Diffstat (limited to 'puppet')
27 files changed, 128 insertions, 65 deletions
| diff --git a/puppet/lib/puppet/parser/functions/sorted_yaml.rb b/puppet/lib/puppet/parser/functions/sorted_yaml.rb index fa0db4d2..46cd46ce 100644 --- a/puppet/lib/puppet/parser/functions/sorted_yaml.rb +++ b/puppet/lib/puppet/parser/functions/sorted_yaml.rb @@ -382,7 +382,19 @@ class Ya2YAML  end  module Puppet::Parser::Functions -  newfunction(:sorted_yaml, :type => :rvalue, :doc => "This function outputs yaml, but ensures the keys are sorted.") do |argument| -    return Ya2YAML.new()._ya2yaml(argument) +  newfunction(:sorted_yaml, +    :type => :rvalue, +    :doc => "This function outputs yaml, but ensures the keys are sorted." +    ) do |arguments| + +    if arguments.is_a?(Array) +      if arguments.size != 1 +        raise(Puppet::ParseError, "sorted_yaml(): Wrong number of arguments given (#{arguments.size} for 1)") +      end +      yaml = arguments.first +    else +      yaml = arguments +    end +    return Ya2YAML.new()._ya2yaml(yaml)    end  end diff --git a/puppet/modules/apache b/puppet/modules/apache -Subproject c3e92a9b3cb02f1546b6b1570f10a968d380005 +Subproject fcd2a84e535e5d280d5299a8ff489920e1ea230 diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb -Subproject cdde1e172b3ed2c6c1f203341e75bcef5c3c349 +Subproject d4e0579ec88e999d42c9f4ffd32489396dce63c diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 64beb231..6d63f5e1 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp 
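Review bot: The `else` branch in the new `sorted_yaml` body still accepts a bare value, which makes the call ambiguous when that value is itself an Array: a direct call with a one-element array is unwrapped and only the element is serialised, and a longer array hits the arity error. The one caller changed in this commit, `config.yml.erb`, now passes `[{"production" => production}]`, so the function could require the wrapped form outright, e.g. `raise(Puppet::ParseError, "sorted_yaml(): expects an argument array") unless arguments.is_a?(Array)`. If the bare form has to stay for older callers, a comment on the `else` should say so, for instance `# legacy: called directly from a template with the value itself`.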
@@ -1,8 +1,26 @@ +# install basic apache modules needed for all services (nagios, webapp)  class site_apache::common { -  include site_apache::module::rewrite +  include apache::module::rewrite +  include apache::module::env    class { '::apache': no_default_site => true, ssl => true } +  # needed for the mod_ssl config +  include apache::module::mime + +  # load mods depending on apache version +  if ( versioncmp($::apache_version, '2.4') >= 0 ) { +    # apache >= 2.4, debian jessie +    # needed for mod_ssl config +    include apache::module::socache_shmcb +    # generally needed +    include apache::module::mpm_prefork +  } else { +    # apache < 2.4, debian wheezy +    # for "Order" directive, i.e. main apache2.conf +    include apache::module::authz_host +  } +    include site_apache::common::tls  } diff --git a/puppet/modules/site_apache/manifests/module/alias.pp b/puppet/modules/site_apache/manifests/module/alias.pp deleted file mode 100644 index c1f5e185..00000000 --- a/puppet/modules/site_apache/manifests/module/alias.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::alias ( $ensure = present ) -{ - -  apache::module { 'alias': ensure => $ensure } -} diff --git a/puppet/modules/site_apache/manifests/module/expires.pp b/puppet/modules/site_apache/manifests/module/expires.pp deleted file mode 100644 index f73a5607..00000000 --- a/puppet/modules/site_apache/manifests/module/expires.pp +++ /dev/null @@ -1,4 +0,0 @@ -class site_apache::module::expires ( $ensure = present ) -{ -  apache::module { 'expires': ensure => $ensure } -} diff --git a/puppet/modules/site_apache/manifests/module/headers.pp b/puppet/modules/site_apache/manifests/module/headers.pp deleted file mode 100644 index f7caa28c..00000000 --- a/puppet/modules/site_apache/manifests/module/headers.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::headers ( $ensure = present ) -{ - -  apache::module {'headers': ensure => $ensure } -} 
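Review bot: The `versioncmp($::apache_version, '2.4') >= 0` test in `site_apache::common` has no case for an unset fact. I cannot see where `apache_version` is defined; if it is only populated once apache2 is installed, a first run on jessie would presumably take the `else` branch and load `authz_host` instead of `socache_shmcb` and `mpm_prefork`. The same fact drives the conditional in `site_nagios::server::apache` and the `Gem::Version.new(@apache_version)` tests added to `api.conf.erb` and `common.conf.erb`. Since the branch comments already tie each case to a Debian release, keying the choice on `$::lsbdistcodename` (which `leap_repo.pp` starts using in this commit) would remove the dependency on install order. Otherwise I would add a comment above the `if` such as `# relies on the apache_version fact being set before this class is evaluated`.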
diff --git a/puppet/modules/site_apache/manifests/module/removeip.pp b/puppet/modules/site_apache/manifests/module/removeip.pp deleted file mode 100644 index f106167a..00000000 --- a/puppet/modules/site_apache/manifests/module/removeip.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::removeip ( $ensure = present ) -{ -  package { 'libapache2-mod-removeip': ensure => $ensure } -  apache::module { 'removeip': ensure => $ensure } -} diff --git a/puppet/modules/site_apache/manifests/module/rewrite.pp b/puppet/modules/site_apache/manifests/module/rewrite.pp deleted file mode 100644 index 7ad00a0c..00000000 --- a/puppet/modules/site_apache/manifests/module/rewrite.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::rewrite ( $ensure = present ) -{ - -  apache::module { 'rewrite': ensure => $ensure } -} diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 0396f54b..a54112f8 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -27,6 +27,12 @@ Listen 0.0.0.0:<%= api_port %>    </IfModule>    DocumentRoot /srv/leap/webapp/public +  <% if Gem::Version.new(@apache_version) > Gem::Version.new('2.3') %> +  <Directory /srv/leap/webapp/public> +    AllowOverride None +    Require all granted +  </Directory> +  <% end %>    # Check for maintenance file and redirect all requests    RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 7f9fd5ab..cbb08c30 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb 
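Review bot: The version test added to `api.conf.erb` uses `> Gem::Version.new('2.3')`, while the manifests in this commit switch on `versioncmp($::apache_version, '2.4') >= 0`, so the two disagree for any 2.3.x value. Using one boundary keeps the `Require all granted` block tied to the same condition that loads the 2.4-only modules: `<% if Gem::Version.new(@apache_version) >= Gem::Version.new('2.4') %>`. The same test is repeated in the second hunk of `common.conf.erb`. A short comment in the generated config would also explain why the block exists, e.g. `# apache >= 2.4: access to the DocumentRoot has to be granted explicitly`.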
@@ -1,18 +1,18 @@  <VirtualHost *:80> -  ServerName <%= webapp_domain %> -  ServerAlias <%= domain_name %> -  ServerAlias <%= domain %> -  ServerAlias www.<%= domain %> +  ServerName <%= @webapp_domain %> +  ServerAlias <%= @domain_name %> +  ServerAlias <%= @domain %> +  ServerAlias www.<%= @domain %>    RewriteEngine On -  RewriteRule ^.*$ https://<%= webapp_domain -%>%{REQUEST_URI} [R=permanent,L] +  RewriteRule ^.*$ https://<%= @webapp_domain -%>%{REQUEST_URI} [R=permanent,L]    CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common  </VirtualHost>  <VirtualHost *:443> -  ServerName <%= webapp_domain %> -  ServerAlias <%= domain_name %> -  ServerAlias <%= domain %> -  ServerAlias www.<%= domain %> +  ServerName <%= @webapp_domain %> +  ServerAlias <%= @domain_name %> +  ServerAlias <%= @domain %> +  ServerAlias www.<%= @domain %>    CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common    SSLCACertificatePath /etc/ssl/certs @@ -32,6 +32,12 @@  <% if (defined? @services) and (@services.include? 'webapp') -%>    DocumentRoot /srv/leap/webapp/public +  <% if Gem::Version.new(@apache_version) > Gem::Version.new('2.3') %> +  <Directory /srv/leap/webapp/public> +    AllowOverride None +    Require all granted +  </Directory> +  <% end %>    RewriteEngine On    # Check for maintenance file and redirect all requests @@ -69,4 +75,3 @@    </DirectoryMatch>  <% end -%>  </VirtualHost> - diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 2d4ba0e1..462b2686 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp 
@@ -1,9 +1,11 @@ +# install leap deb repo together with leap-keyring package +# containing the apt signing key  class site_apt::leap_repo {    $platform = hiera_hash('platform')    $major_version = $platform['major_version']    apt::sources_list { 'leap.list': -    content => "deb http://deb.leap.se/${major_version} wheezy main\n", +    content => "deb http://deb.leap.se/${major_version} ${::lsbdistcodename} main\n",      before  => Exec[refresh_apt]    } diff --git a/puppet/modules/site_apt/manifests/sid_repo.pp b/puppet/modules/site_apt/manifests/sid_repo.pp new file mode 100644 index 00000000..7c1d8783 --- /dev/null +++ b/puppet/modules/site_apt/manifests/sid_repo.pp @@ -0,0 +1,11 @@ +# configure debian unstable aka "sid" +# currently only used for installations that +# use plain couchdb instead of bigcouch +class site_apt::sid_repo { + +  apt::sources_list { 'debian_sid.list': +    content => "deb http://httpredir.debian.org/debian/ sid main\n", +    before  => Exec[refresh_apt] +  } + +} diff --git a/puppet/modules/site_apt/templates/jessie/postfix.seeds b/puppet/modules/site_apt/templates/jessie/postfix.seeds new file mode 100644 index 00000000..1a878ccc --- /dev/null +++ b/puppet/modules/site_apt/templates/jessie/postfix.seeds @@ -0,0 +1 @@ +postfix	postfix/main_mailer_type	select	No configuration diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp index 98757b59..20cbcade 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mx.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp @@ -1,3 +1,4 @@ +# check check_mk agent checks for mx service  class site_check_mk::agent::mx {    # watch logs 
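Review bot: The new `site_apt::sid_repo` class adds all of Debian unstable as a package source through `debian_sid.list`, and nothing in the class limits which packages may be taken from it. Unless a default release or a pin is set somewhere I cannot see, sid versions become upgrade candidates for every installed package on a node that includes this class, not only for couchdb as the class comment intends. I would ship an apt preferences entry together with the source, along the lines of `Package: *`, `Pin: release a=unstable`, `Pin-Priority: 100`, and raise the priority for couchdb only if dependency resolution needs it. The class comment could then state that unstable is pinned below the stable suite.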
@@ -6,13 +7,13 @@ class site_check_mk::agent::mx {    }    # local nagios plugin checks via mrpe +  # removed because leap_cli integrates a check for running mx procs already, +  # which is also integrated into nagios (called "Mx/Are_MX_daemons_running")    augeas {      'Leap_MX_Procs':        incl    => '/etc/check_mk/mrpe.cfg',        lens    => 'Spacevars.lns', -      changes => [ -        'rm /files/etc/check_mk/mrpe.cfg/Leap_MX_Procs', -        'set Leap_MX_Procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a "/usr/bin/python /usr/bin/twistd --pidfile=/var/run/leap_mx.pid --rundir=/var/lib/leap_mx/ --python=/usr/share/app/leap_mx.tac --logfile=/var/log/leap/mx.log"\'' ], +      changes => 'rm /files/etc/check_mk/mrpe.cfg/Leap_MX_Procs',        require => File['/etc/check_mk/mrpe.cfg'];    } diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 57f68d3e..0159a050 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -17,6 +17,19 @@ class site_check_mk::server {      ensure => installed,    } +  # we don't use check-mk-multisite, and the jessie version +  # of this config file breaks with apache 2.4 +  # until https://gitlab.com/shared-puppet-modules-group/apache/issues/11 +  # is not fixed, we need to use a generic file type here +  #apache::config::global { 'check-mk-multisite.conf': +  #  ensure => absent +  #} + +  file { '/etc/apache2/conf-enabled/check-mk-multisite.conf': +    ensure  => absent, +    require => Package['check-mk-server']; +  } +    # override paths to use the system check_mk rather than OMD    class { 'check_mk::config':      site              => '', diff --git a/puppet/modules/site_check_mk/templates/use_ssh.mk b/puppet/modules/site_check_mk/templates/use_ssh.mk index 0bebebcf..55269536 100644 --- a/puppet/modules/site_check_mk/templates/use_ssh.mk 
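Review bot: The new `file { '/etc/apache2/conf-enabled/check-mk-multisite.conf': ensure => absent }` resource in `site_check_mk::server` removes the config file but does not trigger an apache reload. A server that has already loaded that file, or failed to start because of it, stays in that state until something else restarts apache. Adding a notify to the apache service resource would close the gap, e.g. `notify => Service['apache'],` if that is the title the apache module uses in this tree. The class body starts and ends outside the hunk.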
+++ b/puppet/modules/site_check_mk/templates/use_ssh.mk @@ -1,6 +1,6 @@  # http://mathias-kettner.de/checkmk_datasource_programs.html  datasource_programs = [ -<% nagios_hosts.sort.each do |name,config| %> +<% @nagios_hosts.sort.each do |name,config| %>   ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa -p <%=config['ssh_port']%> <%=config['domain_internal']%> check_mk_agent", [ "<%=config['domain_internal']%>" ], ),<%- end -%>  ] diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp index 7dfb8b03..8f3b2641 100644 --- a/puppet/modules/site_config/manifests/packages/build_essential.pp +++ b/puppet/modules/site_config/manifests/packages/build_essential.pp @@ -4,8 +4,8 @@  class site_config::packages::build_essential {    if !defined(Package['build-essential']) {      package { -      ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']: +      ['build-essential', 'cpp']:          ensure => present      }    } -}
\ No newline at end of file +} diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp index 2a720114..5c13233d 100644 --- a/puppet/modules/site_config/manifests/ruby.pp +++ b/puppet/modules/site_config/manifests/ruby.pp @@ -1,14 +1,8 @@ +# install ruby, rubygems and bundler +# configure ruby settings common to all servers  class site_config::ruby {    Class[Ruby] -> Class[rubygems] -> Class[bundler::install] -  class { '::ruby': ruby_version => '1.9.3' } +  class { '::ruby': }    class { 'bundler::install': install_method => 'package' }    include rubygems  } - - -# -# Ruby settings common to all servers -# -# Why this way? So that other classes can do 'include site_ruby' without creating redeclaration errors. -# See https://puppetlabs.com/blog/modeling-class-composition-with-parameterized-classes/ -# diff --git a/puppet/modules/site_config/manifests/ruby/dev.pp b/puppet/modules/site_config/manifests/ruby/dev.pp index 3ea6ca96..e6eb2f8a 100644 --- a/puppet/modules/site_config/manifests/ruby/dev.pp +++ b/puppet/modules/site_config/manifests/ruby/dev.pp @@ -1,6 +1,6 @@ +# install ruby dev packages needed for building some gems  class site_config::ruby::dev inherits site_config::ruby {    Class['::ruby'] { -    ruby_version => '1.9.3',      install_dev  => true    }    # building gems locally probably requires build-essential and gcc: diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp index 5dab6325..c50ed364 100644 --- a/puppet/modules/site_couchdb/manifests/master.pp +++ b/puppet/modules/site_couchdb/manifests/master.pp @@ -7,5 +7,10 @@ class site_couchdb::master {      pwhash_alg          => $site_couchdb::couchdb_pwhash_alg    } +  # couchdb is not available in jessie, and the +  # leap deb repo only hosts a wheeyz version. +  # we install it therefore from unstable +  include site_apt::sid_repo +    include site_check_mk::agent::couchdb::master  } 
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 60a471b7..5c833508 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -33,7 +33,7 @@ class site_nagios::server inherits nagios::base {    include site_apache::common    include site_webapp::common_vhost -  include site_apache::module::headers +  include apache::module::headers    File ['nagios_htpasswd'] {      source  => undef, diff --git a/puppet/modules/site_nagios/manifests/server/apache.pp b/puppet/modules/site_nagios/manifests/server/apache.pp index 8dbc7e9b..7de477cd 100644 --- a/puppet/modules/site_nagios/manifests/server/apache.pp +++ b/puppet/modules/site_nagios/manifests/server/apache.pp @@ -1,7 +1,25 @@ +# set up apache for nagios  class site_nagios::server::apache { +    include x509::variables +    include site_config::x509::commercial::cert    include site_config::x509::commercial::key    include site_config::x509::commercial::ca +  include apache::module::authn_file +  # "AuthUserFile" +  include apache::module::authz_user +  # "AuthType Basic" +  include apache::module::auth_basic +  # "DirectoryIndex" +  include apache::module::dir +  include apache::module::php5 +  include apache::module::cgi + +  # apache >= 2.4, debian jessie +  if ( versioncmp($::apache_version, '2.4') >= 0 ) { +    include apache::module::authn_core +  } +  } diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index ddd04a91..80c7b29b 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -1,3 +1,4 @@ +# configure apache and passenger to serve the webapp  class site_webapp::apache {    $web_api          = hiera('api') 
@@ -11,10 +12,10 @@ class site_webapp::apache {    $webapp_domain    = $webapp['domain']    include site_apache::common -  include site_apache::module::headers -  include site_apache::module::alias -  include site_apache::module::expires -  include site_apache::module::removeip +  include apache::module::headers +  include apache::module::alias +  include apache::module::expires +  include apache::module::removeip    include site_webapp::common_vhost    class { 'passenger': use_munin => false } diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 99a756ca..4cf7a8ca 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -4,10 +4,10 @@ class site_webapp::hidden_service {    $tor_domain       = "${hidden_service['address']}.onion"    include site_apache::common -  include site_apache::module::headers -  include site_apache::module::alias -  include site_apache::module::expires -  include site_apache::module::removeip +  include apache::module::headers +  include apache::module::alias +  include apache::module::expires +  include apache::module::removeip    include tor::daemon    tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' } diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 19ed6b7b..c2e9f3df 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,4 +1,4 @@ -<%- +<%  cert_options = @webapp['client_certificates']  production = {    "admins" => @webapp['admins'], @@ -32,4 +32,4 @@ end  #  # This file is generated by puppet. This file inherits from defaults.yml.  # -<%= scope.function_sorted_yaml({"production" => production}) %> +<%= scope.function_sorted_yaml([{"production" => production}]) %> 
diff --git a/puppet/modules/sshd b/puppet/modules/sshd -Subproject 750a497758d94c2f5a6cad23cecc3dbde2d2f92 +Subproject 943dd94dfab1de9316a5ed4c0751b36a6c75447 | 
