summaryrefslogtreecommitdiff
path: root/puppet/modules
AgeCommit message (Collapse)Author
2013-09-18Setup a class dependency for every tag 'leap_service' to make sure that ↵Micah Anderson
shorewall is setup before the service is setup. This is necessary due to the strict initial firewall that stops various service setup operations from happening, but is relaxed once shorewall is setup properly (#3782) Change-Id: Ia9640c4118aa0053cdb99e7bc11860fed5527501
2013-09-17fix stunnel module so that code was not removed accidentallyMicah Anderson
Change-Id: Ia236eb5b7609d9f96970230fce4d0051d832e3cb
2013-09-17shorewall: #2399 blocks uplink (Bug #2866)varac
2013-09-17site_config::params::interface should contain eth1 for vagrant cause it's ↵varac
the main interface we use (#2399, #2401)
2013-09-17update stunnel submodule commit id to correct one for new repositoryMicah Anderson
Change-Id: I33292b9eb2a5553ac296857c99fdaf350ed52542
2013-09-17Merge branch 'bug/3757' into developMicah Anderson
2013-09-17updated submodule stunnel - include stunnel in stunnel::service ↵varac
(https://leap.se/code/issues/3861)
2013-09-17Merge branch 'feature/3817_3836_3837_Duplicate_declarations' into developvarac
2013-09-14ensure site_config::caching_resolver runs with tag leap_base (#3757)Micah Anderson
Change-Id: I593602ff9d3486dee39227673147e137045c55c5
2013-09-14moved openvpn submodule back to 25f1fe8d8, like it was beforekwadronaut
2013-09-13change vcsrepo submodule url (bug #3139)kwadronaut
2013-09-13setup stunnel config to use default x509 cert,key+ca (#3837)varac
* fix stunnel setups for couchdb, mx, webapp services
2013-09-13Deploy default x509 cert + key that services can use (Feature #3836)varac
2013-09-13remove x509::ca for leap_ca in site_openvpn::keys and site_stunnel::stunnel ↵varac
(#3817)
2013-09-13deploy default x509::ca leap_ca in site_config::default (#3817)varac
2013-09-13use define instead of class for site_stunnel::setup (#3817)varac
so it can be called multiple times
2013-09-05require that shorewall is up before running bundler commands, it needs to ↵0.3.0rc1Micah Anderson
pull things from git (#3756) Change-Id: If404452c54dedb7a39a910994dc68309257d351d
2013-09-05updated submodule apt: unattended-upgrades package cannot be installed (Bug ↵varac
#3098)
2013-09-05Some packages are installed before refresh_apt is called (Bug #2988)varac
2013-09-04fix initial firewall to allow outgoing lo traffic and outgoing port 443 (#3736)Micah Anderson
this allows nameserver queries to the local resolver to work and clones to the leap https repository to work Change-Id: I575d08405a0c28e12c8d201a8dbc79585a5a9a48
2013-09-04change git repository clone URIs from git:// to https:// (#3732)Micah Anderson
Change-Id: Ic700fec9cfb8e8474fb65dbdd4a1a537bf586ec9
2013-09-04need to test that /etc/init.d/shorewall exists before attempting to call it, ↵Micah Anderson
otherwise puppet complains (#3339) Change-Id: I7c8cc235817fe3d898157de4c4fdd8f1fe74f05a
2013-09-04updated couchdb submodule: bigcouch nodes doesn't get registered as cluster ↵varac
members (Bug #3703)
2013-09-04Merge branch 'bug/3339' into developMicah Anderson
2013-09-04fix soledad-server not being available before the leap repository has been ↵Micah Anderson
configured (#3702) Change-Id: I8a86a241c52d88b4b681a800647d7c9c7c574b8e
2013-09-04make sure that the shorewall package is installed before trying to change ↵Micah Anderson
its configuration file (#3701) Change-Id: Ib2dad30d53e5bf7539762eb3683430b10eb875ed
2013-09-04updated submodule couchdb: don't use couchdb::document for creating ↵varac
_security, cause this special doc doesn't have and _id (#3706)
2013-09-03Work around for shorewall not being available at the site_config stage (#3339)Micah Anderson
Change-Id: Id3138cb967f76380b7f4e22ce862a099cb47669e
2013-09-03use check_helo_access hash:/helo_checks also for $submission_helo_restrictionsvarac
2013-09-03fix $master_cf_tail formatvarac
2013-09-03Sending mail fails when relaying using non-fully-qualified hostname (Feature ↵varac
#3667)
2013-09-03Merge branch 'feature/helo_access' into developMicah Anderson
Conflicts: puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp Change-Id: I51555935f9d9409e45809d6df021b10e926ea520
2013-09-03add /etc/postfix/checks directory and setup a check_helo_access that allows ↵Micah Anderson
admins to have some control over problem clients connecting that present helo patterns that they wish to block (#3694) Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4
2013-09-03require that shorewall has been installed before execs are run (#3339)Micah Anderson
Change-Id: Iae2b1cacd64565931cef77194a733aeae681efaf
2013-09-03Without smtpd_helo_required, the helo restrictions are easily bypassed by ↵Micah Anderson
not sending a HELO (#3693) Change-Id: I6a7338136a53e16962a070826493139fa3307df7
2013-09-02disable postfix debugging by defaultvarac
2013-09-02create all webapp databases so _security is set (fixes 3517)Azul
2013-09-02specify RAILS_ENV when calling bundle assets-precompile (fixes #3638)Azul
We currently disable the billing gem in production while it's on in development and test. Therefore bundler will not install its dependencies - in particular the braintree gem when deploying. Since the RAILS_ENV was not specified rake was called with the default of 'development'. It therefore tried to load the development gems and failed when looking for 'braintree'. Specifying the production RAILS_ENV fixes this. It looks like we'll always need to specify RAILS_ENV when calling rake or we might want to export it to the environment in a separate task or the user config files such as .bashrc
2013-08-31postfix enable submission port using starttls, so the client can transition ↵Micah Anderson
to the more restrictive TLS wrapper mode Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa
2013-08-31change the master.cf_tail to pull in -o ↵Micah Anderson
smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf, allowing us to setup specific restrictions for the smtps port move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions make a note about the permit_tls_all_clientcerts being something that we don't want in the future remove check_sender_access check which was doing an unnecessary lookup Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc
2013-08-30updated submodule couchdb: couchdb: update_user_webapp fails (Bug #3611)varac
2013-08-30create sessions db with puppet (Bug #3597)varac
2013-08-29Merge branch 'feature/3604' into developMicah Anderson
2013-08-29Merge branch 'bug/3612' into developMicah Anderson
2013-08-29Make TLS-required smtps (465) be port for sending SMTP. This is preferred ↵Micah Anderson
over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604) . enable smtps (port 465) for client submission over TLS, and require that TLS is enabled . add 465 to the allowed open ports in the firewall . change the smtp-service.json to use 465 instead of 25 note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need. Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02
2013-08-29create individual classes for the apache modules so they can be included ↵Micah Anderson
more than once in different locations, depending on what services are configured on a node (#3612) Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770
2013-08-29change the name of the couch_database in the nickserver.yaml to the new oneMicah Anderson
Change-Id: I5fe6912f3774ae87c595ca1dcac60a61e24de9e5
2013-08-29updated submodule couchdb, fixed merge resolution error from last mergevarac
2013-08-29updated submodule couchdb, fix puppet couchdb module doesn't create ↵varac
necessary databases anymore (Bug #3594)
2013-08-29fix smtpd mail restrictions (Feature #3166)varac