Age | Commit message | Author |
|
If you connect to the VPN with a client, you can make direct network
connections to the other connected clients.
This allows communication to the eip gateways, but disallows any other
connections.
Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
|
|
Mochiweb in couchdb by default sets the TCP socket option SO_NODELAY to
false. This means that small data sent to the TCP socket, like the reply
to a document write request (or reading a very small document), will not
be sent immediately to the network - TCP will buffer it for a while
hoping that it will be asked to send more data through the same socket
and then send all the data at once for increased performance.
Setting this increases the couchdb speed significantly.
Change-Id: Ib493ef061ff62c9bdee501e44ce2b55990fe14b7
|
|
|
|
|
|
In an attempt to resolve #8021, a template error was made, causing
duplicated entries to appear in the rsyslog template.
Change-Id: Ic41d6ef9aec9865cf64312c1eb96e408b39d441c
|
|
|
|
Change-Id: Icaab817870d005b7a854a3fb8c402705d0b2d77f
|
|
When tor is not configured, then it's possible to get this error on
deploy:
Error: tor is not a hash or array when accessing it with hidden_service
at /srv/leap/puppet/modules/site_static/manifests/init.pp:16 on node
rewdevstatic1.rewire.org
This commit only accesses the array when it's enabled.
Change-Id: Ia75ac7a51179da980966adba0cc614b9cd642b0c
|
|
When tor hidden services were enabled for static sites, only a very
basic configuration was set up and it didn't take into account the
different location configurations that can be configured for a
static site.
This commit resolves that by making a site_static::hidden_service class
similar to the site_webapp::hidden_service class, and fixes up the
apache vhost template to properly create the location blocks for the
hidden service vhost.
Change-Id: Ice3586f4173bd2d1bd3defca29d21c7403d5a03a
|
|
We were creating the hidden service name without a newline, and then tor
would be restarted and change the hidden service hostname file to have a
newline, which would then require that the next deploy would change that
file to not have a newline again.
This fixes that problem by making the hostname have a newline so it
matches what tor wants.
Change-Id: I38f450684d557cf943ec94f2f8e19cda3aefdf66
|
|
Change-Id: I3d733b6645c804a5fb337ad4b8edc59a66ad50b5
|
|
Change-Id: Icaab817870d005b7a854a3fb8c402705d0b2d77f
|
|
Change-Id: Iab9597f5f0336f66df9b73fea9d79c789cbb8302
|
|
The Trace method is enabled because of the Apache module, but it is not the
default in Debian, and it should not be enabled, for more information see the
following:
https://www.kb.cert.org/vuls/id/867593
Change-Id: I06a06ae679dbf7049f26a017125b61e5e38f6268
|
|
The onlyif check was incorrectly specified in the original implementation in
commit id: 15b83d88dcedab496a19cef57f11c5c8e091dd4a; this inverts it so it
is properly detected.
Change-Id: I531e206fff1ca61780adcd195e1f917011e50fb4
|
|
Change-Id: Ic12b243b195e40482a70dd70219212c3697899ba
|
|
Change-Id: I772c3b6e489e3c1848c45c6bcaa240324fc88928
|
|
|
|
Change-Id: I7675dbaba4d896a62dab9fcf4817092ea69f1298
|
|
It turns out that in some corner-cases, the script is not called:
(1) start the deploy, create files in /var/lib/puppet/stunnel4/config
(2) halt puppet before apply finishes
(3) re-run deploy
In this scenario, next time you run deploy, refresh_stunnel will never
get called to populate /etc/stunnel, because the files in
/var/lib/puppet/stunnel4/config haven't changed.
This problem can be really confusing when it happens.
To fix this, we just run refresh_stunnel every, it is pretty fast and
the script has more complete logic for what to do than puppet, which has
only an asymmetrical view on the situation.
Change-Id: I9e5fad1d081c2fe07f3ac8f07cfb87d86b88f7c9
|
|
|
|
|
|
If this is set in the config, the daemons do not
start anymore. From the debian changelog:
clamav (0.99.2+dfsg-0+deb8u1) stable; urgency=medium
* Import new Upstream.
* Drop AllowSupplementaryGroups option which is default now
(Closes: #822444).
|
|
The unix socket method for connecting to the milter was incorrectly
reverted, this puts it back to how it should be.
Change-Id: Ifde669c920a249c782f577a112f4d45e60a889a2
|
|
|
|
The agent wakes up every two minutes and tries to connect to the default
server, failing with a certificate warning. We don't use the agent, so
we can safely disable it (#8032)
Change-Id: I707f42b59205993325431aba283552b1b73a0ad1
|
|
check_mk operations can take a long time (such as when doing a
re-inventory using "check_mk -II") when multiple hosts are down. This
decreases the connect timeout to 5 seconds.
Change-Id: I1eac5f14bad2afc2ffc4cbf8c950c24b052a0d6e
|
|
Change-Id: I5d5595d2da8770d61cc2328e3e9b7ac482527e89
|
|
Change-Id: I696af649806a7321f92baaf55dc5d404ce5c3d93
|
|
|
|
Otherwise, the nagios config will get regenerated and nagios gets
reloaded before all checks are registered by a check_mk inventory.
- Related: #6873
|
|
After upgrading the platform, there might be old check_mk checks
registered on the monitor hosts. We now run a check_mk inventory
on every run that also purges old non-existing checks.
- Resolves: #6873
|
|
|
|
Change-Id: I20a28ae77c98071aefc1933e0ea73e5f3b895acb
|
|
Shorewall in jessie doesn't come with a proper unit file, and
as a result, it doesn't properly start with systemd.
To solve this, we provide the systemd unit file that comes with stretch,
add a systemd submodule that provides the exec resources needed for when
systemd units or configuration files are changed.
Change-Id: I861fa951835928b4741abfbf969adcee4b8f147b
|
|
|
|
|
|
- ignore puppet lint error about inheriting from different namespace
|
|
If clamd is not running, the helpful cronjob tries to start it again,
but the way it is being started can only be run as root, and the cronjob
is run as the clamav user, so you get an error on each cron run. This
fixes that problem.
Change-Id: I4cdb29dc651bee8a2eef1655ad4748d885afae0f
|
|
|
|
I used `puppet-lint -f FILE` to fix most issues, while
finishing with manual intervention.
|
|
|
|
|
|
|
|
Change-Id: I23d7fcea3755e9ecab561ecf69d8a6ecb8bdeca4
|
|
Have openvpn logs go to /var/log/leap/openvpn_$protocol, instead of to
/var/log/daemon.log.
Change-Id: I1fc33de660648ab0dba1ce98de2864649c104719
|
|
stunnel server logs were not going to /var/log/stunnel4/*, but to
/var/log/syslog instead. This was different from stunnel client
logging, now it's the same.
Change-Id: I2dc2024b77dbb65554fc7865b0e46aedf930c6d8
|
|
Add a site_rsyslog config that removes duplicate mail logging.
Previously mail logs would be copied to /var/log/syslog, mail.log,
mail.err, mail.info, maillog and to the console. This removes those and
only puts them in /var/log/mail.log.
It also removes other superfluous configurations, either because they
are commented out already, or because they are uucp or nntp.
Change-Id: Ib05036787d2c818bf8802c22a4b8050f945a6e6d
|
|
In order for postfix to access the opendkim milter socket, we need to
remove the chroot option for the cleanup service.
See e97a9d3800b173375a630e18e4b1aa0894eb96e1 for opendkim
implementation.
Change-Id: I2742650965e61273fb804ebe9ce3f9bd38796582
|
|
a thing.
|