summaryrefslogtreecommitdiff
path: root/puppet/modules
AgeCommit message (Collapse)Author
2017-06-22Delay hard state of the nagios APT checkVarac
Delay a hard state of the APT check for 1 day so unattended_upgrades has time to upgrade packages. Resolves: #8748
2017-05-30static - support for renewing certs with let's encrypt for static siteselijah
2017-05-23[vagrant] Don't block eth0 if eth1 is configuredvarac
Eth0 is vagrant's main interface to access the box
2017-05-23Include site_config::vagrant on vagrant nodesvarac
2017-05-23[vagrant] Lint vagrant.ppvarac
2017-05-23[vagrant] Use eth1 on vagrant if presentvarac
Virtualbox adds eth1 as second interface when private networking is enabled. - Related: #7769
2017-05-10Nickserver direct access to couchdb on same nodevarac
Depending whether couchdb is running on the same node as nickserver, couchdb is available on localhost: - When couchdb is running on a different node: Via stunnel, which is bound to 4000. - When couchdb is running on the same node: On port 5984 Resolves: #8793
2017-05-10Depend soledad-server on ssl-cert packagevarac
We should include this in soledad-server package as dependency but until we sorted out this, we depend soledad-server on ssl-cert in the platform. see https://0xacab.org/leap/soledad/issues/8849 for
2017-05-06Install tor from backports (fixes #8783).Micah Anderson
The newer version is needed for the single-hop functionality.
2017-05-06Restructure site_tor to be more clear and re-usable (fixes #8784).Micah Anderson
This makes a more clear site_tor::relay class that the leap service includes, and a more generic site_tor class that other classes can depend on for setting up the initial install.
2017-05-02Add signed-by option to sources.list (Closes: #8425)Micah Anderson
This gets us a simple apt repository privilege separation: (a) our key can't be used to forge other repos (b) other keys can't be used to forge our repo. From sources.list(5): · Signed-By (signed-by) is either an absolute path to a keyring file (has to be accessible and readable for the _apt user, so ensure everyone has read-permissions on the file) or one or more fingerprints of keys either in the trusted.gpg keyring or in the keyrings in the trusted.gpg.d/ directory (see apt-key fingerprint). If the option is set, only the key(s) in this keyring or only the keys with these fingerprints are used for the apt-secure(8) verification of this repository. Defaults to the value of the option with the same name if set in the previously acquired Release file. Otherwise all keys in the trusted keyrings are considered valid signers for this repository.
2017-04-27Merge remote-tracking branch 'origin/merge-requests/77'varac
2017-04-25Add single-hop hidden service capability.Micah Anderson
This cuts the number of hops for a tor onion service from 6 to 3, speeding it up considerably. This removes the anonymity aspect of the service, so it must be enabled intentionally, knowing that the server's location no longer is hidden.
2017-04-25LintMicah Anderson
2017-04-25git subrepo pull (merge) puppet/modules/torMicah Anderson
subrepo: subdir: "puppet/modules/tor" merged: "5ef29012" upstream: origin: "https://leap.se/git/puppet_tor" branch: "master" commit: "5ef29012" git-subrepo: version: "0.4.0" origin: "https://github.com/ingydotnet/git-subrepo" commit: "2e78d5d"
2017-03-22webapp: add secret_key_base to configAzul
This replaces the secret_token from rails 4.1 on. Both are used for securing cookies in the browser. The secret_key_base will also encrypt the cookies while the token will only sign them. Keeping the token in there for now allows us to migrate existing sessions / cookies to the new secrets. We can remove it in the next version once all providers have run with secret_key_base for a while.
2017-03-16Make platform apt dist/component configurablevarac
2017-03-16Direct couch connection if running on same hostvarac
2017-03-15Direct connection when couch runs locallyvarac
2017-03-15[8144] Remove Haproxyvarac
We used haproxy because we had multiple bigcouch nodes but now with a single couchdb node this is not needed anymore. - Resolves: #8144
2017-03-15Linted couchdb.ppvarac
2017-02-27Install stunnel4 from jessie-backportsvarac
The jessie version randonly closes the connection prematurely see https://0xacab.org/leap/platform/issues/8746 - Resolves: #8746
2017-02-23Cleanup modified Gemfile.lock before pulling nickserver vcsrepovarac
Resolves: #8492
2017-02-23Dont apply specific ssh parameters for wheezyvarac
2017-02-23[feat] always set smtpd_relay_restrictionsvarac
now that we deprecate wheezy, we can always set smtpd_relay_restrictions
2017-02-23no build_essential packages for wheeyz anymorevarac
2017-02-23assume systemd is always present nowvarac
2017-02-23[feat] only care for apache >= 2.4varac
2017-02-23[feat] dont use backports for rsyslog anymorevarac
2017-02-23[feat] dont use backports for passenger anymorevarac
2017-02-23Remove old leap-keyring packagevarac
2017-01-18Use systemd unit file for nickserver [#8578]varac
2017-01-17Ensure the directory exists before creating the fileTulio Casagrande
with @aarni
2017-01-17Change autorestart to use systemd::unit_fileTulio Casagrande
2017-01-17Rename extensions module to autorestartTulio Casagrande
2017-01-17Remove spec_helperTulio Casagrande
2017-01-17Update how exec is runTulio Casagrande
2017-01-17Add apache auto-restart extension fileTulio Casagrande
2017-01-16git subrepo clone --force https://leap.se/git/puppet_systemd ↵varac
puppet/modules/systemd subrepo: subdir: "puppet/modules/systemd" merged: "f3c4059" upstream: origin: "https://leap.se/git/puppet_systemd" branch: "master" commit: "f3c4059" git-subrepo: version: "0.3.0" origin: "https://github.com/ingydotnet/git-subrepo.git" commit: "841aa43"
2017-01-16Revert "Add systemd::enable define"varac
This commit was moved to the systemd puppet repo. This reverts commit f5db49cf6b3ca0a5830b849c0aac074e371b95d9.
2016-12-31Couchdb service should not require on soledadvarac
- Resolves: #8693
2016-12-21Merge branch 'bugfix/sans-soledad' into 'master' Varac
bugfix: couchdb nodes should not require soledad. closes #8693 See merge request !60
2016-12-20[Vagrant] Install leap_cli gem dependenciesvarac
2016-12-20bugfix: couchdb nodes should not require soledad. closes #8693elijah
2016-12-08Lint site_config::filesvarac
2016-10-24Set X-XSS-Protection HTTP response header to '1'.Micah Anderson
This HTTP response header enables the Cross-site scripting (XSS) filter built into some modern web browsers. This header is usually enabled by default anyway, so the role of this header is to re-enable the filter if it was disabled maliciously, or by accident.
2016-10-24Set X-Content-Type-Options nosniff.Micah Anderson
Setting this header will prevent the browser from interpreting files as something else than declared by the content type in the HTTP headers. This will prevent the browser from MIME-sniffing a response away from the declared content-type. When this is not set, older versions of Internet Explorer and Chrome perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.
2016-10-20Merge branch 'twisted_backports' into developvarac
2016-10-18Setup couch for soledad before starting soledadvarac
When the soledad couch user is not present, soledad-server refuses to start, so we need to ensure that couch is setup correctly before starting soledad-server. see https://leap.se/code/issues/8535
2016-10-18Lint site_couchdb::setupvarac