Age | Commit message (Collapse) | Author |
|
Simply disabling exit policies is not enough to disable an exit node, it also
needs to be explicitly disabled. This may change in future versions of tor, but
for now, explicitly adding 'ExitRelay 0' to the configuration is needed. This
fixes #8863.
|
|
The 'tor' service is now three separate services, 'tor_exit', 'tor_relay', or 'hidden_service'.
|
|
For newer than jessie the 'old' code was enough. This bug didn't show up
because our testing images had the keys and sources lines already
included within /etc/apt…
solves #8862
|
|
|
|
Soledad is now taking care of the design of said database.
Closes #8428
|
|
Boolean facts must be escaped with str2bool. This commit includes
new tests to catch VPN problems like this in the future.
|
|
hidden service should be activated iff tor is among the active services and
tor.hidden_service.active == true
|
|
Add a .placeholder file so the directory doesn't get removed by
deb-systemd-helper when a package runs a purge in its postrm. This is a
work-around and fixes #8841. It probably wont be needed post-jessie.
|
|
|
|
Needed to satisfy leap-mx dependency (>=17.0)
- Resolves: #8837
|
|
New soledad-common depends on `python-treq`, which
is only available in debian stretch.
We pin all stretch packages to 1 (same as for sid), which
means (from `man apt_preferences`):
"causes a version to be installed only if there is no
installed version of the package"
- Resolves: #8836
|
|
|
|
leap-mx is now independent of leap-keymanager and
we can remove this dependency now.
see https://0xacab.org/leap/leap_mx/issues/8558
|
|
Resolves: #8792
|
|
|
|
Delay a hard state of the APT check for 1 day
so unattended_upgrades has time to upgrade packages.
Resolves: #8748
|
|
It's just too much mail...
And there are other tools like nagstamon that are better suited to get
an overview what's failing.
Resolves: #8772
|
|
|
|
Eth0 is vagrant's main interface to access the box
|
|
|
|
|
|
Virtualbox adds eth1 as second interface when private networking
is enabled.
- Related: #7769
|
|
Depending whether couchdb is running on the same node as
nickserver, couchdb is available on localhost:
- When couchdb is running on a different node: Via stunnel, which is
bound to 4000.
- When couchdb is running on the same node: On port 5984
Resolves: #8793
|
|
We should include this in soledad-server package as
dependency but until we sorted out this, we depend
soledad-server on ssl-cert in the platform.
see https://0xacab.org/leap/soledad/issues/8849 for
|
|
The newer version is needed for the single-hop functionality.
|
|
This makes a more clear site_tor::relay class that the leap service
includes, and a more generic site_tor class that other classes can
depend on for setting up the initial install.
|
|
This gets us a simple apt repository privilege separation:
(a) our key can't be used to forge other repos
(b) other keys can't be used to forge our repo.
From sources.list(5):
· Signed-By (signed-by) is either an absolute path to a keyring
file (has to be accessible and readable for the _apt user, so ensure
everyone has read-permissions on the file) or one or more
fingerprints of keys either in the trusted.gpg keyring or in the
keyrings in the trusted.gpg.d/ directory (see apt-key
fingerprint). If the option is set, only the key(s) in this keyring
or only the keys with these fingerprints are used for the
apt-secure(8) verification of this repository. Defaults to the value
of the option with the same name if set in the previously acquired
Release file. Otherwise all keys in the trusted keyrings are
considered valid signers for this repository.
|
|
|
|
This cuts the number of hops for a tor onion service from 6 to 3,
speeding it up considerably. This removes the anonymity aspect of the
service, so it must be enabled intentionally, knowing that the server's
location no longer is hidden.
|
|
|
|
subrepo:
subdir: "puppet/modules/tor"
merged: "5ef29012"
upstream:
origin: "https://leap.se/git/puppet_tor"
branch: "master"
commit: "5ef29012"
git-subrepo:
version: "0.4.0"
origin: "https://github.com/ingydotnet/git-subrepo"
commit: "2e78d5d"
|
|
This replaces the secret_token from rails 4.1 on.
Both are used for securing cookies in the browser. The secret_key_base
will also encrypt the cookies while the token will only sign them.
Keeping the token in there for now allows us to migrate existing sessions
/ cookies to the new secrets. We can remove it in the next version once
all providers have run with secret_key_base for a while.
|
|
|
|
|
|
|
|
We used haproxy because we had multiple bigcouch nodes but now
with a single couchdb node this is not needed anymore.
- Resolves: #8144
|
|
|
|
The jessie version randonly closes the connection prematurely
see https://0xacab.org/leap/platform/issues/8746
- Resolves: #8746
|
|
Resolves: #8492
|
|
|
|
now that we deprecate wheezy, we can always set
smtpd_relay_restrictions
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
with @aarni
|
|
|