Age | Commit message | Author
The existing site_config::sshd had a non-functioning 'include sshd' line
in it that was not doing what was expected (this was supposed to include
the sshd module, but due to scoping was including itself).
It seemed better to eliminate some of the unused pieces and consolidate
into one config location.
Change-Id: I79dd904e696ca646180a09abbb03b5361dfc8ab9
Change-Id: I679dfe8dff90b7c86ab0ffff43e13958f1ec2c99
into develop
Change-Id: I4e9d845f9758232f4da0d4bfbf785e52982b825b
This is done by using the include glob capability that is in the
wheezy-backports and newer unbound to include the
/etc/unbound/unbound.conf.d/* config files.
To do this, we need to transition from our /etc/unbound/conf.d directory
structure to use the one that the debian package uses.
This allows us to clean up the rather ugly way we were configuring the
resolver before.
Change-Id: I68347922f265bbd0ddf11d59d8574a612a7bd82c
Change-Id: I3f6a4db26e064a520a08822cf23fc3288b31af62
Change-Id: Ie28de8d3f7a8c8cf52ce30365379a476d48dc88b
group it with the other preferences snippets
Change-Id: I83928c6b82cd6218a80c95475729cb57f146ff85
site_mx::haproxy and site_webapp::haproxy only
included site_haproxy. They didn't do anything else.
So just include site_haproxy in manifests/init.pp and
remove the unused classes
the problem was that both site_mx::haproxy and site_webapp::haproxy
declared the same resource.
I fixed it by moving that resource to site_haproxy.
Since that gets included by both classes, everything works like
a charm
virtualbox sends the domain with the DHCP answer.
If the wrong domain ends up in /etc/resolv.conf, bigcouch fails.
latest leap_cli.
currently impossible to entirely overwrite the service.levels hash.
We want to access service levels by means of the id stored in the user record. With a hash we don't have to loop through all elements to find the one with a given id and still can use arbitrary strings and do not rely on the order of the array.
Also it's the format the webapp is expecting right now.
This reverts commit ae50675e9095750cee9810237fb6b9f60030dae4.
Older openssl implementations (wheezy, android, others) aren't able to
parse this newer string, so reverting to the deprecated name until we
are sure the support is there
"2"; add tcp-nodelay to tcp servers.
over to the website, when necessary (#4373)
Change-Id: I296dd9d3cee1b84bd141cbf63ccaecea24916cc1
Change-Id: I8caad9b4ac15dcce8ab74ad6d22dd6ad9f6efb14
deprecation warning:
2014-05-06 18:10:23,594 - INFO - L#826 : leap.openvpn:outReceived() - Tue May 6 18:10:23 2014 Deprecated TLS cipher name 'DHE-RSA-AES128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA'
Change-Id: I159b26604993d38806fcb7c2ed8f6de8138999f7
Change-Id: I4781f0c3e1c74f5a45217a4d631603fa1a622fd6
trigger changes, make the default ipv6 firewall subscribe to shorewall6,
if it exists, and finally reject all outgoing IPv6 packets.
All of this completes the platform side of routing IPv6 through the
OpenVPN gateway and blocking it. (Feature #4163)
Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810
some important things to note:
We are hard-coding the pushing of the ipv6 route '2000::/3' and
configuring the server-ipv6 to be 2001:db8:123::/64. This netblock is a
reserved ipv6 prefix that is used for documentation purposes
only (http://www.apnic.net/info/faq/ipv6-documentation-prefix-faq.html),
and the route being pushed redirects all internet-bound traffic.
When LEAP fully supports ipv6, these network values should be turned
into variables, but for now, to make sure we are blocking any clients
that have functional ipv6, this will work.
Change-Id: Icb65f3169264e0178a2e98825b266a779feac6b5
which will provide us with proper ipv6 support
Change-Id: I0188732aae6cbc64ab57e95bf805d6158fa17e07
Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d
Change-Id: Ic7d0f8cc8c0340fdc24cf5ffa4c7018ebac76c7f
There are many different edge cases where mac and windows clients (and
maybe android too) will revert to using a different DNS server than the
one specified by openvpn.
This is bad news for security reasons. The client is being designed so
it doesn't leak DNS, however we don't want to put all of our eggs in one
basket, so this will block outgoing port 53 (udp and tcp) on the
gateway's firewall from any of the EIP interfaces (thus not blocking DNS
access on the gateway itself).
Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177
specific, to avoid catching unrelated processes (#5327)
Change-Id: I63ffcd644a85137708712daac671b92898c70b7e
including the default_service_level
that sshd will be listening to in a default setup. This needs to be
allowed so that you can have a different port configured in the
hiera and not get locked out during deployment (#5119)
Change-Id: Ie101eaaf440415ddb276621c369da7f67f409c2b
the pid file (#5577)
Change-Id: I2144e3d8c0ee18254fe3822098c87b2a8c57c2ce
"rabbitLKJYW23695JGLKJ" where rabbit is the node name). Stop shipping a
static 'family' and instead provide a comma separated list of node tor
nicknames. (#5220)
Change-Id: I479f460ab230ad440f72c78dc6362983387ce12a
cert/key. This has the same effect as 'require' because both make sure
that the mentioned resource(s) will be applied before this resource, but
subscribe will cause this resource to refresh anytime the subscribed
resources change (#4342)
Change-Id: I9470bb36f135b821b67a1da70c472d7687b08718
is run, otherwise the openvpn service is restarted before config files
are deployed (#4154)
Change-Id: Ide38615714c1978bb90237986baea530c54153c3
Change-Id: Ic0ac3a7e6c9ce0e5f95bab023dbbf890c31d9e1c
Change-Id: I7d13d9395cd70b4de6fa7c6d5a9e5132d995ade1
Conflicts:
.gitignore
Change-Id: I778f3e1f1f4832f5894bc149ead67e9a4becf304
Conflicts in certain situations (#5523)
Change-Id: I1ca67e317a7eb84f64cb7b79daa2e500f0561707
class to be more visually logical (#5269, #4590, #3712)
Change-Id: I58c28c3bc62e67b25f33da3378e8146110471613
. make the couchdb service start after the stunnels have been
set up. This may improve the cluster membership coming online
faster
. replace the two Couchdb::Create_db ordering hints (for the
'users' and 'tokens' databases) with a generic
Class['site_config::create_dbs'] hint. This makes it so we get
the ordering hint for all databases, which we were not before,
without having to individually list them
. replace the two Couchdb::Add_user ordering hints (for the
$couchdb_webapp_user and the $couchdb_soledad_user) with a
generic ordering hint for Class['site_couchdb::add_users']
ordering hint. This makes it so we get the ordering hint for all
the users, which we were not before, without having to
individually list them
Change-Id: Ia63e62d68d24e77a49d4ef928a2a8130ab7bccb9
cluster membership to settle, before attempting any operations
(#5269, #4590, #3712)
Change-Id: Ic9826dda1c242e705ce85ae218766496bdd8ecbd