From ffd23f263d15ce04d1610e87abbdca3554dadd75 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 8 Dec 2016 23:26:04 +0100 Subject: Lint site_config::files --- puppet/modules/site_config/manifests/files.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp index d2ef8a98..e74ad567 100644 --- a/puppet/modules/site_config/manifests/files.pp +++ b/puppet/modules/site_config/manifests/files.pp @@ -3,10 +3,10 @@ class site_config::files { file { '/srv/leap': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0711'; + ensure => directory, + owner => 'root', + group => 'root', + mode => '0711'; [ '/etc/leap', '/var/lib/leap']: ensure => directory, -- cgit v1.2.3 From 866af737a3e641008c05a210d04a4dc5e5bcfbc4 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 20 Dec 2016 10:12:39 -0800 Subject: bugfix: couchdb nodes should not require soledad. closes #8693 --- puppet/modules/site_couchdb/manifests/create_dbs.pp | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index ddfb7d65..1c594bb6 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -1,5 +1,6 @@ # creates neccesary databases class site_couchdb::create_dbs { + $services = hiera('services', []) Class['site_couchdb::setup'] -> Class['site_couchdb::create_dbs'] @@ -42,10 +43,12 @@ class site_couchdb::create_dbs { ## shared database ## r/w: soledad - couchdb::create_db { 'shared': - members => "{ \"names\": [\"${site_couchdb::couchdb_soledad_user}\"], \"roles\": [\"replication\"] }", - require => Couchdb::Query::Setup['localhost'], - notify => Service['soledad-server']; + if member($services, 'soledad') { + couchdb::create_db { 'shared': + members => "{ \"names\": [\"${site_couchdb::couchdb_soledad_user}\"], \"roles\": [\"replication\"] }", + require => Couchdb::Query::Setup['localhost'], + notify => Service['soledad-server']; + } } ## tickets database -- cgit v1.2.3 From 3d254dcd1899fa266d0170f18da7b556a8114302 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 20 Dec 2016 22:36:47 +0100 Subject: [Vagrant] Install leap_cli gem dependencies --- puppet/modules/leap/manifests/cli/install.pp | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/leap/manifests/cli/install.pp b/puppet/modules/leap/manifests/cli/install.pp index 25e87033..d009316b 100644 --- a/puppet/modules/leap/manifests/cli/install.pp +++ b/puppet/modules/leap/manifests/cli/install.pp @@ -1,13 +1,20 @@ # installs leap_cli on node class leap::cli::install ( $source = false ) { + + # nokogiri is a dependency gem of leap_cli and + # needs build tools in order to get compiled + ensure_packages (['gcc', 'make', 'zlib1g-dev']) + class { '::ruby': + install_dev => true, + require => [ Package['gcc'], Package['make'], Package['zlib1g-dev'] ] + } + + if $source { # needed for building leap_cli from source include ::git include ::rubygems - class { '::ruby': - install_dev => true - } class { 'bundler::install': install_method => 'package' } @@ -40,7 +47,8 @@ class leap::cli::install ( $source = false ) { else { package { 'leap_cli': ensure => installed, - provider => gem + provider => gem, + require => Class['ruby'] } } } -- cgit v1.2.3 From c1f23241deb1f94eb35e6ef21e623d804fa2770e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 30 Dec 2016 18:44:27 +0100 Subject: Couchdb service should not require on soledad - Resolves: #8693 --- puppet/modules/site_couchdb/manifests/add_users.pp | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index f12c5a5e..5c32c1e3 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -1,6 +1,8 @@ # add couchdb users for all services class site_couchdb::add_users { + $services = hiera('services', []) + Class['site_couchdb::create_dbs'] -> Class['site_couchdb::add_users'] @@ -29,12 +31,14 @@ class site_couchdb::add_users { ## soledad couchdb user ## r/w: user-, shared ## read: tokens - couchdb::add_user { $site_couchdb::couchdb_soledad_user: - roles => '["tokens"]', - pw => $site_couchdb::couchdb_soledad_pw, - salt => $site_couchdb::couchdb_soledad_salt, - require => Couchdb::Query::Setup['localhost'], - notify => Service['soledad-server']; + if member($services, 'soledad') { + couchdb::add_user { $site_couchdb::couchdb_soledad_user: + roles => '["tokens"]', + pw => $site_couchdb::couchdb_soledad_pw, + salt => $site_couchdb::couchdb_soledad_salt, + require => Couchdb::Query::Setup['localhost'], + notify => Service['soledad-server']; + } } ## webapp couchdb user -- cgit v1.2.3 From 77d11c7ddeaeb123bf871bd2bfce0e5ace0c158e Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 16 Jan 2017 11:48:53 +0100 Subject: Revert "Add systemd::enable define" This commit was moved to the systemd puppet repo. This reverts commit f5db49cf6b3ca0a5830b849c0aac074e371b95d9. --- puppet/modules/systemd/manifests/enable.pp | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 puppet/modules/systemd/manifests/enable.pp (limited to 'puppet/modules') diff --git a/puppet/modules/systemd/manifests/enable.pp b/puppet/modules/systemd/manifests/enable.pp deleted file mode 100644 index e1bee18a..00000000 --- a/puppet/modules/systemd/manifests/enable.pp +++ /dev/null @@ -1,8 +0,0 @@ -# enables a systemd resource -define systemd::enable () { - - exec { "enable_systemd_${name}": - refreshonly => true, - command => "/bin/systemctl enable ${name}" - } -} -- cgit v1.2.3 From e9a3d71fd1c9fbdb1b468c633a6cbe310e3d6880 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 16 Jan 2017 14:39:14 +0100 Subject: git subrepo clone --force https://leap.se/git/puppet_systemd puppet/modules/systemd subrepo: subdir: "puppet/modules/systemd" merged: "f3c4059" upstream: origin: "https://leap.se/git/puppet_systemd" branch: "master" commit: "f3c4059" git-subrepo: version: "0.3.0" origin: "https://github.com/ingydotnet/git-subrepo.git" commit: "841aa43" --- puppet/modules/systemd/.fixtures.yml | 4 + puppet/modules/systemd/.gitrepo | 4 +- puppet/modules/systemd/.puppet-lint.rc | 2 +- puppet/modules/systemd/.travis.yml | 22 +-- puppet/modules/systemd/CHANGELOG.md | 20 +- puppet/modules/systemd/Gemfile | 18 +- puppet/modules/systemd/HISTORY.md | 15 +- puppet/modules/systemd/LICENSE | 201 +++++++++++++++++++++ puppet/modules/systemd/README.md | 51 +++++- puppet/modules/systemd/Rakefile | 10 +- puppet/modules/systemd/lib/facter/systemd.rb | 35 ++++ puppet/modules/systemd/manifests/enable.pp | 8 + puppet/modules/systemd/manifests/init.pp | 8 +- puppet/modules/systemd/manifests/service_limits.pp | 50 +++++ puppet/modules/systemd/manifests/tmpfile.pp | 20 ++ puppet/modules/systemd/manifests/unit_file.pp | 22 +++ puppet/modules/systemd/metadata.json | 2 +- .../systemd/spec/acceptance/nodesets/centos-5.yml | 16 ++ .../systemd/spec/acceptance/nodesets/centos-6.yml | 17 ++ .../systemd/spec/acceptance/nodesets/centos-7.yml | 15 ++ .../systemd/spec/acceptance/nodesets/debian-6.yml | 15 ++ .../systemd/spec/acceptance/nodesets/debian-7.yml | 15 ++ .../systemd/spec/acceptance/nodesets/debian-8.yml | 16 ++ .../spec/acceptance/nodesets/ubuntu-12.04.yml | 16 ++ .../spec/acceptance/nodesets/ubuntu-14.04.yml | 18 ++ .../spec/acceptance/nodesets/ubuntu-14.10.yml | 18 ++ .../spec/acceptance/nodesets/ubuntu-15.04.yml | 16 ++ .../spec/acceptance/nodesets/ubuntu-15.10.yml | 16 ++ .../spec/acceptance/nodesets/ubuntu-16.04.yml | 16 ++ .../modules/systemd/spec/defines/tmpfile_spec.rb | 48 +++++ .../modules/systemd/spec/defines/unit_file_spec.rb | 50 +++++ .../systemd/spec/unit/facter/systemd_spec.rb | 41 +++++ .../spec/unit/facter/systemd_version_spec.rb | 31 ++++ puppet/modules/systemd/templates/limits.erb | 26 +++ 34 files changed, 839 insertions(+), 43 deletions(-) create mode 100644 puppet/modules/systemd/.fixtures.yml create mode 100644 puppet/modules/systemd/LICENSE create mode 100644 puppet/modules/systemd/lib/facter/systemd.rb create mode 100644 puppet/modules/systemd/manifests/enable.pp create mode 100644 puppet/modules/systemd/manifests/service_limits.pp create mode 100644 puppet/modules/systemd/manifests/tmpfile.pp create mode 100644 puppet/modules/systemd/manifests/unit_file.pp create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/centos-5.yml create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/centos-6.yml create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/centos-7.yml create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/debian-6.yml create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/debian-7.yml create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/debian-8.yml create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-12.04.yml create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.04.yml create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.10.yml create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.04.yml create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.10.yml create mode 100644 puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-16.04.yml create mode 100644 puppet/modules/systemd/spec/defines/tmpfile_spec.rb create mode 100644 puppet/modules/systemd/spec/defines/unit_file_spec.rb create mode 100644 puppet/modules/systemd/spec/unit/facter/systemd_spec.rb create mode 100644 puppet/modules/systemd/spec/unit/facter/systemd_version_spec.rb create mode 100644 puppet/modules/systemd/templates/limits.erb (limited to 'puppet/modules') diff --git a/puppet/modules/systemd/.fixtures.yml b/puppet/modules/systemd/.fixtures.yml new file mode 100644 index 00000000..1d455a31 --- /dev/null +++ b/puppet/modules/systemd/.fixtures.yml @@ -0,0 +1,4 @@ +--- +fixtures: + symlinks: + systemd: "#{source_dir}" \ No newline at end of file diff --git a/puppet/modules/systemd/.gitrepo b/puppet/modules/systemd/.gitrepo index 1548a815..ea68e478 100644 --- a/puppet/modules/systemd/.gitrepo +++ b/puppet/modules/systemd/.gitrepo @@ -6,6 +6,6 @@ [subrepo] remote = https://leap.se/git/puppet_systemd branch = master - commit = 6d47fd4999fe03eba6fb11c4490dcbb90d937900 - parent = 56a771a3008d10720dd05fd815aeafbacdd1e08e + commit = f3c4059603a6ac19f132b0dc47b95e49d9ddc4ba + parent = 77d11c7ddeaeb123bf871bd2bfce0e5ace0c158e cmdver = 0.3.0 diff --git a/puppet/modules/systemd/.puppet-lint.rc b/puppet/modules/systemd/.puppet-lint.rc index d8f5c59e..e09d52f4 100644 --- a/puppet/modules/systemd/.puppet-lint.rc +++ b/puppet/modules/systemd/.puppet-lint.rc @@ -1,5 +1,5 @@ --fail-on-warnings --relative ---no-80chars +--no-140chars --no-documentation --no-class_inherits_from_params_class-check diff --git a/puppet/modules/systemd/.travis.yml b/puppet/modules/systemd/.travis.yml index 467045c5..1d1bedfc 100644 --- a/puppet/modules/systemd/.travis.yml +++ b/puppet/modules/systemd/.travis.yml @@ -1,22 +1,22 @@ --- language: ruby sudo: false +addons: + apt: + packages: + - libaugeas-dev + sources: + - augeas cache: bundler bundler_args: --without system_tests -script: ["bundle exec rake validate", "bundle exec rake lint", "bundle exec rake spec SPEC_OPTS='--format documentation'", "bundle exec rake metadata"] +script: ["bundle exec rake validate", "bundle exec rake lint", "bundle exec rake spec SPEC_OPTS='--format documentation'"] matrix: fast_finish: true include: - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.0" FACTER_GEM_VERSION="~> 1.7.0" - - rvm: 1.9.3 - env: PUPPET_GEM_VERSION="~> 3.0" - - rvm: 2.0.0 - env: PUPPET_GEM_VERSION="~> 3.0" - - rvm: 2.0.0 - env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes" - - rvm: 2.1.6 + - rvm: 2.1.9 env: PUPPET_GEM_VERSION="~> 4.0" + - rvm: 2.3.1 + env: PUPPET_GEM_VERSION="~> 4" notifications: email: false deploy: @@ -29,4 +29,4 @@ deploy: # all_branches is required to use tags all_branches: true # Only publish if our main Ruby target builds - rvm: 1.9.3 + rvm: 2.1.9 diff --git a/puppet/modules/systemd/CHANGELOG.md b/puppet/modules/systemd/CHANGELOG.md index 11e84399..79b9e646 100644 --- a/puppet/modules/systemd/CHANGELOG.md +++ b/puppet/modules/systemd/CHANGELOG.md @@ -1,5 +1,22 @@ # Change Log +## [0.4.0](https://forge.puppetlabs.com/camptocamp/systemd/0.4.0) (2016-08-18) +[Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.3.0...0.4.0) + +- Deprecate Ruby 1.8 tests +- Only use awk instead of grep and awk [\#9](https://github.com/camptocamp/puppet-systemd/pull/9) ([igalic](https://github.com/igalic)) +- Add LICENSE (fix #11) +- Add target param for the unit file [\#10](https://github.com/camptocamp/puppet-systemd/pull/10) ([tampakrap](https://github.com/tampakrap)) + +## [0.3.0](https://forge.puppetlabs.com/camptocamp/systemd/0.3.0) (2016-05-16) +[Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.2.2...0.3.0) + +**Implemented enhancements:** + +- Shortcut for creating unit files / tmpfiles [\#4](https://github.com/camptocamp/puppet-systemd/pull/4) ([felixb](https://github.com/felixb)) +- Add systemd facts [\#6](https://github.com/camptocamp/puppet-systemd/pull/6) ([roidelapluie](https://github.com/roidelapluie)) + + ## [0.2.2](https://forge.puppetlabs.com/camptocamp/systemd/0.2.2) (2015-08-25) [Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.2.1...0.2.2) @@ -60,6 +77,3 @@ \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* - - -\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file diff --git a/puppet/modules/systemd/Gemfile b/puppet/modules/systemd/Gemfile index 0cb59337..377d0c16 100644 --- a/puppet/modules/systemd/Gemfile +++ b/puppet/modules/systemd/Gemfile @@ -2,7 +2,7 @@ source ENV['GEM_SOURCE'] || "https://rubygems.org" group :development, :unit_tests do gem 'rake', :require => false - gem 'rspec', '< 3.2', :require => false if RUBY_VERSION =~ /^1.8/ + gem 'rspec', :require => false gem 'rspec-puppet', :require => false gem 'puppetlabs_spec_helper', :require => false gem 'metadata-json-lint', :require => false @@ -10,26 +10,26 @@ group :development, :unit_tests do gem 'puppet-lint-unquoted_string-check', :require => false gem 'puppet-lint-empty_string-check', :require => false gem 'puppet-lint-spaceship_operator_without_tag-check', :require => false - gem 'puppet-lint-variable_contains_upcase', :require => false gem 'puppet-lint-absolute_classname-check', :require => false gem 'puppet-lint-undef_in_function-check', :require => false gem 'puppet-lint-leading_zero-check', :require => false gem 'puppet-lint-trailing_comma-check', :require => false gem 'puppet-lint-file_ensure-check', :require => false gem 'puppet-lint-version_comparison-check', :require => false - gem 'puppet-lint-fileserver-check', :require => false gem 'puppet-lint-file_source_rights-check', :require => false gem 'puppet-lint-alias-check', :require => false gem 'rspec-puppet-facts', :require => false - gem 'github_changelog_generator', :require => false, :git => 'https://github.com/raphink/github-changelog-generator.git', :branch => 'dev/all_patches' if RUBY_VERSION !~ /^1.8/ - gem 'puppet-blacksmith', :require => false if RUBY_VERSION !~ /^1.8/ + gem 'ruby-augeas', :require => false + gem 'puppet-blacksmith', :require => false if RUBY_VERSION !