Diffstat (limited to 'puppet')
-rw-r--r--puppet/manifests/site.pp114
m---------puppet/modules/apache0
m---------puppet/modules/backupninja0
m---------puppet/modules/bundler0
m---------puppet/modules/couchdb0
m---------puppet/modules/nagios0
m---------puppet/modules/rubygems0
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg4
-rw-r--r--puppet/modules/site_config/lib/puppet/parser/functions/create_resources_hash_from.rb (renamed from puppet/lib/puppet/parser/functions/create_resources_hash_from.rb)0
-rw-r--r--puppet/modules/site_config/lib/puppet/parser/functions/sorted_json.rb (renamed from puppet/lib/puppet/parser/functions/sorted_json.rb)0
-rw-r--r--puppet/modules/site_config/lib/puppet/parser/functions/sorted_yaml.rb (renamed from puppet/lib/puppet/parser/functions/sorted_yaml.rb)0
-rw-r--r--puppet/modules/site_couchdb/files/local.ini89
-rw-r--r--puppet/modules/site_nagios/manifests/server.pp2
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp8
m---------puppet/modules/tor0
15 files changed, 70 insertions, 147 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index ecda4012..3bf6a5c1 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -1,60 +1,62 @@
-# set a default exec path
-# the logoutput exec parameter defaults to "on_error" in puppet 3,
-# but to "false" in puppet 2.7, so we need to set this globally here
-Exec {
- logoutput => on_failure,
- path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin'
-}
-
-Package <| provider == 'apt' |> {
- install_options => ['--no-install-recommends'],
-}
-
-$services = hiera('services', [])
+$services = hiera('services', [])
$services_str = join($services, ', ')
notice("Services for ${fqdn}: ${services_str}")
-# In the default deployment case, we want to run an 'apt-get dist-upgrade'
-# to ensure the latest packages are installed. This is done by including the
-# class 'site_config::slow' here. However, you only changed a small bit of
-# the platform and want to skip this slow part of deployment, you can do that
-# by using 'leap deploy --fast' which will only apply those resources that are
-# tagged with 'leap_base' or 'leap_service'.
-# See https://leap.se/en/docs/platform/details/under-the-hood#tags
-include site_config::slow
-
-if member($services, 'openvpn') {
- include site_openvpn
-}
-
-if member($services, 'couchdb') {
- include site_couchdb
-}
-
-if member($services, 'webapp') {
- include site_webapp
-}
-
-if member($services, 'soledad') {
- include soledad::server
-}
-
-if member($services, 'monitor') {
- include site_nagios
-}
-
-if member($services, 'tor') {
- include site_tor
-}
-
-if member($services, 'mx') {
- include site_mx
-}
-
-if member($services, 'static') {
- include site_static
-}
-
-if member($services, 'obfsproxy') {
- include site_obfsproxy
+node default {
+ # set a default exec path
+ # the logoutput exec parameter defaults to "on_error" in puppet 3,
+ # but to "false" in puppet 2.7, so we need to set this globally here
+ Exec {
+ logoutput => on_failure,
+ path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin'
+ }
+
+ Package <| provider == 'apt' |> {
+ install_options => ['--no-install-recommends'],
+ }
+
+ # In the default deployment case, we want to run an 'apt-get dist-upgrade'
+ # to ensure the latest packages are installed. This is done by including the
+ # class 'site_config::slow' here. However, you only changed a small bit of
+ # the platform and want to skip this slow part of deployment, you can do that
+ # by using 'leap deploy --fast' which will only apply those resources that are
+ # tagged with 'leap_base' or 'leap_service'.
+ # See https://leap.se/en/docs/platform/details/under-the-hood#tags
+ include site_config::slow
+
+ if member($services, 'openvpn') {
+ include site_openvpn
+ }
+
+ if member($services, 'couchdb') {
+ include site_couchdb
+ }
+
+ if member($services, 'webapp') {
+ include site_webapp
+ }
+
+ if member($services, 'soledad') {
+ include soledad::server
+ }
+
+ if member($services, 'monitor') {
+ include site_nagios
+ }
+
+ if member($services, 'tor') {
+ include site_tor
+ }
+
+ if member($services, 'mx') {
+ include site_mx
+ }
+
+ if member($services, 'static') {
+ include site_static
+ }
+
+ if member($services, 'obfsproxy') {
+ include site_obfsproxy
+ }
}
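Review bot: Nothing in the hunk says why the Exec defaults, the apt Package collector and all the service includes now live under `node default` while `$services`/`notice` are deliberately left at top scope, so the next reader has to dig through history to learn the split is intentional; a one-line comment above `node default {` would fix that, e.g. `# node scope: the resource defaults and apt collector below apply to the classes included from here; $services stays at top scope so every node sees it`. Note also that `Package <| provider == 'apt' |> { ... }` is a collector, so besides applying the override it realizes any virtual Package resource whose provider is apt; that is pre-existing behaviour, but worth a comment now that it sits inside the node block where it is easier to overlook. The `$services = hiera('services', [])` line at the top of the hunk is only re-indented, not changed.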
diff --git a/puppet/modules/apache b/puppet/modules/apache
-Subproject 117bed9a9263c21d253d86b667eb165948efdc2
+Subproject 415e9504f99dca3ccaa4dfd389dde24ad9d0e01
diff --git a/puppet/modules/backupninja b/puppet/modules/backupninja
-Subproject 497513547be79f9d3c8e96f1650ec43ee634b27
+Subproject 5268a87c329f895017f8ea6c6abc377a4f9a6a7
diff --git a/puppet/modules/bundler b/puppet/modules/bundler
-Subproject b4a4a8434616247156e59b860b47cc6256ead8d
+Subproject bacec3e072649be4ade56f7df8506b46ae9c516
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject 40d2289f8e10625cd45fdccdf492b5fb6490e66
+Subproject 76ff149a095023611c05bbb00157d06f87b07c0
diff --git a/puppet/modules/nagios b/puppet/modules/nagios
-Subproject 68dab01a85996e14efcccf856b623a2caf25782
+Subproject e6fee3c731f68ccf8b6add8ada2162c7ad2b840
diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems
-Subproject e704c9fe1c40fea5b10fe3ca2b4f5de825341cc
+Subproject 510a3693eab5dc78ed27d3728ee4d3b12334ea1
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
index 71395c50..7daf0cac 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
@@ -15,3 +15,7 @@
# 401 Unauthorized error logged by webapp and possible other
# applications
C Unauthorized
+# catch abnormal termination of processes (due to segfault/fpe
+# signals etc).
+# see https://github.com/pixelated/pixelated-user-agent/issues/683
+ C systemd.*: main process exited, code=killed, status=
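Review bot: The new pattern ` C systemd.*: main process exited, code=killed, status=` matches every killing signal, including `status=15/TERM`, which systemd emits for units that are stopped or restarted normally, so routine deploys and `systemctl restart` calls would likely raise a CRITICAL although the comment says the intent is to catch segfault/FPE-type crashes; narrowing it to the fatal signals matches the stated intent, e.g. ` C systemd.*: main process exited, code=killed, status=(4/ILL|6/ABRT|7/BUS|8/FPE|11/SEGV)`. Whether SIGTERM stops are logged with exactly this wording depends on the systemd version in use, so check a sample syslog before committing to the narrower form. The added line is indented with one space while `C Unauthorized` two lines above is not; if that difference is real rather than an artefact of the listing, one of the two lines falls outside the logwatch pattern format and is silently ignored.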
diff --git a/puppet/lib/puppet/parser/functions/create_resources_hash_from.rb b/puppet/modules/site_config/lib/puppet/parser/functions/create_resources_hash_from.rb
index 47d0df9c..47d0df9c 100644
--- a/puppet/lib/puppet/parser/functions/create_resources_hash_from.rb
+++ b/puppet/modules/site_config/lib/puppet/parser/functions/create_resources_hash_from.rb
diff --git a/puppet/lib/puppet/parser/functions/sorted_json.rb b/puppet/modules/site_config/lib/puppet/parser/functions/sorted_json.rb
index 605da00e..605da00e 100644
--- a/puppet/lib/puppet/parser/functions/sorted_json.rb
+++ b/puppet/modules/site_config/lib/puppet/parser/functions/sorted_json.rb
diff --git a/puppet/lib/puppet/parser/functions/sorted_yaml.rb b/puppet/modules/site_config/lib/puppet/parser/functions/sorted_yaml.rb
index 46cd46ce..46cd46ce 100644
--- a/puppet/lib/puppet/parser/functions/sorted_yaml.rb
+++ b/puppet/modules/site_config/lib/puppet/parser/functions/sorted_yaml.rb
diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini
index 22aa0177..b921a927 100644
--- a/puppet/modules/site_couchdb/files/local.ini
+++ b/puppet/modules/site_couchdb/files/local.ini
@@ -1,91 +1,8 @@
-; CouchDB Configuration Settings
+; Puppet modified file !!
; Custom settings should be made in this file. They will override settings
; in default.ini, but unlike changes made to default.ini, this file won't be
; overwritten on server upgrade.
-[couchdb]
-;max_document_size = 4294967296 ; bytes
-
-[httpd]
-;port = 5984
-;bind_address = 127.0.0.1
-; Options for the MochiWeb HTTP server.
-;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
-; For more socket options, consult Erlang's module 'inet' man page.
-;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]
-
-; Uncomment next line to trigger basic-auth popup on unauthorized requests.
-;WWW-Authenticate = Basic realm="administrator"
-
-; Uncomment next line to set the configuration modification whitelist. Only
-; whitelisted values may be changed via the /_config URLs. To allow the admin
-; to change this value over HTTP, remember to include {httpd,config_whitelist}
-; itself. Excluding it from the list would require editing this file to update
-; the whitelist.
-;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
-
-[httpd_global_handlers]
-;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}
-
-# futon is enabled by default on bigcouch in default.ini
-# we need to find another way to disable futon, it won't work disabling it here
-# enable futon
-#_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}
-# disable futon
-#_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>}
-
-[couch_httpd_auth]
-; If you set this to true, you should also uncomment the WWW-Authenticate line
-; above. If you don't configure a WWW-Authenticate header, CouchDB will send
-; Basic realm="server" in order to prevent you getting logged out.
-; require_valid_user = false
-
-[log]
-;level = debug
-
-[os_daemons]
-; For any commands listed here, CouchDB will attempt to ensure that
-; the process remains alive while CouchDB runs as well as shut them
-; down when CouchDB exits.
-;foo = /path/to/command -with args
-
-[daemons]
-; enable SSL support by uncommenting the following line and supply the PEM's below.
-; the default ssl port CouchDB listens on is 6984
-;httpsd = {couch_httpd, start_link, [https]}
-
-[ssl]
-;cert_file = /etc/couchdb/server_cert.pem
-;key_file = /etc/couchdb/server_key.pem
-;password = somepassword
-; set to true to validate peer certificates
-;verify_ssl_certificates = false
-; Path to file containing PEM encoded CA certificates (trusted
-; certificates used for verifying a peer certificate). May be omitted if
-; you do not want to verify the peer.
-;cacert_file = /full/path/to/cacertf
-; The verification fun (optionnal) if not specidied, the default
-; verification fun will be used.
-;verify_fun = {Module, VerifyFun}
-;ssl_certificate_max_depth = 1
-; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
-; the Virual Host will be redirected to the path. In the example below all requests
-; to http://example.com/ are redirected to /database.
-; If you run CouchDB on a specific port, include the port number in the vhost:
-; example.com:5984 = /database
-
-[vhosts]
-;example.com = /database/
-
-[update_notification]
-;unique notifier name=/full/path/to/exe -with "cmd line arg"
-
-; To create an admin account uncomment the '[admins]' section below and add a
-; line in the format 'username = password'. When you next start CouchDB, it
-; will change the password to a hash (so that your passwords don't linger
-; around in plain-text files). You can add more admin accounts with more
-; 'username = password' lines. Don't forget to restart CouchDB after
-; changing this.
-;[admins]
-;admin = mysecretpassword
+[compactions]
+_default = [{db_fragmentation, "70%"}, {view_fragmentation, "60%"}, {from, "03:00"}, {to, "05:00"}]
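Review bot: The header kept right after `; Puppet modified file !!` still tells the operator that `Custom settings should be made in this file` and that it `won't be overwritten on server upgrade`, which is now misleading in the way that matters: Puppet rewrites this file on every deploy, so hand edits (for example an `[admins]` entry or `require_valid_user`, whose commented examples this hunk deletes) are silently lost. Replace those three context lines with a header that says so, e.g. `; This file is managed by Puppet (site_couchdb); local edits are overwritten on the next deploy.`. Since the `[admins]`, `require_valid_user` and `[ssl]` stanzas no longer appear here even as commented examples, it is presumably expected that the module sets them elsewhere; a comment pointing at that location would let a reviewer confirm that a freshly deployed node does not come up with no admin configured. The `[compactions]` `_default` line applies to every database, which is fine if intended, but naming the reason for the 70%/60% thresholds and the 03:00–05:00 window would help whoever tunes it later.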
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index aa9b956e..6537124d 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -59,7 +59,7 @@ class site_nagios::server inherits nagios::base {
include site_webapp::common_vhost
include apache::module::headers
- File ['nagios_htpasswd'] {
+ File['nagios_htpasswd'] {
source => undef,
content => "nagiosadmin:${nagiosadmin_pw}",
mode => '0640',
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 6decc665..15e6fb38 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -30,7 +30,7 @@
# auth SHA1
#
# dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists
-# a number of “digest” with names like “RSA-SHA256”, but this are legacy and
+# a number of "digest" with names like "RSA-SHA256", but this are legacy and
# should be avoided.
#
# elijah: i am not so sure that the digest algo matters for 'auth' option, because
@@ -40,14 +40,14 @@
# cipher AES-128-CBC
#
# dkg: For the choice of cipher, we need to select an algorithm and a
-# cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm — but
+# cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm - but
# our control channel is already relying on AES not being broken; if the
# control channel is cracked, then the key material for the tunnel is exposed,
# and the choice of algorithm is moot. So it makes more sense to me to rely on
# the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to
# me, but CBC is more well-tested, and the OpenVPN man page (at least as of
-# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered
-# advanced modes.”
+# version 2.2.1) says "CBC is recommended and CFB and OFB should be considered
+# advanced modes."
#
# note: the default is BF-CBC (blowfish)
#
diff --git a/puppet/modules/tor b/puppet/modules/tor
-Subproject 8c936c166b6da1ebd0e8d95e56ceee5167357d6
+Subproject 9981a70f7ba1f9e4fe33e4eb46654295287c1fc