path: root/puppet/modules
Age | Commit message | Author
2017-01-18 | Remove spec_helper | Tulio Casagrande
2017-01-18 | Update how exec is run | Tulio Casagrande
2017-01-18 | Add apache auto-restart extension file | Tulio Casagrande
2017-01-18 | git subrepo clone --force https://leap.se/git/puppet_systemd puppet/modules/systemd | varac
subrepo: subdir: "puppet/modules/systemd" merged: "f3c4059" upstream: origin: "https://leap.se/git/puppet_systemd" branch: "master" commit: "f3c4059" git-subrepo: version: "0.3.0" origin: "https://github.com/ingydotnet/git-subrepo.git" commit: "841aa43"
2017-01-18 | Revert "Add systemd::enable define" | varac
This commit was moved to the systemd puppet repo. This reverts commit f5db49cf6b3ca0a5830b849c0aac074e371b95d9.
2016-12-31 | Couchdb service should not require on soledad | varac
- Resolves: #8693
2016-12-21 | Merge branch 'bugfix/sans-soledad' into 'master' | Varac
bugfix: couchdb nodes should not require soledad. closes #8693 See merge request !60
2016-12-20 | [Vagrant] Install leap_cli gem dependencies | varac
2016-12-20 | bugfix: couchdb nodes should not require soledad. closes #8693 | elijah
2016-12-08 | Lint site_config::files | varac
2016-10-24 | Set X-XSS-Protection HTTP response header to '1'. | Micah Anderson
This HTTP response header enables the Cross-site scripting (XSS) filter built into some modern web browsers. This header is usually enabled by default anyway, so the role of this header is to re-enable the filter if it was disabled maliciously, or by accident.
2016-10-24 | Set X-Content-Type-Options nosniff. | Micah Anderson
Setting this header will prevent the browser from interpreting files as something else than declared by the content type in the HTTP headers. This will prevent the browser from MIME-sniffing a response away from the declared content-type. When this is not set, older versions of Internet Explorer and Chrome perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.
2016-10-20 | Merge branch 'twisted_backports' into develop | varac
2016-10-18 | Setup couch for soledad before starting soledad | varac
When the soledad couch user is not present, soledad-server refuses to start, so we need to ensure that couch is set up correctly before starting soledad-server. see https://leap.se/code/issues/8535
2016-10-18 | Lint site_couchdb::setup | varac
2016-10-18 | [feat] Use twisted 16.2 from jessie-backports | varac
New soledad packages now depend on Twisted 16.2.0 (see https://leap.se/code/issues/8412), so we need to pin twisted to get installed from jessie-backports. - Resolves: #8418
2016-10-18 | lint site_mx class | varac
2016-09-13 | [bugfix] static sites: only enable hidden service by default if one domain is configured | elijah
The problem is that we have a single onion address per server, so if more than one domain is configured we need to make sure they don't both try to use the same onion address.
2016-09-08 | Merge branch 'clamd_dependencies' into develop | varac
2016-09-08 | Merge branch 'ensure_clamav_running' into develop | varac
2016-09-08 | start clamav after definitions are downloaded | Christoph Kluenter
freshclam might not be able to start clamav via the socket because the socket might not be there. This systemd unit watches for the definitions and then starts clamav. Resolves: #8431
2016-09-08 | Add systemd::enable define | varac
2016-09-07 | Fix dependencies for clamd service | varac
Sometimes, after a deploy from scratch `leap test` fails because clamd could not get started (even when the deploy log says so). This fixes the dependencies of all resources needed in order to let clamd start reliably. Resolves: #8431
2016-09-06 | [feat] Add check_mk config values, don't set them | varac
When setting values like ignored_services = [...] this will override other `ignored_services` that might get parsed before. Instead, we use `+=` so multiple files can add sth to this config value.