~ /^1\./ + gem 'json_pure', '< 2.0.2', :require => false end group :system_tests do - gem 'beaker', :require => false - gem 'beaker-rspec', :require => false - gem 'beaker_spec_helper', :require => false - gem 'serverspec', :require => false + gem 'beaker', :require => false + gem 'beaker-rspec', '> 5', :require => false + gem 'beaker_spec_helper', :require => false + gem 'serverspec', :require => false + gem 'specinfra', :require => false end if facterversion = ENV['FACTER_GEM_VERSION'] diff --git a/puppet/modules/systemd/HISTORY.md b/puppet/modules/systemd/HISTORY.md index c7bf2b4e..aee8ad5e 100644 --- a/puppet/modules/systemd/HISTORY.md +++ b/puppet/modules/systemd/HISTORY.md @@ -1,3 +1,14 @@ +# Change Log + +## [0.3.0](https://forge.puppetlabs.com/camptocamp/systemd/0.3.0) (2016-05-16) +[Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.2.2...0.3.0) + +**Implemented enhancements:** + +- Shortcut for creating unit files / tmpfiles [\#4](https://github.com/camptocamp/puppet-systemd/pull/4) ([felixb](https://github.com/felixb)) +- Add systemd facts [\#6](https://github.com/camptocamp/puppet-systemd/pull/6) ([roidelapluie](https://github.com/roidelapluie)) + + ## [0.2.2](https://forge.puppetlabs.com/camptocamp/systemd/0.2.2) (2015-08-25) [Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.2.1...0.2.2) @@ -5,6 +16,7 @@ - Add 'systemd-tmpfiles-create' [\#1](https://github.com/camptocamp/puppet-systemd/pull/1) ([roidelapluie](https://github.com/roidelapluie)) + ## [0.2.1](https://forge.puppetlabs.com/camptocamp/systemd/0.2.1) (2015-08-21) [Full Changelog](https://github.com/camptocamp/puppet-systemd/compare/0.2.0...0.2.1) @@ -56,7 +68,4 @@ - Confine rspec pinning to ruby 1.8 -\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* - - \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* diff --git a/puppet/modules/systemd/LICENSE b/puppet/modules/systemd/LICENSE new file mode 100644 index 00000000..8d968b6c --- /dev/null +++ b/puppet/modules/systemd/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/puppet/modules/systemd/README.md b/puppet/modules/systemd/README.md index f70bcb0c..51bf5cde 100644 --- a/puppet/modules/systemd/README.md +++ b/puppet/modules/systemd/README.md @@ -5,11 +5,23 @@ ## Overview -This module declares exec resources that you can use when you change systemd units or configuration files. +This module declares exec resources to create global sync points for reloading systemd. -## Examples +## Usage and examples -### systemctl --daemon-reload +There are two ways to use this module. + +### unit files + +Let this module handle file creation and systemd reloading. + +```puppet +::systemd::unit_file { 'foo.service': + source => "puppet:///modules/${module_name}/foo.service", +} +``` + +Or handle file creation yourself and trigger systemd. ```puppet include ::systemd @@ -23,7 +35,17 @@ file { '/usr/lib/systemd/system/foo.service': Exec['systemctl-daemon-reload'] ``` -### systemd-tmpfiles --create +### tmpfiles + +Let this module handle file creation and systemd reloading + +```puppet +::systemd::tmpfile { 'foo.conf': + source => "puppet:///modules/${module_name}/foo.conf", +} +``` + +Or handle file creation yourself and trigger systemd. ```puppet include ::systemd @@ -36,3 +58,24 @@ file { '/etc/tmpfiles.d/foo.conf': } ~> Exec['systemd-tmpfiles-create'] ``` + +### service limits + +Manage soft and hard limits on various resources for executed processes. + +```puppet +::systemd::service_limits { 'foo.service': + limits => { + LimitNOFILE => 8192, + LimitNPROC => 16384 + } +} +``` + +Or provide the configuration file yourself. Systemd reloading and restarting of the service are handled by the module. + +```puppet +::systemd::service_limits { 'foo.service': + source => "puppet:///modules/${module_name}/foo.conf", +} +``` diff --git a/puppet/modules/systemd/Rakefile b/puppet/modules/systemd/Rakefile index adcac180..aa7b8a15 100644 --- a/puppet/modules/systemd/Rakefile +++ b/puppet/modules/systemd/Rakefile @@ -4,20 +4,14 @@ require 'puppet-lint/tasks/puppet-lint' Rake::Task[:lint].clear PuppetLint::RakeTask.new :lint do |config| config.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp", "vendor/**/*.pp"] - config.disable_checks = ['80chars'] + config.disable_checks = ['140chars'] config.fail_on_warnings = true end PuppetSyntax.exclude_paths = ["spec/fixtures/**/*.pp", "vendor/**/*"] # Publishing tasks -unless RUBY_VERSION =~ /^1\.8/ +unless RUBY_VERSION =~ /^1\./ require 'puppet_blacksmith' require 'puppet_blacksmith/rake_tasks' - require 'github_changelog_generator/task' - GitHubChangelogGenerator::RakeTask.new :changelog do |config| - m = Blacksmith::Modulefile.new - config.future_release = m.version - config.release_url = "https://forge.puppetlabs.com/#{m.author}/#{m.name}/%s" - end end diff --git a/puppet/modules/systemd/lib/facter/systemd.rb b/puppet/modules/systemd/lib/facter/systemd.rb new file mode 100644 index 00000000..4361f775 --- /dev/null +++ b/puppet/modules/systemd/lib/facter/systemd.rb @@ -0,0 +1,35 @@ +# Fact: systemd +# +# Purpose: +# Determine whether SystemD is the init system on the node +# +# Resolution: +# Check the name of the process 1 (ps -p 1) +# +# Caveats: +# + +# Fact: systemd-version +# +# Purpose: +# Determine the version of systemd installed +# +# Resolution: +# Check the output of systemctl --version +# +# Caveats: +# + +Facter.add(:systemd) do + confine :kernel => :linux + setcode do + Facter::Util::Resolution.exec('ps -p 1 -o comm=') == 'systemd' + end +end + +Facter.add(:systemd_version) do + confine :systemd => true + setcode do + Facter::Util::Resolution.exec("systemctl --version | awk '/systemd/{ print $2 }'") + end +end diff --git a/puppet/modules/systemd/manifests/enable.pp b/puppet/modules/systemd/manifests/enable.pp new file mode 100644 index 00000000..e1bee18a --- /dev/null +++ b/puppet/modules/systemd/manifests/enable.pp @@ -0,0 +1,8 @@ +# enables a systemd resource +define systemd::enable () { + + exec { "enable_systemd_${name}": + refreshonly => true, + command => "/bin/systemctl enable ${name}" + } +} diff --git a/puppet/modules/systemd/manifests/init.pp b/puppet/modules/systemd/manifests/init.pp index 5e6ad792..e669f093 100644 --- a/puppet/modules/systemd/manifests/init.pp +++ b/puppet/modules/systemd/manifests/init.pp @@ -1,4 +1,8 @@ -class systemd { +# -- Class systemd +# This module allows triggering systemd commands once for all modules +class systemd ( + $service_limits = {} +){ Exec { refreshonly => true, @@ -15,4 +19,6 @@ class systemd { command => 'systemd-tmpfiles --create', } + create_resources('systemd::service_limits', $service_limits, {}) + } diff --git a/puppet/modules/systemd/manifests/service_limits.pp b/puppet/modules/systemd/manifests/service_limits.pp new file mode 100644 index 00000000..a9cdc25a --- /dev/null +++ b/puppet/modules/systemd/manifests/service_limits.pp @@ -0,0 +1,50 @@ +# -- Define: systemd::service_limits +# Creates a custom config file and reloads systemd +define systemd::service_limits( + $ensure = file, + $path = '/etc/systemd/system', + $limits = undef, + $source = undef, + $restart_service = true +) { + include ::systemd + + if $limits { + validate_hash($limits) + $content = template('systemd/limits.erb') + } + else { + $content = undef + } + + if $limits and $source { + fail('You may not supply both limits and source parameters to systemd::service_limits') + } elsif $limits == undef and $source == undef { + fail('You must supply either the limits or source parameter to systemd::service_limits') + } + + file { "${path}/${title}.d/": + ensure => 'directory', + owner => 'root', + group => 'root', + } + -> + file { "${path}/${title}.d/limits.conf": + ensure => $ensure, + content => $content, + source => $source, + owner => 'root', + group => 'root', + mode => '0444', + notify => Exec['systemctl-daemon-reload'], + } + + if $restart_service { + exec { "systemctl restart ${title}": + path => $::path, + refreshonly => true, + subscribe => File["${path}/${title}.d/limits.conf"], + require => Exec['systemctl-daemon-reload'], + } + } +} diff --git a/puppet/modules/systemd/manifests/tmpfile.pp b/puppet/modules/systemd/manifests/tmpfile.pp new file mode 100644 index 00000000..c4d1a05f --- /dev/null +++ b/puppet/modules/systemd/manifests/tmpfile.pp @@ -0,0 +1,20 @@ +# -- Define: systemd::tmpfile +# Creates a tmpfile and reloads systemd +define systemd::tmpfile( + $ensure = file, + $path = '/etc/tmpfiles.d', + $content = undef, + $source = undef, +) { + include ::systemd + + file { "${path}/${title}": + ensure => $ensure, + content => $content, + source => $source, + owner => 'root', + group => 'root', + mode => '0444', + notify => Exec['systemd-tmpfiles-create'], + } +} \ No newline at end of file diff --git a/puppet/modules/systemd/manifests/unit_file.pp b/puppet/modules/systemd/manifests/unit_file.pp new file mode 100644 index 00000000..94bc845b --- /dev/null +++ b/puppet/modules/systemd/manifests/unit_file.pp @@ -0,0 +1,22 @@ +# -- Define: systemd::unit_file +# Creates a unit file and reloads systemd +define systemd::unit_file( + $ensure = file, + $path = '/etc/systemd/system', + $content = undef, + $source = undef, + $target = undef, +) { + include ::systemd + + file { "${path}/${title}": + ensure => $ensure, + content => $content, + source => $source, + target => $target, + owner => 'root', + group => 'root', + mode => '0444', + notify => Exec['systemctl-daemon-reload'], + } +} diff --git a/puppet/modules/systemd/metadata.json b/puppet/modules/systemd/metadata.json index abdd481e..08951efb 100644 --- a/puppet/modules/systemd/metadata.json +++ b/puppet/modules/systemd/metadata.json @@ -1,6 +1,6 @@ { "name": "camptocamp-systemd", - "version": "0.2.2", + "version": "0.4.0", "author": "camptocamp", "summary": "Puppet Systemd module", "license": "Apache-2.0", diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/centos-5.yml b/puppet/modules/systemd/spec/acceptance/nodesets/centos-5.yml new file mode 100644 index 00000000..a26f27fc --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/centos-5.yml @@ -0,0 +1,16 @@ +HOSTS: + centos-5-x64: + default_apply_opts: + order: random + strict_variables: + platform: el-5-x86_64 + hypervisor : docker + image: tianon/centos:5.10 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'yum install -y crontabs tar wget which' + - 'sed -i -e "/mingetty/d" /etc/inittab' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/centos-6.yml b/puppet/modules/systemd/spec/acceptance/nodesets/centos-6.yml new file mode 100644 index 00000000..71e23cd8 --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/centos-6.yml @@ -0,0 +1,17 @@ +HOSTS: + centos-6-x64: + default_apply_opts: + order: random + strict_variables: + platform: el-6-x86_64 + hypervisor : docker + image: centos:6 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'rm -rf /var/run/network/*' + - 'yum install -y crontabs tar wget' + - 'rm /etc/init/tty.conf' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/centos-7.yml b/puppet/modules/systemd/spec/acceptance/nodesets/centos-7.yml new file mode 100644 index 00000000..a8fa4686 --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/centos-7.yml @@ -0,0 +1,15 @@ +HOSTS: + centos-7-x64: + default_apply_opts: + order: random + strict_variables: + platform: el-7-x86_64 + hypervisor : docker + image: centos:7 + docker_preserve_image: true + docker_cmd: '["/usr/sbin/init"]' + docker_image_commands: + - 'yum install -y crontabs tar wget iproute' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/debian-6.yml b/puppet/modules/systemd/spec/acceptance/nodesets/debian-6.yml new file mode 100644 index 00000000..d7b02756 --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/debian-6.yml @@ -0,0 +1,15 @@ +HOSTS: + debian-6-x64: + default_apply_opts: + order: random + strict_variables: + platform: debian-6-amd64 + hypervisor : docker + image: debian/eol:squeeze + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get install -y cron locales-all net-tools wget' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/debian-7.yml b/puppet/modules/systemd/spec/acceptance/nodesets/debian-7.yml new file mode 100644 index 00000000..9591ea77 --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/debian-7.yml @@ -0,0 +1,15 @@ +HOSTS: + debian-7-x64: + default_apply_opts: + order: random + strict_variables: + platform: debian-7-amd64 + hypervisor : docker + image: debian:7 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get install -y cron locales-all net-tools wget' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/debian-8.yml b/puppet/modules/systemd/spec/acceptance/nodesets/debian-8.yml new file mode 100644 index 00000000..5fb24c61 --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/debian-8.yml @@ -0,0 +1,16 @@ +HOSTS: + debian-8-x64: + default_apply_opts: + order: random + strict_variables: + platform: debian-8-amd64 + hypervisor : docker + image: debian:8 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get install -y cron locales-all net-tools wget' + - 'rm -f /usr/sbin/policy-rc.d' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-12.04.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-12.04.yml new file mode 100644 index 00000000..594e1771 --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-12.04.yml @@ -0,0 +1,16 @@ +HOSTS: + ubuntu-1204-x64: + default_apply_opts: + order: random + strict_variables: + platform: ubuntu-12.04-amd64 + hypervisor : docker + image: ubuntu:12.04 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get install -y net-tools wget' + - 'locale-gen en_US.UTF-8' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.04.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.04.yml new file mode 100644 index 00000000..2b293c99 --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.04.yml @@ -0,0 +1,18 @@ +HOSTS: + ubuntu-1404-x64: + default_apply_opts: + order: random + strict_variables: + platform: ubuntu-14.04-amd64 + hypervisor : docker + image: ubuntu:14.04 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'rm /usr/sbin/policy-rc.d' + - 'rm /sbin/initctl; dpkg-divert --rename --remove /sbin/initctl' + - 'apt-get install -y net-tools wget' + - 'locale-gen en_US.UTF-8' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.10.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.10.yml new file mode 100644 index 00000000..7ce09b2a --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-14.10.yml @@ -0,0 +1,18 @@ +HOSTS: + ubuntu-1410-x64: + default_apply_opts: + order: random + strict_variables: + platform: ubuntu-14.10-amd64 + hypervisor : docker + image: ubuntu:14.10 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'rm /usr/sbin/policy-rc.d' + - 'rm /sbin/initctl; dpkg-divert --rename --remove /sbin/initctl' + - 'apt-get install -y net-tools wget' + - 'locale-gen en_US.UTF-8' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.04.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.04.yml new file mode 100644 index 00000000..329f3319 --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.04.yml @@ -0,0 +1,16 @@ +HOSTS: + ubuntu-1504-x64: + default_apply_opts: + order: random + strict_variables: + platform: ubuntu-15.04-amd64 + hypervisor : docker + image: ubuntu:15.04 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get install -y net-tools wget' + - 'locale-gen en_US.UTF-8' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.10.