diff options
Diffstat (limited to 'puppet')
m--------- | puppet/modules/apache | 0 | ||||
m--------- | puppet/modules/backupninja | 0 | ||||
m--------- | puppet/modules/bundler | 0 | ||||
-rw-r--r-- | puppet/modules/clamav/templates/clamav-milter.conf.erb | 1 | ||||
m--------- | puppet/modules/couchdb | 0 | ||||
m--------- | puppet/modules/nagios | 0 | ||||
m--------- | puppet/modules/rubygems | 0 | ||||
-rw-r--r-- | puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg | 4 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/files/local.ini | 89 | ||||
-rw-r--r-- | puppet/modules/site_nagios/manifests/server.pp | 2 | ||||
-rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 8 | ||||
-rw-r--r-- | puppet/modules/site_static/manifests/location.pp | 13 | ||||
m--------- | puppet/modules/tor | 0 |
13 files changed, 25 insertions, 92 deletions
diff --git a/puppet/modules/apache b/puppet/modules/apache -Subproject 117bed9a9263c21d253d86b667eb165948efdc2 +Subproject 415e9504f99dca3ccaa4dfd389dde24ad9d0e01 diff --git a/puppet/modules/backupninja b/puppet/modules/backupninja -Subproject 497513547be79f9d3c8e96f1650ec43ee634b27 +Subproject 5268a87c329f895017f8ea6c6abc377a4f9a6a7 diff --git a/puppet/modules/bundler b/puppet/modules/bundler -Subproject b4a4a8434616247156e59b860b47cc6256ead8d +Subproject bacec3e072649be4ade56f7df8506b46ae9c516 diff --git a/puppet/modules/clamav/templates/clamav-milter.conf.erb b/puppet/modules/clamav/templates/clamav-milter.conf.erb index 9bf7099e..50b4c620 100644 --- a/puppet/modules/clamav/templates/clamav-milter.conf.erb +++ b/puppet/modules/clamav/templates/clamav-milter.conf.erb @@ -4,7 +4,6 @@ FixStaleSocket true User clamav MilterSocketGroup clamav MilterSocketMode 666 -AllowSupplementaryGroups true ReadTimeout 120 Foreground false PidFile /var/run/clamav/clamav-milter.pid diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb -Subproject 40d2289f8e10625cd45fdccdf492b5fb6490e66 +Subproject 76ff149a095023611c05bbb00157d06f87b07c0 diff --git a/puppet/modules/nagios b/puppet/modules/nagios -Subproject 68dab01a85996e14efcccf856b623a2caf25782 +Subproject e6fee3c731f68ccf8b6add8ada2162c7ad2b840 diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems -Subproject e704c9fe1c40fea5b10fe3ca2b4f5de825341cc +Subproject 510a3693eab5dc78ed27d3728ee4d3b12334ea1 diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg index 71395c50..7daf0cac 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg @@ -15,3 +15,7 @@ # 401 Unauthorized error logged by webapp and possible other # applications C Unauthorized +# catch abnormal termination of processes (due to segfault/fpe +# signals etc). +# see https://github.com/pixelated/pixelated-user-agent/issues/683 + C systemd.*: main process exited, code=killed, status= diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index 22aa0177..b921a927 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini @@ -1,91 +1,8 @@ -; CouchDB Configuration Settings +; Puppet modified file !! ; Custom settings should be made in this file. They will override settings ; in default.ini, but unlike changes made to default.ini, this file won't be ; overwritten on server upgrade. -[couchdb] -;max_document_size = 4294967296 ; bytes - -[httpd] -;port = 5984 -;bind_address = 127.0.0.1 -; Options for the MochiWeb HTTP server. -;server_options = [{backlog, 128}, {acceptor_pool_size, 16}] -; For more socket options, consult Erlang's module 'inet' man page. -;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}] - -; Uncomment next line to trigger basic-auth popup on unauthorized requests. -;WWW-Authenticate = Basic realm="administrator" - -; Uncomment next line to set the configuration modification whitelist. Only -; whitelisted values may be changed via the /_config URLs. To allow the admin -; to change this value over HTTP, remember to include {httpd,config_whitelist} -; itself. Excluding it from the list would require editing this file to update -; the whitelist. -;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}] - -[httpd_global_handlers] -;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>} - -# futon is enabled by default on bigcouch in default.ini -# we need to find another way to disable futon, it won't work disabling it here -# enable futon -#_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"} -# disable futon -#_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>} - -[couch_httpd_auth] -; If you set this to true, you should also uncomment the WWW-Authenticate line -; above. If you don't configure a WWW-Authenticate header, CouchDB will send -; Basic realm="server" in order