summaryrefslogtreecommitdiff
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/manifests/site.pp12
-rw-r--r--puppet/modules/haproxy/.fixtures.yml5
-rw-r--r--puppet/modules/haproxy/.gemfile5
-rw-r--r--puppet/modules/haproxy/.gitrepo11
-rw-r--r--puppet/modules/haproxy/.travis.yml23
-rw-r--r--puppet/modules/haproxy/CHANGELOG5
-rw-r--r--puppet/modules/haproxy/Modulefile12
-rw-r--r--puppet/modules/haproxy/README.md87
-rw-r--r--puppet/modules/haproxy/Rakefile1
-rw-r--r--puppet/modules/haproxy/manifests/balancermember.pp95
-rw-r--r--puppet/modules/haproxy/manifests/init.pp149
-rw-r--r--puppet/modules/haproxy/manifests/listen.pp95
-rw-r--r--puppet/modules/haproxy/manifests/params.pp65
-rw-r--r--puppet/modules/haproxy/spec/classes/haproxy_spec.rb138
-rw-r--r--puppet/modules/haproxy/spec/defines/balancermember_spec.rb82
-rw-r--r--puppet/modules/haproxy/spec/defines/listen_spec.rb53
-rw-r--r--puppet/modules/haproxy/spec/spec.opts6
-rw-r--r--puppet/modules/haproxy/spec/spec_helper.rb1
-rw-r--r--puppet/modules/haproxy/templates/haproxy-base.cfg.erb21
-rw-r--r--puppet/modules/haproxy/templates/haproxy_balancermember.erb3
-rw-r--r--puppet/modules/haproxy/templates/haproxy_listen_block.erb10
-rw-r--r--puppet/modules/haproxy/tests/init.pp69
-rw-r--r--puppet/modules/leap/manifests/cli/install.pp16
-rw-r--r--puppet/modules/leap_mx/manifests/init.pp16
-rw-r--r--puppet/modules/site_apache/files/autorestart.conf2
-rw-r--r--puppet/modules/site_apache/manifests/common.pp17
-rw-r--r--puppet/modules/site_apache/manifests/common/autorestart.pp30
-rw-r--r--puppet/modules/site_apache/spec/classes/autorestart_spec.rb7
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb2
-rw-r--r--puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap6
-rw-r--r--puppet/modules/site_apt/manifests/init.pp29
-rw-r--r--puppet/modules/site_apt/manifests/leap_repo.pp19
-rw-r--r--puppet/modules/site_apt/manifests/preferences/passenger.pp14
-rw-r--r--puppet/modules/site_apt/manifests/preferences/python_cryptography.pp12
-rw-r--r--puppet/modules/site_apt/manifests/preferences/rsyslog.pp13
-rw-r--r--puppet/modules/site_apt/manifests/unattended_upgrades.pp3
-rw-r--r--puppet/modules/site_apt/templates/51unattended-upgrades-leap5
-rw-r--r--puppet/modules/site_apt/templates/Debian/preferences_jessie.erb19
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg4
-rw-r--r--puppet/modules/site_check_mk/files/extra_service_conf.mk6
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/haproxy.pp15
-rw-r--r--puppet/modules/site_config/lib/facter/vagrant.rb8
-rw-r--r--puppet/modules/site_config/manifests/files.pp8
-rw-r--r--puppet/modules/site_config/manifests/packages/build_essential.pp6
-rw-r--r--puppet/modules/site_config/manifests/params.pp14
-rw-r--r--puppet/modules/site_config/manifests/remove.pp5
-rw-r--r--puppet/modules/site_config/manifests/remove/jessie.pp5
-rw-r--r--puppet/modules/site_config/manifests/remove/webapp.pp12
-rw-r--r--puppet/modules/site_config/manifests/setup.pp2
-rw-r--r--puppet/modules/site_config/manifests/syslog.pp30
-rw-r--r--puppet/modules/site_config/manifests/vagrant.pp14
-rw-r--r--puppet/modules/site_couchdb/files/designs/identities/Identity.json8
-rw-r--r--puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json44
-rw-r--r--puppet/modules/site_couchdb/files/designs/messages/Message.json8
-rw-r--r--puppet/modules/site_couchdb/files/designs/shared/docs.json8
-rw-r--r--puppet/modules/site_couchdb/files/designs/shared/syncs.json11
-rw-r--r--puppet/modules/site_couchdb/files/designs/shared/transactions.json13
-rw-r--r--puppet/modules/site_couchdb/files/designs/tickets/Ticket.json16
-rw-r--r--puppet/modules/site_couchdb/manifests/designs.pp17
-rw-r--r--puppet/modules/site_haproxy/files/haproxy-stats.cfg6
-rw-r--r--puppet/modules/site_haproxy/manifests/init.pp41
-rw-r--r--puppet/modules/site_haproxy/templates/couch.erb32
-rw-r--r--puppet/modules/site_haproxy/templates/haproxy.cfg.erb11
-rw-r--r--puppet/modules/site_mx/manifests/init.pp3
-rw-r--r--puppet/modules/site_nagios/files/configs/Debian/nagios.cfg3
-rw-r--r--puppet/modules/site_nagios/manifests/server/apache.pp5
-rw-r--r--puppet/modules/site_nickserver/manifests/init.pp75
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp2
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp23
-rw-r--r--puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb14
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp12
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp7
-rw-r--r--puppet/modules/site_static/manifests/domain.pp13
-rw-r--r--puppet/modules/site_static/manifests/hidden_service.pp36
-rw-r--r--puppet/modules/site_static/manifests/init.pp30
-rw-r--r--puppet/modules/site_static/templates/apache.conf.erb14
-rw-r--r--puppet/modules/site_stunnel/manifests/init.pp10
-rw-r--r--puppet/modules/site_tor/manifests/disable_exit.pp6
-rw-r--r--puppet/modules/site_tor/manifests/hidden_service.pp13
-rw-r--r--puppet/modules/site_tor/manifests/init.pp49
-rw-r--r--puppet/modules/site_tor/manifests/relay.pp45
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp9
-rw-r--r--puppet/modules/site_webapp/manifests/hidden_service.pp33
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp11
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb1
-rw-r--r--puppet/modules/soledad/manifests/server.pp5
-rw-r--r--puppet/modules/systemd/.fixtures.yml4
-rw-r--r--puppet/modules/systemd/.gitrepo4
-rw-r--r--puppet/modules/systemd/.puppet-lint.rc2
-rw-r--r--puppet/modules/systemd/.travis.yml22
-rw-r--r--puppet/modules/systemd/CHANGELOG.md20
-rw-r--r--puppet/modules/systemd/Gemfile18
-rw-r--r--puppet/modules/systemd/HISTORY.md15
-rw-r--r--puppet/modules/systemd/LICENSE201
-rw-r--r--puppet/modules/systemd/README.md51
-rw-r--r--puppet/modules/systemd/Rakefile10
-rw-r--r--puppet/modules/systemd/lib/facter/systemd.rb35
-rw-r--r--puppet/modules/systemd/manifests/init.pp8
-rw-r--r--puppet/modules/systemd/manifests/service_limits.pp50
-rw-r--r--puppet/modules/systemd/manifests/tmpfile.pp20
-rw-r--r--puppet/modules/systemd/manifests/unit_file.pp22
-rw-r--r--puppet/modules/systemd/metadata.json2
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/centos-5.yml16
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/centos-6.yml17
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/centos-7.yml15
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/debian-6.yml15
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/debian-7.yml15
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/debian-8.yml16
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-12.04.yml16
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.04.yml18
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.10.yml18
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.04.yml16
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.10.yml16
-rw-r--r--puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-16.04.yml16
-rw-r--r--puppet/modules/systemd/spec/defines/tmpfile_spec.rb48
-rw-r--r--puppet/modules/systemd/spec/defines/unit_file_spec.rb50
-rw-r--r--puppet/modules/systemd/spec/unit/facter/systemd_spec.rb41
-rw-r--r--puppet/modules/systemd/spec/unit/facter/systemd_version_spec.rb31
-rw-r--r--puppet/modules/systemd/templates/limits.erb26
-rw-r--r--puppet/modules/tor/.gitrepo6
-rw-r--r--puppet/modules/tor/README2
-rw-r--r--puppet/modules/tor/manifests/daemon/base.pp14
-rw-r--r--puppet/modules/tor/manifests/daemon/bridge.pp3
-rw-r--r--puppet/modules/tor/manifests/daemon/control.pp18
-rw-r--r--puppet/modules/tor/manifests/daemon/directory.pp3
-rw-r--r--puppet/modules/tor/manifests/daemon/dns.pp3
-rw-r--r--puppet/modules/tor/manifests/daemon/exit_policy.pp3
-rw-r--r--puppet/modules/tor/manifests/daemon/hidden_service.pp19
-rw-r--r--puppet/modules/tor/manifests/daemon/map_address.pp3
-rw-r--r--puppet/modules/tor/manifests/daemon/relay.pp3
-rw-r--r--puppet/modules/tor/manifests/daemon/snippet.pp3
-rw-r--r--puppet/modules/tor/manifests/daemon/socks.pp3
-rw-r--r--puppet/modules/tor/manifests/daemon/transparent.pp3
-rw-r--r--puppet/modules/tor/manifests/munin.pp2
-rw-r--r--puppet/modules/tor/manifests/repo.pp3
-rw-r--r--puppet/modules/tor/manifests/repo/debian.pp2
-rw-r--r--puppet/modules/tor/templates/torrc.directory.erb6
-rw-r--r--puppet/modules/tor/templates/torrc.global.erb4
-rw-r--r--puppet/modules/tor/templates/torrc.hidden_service.erb14
139 files changed, 1389 insertions, 1523 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 3bf6a5c1..1f80c47c 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -44,8 +44,16 @@ node default {
include site_nagios
}
- if member($services, 'tor') {
- include site_tor
+ if member($services, 'tor_relay') {
+ include site_tor::relay
+ }
+
+ if member($services, 'tor_exit') {
+ include site_tor::relay
+ }
+
+ if member($services, 'tor_hidden_service') {
+ include site_tor::hidden_service
}
if member($services, 'mx') {
diff --git a/puppet/modules/haproxy/.fixtures.yml b/puppet/modules/haproxy/.fixtures.yml
deleted file mode 100644
index 8d6f22d6..00000000
--- a/puppet/modules/haproxy/.fixtures.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-fixtures:
- repositories:
- concat: "git://github.com/ripienaar/puppet-concat.git"
- symlinks:
- haproxy: "#{source_dir}"
diff --git a/puppet/modules/haproxy/.gemfile b/puppet/modules/haproxy/.gemfile
deleted file mode 100644
index 9aad840c..00000000
--- a/puppet/modules/haproxy/.gemfile
+++ /dev/null
@@ -1,5 +0,0 @@
-source :rubygems
-
-puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 2.7']
-gem 'puppet', puppetversion
-gem 'puppetlabs_spec_helper', '>= 0.1.0'
diff --git a/puppet/modules/haproxy/.gitrepo b/puppet/modules/haproxy/.gitrepo
deleted file mode 100644
index ed92831a..00000000
--- a/puppet/modules/haproxy/.gitrepo
+++ /dev/null
@@ -1,11 +0,0 @@
-; DO NOT EDIT (unless you know what you are doing)
-;
-; This subdirectory is a git "subrepo", and this file is maintained by the
-; git-subrepo command. See https://github.com/git-commands/git-subrepo#readme
-;
-[subrepo]
- remote = https://leap.se/git/puppet_haproxy
- branch = master
- commit = af322a73c013f80a958ab7d5d31d0c75cf6d0523
- parent = 04279dd8d1390d61d696d2c14817199304ccd4d8
- cmdver = 0.3.0
diff --git a/puppet/modules/haproxy/.travis.yml b/puppet/modules/haproxy/.travis.yml
deleted file mode 100644
index fdbc95dc..00000000
--- a/puppet/modules/haproxy/.travis.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-language: ruby
-rvm:
- - 1.8.7
- - 1.9.3
-script: "rake spec"
-branches:
- only:
- - master
-env:
- - PUPPET_VERSION=2.6.17
- - PUPPET_VERSION=2.7.19
- #- PUPPET_VERSION=3.0.1 # Breaks due to rodjek/rspec-puppet#58
-notifications:
- email: false
-gemfile: .gemfile
-matrix:
- exclude:
- - rvm: 1.9.3
- gemfile: .gemfile
- env: PUPPET_VERSION=2.6.17
- - rvm: 1.8.7
- gemfile: .gemfile
- env: PUPPET_VERSION=3.0.1
diff --git a/puppet/modules/haproxy/CHANGELOG b/puppet/modules/haproxy/CHANGELOG
deleted file mode 100644
index 0b6d670f..00000000
--- a/puppet/modules/haproxy/CHANGELOG
+++ /dev/null
@@ -1,5 +0,0 @@
-2012-10-12 - Version 0.2.0
-- Initial public release
-- Backwards incompatible changes all around
-- No longer needs ordering passed for more than one listener
-- Accepts multiple listen ips/ports/server_names
diff --git a/puppet/modules/haproxy/Modulefile b/puppet/modules/haproxy/Modulefile
deleted file mode 100644
index e729739b..00000000
--- a/puppet/modules/haproxy/Modulefile
+++ /dev/null
@@ -1,12 +0,0 @@
-name 'puppetlabs-haproxy'
-version '0.2.0'
-source 'git://github.com/puppetlabs/puppetlabs-haproxy'
-author 'Puppet Labs'
-license 'Apache License, Version 2.0'
-summary 'Haproxy Module'
-description 'An Haproxy module for Redhat family OSes using Storeconfigs'
-project_page 'http://github.com/puppetlabs/puppetlabs-haproxy'
-
-## Add dependencies, if any:
-# dependency 'username/name', '>= 1.2.0'
-dependency 'ripienaar/concat', '>= 0.1.0'
diff --git a/puppet/modules/haproxy/README.md b/puppet/modules/haproxy/README.md
deleted file mode 100644
index d209e9ab..00000000
--- a/puppet/modules/haproxy/README.md
+++ /dev/null
@@ -1,87 +0,0 @@
-PuppetLabs Module for haproxy
-=============================
-
-HAProxy is an HA proxying daemon for load-balancing to clustered services. It
-can proxy TCP directly, or other kinds of traffic such as HTTP.
-
-Dependencies
-------------
-
-Tested and built on Debian, Ubuntu and CentOS
-
-Currently requires the ripienaar/concat module on the Puppet Forge and uses storeconfigs on the Puppet Master to export/collect resources
-from all balancer members.
-
-Basic Usage
------------
-
-This haproxy uses storeconfigs to collect and realize balancer member servers
-on a load balancer server.
-
-*To install and configure HAProxy server listening on port 8140*
-
-```puppet
-node 'haproxy-server' {
- class { 'haproxy': }
- haproxy::listen { 'puppet00':
- ipaddress => $::ipaddress,
- ports => '8140',
- }
-}
-```
-
-*To add backend loadbalance members*
-
-```puppet
-node 'webserver01' {
- @@haproxy::balancermember { $fqdn:
- listening_service => 'puppet00',
- server_names => $::hostname,
- ipaddresses => $::ipaddress,
- ports => '8140',
- options => 'check'
- }
-}
-```
-
-Configuring haproxy options
----------------------------
-
-The base `haproxy` class can accept two parameters which will configure basic
-behaviour of the haproxy server daemon:
-
-- `global_options` to configure the `global` section in `haproxy.cfg`
-- `defaults_options` to configure the `defaults` section in `haproxy.cfg`
-
-Configuring haproxy daemon listener
------------------------------------
-
-One `haproxy::listen` defined resource should be defined for each HAProxy loadbalanced set of backend servers. The title of the `haproxy::listen` resource is the key to which balancer members will be proxied to. The `ipaddress` field should be the public ip address which the loadbalancer will be contacted on. The `ports` attribute can accept an array or comma-separated list of ports which should be proxied to the `haproxy::balancermemeber` nodes.
-
-Configuring haproxy loadbalanced member nodes
----------------------------------------------
-
-The `haproxy::balacemember` defined resource should be exported from each node
-which is serving loadbalanced traffic. the `listening_service` attribute will
-associate it with `haproxy::listen` directives on the haproxy node.
-`ipaddresses` and `ports` will be assigned to the member to be contacted on. If an array of `ipaddresses` and `server_names` are provided then they will be added to the config in lock-step.
-
-
-Copyright and License
----------------------
-
-Copyright (C) 2012 [Puppet Labs](https://www.puppetlabs.com/) Inc
-
-Puppet Labs can be contacted at: info@puppetlabs.com
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
diff --git a/puppet/modules/haproxy/Rakefile b/puppet/modules/haproxy/Rakefile
deleted file mode 100644
index cd3d3799..00000000
--- a/puppet/modules/haproxy/Rakefile
+++ /dev/null
@@ -1 +0,0 @@
-require 'puppetlabs_spec_helper/rake_tasks'
diff --git a/puppet/modules/haproxy/manifests/balancermember.pp b/puppet/modules/haproxy/manifests/balancermember.pp
deleted file mode 100644
index a0e27539..00000000
--- a/puppet/modules/haproxy/manifests/balancermember.pp
+++ /dev/null
@@ -1,95 +0,0 @@
-# == Define Resource Type: haproxy::balancermember
-#
-# This type will setup a balancer member inside a listening service
-# configuration block in /etc/haproxy/haproxy.cfg on the load balancer.
-# currently it only has the ability to specify the instance name,
-# ip address, port, and whether or not it is a backup. More features
-# can be added as needed. The best way to implement this is to export
-# this resource for all haproxy balancer member servers, and then collect
-# them on the main haproxy load balancer.
-#
-# === Requirement/Dependencies:
-#
-# Currently requires the ripienaar/concat module on the Puppet Forge and
-# uses storeconfigs on the Puppet Master to export/collect resources
-# from all balancer members.
-#
-# === Parameters
-#
-# [*name*]
-# The title of the resource is arbitrary and only utilized in the concat
-# fragment name.
-#
-# [*listening_service*]
-# The haproxy service's instance name (or, the title of the
-# haproxy::listen resource). This must match up with a declared
-# haproxy::listen resource.
-#
-# [*ports*]
-# An array or commas-separated list of ports for which the balancer member
-# will accept connections from the load balancer. Note that cookie values
-# aren't yet supported, but shouldn't be difficult to add to the
-# configuration. If you use an array in server_names and ipaddresses, the
-# same port is used for all balancermembers.
-#
-# [*server_names*]
-# The name of the balancer member server as known to haproxy in the
-# listening service's configuration block. This defaults to the
-# hostname. Can be an array of the same length as ipaddresses,
-# in which case a balancermember is created for each pair of
-# server_names and ipaddresses (in lockstep).
-#
-# [*ipaddresses*]
-# The ip address used to contact the balancer member server.
-# Can be an array, see documentation to server_names.
-#
-# [*options*]
-# An array of options to be specified after the server declaration
-# in the listening service's configuration block.