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.10.yml new file mode 100644 index 00000000..487795a3 --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-15.10.yml @@ -0,0 +1,16 @@ +HOSTS: + ubuntu-1510-x64: + default_apply_opts: + order: random + strict_variables: + platform: ubuntu-15.10-amd64 + hypervisor : docker + image: ubuntu:15.10 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get install -y net-tools wget' + - 'locale-gen en_US.UTF-8' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-16.04.yml b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-16.04.yml new file mode 100644 index 00000000..6c32b96d --- /dev/null +++ b/puppet/modules/systemd/spec/acceptance/nodesets/ubuntu-16.04.yml @@ -0,0 +1,16 @@ +HOSTS: + ubuntu-1604-x64: + default_apply_opts: + order: random + strict_variables: + platform: ubuntu-16.04-amd64 + hypervisor : docker + image: ubuntu:16.04 + docker_preserve_image: true + docker_cmd: '["/sbin/init"]' + docker_image_commands: + - 'apt-get install -y net-tools wget' + - 'locale-gen en_US.UTF-8' +CONFIG: + type: aio + log_level: debug diff --git a/puppet/modules/systemd/spec/defines/tmpfile_spec.rb b/puppet/modules/systemd/spec/defines/tmpfile_spec.rb new file mode 100644 index 00000000..4eb22acd --- /dev/null +++ b/puppet/modules/systemd/spec/defines/tmpfile_spec.rb @@ -0,0 +1,48 @@ +require 'spec_helper' + +describe 'systemd::tmpfile' do + + let(:facts) { { + :path => '/usr/bin', + } } + + context 'default params' do + + let(:title) { 'fancy.conf' } + + it 'creates the tmpfile' do + should contain_file('/etc/tmpfiles.d/fancy.conf').with({ + 'ensure' => 'file', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0444', + }) + end + + it 'triggers systemd daemon-reload' do + should contain_class('systemd') + should contain_file('/etc/tmpfiles.d/fancy.conf').with_notify("Exec[systemd-tmpfiles-create]") + end + end + + context 'with params' do + let(:title) { 'fancy.conf' } + + let(:params) { { + :ensure => 'absent', + :path => '/etc/tmpfiles.d/foo', + :content => 'some-content', + :source => 'some-source', + } } + + it 'creates the unit file' do + should contain_file('/etc/tmpfiles.d/foo/fancy.conf').with({ + 'ensure' => 'absent', + 'content' => 'some-content', + 'source' => 'some-source', + }) + end + + end + +end diff --git a/puppet/modules/systemd/spec/defines/unit_file_spec.rb b/puppet/modules/systemd/spec/defines/unit_file_spec.rb new file mode 100644 index 00000000..88a0122c --- /dev/null +++ b/puppet/modules/systemd/spec/defines/unit_file_spec.rb @@ -0,0 +1,50 @@ +require 'spec_helper' + +describe 'systemd::unit_file' do + + let(:facts) { { + :path => '/usr/bin', + } } + + context 'default params' do + + let(:title) { 'fancy.service' } + + it 'creates the unit file' do + should contain_file('/etc/systemd/system/fancy.service').with({ + 'ensure' => 'file', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0444', + }) + end + + it 'triggers systemd daemon-reload' do + should contain_class('systemd') + should contain_file('/etc/systemd/system/fancy.service').with_notify("Exec[systemctl-daemon-reload]") + end + end + + context 'with params' do + let(:title) { 'fancy.service' } + + let(:params) { { + :ensure => 'absent', + :path => '/usr/lib/systemd/system', + :content => 'some-content', + :source => 'some-source', + :target => 'some-target', + } } + + it 'creates the unit file' do + should contain_file('/usr/lib/systemd/system/fancy.service').with({ + 'ensure' => 'absent', + 'content' => 'some-content', + 'source' => 'some-source', + 'target' => 'some-target', + }) + end + + end + +end diff --git a/puppet/modules/systemd/spec/unit/facter/systemd_spec.rb b/puppet/modules/systemd/spec/unit/facter/systemd_spec.rb new file mode 100644 index 00000000..a7b62410 --- /dev/null +++ b/puppet/modules/systemd/spec/unit/facter/systemd_spec.rb @@ -0,0 +1,41 @@ +require "spec_helper" + +describe Facter::Util::Fact do + before { + Facter.clear + } + + describe "systemd" do + context 'returns true when systemd present' do + before do + Facter.fact(:kernel).stubs(:value).returns(:linux) + end + let(:facts) { {:kernel => :linux} } + it do + Facter::Util::Resolution.expects(:exec).with('ps -p 1 -o comm=').returns('systemd') + expect(Facter.value(:systemd)).to eq(true) + end + end + context 'returns false when systemd not present' do + before do + Facter.fact(:kernel).stubs(:value).returns(:linux) + end + let(:facts) { {:kernel => :linux} } + it do + Facter::Util::Resolution.expects(:exec).with('ps -p 1 -o comm=').returns('init') + expect(Facter.value(:systemd)).to eq(false) + end + end + + context 'returns nil when kernel is not linux' do + before do + Facter.fact(:kernel).stubs(:value).returns(:windows) + end + let(:facts) { {:kernel => :windows} } + it do + Facter::Util::Resolution.expects(:exec).with('ps -p 1 -o comm=').never + expect(Facter.value(:systemd)).to be_nil + end + end + end +end diff --git a/puppet/modules/systemd/spec/unit/facter/systemd_version_spec.rb b/puppet/modules/systemd/spec/unit/facter/systemd_version_spec.rb new file mode 100644 index 00000000..5007dc69 --- /dev/null +++ b/puppet/modules/systemd/spec/unit/facter/systemd_version_spec.rb @@ -0,0 +1,31 @@ +require "spec_helper" + +describe Facter::Util::Fact do + before { + Facter.clear + } + + describe "systemd_version" do + context 'returns version when systemd fact present' do + before do + Facter.fact(:systemd).stubs(:value).returns(true) + end + let(:facts) { {:systemd => true} } + it do + Facter::Util::Resolution.expects(:exec).with("systemctl --version | awk '/systemd/{ print $2 }'").returns('229') + expect(Facter.value(:systemd_version)).to eq('229') + end + end + context 'returns nil when systemd fact not present' do + before do + Facter.fact(:systemd).stubs(:value).returns(false) + end + let(:facts) { {:systemd => false } } + it do + Facter::Util::Resolution.stubs(:exec) + Facter::Util::Resolution.expects(:exec).with("systemctl --version | awk '/systemd/{ print $2 }'").never + expect(Facter.value(:systemd_version)).to eq(nil) + end + end + end +end diff --git a/puppet/modules/systemd/templates/limits.erb b/puppet/modules/systemd/templates/limits.erb new file mode 100644 index 00000000..3caf5867 --- /dev/null +++ b/puppet/modules/systemd/templates/limits.erb @@ -0,0 +1,26 @@ +# This file is created by Puppet +[Service] +<% +[ + 'LimitCPU', + 'LimitFSIZE', + 'LimitDATA', + 'LimitSTACK', + 'LimitCORE', + 'LimitRSS', + 'LimitNOFILE', + 'LimitAS', + 'LimitNPROC', + 'LimitMEMLOCK', + 'LimitLOCKS', + 'LimitSIGPENDING', + 'LimitMSGQUEUE', + 'LimitNICE', + 'LimitRTPRIO', + 'LimitRTTIME' +].each do |d| +if @limits[d] -%> +<%= d %>=<%= @limits[d] %> +<% +end +end %> -- cgit v1.2.3 From cfd1f9ee35f7b80b17c460b77709d3d5dc880638 Mon Sep 17 00:00:00 2001 From: Tulio Casagrande Date: Mon, 16 Jan 2017 15:15:41 -0200 Subject: Add apache auto-restart extension file --- puppet/modules/site_apache/files/auto_restart.conf | 2 ++ puppet/modules/site_apache/manifests/common.pp | 1 + puppet/modules/site_apache/manifests/common/extensions.pp | 14 ++++++++++++++ puppet/modules/site_apache/spec/classes/extensions.rb | 7 +++++++ puppet/modules/site_apache/spec/spec_helper.rb | 6 ++++++ 5 files changed, 30 insertions(+) create mode 100644 puppet/modules/site_apache/files/auto_restart.conf create mode 100644 puppet/modules/site_apache/manifests/common/extensions.pp create mode 100644 puppet/modules/site_apache/spec/classes/extensions.rb create mode 100644 puppet/modules/site_apache/spec/spec_helper.rb (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/files/auto_restart.conf b/puppet/modules/site_apache/files/auto_restart.conf new file mode 100644 index 00000000..8a764e34 --- /dev/null +++ b/puppet/modules/site_apache/files/auto_restart.conf @@ -0,0 +1,2 @@ +[Service] +Restart=always diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 208c15d5..c96932dd 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp @@ -28,5 +28,6 @@ class site_apache::common { include site_apache::common::tls include site_apache::common::acme + include site_apache::common::extensions } diff --git a/puppet/modules/site_apache/manifests/common/extensions.pp b/puppet/modules/site_apache/manifests/common/extensions.pp new file mode 100644 index 00000000..ddeafae0 --- /dev/null +++ b/puppet/modules/site_apache/manifests/common/extensions.pp @@ -0,0 +1,14 @@ +class site_apache::common::extensions { + + include ::systemd + file { '/etc/systemd/system/apache2.service.d/auto_restart.conf': + source => 'puppet:///modules/site_apache/auto_restart.conf', + owner => 'root', + group => 'root', + mode => '0644', + require => [ + Service['apache'] + ] + }~> + Exec['systemctl-daemon-reload'] +} diff --git a/puppet/modules/site_apache/spec/classes/extensions.rb b/puppet/modules/site_apache/spec/classes/extensions.rb new file mode 100644 index 00000000..164034c2 --- /dev/null +++ b/puppet/modules/site_apache/spec/classes/extensions.rb @@ -0,0 +1,7 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'site_apache::common::extensions' do + it "should include apache autostart" do + should contain_file('/etc/systemd/system/apache2.service.d/auto_restart.conf').with_source('puppet:///modules/site_apache/apache_auto_restart.conf') + end +end diff --git a/puppet/modules/site_apache/spec/spec_helper.rb b/puppet/modules/site_apache/spec/spec_helper.rb new file mode 100644 index 00000000..dea9e892 --- /dev/null +++ b/puppet/modules/site_apache/spec/spec_helper.rb @@ -0,0 +1,6 @@ +require 'rspec-puppet' + +RSpec.configure do |c| + c.module_path = File.expand_path(File.join(File.dirname(__FILE__), '..', '..')) + c.color = true +end -- cgit v1.2.3 From 6748ba91d4d5fb77bb9034f8fc39e6735e2ef375 Mon Sep 17 00:00:00 2001 From: Tulio Casagrande Date: Mon, 16 Jan 2017 17:24:50 -0200 Subject: Update how exec is run --- puppet/modules/site_apache/manifests/common/extensions.pp | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/manifests/common/extensions.pp b/puppet/modules/site_apache/manifests/common/extensions.pp index ddeafae0..6e489ce8 100644 --- a/puppet/modules/site_apache/manifests/common/extensions.pp +++ b/puppet/modules/site_apache/manifests/common/extensions.pp @@ -6,9 +6,7 @@ class site_apache::common::extensions { owner => 'root', group => 'root', mode => '0644', - require => [ - Service['apache'] - ] - }~> - Exec['systemctl-daemon-reload'] + require => Service['apache'], + notify => Exec['systemctl-daemon-reload'] + } } -- cgit v1.2.3 From 65604b35e96c4ca6e83c2d90b1c512dfa7ff31e7 Mon Sep 17 00:00:00 2001 From: Tulio Casagrande Date: Mon, 16 Jan 2017 17:25:15 -0200 Subject: Remove spec_helper --- puppet/modules/site_apache/spec/classes/extensions.rb | 2 +- puppet/modules/site_apache/spec/spec_helper.rb | 6 ------ 2 files changed, 1 insertion(+), 7 deletions(-) delete mode 100644 puppet/modules/site_apache/spec/spec_helper.rb (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/spec/classes/extensions.rb b/puppet/modules/site_apache/spec/classes/extensions.rb index 164034c2..632b2d72 100644 --- a/puppet/modules/site_apache/spec/classes/extensions.rb +++ b/puppet/modules/site_apache/spec/classes/extensions.rb @@ -1,4 +1,4 @@ -require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) +require 'spec_helper' describe 'site_apache::common::extensions' do it "should include apache autostart" do diff --git a/puppet/modules/site_apache/spec/spec_helper.rb b/puppet/modules/site_apache/spec/spec_helper.rb deleted file mode 100644 index dea9e892..00000000 --- a/puppet/modules/site_apache/spec/spec_helper.rb +++ /dev/null @@ -1,6 +0,0 @@ -require 'rspec-puppet' - -RSpec.configure do |c| - c.module_path = File.expand_path(File.join(File.dirname(__FILE__), '..', '..')) - c.color = true -end -- cgit v1.2.3 From 810df8983e3ada8ad4b0ebbc7e0e3cf01219e33c Mon Sep 17 00:00:00 2001 From: Tulio Casagrande Date: Tue, 17 Jan 2017 11:03:14 -0200 Subject: Rename extensions module to autorestart --- puppet/modules/site_apache/files/auto_restart.conf | 2 -- puppet/modules/site_apache/files/autorestart.conf | 2 ++ puppet/modules/site_apache/manifests/common.pp | 2 +- .../modules/site_apache/manifests/common/autorestart.pp | 15 +++++++++++++++ puppet/modules/site_apache/manifests/common/extensions.pp | 12 ------------ puppet/modules/site_apache/spec/classes/autorestart.rb | 7 +++++++ puppet/modules/site_apache/spec/classes/extensions.rb | 7 ------- 7 files changed, 25 insertions(+), 22 deletions(-) delete mode 100644 puppet/modules/site_apache/files/auto_restart.conf create mode 100644 puppet/modules/site_apache/files/autorestart.conf create mode 100644 puppet/modules/site_apache/manifests/common/autorestart.pp delete mode 100644 puppet/modules/site_apache/manifests/common/extensions.pp create mode 100644 puppet/modules/site_apache/spec/classes/autorestart.rb delete mode 100644 puppet/modules/site_apache/spec/classes/extensions.rb (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/files/auto_restart.conf b/puppet/modules/site_apache/files/auto_restart.conf deleted file mode 100644 index 8a764e34..00000000 --- a/puppet/modules/site_apache/files/auto_restart.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -Restart=always diff --git a/puppet/modules/site_apache/files/autorestart.conf b/puppet/modules/site_apache/files/autorestart.conf new file mode 100644 index 00000000..8a764e34 --- /dev/null +++ b/puppet/modules/site_apache/files/autorestart.conf @@ -0,0 +1,2 @@ +[Service] +Restart=always diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index c96932dd..4847cbe3 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp @@ -28,6 +28,6 @@ class site_apache::common { include site_apache::common::tls include site_apache::common::acme - include site_apache::common::extensions + include site_apache::common::autorestart } diff --git a/puppet/modules/site_apache/manifests/common/autorestart.pp b/puppet/modules/site_apache/manifests/common/autorestart.pp new file mode 100644 index 00000000..aa13d4ef --- /dev/null +++ b/puppet/modules/site_apache/manifests/common/autorestart.pp @@ -0,0 +1,15 @@ +# +# Adds autorestart extension to apache on crash +# +class site_apache::common::autorestart { + + include ::systemd + file { '/etc/systemd/system/apache2.service.d/autorestart.conf': + source => 'puppet:///modules/site_apache/autorestart.conf', + owner => 'root', + group => 'root', + mode => '0644', + require => Service['apache'], + notify => Exec['systemctl-daemon-reload'] + } +} diff --git a/puppet/modules/site_apache/manifests/common/extensions.pp b/puppet/modules/site_apache/manifests/common/extensions.pp deleted file mode 100644 index 6e489ce8..00000000 --- a/puppet/modules/site_apache/manifests/common/extensions.pp +++ /dev/null @@ -1,12 +0,0 @@ -class site_apache::common::extensions { - - include ::systemd - file { '/etc/systemd/system/apache2.service.d/auto_restart.conf': - source => 'puppet:///modules/site_apache/auto_restart.conf', - owner => 'root', - group => 'root', - mode => '0644', - require => Service['apache'], - notify => Exec['systemctl-daemon-reload'] - } -} diff --git a/puppet/modules/site_apache/spec/classes/autorestart.rb b/puppet/modules/site_apache/spec/classes/autorestart.rb new file mode 100644 index 00000000..afa02ec9 --- /dev/null +++ b/puppet/modules/site_apache/spec/classes/autorestart.rb @@ -0,0 +1,7 @@ +require 'spec_helper' + +describe 'site_apache::common::autorestart' do + it "should include apache autorestart" do + should contain_file('/etc/systemd/system/apache2.service.d/autorestart.conf').with_source('puppet:///modules/site_apache/autorestart.conf') + end +end diff --git a/puppet/modules/site_apache/spec/classes/extensions.rb b/puppet/modules/site_apache/spec/classes/extensions.rb deleted file mode 100644 index 632b2d72..00000000 --- a/puppet/modules/site_apache/spec/classes/extensions.rb +++ /dev/null @@ -1,7 +0,0 @@ -require 'spec_helper' - -describe 'site_apache::common::extensions' do - it "should include apache autostart" do - should contain_file('/etc/systemd/system/apache2.service.d/auto_restart.conf').with_source('puppet:///modules/site_apache/apache_auto_restart.conf') - end -end -- cgit v1.2.3 From b6e19e290eb6395ce0a12bf2307282b00e7456ea Mon Sep 17 00:00:00 2001 From: Tulio Casagrande Date: Tue, 17 Jan 2017 14:26:27 -0200 Subject: Change autorestart to use systemd::unit_file --- puppet/modules/site_apache/manifests/common/autorestart.pp | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/manifests/common/autorestart.pp b/puppet/modules/site_apache/manifests/common/autorestart.pp index aa13d4ef..f8213439 100644 --- a/puppet/modules/site_apache/manifests/common/autorestart.pp +++ b/puppet/modules/site_apache/manifests/common/autorestart.pp @@ -3,13 +3,8 @@ # class site_apache::common::autorestart { - include ::systemd - file { '/etc/systemd/system/apache2.service.d/autorestart.conf': + ::systemd::unit_file { '/etc/systemd/system/apache2.service.d/autorestart.conf': source => 'puppet:///modules/site_apache/autorestart.conf', - owner => 'root', - group => 'root', - mode => '0644', require => Service['apache'], - notify => Exec['systemctl-daemon-reload'] } } -- cgit v1.2.3 From 80e0ca380e92fe435622dbd35d1a5baedb6c3f92 Mon Sep 17 00:00:00 2001 From: Tulio Casagrande Date: Tue, 17 Jan 2017 15:18:30 -0200 Subject: Ensure the directory exists before creating the file with @aarni --- puppet/modules/site_apache/manifests/common/autorestart.pp | 12 ++++++++++-- puppet/modules/site_apache/spec/classes/autorestart.rb | 7 ------- puppet/modules/site_apache/spec/classes/autorestart_spec.rb | 7 +++++++ 3 files changed, 17 insertions(+), 9 deletions(-) delete mode 100644 puppet/modules/site_apache/spec/classes/autorestart.rb create mode 100644 puppet/modules/site_apache/spec/classes/autorestart_spec.rb (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/manifests/common/autorestart.pp b/puppet/modules/site_apache/manifests/common/autorestart.pp index f8213439..0273f272 100644 --- a/puppet/modules/site_apache/manifests/common/autorestart.pp +++ b/puppet/modules/site_apache/manifests/common/autorestart.pp @@ -3,8 +3,16 @@ # class site_apache::common::autorestart { - ::systemd::unit_file { '/etc/systemd/system/apache2.service.d/autorestart.conf': + file { '/etc/systemd/system/apache2.service.d': + ensure => directory, + mode => '0755', + } + + ::systemd::unit_file { 'apache2.service.d/autorestart.conf': source => 'puppet:///modules/site_apache/autorestart.conf', - require => Service['apache'], + require => [ + File['/etc/systemd/system/apache2.service.d'], + Service['apache'], + ] } } diff --git a/puppet/modules/site_apache/spec/classes/autorestart.rb b/puppet/modules/site_apache/spec/classes/autorestart.rb deleted file mode 100644 index afa02ec9..00000000 --- a/puppet/modules/site_apache/spec/classes/autorestart.rb +++ /dev/null @@ -1,7 +0,0 @@ -require 'spec_helper' - -describe 'site_apache::common::autorestart' do - it "should include apache autorestart" do - should contain_file('/etc/systemd/system/apache2.service.d/autorestart.conf').with_source('puppet:///modules/site_apache/autorestart.conf') - end -end diff --git a/puppet/modules/site_apache/spec/classes/autorestart_spec.rb b/puppet/modules/site_apache/spec/classes/autorestart_spec.rb new file mode 100644 index 00000000..ad9c9f2e --- /dev/null +++ b/puppet/modules/site_apache/spec/classes/autorestart_spec.rb @@ -0,0 +1,7 @@ +require 'spec_helper' + +describe 'site_apache::common::autorestart' do + it "should include apache autorestart" do + should contain_file('apache2.service.d/autorestart.conf').with_source('puppet:///modules/site_apache/autorestart.conf') + end +end -- cgit v1.2.3 From 7e51872c854f48eaf372a6025f4550ca801cb447 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 16 Jan 2017 15:41:44 +0100 Subject: Use systemd unit file for nickserver [#8578] --- puppet/modules/site_nickserver/manifests/init.pp | 46 ++++++++---------------- 1 file changed, 15 insertions(+), 31 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index ad97f829..12236b3b 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -101,42 +101,26 @@ class site_nickserver { # NICKSERVER DAEMON # - file { - '/usr/bin/nickserver': - ensure => link, - target => '/srv/leap/nickserver/bin/nickserver', - require => Vcsrepo['/srv/leap/nickserver']; - - '/etc/init.d/nickserver': - owner => root, - group => 0, - mode => '0755', - source => '/srv/leap/nickserver/dist/debian-init-script', - require => Vcsrepo['/srv/leap/nickserver']; + file { '/usr/bin/nickserver': + ensure => link, + target => '/srv/leap/nickserver/bin/nickserver', + require => Vcsrepo['/srv/leap/nickserver']; } - # register initscript at systemd on nodes newer than wheezy - # see https://leap.se/code/issues/7614 - case $::operatingsystemrelease { - /^7.*/: { } - default: { - exec { 'register_systemd_nickserver': - refreshonly => true, - command => '/bin/systemctl enable nickserver', - subscribe => File['/etc/init.d/nickserver'], - before => Service['nickserver']; - } - } + ::systemd::unit_file {'nickserver.service': + ensure => present, + source => '/srv/leap/nickserver/dist/nickserver.service', + subscribe => Vcsrepo['/srv/leap/nickserver'], + require => File['/usr/bin/nickserver']; } service { 'nickserver': - ensure => running, - enable => true, - hasrestart => true, - hasstatus => true, - require => [ - File['/etc/init.d/nickserver'], - File['/usr/bin/nickserver'], + ensure => running, + provider => 'systemd', + enable => true, + require => [ + Systemd::Unit_file['nickserver.service'], + Exec['systemctl-daemon-reload'], Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; -- cgit v1.2.3 From 83b5b3f78953560e53547a8fa21181e09b124744 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 15 Feb 2017 11:17:44 +0100 Subject: Remove old leap-keyring package --- puppet/modules/site_config/manifests/remove.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp index 443df9c2..be6cdfd8 100644 --- a/puppet/modules/site_config/manifests/remove.pp +++ b/puppet/modules/site_config/manifests/remove.pp @@ -2,6 +2,11 @@ class site_config::remove { include site_config::remove::files + package { 'leap-keyring': + ensure => purged, + } + + case $::operatingsystemrelease { /^8.*/: { include site_config::remove::jessie -- cgit v1.2.3 From 0255d8a42fc2c37cfaa660a43936ae546b6178ef Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Apr 2016 15:04:05 +0200 Subject: [feat] dont use backports for passenger anymore --- puppet/modules/site_apt/manifests/preferences/passenger.pp | 14 -------------- puppet/modules/site_config/manifests/remove/jessie.pp | 2 +- 2 files changed, 1 insertion(+), 15 deletions(-) delete mode 100644 puppet/modules/site_apt/manifests/preferences/passenger.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/preferences/passenger.pp b/puppet/modules/site_apt/manifests/preferences/passenger.pp deleted file mode 100644 index 8cd41f91..00000000 --- a/puppet/modules/site_apt/manifests/preferences/passenger.pp +++ /dev/null @@ -1,14 +0,0 @@ -# -# currently, this is only used by static_site to get passenger v4. -# -# UPGRADE: this is not needed for jessie. -# -class site_apt::preferences::passenger { - - apt::preferences_snippet { 'passenger': - package => 'libapache2-mod-passenger', - release => "${::lsbdistcodename}-backports", - priority => 999; - } - -} diff --git a/puppet/modules/site_config/manifests/remove/jessie.pp b/puppet/modules/site_config/manifests/remove/jessie.pp index e9497baf..a3ac19b7 100644 --- a/puppet/modules/site_config/manifests/remove/jessie.pp +++ b/puppet/modules/site_config/manifests/remove/jessie.pp @@ -7,7 +7,7 @@ class site_config::remove::jessie { } apt::preferences_snippet { - [ 'facter', 'obfsproxy', 'python-twisted', 'unbound' ]: + [ 'facter', 'obfsproxy', 'python-twisted', 'unbound', 'passenger' ]: ensure => absent; } -- cgit v1.2.3 From 8b8ddde128d949f041f62dcf26ac65bfcf4b0875 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Apr 2016 15:10:06 +0200 Subject: [feat] dont use backports for rsyslog anymore --- .../site_apt/manifests/preferences/rsyslog.pp | 13 ---------- .../modules/site_config/manifests/remove/jessie.pp | 5 ++-- puppet/modules/site_config/manifests/syslog.pp | 30 ++++++++-------------- 3 files changed, 14 insertions(+), 34 deletions(-) delete mode 100644 puppet/modules/site_apt/manifests/preferences/rsyslog.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp deleted file mode 100644 index bfeaa7da..00000000 --- a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp +++ /dev/null @@ -1,13 +0,0 @@ -class site_apt::preferences::rsyslog { - - apt::preferences_snippet { - 'rsyslog_anon_depends': - package => 'libestr0 librelp0 rsyslog*', - priority => '999', - pin => 'release a=wheezy-backports', - before => Class['rsyslog::install']; - - 'fixed_rsyslog_anon_package': - ensure => absent; - } -} diff --git a/puppet/modules/site_config/manifests/remove/jessie.pp b/puppet/modules/site_config/manifests/remove/jessie.pp index a3ac19b7..2fdc4794 100644 --- a/puppet/modules/site_config/manifests/remove/jessie.pp +++ b/puppet/modules/site_config/manifests/remove/jessie.pp @@ -7,8 +7,9 @@ class site_config::remove::jessie { } apt::preferences_snippet { - [ 'facter', 'obfsproxy', 'python-twisted', 'unbound', 'passenger' ]: - ensure => absent; + [ 'facter', 'obfsproxy', 'python-twisted', 'unbound', 'passenger', + 'rsyslog_anon_depends' ]: + ensure => absent; } } diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index 591e0601..096d5d77 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -1,25 +1,17 @@ # configure rsyslog on all nodes class site_config::syslog { - # only pin rsyslog packages to backports on wheezy - case $::operatingsystemrelease { - /^7.*/: { - include ::site_apt::preferences::rsyslog - } - # on jessie+ systems, systemd and journald are enabled, - # and journald logs IP addresses, so we need to disable - # it until a solution is found, (#7863): - # https://github.com/systemd/systemd/issues/2447 - default: { - include ::journald - augeas { - 'disable_journald': - incl => '/etc/systemd/journald.conf', - lens => 'Puppet.lns', - changes => 'set /files/etc/systemd/journald.conf/Journal/Storage \'none\'', - notify => Service['systemd-journald']; - } - } + # on jessie+ systems, systemd and journald are enabled, + # and journald logs IP addresses, so we need to disable + # it until a solution is found, (#7863): + # https://github.com/systemd/systemd/issues/2447 + include ::journald + augeas { + 'disable_journald': + incl => '/etc/systemd/journald.conf', + lens => 'Puppet.lns', + changes => 'set /files/etc/systemd/journald.conf/Journal/Storage \'none\'', + notify => Service['systemd-journald']; } class { '::rsyslog::client': -- cgit v1.2.3 From 61b0127cb0357e187a930cba1cc0e1ace149ed55 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Apr 2016 15:14:04 +0200 Subject: [feat] only care for apache >= 2.4 --- puppet/modules/site_apache/manifests/common.pp | 16 ++++------------ puppet/modules/site_nagios/manifests/server/apache.pp | 5 +---- 2 files changed, 5 insertions(+), 16 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 4847cbe3..74116575 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp @@ -13,18 +13,10 @@ class site_apache::common { # needed for the mod_ssl config include apache::module::mime - # load mods depending on apache version - if ( $::lsbdistcodename == 'jessie' ) { - # apache >= 2.4, debian jessie - # needed for mod_ssl config - include apache::module::socache_shmcb - # generally needed - include apache::module::mpm_prefork - } else { - # apache < 2.4, debian wheezy - # for "Order" directive, i.e. main apache2.conf - include apache::module::authz_host - } + # needed for mod_ssl config + include apache::module::socache_shmcb + # generally needed + include apache::module::mpm_prefork include site_apache::common::tls include site_apache::common::acme diff --git a/puppet/modules/site_nagios/manifests/server/apache.pp b/puppet/modules/site_nagios/manifests/server/apache.pp index 82962e89..98d38122 100644 --- a/puppet/modules/site_nagios/manifests/server/apache.pp +++ b/puppet/modules/site_nagios/manifests/server/apache.pp @@ -17,9 +17,6 @@ class site_nagios::server::apache { include apache::module::php5 include apache::module::cgi - # apache >= 2.4, debian jessie - if ( $::lsbdistcodename == 'jessie' ) { - include apache::module::authn_core - } + include apache::module::authn_core } -- cgit v1.2.3 From 43124b2481a8c37221a25b9cbc633433bb30b0b0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Apr 2016 15:18:13 +0200 Subject: assume systemd is always present now --- .../site_openvpn/manifests/server_config.pp | 23 +++++++++------------- 1 file changed, 9 insertions(+), 14 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 15e6fb38..f33ab17c 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -209,20 +209,15 @@ define site_openvpn::server_config( server => $openvpn_configname; } - # register openvpn services at systemd on nodes newer than wheezy + # register openvpn services at systemd # see https://leap.se/code/issues/7798 - case $::operatingsystemrelease { - /^7.*/: { } - default: { - exec { "enable_systemd_${openvpn_configname}": - refreshonly => true, - command => "/bin/systemctl enable openvpn@${openvpn_configname}", - subscribe => File["/etc/openvpn/${openvpn_configname}.conf"], - notify => Service["openvpn@${openvpn_configname}"]; - } - service { "openvpn@${openvpn_configname}": - ensure => running - } - } + exec { "enable_systemd_${openvpn_configname}": + refreshonly => true, + command => "/bin/systemctl enable openvpn@${openvpn_configname}", + subscribe => File["/etc/openvpn/${openvpn_configname}.conf"], + notify => Service["openvpn@${openvpn_configname}"]; + } + service { "openvpn@${openvpn_configname}": + ensure => running } } -- cgit v1.2.3 From e982bbf4d35529e59fbff386284d5478c7f5eb66 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Apr 2016 15:18:52 +0200 Subject: no build_essential packages for wheeyz anymore --- puppet/modules/site_config/manifests/packages/build_essential.pp | 6 ------ 1 file changed, 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp index 2b3e13b9..5b9a2602 100644 --- a/puppet/modules/site_config/manifests/packages/build_essential.pp +++ b/puppet/modules/site_config/manifests/packages/build_essential.pp @@ -16,12 +16,6 @@ class site_config::packages::build_essential inherits ::site_config::packages { } } - /^7.*/: { - Package[ 'gcc-4.7','g++-4.7', 'cpp-4.7' ] { - ensure => present - } - } - default: { } } -- cgit v1.2.3 From 03235f93f32edf225128d24325b486531138e486 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Apr 2016 15:23:28 +0200 Subject: [feat] always set smtpd_relay_restrictions now that we deprecate wheezy, we can always set smtpd_relay_restrictions --- puppet/modules/site_postfix/manifests/mx.pp | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2dac85f5..e94320c9 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -140,21 +140,13 @@ class site_postfix::mx { # greater verbosity for debugging, take out for production #include site_postfix::debug - case $::operatingsystemrelease { - /^7.*/: { - $smtpd_relay_restrictions='' - } - default: { - $smtpd_relay_restrictions=" -o smtpd_relay_restrictions=\$smtps_relay_restrictions\n" - } - } - $mastercf_tail = " smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o tls_preempt_cipherlist=yes -${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions + -o smtpd_relay_restrictions=\$smtps_relay_restrictions + -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions -o smtpd_helo_restrictions=\$smtps_helo_restrictions -o smtpd_client_restrictions= -o cleanup_service_name=clean_smtps -- cgit v1.2.3 From ab5f9ccfe525e39dc1d6c77f12ad68878038f2c0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Apr 2016 15:27:10 +0200 Subject: Dont apply specific ssh parameters for wheezy --- puppet/modules/site_sshd/manifests/init.pp | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index a9202da4..7d5c728a 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -57,13 +57,8 @@ class site_sshd { # therefore we don't use it here, but include all other options # that would be applied by the 'hardened' parameter # not all options are available on wheezy - if ( $::lsbdistcodename == 'wheezy' ) { - $tail_additional_options = 'Ciphers aes256-ctr + $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' - } else { - $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr -MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' - } ## ## SSHD SERVER CONFIGURATION -- cgit v1.2.3 From 15d2a330d3382306b80e3bd773604f0a6f0c79d5 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 21 Feb 2017 21:17:46 +0100 Subject: Cleanup modified Gemfile.lock before pulling nickserver vcsrepo Resolves: #8492 --- puppet/modules/site_nickserver/manifests/init.pp | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 12236b3b..8ef47b07 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -61,21 +61,30 @@ class site_nickserver { require => Group['nickserver']; } + # Eariler we used bundle install without --deployment + exec { 'clean_git_repo': + cwd => '/srv/leap/nickserver', + user => 'nickserver', + command => '/usr/bin/git checkout Gemfile.lock', + onlyif => '/usr/bin/git status | /bin/grep -q "modified: *Gemfile.lock"', + require => Package['git'] + } + vcsrepo { '/srv/leap/nickserver': - ensure => present, + ensure => latest, revision => $sources['nickserver']['revision'], provider => $sources['nickserver']['type'], source => $sources['nickserver']['source'], owner => 'nickserver', group => 'nickserver', - require => [ User['nickserver'], Group['nickserver'] ], + require => [ User['nickserver'], Group['nickserver'], Exec['clean_git_repo'] ], notify => Exec['nickserver_bundler_update']; } exec { 'nickserver_bundler_update': cwd => '/srv/leap/nickserver', - command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"', - unless => '/usr/bin/bundle check', + command => '/usr/bin/bundle install --deployment', + unless => '/bin/bash -c "/usr/bin/bundle config --local frozen 1; /usr/bin/bundle check"', user => 'nickserver', timeout => 600, require => [ -- cgit v1.2.3 From dea0638d978b4fab1f6ebe9f20ba51a3cb0effdd Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 27 Feb 2017 10:09:09 +0100 Subject: Install stunnel4 from jessie-backports The jessie version randonly closes the connection prematurely see https://0xacab.org/leap/platform/issues/8746 - Resolves: #8746 --- puppet/modules/site_stunnel/manifests/init.