2016-09-05 | [style] lint ::site_static class | varac
2016-09-01 | added support for Let's Encrypt | elijah
2016-09-01 | moved infrastructure tests run by `leap run` to tests/server-tests | elijah
2016-08-31 | Merge remote-tracking branch 'varac/remove_soledad_procs_check' into develop | Micah Anderson
2016-08-31 | [bug] Remove Nagios soledad procs check | varac
leap_cli already checks for running procs - Resolves: #8380
2016-08-31 | [style] lint soledad::server | varac
2016-08-31 | Document site_check_mk::agent::soledad | varac
2016-08-30 | lint site_webapp/manifests/init.pp | varac
2016-08-30 | [feat] Use twisted 16.2 from jessie-backports | varac
New soledad packages now depend on Twisted 16.2.0 (see https://leap.se/code/issues/8412), so we need to pin twisted to get installed from jessie-backports. - Resolves: #8418
2016-08-23 | syslog: remove duplicate messages (#8405). | Micah
Change-Id: I90f8d160d2293288066847bcc199f480d06d877d
2016-08-20 | Fix rsyslog auth.log entries (#8381). | Micah
The auth.log rsyslog entry was accidentally removed in #7863. Change-Id: I4ebffeafedbca5df902041ddd2bcb80d3f68b230
2016-08-20 | ignore noisy 401 errors from soledad log. | Micah
Change-Id: Ia1764cb28e263353856523c11f351a39774bf3b4
2016-08-08 | Stricter VPN egress firewall (#8289) | Micah
Change-Id: Ie09a6a34dfa8fe3d72568d2de0b208e7d947412f
2016-08-08 | Disallow intra-client connectivity (#8272). | Micah
If you connect to the VPN with a client, you can make direct network connections to the other connected clients. This allows communication to the eip gateways, but disallows any other connections. Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
2016-08-05 | Disallow intra-client connectivity (#8272). | Micah
If you connect to the VPN with a client, you can make direct network connections to the other connected clients. This allows communication to the eip gateways, but disallows any other connections. Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
2016-08-04 | Remove site-apache symlink. | Micah
There is no need to keep this symlink around any longer, it was there for older puppet. Change-Id: Ie7a380821d478e5ad69df39f03009d773afb73f3
2016-08-02 | Set TCP_NODELAY option for couchdb (#8264) | Micah
Mochiweb in couchdb by default sets the TCP socket option SO_NODELAY to false. This means that small data sent to the TCP socket, like the reply to a document write request (or reading a very small document), will not be sent immediately to the network - TCP will buffer it for a while hoping that it will be asked to send more data through the same socket and then send all the data at once for increased performance. Setting this increases the couchdb speed significantly. Change-Id: Ib493ef061ff62c9bdee501e44ce2b55990fe14b7
2016-07-21 | fix site_static's call to passenger | elijah
2016-07-21 | fix couchdb's backupninja | elijah
2016-07-21 | git subrepo clone https://leap.se/git/puppet_openvpn puppet/modules/openvpn | elijah
subrepo: subdir: "puppet/modules/openvpn" merged: "ba7ec7a" upstream: origin: "https://leap.se/git/puppet_openvpn" branch: "master" commit: "ba7ec7a" git-subrepo: version: "0.3.0" origin: "https://github.com/ingydotnet/git-subrepo" commit: "cb2995b"
2016-07-21 | remove openvpn submodule | elijah
2016-07-19 | Only use the 'main' repository for apt (#8253) | Micah
Change-Id: If39222dc9ec68d1786c70c4b82b740e0a06773c4
2016-07-19 | Block ip-based helo at MTA (#8139). | Micah
Numeric helo is a very strong indicator of spam. When this is blocked, a very significant amount of spam stops. Change-Id: Ieb340190faf37638950d1aa60b52268659e0b7f6
2016-07-19 | Block MTAs that claim they are 'localhost'. | Micah
Nobody should be claiming that they are localhost when they are connecting over smtpd. Change-Id: Ifb7df855b4e12021c58b89b2053e31fb10806096
2016-07-13 | Newest passenger module doesn't manage munin by default | varac
2016-07-13 | Notify Exec[shorewall_check] not Service[shorew..] | varac
Latest shorewall module does `shorewall check` (executed by `Exec[shorewall_check]`) so every related resource change must notify this Exec instead of `Service[shorewall]` as before.