diff options
Diffstat (limited to 'puppet')
| m--------- | puppet/modules/couchdb | 0 | ||||
| -rw-r--r-- | puppet/modules/leap_mx/manifests/init.pp | 24 | ||||
| -rw-r--r-- | puppet/modules/site_apt/manifests/init.pp | 16 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/remove/files.pp | 14 | ||||
| -rw-r--r-- | puppet/modules/site_sshd/manifests/init.pp | 24 |
5 files changed, 42 insertions, 36 deletions
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb -Subproject d4e0579ec88e999d42c9f4ffd32489396dce63c +Subproject 016ec71359f6b1b368624c6c94bac2b50979165 diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 284662d2..5561e326 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -41,13 +41,7 @@ class leap_mx { notify => Service['leap-mx']; } - file { '/etc/default/leap_mx': - content => 'LOGFILE=/var/log/leap/mx.log', - owner => 'root', - group => 'root', - mode => '0644', - notify => Service['leap-mx']; - } + leap::logfile { 'mx': } # # LEAP-MX CODE AND DEPENDENCIES @@ -75,20 +69,4 @@ class leap_mx { hasrestart => true, require => [ Package['leap-mx'] ]; } - - augeas { - 'logrotate_mx': - context => '/files/etc/logrotate.d/leap-mx/rule', - changes => [ - 'set file /var/log/leap/mx.log', - 'set rotate 5', - 'set schedule daily', - 'clear nocreate', - 'rm create', - 'rm ifempty', - 'set compress compress', - 'set missingok missingok', - 'set copytruncate copytruncate' - ] - } } diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index cf49f870..635ba975 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -7,11 +7,19 @@ class site_apt { $apt_url_security = $apt_config['security'] $apt_url_backports = $apt_config['backports'] + # needed on jessie hosts for getting pnp4nagios from testing + if ( $::operatingsystemmajrelease == '8' ) { + $use_next_release = true + } else { + $use_next_release = false + } + class { 'apt': - custom_key_dir => 'puppet:///modules/site_apt/keys', - debian_url => $apt_url_basic, - security_url => $apt_url_security, - backports_url => $apt_url_backports + custom_key_dir => 'puppet:///modules/site_apt/keys', + debian_url => $apt_url_basic, + security_url => $apt_url_security, + backports_url => $apt_url_backports, + use_next_release => $use_next_release } # enable http://deb.leap.se debian package repository diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 466f50c8..67171259 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp @@ -11,6 +11,12 @@ class site_config::remove::files { + # Platform 0.8 removals + tidy { + '/etc/default/leap_mx':; + '/etc/logrotate.d/leap-mx':; + } + # # Platform 0.7 removals # @@ -20,13 +26,19 @@ class site_config::remove::files { '/etc/rsyslog.d/99-leap-mx.conf':; '/etc/rsyslog.d/01-webapp.conf':; '/etc/rsyslog.d/50-stunnel.conf':; - '/etc/logrotate.d/mx':; '/etc/logrotate.d/stunnel':; '/var/log/stunnel4/stunnel.log':; 'leap_mx': path => '/var/log/', recurse => true, matches => 'leap_mx*'; + # We rotate 5 logs, so we should only have mx.log, mx.log.[1-5], with an + # optional .gz suffix. The following will remove any logs that are out + # of this range + 'leap_mx_rotate': + path => '/var/log/leap/', + recurse => true, + matches => [ 'mx.log.[6-9](.gz)?', 'mx.log.[0-9][0-9]']; '/srv/leap/webapp/public/provider.json':; '/srv/leap/couchdb/designs/tmp_users': recurse => true, diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index e92a6af7..5efd459f 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -50,6 +50,21 @@ class site_sshd { } } + # we cannot use the 'hardened' parameter because leap_cli uses an + # old net-ssh gem that is incompatible with the included + # "KexAlgorithms curve25519-sha256@libssh.org", + # see https://leap.se/code/issues/7591 + # therefore we don't use it here, but include all other options + # that would be applied by the 'hardened' parameter + # not all options are available on wheezy + if ( $::lsbdistcodename == 'wheezy' ) { + $tail_additional_options = 'Ciphers aes256-ctr +MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + } else { + $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + } + ## ## SSHD SERVER CONFIGURATION ## @@ -61,13 +76,6 @@ class site_sshd { tcp_forwarding => $ssh_config['AllowTcpForwarding'], manage_client => false, use_storedconfigs => true, - # we cannot use the 'hardened' parameter because leap_cli uses an - # old net-ssh gem that is incompatible with the included - # "KexAlgorithms curve25519-sha256@libssh.org", - # see https://leap.se/code/issues/7591 - # therefore we don't use it here, but include all other options - # that would be applied by the 'hardened' parameter - tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' + tail_additional_options => $tail_additional_options } } |