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp index a874721f..5f53d576 100644 --- a/puppet/modules/site_stunnel/manifests/init.pp +++ b/puppet/modules/site_stunnel/manifests/init.pp @@ -5,6 +5,15 @@ class site_stunnel { + # Install stunnel4 from jessie-backports because the + # jessie version randonly closes the connection prematurely + # see https://0xacab.org/leap/platform/issues/8746 + apt::preferences_snippet { 'stunnel4': + package => 'stunnel4', + release => "${::lsbdistcodename}-backports", + priority => 999; + } + # include the generic stunnel module # increase the number of open files to allow for 800 connections class { 'stunnel': default_extra => 'ulimit -n 4096' } @@ -45,4 +54,3 @@ class site_stunnel { include site_stunnel::override_service } - -- cgit v1.2.3 From bb4dd153bbf1174a95017d0046ea9e1320fd81a9 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 23 Feb 2017 11:05:46 +0100 Subject: Linted couchdb.pp --- puppet/modules/site_webapp/manifests/couchdb.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 71450370..175255af 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -1,3 +1,4 @@ +# Configures webapp couchdb config class site_webapp::couchdb { $webapp = hiera('webapp') @@ -22,8 +23,8 @@ class site_webapp::couchdb { # couchdb.admin.yml is a symlink to prevent the vcsrepo resource # from changing its user permissions every time. '/srv/leap/webapp/config/couchdb.admin.yml': - ensure => 'link', - target => '/etc/leap/couchdb.admin.yml', + ensure => 'link', + target => '/etc/leap/couchdb.admin.yml', require => Vcsrepo['/srv/leap/webapp']; '/etc/leap/couchdb.admin.yml': -- cgit v1.2.3 From cce9af1fce42c29bf062cccfc46ef356d83a6328 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 23 Feb 2017 11:42:47 +0100 Subject: [8144] Remove Haproxy We used haproxy because we had multiple bigcouch nodes but now with a single couchdb node this is not needed anymore. - Resolves: #8144 --- puppet/modules/haproxy/.fixtures.yml | 5 - puppet/modules/haproxy/.gemfile | 5 - puppet/modules/haproxy/.gitrepo | 11 -- puppet/modules/haproxy/.travis.yml | 23 ---- puppet/modules/haproxy/CHANGELOG | 5 - puppet/modules/haproxy/Modulefile | 12 -- puppet/modules/haproxy/README.md | 87 ------------ puppet/modules/haproxy/Rakefile | 1 - puppet/modules/haproxy/manifests/balancermember.pp | 95 ------------- puppet/modules/haproxy/manifests/init.pp | 149 --------------------- puppet/modules/haproxy/manifests/listen.pp | 95 ------------- puppet/modules/haproxy/manifests/params.pp | 65 --------- .../modules/haproxy/spec/classes/haproxy_spec.rb | 138 ------------------- .../haproxy/spec/defines/balancermember_spec.rb | 82 ------------ puppet/modules/haproxy/spec/defines/listen_spec.rb | 53 -------- puppet/modules/haproxy/spec/spec.opts | 6 - puppet/modules/haproxy/spec/spec_helper.rb | 1 - .../modules/haproxy/templates/haproxy-base.cfg.erb | 21 --- .../haproxy/templates/haproxy_balancermember.erb | 3 - .../haproxy/templates/haproxy_listen_block.erb | 10 -- puppet/modules/haproxy/tests/init.pp | 69 ---------- .../site_check_mk/manifests/agent/haproxy.pp | 15 --- .../modules/site_config/manifests/remove/webapp.pp | 12 ++ .../modules/site_haproxy/files/haproxy-stats.cfg | 6 - puppet/modules/site_haproxy/manifests/init.pp | 41 ------ puppet/modules/site_haproxy/templates/couch.erb | 32 ----- .../modules/site_haproxy/templates/haproxy.cfg.erb | 11 -- puppet/modules/site_mx/manifests/init.pp | 1 - puppet/modules/site_nickserver/manifests/init.pp | 10 +- puppet/modules/site_webapp/manifests/couchdb.pp | 4 +- puppet/modules/site_webapp/manifests/init.pp | 3 +- 31 files changed, 20 insertions(+), 1051 deletions(-) delete mode 100644 puppet/modules/haproxy/.fixtures.yml delete mode 100644 puppet/modules/haproxy/.gemfile delete mode 100644 puppet/modules/haproxy/.gitrepo delete mode 100644 puppet/modules/haproxy/.travis.yml delete mode 100644 puppet/modules/haproxy/CHANGELOG delete mode 100644 puppet/modules/haproxy/Modulefile delete mode 100644 puppet/modules/haproxy/README.md delete mode 100644 puppet/modules/haproxy/Rakefile delete mode 100644 puppet/modules/haproxy/manifests/balancermember.pp delete mode 100644 puppet/modules/haproxy/manifests/init.pp delete mode 100644 puppet/modules/haproxy/manifests/listen.pp delete mode 100644 puppet/modules/haproxy/manifests/params.pp delete mode 100644 puppet/modules/haproxy/spec/classes/haproxy_spec.rb delete mode 100644 puppet/modules/haproxy/spec/defines/balancermember_spec.rb delete mode 100644 puppet/modules/haproxy/spec/defines/listen_spec.rb delete mode 100644 puppet/modules/haproxy/spec/spec.opts delete mode 100644 puppet/modules/haproxy/spec/spec_helper.rb delete mode 100644 puppet/modules/haproxy/templates/haproxy-base.cfg.erb delete mode 100644 puppet/modules/haproxy/templates/haproxy_balancermember.erb delete mode 100644 puppet/modules/haproxy/templates/haproxy_listen_block.erb delete mode 100644 puppet/modules/haproxy/tests/init.pp delete mode 100644 puppet/modules/site_check_mk/manifests/agent/haproxy.pp delete mode 100644 puppet/modules/site_haproxy/files/haproxy-stats.cfg delete mode 100644 puppet/modules/site_haproxy/manifests/init.pp delete mode 100644 puppet/modules/site_haproxy/templates/couch.erb delete mode 100644 puppet/modules/site_haproxy/templates/haproxy.cfg.erb (limited to 'puppet/modules') diff --git a/puppet/modules/haproxy/.fixtures.yml b/puppet/modules/haproxy/.fixtures.yml deleted file mode 100644 index 8d6f22d6..00000000 --- a/puppet/modules/haproxy/.fixtures.yml +++ /dev/null @@ -1,5 +0,0 @@ -fixtures: - repositories: - concat: "git://github.com/ripienaar/puppet-concat.git" - symlinks: - haproxy: "#{source_dir}" diff --git a/puppet/modules/haproxy/.gemfile b/puppet/modules/haproxy/.gemfile deleted file mode 100644 index 9aad840c..00000000 --- a/puppet/modules/haproxy/.gemfile +++ /dev/null @@ -1,5 +0,0 @@ -source :rubygems - -puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 2.7'] -gem 'puppet', puppetversion -gem 'puppetlabs_spec_helper', '>= 0.1.0' diff --git a/puppet/modules/haproxy/.gitrepo b/puppet/modules/haproxy/.gitrepo deleted file mode 100644 index ed92831a..00000000 --- a/puppet/modules/haproxy/.gitrepo +++ /dev/null @@ -1,11 +0,0 @@ -; DO NOT EDIT (unless you know what you are doing) -; -; This subdirectory is a git "subrepo", and this file is maintained by the -; git-subrepo command. See https://github.com/git-commands/git-subrepo#readme -; -[subrepo] - remote = https://leap.se/git/puppet_haproxy - branch = master - commit = af322a73c013f80a958ab7d5d31d0c75cf6d0523 - parent = 04279dd8d1390d61d696d2c14817199304ccd4d8 - cmdver = 0.3.0 diff --git a/puppet/modules/haproxy/.travis.yml b/puppet/modules/haproxy/.travis.yml deleted file mode 100644 index fdbc95dc..00000000 --- a/puppet/modules/haproxy/.travis.yml +++ /dev/null @@ -1,23 +0,0 @@ -language: ruby -rvm: - - 1.8.7 - - 1.9.3 -script: "rake spec" -branches: - only: - - master -env: - - PUPPET_VERSION=2.6.17 - - PUPPET_VERSION=2.7.19 - #- PUPPET_VERSION=3.0.1 # Breaks due to rodjek/rspec-puppet#58 -notifications: - email: false -gemfile: .gemfile -matrix: - exclude: - - rvm: 1.9.3 - gemfile: .gemfile - env: PUPPET_VERSION=2.6.17 - - rvm: 1.8.7 - gemfile: .gemfile - env: PUPPET_VERSION=3.0.1 diff --git a/puppet/modules/haproxy/CHANGELOG b/puppet/modules/haproxy/CHANGELOG deleted file mode 100644 index 0b6d670f..00000000 --- a/puppet/modules/haproxy/CHANGELOG +++ /dev/null @@ -1,5 +0,0 @@ -2012-10-12 - Version 0.2.0 -- Initial public release -- Backwards incompatible changes all around -- No longer needs ordering passed for more than one listener -- Accepts multiple listen ips/ports/server_names diff --git a/puppet/modules/haproxy/Modulefile b/puppet/modules/haproxy/Modulefile deleted file mode 100644 index e729739b..00000000 --- a/puppet/modules/haproxy/Modulefile +++ /dev/null @@ -1,12 +0,0 @@ -name 'puppetlabs-haproxy' -version '0.2.0' -source 'git://github.com/puppetlabs/puppetlabs-haproxy' -author 'Puppet Labs' -license 'Apache License, Version 2.0' -summary 'Haproxy Module' -description 'An Haproxy module for Redhat family OSes using Storeconfigs' -project_page 'http://github.com/puppetlabs/puppetlabs-haproxy' - -## Add dependencies, if any: -# dependency 'username/name', '>= 1.2.0' -dependency 'ripienaar/concat', '>= 0.1.0' diff --git a/puppet/modules/haproxy/README.md b/puppet/modules/haproxy/README.md deleted file mode 100644 index d209e9ab..00000000 --- a/puppet/modules/haproxy/README.md +++ /dev/null @@ -1,87 +0,0 @@ -PuppetLabs Module for haproxy -============================= - -HAProxy is an HA proxying daemon for load-balancing to clustered services. It -can proxy TCP directly, or other kinds of traffic such as HTTP. - -Dependencies ------------- - -Tested and built on Debian, Ubuntu and CentOS - -Currently requires the ripienaar/concat module on the Puppet Forge and uses storeconfigs on the Puppet Master to export/collect resources -from all balancer members. - -Basic Usage ------------ - -This haproxy uses storeconfigs to collect and realize balancer member servers -on a load balancer server. - -*To install and configure HAProxy server listening on port 8140* - -```puppet -node 'haproxy-server' { - class { 'haproxy': } - haproxy::listen { 'puppet00': - ipaddress => $::ipaddress, - ports => '8140', - } -} -``` - -*To add backend loadbalance members* - -```puppet -node 'webserver01' { - @@haproxy::balancermember { $fqdn: - listening_service => 'puppet00', - server_names => $::hostname, - ipaddresses => $::ipaddress, - ports => '8140', - options => 'check' - } -} -``` - -Configuring haproxy options ---------------------------- - -The base `haproxy` class can accept two parameters which will configure basic -behaviour of the haproxy server daemon: - -- `global_options` to configure the `global` section in `haproxy.cfg` -- `defaults_options` to configure the `defaults` section in `haproxy.cfg` - -Configuring haproxy daemon listener ------------------------------------ - -One `haproxy::listen` defined resource should be defined for each HAProxy loadbalanced set of backend servers. The title of the `haproxy::listen` resource is the key to which balancer members will be proxied to. The `ipaddress` field should be the public ip address which the loadbalancer will be contacted on. The `ports` attribute can accept an array or comma-separated list of ports which should be proxied to the `haproxy::balancermemeber` nodes. - -Configuring haproxy loadbalanced member nodes ---------------------------------------------- - -The `haproxy::balacemember` defined resource should be exported from each node -which is serving loadbalanced traffic. the `listening_service` attribute will -associate it with `haproxy::listen` directives on the haproxy node. -`ipaddresses` and `ports` will be assigned to the member to be contacted on. If an array of `ipaddresses` and `server_names` are provided then they will be added to the config in lock-step. - - -Copyright and License ---------------------- - -Copyright (C) 2012 [Puppet Labs](https://www.puppetlabs.com/) Inc - -Puppet Labs can be contacted at: info@puppetlabs.com - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. diff --git a/puppet/modules/haproxy/Rakefile b/puppet/modules/haproxy/Rakefile deleted file mode 100644 index cd3d3799..00000000 --- a/puppet/modules/haproxy/Rakefile +++ /dev/null @@ -1 +0,0 @@ -require 'puppetlabs_spec_helper/rake_tasks' diff --git a/puppet/modules/haproxy/manifests/balancermember.pp b/puppet/modules/haproxy/manifests/balancermember.pp deleted file mode 100644 index a0e27539..00000000 --- a/puppet/modules/haproxy/manifests/balancermember.pp +++ /dev/null @@ -1,95 +0,0 @@ -# == Define Resource Type: haproxy::balancermember -# -# This type will setup a balancer member inside a listening service -# configuration block in /etc/haproxy/haproxy.cfg on the load balancer. -# currently it only has the ability to specify the instance name, -# ip address, port, and whether or not it is a backup. More features -# can be added as needed. The best way to implement this is to export -# this resource for all haproxy balancer member servers, and then collect -# them on the main haproxy load balancer. -# -# === Requirement/Dependencies: -# -# Currently requires the ripienaar/concat module on the Puppet Forge and -# uses storeconfigs on the Puppet Master to export/collect resources -# from all balancer members. -# -# === Parameters -# -# [*name*] -# The title of the resource is arbitrary and only utilized in the concat -# fragment name. -# -# [*listening_service*] -# The haproxy service's instance name (or, the title of the -# haproxy::listen resource). This must match up with a declared -# haproxy::listen resource. -# -# [*ports*] -# An array or commas-separated list of ports for which the balancer member -# will accept connections from the load balancer. Note that cookie values -# aren't yet supported, but shouldn't be difficult to add to the -# configuration. If you use an array in server_names and ipaddresses, the -# same port is used for all balancermembers. -# -# [*server_names*] -# The name of the balancer member server as known to haproxy in the -# listening service's configuration block. This defaults to the -# hostname. Can be an array of the same length as ipaddresses, -# in which case a balancermember is created for each pair of -# server_names and ipaddresses (in lockstep). -# -# [*ipaddresses*] -# The ip address used to contact the balancer member server. -# Can be an array, see documentation to server_names. -# -# [*options*] -# An array of options to be specified after the server declaration -# in the listening service's configuration block. -# -# -# === Examples -# -# Exporting the resource for a balancer member: -# -# @@haproxy::balancermember { 'haproxy': -# listening_service => 'puppet00', -# ports => '8140', -# server_names => $::hostname, -# ipaddresses => $::ipaddress, -# options => 'check', -# } -# -# -# Collecting the resource on a load balancer -# -# Haproxy::Balancermember <<| listening_service == 'puppet00' |>> -# -# Creating the resource for multiple balancer members at once -# (for single-pass installation of haproxy without requiring a first -# pass to export the resources if you know the members in advance): -# -# haproxy::balancermember { 'haproxy': -# listening_service => 'puppet00', -# ports => '8140', -# server_names => ['server01', 'server02'], -# ipaddresses => ['192.168.56.200', '192.168.56.201'], -# options => 'check', -# } -# -# (this resource can be declared anywhere) -# -define haproxy::balancermember ( - $listening_service, - $ports, - $server_names = $::hostname, - $ipaddresses = $::ipaddress, - $options = '' -) { - # Template uses $ipaddresses, $server_name, $ports, $option - concat::fragment { "${listening_service}_balancermember_${name}": - order => "20-${listening_service}-${name}", - target => '/etc/haproxy/haproxy.cfg', - content => template('haproxy/haproxy_balancermember.erb'), - } -} diff --git a/puppet/modules/haproxy/manifests/init.pp b/puppet/modules/haproxy/manifests/init.pp deleted file mode 100644 index b91591a3..00000000 --- a/puppet/modules/haproxy/manifests/init.pp +++ /dev/null @@ -1,149 +0,0 @@ -# == Class: haproxy -# -# A Puppet module, using storeconfigs, to model an haproxy configuration. -# Currently VERY limited - Pull requests accepted! -# -# === Requirement/Dependencies: -# -# Currently requires the ripienaar/concat module on the Puppet Forge and -# uses storeconfigs on the Puppet Master to export/collect resources -# from all balancer members. -# -# === Parameters -# -# [*enable*] -# Chooses whether haproxy should be installed or ensured absent. -# Currently ONLY accepts valid boolean true/false values. -# -# [*version*] -# Allows you to specify what version of the package to install. -# Default is simply 'present' -# -# [*global_options*] -# A hash of all the haproxy global options. If you want to specify more -# than one option (i.e. multiple timeout or stats options), pass those -# options as an array and you will get a line for each of them in the -# resultant haproxy.cfg file. -# -# [*defaults_options*] -# A hash of all the haproxy defaults options. If you want to specify more -# than one option (i.e. multiple timeout or stats options), pass those -# options as an array and you will get a line for each of them in the -# resultant haproxy.cfg file. -# -# -# === Examples -# -# class { 'haproxy': -# enable => true, -# global_options => { -# 'log' => "${::ipaddress} local0", -# 'chroot' => '/var/lib/haproxy', -# 'pidfile' => '/var/run/haproxy.pid', -# 'maxconn' => '4000', -# 'user' => 'haproxy', -# 'group' => 'haproxy', -# 'daemon' => '', -# 'stats' => 'socket /var/lib/haproxy/stats' -# }, -# defaults_options => { -# 'log' => 'global', -# 'stats' => 'enable', -# 'option' => 'redispatch', -# 'retries' => '3', -# 'timeout' => [ -# 'http-request 10s', -# 'queue 1m', -# 'connect 10s', -# 'client 1m', -# 'server 1m', -# 'check 10s' -# ], -# 'maxconn' => '8000' -# }, -# } -# -class haproxy ( - $manage_service = true, - $enable = true, - $version = 'present', - $global_options = $haproxy::params::global_options, - $defaults_options = $haproxy::params::defaults_options -) inherits haproxy::params { - include concat::setup - - package { 'haproxy': - ensure => $enable ? { - true => $version, - false => absent, - }, - name => 'haproxy', - } - - if $enable { - concat { '/etc/haproxy/haproxy.cfg': - owner => '0', - group => '0', - mode => '0644', - require => Package['haproxy'], - notify => $manage_service ? { - true => Service['haproxy'], - false => undef, - }, - } - - # Simple Header - concat::fragment { '00-header': - target => '/etc/haproxy/haproxy.cfg', - order => '01', - content => "# This file managed by Puppet\n", - } - - # Template uses $global_options, $defaults_options - concat::fragment { 'haproxy-base': - target => '/etc/haproxy/haproxy.cfg', - order => '10', - content => template('haproxy/haproxy-base.cfg.erb'), - } - - if ($::osfamily == 'Debian') { - file { '/etc/default/haproxy': - content => 'ENABLED=1', - require => Package['haproxy'], - before => $manage_service ? { - true => Service['haproxy'], - false => undef, - }, - } - } - - file { $global_options['chroot']: - ensure => directory, - owner => $global_options['user'], - group => $global_options['group'], - mode => '0550', - require => Package['haproxy'] - } - - } - - if $manage_service { - service { 'haproxy': - ensure => $enable ? { - true => running, - false => stopped, - }, - enable => $enable ? { - true => true, - false => false, - }, - name => 'haproxy', - hasrestart => true, - hasstatus => true, - require => [ - Concat['/etc/haproxy/haproxy.cfg'], - File[$global_options['chroot']], - ], - } - } -} diff --git a/puppet/modules/haproxy/manifests/listen.pp b/puppet/modules/haproxy/manifests/listen.pp deleted file mode 100644 index 00636e3d..00000000 --- a/puppet/modules/haproxy/manifests/listen.pp +++ /dev/null @@ -1,95 +0,0 @@ -# == Define Resource Type: haproxy::listen -# -# This type will setup a listening service configuration block inside -# the haproxy.cfg file on an haproxy load balancer. Each listening service -# configuration needs one or more load balancer member server (that can be -# declared with the haproxy::balancermember defined resource type). Using -# storeconfigs, you can export the haproxy::balancermember resources on all -# load balancer member servers, and then collect them on a single haproxy -# load balancer server. -# -# === Requirement/Dependencies: -# -# Currently requires the ripienaar/concat module on the Puppet Forge and -# uses storeconfigs on the Puppet Master to export/collect resources -# from all balancer members. -# -# === Parameters -# -# [*name*] -# The namevar of the defined resource type is the listening service's name. -# This name goes right after the 'listen' statement in haproxy.cfg -# -# [*ports*] -# Ports on which the proxy will listen for connections on the ip address -# specified in the virtual_ip parameter. Accepts either a single -# comma-separated string or an array of strings which may be ports or -# hyphenated port ranges. -# -# [*ipaddress*] -# The ip address the proxy binds to. Empty addresses, '*', and '0.0.0.0' -# mean that the proxy listens to all valid addresses on the system. -# -# [*mode*] -# The mode of operation for the listening service. Valid values are 'tcp', -# HTTP', and 'health'. -# -# [*options*] -# A hash of options that are inserted into the listening service -# configuration block. -# -# [*collect_exported*] -# Boolean, default 'true'. True means 'collect exported @@balancermember resources' -# (for the case when every balancermember node exports itself), false means -# 'rely on the existing declared balancermember resources' (for the case when you -# know the full set of balancermembers in advance and use haproxy::balancermember -# with array arguments, which allows you to deploy everything in 1 run) -# -# -# === Examples -# -# Exporting the resource for a balancer member: -# -# haproxy::listen { 'puppet00': -# ipaddress => $::ipaddress, -# ports => '18140', -# mode => 'tcp', -# options => { -# 'option' => [ -# 'tcplog', -# 'ssl-hello-chk' -# ], -# 'balance' => 'roundrobin' -# }, -# } -# -# === Authors -# -# Gary Larizza -# -define haproxy::listen ( - $ports, - $ipaddress = [$::ipaddress], - $mode = 'tcp', - $collect_exported = true, - $options = { - 'option' => [ - 'tcplog', - 'ssl-hello-chk' - ], - 'balance' => 'roundrobin' - } -) { - # Template uses: $name, $ipaddress, $ports, $options - concat::fragment { "${name}_listen_block": - order => "20-${name}-00", - target => '/etc/haproxy/haproxy.cfg', - content => template('haproxy/haproxy_listen_block.erb'), - } - - if $collect_exported { - Haproxy::Balancermember <<| listening_service == $name |>> - } - # else: the resources have been created and they introduced their - # concat fragments. We don't have to do anything about them. -} diff --git a/puppet/modules/haproxy/manifests/params.pp b/puppet/modules/haproxy/manifests/params.pp deleted file mode 100644 index 53442ddc..00000000 --- a/puppet/modules/haproxy/manifests/params.pp +++ /dev/null @@ -1,65 +0,0 @@ -# == Class: haproxy::params -# -# This is a container class holding default parameters for for haproxy class. -# currently, only the Redhat family is supported, but this can be easily -# extended by changing package names and configuration file paths. -# -class haproxy::params { - case $osfamily { - Redhat: { - $global_options = { - 'log' => "${::ipaddress} local0", - 'chroot' => '/var/lib/haproxy', - 'pidfile' => '/var/run/haproxy.pid', - 'maxconn' => '4000', - 'user' => 'haproxy', - 'group' => 'haproxy', - 'daemon' => '', - 'stats' => 'socket /var/lib/haproxy/stats' - } - $defaults_options = { - 'log' => 'global', - 'stats' => 'enable', - 'option' => 'redispatch', - 'retries' => '3', - 'timeout' => [ - 'http-request 10s', - 'queue 1m', - 'connect 10s', - 'client 1m', - 'server 1m', - 'check 10s', - ], - 'maxconn' => '8000' - } - } - Debian: { - $global_options = { - 'log' => "${::ipaddress} local0", - 'chroot' => '/var/lib/haproxy', - 'pidfile' => '/var/run/haproxy.pid', - 'maxconn' => '4000', - 'user' => 'haproxy', - 'group' => 'haproxy', - 'daemon' => '', - 'stats' => 'socket /var/lib/haproxy/stats' - } - $defaults_options = { - 'log' => 'global', - 'stats' => 'enable', - 'option' => 'redispatch', - 'retries' => '3', - 'timeout' => [ - 'http-request 10s', - 'queue 1m', - 'connect 10s', - 'client 1m', - 'server 1m', - 'check 10s', - ], - 'maxconn' => '8000' - } - } - default: { fail("The $::osfamily operating system is not supported with the haproxy module") } - } -} diff --git a/puppet/modules/haproxy/spec/classes/haproxy_spec.rb b/puppet/modules/haproxy/spec/classes/haproxy_spec.rb deleted file mode 100644 index 4b5902ce..00000000 --- a/puppet/modules/haproxy/spec/classes/haproxy_spec.rb +++ /dev/null @@ -1,138 +0,0 @@ -require 'spec_helper' - -describe 'haproxy', :type => :class do - let(:default_facts) do - { - :concat_basedir => '/dne', - :ipaddress => '10.10.10.10' - } - end - context 'on supported platforms' do - describe 'for OS-agnostic configuration' do - ['Debian', 'RedHat'].each do |osfamily| - context "on #{osfamily} family operatingsystems" do - let(:facts) do - { :osfamily => osfamily }.merge default_facts - end - let(:params) do - {'enable' => true} - end - it { should include_class('concat::setup') } - it 'should install the haproxy package' do - subject.should contain_package('haproxy').with( - 'ensure' => 'present' - ) - end - it 'should install the haproxy service' do - subject.should contain_service('haproxy').with( - 'ensure' => 'running', - 'enable' => 'true', - 'hasrestart' => 'true', - 'hasstatus' => 'true', - 'require' => [ - 'Concat[/etc/haproxy/haproxy.cfg]', - 'File[/var/lib/haproxy]' - ] - ) - end - it 'should set up /etc/haproxy/haproxy.cfg as a concat resource' do - subject.should contain_concat('/etc/haproxy/haproxy.cfg').with( - 'owner' => '0', - 'group' => '0', - 'mode' => '0644' - ) - end - it 'should manage the chroot directory' do - subject.should contain_file('/var/lib/haproxy').with( - 'ensure' => 'directory' - ) - end - it 'should contain a header concat fragment' do - subject.should contain_concat__fragment('00-header').with( - 'target' => '/etc/haproxy/haproxy.cfg', - 'order' => '01', - 'content' => "# This file managed by Puppet\n" - ) - end - it 'should contain a haproxy-base concat fragment' do - subject.should contain_concat__fragment('haproxy-base').with( - 'target' => '/etc/haproxy/haproxy.cfg', - 'order' => '10' - ) - end - describe 'Base concat fragment contents' do - let(:contents) { param_value(subject, 'concat::fragment', 'haproxy-base', 'content').split("\n") } - it 'should contain global and defaults sections' do - contents.should include('global') - contents.should include('defaults') - end - it 'should log to an ip address for local0' do - contents.should be_any { |match| match =~ / log \d+(\.\d+){3} local0/ } - end - it 'should specify the default chroot' do - contents.should include(' chroot /var/lib/haproxy') - end - it 'should specify the correct user' do - contents.should include(' user haproxy') - end - it 'should specify the correct group' do - contents.should include(' group haproxy') - end - it 'should specify the correct pidfile' do - contents.should include(' pidfile /var/run/haproxy.pid') - end - end - end - context "on #{osfamily} family operatingsystems without managing the service" do - let(:facts) do - { :osfamily => osfamily }.merge default_facts - end - let(:params) do - { - 'enable' => true, - 'manage_service' => false, - } - end - it { should include_class('concat::setup') } - it 'should install the haproxy package' do - subject.should contain_package('haproxy').with( - 'ensure' => 'present' - ) - end - it 'should install the haproxy service' do - subject.should_not contain_service('haproxy') - end - end - end - end - describe 'for OS-specific configuration' do - context 'only on Debian family operatingsystems' do - let(:facts) do - { :osfamily => 'Debian' }.merge default_facts - end - it 'should manage haproxy service defaults' do - subject.should contain_file('/etc/default/haproxy').with( - 'before' => 'Service[haproxy]', - 'require' => 'Package[haproxy]' - ) - verify_contents(subject, '/etc/default/haproxy', ['ENABLED=1']) - end - end - context 'only on RedHat family operatingsystems' do - let(:facts) do - { :osfamily => 'RedHat' }.merge default_facts - end - end - end - end - context 'on unsupported operatingsystems' do - let(:facts) do - { :osfamily => 'RainbowUnicorn' }.merge default_facts - end - it do - expect { - should contain_service('haproxy') - }.to raise_error(Puppet::Error, /operating system is not supported with the haproxy module/) - end - end -end diff --git a/puppet/modules/haproxy/spec/defines/balancermember_spec.rb b/puppet/modules/haproxy/spec/defines/balancermember_spec.rb deleted file mode 100644 index 74bc7a8b..00000000 --- a/puppet/modules/haproxy/spec/defines/balancermember_spec.rb +++ /dev/null @@ -1,82 +0,0 @@ -require 'spec_helper' - -describe 'haproxy::balancermember' do - let(:title) { 'tyler' } - let(:facts) do - { - :ipaddress => '1.1.1.1', - :hostname => 'dero' - } - end - - context 'with a single balancermember option' do - let(:params) do - { - :name => 'tyler', - :listening_service => 'croy', - :ports => '18140', - :options => 'check' - } - end - - it { should contain_concat__fragment('croy_balancermember_tyler').with( - 'order' => '20-croy-tyler', - 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => " server dero 1.1.1.1:18140 check\n\n" - ) } - end - - context 'with multiple balancermember options' do - let(:params) do - { - :name => 'tyler', - :listening_service => 'croy', - :ports => '18140', - :options => ['check', 'close'] - } - end - - it { should contain_concat__fragment('croy_balancermember_tyler').with( - 'order' => '20-croy-tyler', - 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => " server dero 1.1.1.1:18140 check close\n\n" - ) } - end - - context 'with multiple servers' do - let(:params) do - { - :name => 'tyler', - :listening_service => 'croy', - :ports => '18140', - :server_names => ['server01', 'server02'], - :ipaddresses => ['192.168.56.200', '192.168.56.201'], - :options => ['check'] - } - end - - it { should contain_concat__fragment('croy_balancermember_tyler').with( - 'order' => '20-croy-tyler', - 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => " server server01 192.168.56.200:18140 check\n server server02 192.168.56.201:18140 check\n\n" - ) } - end - context 'with multiple servers and multiple ports' do - let(:params) do - { - :name => 'tyler', - :listening_service => 'croy', - :ports => ['18140','18150'], - :server_names => ['server01', 'server02'], - :ipaddresses => ['192.168.56.200', '192.168.56.201'], - :options => ['check'] - } - end - - it { should contain_concat__fragment('croy_balancermember_tyler').with( - 'order' => '20-croy-tyler', - 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => " server server01 192.168.56.200:18140,192.168.56.200:18150 check\n server server02 192.168.56.201:18140,192.168.56.201:18150 check\n\n" - ) } - end -end diff --git a/puppet/modules/haproxy/spec/defines/listen_spec.rb b/puppet/modules/haproxy/spec/defines/listen_spec.rb deleted file mode 100644 index 31dd4c85..00000000 --- a/puppet/modules/haproxy/spec/defines/listen_spec.rb +++ /dev/null @@ -1,53 +0,0 @@ -require 'spec_helper' - -describe 'haproxy::listen' do - let(:title) { 'tyler' } - let(:facts) {{ :ipaddress => '1.1.1.1' }} - context "when only one port is provided" do - let(:params) do - { - :name => 'croy', - :ports => '18140' - } - end - - it { should contain_concat__fragment('croy_listen_block').with( - 'order' => '20-croy-00', - 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "listen croy\n\n bind 1.1.1.1:18140\n\n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" - ) } - end - context "when an array of ports is provided" do - let(:params) do - { - :name => 'apache', - :ipaddress => '23.23.23.23', - :ports => [ - '80', - '443', - ] - } - end - - it { should contain_concat__fragment('apache_listen_block').with( - 'order' => '20-apache-00', - 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "listen apache\n\n bind 23.23.23.23:80\n\n bind 23.23.23.23:443\n\n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" - ) } - end - context "when a comma-separated list of ports is provided" do - let(:params) do - { - :name => 'apache', - :ipaddress => '23.23.23.23', - :ports => '80,443' - } - end - - it { should contain_concat__fragment('apache_listen_block').with( - 'order' => '20-apache-00', - 'target' => '/etc/haproxy/haproxy.cfg', - 'content' => "listen apache\n\n bind 23.23.23.23:80\n\n bind 23.23.23.23:443\n\n balance roundrobin\n option tcplog\n option ssl-hello-chk\n" - ) } - end -end diff --git a/puppet/modules/haproxy/spec/spec.opts b/puppet/modules/haproxy/spec/spec.opts deleted file mode 100644 index 91cd6427..00000000 --- a/puppet/modules/haproxy/spec/spec.opts +++ /dev/null @@ -1,6 +0,0 @@ ---format -s ---colour ---loadby -mtime ---backtrace diff --git a/puppet/modules/haproxy/spec/spec_helper.rb b/puppet/modules/haproxy/spec/spec_helper.rb deleted file mode 100644 index 2c6f5664..00000000 --- a/puppet/modules/haproxy/spec/spec_helper.rb +++ /dev/null @@ -1 +0,0 @@ -require 'puppetlabs_spec_helper/module_spec_helper' diff --git a/puppet/modules/haproxy/templates/haproxy-base.cfg.erb b/puppet/modules/haproxy/templates/haproxy-base.cfg.erb deleted file mode 100644 index f25d5c34..00000000 --- a/puppet/modules/haproxy/templates/haproxy-base.cfg.erb +++ /dev/null @@ -1,21 +0,0 @@ -global -<% @global_options.sort.each do |key,val| -%> -<% if val.is_a?