path: root/puppet
Age  Commit message  Author
2014-05-07  Micah Anderson
  openvpn package resource needs to be ensure => latest to accommodate upgrades
  Change-Id: I8caad9b4ac15dcce8ab74ad6d22dd6ad9f6efb14
2014-05-06  Micah Anderson
  Change the initial firewall to subscribe to the rule file to be able to trigger changes, make the default ipv6 firewall subscribe to shorewall6, if it exists, and finally reject all outgoing IPv6 packets. All of this will complete the platform side of routing IPv6 through the OpenVPN gateway, and block it. (Feature #4163)
  Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810
2014-05-06  Micah Anderson
  set the ipv6 configuration options on the server
  Some important things to note: We are hard-coding the pushing of the ipv6 route '2000::/3' and configuring the server-ipv6 to be 2001:db8:123::/64. This netblock is a reserved ipv6 prefix that is used for documentation purposes only (http://www.apnic.net/info/faq/ipv6-documentation-prefix-faq.html), and the route being pushed redirects all internet-bound traffic. When LEAP fully supports ipv6, these network values should be turned into variables, but for now, to make sure we are blocking any clients that have functional ipv6, this will work.
  Change-Id: Icb65f3169264e0178a2e98825b266a779feac6b5
2014-05-06  Micah Anderson
  install openvpn from wheezy-backports, this will bring in openvpn 2.3, which will provide us with proper ipv6 support
  Change-Id: I0188732aae6cbc64ab57e95bf805d6158fa17e07
2014-05-02  Micah Anderson
  fix incorrect shorewall parameter name 'protocol', should be 'proto'
  Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d
2014-04-29  Micah Anderson
  fix missing semicolon, causing syntax error
  Change-Id: Ic7d0f8cc8c0340fdc24cf5ffa4c7018ebac76c7f
2014-04-29  Micah Anderson
  block DNS traffic at the OpenVPN gateway (#4164)
  There are many different edge cases where mac and windows clients (and maybe android too) will revert to using a different DNS server than the one specified by openvpn. This is bad news for security reasons. The client is being designed so it doesn't leak DNS, however we don't want to put all of our eggs in one basket, so this will block outgoing port 53 (udp and tcp) on the gateway's firewall from any of the EIP interfaces (thus not blocking DNS access on the gateway itself).
  Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177
2014-04-29  Micah Anderson
  nagios: make the check_procs tests for leap_mx and soledad be much more specific, to avoid catching unrelated processes (#5327)
  Change-Id: I63ffcd644a85137708712daac671b92898c70b7e
2014-04-29  Azul
  require json so we can use it to dump the service levels
2014-04-24  Azul
  bring service_levels into webapp config - #5527
  including the default_service_level
2014-04-24  Micah Anderson
  initial firewall: allow port 22 by default. This is the most common port that sshd will be listening to in a default setup. This needs to be allowed so that you can have a different port configured in the hiera and not get locked out during deployment (#5119)
  Change-Id: Ie101eaaf440415ddb276621c369da7f67f409c2b
2014-04-24  Micah Anderson
  create a /var/run/tapicero directory, owned by tapicero:tapicero to hold the pid file (#5577)
  Change-Id: I2144e3d8c0ee18254fe3822098c87b2a8c57c2ce
2014-04-24  Micah Anderson
  tor: provide a default 'nickname' (something like "rabbitLKJYW23695JGLKJ" where rabbit is the node name). Stop shipping a static 'family' and instead provide a comma separated list of node tor nicknames. (#5220)
  Change-Id: I479f460ab230ad440f72c78dc6362983387ce12a
2014-04-24  Micah Anderson
  change stunnel::service to 'subscribe' instead of 'require' the X509 cert/key. This has the same effect as 'require' because both make sure that the mentioned resource(s) will be applied before this resource, but subscribe will also cause this resource to refresh anytime the subscribed resources change (#4342)
  Change-Id: I9470bb36f135b821b67a1da70c472d7687b08718
2014-04-24  Micah Anderson
  make sure concat fragments are put together before the openvpn service is run, otherwise the openvpn service is restarted before config files are deployed (#4154)
  Change-Id: Ide38615714c1978bb90237986baea530c54153c3
2014-04-24  Micah Anderson
  update indentation to be standard
  Change-Id: Ic0ac3a7e6c9ce0e5f95bab023dbbf890c31d9e1c
2014-04-17  Micah Anderson  (tag: 0.5.0)
  update couchdb submodule to get fix for timing issue that caused 409 Conflicts in certain situations (#5523)
  Change-Id: I1ca67e317a7eb84f64cb7b79daa2e500f0561707
2014-04-17  Micah Anderson
  change class instantiation to use includes, and organize things in the class to be more visually logical (#5269, #4590, #3712)
  Change-Id: I58c28c3bc62e67b25f33da3378e8146110471613
2014-04-17  Micah Anderson
  Change couchdb ordering hints (#5269, #4590, #3712):
  . make the couchdb service start after the stunnels have been setup. This may improve the cluster membership coming online faster
  . replace the two Couchdb::Create_db ordering hints (for the 'users' and 'tokens' databases) with a generic Class['site_config::create_dbs'] hint. This makes it so we get the ordering hint for all databases, which we were not before, without having to individually list them
