summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-06-02static site: better message for wrong location type.elijah
2014-06-02remove superfluous RackBaseURI directiveelijah
2014-06-02work around hiera's inability to escape '%' by using ':percent:'elijah
2014-06-02static site: added rack support, added custom apache configelijah
2014-06-02added templatewlv function (allows passing local variables to templates)elijah
2014-06-02added support for /provider.json served from static site.elijah
2014-06-02fix unbound: configs in /etc/unbound/unbound.conf.d contained a syntax error ↵elijah
and were missing .conf suffix
2014-05-27Add missing scope to top-level sshd class, passing necessary parametersMicah Anderson
for configuration (#3108) Change-Id: I4f94a47d47a40bfc6835359e7781707f96e91db0
2014-05-27Update sshd submodule to get necessary fixes to enable us to change sshd portMicah Anderson
Change-Id: I3b6a87c9d6a2c349392e5bc98a68b800645fde92
2014-05-27Switch away from site_config::sshd and instead just include site_sshdMicah Anderson
The existing site_config::sshd had a non-functioning 'include sshd' line in it that was not doing what was expected (this was supposed to include the sshd module, but due to scoping was including itself). It seemed better to eliminate some of the unused pieces and consolidate into one config location. Change-Id: I79dd904e696ca646180a09abbb03b5361dfc8ab9
2014-05-27clarify comments in site_sshd::authorized_keysMicah Anderson
Change-Id: I679dfe8dff90b7c86ab0ffff43e13958f1ec2c99
2014-05-24Merge remote-tracking branch 'cz8s/feature/allow_webapp_and_mx_on_one_host' ↵Micah Anderson
into develop
2014-05-24move haproxy-template to modules/site_haproxyChristoph
2014-05-24remove unused variable local_portsChristoph
2014-05-22Implement #2328: unbound.conf: content changed on every puppetrunMicah Anderson
This is done by using the include glob capability that is in the wheezy-backports and newer unbound to include the /etc/unbound/unbound.conf.d/* config files. To do this, we need to transition from our /etc/unbound/conf.d directory structure to use the one that the debian package uses. This allows us to clean up the rather ugly way we were configuring the resolver before. Change-Id: I68347922f265bbd0ddf11d59d8574a612a7bd82c
2014-05-22lint cleanup of site_config::caching_resolverMicah Anderson
Change-Id: I3f6a4db26e064a520a08822cf23fc3288b31af62
2014-05-22Install wheezy-backports version of unbound, this is necessary to solve #2328Micah Anderson
Change-Id: Ie28de8d3f7a8c8cf52ce30365379a476d48dc88b
2014-05-22Move rsyslog preferences snippet to site_apt::preferences::rsyslog, toMicah Anderson
group it with the other preferences snippets Change-Id: I83928c6b82cd6218a80c95475729cb57f146ff85
2014-05-22remove old classesChristoph
site_mx::haproxy and site_webapp::haproxy only included site_haproxy. They didn't do anything else. So just include site_haproxy in manifests/init.pp and remove the unused classes
2014-05-22fix haproxy config if webapp and mx run on the same hostChristoph
the problem was, that both site_mx::haproxy and site_webapp::haproxy declared the same resource. I fixed it by moving that resource to site_haproxy. Since that gets included by both classes, everything works like a charm
2014-05-21fix resolv.conf on virtualboxChristoph
virtualbox sends the domain with the dhcp-answer. If the wrong domain ends up in /etc/resolv.conf bigcouch fails.
2014-05-20added support for environmentally scoped services and tags, when using ↵elijah
latest leap_cli.
2014-05-20add support for webapp on subdomainelijah
2014-05-20changed the default service levels to be more minimal, because it is ↵elijah
currently impossible to entirely overwrite the service.levels hash.
2014-05-17fix bug with empty tor familieselijah
2014-05-17static: pin amber version to 0.3.0elijah
2014-05-17fixes #5533 and updates rsyslog Merge branch 'rsyslog_backport' into developkwadronaut
2014-05-17change rsyslog pin from leaps debian repo to backports (fixes #5533)kwadronaut
2014-05-14revert accidental change to webapp config templateAzul
2014-05-14use hash for provider service levelsAzul
We want to access service levels by means of the id stored in the user record. With a hash we don't have to loop through all elements to find the one with a given id and still can use arbitrary strings and do not rely on the order of the array. Also it's the format the webapp is expecting right now.
2014-05-13Revert "update cipher configuration for openvpn to use the IANA name"Micah Anderson
This reverts commit ae50675e9095750cee9810237fb6b9f60030dae4. Older openssl implementations (wheezy, android, others) aren't able to parse this newer string, so reverting to the deprecated name until we are sure the support is there
2014-05-13openvpn server config: script-security should be "1", since we don't need ↵elijah
"2"; add tcp-nodelay to tcp servers.
