Age  Commit message  (Author)
2016-08-25  Disallow intra-client connectivity (#8272).  (Micah)
If you connect to the VPN with a client, you can make direct network connections to the other connected clients. This allows communication to the eip gateways, but disallows any other connections.
Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
2016-08-25  Set TCP_NODELAY option for couchdb (#8264)  (Micah)
Mochiweb in couchdb by default sets the TCP socket option SO_NODELAY to false. This means that small data sent to the TCP socket, like the reply to a document write request (or reading a very small document), will not be sent immediately to the network - TCP will buffer it for a while hoping that it will be asked to send more data through the same socket and then send all the data at once for increased performance. Setting this increases the couchdb speed significantly.
Change-Id: Ib493ef061ff62c9bdee501e44ce2b55990fe14b7
2016-08-25  fix site_static's call to passenger  (elijah)
2016-08-25  fix couchdb's backupninja  (elijah)
2016-08-25  Remove duplicate syslog entry (#8021).  (Micah)
In an attempt to resolve #8021, a template error was made, causing duplicated entries to appear in the rsyslog template.
Change-Id: Ic41d6ef9aec9865cf64312c1eb96e408b39d441c
2016-08-25  fix static site apache config  (elijah)
2016-08-25  Make sure bind9 doesn't take over unbound (#8213).  (Micah)
Change-Id: Icaab817870d005b7a854a3fb8c402705d0b2d77f
2016-08-25  Fix for when tor is not an array.  (Micah)
When tor is not configured, then it's possible to get this error on deploy:
Error: tor is not a hash or array when accessing it with hidden_service at /srv/leap/puppet/modules/site_static/manifests/init.pp:16 on node rewdevstatic1.rewire.org
This commit only accesses the array when it's enabled.
Change-Id: Ia75ac7a51179da980966adba0cc614b9cd642b0c
2016-08-25  Make static tor hidden services work (#8212).  (Micah)
When tor hidden services were enabled for static sites, only a very basic configuration was setup and it didn't take into account the different location configurations that can be configured for a static site. This commit resolves that by making a site_static::hidden_service class similar to the site_webapp::hidden_service class, and fixes up the apache vhost template to properly create the location blocks for the hidden service vhost.
Change-Id: Ice3586f4173bd2d1bd3defca29d21c7403d5a03a
2016-08-25  Stop tor from restarting on every deploy (#8211).  (Micah)
We were creating the hidden service name without a newline, and then tor would be restarted and change the hidden service hostname file to have a newline, which would then require that the next deploy would change that file to not have a newline again. This fixes that problem by making the hostname have a newline so it matches what tor wants.
Change-Id: I38f450684d557cf943ec94f2f8e19cda3aefdf66
2016-08-25  Reload tor if config or key is changed (#8210).  (Micah)
Change-Id: I3d733b6645c804a5fb337ad4b8edc59a66ad50b5
2016-08-25  Fix hidden service static template (#8203).  (Micah)
Change-Id: Iab9597f5f0336f66df9b73fea9d79c789cbb8302
2016-06-16  Disable the Trace method (#8195) [tag: 0.8.1]  (Micah)
The Trace method is enabled because of the Apache module, but it is not the default in Debian, and it should not be enabled, for more information see the following: https://www.kb.cert.org/vuls/id/867593
Change-Id: I06a06ae679dbf7049f26a017125b61e5e38f6268
2016-06-16  Fix matching for cleanup check.  (Micah)
The onlyif check was incorrectly specified in the original implementation in commit id: 15b83d88dcedab496a19cef57f11c5c8e091dd4a. This inverts it so it is properly detected.
Change-Id: I531e206fff1ca61780adcd195e1f917011e50fb4
2016-06-16  switch to two-space soft tabs to fix lint error  (Micah)
Change-Id: Ic12b243b195e40482a70dd70219212c3697899ba
2016-06-16  make sure required x509 bits are there before stunnel is started  (Micah)
Change-Id: I772c3b6e489e3c1848c45c6bcaa240324fc88928
2016-06-16  Ensure stunnel package, service and default ordering.  (Micah Anderson)
2016-06-16  update stunnel module for refresh_stunnel fixes  (Micah)
Change-Id: I7675dbaba4d896a62dab9fcf4817092ea69f1298
2016-06-16  refresh_stunnel sometimes doesn't run (#8168).  (Micah)
It turns out that in some corner-cases, the script is not called:
(1) start the deploy, create files in /var/lib/puppet/stunnel4/config
(2) halt puppet before apply finishes
(3) re-run deploy
In this scenario, next time you run deploy, refresh_stunnel will never get called to populate /etc/stunnel, because the files in /var/lib/puppet/stunnel4/config haven't changed. This problem can be really confusing when it happens. To fix this, we just run refresh_stunnel every time; it is pretty fast and the script has more complete logic for what to do than puppet, which has only an asymmetrical view on the situation.
Change-Id: I9e5fad1d081c2fe07f3ac8f07cfb87d86b88f7c9
2016-06-16  auto run bundler when needed for site_static  (elijah)
2016-06-16  fix typo that prevented common.ENV.json from being loaded. closes #7697  (elijah)
2016-06-16  debian packages don't know AllowSupplementaryGroups  (Christoph Kluenter)
If this is set in the config, the daemons do not start anymore. From the debian changelog:
clamav (0.99.2+dfsg-0+deb8u1) stable; urgency=medium
  * Import new Upstream.
