path: root/puppet
Age | Commit message | Author
2016-01-22 | [bug] refactor build-essential package installation | varac
In certain node setups, the webapp gems cannot get built because `build-essential` and dependent packages were not present. I refactored the `site_config::packages::build_essential` class, which now inherits `site_config::packages`. The latter class removes all unnecessary (development) packages, but when the `site_config::packages::build_essential` class is included, some dev packages are overridden to be installed.
- Tested: [local]
- Resolves: #7834
2016-01-22 | linted puppet/modules/site_openvpn/manifests/init.pp | varac
2016-01-22 | Include site_config::params in all x509 subclasses (#6851) | varac
After restructuring site.pp to only include site_config::default and the service-specific classes, we got this:
Duplicate declaration: X509::Cert[undef] is already declared in file /srv/leap/puppet/modules/site_config/manifests/x509/commercial/cert.pp at line 8; cannot redeclare at /srv/leap/puppet/modules/site_config/manifests/x509/cert.pp:8 on node rewcitestweb1.rewire.org
So I included site_config::params in all site_config::x509 classes.
Change-Id: Ib8387abfdc68b36c73a45fd2dd1f3a159eaec4a5
2016-01-22 | restructured site.pp, now only one class gets included in site.pp per ↵ | varac
service (Bug #6851)
Also, moved global Exec{} defaults to site.pp
Change-Id: I9ae91b77afde944d2f1312613b9d9030e32239dd
2016-01-21 | Make sure the certs are installed for all smtp tls clients, thus | Micah
ensuring the satellite hosts are set up properly (#7611)
Change-Id: I9dce57c305a6fd6a39596a941174fe1879af5e4f
2016-01-20 | Merge remote-tracking branch 'micah/bug/7822' into develop | varac
2016-01-19 | Make the reject parameter an array to fix the following (#7822): | Micah
failed to parse template tor/torrc.exit_policy.erb, undefined method `each' for "*:*":String
Change-Id: I2b7b444187376dbc2f3cc5095391ae54bf8321b3
2016-01-19 | Merge branch 'remove_double_apt_get_update' into develop | varac
2016-01-19 | Ensure openvpn services are running on jessie | varac
2016-01-19 | Swiss privacy foundation nameserver is not responding, switch secondary | Micah
fall-back to an OpenNIC resolver that does not log (#7781)
Change-Id: I290321927c8188c82e95e2cd4b93cd01bd2258c2
2016-01-19 | Merge branch '7802_rsyslog_jessie' into develop | varac
2016-01-19 | Make sure machines in mynetworks are able to send mail through us, | Micah
without getting blocked by the rbl (#7819)
Change-Id: Ib7a00f810b6c49528e5f99a1d83296553a81e65e
2016-01-19 | Ensure curl is installed before it is called (#7803) | Micah
Change-Id: Iedd464a397e9944159991241cd84caad6a2a40d6
2016-01-16 | [bug] Enable openvpn services on jessie | varac
- Tested: [unstable.bitmask.net]
- Resolves: #7798
2016-01-15 | [bug] Only pin rsyslog debs to backports on wheezy | varac
- Resolves: #7802
2016-01-15 | linted site_config::syslog | varac
2016-01-08 | [bug] Make /etc/leap world-readable | varac
Under jessie, leap-mx is started by systemd now, not as a forked proc by twistd anymore. Therefore leap-mx (the user the mx proc runs as) needs direct access to its config file under /etc/leap/mx.conf. Before, twistd would start as root, read the config and then fork an mx proc as unprivileged leap-mx user.
- Tested: [quetzal]
- Resolves: #7782
2016-01-07 | updated submodule couchdb | varac
2016-01-06 | Update submodule apt | varac
2016-01-05 | [style] Lint site_apt::dist_upgrade | varac
2016-01-05 | [feat] Remove double run of apt-get update | varac
2016-01-04 | Fix status module invocation for hidden service enabled webapps (#7776) | Micah
Change-Id: I101e4c9791102123d4334e1b84a48dacea99ac52
2016-01-01 | revert 4ff763c sorry | kwadronaut
2015-12-31 | update postfix module | kwadronaut
2015-12-23 | [bug] Fix leap::cli::install on jessie | varac
leap_cli could not get installed from source on jessie
2015-12-17 | Make sure values that might get set incorrectly, due to preseed or | Micah
debconf selections, are set correctly (#7478)
Change-Id: I3bd261fd6fe27bbf10b8994ffff9f8b7be5b9de0
2015-12-15 | add fingerprint map configuration section (#7725) | Micah
Change-Id: I895c25daca65c19916c47267e61a4f04a6489a84
2015-12-16 | Merge branch '7681_apache_2_4_auth_error' into develop | varac
2015-12-15 | Make sure /var/mail/leap-mx/Maildir and its associated common maildir | Micah
directories are managed by the platform (#6936)
Change-Id: I1836eb728c0379b6175ae6d54231a6f6a7ae1033
2015-12-15 | Merge branch 'dont_remove_nfs_client_on_vagrant' into develop | varac
2015-12-15 | Merge branch 'remove_run_stages' into develop | varac
2015-12-15 | Have leap-mx log with the process name 'leap-mx', but log to | Micah
/var/log/leap/mx.log, and clean up the files associated with the previous configuration (#7691)
Change-Id: Id08c97980292968e8e89f128afb5fa78bda30069
2015-12-12 | [bug] Use guess_apache_version in apache templates | varac
The apache_version() fact only works if apache is already installed. So we use the guess_apache_version() function from the apache module to determine which apache version is to be installed.
