summaryrefslogtreecommitdiff
path: root/puppet
AgeCommit message (Collapse)Author
2014-11-20Make sure openvpn is restarted when cert/key change (#6405)Micah Anderson
I reformatted the section below for consistency. Change-Id: I18f5e23850e0c1ab4b1f2ee467d5af54ae9ff303
2014-11-20Make sure that stunnel restarts when cert/key change (#6181)Micah Anderson
Change-Id: I5085247a87018e18e73833119ac73225afbfea1e
2014-11-20specify the destination IP for DNAT rules for gateway addresses on port 443 ↵Micah Anderson
(#6388) Previously the DNAT rule would redirect the incoming port 443 requests to openvpn, which was the wrong thing to do on the primary IP (but the right thing to do on the openvpn gateway IPs). This manifested in the webapp not being available when it was also configured as a service on the node. Change-Id: Ic8c6b6c0389859fab168a7df687351e11263277a
2014-11-20minor lintingMicah Anderson
Change-Id: I6d04cc7e028e86ee0012d96d7ef075fdd7ecef19
2014-11-15don't enable Tor DirPort if openvpn is running on port 80 (Bug #6377)Micah Anderson
We need to check the openvpn hiera value, which may or may not be set. If it is not set, then we need to not lookup the $openvpn['ports]' values or we will get an error because it wont be the correct type. If we do have it, then $openvpn_ports gets set with the hash, otherwise it gets set to an empty hash (otherwise puppet will complain when we try to query the member() later with "member(): Requires array to work with"). Finally, if it is set to port 80, we don't include the tor::daemon::directory Change-Id: Ic366c72e966cae9d611e8fe5aa7ea7943be51241
2014-11-15Merge branch 'feature/4425' into developMicah Anderson
2014-11-13Merge remote-tracking branch 'elijah/bugfix/mtu' into developMicah Anderson
2014-11-10openvpn - support customizing --fragment, and set default to 1400elijah
2014-11-08minor linting, arrow lining upMicah Anderson
Change-Id: Ibd08529b7d1c4fc22bcd0ca36e518afa5b8f6d24
2014-11-08Only enable the tor DirPort options on an exit if the node isn't also aMicah Anderson
webapp node (#6336) Change-Id: Ib70bbd8fe7b94b7a1bfb09390d5dd1c535f2da16
2014-11-08Don't configure the tor DirPort options if the node is not an exit (#6335)Micah Anderson
Change-Id: I4c7fb20b6da6f6a5bb2dd5af70511a28d4581174
2014-11-07Merge remote-tracking branch 'gerrit/develop' into developMicah Anderson
2014-11-07Better check for tor hidden service on a webapp node.guido
Change-Id: I92f69b6fa30aae953243ae19096e2998810c9ac6
2014-11-04revert 5787c97b6f73dacae7f01adeff203287007c381d:Micah Anderson
stop using bad nist curve for ssh host key (#6294) We need to transition smoother (see #6319) Change-Id: I8bee032aef9502a7d4b701b99719fbfb3b7169da
2014-11-04Adds support for Tor hidden service on webapp (Feature #6273)guido
Change-Id: I56250e05e3a933deacd0b6e02192e712d3fd9fd5
2014-11-04add local 50unattended-upgrades to fix unattended-upgrades not upgradingMicah Anderson
leap packages (#4425) Change-Id: I78c00c4410ff9f712206f95854d8803e43acb286
2014-11-04change ordering hints to use refresh_stunnel exec instead of service (#6287)Micah Anderson
In a multi-node couch deployment, it was observed that the Service['stunnel'] would be activated, and then later a stunnel::client was created which would trigger an Exec['refresh_stunnel']. Because of this, and the ordering hints that were in place, the service would get started, and then the couchdb databases, users, designs, etc. were being put into place and then a stunnel client was created, triggering the refresh_stunnel exec, which would cause an interruption in the connectivity and result in failures. This change replaces the Service['stunnel'] hint with the the Exec['refresh_stunnel'] to make sure that the stunnels are fully setup before attempting couch operations. Change-Id: I33ddd24884b3c23a1df5555ca53ca65cd703da50
2014-11-02add missing TLSv1 sslversion parameter to site_stunnel::serviersMicah Anderson
Change-Id: I48dc8135943393bd11c7181853985f4a5799011e
2014-11-01stop using bad nist curve for ssh host key (#6294)Micah Anderson
update port parameter in site_sshd to be an array, otherwise puppet errors about it being a Fixnum with new sshd module Change-Id: I854d042edb98817169eef5e758d04d60d3c71dd5
2014-10-31Fix deprecated dynamic lookups of variables in site_couchdb (#6286)Micah Anderson
Change-Id: I318944a6872a53ff9c533704514da339426d9401
2014-10-29added webapp.forbidden_usernames property to allow configuration of ↵elijah
usernames to block.