-#
-#
-# === Examples
-#
-# Exporting the resource for a balancer member:
-#
-# @@haproxy::balancermember { 'haproxy':
-# listening_service => 'puppet00',
-# ports => '8140',
-# server_names => $::hostname,
-# ipaddresses => $::ipaddress,
-# options => 'check',
-# }
-#
-#
-# Collecting the resource on a load balancer
-#
-# Haproxy::Balancermember <<| listening_service == 'puppet00' |>>
-#
-# Creating the resource for multiple balancer members at once
-# (for single-pass installation of haproxy without requiring a first
-# pass to export the resources if you know the members in advance):
-#
-# haproxy::balancermember { 'haproxy':
-# listening_service => 'puppet00',
-# ports => '8140',
-# server_names => ['server01', 'server02'],
-# ipaddresses => ['192.168.56.200', '192.168.56.201'],
-# options => 'check',
-# }
-#
-# (this resource can be declared anywhere)
-#
-define haproxy::balancermember (
- $listening_service,
- $ports,
- $server_names = $::hostname,
- $ipaddresses = $::ipaddress,
- $options = ''
-) {
- # Template uses $ipaddresses, $server_name, $ports, $option
- concat::fragment { "${listening_service}_balancermember_${name}":
- order => "20-${listening_service}-${name}",
- target => '/etc/haproxy/haproxy.cfg',
- content => template('haproxy/haproxy_balancermember.erb'),
- }
-}
diff --git a/puppet/modules/haproxy/manifests/init.pp b/puppet/modules/haproxy/manifests/init.pp
deleted file mode 100644
index b91591a3..00000000
--- a/puppet/modules/haproxy/manifests/init.pp
+++ /dev/null
@@ -1,149 +0,0 @@
-# == Class: haproxy
-#
-# A Puppet module, using storeconfigs, to model an haproxy configuration.
-# Currently VERY limited - Pull requests accepted!
-#
-# === Requirement/Dependencies:
-#
-# Currently requires the ripienaar/concat module on the Puppet Forge and
-# uses storeconfigs on the Puppet Master to export/collect resources
-# from all balancer members.
-#
-# === Parameters
-#
-# [*enable*]
-# Chooses whether haproxy should be installed or ensured absent.
-# Currently ONLY accepts valid boolean true/false values.
-#
-# [*version*]
-# Allows you to specify what version of the package to install.
-# Default is simply 'present'
-#
-# [*global_options*]
-# A hash of all the haproxy global options. If you want to specify more
-# than one option (i.e. multiple timeout or stats options), pass those
-# options as an array and you will get a line for each of them in the
-# resultant haproxy.cfg file.
-#
-# [*defaults_options*]
-# A hash of all the haproxy defaults options. If you want to specify more
-# than one option (i.e. multiple timeout or stats options), pass those
-# options as an array and you will get a line for each of them in the
-# resultant haproxy.cfg file.
-#
-#
-# === Examples
-#
-# class { 'haproxy':
-# enable => true,
-# global_options => {
-# 'log' => "${::ipaddress} local0",
-# 'chroot' => '/var/lib/haproxy',
-# 'pidfile' => '/var/run/haproxy.pid',
-# 'maxconn' => '4000',
-# 'user' => 'haproxy',
-# 'group' => 'haproxy',
-# 'daemon' => '',
-# 'stats' => 'socket /var/lib/haproxy/stats'
-# },
-# defaults_options => {
-# 'log' => 'global',
-# 'stats' => 'enable',
-# 'option' => 'redispatch',
-# 'retries' => '3',
-# 'timeout' => [
-# 'http-request 10s',
-# 'queue 1m',
-# 'connect 10s',
-# 'client 1m',
-# 'server 1m',
-# 'check 10s'
-# ],
-# 'maxconn' => '8000'
-# },
-# }
-#
-class haproxy (
- $manage_service = true,
- $enable = true,
- $version = 'present',
- $global_options = $haproxy::params::global_options,
- $defaults_options = $haproxy::params::defaults_options
-) inherits haproxy::params {
- include concat::setup
-
- package { 'haproxy':
- ensure => $enable ? {
- true => $version,
- false => absent,
- },
- name => 'haproxy',
- }
-
- if $enable {
- concat { '/etc/haproxy/haproxy.cfg':
- owner => '0',
- group => '0',
- mode => '0644',
- require => Package['haproxy'],
- notify => $manage_service ? {
- true => Service['haproxy'],
- false => undef,
- },
- }
-
- # Simple Header
- concat::fragment { '00-header':
- target => '/etc/haproxy/haproxy.cfg',
- order => '01',
- content => "# This file managed by Puppet\n",
- }
-
- # Template uses $global_options, $defaults_options
- concat::fragment { 'haproxy-base':
- target => '/etc/haproxy/haproxy.cfg',
- order => '10',
- content => template('haproxy/haproxy-base.cfg.erb'),
- }
-
- if ($::osfamily == 'Debian') {
- file { '/etc/default/haproxy':
- content => 'ENABLED=1',
- require => Package['haproxy'],
- before => $manage_service ? {
- true => Service['haproxy'],
- false => undef,
- },
- }
- }
-
- file { $global_options['chroot']:
- ensure => directory,
- owner => $global_options['user'],
- group => $global_options['group'],
- mode => '0550',
- require => Package['haproxy']
- }
-
- }
-
- if $manage_service {
- service { 'haproxy':
- ensure => $enable ? {
- true => running,
- false => stopped,
- },
- enable => $enable ? {
- true => true,
- false => false,
- },
- name => 'haproxy',
- hasrestart => true,
- hasstatus => true,
- require => [
- Concat['/etc/haproxy/haproxy.cfg'],
- File[$global_options['chroot']],
- ],
- }
- }
-}
diff --git a/puppet/modules/haproxy/manifests/listen.pp b/puppet/modules/haproxy/manifests/listen.pp
deleted file mode 100644
index 00636e3d..00000000
--- a/puppet/modules/haproxy/manifests/listen.pp
+++ /dev/null
@@ -1,95 +0,0 @@
-# == Define Resource Type: haproxy::listen
-#
-# This type will setup a listening service configuration block inside
-# the haproxy.cfg file on an haproxy load balancer. Each listening service
-# configuration needs one or more load balancer member server (that can be
-# declared with the haproxy::balancermember defined resource type). Using
-# storeconfigs, you can export the haproxy::balancermember resources on all
-# load balancer member servers, and then collect them on a single haproxy
-# load balancer server.
-#
-# === Requirement/Dependencies:
-#
-# Currently requires the ripienaar/concat module on the Puppet Forge and
-# uses storeconfigs on the Puppet Master to export/collect resources
-# from all balancer members.
-#
-# === Parameters
-#
-# [*name*]
-# The namevar of the defined resource type is the listening service's name.
-# This name goes right after the 'listen' statement in haproxy.cfg
-#
-# [*ports*]
-# Ports on which the proxy will listen for connections on the ip address
-# specified in the virtual_ip parameter. Accepts either a single
-# comma-separated string or an array of strings which may be ports or
-# hyphenated port ranges.
-#
-# [*ipaddress*]
-# The ip address the proxy binds to. Empty addresses, '*', and '0.0.0.0'
-# mean that the proxy listens to all valid addresses on the system.
-#
-# [*mode*]
-# The mode of operation for the listening service. Valid values are 'tcp',
-# HTTP', and 'health'.
-#
-# [*options*]
-# A hash of options that are inserted into the listening service
-# configuration block.
-#
-# [*collect_exported*]
-# Boolean, default 'true'. True means 'collect exported @@balancermember resources'
-# (for the case when every balancermember node exports itself), false means
-# 'rely on the existing declared balancermember resources' (for the case when you
-# know the full set of balancermembers in advance and use haproxy::balancermember
-# with array arguments, which allows you to deploy everything in 1 run)
-#
-#
-# === Examples
-#
-# Exporting the resource for a balancer member:
-#
-# haproxy::listen { 'puppet00':
-# ipaddress => $::ipaddress,
-# ports => '18140',
-# mode => 'tcp',
-# options => {
-# 'option' => [
-# 'tcplog',
-# 'ssl-hello-chk'
-# ],
-# 'balance' => 'roundrobin'
-# },
-# }
-#
-# === Authors
-#
-# Gary Larizza <gary@puppetlabs.com>
-#
-define haproxy::listen (
- $ports,
- $ipaddress = [$::ipaddress],
- $mode = 'tcp',
- $collect_exported = true,
- $options = {
- 'option' => [
- 'tcplog',
- 'ssl-hello-chk'
- ],
- 'balance' => 'roundrobin'
- }
-) {
- # Template uses: $name, $ipaddress, $ports, $options
- concat::fragment { "${name}_listen_block":
- order => "20-${name}-00",
- target => '/etc/haproxy/haproxy.cfg',
- content => template('haproxy/haproxy_listen_block.erb'),
- }
-
- if $collect_exported {
- Haproxy::Balancermember <<| listening_service == $name |>>
- }
- # else: the resources have been created and they introduced their
- # concat fragments. We don't have to do anything about them.
-}
diff --git a/puppet/modules/haproxy/manifests/params.pp b/puppet/modules/haproxy/manifests/params.pp
deleted file mode 100644
index 53442ddc..00000000
--- a/puppet/modules/haproxy/manifests/params.pp
+++ /dev/null
@@ -1,65 +0,0 @@
-# == Class: haproxy::params
-#
-# This is a container class holding default parameters for for haproxy class.
-# currently, only the Redhat family is supported, but this can be easily
-# extended by changing package names and configuration file paths.
-#
-class haproxy::params {
- case $osfamily {
- Redhat: {
- $global_options = {
- 'log' => "${::ipaddress} local0",
- 'chroot' => '/var/lib/haproxy',
- 'pidfile' => '/var/run/haproxy.pid',
- 'maxconn' => '4000',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'stats' => 'socket /var/lib/haproxy/stats'
- }
- $defaults_options = {
- 'log' => 'global',
- 'stats' => 'enable',
- 'option' => 'redispatch',
- 'retries' => '3',
- 'timeout' => [
- 'http-request 10s',
- 'queue 1m',
- 'connect 10s',
- 'client 1m',
- 'server 1m',
- 'check 10s',
- ],
- 'maxconn' => '8000'
- }
- }
- Debian: {
- $global_options = {
- 'log' => "${::ipaddress} local0",
- 'chroot' => '/var/lib/haproxy',
- 'pidfile' => '/var/run/haproxy.pid',
- 'maxconn' => '4000',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'stats' => 'socket /var/lib/haproxy/stats'
- }
- $defaults_options = {
- 'log' => 'global',
- 'stats' => 'enable',
- 'option' => 'redispatch',
- 'retries' => '3',
- 'timeout' => [
- 'http-request 10s',
- 'queue 1m',
- 'connect 10s',
- 'client 1m',
- 'server 1m',
- 'check 10s',
- ],
- 'maxconn' => '8000'
- }
- }
- default: { fail("The $::osfamily operating system is not supported with the haproxy module") }
- }
-}
diff --git a/puppet/modules/haproxy/spec/classes/haproxy_spec.rb b/puppet/modules/haproxy/spec/classes/haproxy_spec.rb
deleted file mode 100644
index 4b5902ce..00000000
--- a/puppet/modules/haproxy/spec/classes/haproxy_spec.rb
+++ /dev/null
@@ -1,138 +0,0 @@
-require 'spec_helper'
-
-describe 'haproxy', :type => :class do
- let(:default_facts) do
- {
- :concat_basedir => '/dne',
- :ipaddress => '10.10.10.10'
- }
- end
- context 'on supported platforms' do
- describe 'for OS-agnostic configuration' do
- ['Debian', 'RedHat'].each do |osfamily|
- context "on #{osfamily} family operatingsystems" do
- let(:facts) do
- { :osfamily => osfamily }.merge default_facts
- end
- let(:params) do
- {'enable' => true}
- end
- it { should include_class('concat::setup') }
- it 'should install the haproxy package' do
- subject.should contain_package('haproxy').with(
- 'ensure' => 'present'
- )
- end
- it 'should install the haproxy service' do
- subject.should contain_service('haproxy').with(
- 'ensure' => 'running',
- 'enable' => 'true',
- 'hasrestart' => 'true',
- 'hasstatus' => 'true',
- 'require' => [
- 'Concat[/etc/haproxy/haproxy.cfg]',
- 'File[/var/lib/haproxy]'
- ]
- )
- end
- it 'should set up /etc/haproxy/haproxy.cfg as a concat resource' do
- subject.should contain_concat('/etc/haproxy/haproxy.cfg').with(
- 'owner' => '0',
- 'group' => '0',
- 'mode' => '0644'
- )
- end
- it 'should manage the chroot directory' do
- subject.should contain_file('/var/lib/haproxy').with(
- 'ensure' => 'directory'
- )
- end
- it 'should contain a header concat fragment' do
- subject.should contain_concat__fragment('00-header').with(
- 'target' => '/etc/haproxy/haproxy.cfg',
- 'order' => '01',
- 'content' => "# This file managed by Puppet\n"
- )
- end
- it 'should contain a haproxy-base concat fragment' do
- subject.should contain_concat__fragment('haproxy-base').with(
- 'target' => '/etc/haproxy/haproxy.cfg',
- 'order' => '10'
- )
- end
- describe 'Base concat fragment contents' do
- let(:contents) { param_value(subject, 'concat::fragment', 'haproxy-base', 'content').split("\n") }
- it 'should contain global and defaults sections' do
- contents.should include('global')
- contents.should include('defaults')
- end
- it 'should log to an ip address for local0' do
- contents.should be_any { |match| match =~ / log \d+(\.\d+){3} local0/ }
- end
- it 'should specify the default chroot' do
- contents.should include(' chroot /var/lib/haproxy')
- end
- it 'should specify the correct user' do
- contents.should include(' user haproxy')
- end
- it 'should specify the correct group' do
- contents.should include(' group haproxy')
- end
- it 'should specify the correct pidfile' do
- contents.should include(' pidfile /var/run/haproxy.pid')
- end
- end
- end
- context "on #{osfamily} family operatingsystems without managing the service" do
- let(:facts) do
- { :osfamily => osfamily }.merge default_facts
- end
- let(:params) do
- {
- 'enable' => true,
- 'manage_service' => false,
- }
- end
- it { should include_class('concat::setup') }
- it 'should install the haproxy package' do
- subject.should contain_package('haproxy').with(
- 'ensure' => 'present'
- )
- end
- it 'should install the haproxy service' do
- subject.should_not contain_service('haproxy')
- end
- end
- end
- end
- describe 'for OS-specific configuration' do
- context 'only on Debian family operatingsystems' do
- let(:facts) do
- { :osfamily => 'Debian' }.merge default_facts
- end
- it 'should manage haproxy service defaults' do
- subject.should contain_file('/etc/default/haproxy').with(
- 'before' => 'Service[haproxy]',
- 'require' => 'Package[haproxy]'
- )
- verify_contents(subject, '/etc/default/haproxy', ['ENABLED=1'])
- end
- end
- context 'only on RedHat family operatingsystems' do
- let(:facts) do
- { :osfamily => 'RedHat' }.merge default_facts
- end
- end
- end
- end
- context 'on unsupported operatingsystems' do
- let(:facts) do
- { :osfamily => 'RainbowUnicorn' }.merge default_facts
- end
- it do
- expect {
- should contain_service('haproxy')
- }.to raise_error(Puppet::Error, /operating system is not supported with the haproxy module/)
- end
- end
-end
diff --git a/puppet/modules/haproxy/spec/defines/balancermember_spec.rb b/puppet/modules/haproxy/spec/defines/balancermember_spec.rb
deleted file mode 100644
index 74bc7a8b..00000000
--- a/puppet/modules/haproxy/spec/defines/balancermember_spec.rb
+++ /dev/null
@@ -1,82 +0,0 @@
-require 'spec_helper'
-
-describe 'haproxy::balancermember' do
- let(:title) { 'tyler' }
- let(:facts) do
- {
- :ipaddress => '1.1.1.1',
- :hostname => 'dero'
- }
- end
-
- context 'with a single balancermember option' do
- let(:params) do
- {
- :name => 'tyler',
- :listening_service => 'croy',
- :ports => '18140',
- :options => 'check'
- }
- end
-
- it { should contain_concat__fragment('croy_balancermember_tyler').with(
- 'order' => '20-croy-tyler',
- 'target' => '/etc/haproxy/haproxy.cfg',
- 'content' => " server dero 1.1.1.1:18140 check\n\n"
- ) }
- end
-
- context 'with multiple balancermember options' do
- let(:params) do
- {
- :name => 'tyler',
- :listening_service => 'croy',
- :ports => '18140',
- :options => ['check', 'close']
- }
- end
-
- it { should contain_concat__fragment('croy_balancermember_tyler').with(
- 'order' => '20-croy-tyler',
- 'target' => '/etc/haproxy/haproxy.cfg',
- 'content' => " server dero 1.1.1.1:18140 check close\n\n"
- ) }
- end
-
- context 'with multiple servers' do
- let(:params) do
- {
- :name => 'tyler',
- :listening_service => 'croy',
- :ports => '18140',
- :server_names => ['server01', 'server02'],
- :ipaddresses => ['192.168.56.200', '192.168.56.201'],
- :options => ['check']
- }
- end
-
- it { should contain_concat__fragment('croy_balancermember_tyler').with(
- 'order' => '20-croy-tyler',
- 'target' => '/etc/haproxy/haproxy.cfg',
- 'content' => " server server01 192.168.56.200:18140 check\n server server02 192.168.56.201:18140 check\n\n"
- ) }
- end
- context 'with multiple servers and multiple ports' do
- let(:params) do
- {
- :name => 'tyler',
- :listening_service => 'croy',
- :ports => ['18140','18150'],
- :server_names => ['server01', 'server02'],
- :ipaddresses => ['192.168.56.200', '192.168.56.201'],
- :options => ['check']
- }
- end
-
- it { should contain_concat__fragment('croy_balancermember_tyler').with(
- 'order' => '20-croy-tyler',
- 'target' => '/etc/haproxy/haproxy.cfg',
- 'content' => " server server01 192.168.56.200:18140,192.168.56.200:18150 check\n server server02 192.168.56.201:18140,192.168.56.201:18150 check\n\n"
- ) }
- end
-end
diff --git a/puppet/modules/haproxy/spec/defines/listen_spec.rb b/puppet/modules/haproxy/spec/defines/listen_spec.rb
deleted file mode 100644
index 31dd4c85..00000000
--- a/puppet/modules/haproxy/spec/defines/listen_spec.rb
+++ /dev/null
@@ -1,53 +0,0 @@
-require 'spec_helper'
-
-describe 'haproxy::listen' do
- let(:title) { 'tyler' }
- let(:facts) {{ :ipaddress => '1.1.1.1' }}
- context "when only one port is provided" do
- let(:params) do
- {
- :name => 'croy',
- :ports => '18140'
- }
- end
-
- it { should contain_concat__fragment('croy_listen_block').with(
- 'order' => '20-croy-00',
