From 0e7b47380edb2af6683a0cdc871eaa60a4101f5c Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 10 Jul 2013 21:45:51 -0700 Subject: ensure that /etc/hosts is output deterministically, so that content does not change each time you deploy. --- puppet/modules/site_config/templates/hosts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index 2c784b05..c0a2740f 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -4,7 +4,8 @@ 127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> <%- if @hosts then -%> -<% @hosts.each do |name, props| -%> +<% @hosts.keys.sort.each do |name| -%> +<%- props = @hosts[name] -%> <%= props["ip_address"] %> <%= props["domain_full"] %> <%= props["domain_internal"] %> <%= name %> <% end -%> <% end -%> -- cgit v1.2.3 From 8478e8613ded138b5d68b122cb82f5418a199764 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 11 Jul 2013 10:04:21 -0700 Subject: changes to support restrictive permissions for /etc/leap. this is required to work with the latest leap_cli. --- puppet/modules/site_config/manifests/default.pp | 3 +++ puppet/modules/site_config/manifests/files.pp | 10 ++++++++++ 2 files changed, 13 insertions(+) create mode 100644 puppet/modules/site_config/manifests/files.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 00eee9d0..e299a0f4 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -41,4 +41,7 @@ class site_config::default { # include basic shell config include site_config::shell + + # set up core leap files and directories + include site_config::files } 
diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp new file mode 100644 index 00000000..03c9aff8 --- /dev/null +++ b/puppet/modules/site_config/manifests/files.pp @@ -0,0 +1,10 @@ +class site_config::files { + + file { '/srv/leap': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0711' + } + +} \ No newline at end of file -- cgit v1.2.3 From 3bfa6a7bd1cc9155155c50468a9bbe0769986920 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 17 Jul 2013 00:58:07 -0700 Subject: default to false for $hosts --- puppet/modules/site_config/manifests/hosts.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index ccedf036..a3ce0c1f 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -1,5 +1,5 @@ class site_config::hosts() { - $hosts = hiera('hosts','') + $hosts = hiera('hosts', false) $hostname = hiera('name') $domain_hash = hiera('domain') $domain_public = $domain_hash['full_suffix'] -- cgit v1.2.3 From 9e83de3497ec55f4910de099917387d500b8f4b4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 14:37:17 +0200 Subject: Site_webapp/Try::File: Could not find command 'git' (Bug #3202) --- puppet/modules/site_config/manifests/base_packages.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp index 3d40f7a2..98a138ee 100644 --- a/puppet/modules/site_config/manifests/base_packages.pp +++ b/puppet/modules/site_config/manifests/base_packages.pp 
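Review bot: The resource manages `/srv/leap` while the subject speaks of restrictive permissions for `/etc/leap`; if both paths are meant to be locked down, `/etc/leap` is not managed anywhere in this hunk. Mode `0711` on `/srv/leap` only hides the directory listing from non-root users — anything created underneath stays reachable by name, so each child that holds sensitive material needs its own `owner`/`mode`, and a comment stating that would prevent the parent mode being mistaken for protection of the contents: `# 0711: traversable but not listable by non-root; children must carry their own mode`. The file also ends with `\ No newline at end of file`; adding the final newline keeps later diffs clean.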
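Review bot: `hiera('hosts', false)` now matches the template's `<%- if @hosts then -%>` guard, but any truthy non-hash value from hiera (a string, for instance) still reaches `@hosts.keys.sort` in the template and aborts the catalog with a Ruby error rather than a readable message. If puppetlabs-stdlib is available in this tree (not visible here), `if $hosts { validate_hash($hosts) }` after the lookup turns that into a clear compile-time failure.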
@@ -1,7 +1,7 @@ class site_config::base_packages { # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less' ]: + package { [ 'etckeeper', 'git', 'less', 'screen' ]: ensure => installed, } -- cgit v1.2.3 From 3272876226dafc7256dbf2ed056cbac5e63a7380 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 14:47:36 +0200 Subject: Revert "Site_webapp/Try::File: Could not find command 'git' (Bug #3202)" This reverts commit 9e83de3497ec55f4910de099917387d500b8f4b4. --- puppet/modules/site_config/manifests/base_packages.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp index 98a138ee..3d40f7a2 100644 --- a/puppet/modules/site_config/manifests/base_packages.pp +++ b/puppet/modules/site_config/manifests/base_packages.pp @@ -1,7 +1,7 @@ class site_config::base_packages { # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'git', 'less', 'screen' ]: + package { [ 'etckeeper', 'screen', 'less' ]: ensure => installed, } -- cgit v1.2.3 From 2530cd5fa6dbf39dc964b158d79d6d5c60babc4e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Jul 2013 22:48:22 +0200 Subject: vagrant: Install squid-deb-proxy on clients (optional) (Feature #3330) squashed commits: site_squid_deb_proxy::client: include shorewall::rules::mdns for avahi discovery added submodule squid_deb_proxy from git://code.leap.se/puppet_squid_deb_proxy updated submodule squid_deb_proxy use squid_deb_proxy::client --- puppet/modules/site_config/manifests/default.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index e299a0f4..0a4e75b6 100644 --- a/puppet/modules/site_config/manifests/default.pp 
+++ b/puppet/modules/site_config/manifests/default.pp @@ -44,4 +44,15 @@ class site_config::default { # set up core leap files and directories include site_config::files + + # redundant declarations, remove if + # "Move setup.pp to a subclass (site_config::setup) (Feature #2993)" + # is solved. + + # if squid_deb_proxy_client is set to true, install and configure + # squid_deb_proxy_client for apt caching + if hiera('squid_deb_proxy_client', false) { + include site_squid_deb_proxy::client + } + } -- cgit v1.2.3 From 3cdebf3ebe73cb2859dc852dcc73a8ee2d60e976 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Aug 2013 19:45:56 -0400 Subject: install a preliminary firewall that blocks everything, except ssh for the cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339) Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38 --- puppet/modules/site_config/manifests/firewall.pp | 62 ++++++++++++++++++++++ .../templates/ipv4firewall_up.rules.erb | 20 +++++++ .../templates/ipv6firewall_up.rules.erb | 7 +++ 3 files changed, 89 insertions(+) create mode 100644 puppet/modules/site_config/manifests/firewall.pp create mode 100644 puppet/modules/site_config/templates/ipv4firewall_up.rules.erb create mode 100644 puppet/modules/site_config/templates/ipv6firewall_up.rules.erb (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/firewall.pp b/puppet/modules/site_config/manifests/firewall.pp new file mode 100644 index 00000000..b9fc5ffe --- /dev/null +++ b/puppet/modules/site_config/manifests/firewall.pp 
@@ -0,0 +1,62 @@
+class site_config::initial_firewall {
+
+ # This class is intended to setup an initial firewall, before shorewall is
+ # configured. The purpose of this is for the rare case where shorewall fails
+ # to start, we should not expose services to the public.
+
+ $ssh_config = hiera('ssh')
+ $ssh_port = $ssh_config['port']
+
+ package { 'iptables':
+ ensure => present
+ }
+
+ file {
+ # This firewall enables ssh access, dns lookups and web lookups (for
+ # package installation) but otherwise restricts all outgoing and incoming
+ # ports
+ '/etc/network/ipv4firewall_up.rules':
+ content => template('site_config/ipv4firewall_up.rules.erb'),
+ owner => root,
+ group => 0,
+ mode => '0644';
+
+ # This firewall denys all ipv6 traffic - we will need to change this
+ # when we begin to support ipv6
+ '/etc/network/ipv6firewall_up.rules':
+ content => template('site_config/ipv6firewall_up.rules.erb'),
+ owner => root,
+ group => 0,
+ mode => '0644';
+
+ # Run the iptables-restore in if-pre-up so that the network is locked down
+ # until the correct interfaces and ips are connected
+ '/etc/network/if-pre-up.d/ipv4tables':
+ content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n",
+ owner => root,
+ group => 0,
+ mode => '0744';
+
+ # Same as above for IPv6
+ '/etc/network/if-pre-up.d/ipv6tables':
+ content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n",
+ owner => root,
+ group => 0,
+ mode => '0744';
+ }
+
+ # Immediately setup these firewall rules, but only if shorewall is not running
+ exec {
+ 'default_ipv4_firewall':
+ command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
+ logoutput => true,
+ unless => '/sbin/shorewall status',
+ require => File['/etc/network/ipv4firewall_up.rules'];
+
+ 'default_ipv6_firewall':
+ command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
+ logoutput => true,
+ unless => '/sbin/shorewall status',
+ require => File['/etc/network/ipv6firewall_up.rules'];
+ }
+}
diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
new file mode 100644
index 00000000..c03716f3
--- /dev/null
+++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb
@@ -0,0 +1,20 @@
+# Generated by iptables-save v1.4.14 on Tue Aug 20 14:40:40 2013
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport <%= @ssh_port %> -j ACCEPT
+-A INPUT -p udp -m udp --sport 53 -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT
+-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
+-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
+-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+COMMIT
diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
new file mode 100644
index 00000000..e7fae52e
--- /dev/null
+++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb
@@ -0,0 +1,7 @@
+# Generated by ip6tables-save v1.4.20 on Tue Aug 20 12:19:43 2013
+*filter
+:INPUT DROP [24:1980]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [14:8030]
+COMMIT
+# Completed on Tue Aug 20 12:19:43 2013
-- cgit v1.2.3
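Review bot: Both `exec` commands depend on shell redirection (`/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules`) but no `provider => shell` is set; with Puppet's default posix exec provider the command is executed directly and the `<` is handed to the binary as an argument, so the fail-safe rule set is presumably never loaded — confirm which provider this Puppet version applies. Passing the file as an argument, `command => '/sbin/iptables-restore /etc/network/ipv4firewall_up.rules',` (and the ip6tables equivalent), removes the shell dependency; the same concern applies to the `test -x … && …` `unless` checks added to these execs in commit 99ffaf7. `$ssh_port` is interpolated into the rules template unvalidated, and a non-numeric hiera value makes `iptables-restore` reject the whole file, leaving the node with no initial rules at all; a check such as `if $ssh_port !~ /^\d+$/ { fail("ssh port must be numeric") }` before the `file` resources surfaces that at compile time.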
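Review bot: `-A INPUT -p udp -m udp --sport 53 -j ACCEPT` accepts any UDP datagram whose source port happens to be 53, regardless of destination port or connection state, which punches a hole through the `INPUT DROP` policy for every UDP listener on the host; the preceding `--state RELATED,ESTABLISHED` rule already admits genuine DNS replies, so the `--sport 53` line can be removed outright. In the same way `-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT` lets any local process that binds the ssh port open arbitrary outbound TCP connections; replacing it with `-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` still covers sshd's replies and also makes the `NEW,ESTABLISHED` qualifiers on the remaining per-port OUTPUT rules redundant. The `# Generated by iptables-save …` header is misleading for a hand-maintained ERB template and is better replaced by a comment naming the intent, e.g. `# fail-safe rules loaded before shorewall; keep to ssh in, dns/ntp/http out`.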
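Review bot: With `:INPUT DROP` and `:OUTPUT DROP` and no loopback exception, this ruleset also drops IPv6 loopback traffic, so any local service that listens on `::1` is unreachable while the fail-safe set is active; if that is intended, the `# This firewall denys all ipv6 traffic` comment in `initial_firewall.pp` should say that loopback is included, otherwise add `-A INPUT -i lo -j ACCEPT` and `-A OUTPUT -o lo -j ACCEPT` as the v4 template does for INPUT. The `[24:1980]` and `[14:8030]` packet counters are leftovers from the machine the file was saved on; `[0:0]`, as in the v4 template, avoids the question of where they came from.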
From 14cee35e55c999663dbd8ac34197b6ce7382e35d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Aug 2013 14:55:33 -0400 Subject: fix name of initial_firewall.pp file (#3339) Change-Id: I341628d0f36225ce49ae301246e7c152553efcae --- puppet/modules/site_config/manifests/firewall.pp | 62 ---------------------- .../site_config/manifests/initial_firewall.pp | 62 ++++++++++++++++++++++ 2 files changed, 62 insertions(+), 62 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/firewall.pp create mode 100644 puppet/modules/site_config/manifests/initial_firewall.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/firewall.pp b/puppet/modules/site_config/manifests/firewall.pp deleted file mode 100644 index b9fc5ffe..00000000 --- a/puppet/modules/site_config/manifests/firewall.pp +++ /dev/null 
@@ -1,62 +0,0 @@ -class site_config::initial_firewall { - - # This class is intended to setup an initial firewall, before shorewall is - # configured. The purpose of this is for the rare case where shorewall fails - # to start, we should not expose services to the public. - - $ssh_config = hiera('ssh') - $ssh_port = $ssh_config['port'] - - package { 'iptables': - ensure => present - } - - file { - # This firewall enables ssh access, dns lookups and web lookups (for - # package installation) but otherwise restricts all outgoing and incoming - # ports - '/etc/network/ipv4firewall_up.rules': - content => template('site_config/ipv4firewall_up.rules.erb'), - owner => root, - group => 0, - mode => '0644'; - - # This firewall denys all ipv6 traffic - we will need to change this - # when we begin to support ipv6 - '/etc/network/ipv6firewall_up.rules': - content => template('site_config/ipv6firewall_up.rules.erb'), - owner => root, - group => 0, - mode => '0644'; - - # Run the iptables-restore in if-pre-up so that the network is locked down - # until the correct interfaces and ips are connected - '/etc/network/if-pre-up.d/ipv4tables': - content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n", - owner => root, - group => 0, - mode => '0744'; - - # Same as above for IPv6 - '/etc/network/if-pre-up.d/ipv6tables': - content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n", - owner => root, - group => 0, - mode => '0744'; - } - - # Immediately setup these firewall rules, but only if shorewall is not running - exec { - 'default_ipv4_firewall': - command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', - logoutput => true, - unless => '/sbin/shorewall status', - require => File['/etc/network/ipv4firewall_up.rules']; - - 'default_ipv6_firewall': - command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', - logoutput => true, - unless => '/sbin/shorewall status', - require => 
File['/etc/network/ipv6firewall_up.rules']; - } -} diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp new file mode 100644 index 00000000..b9fc5ffe --- /dev/null +++ b/puppet/modules/site_config/manifests/initial_firewall.pp 
@@ -0,0 +1,62 @@ +class site_config::initial_firewall { + + # This class is intended to setup an initial firewall, before shorewall is + # configured. The purpose of this is for the rare case where shorewall fails + # to start, we should not expose services to the public. + + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] + + package { 'iptables': + ensure => present + } + + file { + # This firewall enables ssh access, dns lookups and web lookups (for + # package installation) but otherwise restricts all outgoing and incoming + # ports + '/etc/network/ipv4firewall_up.rules': + content => template('site_config/ipv4firewall_up.rules.erb'), + owner => root, + group => 0, + mode => '0644'; + + # This firewall denys all ipv6 traffic - we will need to change this + # when we begin to support ipv6 + '/etc/network/ipv6firewall_up.rules': + content => template('site_config/ipv6firewall_up.rules.erb'), + owner => root, + group => 0, + mode => '0644'; + + # Run the iptables-restore in if-pre-up so that the network is locked down + # until the correct interfaces and ips are connected + '/etc/network/if-pre-up.d/ipv4tables': + content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n", + owner => root, + group => 0, + mode => '0744'; + + # Same as above for IPv6 + '/etc/network/if-pre-up.d/ipv6tables': + content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n", + owner => root, + group => 0, + mode => '0744'; + } + + # Immediately setup these firewall rules, but only if shorewall is not running + exec { + 'default_ipv4_firewall': + command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', + logoutput => true, + unless => '/sbin/shorewall status', + require => File['/etc/network/ipv4firewall_up.rules']; + + 'default_ipv6_firewall': + command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', + logoutput => true, + unless => '/sbin/shorewall status', + require => 
File['/etc/network/ipv6firewall_up.rules']; + } +} -- cgit v1.2.3 From 9e66f8128274a8c82d3af50597b8a61061153186 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 10:54:28 -0400 Subject: require that shorewall has been installed before execs are run (#3339) Change-Id: Iae2b1cacd64565931cef77194a733aeae681efaf --- puppet/modules/site_config/manifests/initial_firewall.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index b9fc5ffe..9178a5f2 100644 --- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp @@ -51,12 +51,14 @@ class site_config::initial_firewall { command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, unless => '/sbin/shorewall status', - require => File['/etc/network/ipv4firewall_up.rules']; + require => [ Package['shorewall'], + File['/etc/network/ipv4firewall_up.rules'] ]; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, unless => '/sbin/shorewall status', - require => File['/etc/network/ipv6firewall_up.rules']; + require => [ Package['shorewall'], + File['/etc/network/ipv6firewall_up.rules'] ]; } } -- cgit v1.2.3 From 94cdd54caa0cfabb80dab35ebfe9ae02d68ddfb3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 15:47:18 -0400 Subject: Work around for shorewall not being available at the site_config stage (#3339) Change-Id: Id3138cb967f76380b7f4e22ce862a099cb47669e --- puppet/modules/site_config/manifests/initial_firewall.pp | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_config') 
diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index 9178a5f2..6bef0032 100644 --- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp @@ -50,15 +50,13 @@ class site_config::initial_firewall { 'default_ipv4_firewall': command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, - unless => '/sbin/shorewall status', - require => [ Package['shorewall'], - File['/etc/network/ipv4firewall_up.rules'] ]; + unless => '/etc/init.d/shorewall status', + require => File['/etc/network/ipv4firewall_up.rules']; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, - unless => '/sbin/shorewall status', - require => [ Package['shorewall'], - File['/etc/network/ipv6firewall_up.rules'] ]; + unless => '/etc/init.d/shorewall status', + require => File['/etc/network/ipv6firewall_up.rules']; } } -- cgit v1.2.3 From 99ffaf7ab6fb4ee39b1e2bb4977a9101cdfebec6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Sep 2013 14:56:27 -0400 Subject: need to test that /etc/init.d/shorewall exists before attempting to call it, otherwise puppet complains (#3339) Change-Id: I7c8cc235817fe3d898157de4c4fdd8f1fe74f05a --- puppet/modules/site_config/manifests/initial_firewall.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index 6bef0032..51cceb31 100644 --- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp 
@@ -50,13 +50,13 @@ class site_config::initial_firewall { 'default_ipv4_firewall': command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, - unless => '/etc/init.d/shorewall status', + unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status', require => File['/etc/network/ipv4firewall_up.rules']; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, - unless => '/etc/init.d/shorewall status', + unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status', require => File['/etc/network/ipv6firewall_up.rules']; } } -- cgit v1.2.3 From f9ee40f2fca2396c1ef7d85a9c44b97fe834671a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Sep 2013 22:46:56 -0400 Subject: fix initial firewall to allow outgoing lo traffic and outgoing port 443 (#3736) this allows nameserver queries to the local resolver to work and clones to the leap https repository to work Change-Id: I575d08405a0c28e12c8d201a8dbc79585a5a9a48 --- puppet/modules/site_config/templates/ipv4firewall_up.rules.erb | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb index c03716f3..524ae308 100644 --- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb +++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb 
@@ -10,10 +10,12 @@ -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 +-A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT +-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 -- cgit v1.2.3 From 4d58a02c83baf0ce0a9ecb349d998aa3dad9493f Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 13 Sep 2013 14:17:20 +0200 Subject: deploy default x509::ca leap_ca in site_config::default (#3817) --- puppet/modules/site_config/manifests/default.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 0a4e75b6..dd0d37f7 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -55,4 +55,15 @@ class site_config::default { include site_squid_deb_proxy::client } + # Set up leap ca + $x509 = hiera('x509') + $ca = $x509['ca_cert'] + $ca_name = 'leap_ca' + + x509::ca { $ca_name: + content => $ca, + before => [ + Class['Site_openvpn::Keys'], + Class['Site_stunnel'] ] + } } -- cgit v1.2.3 From 3a9569ca027dccef87509323f08407e60039d9a9 Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 13 Sep 2013 15:55:09 +0200 Subject: Deploy default x509 cert + key that services can use (Feature #3836) --- puppet/modules/site_config/manifests/default.pp | 13 ++----------- puppet/modules/site_config/manifests/params.pp | 3 +++ puppet/modules/site_config/manifests/x509.pp | 19 +++++++++++++++++++ 3 files changed, 24 insertions(+), 11 deletions(-) create mode 100644 puppet/modules/site_config/manifests/x509.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index dd0d37f7..b315044a 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -55,15 +55,6 @@ class site_config::default { include site_squid_deb_proxy::client } - # Set up leap ca - $x509 = hiera('x509') - $ca = $x509['ca_cert'] - $ca_name = 'leap_ca' - - x509::ca { $ca_name: - content => $ca, - before => [ - Class['Site_openvpn::Keys'], - Class['Site_stunnel'] ] - } + include site_config::x509 + } diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 237ee454..20697042 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -22,4 +22,7 @@ class site_config::params { else { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") } + + $ca_name = 'leap_ca' + $cert_name = 'leap' } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp new file mode 100644 index 00000000..879285dd --- /dev/null +++ b/puppet/modules/site_config/manifests/x509.pp 
@@ -0,0 +1,19 @@ +class site_config::x509 { + + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + + x509::key { $site_config::params::cert_name: + content => $key + } + + x509::cert { $site_config::params::cert_name: + content => $cert + } + + x509::ca { $site_config::params::ca_name: + content => $ca + } +} -- cgit v1.2.3 From f1ad11887a65b94f101e0d99363daeba93020d2a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 14 Sep 2013 13:00:15 -0400 Subject: ensure site_config::caching_resolver runs with tag leap_base (#3757) Change-Id: I593602ff9d3486dee39227673147e137045c55c5 --- puppet/modules/site_config/manifests/caching_resolver.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 922c394f..3d7b9206 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,4 +1,5 @@ class site_config::caching_resolver { + tag 'leap_base' # Setup a conf.d directory to place additional unbound configuration files. # There must be at least one file in the directory, or unbound will not start, -- cgit v1.2.3 From ecb3727ad43ee55f07db067e80b9d74308296582 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Sep 2013 18:00:32 +0200 Subject: site_config::params::interface should contain eth1 for vagrant cause it's the main interface we use (#2399, #2401) --- puppet/modules/site_config/manifests/params.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 20697042..a4657457 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp 
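Review bot: `$site_config::params::cert_name` and `$site_config::params::ca_name` are read without an `include site_config::params` in this class; unless that class is guaranteed to be evaluated earlier in every catalog that includes `site_config::x509` (not visible in this diff), the references resolve to undef and the `x509::key`/`x509::cert`/`x509::ca` titles are empty, which presumably fails compilation. Adding `include site_config::params` as the first statement removes the ordering dependency; the split-out classes in `x509/ca.pp`, `x509/ca_bundle.pp`, `x509/cert_key.pp` and `x509/client_ca.pp` introduced in a later commit carry the same reference. `hiera('x509')` has no default and `$x509['key']` is indexed unconditionally, so a node without the hash aborts compilation rather than skipping the resources; a comment stating that this is deliberate would help. Since `content => $key` carries a private key, it is worth confirming (outside this diff) that the `x509::key` define writes its file with a `0600` mode and does not echo the value in reports.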
@@ -5,7 +5,7 @@ class site_config::params { $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") if $::virtual == 'virtualbox' { - $interface = [ 'eth0', 'eth1' ] + $interface = 'eth1' } elsif hiera('interface','') != '' { $interface = hiera('interface') @@ -17,7 +17,7 @@ class site_config::params { $interface = $ec2_local_ipv4_interface } elsif $::interfaces =~ /eth0/ { - $interface = eth0 + $interface = 'eth0' } else { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") -- cgit v1.2.3 From 5ca8f6f9d26a2c2abfa9f1752aad6b8d91020074 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Sep 2013 18:37:00 +0200 Subject: shorewall: #2399 blocks uplink (Bug #2866) --- puppet/modules/site_config/manifests/default.pp | 7 +++++++ puppet/modules/site_config/manifests/vagrant.pp | 10 ++++++++++ 2 files changed, 17 insertions(+) create mode 100644 puppet/modules/site_config/manifests/vagrant.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index b315044a..83a344a2 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -15,11 +15,18 @@ class site_config::default { # configure ssh and include ssh-keys include site_config::sshd + # include classes for special environments + # i.e. openstack/aws nodes, vagrant nodes + # fix dhclient from changing resolver information if $::ec2_instance_id { include site_config::dhclient } + if ( $::virtual == 'virtualbox' ) { + include site_config::vagrant + } + # configure /etc/resolv.conf include site_config::resolvconf diff --git a/puppet/modules/site_config/manifests/vagrant.pp b/puppet/modules/site_config/manifests/vagrant.pp new file mode 100644 index 00000000..04266735 --- /dev/null +++ b/puppet/modules/site_config/manifests/vagrant.pp 
@@ -0,0 +1,10 @@ +class site_config::vagrant { + # class for vagrant nodes + + # eth0 on vagrant nodes is the uplink if + shorewall::interface { 'eth0': + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + +} -- cgit v1.2.3 From bdfef97e49f17c74158084e10e7d0121cc70dd42 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Sep 2013 19:11:39 +0200 Subject: openvpn should use /usr/local/share/ca-certificates/leap_ca.crt (Feature #3831) --- puppet/modules/site_config/manifests/params.pp | 5 +++-- puppet/modules/site_config/manifests/x509.pp | 5 +++++ 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index a4657457..b434af90 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -23,6 +23,7 @@ class site_config::params { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") } - $ca_name = 'leap_ca' - $cert_name = 'leap' + $ca_name = 'leap_ca' + $ca_bundle_name = 'leap_ca_bundle' + $cert_name = 'leap' } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp index 879285dd..2660c523 100644 --- a/puppet/modules/site_config/manifests/x509.pp +++ b/puppet/modules/site_config/manifests/x509.pp @@ -4,6 +4,7 @@ class site_config::x509 { $key = $x509['key'] $cert = $x509['cert'] $ca = $x509['ca_cert'] + $client_ca = $x509['client_ca_cert'] x509::key { $site_config::params::cert_name: content => $key @@ -16,4 +17,8 @@ class site_config::x509 { x509::ca { $site_config::params::ca_name: content => $ca } + + x509::ca { $site_config::params::ca_bundle_name: + content => "${ca}${client_ca}" + } } -- cgit v1.2.3 From 869b9e26475180d41513d036a0600ee433da1b77 Mon Sep 17 00:00:00 2001 
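Review bot: `content => "${ca}${client_ca}"` joins the two PEM blobs with nothing between them; if the `ca_cert` value from hiera lacks a trailing newline, `-----END CERTIFICATE-----` and the next `-----BEGIN CERTIFICATE-----` land on one line and the second certificate is silently dropped by most PEM parsers. `content => "${ca}\n${client_ca}"` is safe either way, since a blank line between PEM blocks is tolerated. A comment on the resource would also help, because anything that uses `leap_ca_bundle` as its trust store accepts certificates issued by either CA — presumably the server CA and the client CA, from the key names — so it should only be referenced where that is intended.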
From: varac Date: Wed, 18 Sep 2013 16:50:15 +0200 Subject: deploy client_ca (#3833) --- puppet/modules/site_config/manifests/params.pp | 1 + puppet/modules/site_config/manifests/x509.pp | 4 ++++ 2 files changed, 5 insertions(+) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index b434af90..008a4e1f 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -24,6 +24,7 @@ class site_config::params { } $ca_name = 'leap_ca' + $client_ca_name = 'leap_client_ca' $ca_bundle_name = 'leap_ca_bundle' $cert_name = 'leap' } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp index 2660c523..8eca97e7 100644 --- a/puppet/modules/site_config/manifests/x509.pp +++ b/puppet/modules/site_config/manifests/x509.pp @@ -18,6 +18,10 @@ class site_config::x509 { content => $ca } + x509::ca { $site_config::params::client_ca_name: + content => $client_ca + } + x509::ca { $site_config::params::ca_bundle_name: content => "${ca}${client_ca}" } -- cgit v1.2.3 From 1ce6cb5a30c5ee73d6474ac9c1bbd4c7819d9a73 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 19 Sep 2013 12:19:00 +0200 Subject: only deploy x509 stuff for nodes if it existes in hiera (Feature #3875) --- puppet/modules/site_config/manifests/default.pp | 2 -- puppet/modules/site_config/manifests/x509.pp | 28 ---------------------- puppet/modules/site_config/manifests/x509/ca.pp | 9 +++++++ .../site_config/manifests/x509/ca_bundle.pp | 10 ++++++++ .../modules/site_config/manifests/x509/cert_key.pp | 15 ++++++++++++ .../site_config/manifests/x509/client_ca.pp | 9 +++++++ 6 files changed, 43 insertions(+), 30 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/x509.pp create mode 100644 puppet/modules/site_config/manifests/x509/ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/ca_bundle.pp create mode 100644 puppet/modules/site_config/manifests/x509/cert_key.pp create mode 100644 puppet/modules/site_config/manifests/x509/client_ca.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 83a344a2..b27e99af 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -62,6 +62,4 @@ class site_config::default { include site_squid_deb_proxy::client } - include site_config::x509 - } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp deleted file mode 100644 index 8eca97e7..00000000 --- a/puppet/modules/site_config/manifests/x509.pp +++ /dev/null 
@@ -1,28 +0,0 @@ -class site_config::x509 { - - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $client_ca = $x509['client_ca_cert'] - - x509::key { $site_config::params::cert_name: - content => $key - } - - x509::cert { $site_config::params::cert_name: - content => $cert - } - - x509::ca { $site_config::params::ca_name: - content => $ca - } - - x509::ca { $site_config::params::client_ca_name: - content => $client_ca - } - - x509::ca { $site_config::params::ca_bundle_name: - content => "${ca}${client_ca}" - } -} diff --git a/puppet/modules/site_config/manifests/x509/ca.pp b/puppet/modules/site_config/manifests/x509/ca.pp new file mode 100644 index 00000000..b16d0eeb --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/ca.pp @@ -0,0 +1,9 @@ +class site_config::x509::ca { + + $x509 = hiera('x509') + $ca = $x509['ca_cert'] + + x509::ca { $site_config::params::ca_name: + content => $ca + } +} diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp new file mode 100644 index 00000000..204f0a5e --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp @@ -0,0 +1,10 @@ +class site_config::x509::ca_bundle { + + $x509 = hiera('x509') + $ca = $x509['ca_cert'] + $client_ca = $x509['client_ca_cert'] + + x509::ca { $site_config::params::ca_bundle_name: + content => "${ca}${client_ca}" + } +} diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp new file mode 100644 index 00000000..d55c6cf2 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/cert_key.pp @@ -0,0 +1,15 @@ +class site_config::x509::cert_key { + + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + + x509::key { $site_config::params::cert_name: + content => $key + } + + x509::cert { $site_config::params::cert_name: + content => $cert + } + +} 
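Review bot: `$x509 = hiera('x509')` in site_config::x509::ca has no default, so including the class on a node whose hiera data has no `x509` hash aborts catalog compilation instead of skipping deployment, which is at odds with the commit subject unless the gating is meant to happen at the include site; the same lookup is repeated in ca_bundle, cert_key and client_ca. If that is the intent, each class should say so at the top, e.g. `# Include only on nodes that define 'x509' in hiera: the lookup below has no default and fails the catalog otherwise.` A single lookup in site_config::params would also avoid four independent copies of a hash that carries the node's private key.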
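Review bot: `content => "${ca}${client_ca}"` in site_config::x509::ca_bundle joins the two PEM blobs with nothing between them, so if `ca_cert` does not end in a newline the bundle contains `-----END CERTIFICATE----------BEGIN CERTIFICATE-----` on one line and the second CA is invisible to PEM parsers. Unless the hiera values are guaranteed to be newline-terminated, an explicit separator is safer: `content => "${ca}\n${client_ca}"` (an extra blank line between blocks is harmless).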
diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp new file mode 100644 index 00000000..f91ea970 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca.pp @@ -0,0 +1,9 @@ +class site_config::x509::client_ca { + + $x509 = hiera('x509') + $client_ca = $x509['client_ca_cert'] + + x509::ca { $site_config::params::client_ca_name: + content => $client_ca + } +} -- cgit v1.2.3 From c68399c019d09a4c8ba44f47936b4b3842802177 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:29:15 +0200 Subject: tidy openvpn x509 definitions (#3831) --- puppet/modules/site_config/manifests/x509/ca_bundle.pp | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp index 204f0a5e..4cbe574a 100644 --- a/puppet/modules/site_config/manifests/x509/ca_bundle.pp +++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp @@ -1,5 +1,11 @@ class site_config::x509::ca_bundle { + # CA bundle -- we want to have the possibility of allowing multiple CAs. + # For now, the reason is to transition to using client CA. In the future, + # we will want to be able to smoothly phase out one CA and phase in another. + # I tried "--capath" for this, but it did not work. + + $x509 = hiera('x509') $ca = $x509['ca_cert'] $client_ca = $x509['client_ca_cert'] -- cgit v1.2.3 From b798d716e5219d00b5b94ce8b80566e4b3bf0899 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 13:11:24 +0200 Subject: webapp: Depend services on deployment of default key, cert and ca (Feature #3838) --- puppet/modules/site_config/manifests/x509/client_ca.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet/modules/site_config') 
diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp index f91ea970..3e914cf5 100644 --- a/puppet/modules/site_config/manifests/x509/client_ca.pp +++ b/puppet/modules/site_config/manifests/x509/client_ca.pp @@ -1,5 +1,10 @@ class site_config::x509::client_ca { + ## + ## This is for the special CA that is used exclusively for generating + ## client certificates by the webapp. + ## + $x509 = hiera('x509') $client_ca = $x509['client_ca_cert'] -- cgit v1.2.3 From 98d8a337930d5afaf78d88c23adb985a7060f66b Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 18:31:51 +0200 Subject: move all resources that are applied on every node into site_config::default (#3782) in commit 338833, we established a relationship between all resources that have a leap_service tag, that are called in site.pp. But we had some resources as default on every node in site.pp (apt::update, Package { require => Exec['apt_updated'] }, site_config::slow and stdlib), that were still lacking any relationship to the leap_service tag. By moving them into default.pp they automatically are executed before resources with a leap_service tag. --- puppet/modules/site_config/manifests/default.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 83a344a2..13de82af 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -3,6 +3,15 @@ class site_config::default { $domain_hash = hiera('domain') + # make sure apt is updated before any packages are installed + include apt::update + Package { require => Exec['apt_updated'] } + + include stdlib + + include site_config::slow + + include concat::setup # default class, used by all hosts -- cgit v1.2.3 From ffa4504f81c0abecc62b068951ec147741028128 Mon Sep 17 00:00:00 2001 
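Review bot: The resource default `Package { require => Exec['apt_updated'] }` was global while it lived in site.pp; inside class site_config::default it is dynamically scoped, so it only reaches package resources evaluated from this class and the classes it includes. Packages declared by classes that site.pp includes directly may no longer carry the implicit ordering on apt::update, which is worth confirming with a catalog diff before relying on the leap_service tag ordering the commit message describes. A comment stating the intended scope would help the next reader: `# NOTE: resource defaults are dynamically scoped; this only covers packages declared beneath site_config::default.`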
From: varac Date: Tue, 24 Sep 2013 09:09:30 +0200 Subject: seperate cert and key deployment (#3918) --- puppet/modules/site_config/manifests/x509/cert.pp | 10 ++++++++++ puppet/modules/site_config/manifests/x509/cert_key.pp | 15 --------------- puppet/modules/site_config/manifests/x509/key.pp | 9 +++++++++ 3 files changed, 19 insertions(+), 15 deletions(-) create mode 100644 puppet/modules/site_config/manifests/x509/cert.pp delete mode 100644 puppet/modules/site_config/manifests/x509/cert_key.pp create mode 100644 puppet/modules/site_config/manifests/x509/key.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/x509/cert.pp b/puppet/modules/site_config/manifests/x509/cert.pp new file mode 100644 index 00000000..7ed42959 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/cert.pp @@ -0,0 +1,10 @@ +class site_config::x509::cert { + + $x509 = hiera('x509') + $cert = $x509['cert'] + + x509::cert { $site_config::params::cert_name: + content => $cert + } + +} diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp deleted file mode 100644 index d55c6cf2..00000000 --- a/puppet/modules/site_config/manifests/x509/cert_key.pp +++ /dev/null @@ -1,15 +0,0 @@ -class site_config::x509::cert_key { - - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - - x509::key { $site_config::params::cert_name: - content => $key - } - - x509::cert { $site_config::params::cert_name: - content => $cert - } - -} diff --git a/puppet/modules/site_config/manifests/x509/key.pp b/puppet/modules/site_config/manifests/x509/key.pp new file mode 100644 index 00000000..32b59726 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/key.pp @@ -0,0 +1,9 @@ +class site_config::x509::key { + + $x509 = hiera('x509') + $key = $x509['key'] + + x509::key { $site_config::params::cert_name: + content => $key + } +} -- cgit v1.2.3 
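Review bot: site_config::x509::key puts the node's private key into the catalog via `content => $key`, and nothing in the hunk shows the underlying `x509::key` define suppressing diff output; if it does not set `show_diff => false` on its file resource, an agent run with diffs enabled would copy key material into logs and reports on every change. A comment on the resource would make the expectation explicit, e.g. `# private key material: x509::key must keep show_diff off and a restrictive mode`. The same applies to site_config::x509::commercial::key and site_config::x509::client_ca::key added later in this series.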
From 9fae612bd8d147321e0cb553610fcaf0140e84eb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 09:23:54 +0200 Subject: move commercial x509 deployment to site_x509 (Feature #3889) --- puppet/modules/site_config/manifests/params.pp | 10 ++++++---- puppet/modules/site_config/manifests/x509/commercial/ca.pp | 9 +++++++++ puppet/modules/site_config/manifests/x509/commercial/cert.pp | 10 ++++++++++ puppet/modules/site_config/manifests/x509/commercial/key.pp | 9 +++++++++ 4 files changed, 34 insertions(+), 4 deletions(-) create mode 100644 puppet/modules/site_config/manifests/x509/commercial/ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/commercial/cert.pp create mode 100644 puppet/modules/site_config/manifests/x509/commercial/key.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 008a4e1f..59a161e8 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -23,8 +23,10 @@ class site_config::params { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") } - $ca_name = 'leap_ca' - $client_ca_name = 'leap_client_ca' - $ca_bundle_name = 'leap_ca_bundle' - $cert_name = 'leap' + $ca_name = 'leap_ca' + $client_ca_name = 'leap_client_ca' + $ca_bundle_name = 'leap_ca_bundle' + $cert_name = 'leap' + $commercial_ca_name = 'leap_commercial_ca' + $commercial_cert_name = 'leap_commercial' } diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp new file mode 100644 index 00000000..8f35759f --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp 
@@ -0,0 +1,9 @@ +class site_config::x509::commercial::ca { + + $x509 = hiera('x509') + $ca = $x509['commercial_ca_cert'] + + x509::ca { $site_config::params::commercial_ca_name: + content => $ca + } +} diff --git a/puppet/modules/site_config/manifests/x509/commercial/cert.pp b/puppet/modules/site_config/manifests/x509/commercial/cert.pp new file mode 100644 index 00000000..0c71a705 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/cert.pp @@ -0,0 +1,10 @@ +class site_config::x509::commercial::cert { + + $x509 = hiera('x509') + $cert = $x509['commercial_cert'] + + x509::cert { $site_config::params::commercial_cert_name: + content => $cert + } + +} diff --git a/puppet/modules/site_config/manifests/x509/commercial/key.pp b/puppet/modules/site_config/manifests/x509/commercial/key.pp new file mode 100644 index 00000000..d32e85ef --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/key.pp @@ -0,0 +1,9 @@ +class site_config::x509::commercial::key { + + $x509 = hiera('x509') + $key = $x509['commercial_key'] + + x509::key { $site_config::params::commercial_cert_name: + content => $key + } +} -- cgit v1.2.3 From 0447e92ab5dcc3d8a07613a765c60db23252f278 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 17:55:22 +0200 Subject: added site_config::x509::client_ca::cert and site_config::x509::client_ca::key for client_ca deployment (#3917) --- puppet/modules/site_config/manifests/x509/client_ca.pp | 14 -------------- puppet/modules/site_config/manifests/x509/client_ca/ca.pp | 14 ++++++++++++++ puppet/modules/site_config/manifests/x509/client_ca/key.pp | 14 ++++++++++++++ 3 files changed, 28 insertions(+), 14 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/x509/client_ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/client_ca/ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/client_ca/key.pp (limited to 'puppet/modules/site_config') 
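Review bot: `$ca = $x509['commercial_ca_cert']` evaluates to undef when the hiera hash has no `commercial_ca_cert` key, and `content => undef` presumably leaves x509::ca managing a file without content rather than failing, so a node that lacks commercial material can end up with an empty or stale CA file and no error; commercial::cert and commercial::key in this commit have the same shape. A guard turns that into a visible failure: `if $ca == undef { fail('x509 commercial_ca_cert is not set in hiera') }`.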
diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp deleted file mode 100644 index 3e914cf5..00000000 --- a/puppet/modules/site_config/manifests/x509/client_ca.pp +++ /dev/null @@ -1,14 +0,0 @@ -class site_config::x509::client_ca { - - ## - ## This is for the special CA that is used exclusively for generating - ## client certificates by the webapp. - ## - - $x509 = hiera('x509') - $client_ca = $x509['client_ca_cert'] - - x509::ca { $site_config::params::client_ca_name: - content => $client_ca - } -} diff --git a/puppet/modules/site_config/manifests/x509/client_ca/ca.pp b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp new file mode 100644 index 00000000..0f313898 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp @@ -0,0 +1,14 @@ +class site_config::x509::client_ca::ca { + + ## + ## This is for the special CA that is used exclusively for generating + ## client certificates by the webapp. + ## + + $x509 = hiera('x509') + $cert = $x509['client_ca_cert'] + + x509::ca { $site_config::params::client_ca_name: + content => $cert + } +} diff --git a/puppet/modules/site_config/manifests/x509/client_ca/key.pp b/puppet/modules/site_config/manifests/x509/client_ca/key.pp new file mode 100644 index 00000000..f9ef3f52 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca/key.pp @@ -0,0 +1,14 @@ +class site_config::x509::client_ca::key { + + ## + ## This is for the special CA that is used exclusively for generating + ## client certificates by the webapp. + ## + + $x509 = hiera('x509') + $key = $x509['client_ca_key'] + + x509::key { $site_config::params::client_ca_name: + content => $key + } +} -- cgit v1.2.3 From 62271e0e067daef064dba2860a92eb6351510d3c Mon Sep 17 00:00:00 2001 
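Review bot: The header comment in site_config::x509::client_ca::key is copied from the ca.pp sibling and describes what the CA is for, not that this class deploys the CA's private key (`$x509['client_ca_key']`), which is the credential that lets its holder mint client certificates. The comment should say so and restrict where the class belongs: `## Deploys the PRIVATE KEY of the client CA. Include only on the node that signs client certificates (the webapp); every other node needs client_ca::ca (the certificate) at most.`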
From: Micah Anderson Date: Thu, 26 Sep 2013 15:47:03 -0400 Subject: create a site_config::packages directory, move site_config::base_packages to site_config::packages::base add site_config::packages::gnutls for inclusion (#3955) Change-Id: I9599eb26844503613c16f57ee17d6ea7bd0cf6fb --- .../modules/site_config/manifests/base_packages.pp | 28 ---------------------- puppet/modules/site_config/manifests/default.pp | 2 +- .../manifests/packages/base_packages.pp | 28 ++++++++++++++++++++++ .../site_config/manifests/packages/gnutls.pp | 5 ++++ 4 files changed, 34 insertions(+), 29 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/base_packages.pp create mode 100644 puppet/modules/site_config/manifests/packages/base_packages.pp create mode 100644 puppet/modules/site_config/manifests/packages/gnutls.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp deleted file mode 100644 index 3d40f7a2..00000000 --- a/puppet/modules/site_config/manifests/base_packages.pp +++ /dev/null 
@@ -1,28 +0,0 @@ -class site_config::base_packages { - - # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less' ]: - ensure => installed, - } - - # base set of packages that we want to remove everywhere - package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', - 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', - 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', - 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', - 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', - 'x11-utils', 'xterm' ]: - ensure => absent; - } - - if $::virtual == 'virtualbox' { - $virtualbox_ensure = present - } else { - $virtualbox_ensure = absent - } - - package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $virtualbox_ensure - } -} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 16932ab2..d3bb241f 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -48,7 +48,7 @@ class site_config::default { } # install/remove base packages - include site_config::base_packages + include site_config::packages::base # include basic shorewall config include site_shorewall::defaults diff --git a/puppet/modules/site_config/manifests/packages/base_packages.pp b/puppet/modules/site_config/manifests/packages/base_packages.pp new file mode 100644 index 00000000..d93e194b --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/base_packages.pp 
@@ -0,0 +1,28 @@ +class site_config::packages::base { + + # base set of packages that we want to have installed everywhere + package { [ 'etckeeper', 'screen', 'less' ]: + ensure => installed, + } + + # base set of packages that we want to remove everywhere + package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', + 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', + 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', + 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', + 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', + 'x11-utils', 'xterm' ]: + ensure => absent; + } + + if $::virtual == 'virtualbox' { + $virtualbox_ensure = present + } else { + $virtualbox_ensure = absent + } + + package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', + 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: + ensure => $virtualbox_ensure + } +} diff --git a/puppet/modules/site_config/manifests/packages/gnutls.pp b/puppet/modules/site_config/manifests/packages/gnutls.pp new file mode 100644 index 00000000..b1f17480 --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/gnutls.pp @@ -0,0 +1,5 @@ +class site_config::packages::gnutls { + + package { 'gnutls-bin': ensure => installed } + +} -- cgit v1.2.3 From f7bb77c38d31021e810b1b55097fa3329bd73ce7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 15:27:33 -0400 Subject: fix name of base class file Change-Id: I844970f1c8f895d5a460d5082bfa1a2a88b32ecd --- .../modules/site_config/manifests/packages/base.pp | 28 ++++++++++++++++++++++ .../manifests/packages/base_packages.pp | 28 ---------------------- 2 files changed, 28 insertions(+), 28 deletions(-) create mode 100644 puppet/modules/site_config/manifests/packages/base.pp delete mode 100644 puppet/modules/site_config/manifests/packages/base_packages.pp (limited to 'puppet/modules/site_config') 
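Review bot: The new file is `packages/base_packages.pp` but it declares `class site_config::packages::base`, and default.pp in the same commit now does `include site_config::packages::base`; the autoloader looks for that class in `packages/base.pp`, so the include cannot find it unless the file is loaded some other way. Renaming the file to `packages/base.pp` (as the following commit does) resolves it.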
diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp new file mode 100644 index 00000000..d93e194b --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -0,0 +1,28 @@ +class site_config::packages::base { + + # base set of packages that we want to have installed everywhere + package { [ 'etckeeper', 'screen', 'less' ]: + ensure => installed, + } + + # base set of packages that we want to remove everywhere + package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', + 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', + 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', + 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', + 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', + 'x11-utils', 'xterm' ]: + ensure => absent; + } + + if $::virtual == 'virtualbox' { + $virtualbox_ensure = present + } else { + $virtualbox_ensure = absent + } + + package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', + 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: + ensure => $virtualbox_ensure + } +} diff --git a/puppet/modules/site_config/manifests/packages/base_packages.pp b/puppet/modules/site_config/manifests/packages/base_packages.pp deleted file mode 100644 index d93e194b..00000000 --- a/puppet/modules/site_config/manifests/packages/base_packages.pp +++ /dev/null 
@@ -1,28 +0,0 @@ -class site_config::packages::base { - - # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less' ]: - ensure => installed, - } - - # base set of packages that we want to remove everywhere - package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', - 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', - 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', - 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', - 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', - 'x11-utils', 'xterm' ]: - ensure => absent; - } - - if $::virtual == 'virtualbox' { - $virtualbox_ensure = present - } else { - $virtualbox_ensure = absent - } - - package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $virtualbox_ensure - } -} -- cgit v1.2.3 From 04e270616db7d486eeacb298aed173731c9a2fe2 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 18:49:36 +0200 Subject: deploy postfix satellites on all nodes (Bug #1683) --- puppet/modules/site_config/manifests/default.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index d3bb241f..a645cb1a 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -71,4 +71,8 @@ class site_config::default { include site_squid_deb_proxy::client } + if $::services !~ /\bmx\b/ { + include site_postfix::satellite + } + } -- cgit v1.2.3 From c655713c15263848b5af8fc8d8b6b41e69cb8d1c Mon Sep 17 00:00:00 2001 
From: varac Date: Wed, 9 Oct 2013 14:55:16 +0200 Subject: don't remove dev-packages on webapp node they are needed for building gems --- puppet/modules/site_config/manifests/packages/base.pp | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index d93e194b..94ff679b 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -6,7 +6,7 @@ class site_config::packages::base { } # base set of packages that we want to remove everywhere - package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', + package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', 'fontconfig-config', 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', @@ -15,14 +15,17 @@ class site_config::packages::base { ensure => absent; } - if $::virtual == 'virtualbox' { - $virtualbox_ensure = present + if $::virtual == 'virtualbox' or $::services =~ /\bwebapp\b/ { + $dev_packages_ensure = present } else { - $virtualbox_ensure = absent + $dev_packages_ensure = absent } - package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', + # g++ and ruby1.9.1-dev are needed for nickserver/eventmachine (#4079) + # dev_packages are needed for building gems on the webapp node + + package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $virtualbox_ensure + ensure => $dev_packages_ensure } } -- cgit v1.2.3 From 23304bbc281ef25b9ad2a607631aaa728e9c7b29 Mon Sep 17 00:00:00 2001 
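Review bot: The new comment `# g++ and ruby1.9.1-dev are needed for nickserver/eventmachine (#4079)` names a package this class does not manage — ruby1.9.1-dev is not in the list below it — so it should either be added to the list or the comment should point at wherever it is installed. Separately, the `$::services =~ /\bwebapp\b/` branch now keeps a full compiler toolchain on production webapp nodes; the gem-build reason is stated, but it is worth saying explicitly that this is a deliberate attack-surface trade-off so that it is not "tidied away" later.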
From: varac Date: Thu, 10 Oct 2013 15:32:26 +0200 Subject: install ruby-dev for nickserver/webapp (#4079 + #4080) --- puppet/modules/site_config/manifests/ruby.pp | 4 +++- puppet/modules/site_config/manifests/ruby/dev.pp | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_config/manifests/ruby/dev.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp index 2a720114..9c005032 100644 --- a/puppet/modules/site_config/manifests/ruby.pp +++ b/puppet/modules/site_config/manifests/ruby.pp @@ -1,6 +1,8 @@ class site_config::ruby { Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - class { '::ruby': ruby_version => '1.9.3' } + class { '::ruby': + ruby_version => '1.9.3', + } class { 'bundler::install': install_method => 'package' } include rubygems } diff --git a/puppet/modules/site_config/manifests/ruby/dev.pp b/puppet/modules/site_config/manifests/ruby/dev.pp new file mode 100644 index 00000000..dbc77ae7 --- /dev/null +++ b/puppet/modules/site_config/manifests/ruby/dev.pp @@ -0,0 +1,6 @@ +class site_config::ruby::dev inherits site_config::ruby { + Class['::ruby'] { + ruby_version => '1.9.3', + install_dev => true + } +} -- cgit v1.2.3 From da6cb0546f91444d8c4e059eaa99f17fafe9c5a2 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 11 Oct 2013 18:02:59 +0200 Subject: fixed issues from https://review.leap.se/r/98/ --- puppet/modules/site_config/manifests/ruby.pp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp index 9c005032..2a720114 100644 --- a/puppet/modules/site_config/manifests/ruby.pp +++ b/puppet/modules/site_config/manifests/ruby.pp 
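Review bot: `site_config::ruby::dev` overrides `Class['::ruby']` with both `install_dev => true` and `ruby_version => '1.9.3'`, but the version is already what the parent class declares; restating it here means a future version bump in site_config::ruby is silently undone on dev nodes unless both places are edited. Only the parameter that differs needs overriding: `Class['::ruby'] { install_dev => true }`.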
@@ -1,8 +1,6 @@ class site_config::ruby { Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - class { '::ruby': - ruby_version => '1.9.3', - } + class { '::ruby': ruby_version => '1.9.3' } class { 'bundler::install': install_method => 'package' } include rubygems } -- cgit v1.2.3 From befbc71fa2af217ff89facd8e10794b60f19f66e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 15 Oct 2013 22:43:49 +0200 Subject: new fallback nameservers (#4113) * the german privacy foundation has dissolved itself and shut down their public nameserver. we are now using the public nameserver by Digitalcourage, a german privacy organisation (https://en.wikipedia.org/wiki/Digitalcourage) * the IP for the server of the swiss privacy foundation has changed (http://www.privacyfoundation.ch/de/service/server.html) --- puppet/modules/site_config/manifests/resolvconf.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 271c5043..b307f18b 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -2,12 +2,13 @@ class site_config::resolvconf { $domain_public = $site_config::default::domain_hash['full_suffix'] - # 127.0.0.1: caching-only local bind - # 87.118.100.175: http://server.privacyfoundation.de - # 62.141.58.13: http://www.privacyfoundation.ch/de/service/server.html class { '::resolvconf': domain => $domain_public, search => $domain_public, - nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ] + nameservers => [ + '127.0.0.1 # local caching-only, unbound', + '85.214.20.141 # Digitalcourage, a german privacy organisation: (https://en.wikipedia.org/wiki/Digitalcourage)', + '62.141.58.13 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)' + ] } } -- cgit v1.2.3 
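Review bot: The new `nameservers` entries carry their explanations inside the strings (`'127.0.0.1 # local caching-only, unbound'`), which only works if the `::resolvconf` class writes each element verbatim onto its own `nameserver` line and the libc resolver ignores the trailing tokens; if the module validates or reformats the addresses, or the template quotes them, every node loses name resolution. Keeping the addresses bare and the explanations as Puppet comments above the array, as the removed lines did, does not depend on that. The fallbacks are third-party resolvers whose IPs changed in this commit, so a comment on how their addresses were verified would also help the next person who has to update them.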
From 27f6e30c0096970c49efcf572227d39fe5612ed9 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 16 Oct 2013 00:02:27 +0200 Subject: vagrant: support other providers besides virtualbox (Bug #4158) --- puppet/modules/site_config/manifests/default.pp | 3 ++- puppet/modules/site_config/manifests/packages/base.pp | 4 +++- puppet/modules/site_config/manifests/params.pp | 4 +++- 3 files changed, 8 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index a645cb1a..c7243d5f 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -2,6 +2,7 @@ class site_config::default { tag 'leap_base' $domain_hash = hiera('domain') + include site_config::params # make sure apt is updated before any packages are installed include apt::update @@ -32,7 +33,7 @@ class site_config::default { include site_config::dhclient } - if ( $::virtual == 'virtualbox' ) { + if ( $::site_config::params::environment == 'local' ) { include site_config::vagrant } diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 94ff679b..3e1d4a67 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -1,5 +1,7 @@ class site_config::packages::base { + include site_config::params + # base set of packages that we want to have installed everywhere package { [ 'etckeeper', 'screen', 'less' ]: ensure => installed, @@ -15,7 +17,7 @@ class site_config::packages::base { ensure => absent; } - if $::virtual == 'virtualbox' or $::services =~ /\bwebapp\b/ { + if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ { $dev_packages_ensure = present } else { $dev_packages_ensure = absent 
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 59a161e8..2ef391db 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -3,8 +3,10 @@ class site_config::params { $ip_address = hiera('ip_address') $ip_address_interface = getvar("interface_${ip_address}") $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") + $environment = hiera('environment') - if $::virtual == 'virtualbox' { + + if $environment == 'local' { $interface = 'eth1' } elsif hiera('interface','') != '' { -- cgit v1.2.3 From de8fe441e1c07b63f1c02aa231a8a56c9a9448ec Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Oct 2013 11:16:18 -0400 Subject: rsyslog: setup default local config that gets us the same config as default from debian Change-Id: If07ee200e2ae0d9cfaf8e405d6354c80d77330ca --- puppet/modules/site_config/manifests/default.pp | 3 +++ puppet/modules/site_config/manifests/syslog.pp | 6 ++++++ 2 files changed, 9 insertions(+) create mode 100644 puppet/modules/site_config/manifests/syslog.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index c7243d5f..2380066a 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -48,6 +48,9 @@ class site_config::default { stage => setup, } + # install/configure syslog + include site_config::syslog + # install/remove base packages include site_config::packages::base diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp new file mode 100644 index 00000000..c7c55c34 --- /dev/null +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -0,0 +1,6 @@ +class site_config::syslog { + + class { 'rsyslog::client': log_remote => false, log_local => true } + +} + -- cgit v1.2.3 
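Review bot: `$environment = hiera('environment')` has no default, so every node that does not set `environment` in hiera now fails catalog compilation, and the same commit makes default.pp and packages/base.pp depend on this value. A default keeps the old behaviour for such nodes: `$environment = hiera('environment', undef)`. Also, the switch from the `$::virtual` fact to an operator-supplied hiera value means a node mislabelled `local` gets eth1, the vagrant config and the compiler packages regardless of what it actually runs on; worth a comment on the variable stating that.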
From aa86d15696245c6ded59ca51ceff8f6eaf3119c5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Oct 2013 12:18:15 -0400 Subject: syslog: add rsyslog::snippet to anonymize logs it is necessary to install the fixed package from the leap.se repository until it is available in wheezy-backports, so install the apt preferences to pull it from there, and add its necessary library dependency from wheezy-backports Change-Id: I379ff2ceaac1a978143715d3a7ced0011ca0d747 --- puppet/modules/site_config/manifests/syslog.pp | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index c7c55c34..6a9da460 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -1,6 +1,28 @@ class site_config::syslog { - class { 'rsyslog::client': log_remote => false, log_local => true } + # we need to pull in rsyslog from the leap repository until it is availbale in + # wheezy-backports + apt::preferences_snippet { 'fixed_rsyslog_anon_package': + package => 'rsyslog', + priority => '999', + pin => 'release o=leap.se', + before => Class['rsyslog::install'] + } -} + apt::preferences_snippet { 'rsyslog_anon_libestr0': + package => 'libestr0', + priority => '999', + pin => 'release a=wheezy-backports', + before => Class['rsyslog::install'] + } + + class { 'rsyslog::client': + log_remote => false, + log_local => true + } + rsyslog::snippet { '00-anonymize_logs': + content => '$ModLoad mmanon +action(type="mmanon" ipv4.bits="32" mode="rewrite")' + } +} -- cgit v1.2.3 From a44e598c29b66bd560dbe864b70f13aa324c1437 Mon Sep 17 00:00:00 2001 
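Review bot: The `00-anonymize_logs` snippet rewrites IPv4 addresses only (`ipv4.bits="32"`); IPv6 addresses in messages pass through untouched, and the rewrite only affects messages that reach this action before the output rules, so its effect depends on where rsyslog::snippet places the file relative to the module's other config and Debian's `$IncludeConfig` line. Both facts should be recorded next to the resource, e.g. `# mmanon rewrites IPv4 only (IPv6 is left intact); the 00- prefix must keep this action ahead of every output rule.` The class comment also has a typo (`availbale`).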
From: Micah Anderson Date: Wed, 16 Oct 2013 15:59:26 -0400 Subject: fix for rsyslog-relp being installed first, resulting in dependency errors (#4161) Change-Id: I2f0bcc5b4cb5effae57051f04251aeb8b09a4c6d --- puppet/modules/site_config/manifests/syslog.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index 6a9da460..73d4f58f 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -3,14 +3,14 @@ class site_config::syslog { # we need to pull in rsyslog from the leap repository until it is availbale in # wheezy-backports apt::preferences_snippet { 'fixed_rsyslog_anon_package': - package => 'rsyslog', + package => 'rsyslog-*', priority => '999', pin => 'release o=leap.se', before => Class['rsyslog::install'] } - apt::preferences_snippet { 'rsyslog_anon_libestr0': - package => 'libestr0', + apt::preferences_snippet { 'rsyslog_anon_depends': + package => 'libestr0 librelp0', priority => '999', pin => 'release a=wheezy-backports', before => Class['rsyslog::install'] -- cgit v1.2.3 From c884bc04e2eb29bdaacc5c6673ed7f212dc28e88 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Oct 2013 13:48:01 -0400 Subject: syslog: fix apt_preferences snippet to glob on both rsyslog and rsyslog-relp (#4161) Change-Id: I7eaa35897da3b24833be3b2c14db99cd66b547c0 --- puppet/modules/site_config/manifests/syslog.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index 73d4f58f..d3abeca1 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp 
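Review bot: `package => 'rsyslog-*'` matches only names with an `rsyslog-` prefix, so the `rsyslog` package itself — the one the previous commit pinned — no longer has a pin to the leap.se release and can come from Debian while `rsyslog-relp` is pinned to leap.se, which is the version mismatch the commit is trying to avoid. A glob that covers both is `package => 'rsyslog*'`.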
@@ -3,7 +3,7 @@ class site_config::syslog { # we need to pull in rsyslog from the leap repository until it is availbale in # wheezy-backports apt::preferences_snippet { 'fixed_rsyslog_anon_package': - package => 'rsyslog-*', + package => 'rsyslog*', priority => '999', pin => 'release o=leap.se', before => Class['rsyslog::install'] -- cgit v1.2.3 From d272b9a45b1099a17719fbe3c77b24f10b5de5cb Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 20 Oct 2013 20:59:22 +0200 Subject: Possibility to include local puppet recipes (Feature #3976) --- puppet/modules/site_config/manifests/default.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 2380066a..33d3df05 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -79,4 +79,9 @@ class site_config::default { include site_postfix::satellite } + # if class site_custom exists, include it. + # possibility for users to define custom puppet recipes + if defined( '::site_custom') { + include ::site_custom + } } -- cgit v1.2.3 From 846728631f5247984dfa69b7e82f5014e10f4427 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 25 Nov 2013 00:43:51 -0800 Subject: fix bug when 'environment' is nil in hiera.yaml --- puppet/modules/site_config/manifests/params.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 2ef391db..5bdc0077 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp 
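Review bot: `defined( '::site_custom')` silently does nothing when the class is absent, so a misspelled custom class name is never reported; the comment above it should say that, and where the class is expected to be found, e.g. `# a class named site_custom, if present in the modulepath, is included here; a missing or misnamed class is ignored without any warning`. Whatever that class declares runs with the same authority as the rest of the catalog, which is worth one sentence in the same comment so operators treat the custom module like any other privileged configuration. Minor style point: the stray space inside `defined( '::site_custom')`.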
@@ -3,7 +3,7 @@ class site_config::params { $ip_address = hiera('ip_address') $ip_address_interface = getvar("interface_${ip_address}") $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") - $environment = hiera('environment') + $environment = hiera('environment', undef) if $environment == 'local' { -- cgit v1.2.3 From 52f64689a9db8b7300cadaa850e5d7914cef0b9d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 20 Nov 2013 13:13:47 -0500 Subject: setup some common leap system directories: /var/lib/leap and /var/log/leap Change-Id: I18aa0ee635d7166676e4bb4384e2b517784a68b0 --- puppet/modules/site_config/manifests/files.pp | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp index 03c9aff8..684d3ad0 100644 --- a/puppet/modules/site_config/manifests/files.pp +++ b/puppet/modules/site_config/manifests/files.pp @@ -1,10 +1,23 @@ class site_config::files { - file { '/srv/leap': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0711' + file { + '/srv/leap': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0711'; + + '/var/lib/leap': + ensure => directory, + owner => root, + group => 'root', + mode => '0755'; + + '/var/log/leap': + ensure => directory, + owner => root, + group => 'adm', + mode => '0750'; } -} \ No newline at end of file +} -- cgit v1.2.3 From 88af29f3aba662aab4ca5ac3122d43139fb97004 Mon Sep 17 00:00:00 2001 
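Review bot: `owner => root` on the new `/var/lib/leap` and `/var/log/leap` entries is an unquoted bare word while `/srv/leap` in the same resource uses `'root'`; both resolve the same way, but the file should use one form — `owner => 'root',` on both new entries. The reason for the three different modes (0711, 0755, and 0750 with group adm) is not recorded anywhere; a short comment per entry, such as `# traversable but not listable by other users` on `/srv/leap` and `# readable only by root and the adm group` on `/var/log/leap`, would keep a later edit from loosening them by accident.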
From: Micah Anderson Date: Tue, 17 Dec 2013 15:43:58 -0500 Subject: Fix for openvpn/unbound not starting at boot (#4506) This change sets the sysctl net.ipv4.ip_nonlocal_bind to allow applications to bind to an address, even when the link is down. This is necessary because applications like unbound and openvpn fail to start on boot in some situations because interfaces are not fully up (due to a combination of non-deterministic booting because of the likely potential setting of allow-hotplug in the interfaces file and the LSB boot dependency on $network not being sufficient. The only down-side to setting this is a daemon could bind to an incorrect ip and we wouldn't get an error, but this would be a configuration mistake, rather than a fatal condition. Change-Id: I5c03083e8c20bb25afad85a1230f4555808d341c --- puppet/modules/site_config/manifests/default.pp | 4 +++- puppet/modules/site_config/manifests/sysctl.pp | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_config/manifests/sysctl.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 33d3df05..d85d9c8f 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -12,7 +12,6 @@ class site_config::default { include site_config::slow - include concat::setup # default class, used by all hosts @@ -22,6 +21,9 @@ class site_config::default { # configure apt include site_apt + # configure sysctl parameters + include site_config::sysctl + # configure ssh and include ssh-keys include site_config::sshd diff --git a/puppet/modules/site_config/manifests/sysctl.pp b/puppet/modules/site_config/manifests/sysctl.pp new file mode 100644 index 00000000..99f75123 --- /dev/null +++ b/puppet/modules/site_config/manifests/sysctl.pp 
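Review bot: The first hunk drops `include concat::setup`, which the commit message (sysctl for `ip_nonlocal_bind`) does not mention; if no other class still includes it, every `concat` resource elsewhere in the catalog loses its setup dependency. Either keep that line here and remove it in a commit of its own, or state in the message why removing it is safe. The `include site_config::sysctl` in the second hunk is consistent with the surrounding includes and needs no change.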
@@ -0,0 +1,8 @@ +class site_config::sysctl { + + sysctl::config { + 'net.ipv4.ip_nonlocal_bind': + value => 1, + comment => 'Allow applications to bind to an address when link is down (see https://leap.se/code/issues/4506)' + } +} -- cgit v1.2.3 From ec080f77f5f4d12d4a67b604a20113a79d22c28a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 6 Jan 2014 17:25:15 +0100 Subject: install ntp on all platform nodes (Feature #4913) --- puppet/modules/site_config/manifests/packages/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 3e1d4a67..9d416043 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -3,7 +3,7 @@ class site_config::packages::base { include site_config::params # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less' ]: + package { [ 'etckeeper', 'screen', 'less', 'ntp' ]: ensure => installed, } -- cgit v1.2.3 From c356125d06b8c19146f8bd6f34e31da38bfd7cc2 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 24 Jan 2014 17:36:04 +0100 Subject: swiss privacy foundation changed their nameserver IPs: http://www.privacyfoundation.ch/de/service/server.html --- puppet/modules/site_config/manifests/resolvconf.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index b307f18b..05990c67 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp 
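Review bot: The `comment` on `net.ipv4.ip_nonlocal_bind` records only the benefit, while the commit message also names the cost: a daemon configured with a wrong or missing address now binds without error instead of failing at start. That trade-off belongs next to the setting, e.g. extend the comment with `; side effect: a daemon bound to a non-existent address no longer fails loudly, so verify listening sockets after changing a service address`. `value => 1` is passed as an integer; confirm that `sysctl::config` accepts that rather than a string, since a type mismatch in the module would only surface at apply time.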
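Review bot: Adding `'ntp'` to the base package list installs the daemon (and, on Debian, starts it) with the package's default `/etc/ntp.conf`, and nothing here manages that file, so the upstream time sources and the server's query restrictions are whatever the package ships. Accurate time matters for certificate validity checks and log correlation, so the install is justified, but the comment above the list should say that the configuration is intentionally left at the package default, e.g. `# ntp: time sync for TLS validity and log timestamps; /etc/ntp.conf is the package default`. Confirm that the host firewall rules (shorewall is used elsewhere in this module) account for the new UDP/123 listener.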
@@ -8,7 +8,7 @@ class site_config::resolvconf { nameservers => [ '127.0.0.1 # local caching-only, unbound', '85.214.20.141 # Digitalcourage, a german privacy organisation: (https://en.wikipedia.org/wiki/Digitalcourage)', - '62.141.58.13 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)' + '77.109.138.45 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)' ] } } -- cgit v1.2.3 From e93ca6ae1ebb794fb72ade75ef2e5b27b86619c8 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 17:14:44 +0100 Subject: include site_nagios::client by default --- puppet/modules/site_config/manifests/default.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index d85d9c8f..a09a30d2 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -86,4 +86,6 @@ class site_config::default { if defined( '::site_custom') { include ::site_custom } + + include site_nagios::client } -- cgit v1.2.3 From efc3e3eaa0788271cf61155d7e9be4d46e6e9d47 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 16:26:59 +0100 Subject: moved check_mk server and client class to site_check_mk module --- puppet/modules/site_config/manifests/default.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index a09a30d2..25f9b3f8 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -87,5 +87,5 @@ class site_config::default { include ::site_custom } - include site_nagios::client + include site_check_mk::client } -- cgit v1.2.3 From 060124b047ac44f9f54573a389fea6c5b6ab18ea Mon Sep 17 00:00:00 2001 
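Review bot: The replacement entry `'77.109.138.45 # Swiss privacy Foundation (...)'` carries the attribution inside the nameserver string, as the line it replaces did; whether that text is written verbatim after the address in `/etc/resolv.conf` depends on the resolvconf module, and not every resolver implementation tolerates trailing text on a `nameserver` line. Moving the attribution into a Puppet comment above the array, `# 77.109.138.45: Swiss Privacy Foundation (see their server page)`, removes the dependency on that behaviour. The source URL for the new address is cited, which is good; adding the date it was verified would help whoever has to re-check it next.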
From: varac Date: Wed, 12 Feb 2014 18:14:19 +0100 Subject: renamed site_check_mk::client to site_check_mk::agent --- puppet/modules/site_config/manifests/default.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 25f9b3f8..53cc60f6 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -87,5 +87,5 @@ class site_config::default { include ::site_custom } - include site_check_mk::client + include site_check_mk::agent } -- cgit v1.2.3 From 2887bbbac9f350c0912e3b2bf8fd643994eaee84 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Feb 2014 16:41:05 +0100 Subject: include "127.0.1.1 @domain_public @api['domain']" in /etc/hosts for nagios webapp log check --- puppet/modules/site_config/manifests/hosts.pp | 1 + puppet/modules/site_config/templates/hosts | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index a3ce0c1f..e5d4dd70 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,6 +3,7 @@ class site_config::hosts() { $hostname = hiera('name') $domain_hash = hiera('domain') $domain_public = $domain_hash['full_suffix'] + $api = hiera('api', '') file { '/etc/hostname': ensure => present, diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index c0a2740f..bfcabaa5 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts 
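Review bot: `$api = hiera('api', '')` defaults to an empty string, but the template that consumes it indexes it as a hash (`@api['domain']`); on a webapp node with no `api` key in hiera, Ruby's `String#[]` returns nil for that lookup and `/etc/hosts` silently gets a line ending in the bare public domain instead of a compile error. Since the value is only needed when the services include webapp, fail early in that case rather than writing a broken hosts entry, e.g. `if $::services =~ /\bwebapp\b/ and $api == '' { fail('api must be set in hiera on webapp nodes') }`. Confirm `$::services` is the right source of truth here; other manifests on this page match on it but hosts.pp itself does not reference it.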
@@ -1,7 +1,8 @@ # This file is managed by puppet, any changes will be overwritten! 127.0.0.1 localhost -127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> +127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> <% if (defined? @services) and (@services.include? 'webapp') -%><%= @domain_public %> <%= @api['domain'] %><% end -%> + <%- if @hosts then -%> <% @hosts.keys.sort.each do |name| -%> -- cgit v1.2.3 From 482c3d5a77d05043f5276d4f19168d2b777d3ef0 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 23 Mar 2014 16:11:32 -0700 Subject: modules/site_static: part 1 - amber --- .../modules/site_config/manifests/packages/base.pp | 16 ---------------- .../manifests/packages/build_essential.pp | 8 ++++++++ .../site_config/manifests/packages/uninstall.pp | 20 ++++++++++++++++++++ puppet/modules/site_config/manifests/params.pp | 1 + puppet/modules/site_config/manifests/ruby/dev.pp | 2 ++ 5 files changed, 31 insertions(+), 16 deletions(-) create mode 100644 puppet/modules/site_config/manifests/packages/build_essential.pp create mode 100644 puppet/modules/site_config/manifests/packages/uninstall.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 9d416043..28aa4dbb 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -1,7 +1,5 @@ class site_config::packages::base { - include site_config::params - # base set of packages that we want to have installed everywhere package { [ 'etckeeper', 'screen', 'less', 'ntp' ]: ensure => installed, 
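Review bot: The new `127.0.1.1` line tests membership with `@services.include? 'webapp'`; if `@services` arrives as a string (other manifests on this page match it with `$::services =~ /\bwebapp\b/`), `String#include?` is a substring test and any service name containing `webapp` also matches, whereas an array gives an exact match. Normalise before testing, e.g. `<% if defined?(@services) && Array(@services).join(' ').split.include?('webapp') -%>`, or state in a template comment which type is expected. A comment saying that this entry deliberately maps the public domain and the API domain to loopback on webapp nodes for the local nagios log check would also stop someone from "fixing" it later.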
@@ -16,18 +14,4 @@ class site_config::packages::base { 'x11-utils', 'xterm' ]: ensure => absent; } - - if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ { - $dev_packages_ensure = present - } else { - $dev_packages_ensure = absent - } - - # g++ and ruby1.9.1-dev are needed for nickserver/eventmachine (#4079) - # dev_packages are needed for building gems on the webapp node - - package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $dev_packages_ensure - } } diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp new file mode 100644 index 00000000..c9efaafb --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/build_essential.pp @@ -0,0 +1,8 @@ +# +# include this whenever you want to ensure build-essential package and related compilers are installed. +# +class site_config::packages::build_essential { + if $install_build_essential == undef { + $install_build_essential = true + } +} \ No newline at end of file diff --git a/puppet/modules/site_config/manifests/packages/uninstall.pp b/puppet/modules/site_config/manifests/packages/uninstall.pp new file mode 100644 index 00000000..2919cc96 --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/uninstall.pp 
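Review bot: `site_config::packages::build_essential` declares no `package` resource, so including it does not ensure anything is installed, contrary to its header comment; its only effect is to assign `$install_build_essential`, and a variable assigned inside a class is class-local, so other classes must read it as `$site_config::packages::build_essential::install_build_essential`. Either declare the packages here, or rewrite the header to `# sets $install_build_essential = true in this class's scope; does not install anything itself` so the contract is visible. The `== undef` guard presumably checks for a value set at top scope (the uninstall class on this page mentions `$::install_build_packages`); if so, name that variable and where it is set in the comment, because the unqualified lookup and the local assignment read as a contradiction otherwise.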
@@ -0,0 +1,20 @@ +# +# this should be included last to allow other modules to set $::install_build_packages +# +class site_config::packages::uninstall { + + if $site_config::packages::build_essential::install_essential == true { + $dev_packages_ensure = present + } else { + $dev_packages_ensure = absent + } + + # generally, dev packages are needed for installing ruby gems with native extensions. + # (nickserver, webapp, etc) + + package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', + 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: + ensure => $dev_packages_ensure + } + +} \ No newline at end of file diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 5bdc0077..012b3ce0 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -8,6 +8,7 @@ class site_config::params { if $environment == 'local' { $interface = 'eth1' + include site_config::packages::build_essential } elsif hiera('interface','') != '' { $interface = hiera('interface') diff --git a/puppet/modules/site_config/manifests/ruby/dev.pp b/puppet/modules/site_config/manifests/ruby/dev.pp index dbc77ae7..3ea6ca96 100644 --- a/puppet/modules/site_config/manifests/ruby/dev.pp +++ b/puppet/modules/site_config/manifests/ruby/dev.pp @@ -3,4 +3,6 @@ class site_config::ruby::dev inherits site_config::ruby { ruby_version => '1.9.3', install_dev => true } + # building gems locally probably requires build-essential and gcc: + include site_config::packages::build_essential } -- cgit v1.2.3 From c946f47448e0b902d227492c33c5f56998a82875 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Mar 2014 22:25:08 +0100 Subject: couch node: same packages removed on every (second ?) puppetrun (Feature #5018) --- puppet/modules/site_config/manifests/packages/base.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_config') 
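Review bot: The condition `$site_config::packages::build_essential::install_essential == true` refers to a variable that the class on this page never defines (`build_essential.pp` assigns `$install_build_essential`), and the header comment names a third spelling, `$::install_build_packages`; as written the lookup yields undef, the comparison is false, and the compilers are always set to absent. Pick one name and use it in all three places, e.g. `if $site_config::packages::build_essential::install_build_essential == true {`, and make the header explicit about the ordering it depends on: `# include this class last, after every class that may set $install_build_essential`.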
diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 9d416043..9f802771 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -17,10 +17,12 @@ class site_config::packages::base { ensure => absent; } - if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ { - $dev_packages_ensure = present + if $::site_config::params::environment == 'local' + or $::services =~ /\bwebapp\b/ + or $::services =~ /\bcouchdb\b/ { + $dev_packages_ensure = present } else { - $dev_packages_ensure = absent + $dev_packages_ensure = absent } # g++ and ruby1.9.1-dev are needed for nickserver/eventmachine (#4079) -- cgit v1.2.3 From 1457c4a85ad3e7f2fbdc6f969b801542b3396581 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Mar 2014 23:42:19 +0100 Subject: Move setup.pp to a subclass (site_config::setup) (Feature #2993) --- puppet/modules/site_config/manifests/default.pp | 26 ------------- puppet/modules/site_config/manifests/setup.pp | 49 +++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 26 deletions(-) create mode 100644 puppet/modules/site_config/manifests/setup.pp (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 53cc60f6..7e421a21 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -8,19 +8,12 @@ class site_config::default { include apt::update Package { require => Exec['apt_updated'] } - include stdlib - include site_config::slow - include concat::setup - # default class, used by all hosts include lsb, git - # configure apt - include site_apt - # configure sysctl parameters include site_config::sysctl 
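Review bot: Adding `or $::services =~ /\bcouchdb\b/` keeps `build-essential`, `gcc` and the rest of the toolchain permanently installed on couchdb nodes; a full compiler toolchain on a production database host is a hardening trade-off, and the inline comment still only cites nickserver/eventmachine and the webapp. State the reason in the comment, e.g. `# couchdb nodes: [what needs the compilers] (#5018)`, so the next reader knows what breaks if they are removed. The commit title says the packages were being removed on every other run, which suggests two declarations disagreeing about `ensure`; if that is the case, fixing the conflicting declaration is preferable to widening the keep-list.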
@@ -35,21 +28,12 @@ class site_config::default { include site_config::dhclient } - if ( $::site_config::params::environment == 'local' ) { - include site_config::vagrant - } - # configure /etc/resolv.conf include site_config::resolvconf # configure caching, local resolver include site_config::caching_resolver - # configure /etc/hosts - class { 'site_config::hosts': - stage => setup, - } - # install/configure syslog include site_config::syslog @@ -67,16 +51,6 @@ class site_config::default { # set up core leap files and directories include site_config::files - # redundant declarations, remove if - # "Move setup.pp to a subclass (site_config::setup) (Feature #2993)" - # is solved. - - # if squid_deb_proxy_client is set to true, install and configure - # squid_deb_proxy_client for apt caching - if hiera('squid_deb_proxy_client', false) { - include site_squid_deb_proxy::client - } - if $::services !~ /\bmx\b/ { include site_postfix::satellite } diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp new file mode 100644 index 00000000..ffe01f53 --- /dev/null +++ b/puppet/modules/site_config/manifests/setup.pp 
@@ -0,0 +1,49 @@ +class site_config::setup { + + # + # this is applied before each run of site.pp + # + #$services = '' + + Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } + + include site_config::params + + include concat::setup + include stdlib + + # configure /etc/hosts + class { 'site_config::hosts': + stage => setup, + } + + include site_config::initial_firewall + + include site_apt + + package { 'facter': + ensure => latest, + require => Exec['refresh_apt'] + } + + # if squid_deb_proxy_client is set to true, install and configure + # squid_deb_proxy_client for apt caching + if hiera('squid_deb_proxy_client', false) { + include site_squid_deb_proxy::client + } + + # shorewall is installed/half-configured during setup.pp (Bug #3871) + # we need to include shorewall::interface{eth0} in setup.pp so + # packages can be installed during main puppetrun, even before shorewall + # is configured completly + if ( $::site_config::params::environment == 'local' ) { + include site_config::vagrant + } + + # if class site_custom::setup exists, include it. + # possibility for users to define custom puppet recipes + if defined( '::site_custom::setup') { + include ::site_custom::setup + } + +} -- cgit v1.2.3 From bafcfdf7643bcfa5715b5517578e0d9ca2eb399e Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 5 Apr 2014 11:49:53 -0700 Subject: better system for optionally uninstalling build-essential package. closes https://leap.se/code/issues/5426 --- .../site_config/manifests/packages/build_essential.pp | 7 +++++-- .../site_config/manifests/packages/uninstall.pp | 18 +++++++----------- 2 files changed, 12 insertions(+), 13 deletions(-) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp index c9efaafb..7dfb8b03 100644 --- a/puppet/modules/site_config/manifests/packages/build_essential.pp 
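Review bot: The comment block beginning `# shorewall is installed/half-configured during setup.pp (Bug #3871)` sits directly above the `if ( $::site_config::params::environment == 'local' )` vagrant include, which it does not describe; it belongs with `include site_config::initial_firewall` further up, and the vagrant block needs its own line, e.g. `# local (vagrant) environments get their own interface and firewall setup`. `package { 'facter': ensure => latest }` upgrades the agent's own tooling on every run whenever any configured repository offers something newer, which is an unattended upgrade path that deserves a comment on why `latest` rather than `present` is wanted. Minor: the `Exec` default path has a trailing slash on `/usr/sbin/` unlike the other entries, and the commented-out `#$services = ''` should be explained or dropped.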
+++ b/puppet/modules/site_config/manifests/packages/build_essential.pp @@ -2,7 +2,10 @@ # include this whenever you want to ensure build-essential package and related compilers are installed. # class site_config::packages::build_essential { - if $install_build_essential == undef { - $install_build_essential = true + if !defined(Package['build-essential']) { + package { + ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']: + ensure => present + } } } \ No newline at end of file diff --git a/puppet/modules/site_config/manifests/packages/uninstall.pp b/puppet/modules/site_config/manifests/packages/uninstall.pp index 2919cc96..12f527d9 100644 --- a/puppet/modules/site_config/manifests/packages/uninstall.pp +++ b/puppet/modules/site_config/manifests/packages/uninstall.pp @@ -1,20 +1,16 @@ # -# this should be included last to allow other modules to set $::install_build_packages +# Uninstall build-essential and compilers, unless they have been explicitly installed elsewhere. # class site_config::packages::uninstall { - - if $site_config::packages::build_essential::install_essential == true { - $dev_packages_ensure = present - } else { - $dev_packages_ensure = absent - } + tag 'leap_base' # generally, dev packages are needed for installing ruby gems with native extensions. # (nickserver, webapp, etc) - package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $dev_packages_ensure + if !defined(Package['build-essential']) { + package { + ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']: + ensure => purged + } } - } \ No newline at end of file -- cgit v1.2.3 From dae324f316666f65907c02877ffd566df45641f6 Mon Sep 17 00:00:00 2001 
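Review bot: Both hunks gate on `!defined(Package['build-essential'])`, and in Puppet that test is evaluated in parse order, so whether `site_config::packages::uninstall` purges the compilers depends entirely on whether `build_essential` has already been evaluated when uninstall is reached. The previous header's ordering requirement ("this should be included last") was removed along with the rest of the old comment, but the requirement still holds; restore it in the new header, e.g. `# Must be evaluated after every class that may include site_config::packages::build_essential; the defined() check is parse-order dependent.` The same ten-package list is now written in both files; moving it to one shared variable (for example in `site_config::params`) keeps the install and purge lists from drifting apart.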
From: varac Date: Tue, 15 Apr 2014 16:54:57 +0200 Subject: fix concat::setup (#5503) --- puppet/modules/site_config/manifests/setup.pp | 1 + puppet/modules/site_config/manifests/vagrant.pp | 1 + 2 files changed, 2 insertions(+) (limited to 'puppet/modules/site_config') diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index ffe01f53..6d89be86 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp @@ -1,4 +1,5 @@ class site_config::setup { + tag 'leap_base' # # this is applied before each run of site.pp diff --git a/puppet/modules/site_config/manifests/vagrant.pp b/puppet/modules/site_config/manifests/vagrant.pp index 04266735..8f50b305 100644 --- a/puppet/modules/site_config/manifests/vagrant.pp +++ b/puppet/modules/site_config/manifests/vagrant.pp @@ -1,6 +1,7 @@ class site_config::vagrant { # class for vagrant nodes + include site_shorewall::defaults # eth0 on vagrant nodes is the uplink if shorewall::interface { 'eth0': zone => 'net', -- cgit v1.2.3