From 46af641b65a530a6afc238d554d0b71e5d99f9d5 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 31 May 2016 13:45:36 -0400 Subject: Disable puppet-agent daemon from running. The agent wakes up every two minutes and tries to connect to the default server, failing with a certificate warning. We don't use the agent, so we can safely disable it (#8032) Change-Id: I707f42b59205993325431aba283552b1b73a0ad1 --- puppet/modules/site_config/manifests/default.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_config/manifests') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 256de1a1..9bc8c30d 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -7,8 +7,9 @@ class site_config::default { include site_config::params include site_config::setup - # default class, used by all hosts + service { 'puppet': ensure => stopped } + # default class, used by all hosts include lsb, git # configure sysctl parameters -- cgit v1.2.3 From b21a3e9126a1734b2cea975e57b5c9e8206f12fa Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 27 Jun 2016 15:49:30 -0700 Subject: Fix the permissions on the DOMAIN/provider.json file for static sites. --- puppet/modules/site_config/manifests/remove/files.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'puppet/modules/site_config/manifests') diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 41d6462e..3de8d695 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp @@ -11,7 +11,18 @@ class site_config::remove::files { + # + # Platform X removals + # + + tidy { + '/srv/leap/provider.json':; + } + + # # Platform 0.8 removals + # + tidy { '/etc/default/leap_mx':; '/etc/logrotate.d/mx':; -- cgit v1.2.3 
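Review bot: The added `service { 'puppet': ensure => stopped }` in site_config::default stops the running daemon but does not disable it at boot, so the agent can return after a reboot or a package upgrade. It would then resume the periodic connection attempts to the default server that the commit message describes. Setting both attributes makes the change persistent: `service { 'puppet': ensure => stopped, enable => false }`. The class body continues outside the hunk.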
From c7e0864ccb00c67f2dfe7cd8d5a1665c08dd6033 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 23 Jun 2016 14:05:20 -0400 Subject: Make sure bind9 doesn't take over unbound (#8213). Change-Id: Icaab817870d005b7a854a3fb8c402705d0b2d77f --- puppet/modules/site_config/manifests/caching_resolver.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'puppet/modules/site_config/manifests') diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 8bf465c1..59b135a3 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -2,10 +2,22 @@ class site_config::caching_resolver { tag 'leap_base' + # We need to make sure Package['bind9'] isn't installed because when it is, it + # keeps unbound from running. Some base debian installs will install bind9, + # and then start it, so unbound will never get properly started. So this will + # make sure bind9 is removed before. + package { 'bind9': + ensure => absent + } + file { [ '/etc/default/bind9', '/etc/bind/named.conf.options' ]: + ensure => absent + } + class { 'unbound': root_hints => false, anchor => false, ssl => false, + require => Package['bind9'], settings => { server => { verbosity => '1', -- cgit v1.2.3 From d0ff379fe2a43d7968b8828c8b31af5254f6f85b Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 28 Jun 2016 13:16:47 -0400 Subject: Remove bigcouch (#8056) Change-Id: I0c6e27298c63bd37de1410985d054799818c22a4 --- .../site_config/manifests/remove/bigcouch.pp | 27 ++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'puppet/modules/site_config/manifests') diff --git a/puppet/modules/site_config/manifests/remove/bigcouch.pp b/puppet/modules/site_config/manifests/remove/bigcouch.pp index 3535c3c1..9fd3e7ee 100644 --- a/puppet/modules/site_config/manifests/remove/bigcouch.pp +++ b/puppet/modules/site_config/manifests/remove/bigcouch.pp 
@@ -10,6 +10,33 @@ class site_config::remove::bigcouch { ] } + tidy { + '/etc/logrotate/bigcouch':; + '/srv/leap/nagios/plugins/check_unix_open_fds.pl':; + } + + augeas { + 'Couchdb_open_files': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => [ + 'rm /files/etc/check_mk/mrpe.cfg/Couchdb_open_files', + 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs', + 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs', + 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files' ], + require => File['/etc/check_mk/mrpe.cfg']; + } + + # check syslog msg from: + # - empd + # - /usr/local/bin/couch-doc-update + concat::fragment { 'syslog_bigcouch': + ensure => absent, + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/bigcouch.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '02'; + } + exec { 'remove_bigcouch_logwatch_stateline': command => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state", refreshonly => true, -- cgit v1.2.3 From 8b4547d844ef904d9591a2a9fe71989e85197714 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 23 Jun 2016 14:05:20 -0400 Subject: Make sure bind9 doesn't take over unbound (#8213). Change-Id: Icaab817870d005b7a854a3fb8c402705d0b2d77f --- puppet/modules/site_config/manifests/caching_resolver.pp | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'puppet/modules/site_config/manifests') diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 59b135a3..5541472d 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp 
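Review bot: The first `tidy` entry targets `/etc/logrotate/bigcouch`, which looks like a typo for `/etc/logrotate.d/bigcouch` (remove/files.pp on this page tidies `/etc/logrotate.d/mx`). If so, the stale logrotate snippet is never removed, so confirm the path on a node that had bigcouch installed. The comment above the `concat::fragment` says `empd` where the augeas keys use `epmd`. This `augeas` resource and the one in remove/soledad.pp both carry `require => File['/etc/check_mk/mrpe.cfg']`, which presumably breaks catalog compilation on a host that does not manage that file, so confirm every node including these classes does. The class starts before the hunk.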
@@ -7,10 +7,7 @@ class site_config::caching_resolver { # and then start it, so unbound will never get properly started. So this will # make sure bind9 is removed before. package { 'bind9': - ensure => absent - } - file { [ '/etc/default/bind9', '/etc/bind/named.conf.options' ]: - ensure => absent + ensure => purged } class { 'unbound': -- cgit v1.2.3 From 428f5c4f839650dac8898746ff395fcf50b658bb Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 23 Jun 2016 16:21:02 -0400 Subject: Enable DNSSEC validation in unbound (#8214). Change-Id: Ibdf39a721162b4a5663ef27c27b2db0261c6e8a5 --- puppet/modules/site_config/manifests/caching_resolver.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_config/manifests') diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 5541472d..2b08ab4c 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -23,7 +23,8 @@ class site_config::caching_resolver { hide-identity => 'yes', hide-version => 'yes', harden-glue => 'yes', - access-control => [ '127.0.0.0/8 allow', '::1 allow' ] + access-control => [ '127.0.0.0/8 allow', '::1 allow' ], + module-config => '"validator iterator"' } } } -- cgit v1.2.3 From 2cfcb6d073973025f73f37183a0fa21570a922df Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 5 Jul 2016 11:43:59 -0400 Subject: set domain-secure to internal domain. Without this set, dnssec will fail validation for internal domains, which should not be validated Change-Id: I8589332598fe97ad5218dd23825ac77af2d8def6 --- .../modules/site_config/manifests/caching_resolver.pp | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'puppet/modules/site_config/manifests') 
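Review bot: Adding `module-config => '"validator iterator"'` loads the validator, but validation only takes effect once a trust anchor is configured, and the `unbound` class declaration shown earlier on this page passes `anchor => false`. If that parameter means the module writes no `auto-trust-anchor-file`, and no distribution-provided snippet supplies one, unbound treats every answer as unvalidated and this change is silently a no-op. As far as I know `validator iterator` is already unbound's built-in default. I would set the anchor explicitly, or add a server test that resolves a deliberately mis-signed zone and expects SERVFAIL, so that a regression is visible. The settings hash begins outside the hunk.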
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 2b08ab4c..4da13d9c 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,6 +1,8 @@ # deploy local caching resolver class site_config::caching_resolver { tag 'leap_base' + $domain = hiera('domain') + $internal_domain = $domain['internal_suffix'] # We need to make sure Package['bind9'] isn't installed because when it is, it # keeps unbound from running. Some base debian installs will install bind9, @@ -17,14 +19,15 @@ class site_config::caching_resolver { require => Package['bind9'], settings => { server => { - verbosity => '1', - interface => [ '127.0.0.1', '::1' ], - port => '53', - hide-identity => 'yes', - hide-version => 'yes', - harden-glue => 'yes', - access-control => [ '127.0.0.0/8 allow', '::1 allow' ], - module-config => '"validator iterator"' + verbosity => '1', + interface => [ '127.0.0.1', '::1' ], + port => '53', + hide-identity => 'yes', + hide-version => 'yes', + harden-glue => 'yes', + access-control => [ '127.0.0.0/8 allow', '::1 allow' ], + module-config => '"validator iterator"', + domain-insecure => $internal_domain } } } -- cgit v1.2.3 From 9ef0d00b4302b7ddfc9d5620eeb4fad90d3a15aa Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Aug 2016 22:11:49 +0200 Subject: [bug] Remove Nagios soledad procs check leap_cli already checks for running procs - Resolves: #8380 --- puppet/modules/site_config/manifests/remove/soledad.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 puppet/modules/site_config/manifests/remove/soledad.pp (limited to 'puppet/modules/site_config/manifests') diff --git a/puppet/modules/site_config/manifests/remove/soledad.pp b/puppet/modules/site_config/manifests/remove/soledad.pp new file mode 100644 index 00000000..46c23f26 --- /dev/null 
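Review bot: `domain-insecure => $internal_domain` in the second hunk comes from `$domain['internal_suffix']` with no check that the hiera value is set, so a missing or empty suffix would presumably produce an invalid or overly broad `domain-insecure` line in unbound.conf. A guard next to the two new assignments in the first hunk that calls `fail()` when the value is undef or empty would surface that at compile time. A short comment should also record that names under this suffix are exempt from DNSSEC validation, and which local source makes them trustworthy. The commit subject says `domain-secure` while the code sets `domain-insecure`.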
+++ b/puppet/modules/site_config/manifests/remove/soledad.pp @@ -0,0 +1,12 @@ +# remove possible leftovers on soledad nodes +class site_config::remove::soledad { + + # remove soledad procs check because leap_cli already checks for them + augeas { 'Soledad_Procs': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => [ 'rm /files/etc/check_mk/mrpe.cfg/Soledad_Procs' ], + require => File['/etc/check_mk/mrpe.cfg']; + } + +} -- cgit v1.2.3 From 07c0e60e6bdc5b8bfe1f42f76dae9f0a79e7abb0 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 29 Aug 2016 16:35:14 -0700 Subject: moved infrastructure tests run by `leap run` to tests/server-tests --- puppet/modules/site_config/manifests/remove/files.pp | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_config/manifests') diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 3de8d695..ac2350a0 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp @@ -12,11 +12,28 @@ class site_config::remove::files { # - # Platform X removals + # Platform 0.9 removals # tidy { + # moved to /srv/static/public/provider.json + # for permissions reasons. '/srv/leap/provider.json':; + + # tests are moved to /srv/leap/tests/server-tests + # by rsync is not able to clean up the old location, + # so, we do it here: + '/srv/leap/tests/order.rb':; + '/srv/leap/tests/README.md':; + '/srv/leap/tests/helpers': + recurse => true, + rmdirs => true; + '/srv/leap/tests/puppet': + recurse => true, + rmdirs => true; + '/srv/leap/tests/white-box': + recurse => true, + rmdirs => true; } # -- cgit v1.2.3 From 8116e007cfd4dbee8282247348cf45473dcde45e Mon Sep 17 00:00:00 2001 
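Review bot: In the remove/files.pp hunk, the comment above the `/srv/leap/tests/*` entries reads `by rsync is not able to clean up the old location`, which looks like a typo for `but rsync …`; as written the reason for the cleanup is hard to parse. The three recursive entries (`helpers`, `puppet`, `white-box`) set `recurse => true` with no `age` or `matches`, so everything under those paths is deleted on each run. A one-line comment stating that these directories must not be reused by the platform would guard against a later change re-creating content there and having it silently removed.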
From: elijah Date: Wed, 31 Aug 2016 14:54:46 -0700 Subject: added support for Let's Encrypt --- puppet/modules/site_config/manifests/x509/commercial/ca.pp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_config/manifests') diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp index c76a9dbb..21d57445 100644 --- a/puppet/modules/site_config/manifests/x509/commercial/ca.pp +++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp @@ -5,7 +5,13 @@ class site_config::x509::commercial::ca { $x509 = hiera('x509') $ca = $x509['commercial_ca_cert'] - x509::ca { $site_config::params::commercial_ca_name: - content => $ca + # + # CA cert might be empty, if it was bundled with 'commercial_cert' + # instead of specified separately. + # + if ($ca) { + x509::ca { $site_config::params::commercial_ca_name: + content => $ca + } } } -- cgit v1.2.3
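Review bot: The new `if ($ca)` guard relies on an empty string being false, which holds in the Puppet 3 language but not in Puppet 4 and later, where `''` is truthy. There an empty `commercial_ca_cert` would still declare `x509::ca` with empty content. An explicit comparison such as `if $ca and $ca != '' {` behaves the same on both. When the guard is false, nothing removes a CA file written by an earlier run, so a stale commercial CA may stay on disk. If `x509::ca` accepts `ensure => absent` (not visible here), an `else` branch could clean it up.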