- 'target' => '/etc/haproxy/haproxy.cfg',
- 'content' => "listen croy\n\n bind 1.1.1.1:18140\n\n balance roundrobin\n option tcplog\n option ssl-hello-chk\n"
- ) }
- end
- context "when an array of ports is provided" do
- let(:params) do
- {
- :name => 'apache',
- :ipaddress => '23.23.23.23',
- :ports => [
- '80',
- '443',
- ]
- }
- end
-
- it { should contain_concat__fragment('apache_listen_block').with(
- 'order' => '20-apache-00',
- 'target' => '/etc/haproxy/haproxy.cfg',
- 'content' => "listen apache\n\n bind 23.23.23.23:80\n\n bind 23.23.23.23:443\n\n balance roundrobin\n option tcplog\n option ssl-hello-chk\n"
- ) }
- end
- context "when a comma-separated list of ports is provided" do
- let(:params) do
- {
- :name => 'apache',
- :ipaddress => '23.23.23.23',
- :ports => '80,443'
- }
- end
-
- it { should contain_concat__fragment('apache_listen_block').with(
- 'order' => '20-apache-00',
- 'target' => '/etc/haproxy/haproxy.cfg',
- 'content' => "listen apache\n\n bind 23.23.23.23:80\n\n bind 23.23.23.23:443\n\n balance roundrobin\n option tcplog\n option ssl-hello-chk\n"
- ) }
- end
-end
diff --git a/puppet/modules/haproxy/spec/spec.opts b/puppet/modules/haproxy/spec/spec.opts
deleted file mode 100644
index 91cd6427..00000000
--- a/puppet/modules/haproxy/spec/spec.opts
+++ /dev/null
@@ -1,6 +0,0 @@
---format
-s
---colour
---loadby
-mtime
---backtrace
diff --git a/puppet/modules/haproxy/spec/spec_helper.rb b/puppet/modules/haproxy/spec/spec_helper.rb
deleted file mode 100644
index 2c6f5664..00000000
--- a/puppet/modules/haproxy/spec/spec_helper.rb
+++ /dev/null
@@ -1 +0,0 @@
-require 'puppetlabs_spec_helper/module_spec_helper'
diff --git a/puppet/modules/haproxy/templates/haproxy-base.cfg.erb b/puppet/modules/haproxy/templates/haproxy-base.cfg.erb
deleted file mode 100644
index f25d5c34..00000000
--- a/puppet/modules/haproxy/templates/haproxy-base.cfg.erb
+++ /dev/null
@@ -1,21 +0,0 @@
-global
-<% @global_options.sort.each do |key,val| -%>
-<% if val.is_a?(Array) -%>
-<% val.each do |item| -%>
- <%= key %> <%= item %>
-<% end -%>
-<% else -%>
- <%= key %> <%= val %>
-<% end -%>
-<% end -%>
-
-defaults
-<% @defaults_options.sort.each do |key,val| -%>
-<% if val.is_a?(Array) -%>
-<% val.each do |item| -%>
- <%= key %> <%= item %>
-<% end -%>
-<% else -%>
- <%= key %> <%= val %>
-<% end -%>
-<% end -%>
diff --git a/puppet/modules/haproxy/templates/haproxy_balancermember.erb b/puppet/modules/haproxy/templates/haproxy_balancermember.erb
deleted file mode 100644
index 1d03f565..00000000
--- a/puppet/modules/haproxy/templates/haproxy_balancermember.erb
+++ /dev/null
@@ -1,3 +0,0 @@
-<% Array(ipaddresses).zip(Array(server_names)).each do |ipaddress,host| -%>
- server <%= host %> <%= ipaddress %>:<%= Array(ports).collect {|x|x.split(',')}.flatten.join(",#{ipaddress}:") %> <%= Array(options).join(" ") %>
-<% end %>
diff --git a/puppet/modules/haproxy/templates/haproxy_listen_block.erb b/puppet/modules/haproxy/templates/haproxy_listen_block.erb
deleted file mode 100644
index 129313f1..00000000
--- a/puppet/modules/haproxy/templates/haproxy_listen_block.erb
+++ /dev/null
@@ -1,10 +0,0 @@
-listen <%= name %>
- mode <%= mode %>
-<% Array(ipaddress).uniq.each do |virtual_ip| (ports.is_a?(Array) ? ports : Array(ports.split(","))).each do |port| %>
- bind <%= virtual_ip %>:<%= port %>
-<% end end %>
-<% options.sort.each do |key, val| -%>
-<% Array(val).each do |item| -%>
- <%= key %> <%= item %>
-<% end -%>
-<% end -%>
diff --git a/puppet/modules/haproxy/tests/init.pp b/puppet/modules/haproxy/tests/init.pp
deleted file mode 100644
index 77590ac8..00000000
--- a/puppet/modules/haproxy/tests/init.pp
+++ /dev/null
@@ -1,69 +0,0 @@
-# Declare haproxy base class with configuration options
-class { 'haproxy':
- enable => true,
- global_options => {
- 'log' => "${::ipaddress} local0",
- 'chroot' => '/var/lib/haproxy',
- 'pidfile' => '/var/run/haproxy.pid',
- 'maxconn' => '4000',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'stats' => 'socket /var/lib/haproxy/stats',
- },
- defaults_options => {
- 'log' => 'global',
- 'stats' => 'enable',
- 'option' => 'redispatch',
- 'retries' => '3',
- 'timeout' => [
- 'http-request 10s',
- 'queue 1m',
- 'connect 10s',
- 'client 1m',
- 'server 1m',
- 'check 10s',
- ],
- 'maxconn' => '8000',
- },
-}
-
-# Export a balancermember server, note that the listening_service parameter
-# will/must correlate with an haproxy::listen defined resource type.
-@@haproxy::balancermember { $fqdn:
- order => '21',
- listening_service => 'puppet00',
- server_name => $::hostname,
- balancer_ip => $::ipaddress,
- balancer_port => '8140',
- balancermember_options => 'check'
-}
-
-# Declare a couple of Listening Services for haproxy.cfg
-# Note that the balancermember server resources are being collected in
-# the haproxy::config defined resource type with the following line:
-# Haproxy::Balancermember <<| listening_service == $name |>>
-haproxy::listen { 'puppet00':
- order => '20',
- ipaddress => $::ipaddress,
- ports => '18140',
- options => {
- 'option' => [
- 'tcplog',
- 'ssl-hello-chk',
- ],
- 'balance' => 'roundrobin',
- },
-}
-haproxy::listen { 'stats':
- order => '30',
- ipaddress => '',
- ports => '9090',
- options => {
- 'mode' => 'http',
- 'stats' => [
- 'uri /',
- 'auth puppet:puppet'
- ],
- },
-}
diff --git a/puppet/modules/leap/manifests/cli/install.pp b/puppet/modules/leap/manifests/cli/install.pp
index 25e87033..d009316b 100644
--- a/puppet/modules/leap/manifests/cli/install.pp
+++ b/puppet/modules/leap/manifests/cli/install.pp
@@ -1,13 +1,20 @@
# installs leap_cli on node
class leap::cli::install ( $source = false ) {
+
+ # nokogiri is a dependency gem of leap_cli and
+ # needs build tools in order to get compiled
+ ensure_packages (['gcc', 'make', 'zlib1g-dev'])
+ class { '::ruby':
+ install_dev => true,
+ require => [ Package['gcc'], Package['make'], Package['zlib1g-dev'] ]
+ }
+
+
if $source {
# needed for building leap_cli from source
include ::git
include ::rubygems
- class { '::ruby':
- install_dev => true
- }
class { 'bundler::install': install_method => 'package' }
@@ -40,7 +47,8 @@ class leap::cli::install ( $source = false ) {
else {
package { 'leap_cli':
ensure => installed,
- provider => gem
+ provider => gem,
+ require => Class['ruby']
}
}
}
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index d758e3ab..f26448e2 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -6,7 +6,7 @@ class leap_mx {
$couchdb_password = $leap_mx['password']
$couchdb_host = 'localhost'
- $couchdb_port = '4096'
+ $couchdb_port = hiera('couchdb_port')
$sources = hiera('sources')
@@ -94,15 +94,11 @@ class leap_mx {
# LEAP-MX CODE AND DEPENDENCIES
#
- package {
- $sources['leap-mx']['package']:
- ensure => $sources['leap-mx']['revision'],
- require => [
- Class['site_apt::leap_repo'],
- User['leap-mx'] ];
-
- 'leap-keymanager':
- ensure => latest;
+ package { $sources['leap-mx']['package']:
+ ensure => $sources['leap-mx']['revision'],
+ require => [
+ Class['site_apt::leap_repo'],
+ User['leap-mx'] ];
}
#
diff --git a/puppet/modules/site_apache/files/autorestart.conf b/puppet/modules/site_apache/files/autorestart.conf
new file mode 100644
index 00000000..8a764e34
--- /dev/null
+++ b/puppet/modules/site_apache/files/autorestart.conf
@@ -0,0 +1,2 @@
+[Service]
+Restart=always
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
index 208c15d5..74116575 100644
--- a/puppet/modules/site_apache/manifests/common.pp
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -13,20 +13,13 @@ class site_apache::common {
# needed for the mod_ssl config
include apache::module::mime
- # load mods depending on apache version
- if ( $::lsbdistcodename == 'jessie' ) {
- # apache >= 2.4, debian jessie
- # needed for mod_ssl config
- include apache::module::socache_shmcb
- # generally needed
- include apache::module::mpm_prefork
- } else {
- # apache < 2.4, debian wheezy
- # for "Order" directive, i.e. main apache2.conf
- include apache::module::authz_host
- }
+ # needed for mod_ssl config
+ include apache::module::socache_shmcb
+ # generally needed
+ include apache::module::mpm_prefork
include site_apache::common::tls
include site_apache::common::acme
+ include site_apache::common::autorestart
}
diff --git a/puppet/modules/site_apache/manifests/common/autorestart.pp b/puppet/modules/site_apache/manifests/common/autorestart.pp
new file mode 100644
index 00000000..8b7b590d
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/common/autorestart.pp
@@ -0,0 +1,30 @@
+#
+# Adds autorestart extension to apache on crash
+#
+class site_apache::common::autorestart {
+
+ file {
+ '/etc/systemd/system/apache2.service.d':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755';
+
+ # Add .placeholder file so directory doesn't get removed by
+ # deb-systemd-helper in a package removal postrm, see
+ # issue #8841 for more details.
+ '/etc/systemd/system/apache2.service.d/.placeholder':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0755';
+ }
+
+ ::systemd::unit_file { 'apache2.service.d/autorestart.conf':
+ source => 'puppet:///modules/site_apache/autorestart.conf',
+ require => [
+ File['/etc/systemd/system/apache2.service.d'],
+ Service['apache'],
+ ]
+ }
+}
diff --git a/puppet/modules/site_apache/spec/classes/autorestart_spec.rb b/puppet/modules/site_apache/spec/classes/autorestart_spec.rb
new file mode 100644
index 00000000..ad9c9f2e
--- /dev/null
+++ b/puppet/modules/site_apache/spec/classes/autorestart_spec.rb
@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe 'site_apache::common::autorestart' do
+ it "should include apache autorestart" do
+ should contain_file('apache2.service.d/autorestart.conf').with_source('puppet:///modules/site_apache/autorestart.conf')
+ end
+end
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
index 1d19094e..ddf69a42 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
@@ -1,5 +1,5 @@
<VirtualHost 127.0.0.1:80>
- ServerName <%= @tor_domain %>
+ ServerName <%= @onion_domain %>
<IfModule mod_headers.c>
Header always unset X-Powered-By
diff --git a/puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap b/puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap
deleted file mode 100644
index bbaac6a2..00000000
--- a/puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap
+++ /dev/null
@@ -1,6 +0,0 @@
-// this file is managed by puppet !
-
-Unattended-Upgrade::Allowed-Origins {
- "leap.se:stable";
-}
-
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp
index 26bd2c6a..60fe0483 100644
--- a/puppet/modules/site_apt/manifests/init.pp
+++ b/puppet/modules/site_apt/manifests/init.pp
@@ -12,21 +12,32 @@ class site_apt {
# leap repo url
$platform_sources = $sources['platform']
$apt_url_platform_basic = $platform_sources['apt']['basic']
+ $apt_platform_component = $platform_sources['apt']['component']
- # needed on jessie hosts for getting pnp4nagios from testing
+ if ( $platform_sources['apt']['codename'] == '') {
+ $apt_platform_codename = $::lsbdistcodename
+ } else {
+ $apt_platform_codename = $platform_sources['apt']['codename']
+ }
+
+ # needed on jessie hosts for getting python-treq from stretch
+ # see https://0xacab.org/leap/platform/issues/8836
if ( $::operatingsystemmajrelease == '8' ) {
- $use_next_release = true
+ $use_next_release = true
+ $custom_preferences = template("site_apt/${::operatingsystem}/preferences_jessie.erb")
} else {
- $use_next_release = false
+ $use_next_release = false
+ $custom_preferences = ''
}
class { 'apt':
- custom_key_dir => 'puppet:///modules/site_apt/keys',
- debian_url => $apt_url_basic,
- security_url => $apt_url_security,
- backports_url => $apt_url_backports,
- use_next_release => $use_next_release,
- repos => 'main'
+ custom_key_dir => 'puppet:///modules/site_apt/keys',
+ debian_url => $apt_url_basic,
+ security_url => $apt_url_security,
+ backports_url => $apt_url_backports,
+ use_next_release => $use_next_release,
+ custom_preferences => $custom_preferences,
+ repos => 'main'
}
# enable http://deb.leap.se debian package repository
diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp
index 5eedce45..1e18b441 100644
--- a/puppet/modules/site_apt/manifests/leap_repo.pp
+++ b/puppet/modules/site_apt/manifests/leap_repo.pp
@@ -4,8 +4,25 @@ class site_apt::leap_repo {
$platform = hiera_hash('platform')
$major_version = $platform['major_version']
+ # on jessie, keys need to be in /etc/apt/...
+ # see https://0xacab.org/leap/platform/issues/8862
+ if ( $::operatingsystemmajrelease == '8' ) {
+ if $::site_apt::apt_platform_component =~ /.*(staging|master).*/ {
+ $archive_key = 'CE433F407BAB443AFEA196C1837C1AD5367429D9'
+ } else {
+ $archive_key = '1E453B2CE87BEE2F7DFE99661E34A1828E207901'
+ }
+ }
+ if ( $::operatingsystemmajrelease != '8' ) {
+ if $::site_apt::apt_platform_component =~ /.*(staging|master).*/ {
+ $archive_key = '/usr/share/keyrings/leap-experimental-archive.gpg'
+ } else {
+ $archive_key = '/usr/share/keyrings/leap-archive.gpg'
+ }
+ }
+
apt::sources_list { 'leap.list':
- content => "deb ${::site_apt::apt_url_platform_basic} ${::lsbdistcodename} main\n",
+ content => "deb [signed-by=${archive_key}] ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_component} ${::site_apt::apt_platform_codename}\n",
before => Exec[refresh_apt]
}
diff --git a/puppet/modules/site_apt/manifests/preferences/passenger.pp b/puppet/modules/site_apt/manifests/preferences/passenger.pp
deleted file mode 100644
index 8cd41f91..00000000
--- a/puppet/modules/site_apt/manifests/preferences/passenger.pp
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# currently, this is only used by static_site to get passenger v4.
-#
-# UPGRADE: this is not needed for jessie.
-#
-class site_apt::preferences::passenger {
-
- apt::preferences_snippet { 'passenger':
- package => 'libapache2-mod-passenger',
- release => "${::lsbdistcodename}-backports",
- priority => 999;
- }
-
-}
diff --git a/puppet/modules/site_apt/manifests/preferences/python_cryptography.pp b/puppet/modules/site_apt/manifests/preferences/python_cryptography.pp
new file mode 100644
index 00000000..d725c1af
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/python_cryptography.pp
@@ -0,0 +1,12 @@
+# Pin python-cryptography to jessie-backports in order to
+# satisfy leap-mx dependency (>=17.0)
+# see https://0xacab.org/leap/platform/issues/8837
+class site_apt::preferences::python_cryptography {
+
+ apt::preferences_snippet { 'python_cryptography':
+ package => 'python-cryptography python-openssl python-pyasn1 python-setuptools python-pkg-resources python-cffi',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999;
+ }
+
+}
diff --git a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp
deleted file mode 100644
index bfeaa7da..00000000
--- a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp
+++ /dev/null
@@ -1,13 +0,0 @@
-class site_apt::preferences::rsyslog {
-
- apt::preferences_snippet {
- 'rsyslog_anon_depends':
- package => 'libestr0 librelp0 rsyslog*',
- priority => '999',
- pin => 'release a=wheezy-backports',
- before => Class['rsyslog::install'];
-
- 'fixed_rsyslog_anon_package':
- ensure => absent;
- }
-}
diff --git a/puppet/modules/site_apt/manifests/unattended_upgrades.pp b/puppet/modules/site_apt/manifests/unattended_upgrades.pp
index 42f1f4c6..ddadd35a 100644
--- a/puppet/modules/site_apt/manifests/unattended_upgrades.pp
+++ b/puppet/modules/site_apt/manifests/unattended_upgrades.pp
@@ -11,8 +11,7 @@ class site_apt::unattended_upgrades {
# configure LEAP upgrades
apt::apt_conf { '51unattended-upgrades-leap':
- source => [
- "puppet:///modules/site_apt/${::lsbdistid}/51unattended-upgrades-leap"],
+ content => template('site_apt/51unattended-upgrades-leap'),
require => Package['unattended-upgrades'],
refresh_apt => false,
}
diff --git a/puppet/modules/site_apt/templates/51unattended-upgrades-leap b/puppet/modules/site_apt/templates/51unattended-upgrades-leap
new file mode 100644
index 00000000..2a3494ef
--- /dev/null
+++ b/puppet/modules/site_apt/templates/51unattended-upgrades-leap
@@ -0,0 +1,5 @@
+// this file is managed by puppet !
+
+Unattended-Upgrade::Origins-Pattern {
+ "site=deb.leap.se,codename=<%= @apt_platform_component %>";
+}
diff --git a/puppet/modules/site_apt/templates/Debian/preferences_jessie.erb b/puppet/modules/site_apt/templates/Debian/preferences_jessie.erb
new file mode 100644
index 00000000..879885dd
--- /dev/null
+++ b/puppet/modules/site_apt/templates/Debian/preferences_jessie.erb
@@ -0,0 +1,19 @@
+Explanation: Debian jessie
+Package: *
+Pin: release o=Debian,n=jessie
+Pin-Priority: 990
+
+Explanation: Debian stretch
+Package: *
+Pin: release o=Debian,n=stretch
+Pin-Priority: 1
+
+Explanation: Debian sid
+Package: *
+Pin: release o=Debian,n=sid
+Pin-Priority: 1
+
+Explanation: Debian fallback
+Package: *
+Pin: release o=Debian
+Pin-Priority: -10
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg
index 337d9ec6..a5375cc8 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg
@@ -1,6 +1,10 @@
/var/log/leap/webapp.log
# check for webapp errors
C Completed 500
+# also alert conflicts. They might be meaningful response codes
+# but so far we were just handing them on from couch and they
+# indicated some actual problem.
