Diffstat (limited to 'puppet')
17 files changed, 73 insertions, 52 deletions
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb -Subproject 23b557c6fb07929a9b04e5fb75375a85a473437 +Subproject 3c20a3169e77e5a5f9abc06788c3a7730d5530c diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 6bcdd19a..284662d2 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -77,16 +77,18 @@ class leap_mx { } augeas { - "logrotate_mx": - context => "/files/etc/logrotate.d/leap-mx/rule", + 'logrotate_mx': + context => '/files/etc/logrotate.d/leap-mx/rule', changes => [ - "set file /var/log/leap/mx.log", - 'set rotate 5', - 'set schedule daily', - 'set compress compress', - 'set missingok missingok', - 'set ifempty notifempty', - 'set copytruncate copytruncate' - ] + 'set file /var/log/leap/mx.log', + 'set rotate 5', + 'set schedule daily', + 'clear nocreate', + 'rm create', + 'rm ifempty', + 'set compress compress', + 'set missingok missingok', + 'set copytruncate copytruncate' + ] } } diff --git a/puppet/modules/site_apt/manifests/preferences/passenger.pp b/puppet/modules/site_apt/manifests/preferences/passenger.pp index af501b6b..8cd41f91 100644 --- a/puppet/modules/site_apt/manifests/preferences/passenger.pp +++ b/puppet/modules/site_apt/manifests/preferences/passenger.pp @@ -1,10 +1,14 @@ +# +# currently, this is only used by static_site to get passenger v4. +# +# UPGRADE: this is not needed for jessie. +# class site_apt::preferences::passenger { apt::preferences_snippet { 'passenger': package => 'libapache2-mod-passenger', release => "${::lsbdistcodename}-backports", - priority => 999, - require => [Package['apache'], Class['ruby']]; + priority => 999; } } diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh b/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh index 95474ccb..83b407e0 100755 
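Review bot: `'rm ifempty'` in the leap_mx logrotate rule drops the `notifempty` flag the old rule set, so logrotate's default (rotate even when the file is empty) now applies and a quiet day still consumes one of the `rotate 5` slots, which can shrink the retained mx.log history to a handful of days. If that is intended, say so beside the change, e.g. `# rotate even if empty: keep a fixed five-day window`; otherwise keep `'set ifempty notifempty'`. `'clear nocreate'` and `'rm create'` are consistent with `copytruncate`, which leaves the live file in place so its mode and owner are never recreated by logrotate. The resource still passes no `lens`/`incl`, so it relies on the stock logrotate lens autoloading `/etc/logrotate.d/leap-mx`; that predates this change.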
--- a/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh +++ b/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh @@ -117,3 +117,6 @@ end_time=$(date +%s.%N) duration=$( echo "scale = 2; $end_time - $start_time" | bc -l ) printf "${exitcode} ${PREFIX}global_stats ${global_stats_perf}|script_duration=%02.2fs ${STATE[exitcode]}: global couchdb status\n" "$duration" + +rm "$TMPFILE" + diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/openvpn.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/openvpn.cfg index ed50f420..d99dcde9 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/openvpn.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/openvpn.cfg @@ -8,6 +8,11 @@ I ovpn-.*TLS Error: TLS object -> incoming plaintext read error I ovpn-.*Fatal TLS error \(check_tls_errors_co\), restarting I ovpn-.*TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate + I ovpn-.*TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate + I ovpn-.*TLS Error: unknown opcode received from + I ovpn-.*Authenticate/Decrypt packet error: packet HMAC authentication failed + I ovpn-.*TLS Error: reading acknowledgement record from packet + I ovpn-.*TLS Error: session-id not found in packet from I ovpn-.*SIGUSR1\[soft,tls-error\] received, client-instance restarting I ovpn-.*VERIFY ERROR: depth=0, error=certificate has expired diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp index 4a5ec68e..8505b34a 100644 --- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp +++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp @@ -1,3 +1,4 @@ +# sets up tapicero monitoring class site_check_mk::agent::tapicero { include ::site_nagios::plugins 
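Review bot: The new `rm "$TMPFILE"` at the end of leap_couch_stats.sh only runs on the success path; any earlier `exit`, a failing command if the script uses `set -e`, or a signal leaves the temp file behind, which is exactly what the line is meant to prevent. Register the cleanup where the file is created instead, `trap 'rm -f "$TMPFILE"' EXIT`, and drop this line. How `$TMPFILE` is created is outside the hunk; if it is not a `mktemp` path, a predictable name in a shared directory is the larger issue and worth checking while here.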
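Review bot: The five new `I` (ignore) lines in openvpn.cfg silence precisely the messages a tls-auth/HMAC key mismatch, a replayed or forged packet, or a scanner hitting the OpenVPN port produce, so after this change a flood of `packet HMAC authentication failed` is invisible to check_mk and only present in the raw log. Unless these are confirmed benign noise on this deployment, classify them `W` rather than `I`, e.g. `W ovpn-.*Authenticate/Decrypt packet error: packet HMAC authentication failed`, so repeated occurrences still surface as a warning. The `peer did not return a certificate` and `unknown opcode received from` lines merit the same treatment. If ignoring is deliberate, a comment above the block stating why these are expected on an internet-facing listener would keep the next reader from re-enabling them.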
@@ -14,12 +15,12 @@ class site_check_mk::agent::tapicero { lens => 'Spacevars.lns', changes => [ 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs', - 'set Tapicero_Procs "/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero"' ], + "set Tapicero_Procs \"/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 --ereg-argument-array='^tapicero$'\"" ], require => File['/etc/check_mk/mrpe.cfg']; 'Tapicero_Heartbeat': incl => '/etc/check_mk/mrpe.cfg', lens => 'Spacevars.lns', - changes => 'set Tapicero_Heartbeat \'/usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/leap/tapicero.log -r "tapicero" -w 300 -c 600\'', + changes => 'set Tapicero_Heartbeat \'/usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/leap/tapicero.log -r "tapicero" -w 1200 -c 2400\'', require => File['/etc/check_mk/mrpe.cfg']; } } diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 171f1576..67519513 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -1,3 +1,4 @@ +# setup check_mk on the monitoring server class site_check_mk::server { $ssh_hash = hiera('ssh') @@ -6,10 +7,9 @@ class site_check_mk::server { $seckey = $ssh_hash['monitor']['private_key'] $nagios_hiera = hiera_hash('nagios') - $nagios_hosts = $nagios_hiera['hosts'] + $hosts = $nagios_hiera['hosts'] - $hosts = hiera_hash('hosts') - $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') + $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%><% if @hosts[key]["environment"] != "disabled" %>"<%= @hosts[key]["domain_internal"] %>", <% end -%><% end -%>') $domains_internal = $nagios_hiera['domains_internal'] $environments = $nagios_hiera['environments'] 
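Review bot: `--ereg-argument-array='^tapicero$'` in the Tapicero_Procs check matches only when the process's whole argument list is exactly `tapicero`; if the daemon runs as `ruby /usr/bin/tapicero` or with any option, the count is 0 and `-w 1:1 -c 1:1` is CRITICAL permanently, where the old `-a tapicero` substring match tolerated that. Confirm the argv of the running process and loosen the anchor if needed, e.g. `--ereg-argument-array='(^|/)tapicero( |$)'`. The `$'` inside the Puppet double-quoted string survives only because `'` cannot start a variable name; writing `\$'` makes that explicit. The heartbeat thresholds move from 5/10 to 20/40 minutes, so a hung tapicero (new users get no database) is tolerated four times longer; a comment giving the reason, such as how often tapicero logs when idle, would stop this being tightened back blindly.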
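Review bot: In site_check_mk::server, `$hosts` is now taken from `$nagios_hiera['hosts']` and the `$nagios_hosts` variable disappears, so any template or class still reading `@nagios_hosts` or `$site_check_mk::server::nagios_hosts` now gets undef silently, and nothing in the hunk shows such a reference being updated. The template filter `@hosts[key]["environment"] != "disabled"` also includes a host whose `environment` key is missing, which is fine if that is the meaning of enabled but worth a comment: `# hosts without an environment are monitored; only environment == disabled is skipped`. The class body continues outside the hunk.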
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 1b8bd1a2..cdebbad0 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,32 +1,12 @@ class site_config::caching_resolver { tag 'leap_base' - # Setup a conf.d directory to place additional unbound configuration files. - # There must be at least one file in the directory, or unbound will not start, - # so create an empty placeholder to ensure this. - - # Note: the version of unbound we are working with does not accept a wildcard - # for an include directive, so we are not able to use this. When we can use - # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the - # configuration file - include site_apt::preferences::unbound - file { - # cleanup from how we used to do it - '/etc/unbound/conf.d': - force => true, - ensure => absent; - - '/etc/unbound/conf.d/placeholder': - ensure => absent; - } - class { 'unbound': root_hints => false, anchor => false, ssl => false, - require => File['/etc/unbound/conf.d/placeholder'], settings => { server => { verbosity => '1', diff --git a/puppet/modules/site_config/manifests/dhclient.pp b/puppet/modules/site_config/manifests/dhclient.pp index dbe2ef1c..7755413b 100644 --- a/puppet/modules/site_config/manifests/dhclient.pp +++ b/puppet/modules/site_config/manifests/dhclient.pp @@ -22,11 +22,19 @@ class site_config::dhclient { require => File['/usr/local/sbin/reload_dhclient'], } + file { '/etc/dhcp/dhclient-enter-hooks.d': + ensure => directory, + mode => '0755', + owner => 'root', + group => 'root', + } + file { '/etc/dhcp/dhclient-enter-hooks.d/disable_resolvconf': content => 'make_resolv_conf() { : ; } ; set_hostname() { : ; }', mode => '0644', owner => 'root', group => 'root', + require => File['/etc/dhcp/dhclient-enter-hooks.d'], notify => Exec['reload_dhclient']; } } 
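Review bot: `/etc/dhcp/dhclient-enter-hooks.d` becomes a managed directory in site_config::dhclient, but only the one hook inside it is managed, so any other file dropped there is still sourced by dhclient as root on every lease; if the intent is that only the Puppet-managed hook runs, add `recurse => true, purge => true` to the directory resource, after checking whether a distro package such as resolvconf ships a hook there that is relied on. A `# dhclient sources every file here as root; keep contents minimal` comment on the resource would make the sensitivity clear. The `0755` mode and `root:root` ownership are appropriate.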
diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index f20d04a4..c23495fc 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -1,3 +1,4 @@ +# install default packages and remove unwanted packages class site_config::packages::base { @@ -7,7 +8,7 @@ class site_config::packages::base { } # base set of packages that we want to remove everywhere - package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', + package { [ 'acpi', 'eject', 'ftp', 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp index 3f46659c..b339e6af 100644 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ b/puppet/modules/site_config/manifests/remove_files.pp @@ -27,6 +27,10 @@ class site_config::remove_files { path => '/var/log/', recurse => true, matches => 'leap_mx*'; + 'leap_mx_rotate': + path => '/var/log/leap/', + recurse => true, + matches => [ 'mx.log.[0-9]', 'mx.log.[0-9]?', 'mx.log.[6-9]?gz']; '/srv/leap/webapp/public/provider.json':; '/srv/leap/couchdb/designs/tmp_users': recurse => true, diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index 82c85b52..469a2783 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp @@ -1,3 +1,4 @@ +# sets up bigcouch on couchdb node class site_couchdb::bigcouch { $config = $::site_couchdb::couchdb_config['bigcouch'] 
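Review bot: `acpid` and `acpi-support-base` are dropped from the remove list in site_config::packages::base without a reason, and since the list's comment still reads "base set of packages that we want to remove everywhere", a reader will assume the omission is accidental. Add the motivation inline, e.g. `# acpid stays: VMs rely on it to honour ACPI shutdown from the host -- TODO confirm`, or whatever the real reason is. acpid runs as root and executes event scripts, so keeping it is a small, deliberate surface increase worth recording.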
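Review bot: In the new `leap_mx_rotate` matches, `?` is a single-character wildcard rather than a literal dot: `'mx.log.[6-9]?gz'` matches `mx.log.6.gz` only by accident, and `'mx.log.[0-9]?'` matches `mx.log.10`..`mx.log.99` but never `mx.log.1.gz`. If the aim is to clear rotations beyond the new `rotate 5` window, `'mx.log.[6-9].gz'` and `'mx.log.[1-9][0-9]*'` say that. `'mx.log.[0-9]'` also deletes `mx.log.1`..`mx.log.5`, which are the current uncompressed rotations if compression is ever delayed; confirm that is wanted. The resource these matches belong to starts outside the hunk, so its type is not visible here.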
@@ -24,6 +25,7 @@ class site_couchdb::bigcouch { -> Class['site_couchdb::setup'] -> Class['site_couchdb::bigcouch::add_nodes'] -> Class['site_couchdb::bigcouch::settle_cluster'] + -> Class['site_couchdb::create_dbs'] include site_couchdb::bigcouch::add_nodes include site_couchdb::bigcouch::settle_cluster diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index b743127a..eea4bbf5 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -1,13 +1,13 @@ +# creates neccesary databases class site_couchdb::create_dbs { Class['site_couchdb::setup'] - -> Class['site_couchdb::bigcouch::settle_cluster'] -> Class['site_couchdb::create_dbs'] ### customer database ### r/w: webapp, couchdb::create_db { 'customers': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } 
@@ -30,27 +30,27 @@ class site_couchdb::create_dbs { ## r/w: webapp $sessions_db = rotated_db_name('sessions', 'monthly') couchdb::create_db { $sessions_db: - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } $sessions_next_db = rotated_db_name('sessions', 'monthly', 'next') couchdb::create_db { $sessions_next_db: - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } ## shared database ## r/w: soledad couchdb::create_db { 'shared': - members => "{ \"names\": [\"$site_couchdb::couchdb_soledad_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_soledad_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } ## tickets database ## r/w: webapp couchdb::create_db { 'tickets': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } @@ -87,7 +87,7 @@ class site_couchdb::create_dbs { ## store messages to the clients such as payment reminders ## r/w: webapp couchdb::create_db { 'messages': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index a11f6309..6b6ddd3a 100644 
--- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,3 +1,5 @@ +# entry class for configuring couchdb/bigcouch node +# couchdb node class site_couchdb { tag 'leap_service' @@ -41,6 +43,7 @@ class site_couchdb { $couchdb_backup = $couchdb_config['backup'] $couchdb_mode = $couchdb_config['mode'] + $couchdb_pwhash_alg = $couchdb_config['pwhash_alg'] if $couchdb_mode == 'multimaster' { include site_couchdb::bigcouch } if $couchdb_mode == 'master' { include site_couchdb::master } diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp index a0a6633d..c28eee7d 100644 --- a/puppet/modules/site_couchdb/manifests/master.pp +++ b/puppet/modules/site_couchdb/manifests/master.pp @@ -1,9 +1,9 @@ +# this class sets up a single, plain couchdb node class site_couchdb::master { - class { 'couchdb': admin_pw => $site_couchdb::couchdb_admin_pw, admin_salt => $site_couchdb::couchdb_admin_salt, - chttpd_bind_address => '127.0.0.1' + chttpd_bind_address => '127.0.0.1', + pwhash_alg => $site_couchdb::couchdb_pwhash_alg } - -}
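Review bot: `$couchdb_pwhash_alg` is read from hiera and handed to the `couchdb` class with no validation or default, so a typo or an absent key silently falls back to whatever the module chooses, and for the admin password that choice is security-relevant (CouchDB's `simple` scheme is a salted SHA-1, `pbkdf2` the iterated one). Either constrain it, e.g. `validate_re($couchdb_pwhash_alg, '^(simple|pbkdf2)$')` if puppetlabs-stdlib is in use, or at least document the accepted values: `# pwhash_alg: 'pbkdf2' (CouchDB >= 1.3) or 'simple'; undef lets the couchdb module choose`. In this commit the value is only wired into `site_couchdb::master`; whether the bigcouch path needs it is not visible in the diff and worth a note either way.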
\ No newline at end of file +} diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index ce79c00f..1efc510b 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -33,6 +33,9 @@ class site_static { include site_apache::module::expires include site_apache::module::removeip include site_apache::module::rewrite + apache::config::include{ 'ssl_common.inc': } + + include site_config::ruby::dev if (member($formats, 'rack')) { include site_apt::preferences::passenger @@ -43,8 +46,13 @@ class site_static { } if (member($formats, 'amber')) { - include site_config::ruby::dev - rubygems::gem{'amber-0.3.4': } + rubygems::gem{'amber-0.3.7': + require => Package['zlib1g-dev'] + } + + package { 'zlib1g-dev': + ensure => installed + } } create_resources(site_static::domain, $domains) @@ -52,4 +60,4 @@ class site_static { include site_shorewall::defaults include site_shorewall::service::http include site_shorewall::service::https -}
\ No newline at end of file +} diff --git a/puppet/modules/unbound b/puppet/modules/unbound -Subproject ca7eb732064ce29fc83d4c32a4df7d9512d4580 +Subproject 00646b0ffc71a86981b05f983c86ace0979d1b6 |
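Review bot: `include site_config::ruby::dev` moves out of the `amber` conditional in site_static and is now applied to every static node regardless of `$formats`, so hosts serving only plain files get a Ruby build toolchain they do not need; if the `rack` branch also needs it, include it inside both conditionals rather than unconditionally. `rubygems::gem { 'amber-0.3.7': }` pins a version, not a checksum, so the gem is fetched at deploy time on trust of the gem source, as before; a comment saying whether a vendored copy or a checksum check exists would help. `apache::config::include { 'ssl_common.inc': }` is presumably the shared TLS settings; confirm the static vhosts actually reference it, or the include is inert.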