summaryrefslogtreecommitdiff
path: root/puppet/modules
AgeCommit message (Collapse)Author
2017-05-06Restructure site_tor to be more clear and re-usable (fixes #8784).Micah Anderson
This makes a more clear site_tor::relay class that the leap service includes, and a more generic site_tor class that other classes can depend on for setting up the initial install.
2017-05-02Add signed-by option to sources.list (Closes: #8425)Micah Anderson
This gets us a simple apt repository privilege separation: (a) our key can't be used to forge other repos (b) other keys can't be used to forge our repo. From sources.list(5): · Signed-By (signed-by) is either an absolute path to a keyring file (has to be accessible and readable for the _apt user, so ensure everyone has read-permissions on the file) or one or more fingerprints of keys either in the trusted.gpg keyring or in the keyrings in the trusted.gpg.d/ directory (see apt-key fingerprint). If the option is set, only the key(s) in this keyring or only the keys with these fingerprints are used for the apt-secure(8) verification of this repository. Defaults to the value of the option with the same name if set in the previously acquired Release file. Otherwise all keys in the trusted keyrings are considered valid signers for this repository.
2017-04-27Merge remote-tracking branch 'origin/merge-requests/77'varac
2017-04-25Add single-hop hidden service capability.Micah Anderson
This cuts the number of hops for a tor onion service from 6 to 3, speeding it up considerably. This removes the anonymity aspect of the service, so it must be enabled intentionally, knowing that the server's location no longer is hidden.
2017-04-25LintMicah Anderson
2017-04-25git subrepo pull (merge) puppet/modules/torMicah Anderson
subrepo: subdir: "puppet/modules/tor" merged: "5ef29012" upstream: origin: "https://leap.se/git/puppet_tor" branch: "master" commit: "5ef29012" git-subrepo: version: "0.4.0" origin: "https://github.com/ingydotnet/git-subrepo" commit: "2e78d5d"
2017-03-22webapp: add secret_key_base to configAzul
This replaces the secret_token from rails 4.1 on. Both are used for securing cookies in the browser. The secret_key_base will also encrypt the cookies while the token will only sign them. Keeping the token in there for now allows us to migrate existing sessions / cookies to the new secrets. We can remove it in the next version once all providers have run with secret_key_base for a while.
2017-03-16Make platform apt dist/component configurablevarac
2017-03-16Direct couch connection if running on same hostvarac
2017-03-15Direct connection when couch runs locallyvarac
2017-03-15[8144] Remove Haproxyvarac
We used haproxy because we had multiple bigcouch nodes but now with a single couchdb node this is not needed anymore. - Resolves: #8144
2017-03-15Linted couchdb.ppvarac
2017-02-27Install stunnel4 from jessie-backportsvarac
The jessie version randonly closes the connection prematurely see https://0xacab.org/leap/platform/issues/8746 - Resolves: #8746
2017-02-23Cleanup modified Gemfile.lock before pulling nickserver vcsrepovarac
Resolves: #8492
2017-02-23Dont apply specific ssh parameters for wheezyvarac
2017-02-23[feat] always set smtpd_relay_restrictionsvarac
now that we deprecate wheezy, we can always set smtpd_relay_restrictions
2017-02-23no build_essential packages for wheeyz anymorevarac
2017-02-23assume systemd is always present nowvarac
2017-02-23[feat] only care for apache >= 2.4varac
2017-02-23[feat] dont use backports for rsyslog anymorevarac
2017-02-23[feat] dont use backports for passenger anymorevarac
2017-02-23Remove old leap-keyring packagevarac
2017-01-18Use systemd unit file for nickserver [#8578]varac
2017-01-17Ensure the directory exists before creating the fileTulio Casagrande
with @aarni
2017-01-17Change autorestart to use systemd::unit_fileTulio Casagrande
2017-01-17Rename extensions module to autorestartTulio Casagrande
2017-01-17Remove spec_helperTulio Casagrande
2017-01-17Update how exec is runTulio Casagrande
2017-01-17Add apache auto-restart extension fileTulio Casagrande
2017-01-16git subrepo clone --force https://leap.se/git/puppet_systemd ↵varac
puppet/modules/systemd subrepo: subdir: "puppet/modules/systemd" merged: "f3c4059" upstream: origin: "https://leap.se/git/puppet_systemd" branch: "master" commit: "f3c4059" git-subrepo: version: "0.3.0" origin: "https://github.com/ingydotnet/git-subrepo.git" commit: "841aa43"
2017-01-16Revert "Add systemd::enable define"varac
This commit was moved to the systemd puppet repo. This reverts commit f5db49cf6b3ca0a5830b849c0aac074e371b95d9.
2016-12-31Couchdb service should not require on soledadvarac
- Resolves: #8693
2016-12-21Merge branch 'bugfix/sans-soledad' into 'master' Varac
bugfix: couchdb nodes should not require soledad. closes #8693 See merge request !60
2016-12-20[Vagrant] Install leap_cli gem dependenciesvarac
2016-12-20bugfix: couchdb nodes should not require soledad. closes #8693elijah
2016-12-08Lint site_config::filesvarac
2016-10-24Set X-XSS-Protection HTTP response header to '1'.Micah Anderson
This HTTP response header enables the Cross-site scripting (XSS) filter built into some modern web browsers. This header is usually enabled by default anyway, so the role of this header is to re-enable the filter if it was disabled maliciously, or by accident.
2016-10-24Set X-Content-Type-Options nosniff.Micah Anderson
Setting this header will prevent the browser from interpreting files as something else than declared by the content type in the HTTP headers. This will prevent the browser from MIME-sniffing a response away from the declared content-type. When this is not set, older versions of Internet Explorer and Chrome perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.
2016-10-20Merge branch 'twisted_backports' into developvarac
2016-10-18Setup couch for soledad before starting soledadvarac
When the soledad couch user is not present, soledad-server refuses to start, so we need to ensure that couch is setup correctly before starting soledad-server. see https://leap.se/code/issues/8535
2016-10-18Lint site_couchdb::setupvarac
2016-10-18[feat] Use twisted 16.2 from jessie-backportsvarac
New soledad packages now depend on Twisted 16.2.0 (see https://leap.se/code/issues/8412), so we need to pin twisted to get installed from jessie-backports. - Resolves: #8418
2016-10-18lint site_mx classvarac
2016-09-13[bugfix] static sites: only enable hidden service by default if one domain ↵elijah
is configured The problem is that we have a single onion address per server, so if more than one domain is configured we need to make sure they don't both try to use the same onion address.
2016-09-08Merge branch 'clamd_dependencies' into developvarac
2016-09-08Merge branch 'ensure_clamav_running' into developvarac
2016-09-08start clamav after definitions are downloadedChristoph Kluenter
freshclam might not be able to start clamav via the socket because the socket might not be there. This systemd unit watches for the definitions and then starts clamav. Resolves: #8431
2016-09-08Add systemd::enable definevarac
2016-09-07Fix dependencies for clamd servicevarac
Sometimes, after a deploy from scratch `leap test` fails because clamd could not get started (even when the deploy log says so). This fixes the dependencies of all resources needed in order to let clamd start reliable. Resolves: #8431
2016-09-06[feat] Add check_mk config values, dont set themvarac
When setting values like ignored_services = [...] this will override other `ignored_services` that might get parsed before. Instead, we use `+=` so multiple files can add sth to this config value.