+ C Completed 409
# couch connection issues
C webapp.*Could not connect to couch database messages due to 401 Unauthorized: {"error":"unauthorized","reason":"You are not a server admin."}
# ignore RoutingErrors that rails throw when it can't handle a url
diff --git a/puppet/modules/site_check_mk/files/extra_service_conf.mk b/puppet/modules/site_check_mk/files/extra_service_conf.mk
index c7120a96..9212af95 100644
--- a/puppet/modules/site_check_mk/files/extra_service_conf.mk
+++ b/puppet/modules/site_check_mk/files/extra_service_conf.mk
@@ -1,6 +1,9 @@
# retry 3 times before setting a service into a hard state
-# and send out notification
+# Delay a hard state of the APT check for 1 day
+# so unattended_upgrades has time to upgrade packages.
+#
extra_service_conf["max_check_attempts"] = [
+ ("360", ALL_HOSTS , ["APT"] ),
("4", ALL_HOSTS , ALL_SERVICES )
]
@@ -11,4 +14,3 @@ extra_service_conf["max_check_attempts"] = [
extra_service_conf["normal_check_interval"] = [
("4", ALL_HOSTS , "Check_MK" )
]
-
diff --git a/puppet/modules/site_check_mk/manifests/agent/haproxy.pp b/puppet/modules/site_check_mk/manifests/agent/haproxy.pp
deleted file mode 100644
index 6d52efba..00000000
--- a/puppet/modules/site_check_mk/manifests/agent/haproxy.pp
+++ /dev/null
@@ -1,15 +0,0 @@
-class site_check_mk::agent::haproxy {
-
- include site_check_mk::agent::package::nagios_plugins_contrib
-
- # local nagios plugin checks via mrpe
- augeas { 'haproxy':
- incl => '/etc/check_mk/mrpe.cfg',
- lens => 'Spacevars.lns',
- changes => [
- 'rm /files/etc/check_mk/mrpe.cfg/Haproxy',
- 'set Haproxy \'/usr/lib/nagios/plugins/check_haproxy -u "http://localhost:8000/haproxy;csv"\'' ],
- require => File['/etc/check_mk/mrpe.cfg'];
- }
-
-}
diff --git a/puppet/modules/site_config/lib/facter/vagrant.rb b/puppet/modules/site_config/lib/facter/vagrant.rb
new file mode 100644
index 00000000..29a218dd
--- /dev/null
+++ b/puppet/modules/site_config/lib/facter/vagrant.rb
@@ -0,0 +1,8 @@
+# Checks if systems runs inside vagrant
+require 'facter'
+
+Facter.add(:vagrant) do
+ setcode do
+ FileTest.exists?('/vagrant')
+ end
+end
diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp
index d2ef8a98..e74ad567 100644
--- a/puppet/modules/site_config/manifests/files.pp
+++ b/puppet/modules/site_config/manifests/files.pp
@@ -3,10 +3,10 @@ class site_config::files {
file {
'/srv/leap':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0711';
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0711';
[ '/etc/leap', '/var/lib/leap']:
ensure => directory,
diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp
index 2b3e13b9..5b9a2602 100644
--- a/puppet/modules/site_config/manifests/packages/build_essential.pp
+++ b/puppet/modules/site_config/manifests/packages/build_essential.pp
@@ -16,12 +16,6 @@ class site_config::packages::build_essential inherits ::site_config::packages {
}
}
- /^7.*/: {
- Package[ 'gcc-4.7','g++-4.7', 'cpp-4.7' ] {
- ensure => present
- }
- }
-
default: { }
}
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index 012b3ce0..2c9687a3 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -1,3 +1,4 @@
+# Default parameters
class site_config::params {
$ip_address = hiera('ip_address')
@@ -5,9 +6,16 @@ class site_config::params {
$ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}")
$environment = hiera('environment', undef)
-
- if $environment == 'local' {
- $interface = 'eth1'
+ if str2bool("$::vagrant") {
+ # Depending on the backend hypervisor networking is setup differently.
+ if $::interfaces =~ /eth1/ {
+ # Virtualbox: Private networking creates a second interface eth1
+ $interface = 'eth1'
+ }
+ else {
+ # KVM/Libvirt: Private networking is done by defauly on first interface
+ $interface = 'eth0'
+ }
include site_config::packages::build_essential
}
elsif hiera('interface','') != '' {
diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp
index 443df9c2..be6cdfd8 100644
--- a/puppet/modules/site_config/manifests/remove.pp
+++ b/puppet/modules/site_config/manifests/remove.pp
@@ -2,6 +2,11 @@
class site_config::remove {
include site_config::remove::files
+ package { 'leap-keyring':
+ ensure => purged,
+ }
+
+
case $::operatingsystemrelease {
/^8.*/: {
include site_config::remove::jessie
diff --git a/puppet/modules/site_config/manifests/remove/jessie.pp b/puppet/modules/site_config/manifests/remove/jessie.pp
index e9497baf..2fdc4794 100644
--- a/puppet/modules/site_config/manifests/remove/jessie.pp
+++ b/puppet/modules/site_config/manifests/remove/jessie.pp
@@ -7,8 +7,9 @@ class site_config::remove::jessie {
}
apt::preferences_snippet {
- [ 'facter', 'obfsproxy', 'python-twisted', 'unbound' ]:
- ensure => absent;
+ [ 'facter', 'obfsproxy', 'python-twisted', 'unbound', 'passenger',
+ 'rsyslog_anon_depends' ]:
+ ensure => absent;
}
}
diff --git a/puppet/modules/site_config/manifests/remove/webapp.pp b/puppet/modules/site_config/manifests/remove/webapp.pp
index 58f59815..963eb705 100644
--- a/puppet/modules/site_config/manifests/remove/webapp.pp
+++ b/puppet/modules/site_config/manifests/remove/webapp.pp
@@ -4,4 +4,16 @@ class site_config::remove::webapp {
'/etc/apache/sites-enabled/leap_webapp.conf':
notify => Service['apache'];
}
+
+ # Ensure haproxy is removed
+ package { 'haproxy':
+ ensure => purged,
+ }
+ augeas { 'haproxy':
+ incl => '/etc/check_mk/mrpe.cfg',
+ lens => 'Spacevars.lns',
+ changes => [ 'rm /files/etc/check_mk/mrpe.cfg/Haproxy' ],
+ require => File['/etc/check_mk/mrpe.cfg'];
+ }
+
}
diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp
index 82dfe76d..ce0f91d4 100644
--- a/puppet/modules/site_config/manifests/setup.pp
+++ b/puppet/modules/site_config/manifests/setup.pp
@@ -37,7 +37,7 @@ class site_config::setup {
# we need to include shorewall::interface{eth0} in setup.pp so
# packages can be installed during main puppetrun, even before shorewall
# is configured completly
- if ( $::site_config::params::environment == 'local' ) {
+ if str2bool($::vagrant) {
include site_config::vagrant
}
diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp
index 591e0601..096d5d77 100644
--- a/puppet/modules/site_config/manifests/syslog.pp
+++ b/puppet/modules/site_config/manifests/syslog.pp
@@ -1,25 +1,17 @@
# configure rsyslog on all nodes
class site_config::syslog {
- # only pin rsyslog packages to backports on wheezy
- case $::operatingsystemrelease {
- /^7.*/: {
- include ::site_apt::preferences::rsyslog
- }
- # on jessie+ systems, systemd and journald are enabled,
- # and journald logs IP addresses, so we need to disable
- # it until a solution is found, (#7863):
- # https://github.com/systemd/systemd/issues/2447
- default: {
- include ::journald
- augeas {
- 'disable_journald':
- incl => '/etc/systemd/journald.conf',
- lens => 'Puppet.lns',
- changes => 'set /files/etc/systemd/journald.conf/Journal/Storage \'none\'',
- notify => Service['systemd-journald'];
- }
- }
+ # on jessie+ systems, systemd and journald are enabled,
+ # and journald logs IP addresses, so we need to disable
+ # it until a solution is found, (#7863):
+ # https://github.com/systemd/systemd/issues/2447
+ include ::journald
+ augeas {
+ 'disable_journald':
+ incl => '/etc/systemd/journald.conf',
+ lens => 'Puppet.lns',
+ changes => 'set /files/etc/systemd/journald.conf/Journal/Storage \'none\'',
+ notify => Service['systemd-journald'];
}
class { '::rsyslog::client':
diff --git a/puppet/modules/site_config/manifests/vagrant.pp b/puppet/modules/site_config/manifests/vagrant.pp
index 8f50b305..1682de8b 100644
--- a/puppet/modules/site_config/manifests/vagrant.pp
+++ b/puppet/modules/site_config/manifests/vagrant.pp
@@ -1,11 +1,15 @@
+# Gets included on vagrant nodes
class site_config::vagrant {
- # class for vagrant nodes
include site_shorewall::defaults
- # eth0 on vagrant nodes is the uplink if
- shorewall::interface { 'eth0':
- zone => 'net',
- options => 'tcpflags,blacklist,nosmurfs';
+
+ if ( $::site_config::params::interface == 'eth1' ) {
+ # Don't block eth0 even if eth1 is configured, because
+ # it's vagrant's main interface to access the box
+ shorewall::interface { 'eth0':
+ zone => 'net',
+ options => 'tcpflags,blacklist,nosmurfs';
+ }
}
}
diff --git a/puppet/modules/site_couchdb/files/designs/identities/Identity.json b/puppet/modules/site_couchdb/files/designs/identities/Identity.json
index b1c567c1..c099ae4a 100644
--- a/puppet/modules/site_couchdb/files/designs/identities/Identity.json
+++ b/puppet/modules/site_couchdb/files/designs/identities/Identity.json
@@ -9,14 +9,14 @@
"all": {
"map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n"
},
- "cert_fingerprints_by_expiry": {
- "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.cert_fingerprints === \"object\") {\n for (fp in doc.cert_fingerprints) {\n if (doc.cert_fingerprints.hasOwnProperty(fp)) {\n emit(doc.cert_fingerprints[fp], fp);\n }\n }\n }\n}\n"
+ "disabled": {
+ "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n}\n"
},
"cert_expiry_by_fingerprint": {
"map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.cert_fingerprints === \"object\") {\n for (fp in doc.cert_fingerprints) {\n if (doc.cert_fingerprints.hasOwnProperty(fp)) {\n emit(fp, doc.cert_fingerprints[fp]);\n }\n }\n }\n}\n"
},
- "disabled": {
- "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n}\n"
+ "cert_fingerprints_by_expiry": {
+ "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.cert_fingerprints === \"object\") {\n for (fp in doc.cert_fingerprints) {\n if (doc.cert_fingerprints.hasOwnProperty(fp)) {\n emit(doc.cert_fingerprints[fp], fp);\n }\n }\n }\n}\n"
},
"pgp_key_by_email": {
"map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.keys === \"object\") {\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n}\n"
diff --git a/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json b/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json
index 006c1ea1..d6e1e9d5 100644
--- a/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json
+++ b/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json
@@ -1,22 +1,26 @@
{
- "_id": "_design/InviteCode",
- "language": "javascript",
- "views": {
- "by__id": {
- "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['_id'] != null)) {\n emit(doc['_id'], 1);\n }\n }\n",
- "reduce": "_sum"
- },
- "by_invite_code": {
- "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_code'] != null)) {\n emit(doc['invite_code'], 1);\n }\n }\n",
- "reduce": "_sum"
- },
- "by_invite_count": {
- "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_count'] != null)) {\n emit(doc['invite_count'], 1);\n }\n }\n",
- "reduce": "_sum"
- },
- "all": {
- "map": " function(doc) {\n if (doc['type'] == 'InviteCode') {\n emit(doc._id, null);\n }\n }\n"
- }
- },
- "couchrest-hash": "83fb8f504520b4a9c7ddbb7928cd0ce3"
+ "_id": "_design/InviteCode",
+ "language": "javascript",
+ "views": {
+ "by_invite_code": {
+ "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_code'] != null)) {\n emit(doc['invite_code'], 1);\n }\n }\n",
+ "reduce": "_sum"
+ },
+ "by_invite_count": {
+ "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_count'] != null)) {\n emit(doc['invite_count'], 1);\n }\n }\n",
+ "reduce": "_sum"
+ },
+ "by_created_at": {
+ "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n",
+ "reduce": "_sum"
+ },
+ "by_updated_at": {
+ "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['updated_at'] != null)) {\n emit(doc['updated_at'], 1);\n }\n }\n",
+ "reduce": "_sum"
+ },
+ "all": {
+ "map": " function(doc) {\n if (doc['type'] == 'InviteCode') {\n emit(doc._id, null);\n }\n }\n"
+ }
+ },
+ "couchrest-hash": "2d1883c83164a0be127c3a569d9c1902"
} \ No newline at end of file
diff --git a/puppet/modules/site_couchdb/files/designs/messages/Message.json b/puppet/modules/site_couchdb/files/designs/messages/Message.json
index 6a48fc4d..2cb031c6 100644
--- a/puppet/modules/site_couchdb/files/designs/messages/Message.json
+++ b/puppet/modules/site_couchdb/files/designs/messages/Message.json
@@ -2,14 +2,14 @@
"_id": "_design/Message",
"language": "javascript",
"views": {
- "by_user_ids_to_show": {
- "map": "function (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit(userId, 1);\n });\n }\n}\n",
- "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n"
- },
"by_user_ids_to_show_and_created_at": {
"map": "// not using at moment\n// call with something like Message.by_user_ids_to_show_and_created_at.startkey([user_id, start_date]).endkey([user_id,end_date])\nfunction (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit([userId, doc.created_at], 1);\n });\n }\n}\n",
"reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n"
},
+ "by_user_ids_to_show": {
+ "map": "function (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit(userId, 1);\n });\n }\n}\n",
+ "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n"
+ },
"all": {
"map": " function(doc) {\n if (doc['type'] == 'Message') {\n emit(doc._id, null);\n }\n }\n"
}
diff --git a/puppet/modules/site_couchdb/files/designs/shared/docs.json b/puppet/modules/site_couchdb/files/designs/shared/docs.json
deleted file mode 100644
index 004180cd..00000000
--- a/puppet/modules/site_couchdb/files/designs/shared/docs.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "_id": "_design/docs",
- "views": {
- "get": {
- "map": "function(doc) {\n if (doc.u1db_rev) {\n var is_tombstone = true;\n var has_conflicts = false;\n if (doc._attachments) {\n if (doc._attachments.u1db_content)\n is_tombstone = false;\n if (doc._attachments.u1db_conflicts)\n has_conflicts = true;\n }\n emit(doc._id,\n {\n \"couch_rev\": doc._rev,\n \"u1db_rev\": doc.u1db_rev,\n \"is_tombstone\": is_tombstone,\n \"has_conflicts\": has_conflicts,\n }\n );\n }\n}\n"
- }
- }
-} \ No newline at end of file
diff --git a/puppet/modules/site_couchdb/files/designs/shared/syncs.json b/puppet/modules/site_couchdb/files/designs/shared/syncs.json
deleted file mode 100644
index bab5622f..00000000
--- a/puppet/modules/site_couchdb/files/designs/shared/syncs.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "_id": "_design/syncs",
- "updates": {
- "put": "function(doc, req){\n if (!doc) {\n doc = {}\n doc['_id'] = 'u1db_sync_log';\n doc['syncs'] = [];\n }\n body = JSON.parse(req.body);\n // remove outdated info\n doc['syncs'] = doc['syncs'].filter(\n function (entry) {\n return entry[0] != body['other_replica_uid'];\n }\n );\n // store u1db rev\n doc['syncs'].push([\n body['other_replica_uid'],\n body['other_generation'],\n body['other_transaction_id']\n ]);\n return [doc, 'ok'];\n}\n\n"
- },
- "views": {
- "log": {
- "map": "function(doc) {\n if (doc._id == 'u1db_sync_log') {\n if (doc.syncs)\n doc.syncs.forEach(function (entry) {\n emit(entry[0],\n {\n 'known_generation': entry[1],\n 'known_transaction_id': entry[2]\n });\n });\n }\n}\n"
- }
- }
-} \ No newline at end of file
diff --git a/puppet/modules/site_couchdb/files/designs/shared/transactions.json b/puppet/modules/site_couchdb/files/designs/shared/transactions.json
deleted file mode 100644
index 106ad46c..00000000
--- a/puppet/modules/site_couchdb/files/designs/shared/transactions.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "_id": "_design/transactions",
- "lists": {
- "generation": "function(head, req) {\n var row;\n var rows=[];\n // fetch all rows\n while(row = getRow()) {\n rows.push(row);\n }\n if (rows.length > 0)\n send(JSON.stringify({\n \"generation\": rows.length,\n \"doc_id\": rows[rows.length-1]['id'],\n \"transaction_id\": rows[rows.length-1]['value']\n }));\n else\n send(JSON.stringify({\n \"generation\": 0,\n \"doc_id\": \"\",\n \"transaction_id\": \"\",\n }));\n}\n",
- "trans_id_for_gen": "function(head, req) {\n var row;\n var rows=[];\n var i = 1;\n var gen = 1;\n if (req.query.gen)\n gen = parseInt(req.query['gen']);\n // fetch all rows\n while(row = getRow())\n rows.push(row);\n if (gen <= rows.length)\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": rows[gen-1]['id'],\n \"transaction_id\": rows[gen-1]['value'],\n }));\n else\n send('{}');\n}\n",
- "whats_changed": "function(head, req) {\n var row;\n var gen = 1;\n var old_gen = 0;\n if (req.query.old_gen)\n old_gen = parseInt(req.query['old_gen']);\n send('{\"transactions\":[\\n');\n // fetch all rows\n while(row = getRow()) {\n if (gen > old_gen) {\n if (gen > old_gen+1)\n send(',\\n');\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": row[\"id\"],\n \"transaction_id\": row[\"value\"]\n }));\n }\n gen++;\n }\n send('\\n]}');\n}\n"
- },
- "views": {
- "log": {
- "map": "function(doc) {\n if (doc.u1db_transactions)\n doc.u1db_transactions.forEach(function(t) {\n emit(t[0], // use timestamp as key so the results are ordered\n t[1]); // value is the transaction_id\n });\n}\n"
- }
- }
-} \ No newline at end of file
diff --git a/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json b/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json
index 578f632b..7ec24634 100644
--- a/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json
+++ b/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json
@@ -22,8 +22,12 @@
"map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['updated_at'] != null)) {\n emit([doc['is_open'], doc['updated_at']], 1);\n }\n }\n",
"reduce": "_sum"
},
- "by_includes_post_by_and_is_open_and_created_at": {
- "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.created_at], 1);\n }\n });\n }\n}\n",
+ "by_includes_post_by_and_updated_at": {
+ "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n",
+ "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n"
+ },
+ "by_includes_post_by_and_created_at": {
+ "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.created_at], 1);\n }\n });\n }\n}\n",
"reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n"
},
"by_includes_post_by": {
@@ -34,12 +38,8 @@
"map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.updated_at], 1);\n }\n });\n }\n}\n",
"reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n"
},
- "by_includes_post_by_and_created_at": {
- "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.created_at], 1);\n }\n });\n }\n}\n",
- "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n"
- },
- "by_includes_post_by_and_updated_at": {
- "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n",
+ "by_includes_post_by_and_is_open_and_created_at": {
+ "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.created_at], 1);\n }\n });\n }\n}\n",
"reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n"
},
"all": {
diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp
index e5fd94c6..33687999 100644
--- a/puppet/modules/site_couchdb/manifests/designs.pp
+++ b/puppet/modules/site_couchdb/manifests/designs.pp
@@ -11,6 +11,14 @@ class site_couchdb::designs {
mode => '0755'
}
+ #cleanup leftovers from before soledad created its db
+ file {
+ '/srv/leap/couchdb/designs/shared/':
+ ensure => absent,
+ recurse => true,
+ force => true,
+ }
+
site_couchdb::upload_design {
'customers': design => 'customers/Customer.json';
'identities': design => 'identities/Identity.json';
@@ -19,15 +27,6 @@ class site_couchdb::designs {
'users': design => 'users/User.json';
'tmp_users': design => 'users/User.json';
'invite_codes': design => 'invite_codes/InviteCode.json';
- 'shared_docs':
- db => 'shared',
- design => 'shared/docs.json';
- 'shared_syncs':
- db => 'shared',
- design => 'shared/syncs.json';
- 'shared_transactions':
- db => 'shared',
- design => 'shared/transactions.json';
}
$sessions_db = rotated_db_name('sessions', 'monthly')
diff --git a/puppet/modules/site_haproxy/files/haproxy-stats.cfg b/puppet/modules/site_haproxy/files/haproxy-stats.cfg
deleted file mode 100644
index e6335ba2..00000000
--- a/puppet/modules/site_haproxy/files/haproxy-stats.cfg
+++ /dev/null
@@ -1,6 +0,0 @@
-# provide access to stats for the nagios plugin
-listen stats 127.0.0.1:8000
- mode http
- stats enable
- stats uri /haproxy
-
diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp
deleted file mode 100644
index b28ce80e..00000000
--- a/puppet/modules/site_haproxy/manifests/init.pp
+++ /dev/null
@@ -1,41 +0,0 @@
-class site_haproxy {
- $haproxy = hiera('haproxy')
-
- class { 'haproxy':
- enable => true,
- manage_service => true,
- global_options => {
- 'log' => '127.0.0.1 local0',
- 'maxconn' => '4096',
- 'stats' => 'socket /var/run/haproxy.sock user haproxy group haproxy',
- 'chroot' => '/usr/share/haproxy',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => ''
- },
- defaults_options => {
- 'log' => 'global',
- 'retries' => '3',
- 'option' => 'redispatch',
- 'timeout connect' => '4000',
- 'timeout client' => '20000',
- 'timeout server' => '20000'
- }
- }
-
- # monitor haproxy
- concat::fragment { 'stats':
- target => '/etc/haproxy/haproxy.cfg',
- order => '90',
- source => 'puppet:///modules/site_haproxy/haproxy-stats.cfg';
- }
-
- # Template uses $haproxy
- concat::fragment { 'leap_haproxy_webapp_couchdb':
- target => '/etc/haproxy/haproxy.cfg',
- order => '20',
- content => template('site_haproxy/haproxy.cfg.erb'),
- }
-
- include site_check_mk::agent::haproxy
-}
diff --git a/puppet/modules/site_haproxy/templates/couch.erb b/puppet/modules/site_haproxy/templates/couch.erb
deleted file mode 100644
index f42e8368..00000000
--- a/puppet/modules/site_haproxy/templates/couch.erb
+++ /dev/null
@@ -1,32 +0,0 @@
-frontend couch
- bind localhost:<%= @listen_port %>
- mode http
- option httplog
- option dontlognull
- option http-server-close # use client keep-alive, but close server connection.