(Array) -%> -<% val.each do |item| -%> - <%= key %> <%= item %> -<% end -%> -<% else -%> - <%= key %> <%= val %> -<% end -%> -<% end -%> - -defaults -<% @defaults_options.sort.each do |key,val| -%> -<% if val.is_a?(Array) -%> -<% val.each do |item| -%> - <%= key %> <%= item %> -<% end -%> -<% else -%> - <%= key %> <%= val %> -<% end -%> -<% end -%> diff --git a/puppet/modules/haproxy/templates/haproxy_balancermember.erb b/puppet/modules/haproxy/templates/haproxy_balancermember.erb deleted file mode 100644 index 1d03f565..00000000 --- a/puppet/modules/haproxy/templates/haproxy_balancermember.erb +++ /dev/null @@ -1,3 +0,0 @@ -<% Array(ipaddresses).zip(Array(server_names)).each do |ipaddress,host| -%> - server <%= host %> <%= ipaddress %>:<%= Array(ports).collect {|x|x.split(',')}.flatten.join(",#{ipaddress}:") %> <%= Array(options).join(" ") %> -<% end %> diff --git a/puppet/modules/haproxy/templates/haproxy_listen_block.erb b/puppet/modules/haproxy/templates/haproxy_listen_block.erb deleted file mode 100644 index 129313f1..00000000 --- a/puppet/modules/haproxy/templates/haproxy_listen_block.erb +++ /dev/null @@ -1,10 +0,0 @@ -listen <%= name %> - mode <%= mode %> -<% Array(ipaddress).uniq.each do |virtual_ip| (ports.is_a?(Array) ? ports : Array(ports.split(","))).each do |port| %> - bind <%= virtual_ip %>:<%= port %> -<% end end %> -<% options.sort.each do |key, val| -%> -<% Array(val).each do |item| -%> - <%= key %> <%= item %> -<% end -%> -<% end -%> diff --git a/puppet/modules/haproxy/tests/init.pp b/puppet/modules/haproxy/tests/init.pp deleted file mode 100644 index 77590ac8..00000000 --- a/puppet/modules/haproxy/tests/init.pp +++ /dev/null @@ -1,69 +0,0 @@ -# Declare haproxy base class with configuration options -class { 'haproxy': - enable => true, - global_options => { - 'log' => "${::ipaddress} local0", - 'chroot' => '/var/lib/haproxy', - 'pidfile' => '/var/run/haproxy.pid', - 'maxconn' => '4000', - 'user' => 'haproxy', - 'group' => 'haproxy', - 'daemon' => '', - 'stats' => 'socket /var/lib/haproxy/stats', - }, - defaults_options => { - 'log' => 'global', - 'stats' => 'enable', - 'option' => 'redispatch', - 'retries' => '3', - 'timeout' => [ - 'http-request 10s', - 'queue 1m', - 'connect 10s', - 'client 1m', - 'server 1m', - 'check 10s', - ], - 'maxconn' => '8000', - }, -} - -# Export a balancermember server, note that the listening_service parameter -# will/must correlate with an haproxy::listen defined resource type. -@@haproxy::balancermember { $fqdn: - order => '21', - listening_service => 'puppet00', - server_name => $::hostname, - balancer_ip => $::ipaddress, - balancer_port => '8140', - balancermember_options => 'check' -} - -# Declare a couple of Listening Services for haproxy.cfg -# Note that the balancermember server resources are being collected in -# the haproxy::config defined resource type with the following line: -# Haproxy::Balancermember <<| listening_service == $name |>> -haproxy::listen { 'puppet00': - order => '20', - ipaddress => $::ipaddress, - ports => '18140', - options => { - 'option' => [ - 'tcplog', - 'ssl-hello-chk', - ], - 'balance' => 'roundrobin', - }, -} -haproxy::listen { 'stats': - order => '30', - ipaddress => '', - ports => '9090', - options => { - 'mode' => 'http', - 'stats' => [ - 'uri /', - 'auth puppet:puppet' - ], - }, -} diff --git a/puppet/modules/site_check_mk/manifests/agent/haproxy.pp b/puppet/modules/site_check_mk/manifests/agent/haproxy.pp deleted file mode 100644 index 6d52efba..00000000 --- a/puppet/modules/site_check_mk/manifests/agent/haproxy.pp +++ /dev/null @@ -1,15 +0,0 @@ -class site_check_mk::agent::haproxy { - - include site_check_mk::agent::package::nagios_plugins_contrib - - # local nagios plugin checks via mrpe - augeas { 'haproxy': - incl => '/etc/check_mk/mrpe.cfg', - lens => 'Spacevars.lns', - changes => [ - 'rm /files/etc/check_mk/mrpe.cfg/Haproxy', - 'set Haproxy \'/usr/lib/nagios/plugins/check_haproxy -u "http://localhost:8000/haproxy;csv"\'' ], - require => File['/etc/check_mk/mrpe.cfg']; - } - -} diff --git a/puppet/modules/site_config/manifests/remove/webapp.pp b/puppet/modules/site_config/manifests/remove/webapp.pp index 58f59815..963eb705 100644 --- a/puppet/modules/site_config/manifests/remove/webapp.pp +++ b/puppet/modules/site_config/manifests/remove/webapp.pp @@ -4,4 +4,16 @@ class site_config::remove::webapp { '/etc/apache/sites-enabled/leap_webapp.conf': notify => Service['apache']; } + + # Ensure haproxy is removed + package { 'haproxy': + ensure => purged, + } + augeas { 'haproxy': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => [ 'rm /files/etc/check_mk/mrpe.cfg/Haproxy' ], + require => File['/etc/check_mk/mrpe.cfg']; + } + } diff --git a/puppet/modules/site_haproxy/files/haproxy-stats.cfg b/puppet/modules/site_haproxy/files/haproxy-stats.cfg deleted file mode 100644 index e6335ba2..00000000 --- a/puppet/modules/site_haproxy/files/haproxy-stats.cfg +++ /dev/null @@ -1,6 +0,0 @@ -# provide access to stats for the nagios plugin -listen stats 127.0.0.1:8000 - mode http - stats enable - stats uri /haproxy - diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp deleted file mode 100644 index b28ce80e..00000000 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ /dev/null @@ -1,41 +0,0 @@ -class site_haproxy { - $haproxy = hiera('haproxy') - - class { 'haproxy': - enable => true, - manage_service => true, - global_options => { - 'log' => '127.0.0.1 local0', - 'maxconn' => '4096', - 'stats' => 'socket /var/run/haproxy.sock user haproxy group haproxy', - 'chroot' => '/usr/share/haproxy', - 'user' => 'haproxy', - 'group' => 'haproxy', - 'daemon' => '' - }, - defaults_options => { - 'log' => 'global', - 'retries' => '3', - 'option' => 'redispatch', - 'timeout connect' => '4000', - 'timeout client' => '20000', - 'timeout server' => '20000' - } - } - - # monitor haproxy - concat::fragment { 'stats': - target => '/etc/haproxy/haproxy.cfg', - order => '90', - source => 'puppet:///modules/site_haproxy/haproxy-stats.cfg'; - } - - # Template uses $haproxy - concat::fragment { 'leap_haproxy_webapp_couchdb': - target => '/etc/haproxy/haproxy.cfg', - order => '20', - content => template('site_haproxy/haproxy.cfg.erb'), - } - - include site_check_mk::agent::haproxy -} diff --git a/puppet/modules/site_haproxy/templates/couch.erb b/puppet/modules/site_haproxy/templates/couch.erb deleted file mode 100644 index f42e8368..00000000 --- a/puppet/modules/site_haproxy/templates/couch.erb +++ /dev/null @@ -1,32 +0,0 @@ -frontend couch - bind localhost:<%= @listen_port %> - mode http - option httplog - option dontlognull - option http-server-close # use client keep-alive, but close server connection. - use_backend couch_read if METH_GET - default_backend couch_write - -backend couch_write - mode http - balance roundrobin - option httpchk GET / # health check using simple get to root - option allbackups # balance among all backups, not just one. - default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 -<%- @servers.sort.each do |name,server| -%> -<%- next unless server['writable'] -%> - # <%=name%> - server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%='backup' if server['backup']%> weight <%=server['weight']%> check -<%- end -%> - -backend couch_read - mode http - balance roundrobin - option httpchk GET / # health check using simple get to root - option allbackups # balance among all backups, not just one. - default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 -<%- @servers.sort.each do |name,server| -%> - # <%=name%> - server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%='backup' if server['backup']%> weight <%=server['weight']%> check -<%- end -%> - diff --git a/puppet/modules/site_haproxy/templates/haproxy.cfg.erb b/puppet/modules/site_haproxy/templates/haproxy.cfg.erb deleted file mode 100644 index 8311b1a5..00000000 --- a/puppet/modules/site_haproxy/templates/haproxy.cfg.erb +++ /dev/null @@ -1,11 +0,0 @@ -<%- @haproxy.each do |frontend, options| -%> -<%- if options['servers'] -%> - -## -## <%= frontend %> -## - -<%= scope.function_templatewlv(["site_haproxy/#{frontend}.erb", options]) %> -<%- end -%> -<%- end -%> - diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index c910a45a..5876e555 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -13,7 +13,6 @@ class site_mx { include ::site_stunnel include ::site_postfix::mx - include ::site_haproxy include ::site_shorewall::mx include ::site_shorewall::service::smtp include ::leap_mx diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 8ef47b07..cab13522 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -1,9 +1,8 @@ # -# TODO: currently, this is dependent on some things that are set up in +# TODO: currently, this is dependent on one thing that is set up in # site_webapp # -# (1) HAProxy -> couchdb -# (2) Apache +# (1) Apache # # It would be good in the future to make nickserver installable independently of # site_webapp. @@ -29,10 +28,9 @@ class site_nickserver { # the port that nickserver is actually running on $nickserver_local_port = '64250' - # couchdb is available on localhost via haproxy, which is bound to 4096. + # couchdb is available on localhost via stunnel, which is bound to 4000. $couchdb_host = 'localhost' - # See site_webapp/templates/haproxy_couchdb.cfg.erg - $couchdb_port = '4096' + $couchdb_port = '4000' $sources = hiera('sources') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 175255af..ffe364c6 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -2,9 +2,9 @@ class site_webapp::couchdb { $webapp = hiera('webapp') - # haproxy listener on port localhost:4096, see site_webapp::haproxy + # stunnel endpoint on port localhost:4000 $couchdb_host = 'localhost' - $couchdb_port = '4096' + $couchdb_port = '4000' $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] $couchdb_admin_user = $webapp['couchdb_admin_user']['username'] diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 83cf99a9..1ae80012 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -19,7 +19,6 @@ class site_webapp { include ::site_config::ruby::dev include ::site_webapp::apache include ::site_webapp::couchdb - include ::site_haproxy include ::site_webapp::cron include ::site_config::default include ::site_config::x509::cert @@ -106,7 +105,9 @@ class site_webapp { '/srv/leap/webapp/public/ca.crt': ensure => link, require => Vcsrepo['/srv/leap/webapp'], + # lint:ignore:variable_is_lowercase target => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"; + # lint:endignore "/srv/leap/webapp/public/${api_version}": ensure => directory, -- cgit v1.2.3 From 8c1c4c102936dd779c74d615763e7adef7033ec1 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 15 Mar 2017 00:56:47 +0100 Subject: Direct connection when couch runs locally --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ffe364c6..e1947048 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -4,7 +4,7 @@ class site_webapp::couchdb { $webapp = hiera('webapp') # stunnel endpoint on port localhost:4000 $couchdb_host = 'localhost' - $couchdb_port = '4000' + $couchdb_port = $webapp['couchdb_port'] $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] $couchdb_admin_user = $webapp['couchdb_admin_user']['username'] -- cgit v1.2.3 From 2568ae95455b1800b784971440c609d3680f8dfd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 16 Mar 2017 00:44:44 +0100 Subject: Direct couch connection if running on same host --- puppet/modules/leap_mx/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index d758e3ab..558b5404 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -6,7 +6,7 @@ class leap_mx { $couchdb_password = $leap_mx['password'] $couchdb_host = 'localhost' - $couchdb_port = '4096' + $couchdb_port = hiera('couchdb_port') $sources = hiera('sources') -- cgit v1.2.3 From 168013abf257df1576bc69f907729db60c1fb04a Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 14 Mar 2017 00:04:15 +0100 Subject: Make platform apt dist/component configurable --- puppet/modules/site_apt/manifests/init.pp | 7 +++++++ puppet/modules/site_apt/manifests/leap_repo.pp | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 26bd2c6a..798d0b84 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -12,6 +12,13 @@ class site_apt { # leap repo url $platform_sources = $sources['platform'] $apt_url_platform_basic = $platform_sources['apt']['basic'] + $apt_platform_component = $platform_sources['apt']['component'] + + if ( $platform_sources['apt']['codename'] == '') { + $apt_platform_codename = $::lsbdistcodename + } else { + $apt_platform_codename = $platform_sources['apt']['codename'] + } # needed on jessie hosts for getting pnp4nagios from testing if ( $::operatingsystemmajrelease == '8' ) { diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 5eedce45..3d95d8b6 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -5,7 +5,7 @@ class site_apt::leap_repo { $major_version = $platform['major_version'] apt::sources_list { 'leap.list': - content => "deb ${::site_apt::apt_url_platform_basic} ${::lsbdistcodename} main\n", + content => "deb ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n", before => Exec[refresh_apt] } -- cgit v1.2.3 From 44f20f7c3907d500adde0edc87c90b2cd339acea Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 22 Mar 2017 10:10:16 +0100 Subject: webapp: add secret_key_base to config This replaces the secret_token from rails 4.1 on. Both are used for securing cookies in the browser. The secret_key_base will also encrypt the cookies while the token will only sign them. Keeping the token in there for now