  . replace the two Couchdb::Add_user ordering hints (for the $couchdb_webapp_user and the $couchdb_soledad_user) with a generic ordering hint for Class['site_couchdb::add_users']. This makes it so we get the ordering hint for all the users, which we were not before, without having to individually list them
  Change-Id: Ia63e62d68d24e77a49d4ef928a2a8130ab7bccb9
2014-04-17  Micah Anderson
  add exec resources to run the couchdb tests to wait for nodes and cluster membership to settle, before attempting any operations (#5269, #4590, #3712)
  Change-Id: Ic9826dda1c242e705ce85ae218766496bdd8ecbd
2014-04-15  varac
  configure couchdb after starting shorewall (#53)
2014-04-15  varac
  Merge branch 'develop' of ssh://code.leap.se/leap_platform into develop
2014-04-15  varac
  fix concat::setup (#5503)
2014-04-12  Micah Anderson
  make the soledad service subscribe to package changes, cert and key changes (#5499)
  Change-Id: Ia0efb4c129a71504a717c20e2e260a1ed83f2223
2014-04-10  Azul
  #5315 update soledad design docs
2014-04-10  varac
  Merge branch '0.6' into develop
2014-04-10  varac
  fix check_mk resource dependency deploy errors (Bug #5272)
2014-04-06  kwadronaut
  better system for optionally uninstalling build-essential package, closes https://leap.se/code/issues/5426
  Merge branch 'bugfix/buildessential' of https://github.com/elijh/leap_platform into elijh-bugfix/buildessential
2014-04-05  elijah
  openvpn: allow for configurable keepalive (aka ping & ping-restart), closes https://leap.se/code/issues/4127
2014-04-05  elijah
  better system for optionally uninstalling build-essential package, closes https://leap.se/code/issues/5426
2014-04-05  elijah
  update site_static to work with new amber and have better tls ciphers
2014-04-04  varac
  Merge branch '2993_setup_subclass' into 0.6
2014-04-02  Micah Anderson
  Force satellite hosts that only speak to relayhost to have a smtp_tls_security_level of 'encrypt', so it is not optional (#1902)
  Change-Id: I61ad0823e3eb8df6c224767d63f0911dcba42a16
2014-04-02  Micah Anderson
  Update TLS apache vhost TLS configuration (#5137):
  . We want to allow for TLS1.2 to be enabled (supported in wheezy)
  . Explicitly disable SSLCompression. This aids in protecting against the BREACH attack (see http://breachattack.com), and SPDY version 3 is vulnerable to the CRIME attack when compression is on
  . Switch the cipher suites to match https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for these reasons:
    . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many implementations support this, and there are no known attacks).
    . Prefer AES128 to AES256 because the key schedule in AES256 is considered weaker, and maybe AES128 is more resistant to timing attacks
    . Prefer AES to RC4. BEAST attacks on AES are mitigated in >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and likely to become more dangerous
    . RC4 is on the path to removal, but still present for backward compatibility
  Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
2014-04-02  Micah Anderson
  Fix for satellite hosts that are unable to contact their relayhost because the DNS lookup is either impossible (.local domain), or incorrect (certain openstack/amazon/piston cloud configurations create this setup when the relayhost is in the same cluster as the satellite). Fixes #5225
  Change-Id: Ifbc201678f2c0e97ee0e12bbf1c7f71d035d45c1
2014-04-02  varac
  Merge branch '5359_design_docs' into 0.6
2014-04-02  varac
  Merge pull request #20 from elijh/feature/openvpn-config
  allow ability to customize openvpn security options
2014-04-02  varac
  couch design docs should be always deployed, not only on update of the design docs json files (Feature #5359)
2014-04-01  Micah Anderson
  Include all the ips that are allowed to send mail through the relay in the mynetworks parameter. Previously we only allowed other mx servers to relay to each other, but this prevents system mail from non-mx nodes from getting out. Fixes "Helo command rejected: You are not in domain bitmask.net (in reply to RCPT TO command)" (#5343)
  Change-Id: I5e204958cb235808eedc3a1724fb2dc6c7a5b73b
2014-03-31  kwadronaut
  Merge branch 'feature/static_site' of https://github.com/elijh/leap_platform into elijh-feature/static_site
  Conflicts: puppet/modules/site_config/manifests/packages/base.pp
2014-03-26  varac
  Merge branch '0.6' of ssh://code.leap.se/leap_platform into 0.6
2014-03-26  varac
  Merge branch '5018_dont_remove_dev_packages_on_couch_node' into 0.6
2014-03-25  varac
  Move setup.pp to a subclass (site_config::setup) (Feature #2993)
2014-03-25  varac
  couch node: same packages removed on every (second ?) puppetrun (Feature #5018)
2014-03-25  varac
  ignore openvpn TLS initialization errors (Feature #5374)
2014-03-24  elijah
  modules/site_static: part 2 - apache
2014-03-24  kwadronaut
  fixes #5360 adds admin@ as reserved address + linting
2014-03-23  elijah
  modules/site_static: part 1 - amber
2014-03-20  elijah
  allow ability to customize openvpn security stuff: tls-cipher, auth, and cipher config options.
2014-03-19  varac
  Merge branch '5306_ignore_tapicero_PreconditionFailed' into 0.6