- use_backend couch_read if METH_GET
- default_backend couch_write
-
-backend couch_write
- mode http
- balance roundrobin
- option httpchk GET / # health check using simple get to root
- option allbackups # balance among all backups, not just one.
- default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1
-<%- @servers.sort.each do |name,server| -%>
-<%- next unless server['writable'] -%>
- # <%=name%>
- server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%='backup' if server['backup']%> weight <%=server['weight']%> check
-<%- end -%>
-
-backend couch_read
- mode http
- balance roundrobin
- option httpchk GET / # health check using simple get to root
- option allbackups # balance among all backups, not just one.
- default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1
-<%- @servers.sort.each do |name,server| -%>
- # <%=name%>
- server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%='backup' if server['backup']%> weight <%=server['weight']%> check
-<%- end -%>
-
diff --git a/puppet/modules/site_haproxy/templates/haproxy.cfg.erb b/puppet/modules/site_haproxy/templates/haproxy.cfg.erb
deleted file mode 100644
index 8311b1a5..00000000
--- a/puppet/modules/site_haproxy/templates/haproxy.cfg.erb
+++ /dev/null
@@ -1,11 +0,0 @@
-<%- @haproxy.each do |frontend, options| -%>
-<%- if options['servers'] -%>
-
-##
-## <%= frontend %>
-##
-
-<%= scope.function_templatewlv(["site_haproxy/#{frontend}.erb", options]) %>
-<%- end -%>
-<%- end -%>
-
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
index c910a45a..28a01d4a 100644
--- a/puppet/modules/site_mx/manifests/init.pp
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -13,11 +13,12 @@ class site_mx {
include ::site_stunnel
include ::site_postfix::mx
- include ::site_haproxy
include ::site_shorewall::mx
include ::site_shorewall::service::smtp
include ::leap_mx
include ::site_check_mk::agent::mx
# install twisted from jessie backports
include ::site_apt::preferences::twisted
+ # install python-cryptography from jessie backports
+ include ::site_apt::preferences::python_cryptography
}
diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
index 62f26f2c..1a9f266e 100644
--- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
+++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
@@ -773,7 +773,7 @@ accept_passive_host_checks=1
# service notifications when it is initially (re)started.
# Values: 1 = enable notifications, 0 = disable notifications
-enable_notifications=1
+enable_notifications=0
@@ -1299,4 +1299,3 @@ host_perfdata_file_template=DATATYPE::HOSTPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$H
host_perfdata_file_mode=a
host_perfdata_file_processing_interval=15
host_perfdata_file_processing_command=process-host-perfdata-file-pnp4nagios-bulk-npcd
-
diff --git a/puppet/modules/site_nagios/manifests/server/apache.pp b/puppet/modules/site_nagios/manifests/server/apache.pp
index 82962e89..98d38122 100644
--- a/puppet/modules/site_nagios/manifests/server/apache.pp
+++ b/puppet/modules/site_nagios/manifests/server/apache.pp
@@ -17,9 +17,6 @@ class site_nagios::server::apache {
include apache::module::php5
include apache::module::cgi
- # apache >= 2.4, debian jessie
- if ( $::lsbdistcodename == 'jessie' ) {
- include apache::module::authn_core
- }
+ include apache::module::authn_core
}
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
index ad97f829..48f7b73d 100644
--- a/puppet/modules/site_nickserver/manifests/init.pp
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -1,9 +1,8 @@
#
-# TODO: currently, this is dependent on some things that are set up in
+# TODO: currently, this is dependent on one thing that is set up in
# site_webapp
#
-# (1) HAProxy -> couchdb
-# (2) Apache
+# (1) Apache
#
# It would be good in the future to make nickserver installable independently of
# site_webapp.
@@ -29,10 +28,11 @@ class site_nickserver {
# the port that nickserver is actually running on
$nickserver_local_port = '64250'
- # couchdb is available on localhost via haproxy, which is bound to 4096.
+ # couchdb is available on localhost:
+ # - When couchdb is running on a different node: Via stunnel, which is bound to 4000.
+ # - When couchdb is running on the same node: On port 5984
$couchdb_host = 'localhost'
- # See site_webapp/templates/haproxy_couchdb.cfg.erg
- $couchdb_port = '4096'
+ $couchdb_port = $nickserver['couchdb_port']
$sources = hiera('sources')
@@ -61,21 +61,30 @@ class site_nickserver {
require => Group['nickserver'];
}
+ # Eariler we used bundle install without --deployment
+ exec { 'clean_git_repo':
+ cwd => '/srv/leap/nickserver',
+ user => 'nickserver',
+ command => '/usr/bin/git checkout Gemfile.lock',
+ onlyif => '/usr/bin/git status | /bin/grep -q "modified: *Gemfile.lock"',
+ require => Package['git']
+ }
+
vcsrepo { '/srv/leap/nickserver':
- ensure => present,
+ ensure => latest,
revision => $sources['nickserver']['revision'],
provider => $sources['nickserver']['type'],
source => $sources['nickserver']['source'],
owner => 'nickserver',
group => 'nickserver',
- require => [ User['nickserver'], Group['nickserver'] ],
+ require => [ User['nickserver'], Group['nickserver'], Exec['clean_git_repo'] ],
notify => Exec['nickserver_bundler_update'];
}
exec { 'nickserver_bundler_update':
cwd => '/srv/leap/nickserver',
- command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
- unless => '/usr/bin/bundle check',
+ command => '/usr/bin/bundle install --deployment',
+ unless => '/bin/bash -c "/usr/bin/bundle config --local frozen 1; /usr/bin/bundle check"',
user => 'nickserver',
timeout => 600,
require => [
@@ -101,42 +110,26 @@ class site_nickserver {
# NICKSERVER DAEMON
#
- file {
- '/usr/bin/nickserver':
- ensure => link,
- target => '/srv/leap/nickserver/bin/nickserver',
- require => Vcsrepo['/srv/leap/nickserver'];
-
- '/etc/init.d/nickserver':
- owner => root,
- group => 0,
- mode => '0755',
- source => '/srv/leap/nickserver/dist/debian-init-script',
- require => Vcsrepo['/srv/leap/nickserver'];
+ file { '/usr/bin/nickserver':
+ ensure => link,
+ target => '/srv/leap/nickserver/bin/nickserver',
+ require => Vcsrepo['/srv/leap/nickserver'];
}
- # register initscript at systemd on nodes newer than wheezy
- # see https://leap.se/code/issues/7614
- case $::operatingsystemrelease {
- /^7.*/: { }
- default: {
- exec { 'register_systemd_nickserver':
- refreshonly => true,
- command => '/bin/systemctl enable nickserver',
- subscribe => File['/etc/init.d/nickserver'],
- before => Service['nickserver'];
- }
- }
+ ::systemd::unit_file {'nickserver.service':
+ ensure => present,
+ source => '/srv/leap/nickserver/dist/nickserver.service',
+ subscribe => Vcsrepo['/srv/leap/nickserver'],
+ require => File['/usr/bin/nickserver'];
}
service { 'nickserver':
- ensure => running,
- enable => true,
- hasrestart => true,
- hasstatus => true,
- require => [
- File['/etc/init.d/nickserver'],
- File['/usr/bin/nickserver'],
+ ensure => running,
+ provider => 'systemd',
+ enable => true,
+ require => [
+ Systemd::Unit_file['nickserver.service'],
+ Exec['systemctl-daemon-reload'],
Class['Site_config::X509::Key'],
Class['Site_config::X509::Cert'],
Class['Site_config::X509::Ca'] ];
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index f1ecefb9..ee7d6840 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -68,7 +68,7 @@ class site_openvpn {
# find out the netmask in cidr format of the primary IF
# thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/
# we can do this using an inline_template:
- $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}"
+ $factname_primary_netmask = "netmask_${::site_config::params::interface}"
$primary_netmask = inline_template('<%= scope.lookupvar(@factname_primary_netmask) %>')
# deploy dh keys
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 15e6fb38..f33ab17c 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -209,20 +209,15 @@ define site_openvpn::server_config(
server => $openvpn_configname;
}
- # register openvpn services at systemd on nodes newer than wheezy
+ # register openvpn services at systemd
# see https://leap.se/code/issues/7798
- case $::operatingsystemrelease {
- /^7.*/: { }
- default: {
- exec { "enable_systemd_${openvpn_configname}":
- refreshonly => true,
- command => "/bin/systemctl enable openvpn@${openvpn_configname}",
- subscribe => File["/etc/openvpn/${openvpn_configname}.conf"],
- notify => Service["openvpn@${openvpn_configname}"];
- }
- service { "openvpn@${openvpn_configname}":
- ensure => running
- }
- }
+ exec { "enable_systemd_${openvpn_configname}":
+ refreshonly => true,
+ command => "/bin/systemctl enable openvpn@${openvpn_configname}",
+ subscribe => File["/etc/openvpn/${openvpn_configname}.conf"],
+ notify => Service["openvpn@${openvpn_configname}"];
+ }
+ service { "openvpn@${openvpn_configname}":
+ ensure => running
}
}
diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
index e76b756b..f2d2bc70 100644
--- a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
+++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb
@@ -1,11 +1,21 @@
#!/bin/sh
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/<%= @primary_netmask %> ||
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q "inet <%= @openvpn_gateway_address %>/" ||
ip addr add <%= @openvpn_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
+EXITCODE=$?
+if [ $EXITCODE != 0 ]; then
+ exit $EXITCODE
+fi
+
<% if @openvpn_second_gateway_address %>
-ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> ||
+ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q "<%= @openvpn_second_gateway_address %>/" ||
ip addr add <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %>
+
+EXITCODE=$?
+if [ $EXITCODE != 0 ]; then
+ exit $EXITCODE
+fi
<% end %>
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 2dac85f5..e94320c9 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -140,21 +140,13 @@ class site_postfix::mx {
# greater verbosity for debugging, take out for production
#include site_postfix::debug
- case $::operatingsystemrelease {
- /^7.*/: {
- $smtpd_relay_restrictions=''
- }
- default: {
- $smtpd_relay_restrictions=" -o smtpd_relay_restrictions=\$smtps_relay_restrictions\n"
- }
- }
-
$mastercf_tail = "
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_tls_security_level=encrypt
-o tls_preempt_cipherlist=yes
-${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
+ -o smtpd_relay_restrictions=\$smtps_relay_restrictions
+ -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
-o smtpd_helo_restrictions=\$smtps_helo_restrictions
-o smtpd_client_restrictions=
-o cleanup_service_name=clean_smtps
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index a9202da4..7d5c728a 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -57,13 +57,8 @@ class site_sshd {
# therefore we don't use it here, but include all other options
# that would be applied by the 'hardened' parameter
# not all options are available on wheezy
- if ( $::lsbdistcodename == 'wheezy' ) {
- $tail_additional_options = 'Ciphers aes256-ctr
+ $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
- } else {
- $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
- }
##
## SSHD SERVER CONFIGURATION
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
index 6cf2c653..e456c94e 100644
--- a/puppet/modules/site_static/manifests/domain.pp
+++ b/puppet/modules/site_static/manifests/domain.pp
@@ -1,25 +1,30 @@
# configure static service for domain
define site_static::domain (
- $ca_cert,
+ $ca_cert=undef,
$key,
$cert,
$tls_only=true,
$use_hidden_service=false,
$locations=undef,
$aliases=undef,
- $apache_config=undef) {
+ $apache_config=undef,
+ $www_alias=false) {
$domain = $name
$base_dir = '/srv/static'
- $cafile = "${cert}\n${ca_cert}"
+ if ($ca_cert) {
+ $certfile = "${cert}\n${ca_cert}"
+ } else {
+ $certfile = $cert
+ }
if is_hash($locations) {
create_resources(site_static::location, $locations)
}
x509::cert { $domain:
- content => $cafile,
+ content => $certfile,
notify => Service[apache]
}
x509::key { $domain:
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index f1f15f8e..c5d12c34 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
@@ -1,26 +1,32 @@
# create hidden service for static sites
-class site_static::hidden_service {
+class site_static::hidden_service ( $single_hop = false, $v3 = false ) {
+ Class['site_tor::hidden_service'] -> Class['site_static::hidden_service']
+ include site_tor::hidden_service
+
+ tor::daemon::hidden_service { 'static':
+ ports => [ '80 127.0.0.1:80'],
+ single_hop => $single_hop,
+ v3 => $v3
+ }
- include tor::daemon
- tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'] }
file {
- '/var/lib/tor/webapp/':
- ensure => directory,
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '2700';
+ '/var/lib/tor/static/':
+ ensure => directory,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '2700';
'/var/lib/tor/static/private_key':
- ensure => present,
- source => "/srv/leap/files/nodes/${::hostname}/tor.key",
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0600',
- notify => Service['tor'];
+ ensure => present,
+ source => "/srv/leap/files/nodes/${::hostname}/tor.key",
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0600',
+ notify => Service['tor'];
'/var/lib/tor/static/hostname':
ensure => present,
- content => "${::site_static::tor_domain}\n",
+ content => "${::site_static::onion_domain}\n",
owner => 'debian-tor',
group => 'debian-tor',
mode => '0600',
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index dd3f912d..fdc5782f 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -7,11 +7,17 @@ class site_static {
include site_config::x509::key
include site_config::x509::ca_bundle
- $static = hiera('static')
- $domains = $static['domains']
- $formats = $static['formats']
- $bootstrap = $static['bootstrap_files']
- $tor = hiera('tor', false)
+ $services = hiera('services', [])
+ $static = hiera('static')
+ $domains = $static['domains']
+ $formats = $static['formats']
+ $bootstrap = $static['bootstrap_files']
+ $tor = hiera('tor', false)
+ if $tor and member($services, 'tor_hidden_service') {
+ $onion_active = true
+ } else {
+ $onion_active = false
+ }
file {
'/srv/static/':
@@ -54,10 +60,8 @@ class site_static {
include site_config::ruby::dev
if (member($formats, 'rack')) {
- include site_apt::preferences::passenger
class { 'passenger':
manage_munin => false,
- require => Class['site_apt::preferences::passenger']
}
}
@@ -67,16 +71,18 @@ class site_static {
}
package { 'zlib1g-dev':
- ensure => installed
+ ensure => installed
}
}
- if $tor {
+ if $onion_active {
$hidden_service = $tor['hidden_service']
- $tor_domain = "${hidden_service['address']}.onion"
- if $hidden_service['active'] {
- include site_static::hidden_service
+ $onion_domain = "${hidden_service['address']}.onion"
+ class { 'site_static::hidden_service':
+ single_hop => $hidden_service['single_hop'],
+ v3 => $hidden_service['v3']
}
+
# Currently, we only support a single hidden service address per server.
# So if there is more than one domain configured, then we need to make sure
# we don't enable the hidden service for every domain.
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index dd04ca43..716df437 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -74,13 +74,15 @@
Require all granted
</Directory>
-<%- if @tor && (@always_use_hidden_service || @use_hidden_service) -%>
+<%- if @onion_active && (@always_use_hidden_service || @use_hidden_service) -%>
##
-## Tor
+## Hidden Service
##
<VirtualHost 127.0.0.1:80>
- ServerName <%= @tor_domain %>
- ServerAlias www.<%= @tor_domain %>
+ ServerName <%= @onion_domain %>
+<%- if @www_alias -%>
+ ServerAlias www.<%= @onion_domain %>
+<%- end -%>
<IfModule mod_headers.c>
Header set X-Frame-Options "deny"
@@ -102,7 +104,9 @@
##
<VirtualHost *:80>
ServerName <%= @domain %>
+<%- if @www_alias -%>
ServerAlias www.<%= @domain %>
+<%- end -%>
<%- @aliases && @aliases.each do |domain_alias| -%>
ServerAlias <%= domain_alias %>
<%- end -%>
@@ -122,7 +126,9 @@
##
<VirtualHost *:443>
ServerName <%= @domain %>
+<%- if @www_alias -%>
ServerAlias www.<%= @domain %>
+<%- end -%>
<%- @aliases && @aliases.each do |domain_alias| -%>
ServerAlias <%= domain_alias %>
<%- end -%>
diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp
index a874721f..5f53d576 100644
--- a/puppet/modules/site_stunnel/manifests/init.pp
+++ b/puppet/modules/site_stunnel/manifests/init.pp
@@ -5,6 +5,15 @@
class site_stunnel {
+ # Install stunnel4 from jessie-backports because the
+ # jessie version randonly closes the connection prematurely
+ # see https://0xacab.org/leap/platform/issues/8746
+ apt::preferences_snippet { 'stunnel4':
+ package => 'stunnel4',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999;
+ }
+
# include the generic stunnel module
# increase the number of open files to allow for 800 connections
class { 'stunnel': default_extra => 'ulimit -n 4096' }
@@ -45,4 +54,3 @@ class site_stunnel {
include site_stunnel::override_service
}
-
diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp
index 078f80ae..85c24bfc 100644
--- a/puppet/modules/site_tor/manifests/disable_exit.pp
+++ b/puppet/modules/site_tor/manifests/disable_exit.pp
@@ -1,7 +1,13 @@
+# ensure that the tor relay is not configured as an exit node
class site_tor::disable_exit {
tor::daemon::exit_policy {
'no_exit_at_all':
reject => [ '*:*' ];
}
+# In a future version of Tor, ExitRelay 0 may become the default when no ExitPolicy is given.
