Age | Commit message (Collapse) | Author |
|
When tor hidden services were enabled for static sites, only a very
basic configuration was setup and it didn't take into account the
different location configurations that can be configured for a
static site.
This commit resolves that by making a site_static::hidden_service class
similar to the site_webapp::hidden_service class, and fixes up the
apache vhost template to properly create the location blocks for the
hidden service vhost.
Change-Id: Ice3586f4173bd2d1bd3defca29d21c7403d5a03a
|
|
We were creating the hidden service name without a newline, and then tor
would be restarted and change the hidden service hostname file to have a
newline, which would then require that the next deploy would change that
file to not have a newline again.
This fixes that problem by making the hostname have a newline so it
matches what tor wants.
Change-Id: I38f450684d557cf943ec94f2f8e19cda3aefdf66
|
|
Change-Id: I3d733b6645c804a5fb337ad4b8edc59a66ad50b5
|
|
Change-Id: Icaab817870d005b7a854a3fb8c402705d0b2d77f
|
|
|
|
|
|
Change-Id: Iab9597f5f0336f66df9b73fea9d79c789cbb8302
|
|
The Trace method is enabled because of the Apache module, but it is not the
default in Debian, and it should not be enabled, for more information see the
following:
https://www.kb.cert.org/vuls/id/867593
Change-Id: I06a06ae679dbf7049f26a017125b61e5e38f6268
|
|
The onlyif check was incorrectly specified in the original implementation in
commit id: 15b83d88dcedab496a19cef57f11c5c8e091dd4a this inverts it so it
is properly detected.
Change-Id: I531e206fff1ca61780adcd195e1f917011e50fb4
|
|
After including everything into a `node default` scope
in puppet/manifests/site.pp to make puppet-catalog-test happy
(see commit 62ea45d47), we get this error:
Error: member(): Requires array to work with at
/srv/leap/puppet/modules/site_obfsproxy/manifests/init.pp:14
Moving the `services` hiera avaluation out of the node scope back
to top level scope will solve this.
|
|
Change-Id: Ic12b243b195e40482a70dd70219212c3697899ba
|
|
Change-Id: I772c3b6e489e3c1848c45c6bcaa240324fc88928
|
|
|
|
Change-Id: I7675dbaba4d896a62dab9fcf4817092ea69f1298
|
|
|
|
|
|
It turns out that in some corner-cases, the script is not called:
(1) start the deploy, create files in /var/lib/puppet/stunnel4/config
(2) halt puppet before apply finishes
(3) re-run deploy
in this scenario, next time you run deploy, refresh_stunnel will never
get called to populate /etc/stunnel, because the files in
/var/lib/puppet/stunnel4/config haven't changed.
This problem can be really confusing when it happens.
To fix this, we just run refresh_stunnel every, it is pretty fast and
the script has more complete logic for what to do than puppet, which has
only an asymmetrical view on the situation.
Change-Id: I9e5fad1d081c2fe07f3ac8f07cfb87d86b88f7c9
|
|
|
|
|
|
Fix opendkim milter location (#8163).
The unix socket method for connecting to the milter was incorrectly
reverted, this puts it back to how it should be.
Change-Id: Ifde669c920a249c782f577a112f4d45e60a889a2
See merge request !4
|
|
if this is set in the config, the deamons do not
start anymore. From the debian changelog:
clamav (0.99.2+dfsg-0+deb8u1) stable; urgency=medium
* Import new Upstream.
* Drop AllowSupplementaryGroups option which is default now
(Closes: #822444).
|
|
|
|
The unix socket method for connecting to the milter was incorrectly
reverted, this puts it back to how it should be.
Change-Id: Ifde669c920a249c782f577a112f4d45e60a889a2
|
|
|
|
|
|
Disable puppet-agent daemon from running.
The agent wakes up every two minutes and tries to connect to the default
server, failing with a certificate warning. We don't use the agent, so
we can safely disable it (#8032)
Change-Id: I707f42b59205993325431aba283552b1b73a0ad1
See merge request !1
|
|
check_mk operations can take a long time (such as when doing a
re-inventory using "check_mk -II") when multiple hosts are down. This
decreases the connect timeout to 5 seconds.
Change-Id: I1eac5f14bad2afc2ffc4cbf8c950c24b052a0d6e
|
|
The agent wakes up every two minutes and tries to connect to the default
server, failing with a certificate warning. We don't use the agent, so
we can safely disable it (#8032)
Change-Id: I707f42b59205993325431aba283552b1b73a0ad1
|
|
Automatic background couchdb db compaction frees a huge
amount of diskspace.
- Resolves: #8118
|
|
|
|
|
|
Sometimes a floating point exception or segfault of
a process results in systemd restarting it, we want
to recognize this from the syslog
i.e.:
systemd[1]: pixelated-server.service: main process exited,
code=killed, status=8/FPE
systemd[1]: Unit pixelated-server.service entered failed state.
- Related: https://github.com/pixelated/pixelated-user-agent/issues/683
|
|
|
|
Otherwise, the nagios config will get regenerated and nagios gets
reloaded before all checks are registered by a check_mk inventory.
- Related: #6873
|
|
After upgrading the platform, there might be old check_mk checks
registered on the monitor hosts. We now run a check_mk inventory
on every run that also purged old non-existng checks.
- Resolves: #6873
|
|
|
|
Change-Id: I20a28ae77c98071aefc1933e0ea73e5f3b895acb
|
|
Shorewall in jessie doesn't come with a proper unit file, and
as a result, it doesn't properly start with systemd.
To solve this, we provide the systemd unit file that comes with stretch,
add a systemd submodule that provides the exec resources needed for when
systemd units or configuration files are changed
Change-Id: I861fa951835928b4741abfbf969adcee4b8f147b
|
|
|
|
- ignore puppet lint error about inheriting from different namespace
|
|
If clamd is not running, the helpful cronjob tries to start it again,
but the way it is being started can only be run as root, and the cronjob
is run as the clamav user, so you get an error on each cron run. This
fixes that problem
Change-Id: I4cdb29dc651bee8a2eef1655ad4748d885afae0f
|
|
|
|
I used `puppet-lint -f FILE` to fix most issues, while
finishing with manual intervention.
|
|
Change-Id: I23d7fcea3755e9ecab561ecf69d8a6ecb8bdeca4
|
|
Have openvpn logs go to /var/log/leap/openvpn_$protocol, instead of to
/var/log/daemon.log.
Change-Id: I1fc33de660648ab0dba1ce98de2864649c104719
|
|
stunnel server logs were not going to /var/log/stunnel4/*, but to
/var/log/syslog instead. This was different from stunnel client
logging, now its the same.
Change-Id: I2dc2024b77dbb65554fc7865b0e46aedf930c6d8
|
|
Add a site_rsyslog config that removes duplicate mail logging.
Previously mail logs would be copied to /var/log/syslog, mail.log,
mail.err, mail.info, maillog and to the console. This removes those and
only puts them in /var/log/mail.log.
It also removes other superfluous configurations, either because they
are commented out already, or because they are uucp or nntp.
Change-Id: Ib05036787d2c818bf8802c22a4b8050f945a6e6d
|
|
In order for postfix to access the opendkim milter socket, we need to
remove the chroot option for the cleanup service.
See e97a9d3800b173375a630e18e4b1aa0894eb96e1 for opendkim
implementation.
Change-Id: I2742650965e61273fb804ebe9ce3f9bd38796582
|
|
|
|
|