summaryrefslogtreecommitdiff
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
m---------puppet/modules/apache0
m---------puppet/modules/backupninja0
m---------puppet/modules/bundler0
-rw-r--r--puppet/modules/clamav/templates/clamav-milter.conf.erb1
m---------puppet/modules/couchdb0
m---------puppet/modules/nagios0
m---------puppet/modules/rubygems0
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg4
-rw-r--r--puppet/modules/site_couchdb/files/local.ini89
-rw-r--r--puppet/modules/site_nagios/manifests/server.pp2
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp8
-rw-r--r--puppet/modules/site_static/manifests/location.pp13
m---------puppet/modules/tor0
13 files changed, 25 insertions, 92 deletions
diff --git a/puppet/modules/apache b/puppet/modules/apache
-Subproject 117bed9a9263c21d253d86b667eb165948efdc2
+Subproject 415e9504f99dca3ccaa4dfd389dde24ad9d0e01
diff --git a/puppet/modules/backupninja b/puppet/modules/backupninja
-Subproject 497513547be79f9d3c8e96f1650ec43ee634b27
+Subproject 5268a87c329f895017f8ea6c6abc377a4f9a6a7
diff --git a/puppet/modules/bundler b/puppet/modules/bundler
-Subproject b4a4a8434616247156e59b860b47cc6256ead8d
+Subproject bacec3e072649be4ade56f7df8506b46ae9c516
diff --git a/puppet/modules/clamav/templates/clamav-milter.conf.erb b/puppet/modules/clamav/templates/clamav-milter.conf.erb
index 9bf7099e..50b4c620 100644
--- a/puppet/modules/clamav/templates/clamav-milter.conf.erb
+++ b/puppet/modules/clamav/templates/clamav-milter.conf.erb
@@ -4,7 +4,6 @@ FixStaleSocket true
User clamav
MilterSocketGroup clamav
MilterSocketMode 666
-AllowSupplementaryGroups true
ReadTimeout 120
Foreground false
PidFile /var/run/clamav/clamav-milter.pid
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject 40d2289f8e10625cd45fdccdf492b5fb6490e66
+Subproject 76ff149a095023611c05bbb00157d06f87b07c0
diff --git a/puppet/modules/nagios b/puppet/modules/nagios
-Subproject 68dab01a85996e14efcccf856b623a2caf25782
+Subproject e6fee3c731f68ccf8b6add8ada2162c7ad2b840
diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems
-Subproject e704c9fe1c40fea5b10fe3ca2b4f5de825341cc
+Subproject 510a3693eab5dc78ed27d3728ee4d3b12334ea1
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
index 71395c50..7daf0cac 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg
@@ -15,3 +15,7 @@
# 401 Unauthorized error logged by webapp and possible other
# applications
C Unauthorized
+# catch abnormal termination of processes (due to segfault/fpe
+# signals etc).
+# see https://github.com/pixelated/pixelated-user-agent/issues/683
+ C systemd.*: main process exited, code=killed, status=
diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini
index 22aa0177..b921a927 100644
--- a/puppet/modules/site_couchdb/files/local.ini
+++ b/puppet/modules/site_couchdb/files/local.ini
@@ -1,91 +1,8 @@
-; CouchDB Configuration Settings
+; Puppet modified file !!
; Custom settings should be made in this file. They will override settings
; in default.ini, but unlike changes made to default.ini, this file won't be
; overwritten on server upgrade.
-[couchdb]
-;max_document_size = 4294967296 ; bytes
-
-[httpd]
-;port = 5984
-;bind_address = 127.0.0.1
-; Options for the MochiWeb HTTP server.
-;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
-; For more socket options, consult Erlang's module 'inet' man page.
-;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]
-
-; Uncomment next line to trigger basic-auth popup on unauthorized requests.
-;WWW-Authenticate = Basic realm="administrator"
-
-; Uncomment next line to set the configuration modification whitelist. Only
-; whitelisted values may be changed via the /_config URLs. To allow the admin
-; to change this value over HTTP, remember to include {httpd,config_whitelist}
-; itself. Excluding it from the list would require editing this file to update
-; the whitelist.
-;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
-
-[httpd_global_handlers]
-;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}
-
-# futon is enabled by default on bigcouch in default.ini
-# we need to find another way to disable futon, it won't work disabling it here
-# enable futon
-#_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}
-# disable futon
-#_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>}
-
-[couch_httpd_auth]
-; If you set this to true, you should also uncomment the WWW-Authenticate line
-; above. If you don't configure a WWW-Authenticate header, CouchDB will send
-; Basic realm="server" in order to prevent you getting logged out.
