summaryrefslogtreecommitdiff
path: root/puppet
AgeCommit message (Collapse)Author
2015-10-06[feat] Remove tapicero from more placesvarac
Remove from: - platform white-box tests (couchdb user ACLs, tapicero daemon test) - provider_base/ dir that handles the compilation of the hiera config file - Resolves: #7501
2015-10-06[feat] remove tapicero leftoversvarac
Soledad now creates user-dbs, which has been done by tapicero in the past. we need to remove any leftovers from tapicero.
2015-10-05Merge branch 'bugfix/virtualaliases' into developelijah
2015-10-05Merge branch 'soledad_userdb_creation' into developvarac
2015-10-05[feat] Create-user-db: use couchdb admin rightsvarac
- create soledad-admin user - deploy netrc file for userdb creation - Move soledad-server.conf from /etc/leap to /etc/soledad - make soledad-server.conf group-accessible for the soledad group, so the soledad-admin user can read it - Resolves: #7502
2015-10-01Merge remote-tracking branch 'alster-hamburgers/invite_codes' into developvarac
2015-09-30fix missing service dependency errorMicah
this tidy should only happen on webapp nodes Change-Id: I56faac4fa28fde9dcad7ce9a6ed0d684630a556e
2015-09-30Fix server-status availability to tor hidden services (#7456)Micah Anderson
Make the server-status information unavailable by putting the vhost on a port that isn't configured as available to the tor hidden-service. Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb
2015-09-28Create invite code db and design docsankonym
2015-09-28Modify config.yml.erb to include the invite code optionankonym
2015-09-24do not remove /var/log/leap/mx.log.*, this is where leap_mx is logging.elijah
2015-09-24allow certain aliases, like 'abuse', to be publicly forwardable.elijah
2015-09-24Remove no longer used vhost for leap_webapp (#7475)Micah
The configuration /etc/apache/sites-enabled/leap_webapp.conf was never removed after 6255e58bf9ff3489bf2707bc2be9759ec5c7db68 made it obsolete, and because it exists on older systems, it is being used instead of the correct common.conf. This removes it and reloads apache. Change-Id: Ic4c9901f4bba869ecb3dfe5362dfd1971570f89a
2015-09-20automatic update of submodule aptkwadronaut
2015-09-15Merge branch 'feature/rewrite_openpgp_header_7413' into developMicah Anderson
Change-Id: I42a1ef661dc55fb8110e82e930f67679c3dff1f8
2015-09-15make couchdb.admin.yml only readable by root, make non-admin cron run as ↵elijah
webapp user.
2015-09-15minor lintingMicah Anderson
Change-Id: If92faee5f877301bf23564d5b6e71c4b1263de54
2015-09-14Merge remote-tracking branch 'micah/hiera_defaults_7443' into developvarac
2015-09-11Merge branch 'bugfix/mxaliases' into developelijah
2015-09-11switch aliases to use virtual_alias_mapselijah
2015-09-11Merge remote-tracking branch 'elijah/feature/sshconfig' into developMicah Anderson
2015-09-10sshd: let nodes change default AllowTcpForwardingelijah
2015-09-10fix various problems with webapp config generationelijah
2015-09-10Make sure hiera values have valid defaults if they are not specified (#7443)Micah Anderson
Change-Id: Ib701886ad26c5e39ccd669fadca81404b5c0426a
2015-09-10Fix clients being blocked by RBLs (#7431)Micah Anderson
Valid users submitting mail to be delivered should not be blocked by configured RBLs. Settings in main.cf are valid and used globally, unless they are overridden in master.cf for specific Postfix daemons. We have set in main.cf the smtp_client_restrictions parameter to check for configured rbls, so we need to override that and empty it in order to allow valid clients to send mail, even when their IP is listed in an RBL. Note: most users will typically be connecting via VPN, so their IP would typically be replaced by the VPN gateway one, but there are cases where this is still useful. Change-Id: Ie4171113c78ae2814402a1ed9b5343280cbf79d1
2015-09-10moved leap_cli installation to leap modulevarac
Change-Id: I385f7877d0816456e7c57179511604645a4740bc
2015-09-08rewrite openpgp header to be always correct (#7413)Micah Anderson
The openpgp header added by the client is sometimes incorrect, because the client doesn't actually know what the proper URL is for the webapp. The server knows, however. Change-Id: I2243b19a6337d8e0be97590e2ca9c9c0b0fffdac
2015-09-03make couchdb.admin.yml only readable by root, make non-admin cron run as ↵elijah
webapp user.