2014-05-13added simple shorewall whitebox test (close #5649)elijah
2014-05-08add known issues, making this the canonical place, which we will bringMicah Anderson
over to the website, when necessary (#4373) Change-Id: I296dd9d3cee1b84bd141cbf63ccaecea24916cc1
2014-05-07openvpn package resource needs to be ensure => latest to accommodate upgradesMicah Anderson
Change-Id: I8caad9b4ac15dcce8ab74ad6d22dd6ad9f6efb14
2014-05-06update cipher configuration for openvpn to use the IANA name, due toMicah Anderson
deprecation warning: 2014-05-06 18:10:23,594 - INFO - L#826 : leap.openvpn:outReceived() - Tue May 6 18:10:23 2014 Deprecated TLS cipher name 'DHE-RSA-AES128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA' Change-Id: I159b26604993d38806fcb7c2ed8f6de8138999f7
2014-05-06add the tun-ipv6 configuration to the eip-service (#4163)Micah Anderson
Change-Id: I4781f0c3e1c74f5a45217a4d631603fa1a622fd6
2014-05-06Change the initial firewall to subscribe to the rule file to be able toMicah Anderson
trigger changes, make the default ipv6 firewall subscribe to shorewall6, if it exists, and finally reject all outgoing IPv6 packets. All of this will complete the platform-side of route IPv6 through OpenVPN gateway, and block it. (Feature #4163) Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810
2014-05-06set the ipv6 configuration options on the serverMicah Anderson
some important things to note: We are hard-coding the pushing of the ipv6 route '2000::/3' and configuring the server-ipv6 to be 2001:db8:123::/64. This netblock is a reserved ipv6 prefix that is used for documentation purposes only (http://www.apnic.net/info/faq/ipv6-documentation-prefix-faq.html), and the route being pushed redirects all internet-bound traffic. When LEAP fully supports ipv6, these network values should be turned into variables, but for now, to make sure we are blocking any clients that have functional ipv6, this will work. Change-Id: Icb65f3169264e0178a2e98825b266a779feac6b5
2014-05-06install openvpn from wheezy-backports, this will bring in openvpn 2.3,Micah Anderson
which will provide us with proper ipv6 support Change-Id: I0188732aae6cbc64ab57e95bf805d6158fa17e07
2014-05-02fix incorrect shorewall parameter name 'protocol', should be 'proto'Micah Anderson
Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d
2014-04-29fix missing semicolon, causing syntax errorMicah Anderson
Change-Id: Ic7d0f8cc8c0340fdc24cf5ffa4c7018ebac76c7f
2014-04-29block DNS traffic at the OpenVPN gateway (#4164)Micah Anderson
There are many different edge cases where mac and windows clients (and maybe android too) will revert to using a different DNS server than the one specified by openvpn. This is bad news for security reasons. The client is being designed so it doesn't leak DNS, however we don't want to put all of our eggs in one basket, so this will block outgoing port 53 (udp and tcp) on the gateway's firewall from any of the EIP interfaces (thus not blocking DNS access on the gateway itself). Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177
2014-04-29nagios: make the check_procs tests for leap_mx and soledad be much moreMicah Anderson
specific, to avoid catching unrelated processes (#5327) Change-Id: I63ffcd644a85137708712daac671b92898c70b7e
2014-04-29require json so we can use it to dumpt the service levelsAzul
2014-04-24bring service_levels into webapp config - #5527Azul
including the default_service_level
2014-04-24initial firewall: allow port 22 by default. This is the most common portMicah Anderson
that sshd will be listening to in a default setup. This needs to be allowed so that you can have a different port configured in the hiera and not get locked out during deployment (#5119) Change-Id: Ie101eaaf440415ddb276621c369da7f67f409c2b
2014-04-24create a /var/run/tapicero directory, owned by tapicero:tacpiero to holdMicah Anderson
the pid file (#5577) Change-Id: I2144e3d8c0ee18254fe3822098c87b2a8c57c2ce
2014-04-24tor: provide a default 'nickname' (something likeMicah Anderson
"rabbitLKJYW23695JGLKJ" where rabbit is the node name). Stop shipping a static 'family' and instead provide a comma separated list of node tor nicknames. (#5220) Change-Id: I479f460ab230ad440f72c78dc6362983387ce12a
2014-04-24change stunnel::service to 'subscribe' instead of 'require' the X509Micah Anderson
cert/key. This has the same effect of 'require' because both make sure that the mentioned resource(s) will be applied before this resource, but subscribe will cause this resource to refresh anytime the subscribed resources change (#4342) Change-Id: I9470bb36f135b821b67a1da70c472d7687b08718