path: root/puppet
Age  Commit message  Author
2013-09-03  use check_helo_access hash:/helo_checks also for $submission_helo_restrictions  (varac)
2013-09-03  fix $master_cf_tail format  (varac)
2013-09-03  Sending mail fails when relaying using non-fully-qualified hostname (Feature #3667)  (varac)
2013-09-03  Merge branch 'feature/helo_access' into develop  (Micah Anderson)
    Conflicts: puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
    Change-Id: I51555935f9d9409e45809d6df021b10e926ea520
2013-09-03  add /etc/postfix/checks directory and set up a check_helo_access that allows admins to have some control over problem clients connecting that present helo patterns that they wish to block (#3694)  (Micah Anderson)
    Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4
2013-09-03  require that shorewall has been installed before execs are run (#3339)  (Micah Anderson)
    Change-Id: Iae2b1cacd64565931cef77194a733aeae681efaf
2013-09-03  Without smtpd_helo_required, the helo restrictions are easily bypassed by not sending a HELO (#3693)  (Micah Anderson)
    Change-Id: I6a7338136a53e16962a070826493139fa3307df7
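A check for the property the two commits above depend on (smtpd_helo_required from #3693 and the check_helo_access map from #3694), as an added Python example that is not code from the LEAP platform repository: the main.cf fragments, the map path /etc/postfix/checks/helo_access and the map contents are constructed for illustration, and the lookup function is a simplified model of Postfix's access(5) matching rather than its real implementation.

```python
"""Audit a Postfix main.cf for HELO hardening and evaluate a HELO name
against a check_helo_access map.

Added example, not LEAP platform code. The main.cf text, the map path
/etc/postfix/checks/helo_access and the map contents are constructed.
"""

# Constructed main.cf fragment: HELO checks configured, but smtpd_helo_required
# left at its Postfix default of "no", and the submission list without the map.
WEAK_MAIN_CF = """\
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/checks/helo_access,
    reject_invalid_helo_hostname
submission_helo_restrictions = permit_sasl_authenticated, reject
"""

# Same fragment with the fixes from the commits above: HELO/EHLO is mandatory,
# so every session reaches the restriction list, and both lists use the map.
FIXED_MAIN_CF = """\
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/checks/helo_access,
    reject_invalid_helo_hostname
submission_helo_restrictions =
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/checks/helo_access,
    reject
"""

# Constructed access(5) map source: key, whitespace, action.
HELO_ACCESS_MAP = """\
# HELO names nobody legitimate presents to this host
localhost        REJECT Don't claim to be me
example.org      REJECT HELO from a domain we host ourselves
198.51.100       REJECT documentation range
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; continuation lines start with whitespace.
    A later assignment overrides an earlier one, as postconf does."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def helo_findings(params):
    """Return findings about HELO enforcement; an empty list means the
    check_helo_access lookups cannot be skipped by omitting HELO/EHLO."""
    findings = []
    if params.get("smtpd_helo_required", "no").lower() != "yes":
        findings.append("smtpd_helo_required is not 'yes': a client that never "
                        "sends HELO/EHLO is never run through smtpd_helo_restrictions")
    for name in ("smtpd_helo_restrictions", "submission_helo_restrictions"):
        if "check_helo_access" not in params.get(name, ""):
            findings.append(f"{name} has no check_helo_access lookup")
    return findings


def parse_access_map(text):
    """Parse the text source of an access(5) map into {key: action}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, action = line.split(None, 1)
            table[key.lower()] = action.strip()
    return table


def lookup_helo(table, helo):
    """Simplified model of the check_helo_access lookup order (an assumption
    of this example, not a port of smtpd_check.c): a hostname is tried in full
    and then by its parent domains (Postfix's default
    parent_domain_matches_subdomains behaviour); an address literal [a.b.c.d]
    is tried as the full address and then by its leading octets."""
    helo = helo.lower()
    if helo.startswith("[") and helo.endswith("]"):
        octets = helo[1:-1].split(".")
        candidates = [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    else:
        labels = helo.split(".")
        candidates = [".".join(labels[i:]) for i in range(len(labels))]
    for key in candidates:
        if key in table:
            return table[key]
    return None  # no entry: the next restriction in the list decides
```

Run the audit against the output of `postconf -n` on a real host rather than the constructed text; the parser accepts that format unchanged.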
2013-09-02  disable postfix debugging by default  (varac)
2013-09-02  create all webapp databases so _security is set (fixes #3517)  (Azul)
2013-09-02  specify RAILS_ENV when calling bundle assets-precompile (fixes #3638)  (Azul)
    We currently disable the billing gem in production while it's on in development and test. Therefore bundler will not install its dependencies, in particular the braintree gem, when deploying. Since the RAILS_ENV was not specified, rake was called with the default of 'development'. It therefore tried to load the development gems and failed when looking for 'braintree'. Specifying the production RAILS_ENV fixes this.

    It looks like we'll always need to specify RAILS_ENV when calling rake, or we might want to export it to the environment in a separate task or the user config files such as .bashrc.
2013-08-31  postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode  (Micah Anderson)
    Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa
2013-08-31  change the master.cf_tail to pull in -o smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf, allowing us to setup specific restrictions for the smtps port  (Micah Anderson)
    . move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions
    . make a note about the permit_tls_all_clientcerts being something that we don't want in the future
    . remove check_sender_access check which was doing an unnecessary lookup
    Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc
2013-08-30  updated submodule couchdb: couchdb: update_user_webapp fails (Bug #3611)  (varac)
2013-08-30  create sessions db with puppet (Bug #3597)  (varac)
2013-08-29  Merge branch 'feature/3604' into develop  (Micah Anderson)
2013-08-29  Merge branch 'bug/3612' into develop  (Micah Anderson)
2013-08-29  Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604)  (Micah Anderson)
    . enable smtps (port 465) for client submission over TLS, and require that TLS is enabled
    . add 465 to the allowed open ports in the firewall
    . change the smtp-service.json to use 465 instead of 25
    note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need.
    Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02
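The downgrade that the commit above is guarding against, as an added Python example that is not part of the LEAP platform: the EHLO reply and the hostnames are constructed, the policy function is this example's own, and the port numbers assume the standard assignments (465 for the TLS wrapper, 587 for RFC 6409 submission). Only standard-library smtplib and ssl calls are used.

```python
"""Why a TLS wrapper port resists STARTTLS stripping, and how a client on the
submission port must behave if it is to resist it too.

Added example, not LEAP platform code. EHLO reply and hostnames are constructed.
"""
import smtplib
import ssl

IMPLICIT_TLS_PORT = 465   # "smtps": the TLS handshake happens before any SMTP byte
SUBMISSION_PORT = 587     # RFC 6409 submission: plaintext EHLO, then STARTTLS

# Constructed EHLO reply from a server that offers STARTTLS.
EHLO_REPLY = [
    "250-mx.example.net",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 8BITMIME",
]


def strip_starttls(reply):
    """What an on-path attacker does to the plaintext EHLO exchange on 587:
    drop the STARTTLS line and keep the reply well formed (only the last
    line carries '250 ' instead of '250-')."""
    kept = [line for line in reply if line[4:].upper() != "STARTTLS"]
    kept = ["250-" + line[4:] for line in kept]
    kept[-1] = "250 " + kept[-1][4:]
    return kept


def capabilities(reply):
    """EHLO keyword set, ignoring the first line (the server's name)."""
    return {line[4:].split()[0].upper() for line in reply[1:]}


def decide(port, reply=None):
    """Client policy. On 465 the EHLO reply is already inside TLS, so nothing
    in it can have been altered in transit. On 587 the reply arrives in the
    clear: if STARTTLS is absent, refuse rather than fall back to plaintext,
    because absence is exactly what a stripping attacker produces."""
    if port == IMPLICIT_TLS_PORT:
        return "tls-wrapper"
    if port == SUBMISSION_PORT:
        if reply is not None and "STARTTLS" in capabilities(reply):
            return "starttls"
        return "refuse: STARTTLS not offered (possibly stripped)"
    return "refuse: not a submission port"


def connect(host, port, timeout=10):
    """Open a session that honours decide(): wrapper mode on 465, mandatory
    STARTTLS on 587, never a plaintext fallback. Needs network access, so the
    offline checks do not call it."""
    ctx = ssl.create_default_context()
    if port == IMPLICIT_TLS_PORT:
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    conn = smtplib.SMTP(host, port, timeout=timeout)
    conn.ehlo()
    if port != SUBMISSION_PORT or not conn.has_extn("starttls"):
        conn.quit()
        raise RuntimeError("refusing plaintext session to %s:%d" % (host, port))
    conn.starttls(context=ctx)
    conn.ehlo()  # capabilities must be re-read after the handshake
    return conn
```

The server-side counterpart of `decide()` is Postfix's `smtpd_tls_security_level = encrypt` on the submission service, which rejects clients that try to proceed without STARTTLS; the client policy above is what protects the client when the server's answer cannot be trusted.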
2013-08-29  create individual classes for the apache modules so they can be included more than once in different locations, depending on what services are configured on a node (#3612)  (Micah Anderson)
    Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770
2013-08-29  change the name of the couch_database in the nickserver.yaml to the new one  (Micah Anderson)
    Change-Id: I5fe6912f3774ae87c595ca1dcac60a61e24de9e5
2013-08-29  updated submodule couchdb, fixed merge resolution error from last merge  (varac)
2013-08-29  updated submodule couchdb, fix puppet couchdb module doesn't create necessary databases anymore (Bug #3594)  (varac)
2013-08-29  fix smtpd mail restrictions (Feature #3166)  (varac)
2013-08-29  Deploy postfix with an empty main.cf as beginning (Feature #3584)  (varac)
2013-08-29  re-added submodule postfix from git://code.leap.se/puppet_postfix (#3584)  (varac)
2013-08-29  removed submodule "puppet/modules/postfix" (url: git://labs.riseup.net/shared-postfix)  (varac)
2013-08-28  SMTP checks (Feature #2304)  (varac)
2013-08-28  Merge branch 'feature/3579' into develop  (Micah Anderson)
2013-08-28  Merge branch 'bug/3491' into develop  (Micah Anderson)
2013-08-28  apache headers module needs to be enabled on the monitor server (#3462)  (Micah Anderson)
    Change-Id: Ia4e36e9cb2b37172a148c209c5c07b9eca59d89e
2013-08-28  Merge branch 'feature/clean-webapp-deploy' into develop  (Azul)
2013-08-28  updated submodule stdlib to obtain facts that show netmask in cidr notation  (varac)
2013-08-28  require VCS repo before git assume-unchanged (feature #1608)  (Azul)
2013-08-28  integrate manual postfix config changes in puppet (Feature #3538)  (varac)
2013-08-28  added site_postfix::debug for debugging (#3538)  (varac)
2013-08-27  setup bigcouch logrotation (#3491)  (Micah Anderson)
    Change-Id: Ia35cf7a9fc1d0fad6a57bbae73968ab6b8f0c847
2013-08-27  now that soledad has been split we can better organize things (#3579)  (Micah Anderson)
    . create a soledad::common class
    . leap-mx now only needs to include soledad-common
    . move the site_apt::preferences::twisted to a preferences block inside the soledad server class
    . make sure that the packages are doing 'ensure => latest' instead of installed
    Change-Id: Ifa978e831cdc8835666b27322a6e068d67251f5d
2013-08-27  fix name of initial_firewall.pp file (#3339)  (Micah Anderson)
    Change-Id: I341628d0f36225ce49ae301246e7c152553efcae
2013-08-27  Merge branch 'develop' of ssh://code.leap.se/leap_platform into develop  (varac)
2013-08-27  tor service: obfuscate contact email addr (Feature #3479)  (varac)
2013-08-27  updated submodule stdlib to obtain 'obfuscate_email' function (#3479)  (varac)
2013-08-27  move git::changes into git module, whitespace fix  (Azul)
2013-08-27  specify cwd when using git:changes  (Azul)
2013-08-27  git:changes expect changes to certain files  (Azul)
    You can either ensure assume-unchanged or ensure those changes are tracked. Used to keep the git status clean.
2013-08-27  make git forget about the changes due to symlinking files  (Azul)
    Git normally tracks the dummy files we replace with symlinks. So we tell it to ignore these changes on deploy.
2013-08-27  updated submodule couchdb  (varac)
2013-08-27  updated submodule couchdb  (varac)
2013-08-22  Merge branch 'bug/3339' into develop  (Micah Anderson)
2013-08-22  install a preliminary firewall that blocks everything, except ssh for the cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339)  (Micah Anderson)
    Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38
2013-08-22  add HSTS if hiera value for webapp['secure'] is set (#3514)  (Micah Anderson)
    Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab
2013-08-21  Set apache header X-Frame-Options: "DENY"  (Micah Anderson)
    The LEAP web application can be displayed inside other pages using an HTML iframe. Therefore, an attacker can embed parts of the LEAP application inside of a webpage they control. They can then use special style properties to disguise the embedded page. By tricking a user into clicking in the iframe, the attacker can coerce the user into performing unintended actions within the LEAP web application.

    An attacker creates a website that embeds the LEAP web application in an iframe. They then create an HTML/JavaScript game on the same page that involves clicking and dragging sprites. When a user plays the game, they are in fact dragging new text values into the 'Change Password' form in the LEAP web app, which is hidden behind the game using

    As long as iframe embedding is not required in the normal usage of the application, the X-Frame-Options header should be added to prevent browsers from displaying the web application in frames on other origins. This has also been set in the webapp.
    Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d
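The two headers from this commit and from #3514 above (X-Frame-Options and HSTS), applied and checked at the application layer, as an added Python example that belongs to neither the LEAP webapp nor the site_apache module (which set them in Apache): the demo app, the WSGI middleware and the `secure` flag standing in for hiera's webapp['secure'] are constructions of this example.

```python
"""Set and verify anti-clickjacking and HSTS headers on a WSGI application.

Added example, not LEAP code. demo_app, the middleware and the 'secure' flag
(standing in for the hiera webapp['secure'] value) are constructed here.
"""


def security_headers(app, secure):
    """WSGI middleware: always deny framing; add HSTS only when the site is
    served over HTTPS (browsers ignore the header on plain http, and emitting
    it there would misdescribe the deployment)."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            if "x-frame-options" not in names:
                headers.append(("X-Frame-Options", "DENY"))
            if secure and "strict-transport-security" not in names:
                headers.append(("Strict-Transport-Security",
                                "max-age=31536000; includeSubDomains"))
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for the 'change password' page."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method='post' action='/password'>...</form>"]


def fetch_headers(app, path="/password", secure=True):
    """Run one request through the app in-process and return its headers."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.url_scheme": "https" if secure else "http"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
    list(app(environ, start_response))  # drain the body iterator
    return captured["headers"]


def frame_protected(headers):
    """True if browsers will refuse to render the response inside a frame on
    another origin: X-Frame-Options DENY/SAMEORIGIN, or a Content-Security-
    Policy frame-ancestors directive, which takes precedence over
    X-Frame-Options when both are present."""
    lowered = {name.lower(): value for name, value in headers}
    for directive in lowered.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] != ["*"]
    xfo = lowered.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


def hsts_ok(headers, min_age=31536000):
    """True if Strict-Transport-Security is present with a max-age of at
    least min_age seconds (one year here, so a short test value is a finding)."""
    lowered = {name.lower(): value for name, value in headers}
    value = lowered.get("strict-transport-security")
    if value is None:
        return False
    for token in value.split(";"):
        key, _, age = token.strip().partition("=")
        if key.lower() == "max-age" and age.strip().isdigit():
            return int(age) >= min_age
    return False
```

`frame_protected()` and `hsts_ok()` take any `(name, value)` header list, so they can be pointed at the headers returned by a real request to the deployed webapp to confirm that Apache is actually emitting what the manifests intend.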