- Resolves: #7681
2015-12-10 | [feat] Don't remove nfs client on local vagrant nodes | varac
2015-12-10 | [bug] Configure default sources.platform.apt.basic | varac
Providing a custom sources.platform.apt.basic value worked with the last commit, but without that the platform would fail. So we provide a default value now in provider_base/common.json, which can get overridden.
2015-12-10 | [feat] Make leap apt sources url configurable | varac
So we can use the experimental-0.8 repo instead of 0.8 i.e.
Use this to customize the main LEAP deb url:
    "sources": {
      "apt": {
        "leap": {
          "basic": "http://deb.leap.se/experimental-0.9"
        }
      }
    }
2015-12-10 | [feat] Add LEAP experimental apt signing key | varac
so we can easily use the experimental-0.(8|9) deb repos, which are signed with this key
2015-12-09 | Use client cert fingerprint lookup to determine if the user is allowed | Micah
to relay mail through us (#3634)
Change-Id: I46cf3ffbef4261839c376f4c36a50d9c44eb1374
2015-12-09 | [feat] Remove puppet run stages | varac
To reduce complexity, let's get rid of run stages. We used them earlier but they seem to have no purpose anymore.
There were two stage leftovers:
- `site_config::slow` did an `apt-get dist-upgrade` in the `setup` stage
- `site_config::setup` did call the `site_config::hosts` class in the `setup` stage
I checked for dependencies to those resources, and it looks good, I tested by triggering a citest.
From https://docs.puppetlabs.com/puppet/latest/reference/lang_run_stages.html#limitations-and-known-issues:
```
Due to these limitations, stages should only be used with the simplest of classes, and only when absolutely necessary. Mass dependencies like package repositories are effectively the only valid use case.
```
2015-12-08 | Manage the /var/mail/leap-mx directory to ensure it exists properly and | Micah
has the right permissions (see #6936)
Change-Id: Ib7b86d73197fecfd74b72fe5ff06d1a78d9d4432
2015-12-07 | Update submodule apt | varac
2015-12-03 | Make sure /etc/default and config file are there before service is triggered ↵ | Micah
(#7618)
Change-Id: Ib9fa598a94e8fd41329b1c9ed4bb52281bf04992
2015-12-02 | [deprec] use @ in front of erb template tags | varac
2015-12-02 | fix nickserver dependency for wheezy | varac
2015-12-02 | Update submodule postfix | varac
2015-12-01 | fix missing comma | Micah
Change-Id: I6ab266ea4f74277f8262653c43f2b3a5a4254a79
2015-12-01 | Update submodule postfix | varac
2015-12-01 | Switch from 'vmail' to leap-mx's user/group (#6936, #7639) | Micah
This change will make sure that the user/group for leap-mx exist, and it changes the mail location from /var/mail/vmail to the more helpful name /var/mail/leap-mx.
This change requires: https://github.com/leapcode/leap_mx/pull/78 and it would replace merge request: https://github.com/leapcode/leap_mx/pull/65 and fix https://leap.se/code/issues/6936 and https://leap.se/code/issues/7635
Change-Id: Idbe678dc999e394232c2eeef2b2018d39ab7cc3b
2015-12-01 | stop delivering non-existing local user mail to leap-mx (#5431) | Micah
When mail comes in to the system, a lookup is done to see if it is a valid leap user, if it is, leap_mx now returns something of the form: uuid@deliver.local (see #5959). The virtual_mailbox_domains lists deliver.local, so postfix chooses to deliver to virtual_mailbox_base (/var/mail/vmail) which has been hardcoded to the 'vmail' maildir and user.
We want leap related mail and leap aliases to go through the virtual alias system, all the hard-coded universal aliases we want to go through the local system and we don't want these separate. Known domains that are considered 'virtual' will be forwarded or delivered to the vmail user, the rest rejected as unknown recipient, instead of being handed off to leap-mx.
Previously, the way this was done is we leaned (too heavily) on the 'luser_relay' postfix configuration which sent anything that wasn't locally configured right to the leap_mx spool. That meant everything went there, including addresses that didn't exist, and leap-mx would then have to process those and bounce them.
This removes the 'luser_relay' option, so any address that doesn't resolve properly to either a local address/alias, or a leap address or alias (through tcp lookups on 2424 and 4242) will get bounced as an unknown user.
Change-Id: I3c22e9383861b3794dd9adfd7aa6a0cf0a773a18
2015-12-01 | Merge branch 'nickserver_jessie' into develop | varac