+ tor::daemon::snippet {
+ 'disable_exit':
+ content => 'ExitRelay 0';
+ }
}
diff --git a/puppet/modules/site_tor/manifests/hidden_service.pp b/puppet/modules/site_tor/manifests/hidden_service.pp
new file mode 100644
index 00000000..87a7b696
--- /dev/null
+++ b/puppet/modules/site_tor/manifests/hidden_service.pp
@@ -0,0 +1,13 @@
+# This class simply makes sure a base tor is installed and configured
+# It doesn't configure any specific hidden service functionality,
+# instead that is configured in site_webapp::hidden_service and
+# site_static::hidden_service.
+#
+# Those could be factored out to make them more generic.
+class site_tor::hidden_service {
+ tag 'leap_service'
+ Class['site_config::default'] -> Class['site_tor::hidden_service']
+
+ include site_config::default
+ include site_tor
+}
diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp
index 2207a5a9..5e209ba8 100644
--- a/puppet/modules/site_tor/manifests/init.pp
+++ b/puppet/modules/site_tor/manifests/init.pp
@@ -1,45 +1,14 @@
+# generic configuration needed for tor
class site_tor {
- tag 'leap_service'
- Class['site_config::default'] -> Class['site_tor']
- $tor = hiera('tor')
- $bandwidth_rate = $tor['bandwidth_rate']
- $tor_type = $tor['type']
- $nickname = $tor['nickname']
- $contact_emails = join($tor['contacts'],', ')
- $family = $tor['family']
+ # Ensure the tor version is the latest from backports
+ # see https://0xacab.org/leap/platform/issues/8783
+ apt::preferences_snippet { 'tor':
+ package => 'tor',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999,
+ before => Class['tor::daemon'] }
- $address = hiera('ip_address')
-
- $openvpn = hiera('openvpn', undef)
- if $openvpn {
- $openvpn_ports = $openvpn['ports']
- }
- else {
- $openvpn_ports = []
- }
-
- include site_config::default
- include tor::daemon
- tor::daemon::relay { $nickname:
- port => 9001,
- address => $address,
- contact_info => obfuscate_email($contact_emails),
- bandwidth_rate => $bandwidth_rate,
- my_family => $family
- }
-
- if ( $tor_type == 'exit'){
- # Only enable the daemon directory if the node isn't also a webapp node
- # or running openvpn on port 80
- if ! member($::services, 'webapp') and ! member($openvpn_ports, '80') {
- tor::daemon::directory { $::hostname: port => 80 }
- }
- }
- else {
- include site_tor::disable_exit
- }
-
- include site_shorewall::tor
+ class { 'tor::daemon': ensure_version => latest }
}
diff --git a/puppet/modules/site_tor/manifests/relay.pp b/puppet/modules/site_tor/manifests/relay.pp
new file mode 100644
index 00000000..fcb83bc1
--- /dev/null
+++ b/puppet/modules/site_tor/manifests/relay.pp
@@ -0,0 +1,45 @@
+class site_tor::relay {
+ tag 'leap_service'
+ Class['site_config::default'] -> Class['site_tor::relay']
+
+ $tor = hiera('tor')
+ $bandwidth_rate = $tor['bandwidth_rate']
+ $tor_type = $tor['type']
+ $nickname = $tor['nickname']
+ $contact_emails = join($tor['contacts'],', ')
+ $family = $tor['family']
+
+ $address = hiera('ip_address')
+
+ $openvpn = hiera('openvpn', undef)
+ if $openvpn {
+ $openvpn_ports = $openvpn['ports']
+ }
+ else {
+ $openvpn_ports = []
+ }
+
+ include site_config::default
+ include site_tor
+
+ tor::daemon::relay { $nickname:
+ port => 9001,
+ address => $address,
+ contact_info => obfuscate_email($contact_emails),
+ bandwidth_rate => $bandwidth_rate,
+ my_family => $family
+ }
+
+ if ( $tor_type == 'exit'){
+ # Only enable the daemon directory if the node isn't also a webapp node
+ # or running openvpn on port 80
+ if ! member($::services, 'webapp') and ! member($openvpn_ports, '80') {
+ tor::daemon::directory { $::hostname: port => 80 }
+ }
+ }
+ else {
+ include site_tor::disable_exit
+ }
+
+ include site_shorewall::tor
+}
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 71450370..e1947048 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -1,9 +1,10 @@
+# Configures webapp couchdb config
class site_webapp::couchdb {
$webapp = hiera('webapp')
- # haproxy listener on port localhost:4096, see site_webapp::haproxy
+ # stunnel endpoint on port localhost:4000
$couchdb_host = 'localhost'
- $couchdb_port = '4096'
+ $couchdb_port = $webapp['couchdb_port']
$couchdb_webapp_user = $webapp['couchdb_webapp_user']['username']
$couchdb_webapp_password = $webapp['couchdb_webapp_user']['password']
$couchdb_admin_user = $webapp['couchdb_admin_user']['username']
@@ -22,8 +23,8 @@ class site_webapp::couchdb {
# couchdb.admin.yml is a symlink to prevent the vcsrepo resource
# from changing its user permissions every time.
'/srv/leap/webapp/config/couchdb.admin.yml':
- ensure => 'link',
- target => '/etc/leap/couchdb.admin.yml',
+ ensure => 'link',
+ target => '/etc/leap/couchdb.admin.yml',
require => Vcsrepo['/srv/leap/webapp'];
'/etc/leap/couchdb.admin.yml':
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index d2662b65..290f9665 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -1,8 +1,10 @@
# Configure tor hidden service for webapp
class site_webapp::hidden_service {
+ Class['site_tor::hidden_service'] -> Class['site_webapp::hidden_service']
+ include site_tor::hidden_service
$tor = hiera('tor')
$hidden_service = $tor['hidden_service']
- $tor_domain = "${hidden_service['address']}.onion"
+ $onion_domain = "${hidden_service['address']}.onion"
include site_apache::common
include apache::module::headers
@@ -10,27 +12,30 @@ class site_webapp::hidden_service {
include apache::module::expires
include apache::module::removeip
- include tor::daemon
- tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'] }
+ tor::daemon::hidden_service { 'webapp':
+ ports => [ '80 127.0.0.1:80'],
+ single_hop => $hidden_service['single_hop'],
+ v3 => $hidden_service['v3']
+ }
file {
'/var/lib/tor/webapp/':
- ensure => directory,
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '2700';
+ ensure => directory,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '2700';
'/var/lib/tor/webapp/private_key':
- ensure => present,
- source => "/srv/leap/files/nodes/${::hostname}/tor.key",
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0600',
- notify => Service['tor'];
+ ensure => present,
+ source => "/srv/leap/files/nodes/${::hostname}/tor.key",
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0600',
+ notify => Service['tor'];
'/var/lib/tor/webapp/hostname':
ensure => present,
- content => "${tor_domain}\n",
+ content => "${onion_domain}\n",
owner => 'debian-tor',
group => 'debian-tor',
mode => '0600',
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 83cf99a9..605d71b3 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -1,6 +1,7 @@
# configure webapp service
class site_webapp {
tag 'leap_service'
+ $services = hiera('services', [])
$definition_files = hiera('definition_files')
$provider = $definition_files['provider']
$eip_service = $definition_files['eip_service']
@@ -10,6 +11,7 @@ class site_webapp {
$provider_domain = $node_domain['full_suffix']
$webapp = hiera('webapp')
$api_version = $webapp['api_version']
+ $secret_key_base = $webapp['secret_key_base']
$secret_token = $webapp['secret_token']
$tor = hiera('tor', false)
$sources = hiera('sources')
@@ -19,7 +21,6 @@ class site_webapp {
include ::site_config::ruby::dev
include ::site_webapp::apache
include ::site_webapp::couchdb
- include ::site_haproxy
include ::site_webapp::cron
include ::site_config::default
include ::site_config::x509::cert
@@ -106,7 +107,9 @@ class site_webapp {
'/srv/leap/webapp/public/ca.crt':
ensure => link,
require => Vcsrepo['/srv/leap/webapp'],
+ # lint:ignore:variable_is_lowercase
target => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt";
+ # lint:endignore
"/srv/leap/webapp/public/${api_version}":
ensure => directory,
@@ -175,11 +178,9 @@ class site_webapp {
notify => Service['apache'];
}
- if $tor {
+ if $tor and member($services, 'tor_hidden_service') {
$hidden_service = $tor['hidden_service']
- if $hidden_service['active'] {
- include ::site_webapp::hidden_service
- }
+ include ::site_webapp::hidden_service
}
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index dd55d3e9..1a802f4c 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -8,6 +8,7 @@ production = {
"force_ssl" => @webapp['secure'],
"client_ca_key" => "%s/%s.key" % [scope.lookupvar('x509::variables::keys'), scope.lookupvar('site_config::params::client_ca_name')],
"client_ca_cert" => "%s/%s.crt" % [scope.lookupvar('x509::variables::local_CAs'), scope.lookupvar('site_config::params::client_ca_name')],
+ "secret_key_base" => @secret_key_base,
"secret_token" => @secret_token,
"client_cert_lifespan" => cert_options['life_span'],
"client_cert_bit_size" => cert_options['bit_size'].to_i,
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index 81f51188..3b6a2314 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -54,7 +54,10 @@ class soledad::server {
package { $sources['soledad']['package']:
ensure => $sources['soledad']['revision'],
- require => Class['site_apt::leap_repo'];
+ require => [
+ Class['site_apt::leap_repo'],
+ Package['ssl-cert']
+ ];
}
file { '/etc/default/soledad':
diff --git a/puppet/modules/systemd/.fixtures.yml b/puppet/modules/systemd/.fixtures.yml
new file mode 100644
index 00000000..1d455a31
--- /dev/null
+++ b/puppet/modules/systemd/.fixtures.yml
@@ -0,0 +1,4 @@
+---
+fixtures:
+ symlinks:
+ systemd: "#{source_dir}" \ No newline at end of file
diff --git a/puppet/modules/systemd/.gitrepo b/puppet/modules/systemd/.gitrepo
index 1548a815..ea68e478 100644
--- a/puppet/modules/systemd/.gitrepo
+++ b/puppet/modules/systemd/.gitrepo
@@ -6,6 +6,6 @@
[subrepo]
remote = https://leap.se/git/puppet_systemd
branch = master
- commit = 6d47fd4999fe03eba6fb11c4490dcbb90d937900
- parent = 56a771a3008d10720dd05fd815aeafbacdd1e08e
+ commit = f3c4059603a6ac19f132b0dc47b95e49d9ddc4ba
+ parent = 77d11c7ddeaeb123bf871bd2bfce0e5ace0c158e
cmdver = 0.3.0
diff --git a/puppet/modules/systemd/.puppet-lint.rc b/puppet/modules/systemd/.puppet-lint.rc
index d8f5c59e..e09d52f4 100644
--- a/puppet/modules/systemd/.puppet-lint.rc
+++ b/puppet/modules/systemd/.puppet-lint.rc
@@ -1,5 +1,5 @@
--fail-on-warnings
--relative
---no-80chars
+--no-140chars
--no-documentation
--no-class_inherits_from_params_class-check
diff --git a/puppet/modules/systemd/.travis.yml b/puppet/modules/systemd/.travis.yml
index 467045c5..1d1bedfc 100644
--- a/puppet/modules/systemd/.travis.yml
+++ b/puppet/modules/systemd/.travis.yml
@@ -1,22 +1,22 @@
---
language: ruby
sudo: false
+addons:
+ apt:
+ packages:
+ - libaugeas-dev
+ sources:
+ - augeas
cache: bundler
bundler_args: --without system_tests
-script: ["bundle exec rake validate", "bundle exec rake lint", "bundle exec rake spec SPEC_OPTS='--format documentation'", "bundle exec rake metadata"]
+script: ["bundle exec rake validate", "bundle exec rake lint", "bundle exec rake spec SPEC_OPTS='--format documentation'"]
matrix:
fast_finish: true
include:
- - rvm: 1.8.7
- env: PUPPET_GEM_VERSION="~> 3.0" FACTER_GEM_VERSION="~> 1.7.0"
- - rvm: 1.9.3
- env: PUPPET_GEM_VERSION="~> 3.0"
- - rvm: 2.0.0
- env: PUPPET_GEM_VERSION="~> 3.0"
- - rvm: 2.0.0
- env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes"
- - rvm: 2.1.6
+ - rvm: 2.1.9
env: PUPPET_GEM_VERSION="~> 4.0"
+ - rvm: 2.3.1
+ env: PUPPET_GEM_VERSION="~> 4"
notifications:
email: false
deploy:
@@ -29,4 +29,4 @@ deploy:
# all_branches is required to use tags
all_branches: true
# Only publish if our main Ruby target builds
- rvm: 1.9.3
+ rvm: 2.1.9
diff --git a/puppet/modules/systemd/CHANGELOG.md b/puppet/modules/systemd/CHANGELOG.md
index 11e84399..79b9e646 100644
--- a/puppet/modules/systemd/CHANGELOG.md
+++ b/puppet/modules/systemd/CHANGELOG.md
@@ -1,5 +1,22 @@
# Change Log
+## [0.4.0](https://forge.puppetlabs.com/camptocamp/systemd/0.4.0) (2016-08-18)
+[Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.3.0...0.4.0)
+
+- Deprecate Ruby 1.8 tests
+- Only use awk instead of grep and awk [\#9](https://github.com/camptocamp/puppet-systemd/pull/9) ([igalic](https://github.com/igalic))
+- Add LICENSE (fix #11)
+- Add target param for the unit file [\#10](https://github.com/camptocamp/puppet-systemd/pull/10) ([tampakrap](https://github.com/tampakrap))
+
+## [0.3.0](https://forge.puppetlabs.com/camptocamp/systemd/0.3.0) (2016-05-16)
+[Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.2.2...0.3.0)
+
+**Implemented enhancements:**
+
+- Shortcut for creating unit files / tmpfiles [\#4](https://github.com/camptocamp/puppet-systemd/pull/4) ([felixb](https://github.com/felixb))
+- Add systemd facts [\#6](https://github.com/camptocamp/puppet-systemd/pull/6) ([roidelapluie](https://github.com/roidelapluie))
+
+
## [0.2.2](https://forge.puppetlabs.com/camptocamp/systemd/0.2.2) (2015-08-25)
[Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.2.1...0.2.2)
@@ -60,6 +77,3 @@
\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
-
-
-\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file
diff --git a/puppet/modules/systemd/Gemfile b/puppet/modules/systemd/Gemfile
index 0cb59337..377d0c16 100644
--- a/puppet/modules/systemd/Gemfile
+++ b/puppet/modules/systemd/Gemfile
@@ -2,7 +2,7 @@ source ENV['GEM_SOURCE'] || "https://rubygems.org"
group :development, :unit_tests do
gem 'rake', :require => false
- gem 'rspec', '< 3.2', :require => false if RUBY_VERSION =~ /^1.8/
+ gem 'rspec', :require => false
gem 'rspec-puppet', :require => false
gem 'puppetlabs_spec_helper', :require => false
gem 'metadata-json-lint', :require => false
@@ -10,26 +10,26 @@ group :development, :unit_tests do
gem 'puppet-lint-unquoted_string-check', :require => false
gem 'puppet-lint-empty_string-check', :require => false
gem 'puppet-lint-spaceship_operator_without_tag-check', :require => false
- gem 'puppet-lint-variable_contains_upcase', :require => false
gem 'puppet-lint-absolute_classname-check', :require => false
gem 'puppet-lint-undef_in_function-check', :require => false
gem 'puppet-lint-leading_zero-check', :require => false
gem 'puppet-lint-trailing_comma-check', :require => false
gem 'puppet-lint-file_ensure-check', :require => false
gem 'puppet-lint-version_comparison-check', :require => false
- gem 'puppet-lint-fileserver-check', :require => false
gem 'puppet-lint-file_source_rights-check', :require => false
gem 'puppet-lint-alias-check', :require => false
gem 'rspec-puppet-facts', :require => false
- gem 'github_changelog_generator', :require => false, :git => 'https://github.com/raphink/github-changelog-generator.git', :branch => 'dev/all_patches' if RUBY_VERSION !~ /^1.8/
- gem 'puppet-blacksmith', :require => false if RUBY_VERSION !~ /^1.8/
+ gem 'ruby-augeas', :require => false
+ gem 'puppet-blacksmith', :require => false if RUBY_VERSION !~ /^1\./
+ gem 'json_pure', '< 2.0.2', :require => false
end
group :system_tests do
- gem 'beaker', :require => false
- gem 'beaker-rspec', :require => false
- gem 'beaker_spec_helper', :require => false
- gem 'serverspec', :require => false
+ gem 'beaker', :require => false
+ gem 'beaker-rspec', '> 5', :require => false
+ gem 'beaker_spec_helper', :require => false
+ gem 'serverspec', :require => false
+ gem 'specinfra', :require => false
end
if facterversion = ENV['FACTER_GEM_VERSION']
diff --git a/puppet/modules/systemd/HISTORY.md b/puppet/modules/systemd/HISTORY.md
index c7bf2b4e..aee8ad5e 100644
--- a/puppet/modules/systemd/HISTORY.md
+++ b/puppet/modules/systemd/HISTORY.md
@@ -1,3 +1,14 @@
+# Change Log
+
+## [0.3.0](https://forge.puppetlabs.com/camptocamp/systemd/0.3.0) (2016-05-16)
+[Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.2.2...0.3.0)
+
+**Implemented enhancements:**
+
+- Shortcut for creating unit files / tmpfiles [\#4](https://github.com/camptocamp/puppet-systemd/pull/4) ([felixb](https://github.com/felixb))
+- Add systemd facts [\#6](https://github.com/camptocamp/puppet-systemd/pull/6) ([roidelapluie](https://github.com/roidelapluie))
+
+
## [0.2.2](https://forge.puppetlabs.com/camptocamp/systemd/0.2.2) (2015-08-25)
[Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.2.1...0.2.2)
@@ -5,6 +16,7 @@
- Add 'systemd-tmpfiles-create' [\#1](https://github.com/camptocamp/puppet-systemd/pull/1) ([roidelapluie](https://github.com/roidelapluie))
+
## [0.2.1](https://forge.puppetlabs.com/camptocamp/systemd/0.2.1) (2015-08-21)
[Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.2.0...0.2.1)
@@ -57,6 +69,3 @@
\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
-
-
-\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
diff --git a/puppet/modules/systemd/LICENSE b/puppet/modules/systemd/LICENSE
new file mode 100644
index 00000000..8d968b6c
--- /dev/null
+++ b/puppet/modules/systemd/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/puppet/modules/systemd/README.md b/puppet/modules/systemd/README.md
index f70bcb0c..51bf5cde 100644
--- a/puppet/modules/systemd/README.md
+++ b/puppet/modules/systemd/README.md
@@ -5,11 +5,23 @@
## Overview
-This module declares exec resources that you can use when you change systemd units or configuration files.
