path: root/puppet/modules/site_config/manifests
Age | Commit message | Author
2014-01-24 | swiss privacy foundation changed their nameserver IPs: http://www.privacyfoundation.ch/de/service/server.html | varac
2014-01-06 | install ntp on all platform nodes (Feature #4913) | varac
2013-12-18 | Fix for openvpn/unbound not starting at boot (#4506) | Micah Anderson
    This change sets the sysctl net.ipv4.ip_nonlocal_bind to allow applications to bind to an address, even when the link is down. This is necessary because applications like unbound and openvpn fail to start on boot in some situations because interfaces are not fully up (due to a combination of non-deterministic booting because of the likely potential setting of allow-hotplug in the interfaces file and the LSB boot dependency on $network not being sufficient). The only down-side to setting this is a daemon could bind to an incorrect ip and we wouldn't get an error, but this would be a configuration mistake, rather than a fatal condition.
    Change-Id: I5c03083e8c20bb25afad85a1230f4555808d341c
2013-11-27 | setup some common leap system directories: /var/lib/leap and /var/log/leap | Micah Anderson
    Change-Id: I18aa0ee635d7166676e4bb4384e2b517784a68b0
2013-11-25 | fix bug when 'environment' is nil in hiera.yaml | elijah
2013-10-20 | Possibility to include local puppet recipes (Feature #3976) | varac
2013-10-17 | syslog: fix apt_preferences snippet to glob on both rsyslog and rsyslog-relp (#4161) | Micah Anderson
    Change-Id: I7eaa35897da3b24833be3b2c14db99cd66b547c0
2013-10-16 | fix for rsyslog-relp being installed first, resulting in dependency errors (#4161) | Micah Anderson
    Change-Id: I2f0bcc5b4cb5effae57051f04251aeb8b09a4c6d
2013-10-16 | syslog: add rsyslog::snippet to anonymize logs | Micah Anderson
    it is necessary to install the fixed package from the leap.se repository until it is available in wheezy-backports, so install the apt preferences to pull it from there, and add its necessary library dependency from wheezy-backports
    Change-Id: I379ff2ceaac1a978143715d3a7ced0011ca0d747
2013-10-16 | rsyslog: setup default local config that gets us the same config as default from debian | Micah Anderson
    Change-Id: If07ee200e2ae0d9cfaf8e405d6354c80d77330ca
2013-10-16 | vagrant: support other providers besides virtualbox (Bug #4158) | varac
2013-10-15 | new fallback nameservers (#4113) | varac
    * the german privacy foundation has dissolved itself and shut down their public nameserver. we are now using the public nameserver by Digitalcourage, a german privacy organisation (https://en.wikipedia.org/wiki/Digitalcourage)
    * the IP for the server of the swiss privacy foundation has changed (http://www.privacyfoundation.ch/de/service/server.html)
2013-10-11 | fixed issues from https://review.leap.se/r/98/ | varac
2013-10-11 | install ruby-dev for nickserver/webapp (#4079 + #4080) | varac
2013-10-11 | don't remove dev-packages on webapp node | varac
    they are needed for building gems
2013-10-11 | deploy postfix satellites on all nodes (Bug #1683) | varac
2013-10-03 | fix name of base class file | Micah Anderson
    Change-Id: I844970f1c8f895d5a460d5082bfa1a2a88b32ecd
2013-09-26 | create a site_config::packages directory, move site_config::base_packages to site_config::packages::base add site_config::packages::gnutls for inclusion (#3955) | Micah Anderson
    Change-Id: I9599eb26844503613c16f57ee17d6ea7bd0cf6fb
2013-09-24 | added site_config::x509::client_ca::cert and site_config::x509::client_ca::key for client_ca deployment (#3917) | varac
2013-09-24 | move commercial x509 deployment to site_x509 (Feature #3889) | varac
2013-09-24 | separate cert and key deployment (#3918) | varac
2013-09-20 | Merge branch 'feature/3782_Discuss_run_stages_on_deploy' into develop | varac
2013-09-20 | move all resources that are applied on every node into site_config::default (#3782) | varac
    in commit 338833, we established a relationship between all resources that have a leap_service tag, that are called in site.pp. But we had some resources as default on every node in site.pp (apt::update, Package { require => Exec['apt_updated'] }, site_config::slow and stdlib), that were still lacking any relationship to the leap_service tag. By moving them into default.pp they automatically are executed before resources with a leap_service tag.
