Age | Commit message | Author |
|
Remove from:
- platform white-box tests (couchdb user ACLs, tapicero daemon test)
- provider_base/ dir that handles the compilation of the hiera config
file
- Resolves: #7501
|
|
Soledad now creates user-dbs, which has been done by tapicero
in the past. We need to remove any leftovers from tapicero.
|
|
- create soledad-admin user
- deploy netrc file for userdb creation
- Move soledad-server.conf from /etc/leap to /etc/soledad
- make soledad-server.conf group-accessible for the soledad group, so
the soledad-admin user can read it
- Resolves: #7502
|
|
this tidy should only happen on webapp nodes
Change-Id: I56faac4fa28fde9dcad7ce9a6ed0d684630a556e
|
|
Make the server-status information unavailable by putting the vhost on a
port that isn't configured as available to the tor hidden-service.
Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb
|
|
Make the server-status information unavailable by putting the vhost on a
port that isn't configured as available to the tor hidden-service.
Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb
|
|
this tidy should only happen on webapp nodes
Change-Id: I56faac4fa28fde9dcad7ce9a6ed0d684630a556e
|
|
The configuration /etc/apache/sites-enabled/leap_webapp.conf was never
removed after 6255e58bf9ff3489bf2707bc2be9759ec5c7db68 made it obsolete,
and because it exists on older systems, it is being used instead of the
correct common.conf.
This removes it and reloads apache.
Change-Id: Ic4c9901f4bba869ecb3dfe5362dfd1971570f89a
|
|
Change-Id: I42a1ef661dc55fb8110e82e930f67679c3dff1f8
|
|
webapp user.
|
|
Change-Id: If92faee5f877301bf23564d5b6e71c4b1263de54
|
|
Change-Id: Ib701886ad26c5e39ccd669fadca81404b5c0426a
|
|
Valid users submitting mail to be delivered should not be blocked by
configured RBLs.
Settings in main.cf are valid and used globally, unless they are
overridden in master.cf for specific Postfix daemons. We have set in
main.cf the smtp_client_restrictions parameter to check for configured
RBLs, so we need to override that and empty it in order to allow valid
clients to send mail, even when their IP is listed in an RBL.
Note: most users will typically be connecting via VPN, so their IP would
typically be replaced by the VPN gateway one, but there are cases where
this is still useful.
Change-Id: Ie4171113c78ae2814402a1ed9b5343280cbf79d1
|
|
Change-Id: I385f7877d0816456e7c57179511604645a4740bc
|
|
The openpgp header added by the client is sometimes incorrect, because
the client doesn't actually know what the proper URL is for the
webapp. The server knows, however.
Change-Id: I2243b19a6337d8e0be97590e2ca9c9c0b0fffdac
|
|
webapp user.
|
|
Change-Id: Iae76f9ca03baf459ae8ea044ea6aecfc73a41b3a
|
|
Change-Id: Ic9af9ef3602abbb51edf1c9d71d4d264b4ace714
|
|
The rationale here is:
- bigcouch/its included erlang version is incredibly noisy and spits out
warnings/error msgs all the time
- it uses the worst logging format I ever saw, multiple lines directly
to a file (couch 2.0 uses lager as logging backend which can log to
syslog)
- trying to sort out the false positives will take too much time,
and who knows which of them will be resolved in couch 1.6/2.0
Change-Id: Idbe6b37a19cd65ce31a50d4c28eedb4cf15ba3b5
|
|
Set zen.spamhaus as the default rbl
Change-Id: Ic3537d645c80ba42267bab370a1cf77730382158
|
|
Conflicts:
puppet/modules/site_static/manifests/init.pp
Change-Id: I090b1cb3cbe3c4d01a2c640ae3a370b17e722e12
|
|
Increase warning/critical thresholds for time between tapicero heartbeat
checks so it will emit fewer false positives
Change-Id: I0f97373d88658b7f17b2c4e8c1963198dc3f66ed
|
|
We don't want to try and create the log file, twistd will do that.
Don't rename the log file from mx.log to mx.log.0, instead just copy it
to mx.log.1, and then clear out mx.log so it's empty (this is needed
because leap-mx might assume that its file descriptor is still valid and
continue trying to write to it; without this, leap-mx might lose data
because it'll assume the original log file is still around and continue
to write to it, even though it's gone). It's a little dangerous because
it's possible that you might lose some logged data between the time that
logrotate copies the new log file and truncates the old file (Caveat
administrator).
Finally, we don't want logrotate to complain if it finds
mx.log, it's ok if it's there.
Change-Id: I9952627f4d47e7a89a2915f6b72d82f9e6ca0d8b
|
|
fix double quotes and indentation
Change-Id: I79c28159d17e6256db3094f413d61dcdc9520dc6
|
|
stop the logrotate cron errors from happening. (#7058)
Change-Id: Iceaeb8c17600fc23d2b1ca075546f8573c145760
|
|
Change-Id: Ie7943c9a541c3cd2feac7686ed1092aadc5a7c7a
|
|
These are warnings that might have different origins, each of
them we don't want to alarm the admin:
- A bitmask client bug (user will poke the client devs if things
break, and they will go after it)
- A simple network failure, packets might get cut off
- Malicious user tries to tamper with TLS handshakes - this gets
more interesting, but still (like ssh bruteforce attacks) an admin
would not want to get annoyed by this by default, but they still
have the option to use log analysers of their choice if they want
to investigate this.
Change-Id: I23ca3b700e41f22f34ad3346ed4e647b86000bb2
|
|
Change-Id: If844b95c44e697f480df8ee2ae6607709b9942f7
|
|
Change-Id: I7b778e1e1af2784bd79840f20453ca8718927e25
|