+This module declares exec resources to create global sync points for reloading systemd.
-## Examples
+## Usage and examples
-### systemctl --daemon-reload
+There are two ways to use this module.
+
+### unit files
+
+Let this module handle file creation and systemd reloading.
+
+```puppet
+::systemd::unit_file { 'foo.service':
+ source => "puppet:///modules/${module_name}/foo.service",
+}
+```
+
+Or handle file creation yourself and trigger systemd.
```puppet
include ::systemd
@@ -23,7 +35,17 @@ file { '/usr/lib/systemd/system/foo.service':
Exec['systemctl-daemon-reload']
```
-### systemd-tmpfiles --create
+### tmpfiles
+
+Let this module handle file creation and systemd reloading
+
+```puppet
+::systemd::tmpfile { 'foo.conf':
+ source => "puppet:///modules/${module_name}/foo.conf",
+}
+```
+
+Or handle file creation yourself and trigger systemd.
```puppet
include ::systemd
@@ -36,3 +58,24 @@ file { '/etc/tmpfiles.d/foo.conf':
} ~>
Exec['systemd-tmpfiles-create']
```
+
+### service limits
+
+Manage soft and hard limits on various resources for executed processes.
+
+```puppet
+::systemd::service_limits { 'foo.service':
+ limits => {
+ LimitNOFILE => 8192,
+ LimitNPROC => 16384
+ }
+}
+```
+
+Or provide the configuration file yourself. Systemd reloading and restarting of the service are handled by the module.
+
+```puppet
+::systemd::service_limits { 'foo.service':
+ source => "puppet:///modules/${module_name}/foo.conf",
+}
+```
diff --git a/puppet/modules/systemd/Rakefile b/puppet/modules/systemd/Rakefile
index adcac180..aa7b8a15 100644
--- a/puppet/modules/systemd/Rakefile
+++ b/puppet/modules/systemd/Rakefile
@@ -4,20 +4,14 @@ require 'puppet-lint/tasks/puppet-lint'
Rake::Task[:lint].clear
PuppetLint::RakeTask.new :lint do |config|
config.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp", "vendor/**/*.pp"]
- config.disable_checks = ['80chars']
+ config.disable_checks = ['140chars']
config.fail_on_warnings = true
end
PuppetSyntax.exclude_paths = ["spec/fixtures/**/*.pp", "vendor/**/*"]
# Publishing tasks
-unless RUBY_VERSION =~ /^1\.8/
+unless RUBY_VERSION =~ /^1\./
require 'puppet_blacksmith'
require 'puppet_blacksmith/rake_tasks'
- require 'github_changelog_generator/task'
- GitHubChangelogGenerator::RakeTask.new :changelog do |config|
- m = Blacksmith::Modulefile.new
- config.future_release = m.version
- config.release_url = "https://forge.puppetlabs.com/#{m.author}/#{m.name}/%s"
- end
end
diff --git a/puppet/modules/systemd/lib/facter/systemd.rb b/puppet/modules/systemd/lib/facter/systemd.rb
new file mode 100644
index 00000000..4361f775
--- /dev/null
+++ b/puppet/modules/systemd/lib/facter/systemd.rb
@@ -0,0 +1,35 @@
+# Fact: systemd
+#
+# Purpose:
+# Determine whether SystemD is the init system on the node
+#
+# Resolution:
+# Check the name of the process 1 (ps -p 1)
+#
+# Caveats:
+#
+
+# Fact: systemd-version
+#
+# Purpose:
+# Determine the version of systemd installed
+#
+# Resolution:
+# Check the output of systemctl --version
+#
+# Caveats:
+#
+
+Facter.add(:systemd) do
+ confine :kernel => :linux
+ setcode do
+ Facter::Util::Resolution.exec('ps -p 1 -o comm=') == 'systemd'
+ end
+end
+
+Facter.add(:systemd_version) do
+ confine :systemd => true
+ setcode do
+ Facter::Util::Resolution.exec("systemctl --version | awk '/systemd/{ print $2 }'")
+ end
+end
diff --git a/puppet/modules/systemd/manifests/init.pp b/puppet/modules/systemd/manifests/init.pp
index 5e6ad792..e669f093 100644
--- a/puppet/modules/systemd/manifests/init.pp
+++ b/puppet/modules/systemd/manifests/init.pp
@@ -1,4 +1,8 @@
-class systemd {
+# -- Class systemd
+# This module allows triggering systemd commands once for all modules
+class systemd (
+ $service_limits = {}
+){
Exec {
refreshonly => true,
@@ -15,4 +19,6 @@ class systemd {
command => 'systemd-tmpfiles --create',
}
+ create_resources('systemd::service_limits', $service_limits, {})
+
}
diff --git a/puppet/modules/systemd/manifests/service_limits.pp b/puppet/modules/systemd/manifests/service_limits.pp
new file mode 100644
index 00000000..a9cdc25a
--- /dev/null
+++ b/puppet/modules/systemd/manifests/service_limits.pp
@@ -0,0 +1,50 @@
+# -- Define: systemd::service_limits
+# Creates a custom config file and reloads systemd
+define systemd::service_limits(
+ $ensure = file,
+ $path = '/etc/systemd/system',
+ $limits = undef,
+ $source = undef,
+ $restart_service = true
+) {
+ include ::systemd
+
+ if $limits {
+ validate_hash($limits)
+ $content = template('systemd/limits.erb')
+ }
+ else {
+ $content = undef
+ }
+
+ if $limits and $source {
+ fail('You may not supply both limits and source parameters to systemd::service_limits')
+ } elsif $limits == undef and $source == undef {
+ fail('You must supply either the limits or source parameter to systemd::service_limits')
+ }
+
+ file { "${path}/${title}.d/":
+ ensure => 'directory',
+ owner => 'root',
+ group => 'root',
+ }
+ ->
+ file { "${path}/${title}.d/limits.conf":
+ ensure => $ensure,
+ content => $content,
+ source => $source,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => Exec['systemctl-daemon-reload'],
+ }
+
+ if $restart_service {
+ exec { "systemctl restart ${title}":
+ path => $::path,
+ refreshonly => true,
+ subscribe => File["${path}/${title}.d/limits.conf"],
+ require => Exec['systemctl-daemon-reload'],
+ }
+ }
+}
diff --git a/puppet/modules/systemd/manifests/tmpfile.pp b/puppet/modules/systemd/manifests/tmpfile.pp
new file mode 100644
index 00000000..c4d1a05f
--- /dev/null
+++ b/puppet/modules/systemd/manifests/tmpfile.pp
@@ -0,0 +1,20 @@
+# -- Define: systemd::tmpfile
+# Creates a tmpfile and reloads systemd
+define systemd::tmpfile(
+ $ensure = file,
+ $path = '/etc/tmpfiles.d',
+ $content = undef,
+ $source = undef,
+) {
+ include ::systemd
+
+ file { "${path}/${title}":
+ ensure => $ensure,
+ content => $content,
+ source => $source,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => Exec['systemd-tmpfiles-create'],
+ }
+} \ No newline at end of file
diff --git a/puppet/modules/systemd/manifests/unit_file.pp b/puppet/modules/systemd/manifests/unit_file.pp
new file mode 100644
index 00000000..94bc845b
--- /dev/null
+++ b/puppet/modules/systemd/manifests/unit_file.pp
@@ -0,0 +1,22 @@
+# -- Define: systemd::unit_file
+# Creates a unit file and reloads systemd
+define systemd::unit_file(
+ $ensure = file,
+ $path = '/etc/systemd/system',
+ $content = undef,
+ $source = undef,
+ $target = undef,
+) {
+ include ::systemd
+
+ file { "${path}/${title}":
+ ensure => $ensure,
+ content => $content,
+ source => $source,
+ target => $target,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ notify => Exec['systemctl-daemon-reload'],
+ }
+}
diff --git a/puppet/modules/systemd/metadata.json b/puppet/modules/systemd/metadata.json
index abdd481e..08951efb 100644
--- a/puppet/modules/systemd/metadata.json
+++ b/puppet/modules/systemd/metadata.json
@@ -1,6 +1,6 @@
{
"name": "camptocamp-systemd",
- "version": "0.2.2",
+ "version": "0.4.0",
"author": "camptocamp",
"summary": "Puppet Systemd module",
"license": "Apache-2.0",
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/centos-5.yml b/puppet/modules/systemd/spec/acceptance/nodesets/centos-5.yml
new file mode 100644
index 00000000..a26f27fc
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/centos-5.yml
@@ -0,0 +1,16 @@
+HOSTS:
+ centos-5-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: el-5-x86_64
+ hypervisor : docker
+ image: tianon/centos:5.10
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'yum install -y crontabs tar wget which'
+ - 'sed -i -e "/mingetty/d" /etc/inittab'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/centos-6.yml b/puppet/modules/systemd/spec/acceptance/nodesets/centos-6.yml
new file mode 100644
index 00000000..71e23cd8
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/centos-6.yml
@@ -0,0 +1,17 @@
+HOSTS:
+ centos-6-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: el-6-x86_64
+ hypervisor : docker
+ image: centos:6
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'rm -rf /var/run/network/*'
+ - 'yum install -y crontabs tar wget'
+ - 'rm /etc/init/tty.conf'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/centos-7.yml b/puppet/modules/systemd/spec/acceptance/nodesets/centos-7.yml
new file mode 100644
index 00000000..a8fa4686
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/centos-7.yml
@@ -0,0 +1,15 @@
+HOSTS:
+ centos-7-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: el-7-x86_64
+ hypervisor : docker
+ image: centos:7
+ docker_preserve_image: true
+ docker_cmd: '["/usr/sbin/init"]'
+ docker_image_commands:
+ - 'yum install -y crontabs tar wget iproute'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/debian-6.yml b/puppet/modules/systemd/spec/acceptance/nodesets/debian-6.yml
new file mode 100644
index 00000000..d7b02756
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/debian-6.yml
@@ -0,0 +1,15 @@
+HOSTS:
+ debian-6-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: debian-6-amd64
+ hypervisor : docker
+ image: debian/eol:squeeze
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'apt-get install -y cron locales-all net-tools wget'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/debian-7.yml b/puppet/modules/systemd/spec/acceptance/nodesets/debian-7.yml
new file mode 100644
index 00000000..9591ea77
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/debian-7.yml
@@ -0,0 +1,15 @@
+HOSTS:
+ debian-7-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: debian-7-amd64
+ hypervisor : docker
+ image: debian:7
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'apt-get install -y cron locales-all net-tools wget'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/debian-8.yml b/puppet/modules/systemd/spec/acceptance/nodesets/debian-8.yml
new file mode 100644
index 00000000..5fb24c61
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/debian-8.yml
@@ -0,0 +1,16 @@
+HOSTS:
+ debian-8-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: debian-8-amd64
+ hypervisor : docker
+ image: debian:8
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'apt-get install -y cron locales-all net-tools wget'
+ - 'rm -f /usr/sbin/policy-rc.d'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-12.04.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-12.04.yml
new file mode 100644
index 00000000..594e1771
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-12.04.yml
@@ -0,0 +1,16 @@
+HOSTS:
+ ubuntu-1204-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: ubuntu-12.04-amd64
+ hypervisor : docker
+ image: ubuntu:12.04
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'apt-get install -y net-tools wget'
+ - 'locale-gen en_US.UTF-8'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.04.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.04.yml
new file mode 100644
index 00000000..2b293c99
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.04.yml
@@ -0,0 +1,18 @@
+HOSTS:
+ ubuntu-1404-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: ubuntu-14.04-amd64
+ hypervisor : docker
+ image: ubuntu:14.04
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'rm /usr/sbin/policy-rc.d'
+ - 'rm /sbin/initctl; dpkg-divert --rename --remove /sbin/initctl'
+ - 'apt-get install -y net-tools wget'
+ - 'locale-gen en_US.UTF-8'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.10.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.10.yml
new file mode 100644
index 00000000..7ce09b2a
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.10.yml
@@ -0,0 +1,18 @@
+HOSTS:
+ ubuntu-1410-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: ubuntu-14.10-amd64
+ hypervisor : docker
+ image: ubuntu:14.10
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'rm /usr/sbin/policy-rc.d'
+ - 'rm /sbin/initctl; dpkg-divert --rename --remove /sbin/initctl'
+ - 'apt-get install -y net-tools wget'
+ - 'locale-gen en_US.UTF-8'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.04.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.04.yml
new file mode 100644
index 00000000..329f3319
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.04.yml
@@ -0,0 +1,16 @@
+HOSTS:
+ ubuntu-1504-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: ubuntu-15.04-amd64
+ hypervisor : docker
+ image: ubuntu:15.04
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'apt-get install -y net-tools wget'
+ - 'locale-gen en_US.UTF-8'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.10.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.10.yml
new file mode 100644
index 00000000..487795a3
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.10.yml
@@ -0,0 +1,16 @@
+HOSTS:
+ ubuntu-1510-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: ubuntu-15.10-amd64
+ hypervisor : docker
+ image: ubuntu:15.10
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'apt-get install -y net-tools wget'
+ - 'locale-gen en_US.UTF-8'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-16.04.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-16.04.yml
new file mode 100644
index 00000000..6c32b96d
--- /dev/null
+++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-16.04.yml
@@ -0,0 +1,16 @@
+HOSTS:
+ ubuntu-1604-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: ubuntu-16.04-amd64
+ hypervisor : docker
+ image: ubuntu:16.04
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'apt-get install -y net-tools wget'
+ - 'locale-gen en_US.UTF-8'
+CONFIG:
+ type: aio
+ log_level: debug
diff --git a/puppet/modules/systemd/spec/defines/tmpfile_spec.rb b/puppet/modules/systemd/spec/defines/tmpfile_spec.rb
new file mode 100644
index 00000000..4eb22acd
--- /dev/null
+++ b/puppet/modules/systemd/spec/defines/tmpfile_spec.rb
@@ -0,0 +1,48 @@
+require 'spec_helper'
+
+describe 'systemd::tmpfile' do
+
+ let(:facts) { {
+ :path => '/usr/bin',
+ } }
+
+ context 'default params' do
+
+ let(:title) { 'fancy.conf' }
+
+ it 'creates the tmpfile' do
+ should contain_file('/etc/tmpfiles.d/fancy.conf').with({
+ 'ensure' => 'file',
+ 'owner' => 'root',
+ 'group' => 'root',
+ 'mode' => '0444',
+ })
+ end
+
+ it 'triggers systemd daemon-reload' do
+ should contain_class('systemd')
+ should contain_file('/etc/tmpfiles.d/fancy.conf').with_notify("Exec[systemd-tmpfiles-create]")
+ end
+ end
+
+ context 'with params' do
+ let(:title) { 'fancy.conf' }
+
+ let(:params) { {
+ :ensure => 'absent',
+ :path => '/etc/tmpfiles.d/foo',
+ :content => 'some-content',
+ :source => 'some-source',
+ } }
+
+ it 'creates the unit file' do
+ should contain_file('/etc/tmpfiles.d/foo/fancy.conf').with({
+ 'ensure' => 'absent',
+ 'content' => 'some-content',
+ 'source' => 'some-source',
+ })
+ end
+
+ end
+
+end
diff --git a/puppet/modules/systemd/spec/defines/unit_file_spec.rb b/puppet/modules/systemd/spec/defines/unit_file_spec.rb
new file mode 100644
index 00000000..88a0122c
--- /dev/null
+++ b/puppet/modules/systemd/spec/defines/unit_file_spec.rb
@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe 'systemd::unit_file' do
+
+ let(:facts) { {
+ :path => '/usr/bin',
+ } }
+
+ context 'default params' do
+
+ let(:title) { 'fancy.service' }
+
+ it 'creates the unit file' do
+ should contain_file('/etc/systemd/system/fancy.service').with({
+ 'ensure' => 'file',
+ 'owner' => 'root',
+ 'group' => 'root',
+ 'mode' => '0444',
+ })
+ end
+
+ it 'triggers systemd daemon-reload' do
+ should contain_class('systemd')
+ should contain_file('/etc/systemd/system/fancy.service').with_notify("Exec[systemctl-daemon-reload]")
+ end
+ end
+
+ context 'with params' do
+ let(:title) { 'fancy.service' }
+
+ let(:params) { {
+ :ensure => 'absent',
+ :path => '/usr/lib/systemd/system',
+ :content => 'some-content',
+ :source => 'some-source',
+ :target => 'some-target',
+ } }
+
+ it 'creates the unit file' do
