summaryrefslogtreecommitdiff
path: root/puppet/modules
AgeCommit message (Collapse)Author
2013-10-09setup email account 'blacklist' by configuring reserved aliases, effectively ↵Micah Anderson
implementing RFC2142 and more (#3602) Change-Id: Ic2765b25ff9e1560def4900a1bf38dc8023b0ffa
2013-10-06It turns out postfix's variable for 1024bit DH parameters can actually take ↵0.3.0rc3Micah Anderson
a file of arbitrary length (#4012) Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5
2013-10-06implement stripping user's home IPs from Received headers (#3866)Micah Anderson
Change-Id: I6d78286f84144bba5fd3166cc0264570e4fd3ee0
2013-10-06only use TLSv1 or later for smtp (Feature #4011)Micah Anderson
Disable on the client-side with postfix (smtp) SSLv2/SSLv3 and only allow for TLSv1 or later SMTP servers almost universally support TLSv1. There are very few servers that don't (the few that are would result sending in the clear for these, but the alternative isn't much better). This is unlikely to cause any significant problems. Change-Id: I8f98ba32973537905b71f63b100f41a420b6aa3f
2013-10-03fix name of base class fileMicah Anderson
Change-Id: I844970f1c8f895d5a460d5082bfa1a2a88b32ecd
2013-10-03Merge branch 'feature/3953' into developMicah Anderson
2013-10-03It turns out postfix's variable for 1024bit DH parameters can actually take ↵Micah Anderson
a file of arbitrary length (#4012) Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5
2013-10-02setup smtpd_tls_eecdh_grade to 'ultra' and configure the ↵Micah Anderson
smtpd_tls_dh1024_param file, after generating it (#3953) Change-Id: I8e88a4862cda052c2f0ca0149f1d0753c7c83cb5
2013-10-02Merge branch 'bug/3869' into developMicah Anderson
2013-10-02Merge branch 'bug/3959' into developMicah Anderson
2013-10-02Merge branch 'feature/3955' into developMicah Anderson
2013-10-02only add vpn_(un)?limited_udp_resolver and vpn_(un)?limited_tcp_resolver ↵Micah Anderson
lines to unbound.conf if the openvpn package is installed (#3868) Change-Id: I65852660a606ccea7569b2207bd535bd8aa3867c
2013-09-26set myhostname in postfix the internet hostname of this mail system. The ↵Micah Anderson
default would otherwise be set to be something like starfish.local instead of the fully qualified domain (#3869) Change-Id: I4a537402de08b41446d344d8c21973b8d09e7ad6
2013-09-26Merge branch 'bug/3868' into developMicah Anderson
2013-09-26create a site_config::packages directory, move site_config::base_packages to ↵Micah Anderson
site_config::packages::base add site_config::packages::gnutls for inclusion (#3955) Change-Id: I9599eb26844503613c16f57ee17d6ea7bd0cf6fb
2013-09-26Add client-side TLS configuration (#3868)Micah Anderson
Change-Id: I0b82930f6f6a453e57f1d57fd8b5df78d464e206
2013-09-26Merge branch 'bug/3868' into developMicah Anderson
2013-09-26properly set the $smtps_recipient_restrictions variable in master.cf (#3935)Micah Anderson
Change-Id: Ia5f35977b3dad08c10256f0281ab36ffb230c9fd
2013-09-25add smtp_tls_received_header to include information about the protocol and ↵Micah Anderson
cipher used as well as the client and issuer CommonName into the "Received:" header Also, clean up the parameters to standardize them Change-Id: Ib6be27f0f93e0a9e20fbdffa1d42220a25fc8ed4
2013-09-25openvpn is restarted before package is installed (Bug #3904)varac
2013-09-25recent couchdb puppet - requires git submodule updateAzul
2013-09-24deploy client_ca on webapp nodevarac
2013-09-24webapp leftover for seperate cert and key deployment (Feature #3918)varac
2013-09-24fix client_ca cert+key for mx service (Feature #3921)varac
2013-09-24added site_config::x509::client_ca::cert and ↵varac
site_config::x509::client_ca::key for client_ca deployment (#3917)
2013-09-24https://bitmask.net/ca.crt gives 403 Forbidden (Bug #3919)varac
2013-09-24Webapp doesn't serve commercial cert (Bug #3916)varac
2013-09-24move commercial x509 deployment to site_x509 (Feature #3889)varac
2013-09-24seperate cert and key deployment (#3918)varac
2013-09-22Merge branch 'api-crt-3384' into develop fixes #3384kwadronaut
2013-09-22adding fqdn as default servername and moving service.domain to ServerAlias ↵kwadronaut
(fixing #3384) node name and dns fqdn could be different Also note that on local deploys that warning from #3384 will continue to exist (because of dns)
2013-09-20use newer haproxy_servers macro in order to allow couchdb and webapp to be ↵elijah
on the same node (requires latest leap_cli)
2013-09-20Merge branch 'feature/3782_Discuss_run_stages_on_deploy' into developvarac
2013-09-20move all resources that are applied on every node into site_config::default ↵varac
(#3782) in commit 338833, we established a relationship between all resources that have a leap_service tag, that are called in site.pp. But we had some resources as default on every node in site.pp (apt::update, Package { require => Exec['apt_updated'] }, site_config::slow and stdlib), that were still lacking any relationship to the leap_service tag. By moving them into default.pp they automatically are executed before resources with a leap_service tag.
2013-09-20fix whitespace issues from https://review.leap.se/r/82varac
2013-09-19fix x509 path in webapp config.yml.erb (#3894)varac
2013-09-19tidy soledad x509 definitions (#3841)varac
2013-09-19tidy webapp api x509 definitions (#3840)varac
2013-09-19tidy nickserver x509 definitions (#3842)varac
2013-09-19webapp: Depend services on deployment of default key, cert and ca (Feature ↵varac
#3838)
2013-09-19Depend services on deployment of default key, cert and ca (Feature #3838)varac
2013-09-19soledad should use default key, cert and ca (Feature #3841)varac
2013-09-19tidy openvpn x509 definitions (#3831)varac
2013-09-19only deploy x509 stuff for nodes if it existes in hiera (Feature #3875)varac
2013-09-19Merge branch 'develop' of ssh://code.leap.se/leap_platform into developvarac
2013-09-18Setup a class dependency for every tag 'leap_service' to make sure that ↵Micah Anderson
shorewall is setup before the service is setup. This is necessary due to the strict initial firewall that stops various service setup operations from happening, but is relaxed once shorewall is setup properly (#3782) Change-Id: Ia9640c4118aa0053cdb99e7bc11860fed5527501
2013-09-18use x509 for postfix ca and fix names for cert+key (Feature #3833)varac
2013-09-18deploy client_ca (#3833)varac
2013-09-18openvpn should use /usr/local/share/ca-certificates/leap_ca.crt (Feature #3831)varac
2013-09-17fix stunnel module so that code was not removed accidentallyMicah Anderson
Change-Id: Ia236eb5b7609d9f96970230fce4d0051d832e3cb