summaryrefslogtreecommitdiff
path: root/puppet
AgeCommit message (Collapse)Author
2017-10-05Feat: Refactor tor servicesMicah Anderson
In order to refactor the tor services, we need to split them out into three different services. This adds the hidden service class that is necessary to support the previous commits. Fixes #8864.
2017-10-05Bug: Ensure tor exit is disabled properlyMicah Anderson
Simply disabling exit policies is not enough to disable an exit node, it also needs to be explicitly disabled. This may change in future versions of tor, but for now, explicitly adding 'ExitRelay 0' to the configuration is needed. This fixes #8863.
2017-10-05Feat: split tor service into threeelijah
The 'tor' service is now three separate services, 'tor_exit', 'tor_relay', or 'hidden_service'.
2017-09-28Bug: jessie apt keys must be in /etc/apt/trusted.gpg.dkwadronaut
For newer than jessie the 'old' code was enough. This bug didn't show up because our testing images had the keys and sources lines already included within /etc/apt… solves #8862
2017-09-28Lint: site_config/manifests/setup.ppVarac
2017-09-08Bug: remove shared couchdb design docskwadronaut
Soledad is now taking care of the design of said database. Closes #8428
2017-09-05Bug: fix vpn network problem caused by vagrant factelijah
Boolean facts must be escaped with str2bool. This commit includes new tests to catch VPN problems like this in the future.
2017-08-23Bug: fix hidden service for staticelijah
hidden service should be activated iff tor is among the active services and tor.hidden_service.active == true
2017-07-13bug: Set .placeholder to fix removalMicah Anderson
Add a .placeholder file so the directory doesn't get removed by deb-systemd-helper when a package runs a purge in its postrm. This is a work-around and fixes #8841. It probably wont be needed post-jessie.
2017-07-13Ensure directory has proper owner/group (#8841)Micah Anderson
2017-06-27Pin python-cryptography to jessie-backportsVarac
Needed to satisfy leap-mx dependency (>=17.0) - Resolves: #8837
2017-06-27Install python-treq from strech on jessie nodesVarac
New soledad-common depends on `python-treq`, which is only available in debian stretch. We pin all stretch packages to 1 (same as for sid), which means (from `man apt_preferences`): "causes a version to be installed only if there is no installed version of the package" - Resolves: #8836
2017-06-27Merge branch 'remove_keymanager_dep'Varac
2017-06-27Don't depend on leap-keymanager anymoreVarac
leap-mx is now independent of leap-keymanager and we can remove this dependency now. see https://0xacab.org/leap/leap_mx/issues/8558
2017-06-24Add configured apt component to the unattended-upgrades whitelistVarac
Resolves: #8792
2017-06-22Merge branch 'delay_apt_hardstate'Varac
2017-06-22Delay hard state of the nagios APT checkVarac
Delay a hard state of the APT check for 1 day so unattended_upgrades has time to upgrade packages. Resolves: #8748
2017-06-17Stop sending mails for nagios alertsVarac
It's just too much mail... And there are other tools like nagstamon that are better suited to get an overview what's failing. Resolves: #8772
2017-05-30static - support for renewing certs with let's encrypt for static siteselijah
2017-05-23[vagrant] Don't block eth0 if eth1 is configuredvarac
Eth0 is vagrant's main interface to access the box
2017-05-23Include site_config::vagrant on vagrant nodesvarac
2017-05-23[vagrant] Lint vagrant.ppvarac
2017-05-23[vagrant] Use eth1 on vagrant if presentvarac
Virtualbox adds eth1 as second interface when private networking is enabled. - Related: #7769
2017-05-10Nickserver direct access to couchdb on same nodevarac
Depending whether couchdb is running on the same node as nickserver, couchdb is available on localhost: - When couchdb is running on a different node: Via stunnel, which is bound to 4000. - When couchdb is running on the same node: On port 5984 Resolves: #8793
2017-05-10Depend soledad-server on ssl-cert packagevarac
We should include this in soledad-server package as dependency but until we sorted out this, we depend soledad-server on ssl-cert in the platform. see https://0xacab.org/leap/soledad/issues/8849 for
2017-05-06Install tor from backports (fixes #8783).Micah Anderson
The newer version is needed for the single-hop functionality.
