summaryrefslogtreecommitdiff
path: root/puppet/modules
AgeCommit message (Collapse)Author
2015-09-11Merge remote-tracking branch 'elijah/feature/sshconfig' into developMicah Anderson
2015-09-10sshd: let nodes change default AllowTcpForwardingelijah
2015-09-10fix various problems with webapp config generationelijah
2015-09-10Fix clients being blocked by RBLs (#7431)Micah Anderson
Valid users submitting mail to be delivered should not be blocked by configured RBLs. Settings in main.cf are valid and used globally, unless they are overridden in master.cf for specific Postfix daemons. We have set in main.cf the smtp_client_restrictions parameter to check for configured rbls, so we need to override that and empty it in order to allow valid clients to send mail, even when their IP is listed in an RBL. Note: most users will typically be connecting via VPN, so their IP would typically be replaced by the VPN gateway one, but there are cases where this is still useful. Change-Id: Ie4171113c78ae2814402a1ed9b5343280cbf79d1
2015-09-10moved leap_cli installation to leap modulevarac
Change-Id: I385f7877d0816456e7c57179511604645a4740bc
2015-09-03make couchdb.admin.yml only readable by root, make non-admin cron run as ↵elijah
webapp user.
2015-08-31Merge branch 'feature/mxalias' into developelijah
2015-08-27updated nagios submodulevarac
Change-Id: Iae76f9ca03baf459ae8ea044ea6aecfc73a41b3a
2015-08-27Merge branch '6847_improve_nagios_mail_subject' into developvarac
2015-08-21add support for configurable mail alias mapselijah
2015-08-13Increase readability of nagios notification mail subjects (#6847)varac
Change-Id: Ic9af9ef3602abbb51edf1c9d71d4d264b4ace714
2015-08-12Don't use check_mk logwatch to watch bigcouch logs anymore (#7375)varac
The rationale here is: - bigcouch/its included erlang version is incredibly noisy and spits out warnings/error msgs all the time - it uses the worst logging format i ever saw, multiple lines directly to a file (couch 2.0 uses lager as logging backend which can log to syslog) - trying to sort out the false positives will take too much time, and who knows which of them will be resolved in couch 1.6/2.0 Change-Id: Idbe6b37a19cd65ce31a50d4c28eedb4cf15ba3b5
2015-08-03webapp: add support for customizing localeselijah
2015-07-28Support RBL blocking of incoming mail (#5923)Micah Anderson
Set zen.spamhaus as the default rbl Change-Id: Ic3537d645c80ba42267bab370a1cf77730382158
2015-07-21Merge remote-tracking branch 'kwadrolab/static-amber-7231' into developMicah Anderson
Conflicts: puppet/modules/site_static/manifests/init.pp Change-Id: I090b1cb3cbe3c4d01a2c640ae3a370b17e722e12
2015-07-21Increase tapicero heatbeat nagios checks (#7275)Micah Anderson
Increase warning/critical thresholds for time between tapicero heartbeat checks so it will emit less false positives Change-Id: I0f97373d88658b7f17b2c4e8c1963198dc3f66ed
2015-07-21Fix leap-mx logrotation to work with twistd (#7058)Micah Anderson
We don't want to try and create the log file, twistd will do that. Don’t rename the log file from mx.log to mx.log.0, instead just copy it to mx.log.1, and then clear out mx.log so it’s empty (this is needed because leap-mx might assume that its file descriptor is still valid and continue trying to write to it, without this, leap-mx might lose data because it’ll assume the original log file is still around and continue to write to it, even though it’s gone)It’s a little dangerous because it’s possible that you might lose some logged data between the time that logrotate copies the new log file and truncates the old file (Caveat administrator). Finally, we don't want logrotate to complain if it finds mx.log, its ok if its there. Change-Id: I9952627f4d47e7a89a2915f6b72d82f9e6ca0d8b
2015-07-21minor lintingMicah Anderson
fix double quotes and indentation Change-Id: I79c28159d17e6256db3094f413d61dcdc9520dc6
2015-07-14bump amber version, taking care of puppet ordering with require.kwadronaut
2015-07-09Merge branch 'develop' of ssh://leap.se/leap_platform into developelijah
2015-07-09use latest amber for static nodes.elijah
2015-07-07Clean up left-over files from old way of leap-mx logging, this shouldMicah Anderson
stop the logrotate cron errors from happening. (#7058) Change-Id: Iceaeb8c17600fc23d2b1ca075546f8573c145760
