path: root/puppet
Age | Commit message | Author
2016-02-23 | We are rotating the mx logs 5 times, but we originally thought we should | Micah
only have the following logfiles in that directory ever: mx.log, mx.log.[1-5], with an optional .gz suffix. However, we were wrong about the 'optional' part of the compression, we use the 'compress' option, so the logs will always be compressed. So there should never be the log files mx.log.1, mx.log.2, etc. This change adjusts the clean-up to deal with that. (#7058) https://github.com/leapcode/leap_platform/pull/97 Change-Id: I109d08ac063fe094c54e93be91893a67d7fbb51b
2016-02-23 | use pbkdf2 pwhash for plain couch. | elijah
2016-02-23 | default to plain couchdb, unless otherwise specified. | elijah
# Conflicts: # puppet/modules/site_couchdb/manifests/plain.pp
2016-02-23 | get dkim working, closes #5924 | elijah
2016-02-23 | Update submodule vcsrepo | varac
2016-02-23 | Update submodule postfix | varac
2016-02-16 | remove pinning of openvpn package to backports | elijah
2016-02-12 | update postfix submodule for postscreen (Resolves: 2303) [0.8.0rc1] | kwadronaut
2016-02-12 | add postscreen greeter (Resolves: 2303) | kwadronaut
Conflicts: puppet/modules/site_postfix/manifests/mx.pp
2016-02-11 | Allow ecdsa hostkeys (#7642) until we can safely transition providers to | Micah
better key algorithm choices. Change-Id: I6b9ec83dbfbf15d1b65e14145bf625db6517f6b7
2016-02-11 | Disable journald in order to resolve IP logging subversion (#7863) | Micah
Change-Id: I9cee85c19d86dc7c8d70c4cdeb2e7426191b57a5
2016-02-11 | Due to the smtps transport specifying a header_check, the received_anon | Micah
replacement wasn't being done. (#7890) This moves that replacement into its own class, clears the old value and sets it properly in the smtps transport. Change-Id: I27c02730597df4943761d8bcb61014aeded9dc75
2016-02-10 | add postscreen greeter (Resolves: 2303) | kwadronaut
2016-02-04 | fix postfix Received anonymizing header regexp to properly match Client | Micah
CN entries (#7867) Change-Id: Ie33277a62e90f9dc0602bb963dbb96a61cebed1d
2016-02-02 | Merge branch 'bugfix/mxlog' into develop | elijah
2016-02-02 | [bug] Add smtpd_relay_restrictions to postfix conf | varac
smtpd_relay_restrictions was added in postfix 2.10 (jessie has 2.11 atm). Without this, outbound mails are rejected to be relayed. from http://www.postfix.org/SMTPD_ACCESS_README.html: NOTE: Postfix versions before 2.10 did not have smtpd_relay_restrictions. They combined the mail relay and spam blocking policies, under smtpd_recipient_restrictions. This could lead to unexpected results. For example, a permissive spam blocking policy could unexpectedly result in a permissive mail relay policy. An example of this is documented under "Dangerous use of smtpd_recipient_restrictions". smtpd_relay_restrictions defaults to 'permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination' and is configured here to check for a valid client cert. see http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions - Resolves: #7856
2016-02-02 | [bug] Fix bigcouch spoolfile removal | varac
- Resolves: #7641
2016-02-02 | [refactor] Don't duplicate Package resource override | varac
`site_apt` already ensures for installing packages after Exec[update_apt] is run, so we don't need to duplicate this in `site_config::default.pp`.
2016-02-02 | [refactor] Use Exec[apt_updated] instead of Exec[refresh_apt] | varac
Because this is the recommended way of depending in the apt README.
2016-02-02 | [bug] Fix duplicate definition error for Class[Apt] | varac
We need to include class `site_config::default` in class `site_config::slow` so we don't get this duplicate definition: - [local1.bitmask.local] Error: Duplicate declaration: Class[Apt] is already declared; cannot redeclare at /srv/leap/puppet/modules/site_apt/manifests/init.pp:29 on node local1.bitmask.local To be honest, I didn't figure out the real cause of this, but it works with this.
2016-02-02 | [refactor] Remove atomic apt package dependency | varac
`site_config::default.pp` takes care that all packages are installed before `Exec['refresh_apt']`, so we don't need to add it here for a single package.
2016-02-02 | [refactor] Don't declare dependencies for apt resources | varac
The apt module now takes care of all the dependencies removed from `site_apt`. Also, the dependency to install the `lsb` package after `refresh_apt` is unnecessary because lsb facts won't work anyway on the first run if `lsb` is not installed before, so we can safely remove it.
