Age | Commit message | Author
---|---|---
2014-06-02 | fix unbound: configs in /etc/unbound/unbound.conf.d contained a syntax error and were missing .conf suffix | elijah
2014-05-22 | Implement #2328: unbound.conf: content changed on every puppetrun | Micah Anderson
| | This is done by using the include glob capability that is in the wheezy-backports and newer unbound to include the /etc/unbound/unbound.conf.d/* config files. To do this, we need to transition from our /etc/unbound/conf.d directory structure to use the one that the debian package uses. This allows us to clean up the rather ugly way we were configuring the resolver before. Change-Id: I68347922f265bbd0ddf11d59d8574a612a7bd82c | |
2014-05-13 | openvpn server config: script-security should be "1", since we don't need "2"; add tcp-nodelay to tcp servers. | elijah
2014-05-07 | openvpn package resource needs to be ensure => latest to accommodate upgrades | Micah Anderson
| | Change-Id: I8caad9b4ac15dcce8ab74ad6d22dd6ad9f6efb14 | |
2014-05-06 | set the ipv6 configuration options on the server | Micah Anderson
| | Some important things to note: we are hard-coding the pushing of the ipv6 route '2000::/3' and configuring the server-ipv6 to be 2001:db8:123::/64. This netblock is a reserved ipv6 prefix that is used for documentation purposes only (http://www.apnic.net/info/faq/ipv6-documentation-prefix-faq.html), and the route being pushed redirects all internet-bound traffic. When LEAP fully supports ipv6, these network values should be turned into variables, but for now, to make sure we are blocking any clients that have functional ipv6, this will work. Change-Id: Icb65f3169264e0178a2e98825b266a779feac6b5 | |
2014-05-06 | install openvpn from wheezy-backports, this will bring in openvpn 2.3, which will provide us with proper ipv6 support | Micah Anderson
| | Change-Id: I0188732aae6cbc64ab57e95bf805d6158fa17e07 | |
2014-04-24 | make sure concat fragments are put together before the openvpn service is run, otherwise the openvpn service is restarted before config files are deployed (#4154) | Micah Anderson
| | Change-Id: Ide38615714c1978bb90237986baea530c54153c3 | |
2014-04-24 | update indentation to be standard | Micah Anderson
| | Change-Id: Ic0ac3a7e6c9ce0e5f95bab023dbbf890c31d9e1c | |
2014-04-05 | openvpn: allow for configurable keepalive (aka ping & ping-restart) closes https://leap.se/code/issues/4127 | elijah
2014-04-02 | Merge pull request #20 from elijh/feature/openvpn-config | varac
| | allow ability to customize openvpn security options | |
2014-03-25 | ignore openvpn TLS initialization errors (Feature #5374) | varac
2014-03-20 | allow ability to customize openvpn security stuff: tls-cipher, auth, and cipher config options. | elijah
2013-10-15 | puppet - openvpn gateway address is hard coded as a /24 network (Bug #1863) | varac
2013-10-02 | only add vpn_(un)?limited_udp_resolver and vpn_(un)?limited_tcp_resolver lines to unbound.conf if the openvpn package is installed (#3868) | Micah Anderson
| | Change-Id: I65852660a606ccea7569b2207bd535bd8aa3867c | |
2013-09-25 | openvpn is restarted before package is installed (Bug #3904) | varac
2013-09-24 | separate cert and key deployment (#3918) | varac
2013-09-19 | Depend services on deployment of default key, cert and ca (Feature #3838) | varac
2013-09-19 | tidy openvpn x509 definitions (#3831) | varac
2013-09-19 | only deploy x509 stuff for nodes if it exists in hiera (Feature #3875) | varac
2013-09-19 | Merge branch 'develop' of ssh://code.leap.se/leap_platform into develop | varac
2013-09-18 | Setup a class dependency for every tag 'leap_service' to make sure that shorewall is setup before the service is setup. | Micah Anderson
| | This is necessary due to the strict initial firewall that stops various service setup operations from happening, but is relaxed once shorewall is setup properly (#3782) Change-Id: Ia9640c4118aa0053cdb99e7bc11860fed5527501 | |
2013-09-18 | openvpn should use /usr/local/share/ca-certificates/leap_ca.crt (Feature #3831) | varac
2013-09-13 | remove x509::ca for leap_ca in site_openvpn::keys and site_stunnel::stunnel (#3817) | varac
2013-07-23 | fix linting error | Micah Anderson
| | Change-Id: I975e1bd480d756a85e556b440a0e28e3899c9af8 | |
2013-07-16 | lint site_openvpn manifests | Micah Anderson
| | Change-Id: I314031d93aa9f4a0f217680870678e39c096d46a | |
2013-07-09 | use file_line from stdlib instead of line, now both vpn_unlimited_tcp_resolver and vpn_unlimited_udp_resolver are included | varac
2013-07-04 | more robust openvpn restarting | Micah Anderson
| | this ensures that an actual restart is run on the service when config files are added or removed, instead of relying on the status parameter of the initscript, which can be confused if config files are removed out from under it Change-Id: I1c69fff26933338b707acf7dc4593547f32f92e3 | |
2013-05-16 | special casing for pistoncloud/openstack/ec2 | Micah Anderson
2013-04-30 | setup a site_config::params class that can be used to set some common variables that are used in different places | Micah Anderson
| | To start with, we set up the $interface variable, based on logic as defined in #2213. Change the various places that were looking up this value to use site_config::params::interface instead. | |
2013-03-29 | fixed site_openvpn bug with redefined variable. | elijah
2013-03-17 | added support for "limited" service levels (although vpn is not yet actually rate limited). | elijah
2013-02-27 | openvpn -- added support for optional "free" rate-limited service via special client certificates with the FREE prefix in the common name. | elijah
2013-02-26 | require that the package unbound be installed before trying to write to its configuration file | Micah Anderson
| | this addresses issue #1853 - [vpn1] err: /Stage[main]/Site_openvpn::Resolver/Line[add_tcp_resolver]/Exec[echo 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver' >> '/etc/unbound/unbound.conf']/returns: change from notrun to 0 failed: echo 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver' >> '/etc/unbound/unbound.conf' returned 2 instead of one of [0] at /srv/leap/puppet/modules/common/manifests/defines/line.pp:45 | |
2013-02-21 | linted a bit | varac
2013-02-21 | linted | varac
2013-02-21 | linted | varac
2013-01-31 | tag 'base' is a bad idea because it invokes apache::base as well | varac
2013-01-31 | Merge branch 'develop' of ssh://leap.se/leap_platform into develop | elijah
2013-01-31 | added /etc/openvpn/ca_bundle.pem in order to allow multiple CA certs to be used. | elijah
2013-01-31 | tag 'service' for all service classes | varac
2013-01-30 | linted | varac
2013-01-29 | added support for client ca cert in site openvpn. | elijah
2013-01-29 | fix variable name for re-ordered fact | Micah Anderson
2013-01-29 | fix variable scoping | Micah Anderson
2013-01-29 | fix syntax error from enclosing variables in curly | Micah Anderson
2013-01-29 | enclose the variables in curly braces, as recommended by puppet-lint | Micah Anderson
2013-01-29 | add a new fact that provides a fact for each configured ip address, telling you which interface has it (essentially the inverse of the ipaddress_${interface} fact). | Micah Anderson
| | Switch the hiera lookups of the $interface, which was pulling from the .json, to pull instead from the above fact, see #1547 and #1548 | |
2013-01-17 | notify unbound when these configuration files change | Micah Anderson
2013-01-17 | fix typo in cidr variable name | Micah Anderson
2013-01-17 | change to using the CIDR notation for unbound access list | Micah Anderson
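Several of the commits above settle on concrete OpenVPN server settings: script-security 1 rather than 2, a configurable keepalive (ping and ping-restart), tcp-nodelay on TCP servers, explicitly chosen tls-cipher/cipher/auth, and a server-ipv6 on the 2001:db8::/32 documentation prefix together with a pushed route for 2000::/3 so that clients with working IPv6 cannot bypass the tunnel. The script below audits a server config for exactly those points. It is an added example and not code from the leap_platform repository; the two configs it parses are constructed samples, the directive names are standard OpenVPN directives, and the decision of what counts as a finding (for example, flagging any script-security level of 2 or more) is this example's own choice.

```python
"""Audit an OpenVPN server config for the settings the commit log above
touches: script-security level, keepalive, tcp-nodelay on TCP servers,
pinned tls-cipher/cipher/auth, and the IPv6 route that keeps client IPv6
traffic inside (or blackholed by) the tunnel.

Added example; not code from the leap_platform repository.
"""
import ipaddress
import re

# Constructed sample reflecting the settings named in the commits
# (script-security 1, tcp-nodelay, keepalive, server-ipv6 on the
# documentation prefix, pushed route for 2000::/3).
HARDENED_CONFIG = """\
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:123::/64
push "route-ipv6 2000::/3"
keepalive 10 120
script-security 1
tcp-nodelay
tls-cipher DHE-RSA-AES256-SHA
cipher AES-256-CBC
auth SHA256
ca /etc/openvpn/ca_bundle.pem
"""

# Constructed counter-example: the state the commits move away from.
WEAK_CONFIG = """\
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:123::/64
script-security 2
ca /etc/openvpn/ca_bundle.pem
"""

DOC_PREFIX = ipaddress.ip_network("2001:db8::/32")  # RFC 3849 documentation prefix
GLOBAL_UNICAST = "2000::/3"                         # catches all Internet-bound IPv6


def parse_openvpn(text):
    """Return [(directive, [args])] in file order. Full-line comments (# or ;)
    are skipped; a double-quoted argument, as in push "route-ipv6 ...",
    is kept as a single token."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
        entries.append((tokens[0], tokens[1:]))
    return entries


def audit(entries):
    """Return a list of findings; an empty list means nothing to report."""
    directives, pushes = {}, []
    for name, args in entries:
        if name == "push":
            pushes.append(args[0].split() if args else [])
        else:
            directives.setdefault(name, []).append(args)
    findings = []

    # script-security 2 or higher lets OpenVPN run user-defined scripts; the
    # log settles on 1 (built-in executables only) because nothing more is needed.
    level = int(directives.get("script-security", [["1"]])[0][0])
    if level >= 2:
        findings.append(f"script-security {level}: allows user-defined scripts; 1 is enough here")

    # keepalive is shorthand for ping + ping-restart; without either, dead peers linger.
    if "keepalive" not in directives and not ("ping" in directives and "ping-restart" in directives):
        findings.append("no keepalive/ping-restart: dead clients are never torn down")

    # tcp-nodelay only matters for TCP servers, which is where the log adds it.
    proto = directives.get("proto", [["udp"]])[0][0]
    if proto.startswith("tcp") and "tcp-nodelay" not in directives:
        findings.append("proto tcp without tcp-nodelay: Nagle delays small packets")

    # Unset means the OpenVPN default is used rather than a deliberately chosen suite.
    for d in ("tls-cipher", "cipher", "auth"):
        if d not in directives:
            findings.append(f"{d} not set: OpenVPN default will be used")

    # With server-ipv6 set, clients get an IPv6 address; unless 2000::/3 is also
    # pushed, their native IPv6 path bypasses the tunnel.
    if "server-ipv6" in directives:
        net = ipaddress.ip_network(directives["server-ipv6"][0][0], strict=False)
        pushed = [p[1] for p in pushes if len(p) == 2 and p[0] == "route-ipv6"]
        if GLOBAL_UNICAST not in pushed:
            findings.append("server-ipv6 set but no pushed route-ipv6 2000::/3: client IPv6 leaks around the tunnel")
        if net.subnet_of(DOC_PREFIX):
            findings.append(f"server-ipv6 {net} is in the documentation prefix; placeholder until real IPv6 is provisioned")
    return findings


def audit_config(text):
    return audit(parse_openvpn(text))


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{label}:")
        for finding in audit_config(cfg) or ["ok"]:
            print("  -", finding)
```

Run against a real server.conf with `audit_config(open("/etc/openvpn/server.conf").read())`. The documentation-prefix finding is informational by design: the commit that introduced 2001:db8:123::/64 states that it is a placeholder to be replaced with variables once IPv6 is fully supported, and the audit keeps reporting it until that happens.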