Age | Commit message | Author

This makes a clearer site_tor::relay class that the leap service
includes, and a more generic site_tor class that other classes can
depend on for setting up the initial install.
This gets us a simple apt repository privilege separation:
(a) our key can't be used to forge other repos
(b) other keys can't be used to forge our repo.
From sources.list(5):
· Signed-By (signed-by) is either an absolute path to a keyring
file (has to be accessible and readable for the _apt user, so ensure
everyone has read-permissions on the file) or one or more
fingerprints of keys either in the trusted.gpg keyring or in the
keyrings in the trusted.gpg.d/ directory (see apt-key
fingerprint). If the option is set, only the key(s) in this keyring
or only the keys with these fingerprints are used for the
apt-secure(8) verification of this repository. Defaults to the value
of the option with the same name if set in the previously acquired
Release file. Otherwise all keys in the trusted keyrings are
considered valid signers for this repository.
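
The privilege separation described in this commit only holds if every `deb` line names its own keyring with `signed-by=` and that keyring lives outside `/etc/apt/trusted.gpg.d/` (otherwise the key is trusted for all repositories and point (a) is lost), and only works at all if the keyring is readable by `_apt`. The following audit script is an added example, not code from the LEAP platform; the repository URL `repo.example.org` and the keyring paths are assumptions used only to build constructed fixtures in a temporary directory.

```shell
#!/bin/sh
# Added example, not LEAP platform code: audit apt source entries for
# per-repository key pinning via [signed-by=...]. The repository URL and
# keyring paths are assumptions used only to build fixtures.

# Can the unprivileged _apt user read the keyring? Test the "other" read
# bit, column 8 of the ls -l mode string (e.g. -rw-r--r--).
keyring_world_readable() {
  [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# audit_list FILE: print one verdict per deb/deb-src line, return 1 on any WARN.
audit_list() {
  _rc=0
  while IFS= read -r _line || [ -n "$_line" ]; do
    case "$_line" in
      "deb "*|"deb-src "*) ;;          # skip comments, blank lines, anything else
      *) continue ;;
    esac
    case "$_line" in
      *signed-by=*)
        # option value runs up to the closing ']' or the next ',' in [opt=..,opt=..]
        _kr=${_line#*signed-by=}
        _kr=${_kr%%]*}
        _kr=${_kr%%,*}
        case "$_kr" in
          /etc/apt/trusted.gpg.d/*)
            # a key in trusted.gpg.d verifies every repo: property (a) is lost
            echo "WARN keyring is globally trusted, not repo-specific: $_line"; _rc=1 ;;
          /*)
            if [ ! -f "$_kr" ]; then
              echo "WARN keyring missing: $_kr"; _rc=1
            elif ! keyring_world_readable "$_kr"; then
              echo "WARN keyring not readable by _apt: $_kr"; _rc=1
            else
              echo "OK   $_line"
            fi ;;
          *)
            # not a path: a fingerprint list, also accepted by sources.list(5)
            echo "OK   fingerprint-pinned: $_line" ;;
        esac ;;
      *)
        # no signed-by: every key in the trusted keyrings may sign this repo, (b) is lost
        echo "WARN no signed-by: $_line"; _rc=1 ;;
    esac
  done < "$1"
  return $_rc
}

# build_fixture DIR: write constructed keyrings and .list files to audit.
build_fixture() {
  _d=$1
  printf 'placeholder, not a real keyring\n' > "$_d/example-archive.gpg"
  chmod 644 "$_d/example-archive.gpg"
  printf 'placeholder, not a real keyring\n' > "$_d/private.gpg"
  chmod 600 "$_d/private.gpg"
  # hardened: only this keyring verifies this repo, and it verifies nothing else
  printf 'deb [signed-by=%s/example-archive.gpg] http://repo.example.org/debian stable main\n' \
    "$_d" > "$_d/good.list"
  # weak: three ways to get it wrong
  {
    printf '# no signed-by at all\n'
    printf 'deb http://repo.example.org/debian stable main\n'
    printf 'deb [arch=amd64,signed-by=%s/private.gpg] http://repo.example.org/debian stable main\n' "$_d"
    printf 'deb [signed-by=/etc/apt/trusted.gpg.d/example.gpg] http://repo.example.org/debian stable main\n'
  } > "$_d/weak.list"
}

# Demo run over the constructed fixtures.
demo_dir=$(mktemp -d)
build_fixture "$demo_dir"
audit_list "$demo_dir/good.list" || true
audit_list "$demo_dir/weak.list" || true
rm -rf "$demo_dir"
```

Run it against `/etc/apt/sources.list.d/*.list` on a real host to find entries that still fall back to the global trust store. The readability check deliberately looks at the mode bits rather than running as `_apt`, so it can be used from an unprivileged shell.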
This cuts the number of hops for a tor onion service from 6 to 3,
speeding it up considerably. This removes the anonymity aspect of the
service, so it must be enabled intentionally, knowing that the server's
location no longer is hidden.
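
The single-hop mode this commit enables is controlled by two torrc options, `HiddenServiceNonAnonymousMode` and `HiddenServiceSingleHopMode` (available since tor 0.2.9). As documented in tor(1), each requires the other, and non-anonymous mode cannot be combined with using the same tor instance as a client, so `SocksPort` (default 9050) and the other client ports must be 0; tor refuses to start otherwise. The checker below is an added example, not code from the LEAP platform or from tor; the `HiddenServiceDir` and port values in the constructed torrc files are assumptions.

```shell
#!/bin/sh
# Added example, not LEAP platform or tor code: check a torrc for the
# constraints that apply when an onion service is switched to the
# non-anonymous single-hop mode. Directory and port values are assumptions.

# torrc_value KEY FILE DEFAULT: last value set for KEY (torrc keys are
# case-insensitive and the last occurrence wins), or DEFAULT when unset.
torrc_value() {
  _v=$(grep -i "^[[:space:]]*$1[[:space:]]" "$2" | tail -n 1 | awk '{print $2}')
  printf '%s\n' "${_v:-$3}"
}

# check_torrc FILE: return 0 when the service-side settings are consistent.
check_torrc() {
  _rc=0
  _single=$(torrc_value HiddenServiceSingleHopMode "$1" 0)
  _nonanon=$(torrc_value HiddenServiceNonAnonymousMode "$1" 0)
  # SocksPort defaults to 9050 when unset; the other client ports default to 0.
  _socks=$(torrc_value SocksPort "$1" 9050)
  _trans=$(torrc_value TransPort "$1" 0)
  _dns=$(torrc_value DNSPort "$1" 0)

  if [ "$_single" != "$_nonanon" ]; then
    echo "FAIL HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode must both be 1 or both be 0"
    _rc=1
  fi
  if [ "$_nonanon" = 1 ]; then
    echo "NOTE non-anonymous mode: the server's location is no longer hidden"
    if [ "$_socks" != 0 ] || [ "$_trans" != 0 ] || [ "$_dns" != 0 ]; then
      echo "FAIL non-anonymous mode cannot coexist with client ports; set SocksPort, TransPort and DNSPort to 0"
      _rc=1
    fi
  fi
  if [ "$_rc" -eq 0 ]; then
    echo "OK   $1"
  fi
  return $_rc
}

# build_torrcs DIR: write four constructed torrc files.
build_torrcs() {
  _d=$1
  # default: 3-hop circuits on the service side, location hidden
  cat > "$_d/anon.torrc" <<EOF
HiddenServiceDir /var/lib/tor/webapp
HiddenServicePort 443 127.0.0.1:443
EOF
  # single-hop: faster, deliberately non-anonymous, client ports disabled
  cat > "$_d/singlehop.torrc" <<EOF
HiddenServiceDir /var/lib/tor/webapp
HiddenServicePort 443 127.0.0.1:443
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
SocksPort 0
EOF
  # broken: one flag without the other
  cat > "$_d/broken.torrc" <<EOF
HiddenServiceDir /var/lib/tor/webapp
HiddenServicePort 443 127.0.0.1:443
HiddenServiceSingleHopMode 1
EOF
  # broken: both flags set, but SocksPort left at its default of 9050
  cat > "$_d/clientports.torrc" <<EOF
HiddenServiceDir /var/lib/tor/webapp
HiddenServicePort 443 127.0.0.1:443
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
EOF
}

# Demo run over the constructed files.
demo_dir=$(mktemp -d)
build_torrcs "$demo_dir"
for f in anon singlehop broken clientports; do
  check_torrc "$demo_dir/$f.torrc" || true
done
rm -rf "$demo_dir"
```

The useful property of this check in a deployment pipeline is that it fails loudly on the half-configured case, which is exactly the one that would otherwise only show up as tor refusing to start after the deploy.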
subrepo:
  subdir:   "puppet/modules/tor"
  merged:   "5ef29012"
upstream:
  origin:   "https://leap.se/git/puppet_tor"
  branch:   "master"
  commit:   "5ef29012"
git-subrepo:
  version:  "0.4.0"
  origin:   "https://github.com/ingydotnet/git-subrepo"
  commit:   "2e78d5d"
This replaces the secret_token from rails 4.1 on.
Both are used for securing cookies in the browser. The secret_key_base
will also encrypt the cookies while the token will only sign them.
Keeping the token in there for now allows us to migrate existing sessions
/ cookies to the new secrets. We can remove it in the next version once
all providers have run with secret_key_base for a while.
We used haproxy because we had multiple bigcouch nodes but now
with a single couchdb node this is not needed anymore.
- Resolves: #8144
The jessie version randomly closes the connection prematurely,
see https://0xacab.org/leap/platform/issues/8746
- Resolves: #8746
Resolves: #8492
now that we deprecate wheezy, we can always set
smtpd_relay_restrictions
with @aarni
puppet/modules/systemd
subrepo:
  subdir:   "puppet/modules/systemd"
  merged:   "f3c4059"
upstream:
  origin:   "https://leap.se/git/puppet_systemd"
  branch:   "master"
  commit:   "f3c4059"
git-subrepo:
  version:  "0.3.0"
  origin:   "https://github.com/ingydotnet/git-subrepo.git"
  commit:   "841aa43"
This commit was moved to the systemd puppet repo.
This reverts commit f5db49cf6b3ca0a5830b849c0aac074e371b95d9.
- Resolves: #8693
bugfix: couchdb nodes should not require soledad. closes #8693
See merge request !60
This HTTP response header enables the Cross-site scripting (XSS) filter
built into some modern web browsers. This header is usually enabled by
default anyway, so the role of this header is to re-enable the filter
if it was disabled maliciously, or by accident.
Setting this header will prevent the browser from interpreting files as
something else than declared by the content type in the HTTP
headers. This will prevent the browser from MIME-sniffing a response
away from the declared content-type.
When this is not set, older versions of Internet Explorer and Chrome
perform MIME-sniffing on the response body, potentially causing the
response body to be interpreted and displayed as a content type other
than the declared content type.
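
To verify that the two headers from these commits actually reach the client, the check below parses a raw HTTP response (only the header block, stopping at the first blank line, so a header that appears in the body does not count) and reports on `X-Content-Type-Options` and `X-XSS-Protection`. It is an added example, not code from the LEAP platform; the two responses are constructed inline, and on a live host the same functions can be pointed at the output of `curl -sI URL` saved to a file.

```shell
#!/bin/sh
# Added example, not LEAP platform code: check a saved HTTP response for
# X-Content-Type-Options and X-XSS-Protection. The responses used here
# are constructed; `curl -sI https://host/ > resp.http` gives a real one.

# header_value NAME FILE: value of the last NAME header in the response
# (header names are case-insensitive; CRs stripped; body ignored), or empty.
header_value() {
  _want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr -d '\r' < "$2" | awk -v want="$_want" '
    NR > 1 && /^$/ { exit }                  # blank line ends the header block
    {
      i = index($0, ":"); if (i == 0) next    # status line, or not a header
      name = tolower(substr($0, 1, i - 1))
      val = substr($0, i + 1)
      sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      if (name == want) last = val
    }
    END { if (last != "") print last }'
}

# check_headers FILE: 0 if both headers are set as intended, else 1.
check_headers() {
  _rc=0
  _cto=$(header_value X-Content-Type-Options "$1" | tr 'A-Z' 'a-z')
  if [ "$_cto" = nosniff ]; then
    echo "OK   X-Content-Type-Options: nosniff (response will not be MIME-sniffed)"
  else
    echo "WARN X-Content-Type-Options missing or not 'nosniff' (got '$_cto')"; _rc=1
  fi
  _xss=$(header_value X-XSS-Protection "$1")
  case "$_xss" in
    1|"1;"*) echo "OK   X-XSS-Protection: $_xss (filter re-enabled where a browser still has one)" ;;
    0)       echo "INFO X-XSS-Protection: 0 (filter explicitly disabled)" ;;
    "")      echo "WARN X-XSS-Protection missing"; _rc=1 ;;
    *)       echo "WARN X-XSS-Protection has unexpected value '$_xss'"; _rc=1 ;;
  esac
  return $_rc
}

# build_responses DIR: write a hardened and a weak constructed response.
build_responses() {
  _d=$1
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n\r\n<html>demo</html>\r\n' \
    > "$_d/hardened.http"
  # the header only shows up in the body here, which must not count
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nX-Content-Type-Options: nosniff\r\n' \
    > "$_d/weak.http"
}

# Demo run over the constructed responses.
demo_dir=$(mktemp -d)
build_responses "$demo_dir"
check_headers "$demo_dir/hardened.http" || true
check_headers "$demo_dir/weak.http" || true
rm -rf "$demo_dir"
```

One caveat for anyone applying this today: the browser-side XSS filter that `X-XSS-Protection` re-enables has since been removed from Chromium (Chrome 78) and never existed in Firefox, so the header now does nothing in current browsers and the protection it stood in for is provided by a Content-Security-Policy. `X-Content-Type-Options: nosniff` remains fully relevant: besides stopping sniffing of the document itself, it makes browsers refuse to execute scripts and stylesheets served with the wrong MIME type.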
When the soledad couch user is not present, soledad-server
refuses to start, so we need to ensure that couch is setup correctly
before starting soledad-server.
see https://leap.se/code/issues/8535
New soledad packages now depend on Twisted 16.2.0 (see
https://leap.se/code/issues/8412), so we need to pin twisted to get
installed from jessie-backports.
- Resolves: #8418
is configured
The problem is that we have a single onion address per server, so if more
than one domain is configured we need to make sure they don't both try to
use the same onion address.
freshclam might not be able to start clamav via the socket because
the socket might not be there. This systemd unit watches for the
definitions and then starts clamav.
Resolves: #8431
Sometimes, after a deploy from scratch, `leap test`
fails because clamd could not get started (even when
the deploy log says so).
This fixes the dependencies of all resources needed in
order to let clamd start reliably.
Resolves: #8431
When setting values like
ignored_services = [...]
this will override other `ignored_services` that might get parsed
before. Instead, we use `+=` so multiple files can add something to this
config value.