+ should contain_file('/usr/lib/systemd/system/fancy.service').with({
+ 'ensure' => 'absent',
+ 'content' => 'some-content',
+ 'source' => 'some-source',
+ 'target' => 'some-target',
+ })
+ end
+
+ end
+
+end
diff --git a/puppet/modules/systemd/spec/unit/facter/systemd_spec.rb b/puppet/modules/systemd/spec/unit/facter/systemd_spec.rb
new file mode 100644
index 00000000..a7b62410
--- /dev/null
+++ b/puppet/modules/systemd/spec/unit/facter/systemd_spec.rb
@@ -0,0 +1,41 @@
+require "spec_helper"
+
+describe Facter::Util::Fact do
+ before {
+ Facter.clear
+ }
+
+ describe "systemd" do
+ context 'returns true when systemd present' do
+ before do
+ Facter.fact(:kernel).stubs(:value).returns(:linux)
+ end
+ let(:facts) { {:kernel => :linux} }
+ it do
+ Facter::Util::Resolution.expects(:exec).with('ps -p 1 -o comm=').returns('systemd')
+ expect(Facter.value(:systemd)).to eq(true)
+ end
+ end
+ context 'returns false when systemd not present' do
+ before do
+ Facter.fact(:kernel).stubs(:value).returns(:linux)
+ end
+ let(:facts) { {:kernel => :linux} }
+ it do
+ Facter::Util::Resolution.expects(:exec).with('ps -p 1 -o comm=').returns('init')
+ expect(Facter.value(:systemd)).to eq(false)
+ end
+ end
+
+ context 'returns nil when kernel is not linux' do
+ before do
+ Facter.fact(:kernel).stubs(:value).returns(:windows)
+ end
+ let(:facts) { {:kernel => :windows} }
+ it do
+ Facter::Util::Resolution.expects(:exec).with('ps -p 1 -o comm=').never
+ expect(Facter.value(:systemd)).to be_nil
+ end
+ end
+ end
+end
diff --git a/puppet/modules/systemd/spec/unit/facter/systemd_version_spec.rb b/puppet/modules/systemd/spec/unit/facter/systemd_version_spec.rb
new file mode 100644
index 00000000..5007dc69
--- /dev/null
+++ b/puppet/modules/systemd/spec/unit/facter/systemd_version_spec.rb
@@ -0,0 +1,31 @@
+require "spec_helper"
+
+describe Facter::Util::Fact do
+ before {
+ Facter.clear
+ }
+
+ describe "systemd_version" do
+ context 'returns version when systemd fact present' do
+ before do
+ Facter.fact(:systemd).stubs(:value).returns(true)
+ end
+ let(:facts) { {:systemd => true} }
+ it do
+ Facter::Util::Resolution.expects(:exec).with("systemctl --version | awk '/systemd/{ print $2 }'").returns('229')
+ expect(Facter.value(:systemd_version)).to eq('229')
+ end
+ end
+ context 'returns nil when systemd fact not present' do
+ before do
+ Facter.fact(:systemd).stubs(:value).returns(false)
+ end
+ let(:facts) { {:systemd => false } }
+ it do
+ Facter::Util::Resolution.stubs(:exec)
+ Facter::Util::Resolution.expects(:exec).with("systemctl --version | awk '/systemd/{ print $2 }'").never
+ expect(Facter.value(:systemd_version)).to eq(nil)
+ end
+ end
+ end
+end
diff --git a/puppet/modules/systemd/templates/limits.erb b/puppet/modules/systemd/templates/limits.erb
new file mode 100644
index 00000000..3caf5867
--- /dev/null
+++ b/puppet/modules/systemd/templates/limits.erb
@@ -0,0 +1,26 @@
+# This file is created by Puppet
+[Service]
+<%
+[
+ 'LimitCPU',
+ 'LimitFSIZE',
+ 'LimitDATA',
+ 'LimitSTACK',
+ 'LimitCORE',
+ 'LimitRSS',
+ 'LimitNOFILE',
+ 'LimitAS',
+ 'LimitNPROC',
+ 'LimitMEMLOCK',
+ 'LimitLOCKS',
+ 'LimitSIGPENDING',
+ 'LimitMSGQUEUE',
+ 'LimitNICE',
+ 'LimitRTPRIO',
+ 'LimitRTTIME'
+].each do |d|
+if @limits[d] -%>
+<%= d %>=<%= @limits[d] %>
+<%
+end
+end %>
diff --git a/puppet/modules/tor/.gitrepo b/puppet/modules/tor/.gitrepo
index dfc1b3d9..ea3c1495 100644
--- a/puppet/modules/tor/.gitrepo
+++ b/puppet/modules/tor/.gitrepo
@@ -6,6 +6,6 @@
[subrepo]
remote = https://leap.se/git/puppet_tor
branch = master
- commit = 9981a70f7ba1f9e4fe33e4eb46654295287c1fc1
- parent = 26aac7ccf240b06d65616bdd00ae472d980aaea9
- cmdver = 0.3.0
+ commit = 4380e2eabd94d8f0df7f63c642dd46ec4783ef07
+ parent = be4182d7227d57b4da20d088b4750c756f759888
+ cmdver = 0.3.1
diff --git a/puppet/modules/tor/README b/puppet/modules/tor/README
index 7777438a..188accac 100644
--- a/puppet/modules/tor/README
+++ b/puppet/modules/tor/README
@@ -113,7 +113,7 @@ Installing torsocks
To install torsocks, simply include the 'torsocks' class in your manifests:
- class { 'torsocks': }
+ class { 'tor::torsocks': }
You can specify the $ensure_version class parameter to get a specific
version installed.
diff --git a/puppet/modules/tor/manifests/daemon/base.pp b/puppet/modules/tor/manifests/daemon/base.pp
index 63d7bc4d..c0c82ac6 100644
--- a/puppet/modules/tor/manifests/daemon/base.pp
+++ b/puppet/modules/tor/manifests/daemon/base.pp
@@ -2,7 +2,7 @@
class tor::daemon::base inherits tor::base {
# packages, user, group
Service['tor'] {
- subscribe => File[$tor::daemon::config_file],
+ subscribe => Concat[$tor::daemon::config_file],
}
Package[ 'tor' ] {
@@ -49,18 +49,15 @@ class tor::daemon::base inherits tor::base {
# tor configuration file
concat { $tor::daemon::config_file:
- mode => '0600',
- owner => 'debian-tor',
- group => 'debian-tor',
+ mode => '0600',
+ owner => 'debian-tor',
+ group => 'debian-tor',
}
# config file headers
concat::fragment { '00.header':
ensure => present,
content => template('tor/torrc.header.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => 00,
target => $tor::daemon::config_file,
}
@@ -68,9 +65,6 @@ class tor::daemon::base inherits tor::base {
# global configurations
concat::fragment { '01.global':
content => template('tor/torrc.global.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => 01,
target => $tor::daemon::config_file,
}
diff --git a/puppet/modules/tor/manifests/daemon/bridge.pp b/puppet/modules/tor/manifests/daemon/bridge.pp
index 063f5656..83d74e07 100644
--- a/puppet/modules/tor/manifests/daemon/bridge.pp
+++ b/puppet/modules/tor/manifests/daemon/bridge.pp
@@ -8,9 +8,6 @@ define tor::daemon::bridge(
concat::fragment { "10.bridge.${name}":
ensure => $ensure,
content => template('tor/torrc.bridge.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => 10,
target => $tor::daemon::config_file,
}
diff --git a/puppet/modules/tor/manifests/daemon/control.pp b/puppet/modules/tor/manifests/daemon/control.pp
index 01726562..ee425f33 100644
--- a/puppet/modules/tor/manifests/daemon/control.pp
+++ b/puppet/modules/tor/manifests/daemon/control.pp
@@ -7,20 +7,20 @@ define tor::daemon::control(
$cookie_auth_file_group_readable = '',
$ensure = present ) {
- if $cookie_authentication == '0' and $hashed_control_password == '' and $ensure != 'absent' {
- fail('You need to define the tor control password')
- }
+ if $cookie_authentication == '0'
+ and $hashed_control_password == ''
+ and $ensure != 'absent' {
+ fail('You need to define the tor control password')
+ }
- if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') {
- notice('You set a tor cookie authentication option, but do not have cookie_authentication on')
- }
+ if $cookie_authentication == 0
+ and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') {
+ notice('You set a tor cookie authentication option, but do not have cookie_authentication on') # lint:ignore:80chars
+ }
concat::fragment { '04.control':
ensure => $ensure,
content => template('tor/torrc.control.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0600',
order => 04,
target => $tor::daemon::config_file,
}
diff --git a/puppet/modules/tor/manifests/daemon/directory.pp b/puppet/modules/tor/manifests/daemon/directory.pp
index d877a861..e2e405da 100644
--- a/puppet/modules/tor/manifests/daemon/directory.pp
+++ b/puppet/modules/tor/manifests/daemon/directory.pp
@@ -8,9 +8,6 @@ define tor::daemon::directory (
concat::fragment { '06.directory':
ensure => $ensure,
content => template('tor/torrc.directory.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => 06,
target => $tor::daemon::config_file,
}
diff --git a/puppet/modules/tor/manifests/daemon/dns.pp b/puppet/modules/tor/manifests/daemon/dns.pp
index 4677f24d..e8d4fc88 100644
--- a/puppet/modules/tor/manifests/daemon/dns.pp
+++ b/puppet/modules/tor/manifests/daemon/dns.pp
@@ -7,9 +7,6 @@ define tor::daemon::dns(
concat::fragment { "08.dns.${name}":
ensure => $ensure,
content => template('tor/torrc.dns.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => '08',
target => $tor::daemon::config_file,
}
diff --git a/puppet/modules/tor/manifests/daemon/exit_policy.pp b/puppet/modules/tor/manifests/daemon/exit_policy.pp
index f459ece7..df0fb999 100644
--- a/puppet/modules/tor/manifests/daemon/exit_policy.pp
+++ b/puppet/modules/tor/manifests/daemon/exit_policy.pp
@@ -8,9 +8,6 @@ define tor::daemon::exit_policy(
concat::fragment { "07.exit_policy.${name}":
ensure => $ensure,
content => template('tor/torrc.exit_policy.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => 07,
target => $tor::daemon::config_file,
}
diff --git a/puppet/modules/tor/manifests/daemon/hidden_service.pp b/puppet/modules/tor/manifests/daemon/hidden_service.pp
index c8272116..d91bdc89 100644
--- a/puppet/modules/tor/manifests/daemon/hidden_service.pp
+++ b/puppet/modules/tor/manifests/daemon/hidden_service.pp
@@ -1,17 +1,22 @@
# hidden services definition
define tor::daemon::hidden_service(
- $ports = [],
- $data_dir = $tor::daemon::data_dir,
- $ensure = present ) {
+ $ports = [],
+ $single_hop = false,
+ $v3 = false,
+ $data_dir = $tor::daemon::data_dir,
+ $ensure = present ) {
+
+
+ if $single_hop {
+ file { "${$data_dir}/${$name}/onion_service_non_anonymous":
+ ensure => 'present',
+ }
+ }
concat::fragment { "05.hidden_service.${name}":
ensure => $ensure,
content => template('tor/torrc.hidden_service.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => 05,
target => $tor::daemon::config_file,
}
}
-
diff --git a/puppet/modules/tor/manifests/daemon/map_address.pp b/puppet/modules/tor/manifests/daemon/map_address.pp
index 270eac21..ac624a0a 100644
--- a/puppet/modules/tor/manifests/daemon/map_address.pp
+++ b/puppet/modules/tor/manifests/daemon/map_address.pp
@@ -7,9 +7,6 @@ define tor::daemon::map_address(
concat::fragment { "08.map_address.${name}":
ensure => $ensure,
content => template('tor/torrc.map_address.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => '08',
target => $tor::daemon::config_file,
}
diff --git a/puppet/modules/tor/manifests/daemon/relay.pp b/puppet/modules/tor/manifests/daemon/relay.pp
index ff528937..555587cd 100644
--- a/puppet/modules/tor/manifests/daemon/relay.pp
+++ b/puppet/modules/tor/manifests/daemon/relay.pp
@@ -33,9 +33,6 @@ define tor::daemon::relay(
concat::fragment { '03.relay':
ensure => $ensure,
content => template('tor/torrc.relay.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => 03,
target => $tor::daemon::config_file,
}
diff --git a/puppet/modules/tor/manifests/daemon/snippet.pp b/puppet/modules/tor/manifests/daemon/snippet.pp
index b9089b40..7e1494c5 100644
--- a/puppet/modules/tor/manifests/daemon/snippet.pp
+++ b/puppet/modules/tor/manifests/daemon/snippet.pp
@@ -6,9 +6,6 @@ define tor::daemon::snippet(
concat::fragment { "99.snippet.${name}":
ensure => $ensure,
content => $content,
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => 99,
target => $tor::daemon::config_file,
}
diff --git a/puppet/modules/tor/manifests/daemon/socks.pp b/puppet/modules/tor/manifests/daemon/socks.pp
index 910461c9..54c8b6a2 100644
--- a/puppet/modules/tor/manifests/daemon/socks.pp
+++ b/puppet/modules/tor/manifests/daemon/socks.pp
@@ -6,9 +6,6 @@ define tor::daemon::socks(
concat::fragment { '02.socks':
content => template('tor/torrc.socks.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => 02,
target => $tor::daemon::config_file,
}
diff --git a/puppet/modules/tor/manifests/daemon/transparent.pp b/puppet/modules/tor/manifests/daemon/transparent.pp
index 65d744f4..6ac7b44c 100644
--- a/puppet/modules/tor/manifests/daemon/transparent.pp
+++ b/puppet/modules/tor/manifests/daemon/transparent.pp
@@ -7,9 +7,6 @@ define tor::daemon::transparent(
concat::fragment { "09.transparent.${name}":
ensure => $ensure,
content => template('tor/torrc.transparent.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
order => '09',
target => $tor::daemon::config_file,
}
diff --git a/puppet/modules/tor/manifests/munin.pp b/puppet/modules/tor/manifests/munin.pp
index 4412337a..2a01175c 100644
--- a/puppet/modules/tor/manifests/munin.pp
+++ b/puppet/modules/tor/manifests/munin.pp
@@ -8,7 +8,7 @@ class tor::munin {
}
Munin::Plugin::Deploy {
- config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051"
+ config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051" # lint:ignore:80chars
}
munin::plugin::deploy {
'tor_connections':
diff --git a/puppet/modules/tor/manifests/repo.pp b/puppet/modules/tor/manifests/repo.pp
index f6255995..95492191 100644
--- a/puppet/modules/tor/manifests/repo.pp
+++ b/puppet/modules/tor/manifests/repo.pp
@@ -1,3 +1,4 @@
+# setup repository for tor
class tor::repo (
$ensure = present,
$source_name = 'torproject.org',
@@ -10,7 +11,7 @@ class tor::repo (
class { 'tor::repo::debian': }
}
default: {
- fail("Unsupported managed repository for osfamily: ${::osfamily}, operatingsystem: ${::operatingsystem}, module ${module_name} currently only supports managing repos for osfamily Debian and Ubuntu")
+ fail("Unsupported managed repository for osfamily: ${::osfamily}, operatingsystem: ${::operatingsystem}, module ${module_name} currently only supports managing repos for osfamily Debian and Ubuntu") # lint:ignore:80chars
}
}
}
diff --git a/puppet/modules/tor/manifests/repo/debian.pp b/puppet/modules/tor/manifests/repo/debian.pp
index 174c3310..81976a2e 100644
--- a/puppet/modules/tor/manifests/repo/debian.pp
+++ b/puppet/modules/tor/manifests/repo/debian.pp
@@ -1,6 +1,6 @@
# PRIVATE CLASS: do not use directly
class tor::repo::debian inherits tor::repo {
- apt::source { $source_name:
+ apt::source { $tor::repo::source_name:
ensure => $::tor::repo::ensure,
location => $::tor::repo::location,
key => $::tor::repo::key,
diff --git a/puppet/modules/tor/templates/torrc.directory.erb b/puppet/modules/tor/templates/torrc.directory.erb
index 1af9f40f..23ed3392 100644
--- a/puppet/modules/tor/templates/torrc.directory.erb
+++ b/puppet/modules/tor/templates/torrc.directory.erb
@@ -1,11 +1,11 @@
# directory listing
-<% if port != '0' -%>
+<% if @port != '0' -%>
DirPort <%= @port %>
<% end -%>
-<% listen_addresses.each do |listen_address| -%>
+<% @listen_addresses.each do |listen_address| -%>
DirListenAddress <%= listen_address %>
<% end -%>
<% if @port_front_page != '' -%>
-DirPortFrontPage <%= port_front_page %>
+DirPortFrontPage <%= @port_front_page %>
<%- end -%>
diff --git a/puppet/modules/tor/templates/torrc.global.erb b/puppet/modules/tor/templates/torrc.global.erb
index f577673d..a02afc8e 100644
--- a/puppet/modules/tor/templates/torrc.global.erb
+++ b/puppet/modules/tor/templates/torrc.global.erb
@@ -12,8 +12,8 @@ Log notice syslog
Log <%= log_rule %>
<% end -%>
<% end -%>
-<%- if @safe_logging != 1 then -%>
-SafeLogging <%= @safe_logging %>
+<%- if (v=scope.lookupvar('tor::daemon::safe_logging')) != '1' then -%>
+SafeLogging <%= v %>
<%- end -%>
<% if (v=scope.lookupvar('tor::daemon::automap_hosts_on_resolve')) != '0' -%>
diff --git a/puppet/modules/tor/templates/torrc.hidden_service.erb b/puppet/modules/tor/templates/torrc.hidden_service.erb
index 4dec0b25..8a691c6b 100644
--- a/puppet/modules/tor/templates/torrc.hidden_service.erb
+++ b/puppet/modules/tor/templates/torrc.hidden_service.erb
@@ -1,6 +1,20 @@
+<% if @single_hop != false %>
+HiddenServiceSingleHopMode 1
+HiddenServiceNonAnonymousMode 1
+SOCKSPort 0
+<% end %>
+
# hidden service <%= @name %>
HiddenServiceDir <%= @data_dir %>/<%= @name %>
<% @ports.each do |port| -%>
HiddenServicePort <%= port %>
<% end -%>
+<% if @v3 != false %>
+# hidden service v3 static
+HiddenServiceDir <%= @data_dir %>/<%= @name -%>3
+HiddenServiceVersion 3
+<% @ports.each do |port| -%>
+HiddenServicePort <%= port %>
+<% end -%>
+<% end -%>