to prevent you getting logged out. -; require_valid_user = false - -[log] -;level = debug - -[os_daemons] -; For any commands listed here, CouchDB will attempt to ensure that -; the process remains alive while CouchDB runs as well as shut them -; down when CouchDB exits. -;foo = /path/to/command -with args - -[daemons] -; enable SSL support by uncommenting the following line and supply the PEM's below. -; the default ssl port CouchDB listens on is 6984 -;httpsd = {couch_httpd, start_link, [https]} - -[ssl] -;cert_file = /etc/couchdb/server_cert.pem -;key_file = /etc/couchdb/server_key.pem -;password = somepassword -; set to true to validate peer certificates -;verify_ssl_certificates = false -; Path to file containing PEM encoded CA certificates (trusted -; certificates used for verifying a peer certificate). May be omitted if -; you do not want to verify the peer. -;cacert_file = /full/path/to/cacertf -; The verification fun (optionnal) if not specidied, the default -; verification fun will be used. -;verify_fun = {Module, VerifyFun} -;ssl_certificate_max_depth = 1 -; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to -; the Virual Host will be redirected to the path. In the example below all requests -; to http://example.com/ are redirected to /database. -; If you run CouchDB on a specific port, include the port number in the vhost: -; example.com:5984 = /database - -[vhosts] -;example.com = /database/ - -[update_notification] -;unique notifier name=/full/path/to/exe -with "cmd line arg" - -; To create an admin account uncomment the '[admins]' section below and add a -; line in the format 'username = password'. When you next start CouchDB, it -; will change the password to a hash (so that your passwords don't linger -; around in plain-text files). You can add more admin accounts with more -; 'username = password' lines. Don't forget to restart CouchDB after -; changing this. -;[admins] -;admin = mysecretpassword +[compactions] +_default = [{db_fragmentation, "70%"}, {view_fragmentation, "60%"}, {from, "03:00"}, {to, "05:00"}] diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index aa9b956e..6537124d 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -59,7 +59,7 @@ class site_nagios::server inherits nagios::base { include site_webapp::common_vhost include apache::module::headers - File ['nagios_htpasswd'] { + File['nagios_htpasswd'] { source => undef, content => "nagiosadmin:${nagiosadmin_pw}", mode => '0640', diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6decc665..15e6fb38 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -30,7 +30,7 @@ # auth SHA1 # # dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists -# a number of “digest” with names like “RSA-SHA256”, but this are legacy and +# a number of "digest" with names like "RSA-SHA256", but this are legacy and # should be avoided. # # elijah: i am not so sure that the digest algo matters for 'auth' option, because @@ -40,14 +40,14 @@ # cipher AES-128-CBC # # dkg: For the choice of cipher, we need to select an algorithm and a -# cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm — but +# cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm - but # our control channel is already relying on AES not being broken; if the # control channel is cracked, then the key material for the tunnel is exposed, # and the choice of algorithm is moot. So it makes more sense to me to rely on # the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to # me, but CBC is more well-tested, and the OpenVPN man page (at least as of -# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered -# advanced modes.” +# version 2.2.1) says "CBC is recommended and CFB and OFB should be considered +# advanced modes." # # note: the default is BF-CBC (blowfish) # diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index d116de2f..ab2b7494 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp @@ -23,6 +23,19 @@ define site_static::location($path, $format, $source) { } } + if ($format == 'rack') { + # Run bundler if there is a Gemfile + exec { 'bundler_update': + cwd => $file_path, + command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development debug"', + unless => '/usr/bin/bundle check --path vendor/bundle', + onlyif => 'test -f Gemfile', + user => 'www-data', + timeout => 600, + require => [Class['bundler::install'], Class['site_config::ruby::dev']]; + } + } + vcsrepo { $file_path: ensure => present, force => true, diff --git a/puppet/modules/tor b/puppet/modules/tor -Subproject 8c936c166b6da1ebd0e8d95e56ceee5167357d6 +Subproject 9981a70f7ba1f9e4fe33e4eb46654295287c1fc |