  * Drop AllowSupplementaryGroups option which is default now (Closes: #822444).
2016-06-16  Fix opendkim milter location (#8163).  (Micah)
The unix socket method for connecting to the milter was incorrectly reverted, this puts it back to how it should be.
Change-Id: Ifde669c920a249c782f577a112f4d45e60a889a2
2016-06-16  ensure soledad server has access to x509::variables  (elijah)
2016-06-16  Disable puppet-agent daemon from running.  (Micah)
The agent wakes up every two minutes and tries to connect to the default server, failing with a certificate warning. We don't use the agent, so we can safely disable it (#8032).
Change-Id: I707f42b59205993325431aba283552b1b73a0ad1
2016-06-16  Reduce check_mk timeouts (#7807).  (Micah)
check_mk operations can take a long time (such as when doing a re-inventory using "check_mk -II") when multiple hosts are down. This decreases the connect timeout to 5 seconds.
Change-Id: I1eac5f14bad2afc2ffc4cbf8c950c24b052a0d6e
2016-05-10  Update CHANGES to clarify a few minor things [tag: 0.8.0]  (Micah)
Change-Id: I5d5595d2da8770d61cc2328e3e9b7ac482527e89
2016-05-10  update /doc directory with latest from leap docs/platform  (Micah)
Change-Id: I696af649806a7321f92baaf55dc5d404ce5c3d93
2016-05-09  update check_mk submodule  (varac)
2016-05-03  [bug] Run check_mk-refresh-inventory-daily after check_mk-refresh  (varac)
Otherwise, the nagios config will get regenerated and nagios gets reloaded before all checks are registered by a check_mk inventory.
- Related: #6873
2016-05-03  [bug] run check_mk inventory on every puppetrun  (varac)
After upgrading the platform, there might be old check_mk checks registered on the monitor hosts. We now run a check_mk inventory on every run that also purges old non-existing checks.
- Resolves: #6873
2016-05-03  migrate from obsolete SSLCertificateChainFile apache option (#8055)  (kwadronaut)
2016-05-03  migrate from obsolete SSLCertificateChainFile apache option (#8055)  (Micah)
Change-Id: I20a28ae77c98071aefc1933e0ea73e5f3b895acb
2016-04-27  Fix shorewall not starting with systemd (#8044)  (Micah)
Shorewall in jessie doesn't come with a proper unit file, and as a result, it doesn't properly start with systemd. To solve this, we provide the systemd unit file that comes with stretch, and add a systemd submodule that provides the exec resources needed for when systemd units or configuration files are changed.
Change-Id: I861fa951835928b4741abfbf969adcee4b8f147b
2016-04-25  [tests] better error message when identity test cannot contact api. closes #8046  (elijah)
2016-04-25  Merge branch 'linting' into develop  (varac)
2016-04-25  [style] lint further more  (varac)
- ignore puppet lint error about inheriting from different namespace
2016-04-18  Fix clamd start configuration (#8048)  (Micah)
If clamd is not running, the helpful cronjob tries to start it again, but the way it is being started can only be run as root, and the cronjob is run as the clamav user, so you get an error on each cron run. This fixes that problem.
Change-Id: I4cdb29dc651bee8a2eef1655ad4748d885afae0f
2016-04-18  [style] more manual linting for custom manifests  (varac)
2016-04-18  [style] lint some custom manifests  (varac)
I used `puppet-lint -f FILE` to fix most issues, while finishing with manual intervention.
2016-04-18  Only lint custom modules, not submodules  (varac)
2016-04-18  initial Rakefile and Gemfile for tests  (varac)
2016-04-13  test: ensure that checkmk always gets the same list of tests  (elijah)
2016-04-12  fix incorrect template name  (Micah)
Change-Id: I23d7fcea3755e9ecab561ecf69d8a6ecb8bdeca4
2016-04-12  Put openvpn logs into leap directory (#8021)  (Micah)
Have openvpn logs go to /var/log/leap/openvpn_$protocol, instead of to /var/log/daemon.log.
Change-Id: I1fc33de660648ab0dba1ce98de2864649c104719
2016-04-12  Log stunnel server logs same as client (#8021)  (Micah)
stunnel server logs were not going to /var/log/stunnel4/*, but to /var/log/syslog instead. This was different from stunnel client logging, now it's the same.
Change-Id: I2dc2024b77dbb65554fc7865b0e46aedf930c6d8
2016-04-12  Remove duplicate mail logging (#8021)  (Micah)
Add a site_rsyslog config that removes duplicate mail logging. Previously mail logs would be copied to /var/log/syslog, mail.log, mail.err, mail.info, maillog and to the console. This removes those and only puts them in /var/log/mail.log. It also removes other superfluous configurations, either because they are commented out already, or because they are uucp or nntp.
Change-Id: Ib05036787d2c818bf8802c22a4b8050f945a6e6d
2016-04-12  Fix postfix connection to opendkim milter (#8020)  (Micah)
In order for postfix to access the opendkim milter socket, we need to remove the chroot option for the cleanup service. See e97a9d3800b173375a630e18e4b1aa0894eb96e1 for opendkim implementation.
Change-Id: I2742650965e61273fb804ebe9ce3f9bd38796582