-; require_valid_user = false
-
-[log]
-;level = debug
-
-[os_daemons]
-; For any commands listed here, CouchDB will attempt to ensure that
-; the process remains alive while CouchDB runs as well as shut them
-; down when CouchDB exits.
-;foo = /path/to/command -with args
-
-[daemons]
-; enable SSL support by uncommenting the following line and supply the PEM's below.
-; the default ssl port CouchDB listens on is 6984
-;httpsd = {couch_httpd, start_link, [https]}
-
-[ssl]
-;cert_file = /etc/couchdb/server_cert.pem
-;key_file = /etc/couchdb/server_key.pem
-;password = somepassword
-; set to true to validate peer certificates
-;verify_ssl_certificates = false
-; Path to file containing PEM encoded CA certificates (trusted
-; certificates used for verifying a peer certificate). May be omitted if
-; you do not want to verify the peer.
-;cacert_file = /full/path/to/cacertf
-; The verification fun (optionnal) if not specidied, the default
-; verification fun will be used.
-;verify_fun = {Module, VerifyFun}
-;ssl_certificate_max_depth = 1
-; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
-; the Virual Host will be redirected to the path. In the example below all requests
-; to http://example.com/ are redirected to /database.
-; If you run CouchDB on a specific port, include the port number in the vhost:
-; example.com:5984 = /database
-
-[vhosts]
-;example.com = /database/
-
-[update_notification]
-;unique notifier name=/full/path/to/exe -with "cmd line arg"
-
-; To create an admin account uncomment the '[admins]' section below and add a
-; line in the format 'username = password'. When you next start CouchDB, it
-; will change the password to a hash (so that your passwords don't linger
-; around in plain-text files). You can add more admin accounts with more
-; 'username = password' lines. Don't forget to restart CouchDB after
-; changing this.
-;[admins]
-;admin = mysecretpassword
+[compactions]
+_default = [{db_fragmentation, "70%"}, {view_fragmentation, "60%"}, {from, "03:00"}, {to, "05:00"}]
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index aa9b956e..6537124d 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -59,7 +59,7 @@ class site_nagios::server inherits nagios::base {
include site_webapp::common_vhost
include apache::module::headers
- File ['nagios_htpasswd'] {
+ File['nagios_htpasswd'] {
source => undef,
content => "nagiosadmin:${nagiosadmin_pw}",
mode => '0640',
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 6decc665..15e6fb38 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -30,7 +30,7 @@
# auth SHA1
#
# dkg: For HMAC digest to authenticate packets, we just want SHA256. OpenVPN lists
-# a number of “digest” with names like “RSA-SHA256”, but this are legacy and
+# a number of "digest" with names like "RSA-SHA256", but this are legacy and
# should be avoided.
#
# elijah: i am not so sure that the digest algo matters for 'auth' option, because
@@ -40,14 +40,14 @@
# cipher AES-128-CBC
#
# dkg: For the choice of cipher, we need to select an algorithm and a
-# cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm — but
+# cipher mode. OpenVPN defaults to Blowfish, which is a fine algorithm - but
# our control channel is already relying on AES not being broken; if the
# control channel is cracked, then the key material for the tunnel is exposed,
# and the choice of algorithm is moot. So it makes more sense to me to rely on
# the same cipher here: AES128. As for the cipher mode, OFB seems cleaner to
# me, but CBC is more well-tested, and the OpenVPN man page (at least as of
-# version 2.2.1) says “CBC is recommended and CFB and OFB should be considered
-# advanced modes.”
+# version 2.2.1) says "CBC is recommended and CFB and OFB should be considered
+# advanced modes."
#
# note: the default is BF-CBC (blowfish)
#
diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp
index d116de2f..ab2b7494 100644
--- a/puppet/modules/site_static/manifests/location.pp
+++ b/puppet/modules/site_static/manifests/location.pp
@@ -23,6 +23,19 @@ define site_static::location($path, $format, $source) {
}
}
+ if ($format == 'rack') {
+ # Run bundler if there is a Gemfile
+ exec { 'bundler_update':
+ cwd => $file_path,
+ command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development debug"',
+ unless => '/usr/bin/bundle check --path vendor/bundle',
+ onlyif => 'test -f Gemfile',
+ user => 'www-data',
+ timeout => 600,
+ require => [Class['bundler::install'], Class['site_config::ruby::dev']];
+ }
+ }
+
vcsrepo { $file_path:
ensure => present,
force => true,
diff --git a/puppet/modules/tor b/puppet/modules/tor
-Subproject 8c936c166b6da1ebd0e8d95e56ceee5167357d6
+Subproject 9981a70f7ba1f9e4fe33e4eb46654295287c1fc