path: root/puppet
Age | Commit message | Author
2013-08-29 | Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604) . enable smtps (port 465) for client submission over TLS, and require that TLS is enabled . add 465 to the allowed open ports in the firewall . change the smtp-service.json to use 465 instead of 25 note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need. Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02 | Micah Anderson
2013-08-29 | change the name of the couch_database in the nickserver.yaml to the new one Change-Id: I5fe6912f3774ae87c595ca1dcac60a61e24de9e5 | Micah Anderson
2013-08-29 | updated submodule couchdb, fixed merge resolution error from last merge | varac
2013-08-29 | updated submodule couchdb, fix puppet couchdb module doesn't create necessary databases anymore (Bug #3594) | varac
2013-08-29 | fix smtpd mail restrictions (Feature #3166) | varac
2013-08-29 | Deploy postfix with an empty main.cf as beginning (Feature #3584) | varac
2013-08-29 | re-added submodule postfix from git://code.leap.se/puppet_postfix (#3584) | varac
2013-08-29 | removed submodule "puppet/modules/postfix" (url: git://labs.riseup.net/shared-postfix) | varac
2013-08-28 | SMTP checks (Feature #2304) | varac
2013-08-28 | Merge branch 'feature/3579' into develop | Micah Anderson
2013-08-28 | Merge branch 'bug/3491' into develop | Micah Anderson
2013-08-28 | apache headers module needs to be enabled on the monitor server (#3462) Change-Id: Ia4e36e9cb2b37172a148c209c5c07b9eca59d89e | Micah Anderson
2013-08-28 | Merge branch 'feature/clean-webapp-deploy' into develop | Azul
2013-08-28 | updated submodule stdlib to obtain facts that show netmask in cidr notation | varac
2013-08-28 | require VCS repo before git assume-unchanged (feature #1608) | Azul
2013-08-28 | integrate manual postfix config changes in puppet (Feature #3538) | varac
2013-08-28 | added site_postfix::debug for debugging (#3538) | varac
2013-08-27 | setup bigcouch logrotation (#3491) Change-Id: Ia35cf7a9fc1d0fad6a57bbae73968ab6b8f0c847 | Micah Anderson
2013-08-27 | now that soledad has been split we can better organize things (#3579) . create a soledad::common class . leap-mx now only needs to include soledad-common . move the site_apt::preferences::twisted to a preferences block inside the soledad server class . make sure that the packages are doing 'ensure => latest' instead of installed Change-Id: Ifa978e831cdc8835666b27322a6e068d67251f5d | Micah Anderson
2013-08-27 | fix name of initial_firewall.pp file (#3339) Change-Id: I341628d0f36225ce49ae301246e7c152553efcae | Micah Anderson
2013-08-27 | Merge branch 'develop' of ssh://code.leap.se/leap_platform into develop | varac
2013-08-27 | tor service:obfuscate contact email addr (Feature #3479) | varac
2013-08-27 | updated submodule stdlib to obtain 'obfuscate_email' function (#3479) | varac
2013-08-27 | move git::changes into git module, whitespace fix | Azul
2013-08-27 | specify cwd when using git:changes | Azul
2013-08-27 | git:changes expect changes to certain files You can either ensure assume-unchanged or ensure those changes are tracked. Used to keep the git status clean. | Azul
2013-08-27 | make git forget about the changes due to symlinking files Git normally tracks the dummy files we replace with symlinks. So we tell it to ignore these changes on deploy. | Azul
2013-08-27 | updated submodule couchdb | varac
2013-08-27 | updated submodule couchdb | varac
2013-08-22 | Merge branch 'bug/3339' into develop | Micah Anderson
2013-08-22 | install a preliminary firewall that blocks everything, except ssh for the cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339) Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38 | Micah Anderson
2013-08-22 | add HSTS if hiera value for webapp['secure'] is set (#3514) Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab | Micah Anderson
