path: root/puppet/modules
Age | Commit message | Author
2013-09-05 | require that shorewall is up before running bundler commands, it needs to pull things from git (#3756) [0.3.0rc1] Change-Id: If404452c54dedb7a39a910994dc68309257d351d | Micah Anderson
2013-09-05 | updated submodule apt: unattended-upgrades package cannot be installed (Bug #3098) | varac
2013-09-05 | Some packages are installed before refresh_apt is called (Bug #2988) | varac
2013-09-04 | fix initial firewall to allow outgoing lo traffic and outgoing port 443 (#3736) this allows nameserver queries to the local resolver to work and clones to the leap https repository to work Change-Id: I575d08405a0c28e12c8d201a8dbc79585a5a9a48 | Micah Anderson
2013-09-04 | change git repository clone URIs from git:// to https:// (#3732) Change-Id: Ic700fec9cfb8e8474fb65dbdd4a1a537bf586ec9 | Micah Anderson
2013-09-04 | need to test that /etc/init.d/shorewall exists before attempting to call it, otherwise puppet complains (#3339) Change-Id: I7c8cc235817fe3d898157de4c4fdd8f1fe74f05a | Micah Anderson
2013-09-04 | updated couchdb submodule: bigcouch nodes doesn't get registered as cluster members (Bug #3703) | varac
2013-09-04 | Merge branch 'bug/3339' into develop | Micah Anderson
2013-09-04 | fix soledad-server not being available before the leap repository has been configured (#3702) Change-Id: I8a86a241c52d88b4b681a800647d7c9c7c574b8e | Micah Anderson
2013-09-04 | make sure that the shorewall package is installed before trying to change its configuration file (#3701) Change-Id: Ib2dad30d53e5bf7539762eb3683430b10eb875ed | Micah Anderson
2013-09-04 | updated submodule couchdb: don't use couchdb::document for creating _security, cause this special doc doesn't have and _id (#3706) | varac
2013-09-03 | Work around for shorewall not being available at the site_config stage (#3339) Change-Id: Id3138cb967f76380b7f4e22ce862a099cb47669e | Micah Anderson
2013-09-03 | use check_helo_access hash:/helo_checks also for $submission_helo_restrictions | varac
2013-09-03 | fix $master_cf_tail format | varac
2013-09-03 | Sending mail fails when relaying using non-fully-qualified hostname (Feature #3667) | varac
2013-09-03 | Merge branch 'feature/helo_access' into develop Conflicts: puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp Change-Id: I51555935f9d9409e45809d6df021b10e926ea520 | Micah Anderson
2013-09-03 | add /etc/postfix/checks directory and setup a check_helo_access that allows admins to have some control over problem clients connecting that present helo patterns that they wish to block (#3694) Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4 | Micah Anderson
2013-09-03 | require that shorewall has been installed before execs are run (#3339) Change-Id: Iae2b1cacd64565931cef77194a733aeae681efaf | Micah Anderson
2013-09-03 | Without smtpd_helo_required, the helo restrictions are easily bypassed by not sending a HELO (#3693) Change-Id: I6a7338136a53e16962a070826493139fa3307df7 | Micah Anderson
2013-09-02 | disable postfix debugging by default | varac
2013-09-02 | create all webapp databases so _security is set (fixes 3517) | Azul
2013-09-02 | specify RAILS_ENV when calling bundle assets-precompile (fixes #3638) We currently disable the billing gem in production while it's on in development and test. Therefore bundler will not install its dependencies - in particular the braintree gem when deploying. Since the RAILS_ENV was not specified rake was called with the default of 'development'. It therefore tried to load the development gems and failed when looking for 'braintree'. Specifying the production RAILS_ENV fixes this. It looks like we'll always need to specify RAILS_ENV when calling rake or we might want to export it to the environment in a separate task or the user config files such as .bashrc | Azul
2013-08-31 | postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa | Micah Anderson
2013-08-31 | change the master.cf_tail to pull in -o smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf, allowing us to setup specific restrictions for the smtps port move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions make a note about the permit_tls_all_clientcerts being something that we don't want in the future remove check_sender_access check which was doing an unnecessary lookup Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc | Micah Anderson
2013-08-30 | updated submodule couchdb: couchdb: update_user_webapp fails (Bug #3611) | varac
2013-08-30 | create sessions db with puppet (Bug #3597) | varac
2013-08-29 | Merge branch 'feature/3604' into develop | Micah Anderson
2013-08-29 | Merge branch 'bug/3612' into develop | Micah Anderson
2013-08-29 | Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604) . enable smtps (port 465) for client submission over TLS, and require that TLS is enabled . add 465 to the allowed open ports in the firewall . change the smtp-service.json to use 465 instead of 25 note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need. Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02 | Micah Anderson
2013-08-29 | create individual classes for the apache modules so they can be included more than once in different locations, depending on what services are configured on a node (#3612) Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770 | Micah Anderson
2013-08-29 | change the name of the couch_database in the nickserver.yaml to the new one Change-Id: I5fe6912f3774ae87c595ca1dcac60a61e24de9e5 | Micah Anderson
2013-08-29 | updated submodule couchdb, fixed merge resolution error from last merge | varac
2013-08-29 | updated submodule couchdb, fix puppet couchdb module doesn't create necessary databases anymore (Bug #3594) | varac
2013-08-29 | fix smtpd mail restrictions (Feature #3166) | varac
2013-08-29 | Deploy postfix with an empty main.cf as beginning (Feature #3584) | varac
2013-08-29 | re-added submodule postfix from git://code.leap.se/puppet_postfix (#3584) | varac
2013-08-29 | removed submodule "puppet/modules/postfix" (url: git://labs.riseup.net/shared-postfix) | varac
2013-08-28 | SMTP checks (Feature #2304) | varac
2013-08-28 | Merge branch 'feature/3579' into develop | Micah Anderson
2013-08-28 | Merge branch 'bug/3491' into develop | Micah Anderson
2013-08-28 | apache headers module needs to be enabled on the monitor server (#3462) Change-Id: Ia4e36e9cb2b37172a148c209c5c07b9eca59d89e | Micah Anderson
2013-08-28 | Merge branch 'feature/clean-webapp-deploy' into develop | Azul
2013-08-28 | updated submodule stdlib to obtain facts that show netmask in cidr notation | varac
2013-08-28 | require VCS repo before git assume-unchanged (feature #1608) | Azul
2013-08-28 | integrate manual postfix config changes in puppet (Feature #3538) | varac
2013-08-28 | added site_postfix::debug for debugging (#3538) | varac
2013-08-27 | setup bigcouch logrotation (#3491) Change-Id: Ia35cf7a9fc1d0fad6a57bbae73968ab6b8f0c847 | Micah Anderson
2013-08-27 | now that soledad has been split we can better organize things (#3579) . create a soledad::common class . leap-mx now only needs to include soledad-common . move the site_apt::preferences::twisted to a preferences block inside the soledad server class . make sure that the packages are doing 'ensure => latest' instead of installed Change-Id: Ifa978e831cdc8835666b27322a6e068d67251f5d | Micah Anderson
2013-08-27 | fix name of initial_firewall.pp file (#3339) Change-Id: I341628d0f36225ce49ae301246e7c152553efcae | Micah Anderson
2013-08-27 | Merge branch 'develop' of ssh://code.leap.se/leap_platform into develop | varac