2015-08-31Merge branch 'feature/mxalias' into developelijah
2015-08-27updated nagios submodulevarac
Change-Id: Iae76f9ca03baf459ae8ea044ea6aecfc73a41b3a
2015-08-27Merge branch '6847_improve_nagios_mail_subject' into developvarac
2015-08-21add support for configurable mail alias mapselijah
2015-08-13Increase readability of nagios notification mail subjects (#6847)varac
Change-Id: Ic9af9ef3602abbb51edf1c9d71d4d264b4ace714
2015-08-12Don't use check_mk logwatch to watch bigcouch logs anymore (#7375)varac
The rationale here is: - bigcouch/its included erlang version is incredibly noisy and spits out warnings/error msgs all the time - it uses the worst logging format i ever saw, multiple lines directly to a file (couch 2.0 uses lager as logging backend which can log to syslog) - trying to sort out the false positives will take too much time, and who knows which of them will be resolved in couch 1.6/2.0 Change-Id: Idbe6b37a19cd65ce31a50d4c28eedb4cf15ba3b5
2015-08-03webapp: add support for customizing localeselijah
2015-07-28Support RBL blocking of incoming mail (#5923)Micah Anderson
Set zen.spamhaus as the default rbl Change-Id: Ic3537d645c80ba42267bab370a1cf77730382158
2015-07-21Merge remote-tracking branch 'kwadrolab/static-amber-7231' into developMicah Anderson
Conflicts: puppet/modules/site_static/manifests/init.pp Change-Id: I090b1cb3cbe3c4d01a2c640ae3a370b17e722e12
2015-07-21Increase tapicero heatbeat nagios checks (#7275)Micah Anderson
Increase warning/critical thresholds for time between tapicero heartbeat checks so it will emit less false positives Change-Id: I0f97373d88658b7f17b2c4e8c1963198dc3f66ed
2015-07-21Fix leap-mx logrotation to work with twistd (#7058)Micah Anderson
We don't want to try and create the log file, twistd will do that. Don’t rename the log file from mx.log to mx.log.0, instead just copy it to mx.log.1, and then clear out mx.log so it’s empty (this is needed because leap-mx might assume that its file descriptor is still valid and continue trying to write to it, without this, leap-mx might lose data because it’ll assume the original log file is still around and continue to write to it, even though it’s gone)It’s a little dangerous because it’s possible that you might lose some logged data between the time that logrotate copies the new log file and truncates the old file (Caveat administrator). Finally, we don't want logrotate to complain if it finds mx.log, its ok if its there. Change-Id: I9952627f4d47e7a89a2915f6b72d82f9e6ca0d8b
2015-07-21minor lintingMicah Anderson
fix double quotes and indentation Change-Id: I79c28159d17e6256db3094f413d61dcdc9520dc6
2015-07-14bump amber version, taking care of puppet ordering with require.kwadronaut
2015-07-09Merge branch 'develop' of ssh://leap.se/leap_platform into developelijah
2015-07-09use latest amber for static nodes.elijah
2015-07-07Clean up left-over files from old way of leap-mx logging, this shouldMicah Anderson
stop the logrotate cron errors from happening. (#7058) Change-Id: Iceaeb8c17600fc23d2b1ca075546f8573c145760
2015-07-07check_mk should not falsely report multiple instances running (#6866)varac
Change-Id: Ie7943c9a541c3cd2feac7686ed1092aadc5a7c7a
2015-07-07Ignore openvpn logwatch warnings (#6867)varac
These are warnings that might have different origins, each of them we don't want to alarm the admin: - A bitmask client bug (user will poke the client devs if things break, and they will go after it) - A simple network failure, packets might get cut of - Malicious user tries to temper with TLS handshakes - this gets more interesting, but still (like ssh bruteforce attacs) an admin would not want to get annoyed by this by default, but they still have the option to use log analysers of their choice if they want to investigate this. Change-Id: I23ca3b700e41f22f34ad3346ed4e647b86000bb2
2015-07-07moved removal of leap_couch_stats.sh TMPFILE to end of script (#7217)varac
Change-Id: If844b95c44e697f480df8ee2ae6607709b9942f7
2015-07-07remove leap_couch_stats.sh TMPFILE so /tmp/ won't fill with tmp files (#7217)varac
Change-Id: I7b778e1e1af2784bd79840f20453ca8718927e25
2015-07-06Don't monitor disabled nodes (#7235)varac
Change-Id: I51ce8a9e8773d267c270a1725a497f9a43f2e9ff Sidenote: $nagios_hosts was never used
2015-07-05zlib1g-dev needed for amber gem fixes #7231kwadronaut