The problem was the following:
if a host has the webapp service, the template for /etc/hosts adds some stuff.
But setup.pp did not ask hiera about the services, so
"/srv/leap/bin/puppet_command set_hostname" always resets the hostname.
Since that gets triggered every time you run "leap deploy", the
hostname changes, some services restart, then the hostname changes back and
the services restart again.
The solution is to get the hiera data before every run.

and were missing .conf suffix

for configuration (#3108)
Change-Id: I4f94a47d47a40bfc6835359e7781707f96e91db0

Change-Id: I3b6a87c9d6a2c349392e5bc98a68b800645fde92

The existing site_config::sshd had a non-functioning 'include sshd' line
in it that was not doing what was expected (this was supposed to include
the sshd module, but due to scoping was including itself).
It seemed better to eliminate some of the unused pieces and consolidate
into one config location.
Change-Id: I79dd904e696ca646180a09abbb03b5361dfc8ab9

Change-Id: I679dfe8dff90b7c86ab0ffff43e13958f1ec2c99

into develop

Change-Id: I4e9d845f9758232f4da0d4bfbf785e52982b825b

This is done by using the include glob capability that is in the
wheezy-backports and newer unbound to include the
/etc/unbound/unbound.conf.d/* config files.
To do this, we need to transition from our /etc/unbound/conf.d directory
structure to use the one that the debian package uses.
This allows us to clean up the rather ugly way we were configuring the
resolver before.
Change-Id: I68347922f265bbd0ddf11d59d8574a612a7bd82c

Change-Id: I3f6a4db26e064a520a08822cf23fc3288b31af62

Change-Id: Ie28de8d3f7a8c8cf52ce30365379a476d48dc88b

group it with the other preferences snippets
Change-Id: I83928c6b82cd6218a80c95475729cb57f146ff85

site_mx::haproxy and site_webapp::haproxy only
included site_haproxy. They didn't do anything else.
So just include site_haproxy in manifests/init.pp and
remove the unused classes.

The problem was that both site_mx::haproxy and site_webapp::haproxy
declared the same resource.
I fixed it by moving that resource to site_haproxy.
Since that gets included by both classes, everything works like
a charm.

VirtualBox sends the domain with the DHCP answer.
If the wrong domain ends up in /etc/resolv.conf, bigcouch fails.

latest leap_cli.

currently impossible to entirely overwrite the service.levels hash.

We want to access service levels by means of the id stored in the user record. With a hash we don't have to loop through all elements to find the one with a given id, and we can still use arbitrary strings and do not rely on the order of the array.
Also it's the format the webapp is expecting right now.

This reverts commit ae50675e9095750cee9810237fb6b9f60030dae4.
Older openssl implementations (wheezy, android, others) aren't able to
parse this newer string, so reverting to the deprecated name until we
are sure the support is there.

"2"; add tcp-nodelay to tcp servers.

over to the website, when necessary (#4373)
Change-Id: I296dd9d3cee1b84bd141cbf63ccaecea24916cc1

Change-Id: I8caad9b4ac15dcce8ab74ad6d22dd6ad9f6efb14

deprecation warning:
2014-05-06 18:10:23,594 - INFO - L#826 : leap.openvpn:outReceived() - Tue May 6 18:10:23 2014 Deprecated TLS cipher name 'DHE-RSA-AES128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA'
Change-Id: I159b26604993d38806fcb7c2ed8f6de8138999f7

Change-Id: I4781f0c3e1c74f5a45217a4d631603fa1a622fd6

trigger changes, make the default ipv6 firewall subscribe to shorewall6,
if it exists, and finally reject all outgoing IPv6 packets.
All of this will complete the platform side of routing IPv6 through the
OpenVPN gateway, and blocking it. (Feature #4163)
Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810

Some important things to note:
We are hard-coding the pushing of the ipv6 route '2000::/3' and
configuring the server-ipv6 to be 2001:db8:123::/64. This netblock is a
reserved ipv6 prefix that is used for documentation purposes
only (http://www.apnic.net/info/faq/ipv6-documentation-prefix-faq.html),
and the route being pushed redirects all internet-bound traffic.
When LEAP fully supports ipv6, these network values should be turned
into variables, but for now, to make sure we are blocking any clients
that have functional ipv6, this will work.
Change-Id: Icb65f3169264e0178a2e98825b266a779feac6b5

which will provide us with proper ipv6 support
Change-Id: I0188732aae6cbc64ab57e95bf805d6158fa17e07

Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d

Change-Id: Ic7d0f8cc8c0340fdc24cf5ffa4c7018ebac76c7f

There are many different edge cases where mac and windows clients (and
maybe android too) will revert to using a different DNS server than the
one specified by openvpn.
This is bad news for security reasons. The client is being designed so
it doesn't leak DNS, however we don't want to put all of our eggs in one
basket, so this will block outgoing port 53 (udp and tcp) on the
gateway's firewall from any of the EIP interfaces (thus not blocking DNS
access on the gateway itself).
Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177

specific, to avoid catching unrelated processes (#5327)
Change-Id: I63ffcd644a85137708712daac671b92898c70b7e

including the default_service_level

that sshd will be listening to in a default setup. This needs to be
allowed so that you can have a different port configured in the
hiera and not get locked out during deployment (#5119)
Change-Id: Ie101eaaf440415ddb276621c369da7f67f409c2b