2017-05-06Restructure site_tor to be more clear and re-usable (fixes #8784).Micah Anderson
This makes a more clear site_tor::relay class that the leap service includes, and a more generic site_tor class that other classes can depend on for setting up the initial install.
2017-05-02Add signed-by option to sources.list (Closes: #8425)Micah Anderson
This gets us a simple apt repository privilege separation: (a) our key can't be used to forge other repos (b) other keys can't be used to forge our repo. From sources.list(5): · Signed-By (signed-by) is either an absolute path to a keyring file (has to be accessible and readable for the _apt user, so ensure everyone has read-permissions on the file) or one or more fingerprints of keys either in the trusted.gpg keyring or in the keyrings in the trusted.gpg.d/ directory (see apt-key fingerprint). If the option is set, only the key(s) in this keyring or only the keys with these fingerprints are used for the apt-secure(8) verification of this repository. Defaults to the value of the option with the same name if set in the previously acquired Release file. Otherwise all keys in the trusted keyrings are considered valid signers for this repository.
2017-04-27Merge remote-tracking branch 'origin/merge-requests/77'varac
2017-04-25Add single-hop hidden service capability.Micah Anderson
This cuts the number of hops for a tor onion service from 6 to 3, speeding it up considerably. This removes the anonymity aspect of the service, so it must be enabled intentionally, knowing that the server's location no longer is hidden.
2017-04-25LintMicah Anderson
2017-04-25git subrepo pull (merge) puppet/modules/torMicah Anderson
subrepo: subdir: "puppet/modules/tor" merged: "5ef29012" upstream: origin: "https://leap.se/git/puppet_tor" branch: "master" commit: "5ef29012" git-subrepo: version: "0.4.0" origin: "https://github.com/ingydotnet/git-subrepo" commit: "2e78d5d"
2017-03-22webapp: add secret_key_base to configAzul
This replaces the secret_token from rails 4.1 on. Both are used for securing cookies in the browser. The secret_key_base will also encrypt the cookies while the token will only sign them. Keeping the token in there for now allows us to migrate existing sessions / cookies to the new secrets. We can remove it in the next version once all providers have run with secret_key_base for a while.
2017-03-16Make platform apt dist/component configurablevarac
2017-03-16Direct couch connection if running on same hostvarac
2017-03-15Direct connection when couch runs locallyvarac
2017-03-15[8144] Remove Haproxyvarac
We used haproxy because we had multiple bigcouch nodes but now with a single couchdb node this is not needed anymore. - Resolves: #8144
2017-03-15Linted couchdb.ppvarac
2017-02-27Install stunnel4 from jessie-backportsvarac
The jessie version randonly closes the connection prematurely see https://0xacab.org/leap/platform/issues/8746 - Resolves: #8746
2017-02-23Cleanup modified Gemfile.lock before pulling nickserver vcsrepovarac
Resolves: #8492
2017-02-23Dont apply specific ssh parameters for wheezyvarac
2017-02-23[feat] always set smtpd_relay_restrictionsvarac
now that we deprecate wheezy, we can always set smtpd_relay_restrictions
2017-02-23no build_essential packages for wheeyz anymorevarac
2017-02-23assume systemd is always present nowvarac
2017-02-23[feat] only care for apache >= 2.4varac
2017-02-23[feat] dont use backports for rsyslog anymorevarac
2017-02-23[feat] dont use backports for passenger anymorevarac
2017-02-23Remove old leap-keyring packagevarac
2017-01-18Use systemd unit file for nickserver [#8578]varac
2017-01-17Ensure the directory exists before creating the fileTulio Casagrande
with @aarni