Age | Commit message (Collapse) | Author |
|
This cuts the number of hops for a tor onion service from 6 to 3,
speeding it up considerably. This removes the anonymity aspect of the
service, so it must be enabled intentionally, knowing that the server's
location no longer is hidden.
|
subrepo:
  subdir: "puppet/modules/tor"
  merged: "5ef29012"
upstream:
  origin: "https://leap.se/git/puppet_tor"
  branch: "master"
  commit: "5ef29012"
git-subrepo:
  version: "0.4.0"
  origin: "https://github.com/ingydotnet/git-subrepo"
  commit: "2e78d5d"
|
This replaces the secret_token from rails 4.1 on.
Both are used for securing cookies in the browser. The secret_key_base
will also encrypt the cookies while the token will only sign them.
Keeping the token in there for now allows us to migrate existing sessions
/ cookies to the new secrets. We can remove it in the next version once
all providers have run with secret_key_base for a while.
|
We used haproxy because we had multiple bigcouch nodes but now
with a single couchdb node this is not needed anymore.
- Resolves: #8144
|
The jessie version randomly closes the connection prematurely,
see https://0xacab.org/leap/platform/issues/8746
- Resolves: #8746
|
Resolves: #8492
|
now that we deprecate wheezy, we can always set
smtpd_relay_restrictions
|
with @aarni
|
puppet/modules/systemd
subrepo:
  subdir: "puppet/modules/systemd"
  merged: "f3c4059"
upstream:
  origin: "https://leap.se/git/puppet_systemd"
  branch: "master"
  commit: "f3c4059"
git-subrepo:
  version: "0.3.0"
  origin: "https://github.com/ingydotnet/git-subrepo.git"
  commit: "841aa43"
|
This commit was moved to the systemd puppet repo.
This reverts commit f5db49cf6b3ca0a5830b849c0aac074e371b95d9.
|
- Resolves: #8693
|
bugfix: couchdb nodes should not require soledad. closes #8693
See merge request !60
|
This HTTP response header enables the Cross-site scripting (XSS) filter
built into some modern web browsers. This header is usually enabled by
default anyway, so the role of this header is to re-enable the filter
if it was disabled maliciously, or by accident.
|
Setting this header will prevent the browser from interpreting files as
something else than declared by the content type in the HTTP
headers. This will prevent the browser from MIME-sniffing a response
away from the declared content-type.
When this is not set, older versions of Internet Explorer and Chrome
perform MIME-sniffing on the response body, potentially causing the
response body to be interpreted and displayed as a content type other
than the declared content type.
|
When the soledad couch user is not present, soledad-server
refuses to start, so we need to ensure that couch is set up correctly
before starting soledad-server.
see https://leap.se/code/issues/8535
|
New soledad packages now depend on Twisted 16.2.0 (see
https://leap.se/code/issues/8412), so we need to pin twisted to get
installed from jessie-backports.
- Resolves: #8418
|
is configured
The problem is that we have a single onion address per server, so if more
than one domain is configured we need to make sure they don't both try to
use the same onion address.
|
freshclam might not be able to start clamav via the socket because
the socket might not be there. This systemd unit watches for the
definitions and then starts clamav.
Resolves: #8431
|
Sometimes, after a deploy from scratch `leap test`
fails because clamd could not get started (even when
the deploy log says so).
This fixes the dependencies of all resources needed in
order to let clamd start reliably.
Resolves: #8431
|
When setting values like
ignored_services = [...]
this will override other `ignored_services` that might get parsed
before. Instead, we use `+=` so multiple files can add sth to this
config value.
|