2015-07-07check_mk should not falsely report multiple instances running (#6866)varac
Change-Id: Ie7943c9a541c3cd2feac7686ed1092aadc5a7c7a
2015-07-07Ignore openvpn logwatch warnings (#6867)varac
These are warnings that might have different origins, each of them we don't want to alarm the admin: - A bitmask client bug (user will poke the client devs if things break, and they will go after it) - A simple network failure, packets might get cut of - Malicious user tries to temper with TLS handshakes - this gets more interesting, but still (like ssh bruteforce attacs) an admin would not want to get annoyed by this by default, but they still have the option to use log analysers of their choice if they want to investigate this. Change-Id: I23ca3b700e41f22f34ad3346ed4e647b86000bb2
2015-07-07moved removal of leap_couch_stats.sh TMPFILE to end of script (#7217)varac
Change-Id: If844b95c44e697f480df8ee2ae6607709b9942f7
2015-07-07remove leap_couch_stats.sh TMPFILE so /tmp/ won't fill with tmp files (#7217)varac
Change-Id: I7b778e1e1af2784bd79840f20453ca8718927e25
2015-07-06Don't monitor disabled nodes (#7235)varac
Change-Id: I51ce8a9e8773d267c270a1725a497f9a43f2e9ff Sidenote: $nagios_hosts was never used
2015-07-05zlib1g-dev needed for amber gem fixes #7231kwadronaut
2015-07-01Don't remove acpid and acpi-support-base packagesvarac
Those packages are needed by libvirt to reboot/shutdown a VM by the virsh command. Change-Id: I3eb7b113d11e3034f41d09d51c203b93275ae3c9
2015-06-29updated submodule couchdb to remove debugging leftover notice()varac
Change-Id: I9c901a21c2ae3cd0164ca9bd3b4aab63d6a239c7
2015-06-24remove static site circular dependency (closes #7145)elijah
2015-06-23cleanup no longer used unbound conf.d pieces (#7187)Micah Anderson
Change-Id: Ie0b1f22c49462bd5c4ee3290f100e5d3e14ccb03
2015-06-23update unbound module to change hasstatus parameter to true (#6885)Micah Anderson
Change-Id: I532263ffe6679ff6c2249926086098dc8b4877f5
2015-06-23Remove old clean-up, this is no longer necessaryMicah Anderson
Change-Id: I4e8fe3355a2d55193ebf745de1f932a6dcd6121c
2015-06-22Merge branch '6067_plain_couchdb' into developvarac
2015-06-22Merge branch 'use_pbkdf2_for_newer_couchdb_versions' into developvarac
2015-06-21Support plain couchdb (#6067)varac
The bigcouch specific class ordering from site_couchdb::create_dbs needed to move to site_couchdb::bigcouch, otherwise a plain couchdb setup would try to include bigcouch classes and fail. Change-Id: I06742d4a12c5b40c9c9faa90441734e6926d422d
2015-06-21linted create_dbs.ppvarac
Change-Id: I9e46286c402adc06f3f815f8a1eea11fe82c7c39
2015-06-17bugfix: site_static module was not including ssl_common.incelijah
2015-06-11use couch.pwhash_alg hiera variable for hashing couchdb admin pwvarac
use this to run a single, plain couchdb node, using couchdb 1.6 from the leap repo: "couch": { "master": true, "pwhash_alg": "pbkdf2" } Change-Id: Ie4f34c2c5cb9feca7a10450bcf0bc260c8aa9d33
2015-06-11updated submodule couchdbvarac
Change-Id: Id5bc16d8466c3407e9f7c4015c1e3a96129daf0a
2015-06-11updated submodule couchdb (Couchdb >=1.3 uses pbkdf2 as pw hashing ↵varac
algorhythm, #7120) Change-Id: I97560f4134a700579d1523ddd8ba173bfb1f0659
2015-06-09Merge branch '0.7.0' into developvarac
2015-06-07deploy check_openvpn_server.pl after nagios-plugins-standard package is ↵0.7.0rc2varac
installed Change-Id: I272b30fd79e89ddf968c0a6e453d53a1f0540397
2015-06-06Configure apt preferences before installing any packagesvarac
Change-Id: Iac4dc8428ff5e663870ed4dd6a2b840e0904e5be
2015-06-04add preferences snippet for leap repository (#7090)Micah Anderson
Change-Id: Ia7a35c8613350ad75ff1ebbdda0a09efa0960ba6
2015-06-02ensure the enterhooks directory is presentChristoph Kluenter
2015-05-27Merge remote-tracking branch 'gitlab/0.7.0' into 0.7.0Micah Anderson
2015-05-27leap_couch_stats.sh handles rotated dbs (#6987)varac
Change-Id: I115ebdefd7365bf15a30c4a3ce7a4543ad757cec
2015-05-26Implement weakdh recommendations for cipher suites (#7024)Micah Anderson
This is a first step mitigation until we can have a newer apache that will allow us to specify dh parameters other than the default. Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d