncommenting the following line and supply the PEM's below. -; the default ssl port CouchDB listens on is 6984 -;httpsd = {couch_httpd, start_link, [https]} - -[ssl] -;cert_file = /etc/couchdb/server_cert.pem -;key_file = /etc/couchdb/server_key.pem -;password = somepassword -; set to true to validate peer certificates -;verify_ssl_certificates = false -; Path to file containing PEM encoded CA certificates (trusted -; certificates used for verifying a peer certificate). May be omitted if -; you do not want to verify the peer. -;cacert_file = /full/path/to/cacertf -; The verification fun (optionnal) if not specidied, the default -; verification fun will be used. -;verify_fun = {Module, VerifyFun} -;ssl_certificate_max_depth = 1 -; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to -; the Virual Host will be redirected to the path. In the example below all requests -; to http://example.com/ are redirected to /database. -; If you run CouchDB on a specific port, include the port number in the vhost: -; example.com:5984 = /database - -[vhosts] -;example.com = /database/ - -[update_notification] -;unique notifier name=/full/path/to/exe -with "cmd line arg" - -; To create an admin account uncomment the '[admins]' section below and add a -; line in the format 'username = password'. When you next start CouchDB, it -; will change the password to a hash (so that your passwords don't linger -; around in plain-text files). You can add more admin accounts with more -; 'username = password' lines. Don't forget to restart CouchDB after -; changing this. 
-;[admins]
-;admin = mysecretpassword
+[compactions]
+_default = [{db_fragmentation, "70%"}, {view_fragmentation, "60%"}, {from, "03:00"}, {to, "05:00"}]
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index aa9b956e..6537124d 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -59,7 +59,7 @@ class site_nagios::server inherits nagios::base { include site_webapp::common_vhost include apache::module::headers - File ['nagios_htpasswd'] { + File['nagios_htpasswd'] { source => undef, content => "nagiosadmin:${nagiosadmin_pw}", mode => '0640',
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 6decc665..15e6fb38 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -30,7 +30,7 @@
 # auth SHA1
 #
 # dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists
-# a number of “digest” with names like “RSA-SHA256”, but this are legacy and
+# a number of "digest" with names like "RSA-SHA256", but this are legacy and
 # should be avoided.
 #
 # elijah: i am not so sure that the digest algo matters for 'auth' option, because
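Review bot: The replacement local.ini drops every section the old file carried, including the commented `[admins]`, `require_valid_user` and `[ssl]` entries, so a reader of this file can no longer tell where CouchDB's bind address, admin credentials and TLS settings are now applied; the new header `; Puppet modified file !!` says the file is managed but not by what. I would make that header name the managing module and point at the access settings, e.g. `; Managed by puppet (site_couchdb); bind_address, [admins] and [ssl] are configured in <LOCATION OF THE MANAGING TEMPLATE> - do not edit by hand.` Separately, the `_default` compaction entry has no `strict_window`, so a compaction started before 05:00 may run past the window; add `{strict_window, true}` if the window is meant as a hard limit, or a comment saying it is only a start window if not. The removed lines of this hunk continue on the two preceding lines of the page.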
@@ -40,14 +40,14 @@
 # cipher AES-128-CBC
 #
 # dkg: For the choice of cipher, we need to select an algorithm and a
-# cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm — but
+# cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm - but
 # our control channel is already relying on AES not being broken; if the
 # control channel is cracked, then the key material for the tunnel is exposed,
 # and the choice of algorithm is moot. So it makes more sense to me to rely on
 # the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to
 # me, but CBC is more well-tested, and the OpenVPN man page (at least as of
-# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered
-# advanced modes.”
+# version 2.2.1) says "CBC is recommended and CFB and OFB should be considered
+# advanced modes."
 #
 # note: the default is BF-CBC (blowfish)
 #
diff --git a/puppet/modules/tor b/puppet/modules/tor
-Subproject 8c936c166b6da1ebd0e8d95e56ceee5167357d6
+Subproject 9981a70f7ba1f9e4fe33e4eb46654295287c1fc |