2013-09-19 | webapp: Depend services on deployment of default key, cert and ca (Feature #3838) | varac
2013-09-19 | tidy openvpn x509 definitions (#3831) | varac
2013-09-19 | only deploy x509 stuff for nodes if it exists in hiera (Feature #3875) | varac
2013-09-18 | deploy client_ca (#3833) | varac
2013-09-18 | openvpn should use /usr/local/share/ca-certificates/leap_ca.crt (Feature #3831) | varac
2013-09-17 | shorewall: #2399 blocks uplink (Bug #2866) | varac
2013-09-17 | site_config::params::interface should contain eth1 for vagrant cause it's the main interface we use (#2399, #2401) | varac
2013-09-17 | Merge branch 'bug/3757' into develop | Micah Anderson
2013-09-14 | ensure site_config::caching_resolver runs with tag leap_base (#3757) | Micah Anderson
    Change-Id: I593602ff9d3486dee39227673147e137045c55c5
2013-09-13 | Deploy default x509 cert + key that services can use (Feature #3836) | varac
2013-09-13 | deploy default x509::ca leap_ca in site_config::default (#3817) | varac
2013-09-04 | need to test that /etc/init.d/shorewall exists before attempting to call it, otherwise puppet complains (#3339) | Micah Anderson
    Change-Id: I7c8cc235817fe3d898157de4c4fdd8f1fe74f05a
2013-09-03 | Work around for shorewall not being available at the site_config stage (#3339) | Micah Anderson
    Change-Id: Id3138cb967f76380b7f4e22ce862a099cb47669e
2013-09-03 | require that shorewall has been installed before execs are run (#3339) | Micah Anderson
    Change-Id: Iae2b1cacd64565931cef77194a733aeae681efaf
2013-08-27 | fix name of initial_firewall.pp file (#3339) | Micah Anderson
    Change-Id: I341628d0f36225ce49ae301246e7c152553efcae
2013-08-22 | install a preliminary firewall that blocks everything, except ssh for the cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339) | Micah Anderson
    Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38
2013-08-14 | vagrant: Install squid-deb-proxy on clients (optional) (Feature #3330) | varac
    squashed commits:
    site_squid_deb_proxy::client: include shorewall::rules::mdns for avahi discovery
    added submodule squid_deb_proxy from git://code.leap.se/puppet_squid_deb_proxy
    updated submodule squid_deb_proxy
    use squid_deb_proxy::client
2013-07-31 | Revert "Site_webapp/Try::File: Could not find command 'git' (Bug #3202)" | varac
    This reverts commit 9e83de3497ec55f4910de099917387d500b8f4b4.
2013-07-31 | Site_webapp/Try::File: Could not find command 'git' (Bug #3202) | varac
2013-07-17 | default to false for $hosts | elijah
2013-07-11 | changes to support restrictive permissions for /etc/leap. this is required to work with the latest leap_cli. | elijah
2013-07-03 | Merge branch 'bug/1983' into leap | Micah Anderson
2013-07-02 | create a site_config subclass for package installation and removal add packages that we want to make sure are installed remove packages that were found on vagrant and PC installations that have no business being there | Micah Anderson
    Change-Id: I4887a327ca89eb60945ad817a75ff199859824d3
2013-07-02 | deleted bind9 purging, it was only needed for the transition from bind to unbound | varac
2013-07-01 | restart stunnels if /etc/hosts is changed (#3031) | Micah Anderson
    Due to the fact that /etc/hosts is modified in the early stage setup.pp run and the stunnel service is not deployed on an initial puppet run, we cannot simply override the Service['stunnel'] but instead need to trigger a restart through an exec calling the init script that first tests to see if it is present.
    Change-Id: I6bf5dfece9ecbdb8319747774185dec50d5a55f6
2013-06-30 | modularize and standardize site_sshd: | Micah Anderson
    . move the setting of the xterm title to site_config::shell
    . change the xterm file resource to use standard source lines, switch to single quotes, quote mode, and line up parameters
    . move the mosh pieces into a site_ssh::mosh class and only include it if the right mosh variable is enabled, passing into the class the necessary hiera parameters
    . lint the site_ssh::mosh resources
    . change the authorized_keys class to accept the key parameter which is passed in from the main ssh class (but allow for out of scope variable lookup when the tag is passed)
    Change-Id: Ieec5a3932de9bad1b98633032b28f88e91e46604
2013-06-19 | disable dhclient from modifying the /etc/resolv.conf file on openstack/amazon instances | Micah Anderson
    The dhclient in these environments is quite aggressive and overwrites the nameservers we've deliberately chosen to use with google's nameservers. This commit attempts to fix that. The dhclient methodology for altering these things is particularly unpleasant. We effectively redefine the functions that mess with this file to be noops in the /etc/dhcp/dhclient-enter-hooks.d directory and then we are forced to restart dhclient by shipping a script that tries to determine the correct PID and arguments that it was running as before killing and restarting it with the same arguments. See debian bugs #681698, #712796 for further discussion about how to make this less difficult
    Change-Id: I51cf40cf98eaddcefd8180e157b6e3ca824173f0