2014-10-29Merge "upgrade unattended-upgrades on deploy (#6245)" into developmicah anderson
2014-10-28upgrade unattended-upgrades on deploy (#6245)Micah Anderson
unattended-upgrades is not able to upgrade itself in certain situations, such as when the conffile prompt is generated due to the config being changed. We want to set this package as latest in the platform so that it is upgraded on every deploy (we deploy the config anyway). Change-Id: I8c99bfb1b001079f0e1a4ffbf048e0e867633335
2014-10-27Change stunnel default sslversion to be TLSv1, instead of the defaultMicah Anderson
SSLv3 (#6261) Change-Id: I7ab5a6455e434f8359169d31febed8b92f84bbcc
2014-10-22Merge "modify the leap repository contents so they pick the correct ↵Varac
repository, based on the hiera value 'major_version' (#6251)" into develop
2014-10-21modify the leap repository contents so they pick the correct repository,Micah Anderson
based on the hiera value 'major_version' (#6251) Change-Id: I10532ef83e3aa2d35d9c0be241952a35e366bba4
2014-10-21implement custom puppet support (#6201, #6226)Micah Anderson
change puppet command to include in the --modulepath /srv/leap/files/puppet/modules If a provider places puppet code under files/puppet it will be sync'd over to all the nodes, once leap cli #6225 is merged. The custom puppet entry point is in class 'custom' which can be put into files/puppet/modules/custom/manifests/init.pp Change-Id: I74879c6ee056b03cd4691aa81a7668b60383bdad
2014-10-15Disable SSLv3, and RC4 ciphersMicah Anderson
Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d
2014-10-08include different nagios::defaults classes manually (#5216)varac
nagios::defaults will include nagios::defaults::hostgroups which add "all" and "centos_servers" hostgroups which we don't want. Change-Id: If42faa11c167fb7305ebbb21dc358a8813afaa25
2014-10-08every environment is defined as nagios hostsgroup (#5216)varac
Change-Id: I6508ce0d06b37a1c5601a0e981a59f7fda47f76a
2014-10-05Merge remote-tracking branch 'cz8s/fix_iptables_proxy_forbidden' into developMicah Anderson
2014-09-25allow all outgoing trafficChristoph Kluenter
as discussed on #leap
2014-09-25Use member function instead of regexp to check services arrayirregulator
2014-09-25remove /etc/apt/preferences.d/fixed_rsyslog_anon_package (#6138)varac
This was a leftover from earlier versions, where we installed rsyslog from the leap debian package repo. Change-Id: I88a852f08b5aff3bd7b591b6220ac354463a9786
2014-09-25stop logging user-agent in apache, fixes #6129Micah Anderson
Change-Id: I66384ae4a723be063790362f70e57228a0f1539b
2014-09-17allow outgoing port 3142 for apt-cacher proxyChristoph
2014-09-17update rsyslog module to fix #6019Micah Anderson
Change-Id: I8c64a0c530d44e55963060d52d31a0da1a88615c
2014-09-17Increase wait-for-couch timeout (Bug #3735)varac
Site_couchdb::Bigcouch::Settle_cluster/Exec[wait_for_couch_nodes] waits 60s for all nodes to be member of the cluster. Because we deploy to multiple nodes in parallel, not all nodes are ready at the same time, so we increased the timeout from 60s to 120s.
2014-09-03Merge branch 'master' into developvarac
Conflicts: platform.rb puppet/modules/site_config/manifests/hosts.pp
2014-08-28syslog logs everything but webapp FIX #6020guido
2014-08-26Fix Tapicero not starting after first deploy (#6004)varac
Added a dependency on the couchdb "tapicero" user to get created before starting the tapicero daemon.
2014-08-22FQDN should come first in /etc/hostsvarac
fixes /etc/hosts: wrong order (Bug #5835) (now for real) before, /etc/hosts contained i.e. 127.0.1.1 plain1 plain1.bitmask.net plain1.bitmask.i which resulted in no fqdn reported both by "hostname -f" and "facter fqdn" this fix produces this order which is needed to report a fqdn: 127.0.1.1 plain1.bitmask.net plain1 plain1.bitmask.i
2014-08-21Fix starting tapicero when it is not running (#6004)0.5.3Micah Anderson
Due to how tapicero's initscript is made, it is not possible to check for a valid exit code for the status (it returns a zero when it is not running). So we disable the puppet 'hasstatus' parameter and instead puppet will look in the process table for 'tapicero' Change-Id: I9b017ea8055c0207e43876dd4e3bbc2619c0fd35
2014-08-21Fix "Nagios ssh check is automatically added by the ssh module and cantains ↵varac
a wrong hostname on single node setup (Bug #5998)" before, the ssh module added this check, resulting in a wrong hostname and the port was always '22'. manage_nagios parameter is boolean, so we use false instead of 'no' manually add check_ssh to nagios (#5998)
2014-08-05Fixes: #5952 Webapp now logs to it's own file instead of syslog and user.logguido
2014-08-01Merge branch 'feature/replication-in-tapicero-security' into developAzul
2014-08-01minor: fix typo in webapp configAzul
@provider -> @webapp
2014-07-30add replication role to user databases with tapiceroAzul
This way the replication has read access on the source and write access on the target.
2014-07-29Merge remote-tracking branch 'fbernitt/issue_5217_allow_registration' into ↵Azul
develop
2014-07-15haproxy default to couch_write, couch_read on GETAzul
METH_POST probably does not catch PUT, DESTROY etc. So instead we now use the master as the default and only use the replications for GET and HEAD requests.