Diffstat (limited to 'puppet')
7 files changed, 51 insertions, 81 deletions
diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp
index b752182e..589041eb 100644
--- a/puppet/modules/site_check_mk/manifests/agent.pp
+++ b/puppet/modules/site_check_mk/manifests/agent.pp
@@ -4,7 +4,7 @@ class site_check_mk::agent {
   $pubkey   = $ssh_hash['authorized_keys']['monitor']['key']
   $type     = $ssh_hash['authorized_keys']['monitor']['type']
-  include site_apt::preferences::check_mk
+  class { 'site_apt::preferences::check_mk': } ->
   class { 'check_mk::agent':
     agent_package_name          => 'check-mk-agent',
@@ -12,17 +12,17 @@ class site_check_mk::agent {
     method                      => 'ssh',
     homedir                     => '/etc/nagios/check_mk',
     register_agent              => false
-  }
+  } ->
-  file { [ '/srv/leap/nagios', '/srv/leap/nagios/plugins' ]:
-    ensure  => directory,
-  }
+  class { 'site_check_mk::agent::mrpe': } ->
+  class { 'site_check_mk::agent::logwatch': } ->
-  file { '/usr/lib/check_mk_agent/local/run_node_tests.sh':
-    source => 'puppet:///modules/site_check_mk/agent/local_checks/all_hosts/run_node_tests.sh',
-    mode   => '0755'
+  file {
+    [ '/srv/leap/nagios', '/srv/leap/nagios/plugins' ]:
+      ensure  => directory;
+    '/usr/lib/check_mk_agent/local/run_node_tests.sh':
+      source => 'puppet:///modules/site_check_mk/agent/local_checks/all_hosts/run_node_tests.sh',
+      mode   => '0755';
   }
-  include site_check_mk::agent::mrpe
-  include site_check_mk::agent::logwatch
 }
diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp
index 2dd50400..35a4e9a5 100644
--- a/puppet/modules/site_check_mk/manifests/agent/mx.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp
@@ -15,8 +15,9 @@ class site_check_mk::agent::mx {
   # check stale files in queue dir
   file { '/usr/lib/check_mk_agent/local/check_leap_mx.sh':
-    source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh',
-    mode   => '0755'
+    source  => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh',
+    mode    => '0755',
+    require => Package['check_mk-agent']
   }
 }
diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp
index cb160d83..64f5ea6d 100644
--- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp
+++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp
@@ -5,12 +5,14 @@ class site_check_mk::agent::webapp {
     ensure => installed
   }
   file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py':
-    ensure => link,
-    target => '/srv/leap/webapp/test/nagios/webapp_login.py'
+    ensure  => link,
+    target  => '/srv/leap/webapp/test/nagios/webapp_login.py',
+    require => Package['check_mk-agent']
   }
   file { '/usr/lib/check_mk_agent/local/soledad_sync.py':
-    ensure => link,
-    target => '/srv/leap/webapp/test/nagios/soledad_sync.py'
+    ensure  => link,
+    target  => '/srv/leap/webapp/test/nagios/soledad_sync.py',
+    require => Package['check_mk-agent']
   }
diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp
index c9efaafb..7dfb8b03 100644
--- a/puppet/modules/site_config/manifests/packages/build_essential.pp
+++ b/puppet/modules/site_config/manifests/packages/build_essential.pp
@@ -2,7 +2,10 @@
 # include this whenever you want to ensure build-essential package and related compilers are installed.
 #
 class site_config::packages::build_essential {
-  if $install_build_essential == undef {
-    $install_build_essential = true
+  if !defined(Package['build-essential']) {
+    package {
+      ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']:
+        ensure => present
+    }
   }
 }
\ No newline at end of file
diff --git a/puppet/modules/site_config/manifests/packages/uninstall.pp b/puppet/modules/site_config/manifests/packages/uninstall.pp
index 2919cc96..12f527d9 100644
--- a/puppet/modules/site_config/manifests/packages/uninstall.pp
+++ b/puppet/modules/site_config/manifests/packages/uninstall.pp
@@ -1,20 +1,16 @@
 #
-# this should be included last to allow other modules to set $::install_build_packages
+# Uninstall build-essential and compilers, unless they have been explicitly installed elsewhere.
 #
 class site_config::packages::uninstall {
-
-  if $site_config::packages::build_essential::install_essential == true {
-    $dev_packages_ensure = present
-  } else {
-    $dev_packages_ensure = absent
-  }
+  tag 'leap_base'
   # generally, dev packages are needed for installing ruby gems with native extensions.
   # (nickserver, webapp, etc)
-  package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc',
-              'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]:
-    ensure => $dev_packages_ensure
+  if !defined(Package['build-essential']) {
+    package {
+      ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']:
+        ensure => purged
+    }
   }
-
 }
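Review bot: The `!defined(Package['build-essential'])` guard added in build_essential.pp, and the identical guard in the uninstall.pp hunk, depends on the order in which the two classes are evaluated, because `defined()` only sees resources already in the catalog at that point. If `site_config::packages::uninstall` is evaluated first it declares the compilers `purged` and the later build_essential class silently skips its `ensure => present`, so a node that needs the toolchain loses it; only the other order gives the intended result. The commit removes the old "this should be included last" comment without restating that requirement, so I would put a comment such as `# must be evaluated after every class that includes site_config::packages::build_essential` on the uninstall class. The guard also tests only `build-essential` although ten package titles are declared, so a separate declaration of one of the others elsewhere would still collide.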
\ No newline at end of file
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 6246a836..b1f4997c 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -115,7 +115,7 @@ define site_openvpn::server_config(
         server => $openvpn_configname;
     "keepalive ${openvpn_configname}":
         key    => 'keepalive',
-        value  => '5 20',
+        value  => $config['keepalive'],
         server => $openvpn_configname;
     "local ${openvpn_configname}":
         key    => 'local',
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index 76534911..2abe1a98 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -15,6 +15,7 @@
       document_root = location_directory(name, location)
     end
   end
+  document_root = document_root.gsub(%r{^/|/$}, '')
 -%>
 <VirtualHost *:80>
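Review bot: `value => $config['keepalive']` in the server_config.pp hunk has no fallback, whereas the removed line always wrote `'5 20'`. If the `$config` hash handed to the define has no `keepalive` key, the option would presumably be written with an empty value, which the OpenVPN server may reject or treat as "no keepalive". I would either fall back to the previous `'5 20'` when the key is unset or fail compilation with a clear message. The define's body starts and ends outside this hunk, so where `$config` comes from is not visible here.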
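Review bot: In the added `document_root.gsub(%r{^/|/$}, '')` in apache.conf.erb, `^` and `$` are line anchors in Ruby, so the pattern also strips a slash next to any embedded newline rather than only at the ends of the string. The same pattern is reused for `location['path']` in the third hunk of this file. Because the result is interpolated into `DocumentRoot`, `Alias` and `<Directory>` lines, I would anchor on the string itself: `document_root.gsub(%r{\A/+|/+\z}, '')`, which also collapses repeated leading or trailing slashes. The ERB block this line sits in starts outside the hunk.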
@@ -32,9 +33,10 @@
   #RewriteLogLevel 3
   SSLEngine on
-  SSLProtocol -all +SSLv3 +TLSv1
-  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+  SSLProtocol all -SSLv2
   SSLHonorCipherOrder on
+  SSLCompression off
+  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
   Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
   Header set X-Frame-Options "deny"
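Review bot: `SSLProtocol all -SSLv2` leaves SSLv3 enabled, and the new `SSLCipherSuite` string still offers RC4 through `ECDHE-RSA-RC4-SHA`, `ECDHE-ECDSA-RC4-SHA` and `RC4-SHA`. SSLv3 is exposed to POODLE (CVE-2014-3566) and RC4 is prohibited for TLS by RFC 7465, so a client that negotiates down gets a weaker channel than the rest of the list suggests. I would write `SSLProtocol all -SSLv2 -SSLv3`, drop the three RC4 entries and add `!RC4` to the exclusions at the end of the string. If some monitored client still needs one of these, a comment naming it next to the directive would record why it stays.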
@@ -45,64 +47,30 @@
   RequestHeader set X_FORWARDED_PROTO 'https'
-  DocumentRoot <%= document_root %>
+  DocumentRoot "/<%= document_root %>/"
+  AccessFileName .htaccess
 <%- @locations.each do |name, location| -%>
+  <%- path = location['path'].gsub(%r{^/|/$}, '') -%>
+  <%- directory = location_directory(name, location) -%>
   ##
   ## <%= name %>
   ##
-  <%- if location['path'] == '/' -%>
-  # Location /
-  <%- else -%>
-  Alias <%= location['path'] %> <%= location_directory(name, location) %>
-  <Location <%= location['path'] %>>
-  <%- end -%>
-    # remove trailing slashes
-    RewriteEngine On
-    RewriteRule ^(.+)/$ /$1 [R=301,L]
-
-    # e.g. /de/blah => /blah/index.de.html
-    RewriteCond %{DOCUMENT_ROOT}/$2/index.$1.html -f
-    RewriteRule ^/([a-z]{2})/(.*) /$2/index.$1.html [L]
-
-    # e.g. /de/foo/bar => /foo/bar.de.html
-    RewriteCond %{DOCUMENT_ROOT}/$2.$1.html -f
-    RewriteRule ^/([a-z]{2})/(.*) /$2.$1.html [L]
-
-    # e.g. /de => /index.de.html
-    RewriteCond %{DOCUMENT_ROOT}/index.$1.html -f
-    RewriteRule ^/([a-z]{2})$ /index.$1.html [L]
-
-    # e.g. /de/img.png => /img.png
-    RewriteCond %{DOCUMENT_ROOT}/$2 -f
-    RewriteRule ^/([a-z]{2})/(.*) /$2 [L]
-
-    # Simulate "DirectorySlash On"
-    # e.g.
 /foo/bar => /foo/bar/ (so that MultiViews will negotiate correct locale file)
-    RewriteCond %{DOCUMENT_ROOT}/$1 -d
-    RewriteRule ^/(.*[^/])$ /$1/ [PT]
-  <%- if location['path'] == '/' -%>
-  # end Location /
+  <%- if path == '' -%>
+  <Directory "/<%= document_root %>/">
+    AllowOverride FileInfo Indexes Options=All,MultiViews
+    Order deny,allow
+    Allow from all
+  </Directory>
   <%- else -%>
-  </Location>
-  <%- end -%>
-  <Directory <%= location_directory(name, location) %>>
-    ##
-    ## PERMISSIONS
-    ##
-    AllowOverride None
+  AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1"
+  Alias /<%=path%> "/<%=directory%>/"
+  <Directory "/<%=directory%>/">
+    AllowOverride FileInfo Indexes Options=All,MultiViews
     Order deny,allow
     Allow from all
-
-    ##
-    ## LOCALE SUPPORT (e.g. index.en.html)
-    ##
-    LanguagePriority en
-    ForceLanguagePriority Prefer Fallback
-    DirectoryIndex index
-    DirectorySlash Off
-    Options +MultiViews
   </Directory>
+  <%- end -%>
 <%- end -%>  |
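Review bot: `AllowOverride FileInfo Indexes Options=All,MultiViews` together with `AccessFileName .htaccess` replaces `AllowOverride None`, so any `.htaccess` file inside the published site tree can now enable `ExecCGI` or `Includes`, add rewrite rules and handlers, and change response headers for its directory. That moves part of the server's security configuration into the site content, which matters if the content repository is writable by people who cannot change this template. If the override is only needed for locale negotiation and per-site rewrites, narrow it in both `<Directory>` blocks, for example `AllowOverride FileInfo Indexes Options=MultiViews`. Separately, `<%=path%>` goes into the `AliasMatch` regex unescaped, so a location path containing regex metacharacters would change what the alias matches; `Regexp.escape(path)` at that point avoids it.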