2016-02-02 | don't deploy bundler debug to servers | kwadronaut
2016-02-02 | finally fix leap-mx logging, for the last time, hopefully. | elijah
2016-02-01 | updated submodule apt | varac
2016-01-28 | [feat] Fix fast deploy using 'leap deploy --fast' | varac
This worked before, but somehow stopped working. We need to include 'site_config::slow' top-level scope instead of including it in 'site_config::default', because otherwise it would get tagged with 'leap_base', and would be included always. This way 'site_config::slow' gets included by default, but can be excluded by using 'leap deploy --fast'. See https://leap.se/en/docs/platform/details/under-the-hood#tags - Resolves: #7844
2016-01-28 | [bug] Fix removing of bigcouch logwatch spoolfiles | varac
The problem was that puppet tried to remove them on the couch node, but they need to get removed on monitor node. - Resolves: #7641
2016-01-27 | [bug] [jessie] Fix apache 2.4 auth directives | varac
- Resolves: #7853
2016-01-27 | [refactor] Optimize static apache vhost templates | varac
- Related: #7853
2016-01-27 | [feat] Cronjob to delete orphaned userdbs | varac
- Resolves: #7418
2016-01-26 | [bug] Fix unattended-upgrades on jessie | varac
- Resolves: #7842
2016-01-26 | [bug] remove bigcouch compaction cronjob | varac
- Resolves: #7629
2016-01-26 | [feat] Move bigcouch removals to own class | varac
We now include "site_config::remove::bigcouch" in class "site_couchdb::master", which sets up plain couchdb.
2016-01-26 | [bug] Use ruby::devel to install ruby-dev deb | varac
Ruby itself is a parameterized class, and parameters cannot get overridden (see https://projects.puppetlabs.com/issues/9259). The webapp node didn't install the ruby-dev package (we never noticed because our vagrant images as probably other debian images had ruby-dev preinstalled). We now use the ruby::devel class to install ruby-dev. - Tested: [citest-jessie] - Resolves: #7838
2016-01-26 | [feat] Don't install rubygems package on every run | varac
I merged immerda's changes to the `rubygems` module, which remove the installation of the `rubygems` package from jessie on, because it's a dependency of the `ruby2.1` package, which is a dep of puppet, and therefore installed on every node. - Tested: [local singlenode] - Resolves: #7619
2016-01-23 | [feat] Don't remove portmap on vagrant | varac
Vagrant uses portmap and nfs-common for mounting shared folders using nfs.
2016-01-22 | [bug] refactor build-essential package installation | varac
In certain node setups, the webapp gems cannot get built because `build-essential` and dependent packages were not present. I refactored the `site_config::packages::build_essential` class, which now inherits `site_config::packages`. The latter class removes all unnecessary (development) packages, but when the `site_config::packages::build_essential` class is included, some dev packages are overridden to be installed. - Tested: [local] - Resolves: #7834
2016-01-22 | linted puppet/modules/site_openvpn/manifests/init.pp | varac
2016-01-22 | Include site_config::params in all x509 subclasses (#6851) | varac
After restructuring site.pp to only include site_config::default and the service-specific classes, we got this: Duplicate declaration: X509::Cert[undef] is already declared in file /srv/leap/puppet/modules/site_config/manifests/x509/commercial/cert.pp at line 8; cannot redeclare at /srv/leap/puppet/modules/site_config/manifests/x509/cert.pp:8 on node rewcitestweb1.rewire.org So I included site_config::params in all site_config::x509 classes. Change-Id: Ib8387abfdc68b36c73a45fd2dd1f3a159eaec4a5
2016-01-22 | restructured site.pp, now only one class gets included in site.pp per | varac
service (Bug #6851) Also, moved global Exec{} defaults to site.pp Change-Id: I9ae91b77afde944d2f1312613b9d9030e32239dd
2016-01-21 | Make sure the certs are installed for all smtp tls clients, thus | Micah
ensuring the satellite hosts are setup properly (#7611) Change-Id: I9dce57c305a6fd6a39596a941174fe1879af5e4f
2016-01-20 | Merge remote-tracking branch 'micah/bug/7822' into develop | varac
2016-01-19 | Make the reject parameter an array to fix the following (#7822): | Micah
failed to parse template tor/torrc.exit_policy.erb, undefined method `each' for "*:*":String Change-Id: I2b7b444187376dbc2f3cc5095391ae54bf8321b3
2016-01-19 | Merge branch 'remove_double_apt_get_update' into develop | varac
2016-01-19 | Ensure openvpn services are running on jessie | varac
2016-01-19 | Swiss privacy foundation nameserver is not responding, switch secondary | Micah
fall-back to an OpenNIC resolver that does not log (#7781) Change-Id: I290321927c8188c82e95e2cd4b93cd01bd2258c2
2016-01-19 | Merge branch '7802_rsyslog_jessie' into develop | varac
2016-01-19 | Make sure machines in mynetworks are able to send mail through us, | Micah
without getting blocked by the rbl (#7819) Change-Id: Ib7a00f810b6c49528e5f99a1d83296553a81e65e
2016-01-19 | Ensure curl is installed before it is called (#7803) | Micah
Change-Id: Iedd464a397e9944159991241cd84caad6a2a40d6
2016-01-16 | [bug] Enable openvpn services on jessie | varac
- Tested: [unstable.bitmask.net] - Resolves: #7798