Diffstat (limited to 'puppet')
4 files changed, 26 insertions, 17 deletions
|
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index b27c0e3c..c93c3ba2 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -1,3 +1,4 @@
+# configure smtp tls
 class site_postfix::mx::smtp_tls {
   include site_config::x509::ca
@@ -24,7 +25,7 @@ class site_postfix::mx::smtp_tls {
     'smtp_tls_fingerprint_digest':
       value => 'sha1';
     'smtp_tls_session_cache_database':
-      value => 'btree:${data_directory}/smtp_cache';
+      value => "btree:\${data_directory}/smtp_cache";
     # see issue #4011
     'smtp_tls_protocols':
       value => '!SSLv2, !SSLv3';
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
index 02a59942..66297f55 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
@@ -1,3 +1,4 @@
+# configure smtpd tls
 class site_postfix::mx::smtpd_tls {
   include x509::variables
@@ -19,7 +20,7 @@ class site_postfix::mx::smtpd_tls {
     'smtpd_tls_eecdh_grade':
       value => 'ultra';
     'smtpd_tls_session_cache_database':
-      value => 'btree:${data_directory}/smtpd_scache';
+      value => "btree:\${data_directory}/smtpd_scache";
     # see issue #4011
     'smtpd_tls_mandatory_protocols':
       value => '!SSLv2, !SSLv3';
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
index 90a33d8d..a1fde3f6 100644
--- a/puppet/modules/site_sshd/manifests/authorized_keys.pp
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
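Review bot: The double-quoted `"btree:\${data_directory}/smtp_cache"` in the second smtp_tls.pp hunk now relies on a single backslash to stop Puppet from interpolating `${data_directory}`, and nothing on the line says so; the same applies to `smtpd_tls_session_cache_database` in the second smtpd_tls.pp hunk. If that backslash is lost in a later edit, Puppet would presumably substitute an unset variable and Postfix would be handed a cache path outside its data directory. I would add a comment above each value, `# \${data_directory} is expanded by postfix, not by puppet`, or keep the single-quoted literal and wrap it in `# lint:ignore:single_quote_string_with_variables` / `# lint:endignore`. Outside this change, the context line `smtp_tls_fingerprint_digest` still uses `sha1`, which is worth a follow-up.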
@@ -1,20 +1,22 @@
+# We want to purge unmanaged keys from the authorized_keys file so that only
+# keys added in the provider are valid. Any manually added keys will be
+# overridden.
+#
+# In order to do this, we have to use a custom define to deploy the
+# authorized_keys file because puppet's internal resource doesn't allow
+# purging before populating this file.
+#
+# See the following for more information:
+# https://tickets.puppetlabs.com/browse/PUP-1174
+# https://leap.se/code/issues/2990
+# https://leap.se/code/issues/3010
+#
 define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
-  # We want to purge unmanaged keys from the authorized_keys file so that only
-  # keys added in the provider are valid. Any manually added keys will be
-  # overridden.
-  #
-  # In order to do this, we have to use a custom define to deploy the
-  # authorized_keys file because puppet's internal resource doesn't allow
-  # purging before populating this file.
-  #
-  # See the following for more information:
-  # https://tickets.puppetlabs.com/browse/PUP-1174
-  # https://leap.se/code/issues/2990
-  # https://leap.se/code/issues/3010
-  #
   # This line allows default homedir based on $title variable.
   # If $home is empty, the default is used.
   $homedir = $home ? {'' => "/home/${title}", default => $home}
+  $owner   = $ensure ? {'present' => $title, default => undef }
+  $group   = $ensure ? {'present' => $title, default => undef }
   file {
     "${homedir}/.ssh":
       ensure  => 'directory',
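Review bot: The new `$owner` and `$group` selectors match only the literal `'present'`, so any other `$ensure` value that still creates the file (for example `'file'`) leaves both undef, and the `authorized_keys` resource in the following hunk would get whatever ownership the puppet run gives it, most likely root. Combined with mode `0600` that would make the key file unreadable to the account, and `$ensure` is not validated anywhere in the visible lines. Consider inverting the test so that only removal drops the owner, `$owner = $ensure ? {'absent' => undef, default => $title}` (and the same for `$group`), or rejecting unexpected `$ensure` values at the top of the define. The define's body continues past the end of this hunk.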
@@ -23,8 +25,8 @@ define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
       mode    => '0700';
     "${homedir}/.ssh/authorized_keys":
       ensure  => $ensure,
-      owner   => $ensure ? {'present' => $title, default => undef },
-      group   => $ensure ? {'present' => $title, default => undef },
+      owner   => $owner,
+      group   => $group,
       mode    => '0600',
       require => File["${homedir}/.ssh"],
       content => template('site_sshd/authorized_keys.erb');
diff --git a/puppet/modules/site_stunnel/manifests/override_service.pp b/puppet/modules/site_stunnel/manifests/override_service.pp
index 96187048..435b9aa0 100644
--- a/puppet/modules/site_stunnel/manifests/override_service.pp
+++ b/puppet/modules/site_stunnel/manifests/override_service.pp
@@ -1,4 +1,9 @@
+# override stunnel::debian defaults
+#
+# ignore puppet lint error about inheriting from different namespace
+# lint:ignore:inherits_across_namespaces
 class site_stunnel::override_service inherits stunnel::debian {
+# lint:endignore
   include site_config::x509::cert
   include site_config::x509::key
|
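Review bot: The `lint:ignore:inherits_across_namespaces` suppression added above `site_stunnel::override_service` records that the check is ignored but not why the class has to inherit from `stunnel::debian`. A one-line reason next to it would let a later reader judge whether the suppression is still needed, along the lines of `# inherits stunnel::debian because <resource overridden and why>`. The `# lint:endignore` line also sits at column 0 inside the class body; indenting it to match the `include` lines would read more cleanly. The class body continues outside the hunk, so what is actually overridden is not visible here.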