2013-08-21 | Set apache header X-Frame-Options: "DENY" The LEAP web application can be displayed inside other pages using an HTML iframe. Therefore, an attacker can embed parts of the LEAP application inside of a webpage they control. They can then use special style properties to disguise the embedded page. By tricking a user into clicking in the iframe, the attacker can coerce the user into performing unintended actions within the LEAP web application. An attacker creates a website that embeds the LEAP web application in an iframe. They then create an HTML/JavaScript game on the same page that involves clicking and dragging sprites. When a user plays the game, they are in fact dragging new text values into the "Change Password" form in the LEAP web app, which is hidden behind the game using As long as iframe embedding is not required in the normal usage of the application, the X-Frame-Options header should be added to prevent browsers from displaying the web application in frames on other origins. This has also been set in the webapp Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d | Micah Anderson
2013-08-21 | Disable verbose, identifying apache headers (#3462): . Disable ServerSignature . Set ServerTokens Prod . unset the X-Powered-By and X-Runtime apache headers Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a | Micah Anderson
2013-08-21 | update couchdb module to resolve #3459 Change-Id: Icad17de812392d7c587e5bcbf60cd5242c1241e9 | Micah Anderson
2013-08-16 | update couchdb submodule to fix #3481 Change-Id: I474cc691fcfc892b7aff4a3a0e3954155bf5ee30 | Micah Anderson
2013-08-15 | Because both soledad and leap-mx do not function with twisted 12, we had to backport twisted 13. In order to install the backported dependencies we need an apt preferences_snippet installed for the backported twisted packages Change-Id: I886bb735eeb3abe7955c7cf054b749554ab84746 | Micah Anderson
2013-08-14 | add START=yes to /etc/default/soledad to start the daemon, new package requires this to start. Closes: #3474 Change-Id: I921dcf0d6571cd60d2705ae4925d0a4318c84fa2 | Micah Anderson
2013-08-14 | Merge branch 'feature/webapp_production_log' into develop | Micah Anderson
2013-08-14 | require that the couchdb::query::setup has been run before any attempts are made to create databases or add users as these would fail otherwise. Closes: #3466 Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0 | Micah Anderson
2013-08-14 | update couchdb submodule to the latest version - fixes #3447 Change-Id: Ib6458b962c624fdb75f514dbd4c2129581fc2bb7 | Micah Anderson
2013-08-14 | Fix problem where webapp production.log had the wrong permissions - #3471 Change-Id: I20a6ecc43e36fc1e8416c46f7e4d14726995d2f2 | Micah Anderson
2013-08-14 | vagrant: Install squid-deb-proxy on clients (optional) (Feature #3330) squashed commits: site_squid_deb_proxy::client: include shorewall::rules::mdns for avahi discovery added submodule squid_deb_proxy from git://code.leap.se/puppet_squid_deb_proxy updated submodule squid_deb_proxy use squid_deb_proxy::client | varac
2013-08-13 | require that the couchdb::query::setup has been run before any attempts are made to create databases or add users as these would fail otherwise. Closes: #3466 Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0 | Micah Anderson
2013-08-13 | update couchdb submodule to the latest version - fixes #3447 Change-Id: Ib6458b962c624fdb75f514dbd4c2129581fc2bb7 | Micah Anderson
2013-08-01 | run soledad daemon using the configured port. | elijah
2013-08-01 | make site_shorewall::soledad use the hiera value for the soledad port Change-Id: I923f15de807f907d6246c3a83df1e59c39d4e920 | Micah Anderson
2013-08-01 | For now, soledad will only exist on couchdb nodes (but not every couchdb has soledad), so fix the port to be the local couchdb port. In the future, we may want to separate them out. There is no need to do haproxy with soledad, because the client is supposed to try a different soledad node if it can't connect Change-Id: I87e2c5079ba361634336316721c4358a0917fb09 | Micah Anderson
2013-08-01 | fix #3291: set the soledad port properly in the json and as a temporary work-around, use the couchdb admin/passwd Change-Id: Ibb1cd8416d00552f8ca1716e42a08137a4b461aa | Micah Anderson
2013-08-01 | Merge branch 'feature/issue/3347' into develop | varac