summaryrefslogtreecommitdiff
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/journald/manifests/init.pp7
-rw-r--r--puppet/modules/site_config/manifests/syslog.pp19
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp21
-rw-r--r--puppet/modules/site_postfix/manifests/mx/checks.pp18
-rw-r--r--puppet/modules/site_postfix/manifests/mx/received_anon.pp13
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp3
6 files changed, 50 insertions, 31 deletions
diff --git a/puppet/modules/journald/manifests/init.pp b/puppet/modules/journald/manifests/init.pp
new file mode 100644
index 00000000..879baba4
--- /dev/null
+++ b/puppet/modules/journald/manifests/init.pp
@@ -0,0 +1,7 @@
+class journald {
+
+ service { 'systemd-journald':
+ ensure => running,
+ enable => true,
+ }
+}
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
index c397dc15..d1deefcd 100644
--- a/puppet/modules/site_config/manifests/syslog.pp
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -4,12 +4,25 @@ class site_config::syslog {
# only pin rsyslog packages to backports on wheezy
case $::operatingsystemrelease {
/^7.*/: {
- include site_apt::preferences::rsyslog
+ include ::site_apt::preferences::rsyslog
+ }
+ # on jessie+ systems, systemd and journald are enabled,
+ # and journald logs IP addresses, so we need to disable
+ # it until a solution is found, (#7863):
+ # https://github.com/systemd/systemd/issues/2447
+ default: {
+ include ::journald
+ augeas {
+ 'disable_journald':
+ incl => '/etc/systemd/journald.conf',
+ lens => 'Puppet.lns',
+ changes => 'set /files/etc/systemd/journald.conf/Journal/Storage \'none\'',
+ notify => Service['systemd-journald'];
+ }
}
- default: { }
}
- class { 'rsyslog::client':
+ class { '::rsyslog::client':
log_remote => false,
log_local => true
}
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 59a02598..2ea54d0a 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -80,20 +80,23 @@ class site_postfix::mx {
value => 'smtp';
'mailbox_command':
value => '';
+ 'header_checks':
+ value => '';
'postscreen_access_list':
value => 'permit_mynetworks';
'postscreen_greet_action':
value => 'enforce';
}
- include site_postfix::mx::smtpd_checks
- include site_postfix::mx::checks
- include site_postfix::mx::smtp_tls
- include site_postfix::mx::smtpd_tls
- include site_postfix::mx::static_aliases
- include site_postfix::mx::rewrite_openpgp_header
- include clamav
- include postfwd
+ include ::site_postfix::mx::smtpd_checks
+ include ::site_postfix::mx::checks
+ include ::site_postfix::mx::smtp_tls
+ include ::site_postfix::mx::smtpd_tls
+ include ::site_postfix::mx::static_aliases
+ include ::site_postfix::mx::rewrite_openpgp_header
+ include ::site_postfix::mx::received_anon
+ include ::clamav
+ include ::postfwd
# greater verbosity for debugging, take out for production
#include site_postfix::debug
@@ -116,7 +119,7 @@ ${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_r
-o smtpd_client_restrictions=
-o cleanup_service_name=clean_smtps
clean_smtps unix n - n - 0 cleanup
- -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers"
+ -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers,pcre:/etc/postfix/checks/received_anon"
class { 'postfix':
preseed => true,
diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp
index 5d75a5e5..f406ad34 100644
--- a/puppet/modules/site_postfix/manifests/mx/checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/checks.pp
@@ -20,22 +20,4 @@ class site_postfix::mx::checks {
refreshonly => true,
subscribe => File['/etc/postfix/checks/helo_checks'];
}
-
- # Anonymize the user's home IP from the email headers (Feature #3866)
- package { 'postfix-pcre': ensure => installed, require => Package['postfix'] }
-
- file { '/etc/postfix/checks/received_anon':
- source => 'puppet:///modules/site_postfix/checks/received_anon',
- mode => '0644',
- owner => root,
- group => root,
- notify => Service['postfix']
- }
-
- postfix::config {
- 'header_checks':
- value => 'pcre:/etc/postfix/checks/received_anon',
- require => File['/etc/postfix/checks/received_anon'];
- }
-
}
diff --git a/puppet/modules/site_postfix/manifests/mx/received_anon.pp b/puppet/modules/site_postfix/manifests/mx/received_anon.pp
new file mode 100644
index 00000000..51ba3faa
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/received_anon.pp
@@ -0,0 +1,13 @@
+# Anonymize the user's home IP from the email headers (Feature #3866)
+class site_postfix::mx::received_anon {
+
+ package { 'postfix-pcre': ensure => installed, require => Package['postfix'] }
+
+ file { '/etc/postfix/checks/received_anon':
+ source => 'puppet:///modules/site_postfix/checks/received_anon',
+ mode => '0644',
+ owner => root,
+ group => root,
+ notify => Service['postfix']
+ }
+}
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index be0d3368..a9202da4 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -76,6 +76,7 @@ MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
tcp_forwarding => $ssh_config['AllowTcpForwarding'],
manage_client => false,
use_storedconfigs => false,
- tail_additional_options => $tail_additional_options
+ tail_additional_options => $tail_additional_options,
+ hostkey_type => [ 'rsa', 'dsa', 'ecdsa' ]
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-17 15:45:21 +0000