allows us to migrate existing sessions / cookies to the new secrets. We can remove it in the next version once all providers have run with secret_key_base for a while. --- puppet/modules/site_webapp/manifests/init.pp | 1 + puppet/modules/site_webapp/templates/config.yml.erb | 1 + 2 files changed, 2 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 1ae80012..deb8e8c8 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -10,6 +10,7 @@ class site_webapp { $provider_domain = $node_domain['full_suffix'] $webapp = hiera('webapp') $api_version = $webapp['api_version'] + $secret_key_base = $webapp['secret_key_base'] $secret_token = $webapp['secret_token'] $tor = hiera('tor', false) $sources = hiera('sources') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index dd55d3e9..1a802f4c 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -8,6 +8,7 @@ production = { "force_ssl" => @webapp['secure'], "client_ca_key" => "%s/%s.key" % [scope.lookupvar('x509::variables::keys'), scope.lookupvar('site_config::params::client_ca_name')], "client_ca_cert" => "%s/%s.crt" % [scope.lookupvar('x509::variables::local_CAs'), scope.lookupvar('site_config::params::client_ca_name')], + "secret_key_base" => @secret_key_base, "secret_token" => @secret_token, "client_cert_lifespan" => cert_options['life_span'], "client_cert_bit_size" => cert_options['bit_size'].to_i, -- cgit v1.2.3 From 10d96b990af1d680e31c291a15c7b66a6522de89 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 24 Apr 2017 12:04:55 -0400 Subject: git subrepo pull (merge) puppet/modules/tor subrepo: subdir: "puppet/modules/tor" merged: "5ef29012" upstream: origin: "https://leap.se/git/puppet_tor" branch: "master" commit: "5ef29012" git-subrepo: version: "0.4.0" origin: "https://github.com/ingydotnet/git-subrepo" commit: "2e78d5d" --- puppet/modules/tor/.gitrepo | 6 +++--- puppet/modules/tor/README | 2 +- puppet/modules/tor/manifests/daemon/base.pp | 14 ++++---------- puppet/modules/tor/manifests/daemon/bridge.pp | 3 --- puppet/modules/tor/manifests/daemon/control.pp | 18 +++++++++--------- puppet/modules/tor/manifests/daemon/directory.pp | 3 --- puppet/modules/tor/manifests/daemon/dns.pp | 3 --- puppet/modules/tor/manifests/daemon/exit_policy.pp | 3 --- puppet/modules/tor/manifests/daemon/hidden_service.pp | 18 +++++++++++------- puppet/modules/tor/manifests/daemon/map_address.pp | 3 --- puppet/modules/tor/manifests/daemon/relay.pp | 3 --- puppet/modules/tor/manifests/daemon/snippet.pp | 3 --- puppet/modules/tor/manifests/daemon/socks.pp | 3 --- puppet/modules/tor/manifests/daemon/transparent.pp | 3 --- puppet/modules/tor/manifests/munin.pp | 2 +- puppet/modules/tor/manifests/repo.pp | 3 ++- puppet/modules/tor/manifests/repo/debian.pp | 2 +- puppet/modules/tor/templates/torrc.directory.erb | 4 ++-- puppet/modules/tor/templates/torrc.global.erb | 4 ++-- puppet/modules/tor/templates/torrc.hidden_service.erb | 6 ++++++ 20 files changed, 42 insertions(+), 64 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/tor/.gitrepo b/puppet/modules/tor/.gitrepo index dfc1b3d9..5e3e3c1f 100644 --- a/puppet/modules/tor/.gitrepo +++ b/puppet/modules/tor/.gitrepo @@ -6,6 +6,6 @@ [subrepo] remote = https://leap.se/git/puppet_tor branch = master - commit = 9981a70f7ba1f9e4fe33e4eb46654295287c1fc1 - parent = 26aac7ccf240b06d65616bdd00ae472d980aaea9 - cmdver = 0.3.0 + commit = 5ef29012dccc90e68afc215be9521629a0903bc6 + parent = 747d3e9b55c8b7b7d98a63474b6de82d7114c389 + cmdver = 0.4.0 diff --git a/puppet/modules/tor/README b/puppet/modules/tor/README index 7777438a..188accac 100644 --- a/puppet/modules/tor/README +++ b/puppet/modules/tor/README @@ -113,7 +113,7 @@ Installing torsocks To install torsocks, simply include the 'torsocks' class in your manifests: - class { 'torsocks': } + class { 'tor::torsocks': } You can specify the $ensure_version class parameter to get a specific version installed. diff --git a/puppet/modules/tor/manifests/daemon/base.pp b/puppet/modules/tor/manifests/daemon/base.pp index 63d7bc4d..c0c82ac6 100644 --- a/puppet/modules/tor/manifests/daemon/base.pp +++ b/puppet/modules/tor/manifests/daemon/base.pp @@ -2,7 +2,7 @@ class tor::daemon::base inherits tor::base { # packages, user, group Service['tor'] { - subscribe => File[$tor::daemon::config_file], + subscribe => Concat[$tor::daemon::config_file], } Package[ 'tor' ] { @@ -49,18 +49,15 @@ class tor::daemon::base inherits tor::base { # tor configuration file concat { $tor::daemon::config_file: - mode => '0600', - owner => 'debian-tor', - group => 'debian-tor', + mode => '0600', + owner => 'debian-tor', + group => 'debian-tor', } # config file headers concat::fragment { '00.header': ensure => present, content => template('tor/torrc.header.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => 00, target => $tor::daemon::config_file, } @@ -68,9 +65,6 @@ class tor::daemon::base inherits tor::base { # global configurations concat::fragment { '01.global': content => template('tor/torrc.global.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => 01, target => $tor::daemon::config_file, } diff --git a/puppet/modules/tor/manifests/daemon/bridge.pp b/puppet/modules/tor/manifests/daemon/bridge.pp index 063f5656..83d74e07 100644 --- a/puppet/modules/tor/manifests/daemon/bridge.pp +++ b/puppet/modules/tor/manifests/daemon/bridge.pp @@ -8,9 +8,6 @@ define tor::daemon::bridge( concat::fragment { "10.bridge.${name}": ensure => $ensure, content => template('tor/torrc.bridge.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => 10, target => $tor::daemon::config_file, } diff --git a/puppet/modules/tor/manifests/daemon/control.pp b/puppet/modules/tor/manifests/daemon/control.pp index 01726562..ee425f33 100644 --- a/puppet/modules/tor/manifests/daemon/control.pp +++ b/puppet/modules/tor/manifests/daemon/control.pp @@ -7,20 +7,20 @@ define tor::daemon::control( $cookie_auth_file_group_readable = '', $ensure = present ) { - if $cookie_authentication == '0' and $hashed_control_password == '' and $ensure != 'absent' { - fail('You need to define the tor control password') - } + if $cookie_authentication == '0' + and $hashed_control_password == '' + and $ensure != 'absent' { + fail('You need to define the tor control password') + } - if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') { - notice('You set a tor cookie authentication option, but do not have cookie_authentication on') - } + if $cookie_authentication == 0 + and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') { + notice('You set a tor cookie authentication option, but do not have cookie_authentication on') # lint:ignore:80chars + } concat::fragment { '04.control': ensure => $ensure, content => template('tor/torrc.control.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0600', order => 04, target => $tor::daemon::config_file, } diff --git a/puppet/modules/tor/manifests/daemon/directory.pp b/puppet/modules/tor/manifests/daemon/directory.pp index d877a861..e2e405da 100644 --- a/puppet/modules/tor/manifests/daemon/directory.pp +++ b/puppet/modules/tor/manifests/daemon/directory.pp @@ -8,9 +8,6 @@ define tor::daemon::directory ( concat::fragment { '06.directory': ensure => $ensure, content => template('tor/torrc.directory.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => 06, target => $tor::daemon::config_file, } diff --git a/puppet/modules/tor/manifests/daemon/dns.pp b/puppet/modules/tor/manifests/daemon/dns.pp index 4677f24d..e8d4fc88 100644 --- a/puppet/modules/tor/manifests/daemon/dns.pp +++ b/puppet/modules/tor/manifests/daemon/dns.pp @@ -7,9 +7,6 @@ define tor::daemon::dns( concat::fragment { "08.dns.${name}": ensure => $ensure, content => template('tor/torrc.dns.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => '08', target => $tor::daemon::config_file, } diff --git a/puppet/modules/tor/manifests/daemon/exit_policy.pp b/puppet/modules/tor/manifests/daemon/exit_policy.pp index f459ece7..df0fb999 100644 --- a/puppet/modules/tor/manifests/daemon/exit_policy.pp +++ b/puppet/modules/tor/manifests/daemon/exit_policy.pp @@ -8,9 +8,6 @@ define tor::daemon::exit_policy( concat::fragment { "07.exit_policy.${name}": ensure => $ensure, content => template('tor/torrc.exit_policy.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => 07, target => $tor::daemon::config_file, } diff --git a/puppet/modules/tor/manifests/daemon/hidden_service.pp b/puppet/modules/tor/manifests/daemon/hidden_service.pp index c8272116..07121bd6 100644 --- a/puppet/modules/tor/manifests/daemon/hidden_service.pp +++ b/puppet/modules/tor/manifests/daemon/hidden_service.pp @@ -1,17 +1,21 @@ # hidden services definition define tor::daemon::hidden_service( - $ports = [], - $data_dir = $tor::daemon::data_dir, - $ensure = present ) { + $ports = [], + $single_hop = false, + $data_dir = $tor::daemon::data_dir, + $ensure = present ) { + + + if $single_hop { + file { "${$data_dir}/${$name}/onion_service_non_anonymous": + ensure => 'present', + } + } concat::fragment { "05.hidden_service.${name}": ensure => $ensure, content => template('tor/torrc.hidden_service.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => 05, target => $tor::daemon::config_file, } } - diff --git a/puppet/modules/tor/manifests/daemon/map_address.pp b/puppet/modules/tor/manifests/daemon/map_address.pp index 270eac21..ac624a0a 100644 --- a/puppet/modules/tor/manifests/daemon/map_address.pp +++ b/puppet/modules/tor/manifests/daemon/map_address.pp @@ -7,9 +7,6 @@ define tor::daemon::map_address( concat::fragment { "08.map_address.${name}": ensure => $ensure, content => template('tor/torrc.map_address.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => '08', target => $tor::daemon::config_file, } diff --git a/puppet/modules/tor/manifests/daemon/relay.pp b/puppet/modules/tor/manifests/daemon/relay.pp index ff528937..555587cd 100644 --- a/puppet/modules/tor/manifests/daemon/relay.pp +++ b/puppet/modules/tor/manifests/daemon/relay.pp @@ -33,9 +33,6 @@ define tor::daemon::relay( concat::fragment { '03.relay': ensure => $ensure, content => template('tor/torrc.relay.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => 03, target => $tor::daemon::config_file, } diff --git a/puppet/modules/tor/manifests/daemon/snippet.pp b/puppet/modules/tor/manifests/daemon/snippet.pp index b9089b40..7e1494c5 100644 --- a/puppet/modules/tor/manifests/daemon/snippet.pp +++ b/puppet/modules/tor/manifests/daemon/snippet.pp @@ -6,9 +6,6 @@ define tor::daemon::snippet( concat::fragment { "99.snippet.${name}": ensure => $ensure, content => $content, - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => 99, target => $tor::daemon::config_file, } diff --git a/puppet/modules/tor/manifests/daemon/socks.pp b/puppet/modules/tor/manifests/daemon/socks.pp index 910461c9..54c8b6a2 100644 --- a/puppet/modules/tor/manifests/daemon/socks.pp +++ b/puppet/modules/tor/manifests/daemon/socks.pp @@ -6,9 +6,6 @@ define tor::daemon::socks( concat::fragment { '02.socks': content => template('tor/torrc.socks.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => 02, target => $tor::daemon::config_file, } diff --git a/puppet/modules/tor/manifests/daemon/transparent.pp b/puppet/modules/tor/manifests/daemon/transparent.pp index 65d744f4..6ac7b44c 100644 --- a/puppet/modules/tor/manifests/daemon/transparent.pp +++ b/puppet/modules/tor/manifests/daemon/transparent.pp @@ -7,9 +7,6 @@ define tor::daemon::transparent( concat::fragment { "09.transparent.${name}": ensure => $ensure, content => template('tor/torrc.transparent.erb'), - owner => 'debian-tor', - group => 'debian-tor', - mode => '0644', order => '09', target => $tor::daemon::config_file, } diff --git a/puppet/modules/tor/manifests/munin.pp b/puppet/modules/tor/manifests/munin.pp index 4412337a..2a01175c 100644 --- a/puppet/modules/tor/manifests/munin.pp +++ b/puppet/modules/tor/manifests/munin.pp @@ -8,7 +8,7 @@ class tor::munin { } Munin::Plugin::Deploy { - config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051" + config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051" # lint:ignore:80chars } munin::plugin::deploy { 'tor_connections': diff --git a/puppet/modules/tor/manifests/repo.pp b/puppet/modules/tor/manifests/repo.pp index f6255995..95492191 100644 --- a/puppet/modules/tor/manifests/repo.pp +++ b/puppet/modules/tor/manifests/repo.pp @@ -1,3 +1,4 @@ +# setup repository for tor class tor::repo ( $ensure = present, $source_name = 'torproject.org', @@ -10,7 +11,7 @@ class tor::repo ( class { 'tor::repo::debian': } } default: { - fail("Unsupported managed repository for osfamily: ${::osfamily}, operatingsystem: ${::operatingsystem}, module ${module_name} currently only supports managing repos for osfamily Debian and Ubuntu") + fail("Unsupported managed repository for osfamily: ${::osfamily}, operatingsystem: ${::operatingsystem}, module ${module_name} currently only supports managing repos for osfamily Debian and Ubuntu") # lint:ignore:80chars } } } diff --git a/puppet/modules/tor/manifests/repo/debian.pp b/puppet/modules/tor/manifests/repo/debian.pp index 174c3310..81976a2e 100644 --- a/puppet/modules/tor/manifests/repo/debian.pp +++ b/puppet/modules/tor/manifests/repo/debian.pp @@ -1,6 +1,6 @@ # PRIVATE CLASS: do not use directly class tor::repo::debian inherits tor::repo { - apt::source { $source_name: + apt::source { $tor::repo::source_name: ensure => $::tor::repo::ensure, location => $::tor::repo::location, key => $::tor::repo::key, diff --git a/puppet/modules/tor/templates/torrc.directory.erb b/puppet/modules/tor/templates/torrc.directory.erb index 1af9f40f..c7dc4ab5 100644 --- a/puppet/modules/tor/templates/torrc.directory.erb +++ b/puppet/modules/tor/templates/torrc.directory.erb @@ -1,11 +1,11 @@ # directory listing -<% if port != '0' -%> +<% if @port != '0' -%> DirPort <%= @port %> <% end -%> <% listen_addresses.each do |listen_address| -%> DirListenAddress <%= listen_address %> <% end -%> <% if @port_front_page != '' -%> -DirPortFrontPage <%= port_front_page %> +DirPortFrontPage <%= @port_front_page %> <%- end -%> diff --git a/puppet/modules/tor/templates/torrc.global.erb b/puppet/modules/tor/templates/torrc.global.erb index f577673d..a02afc8e 100644 --- a/puppet/modules/tor/templates/torrc.global.erb +++ b/puppet/modules/tor/templates/torrc.global.erb @@ -12,8 +12,8 @@ Log notice syslog Log <%= log_rule %> <% end -%> <% end -%> -<%- if @safe_logging != 1 then -%> -SafeLogging <%= @safe_logging %> +<%- if (v=scope.lookupvar('tor::daemon::safe_logging')) != '1' then -%> +SafeLogging <%= v %> <%- end -%> <% if (v=scope.lookupvar('tor::daemon::automap_hosts_on_resolve')) != '0' -%> diff --git a/puppet/modules/tor/templates/torrc.hidden_service.erb b/puppet/modules/tor/templates/torrc.hidden_service.erb index 4dec0b25..5b6afe1c 100644 --- a/puppet/modules/tor/templates/torrc.hidden_service.erb +++ b/puppet/modules/tor/templates/torrc.hidden_service.erb @@ -1,3 +1,9 @@ +<% if @single_hop != false %> +HiddenServiceSingleHopMode 1 +HiddenServiceNonAnonymousMode 1 +SOCKSPort 0 +<% end %> + # hidden service <%= @name %> HiddenServiceDir <%= @data_dir %>/<%= @name %> <% @ports.each do |port| -%> -- cgit v1.2.3 From c393af8fd5321b8ddf547aed22f833899e56e20e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 24 Apr 2017 12:08:10 -0400 Subject: Lint --- .../modules/site_static/manifests/hidden_service.pp | 20 ++++++++++---------- .../modules/site_webapp/manifests/hidden_service.pp | 20 ++++++++++---------- 2 files changed, 20 insertions(+), 20 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp index f1f15f8e..8a10398a 100644 --- a/puppet/modules/site_static/manifests/hidden_service.pp +++ b/puppet/modules/site_static/manifests/hidden_service.pp @@ -5,18 +5,18 @@ class site_static::hidden_service { tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'] } file { '/var/lib/tor/webapp/': - ensure => directory, - owner => 'debian-tor', - group => 'debian-tor', - mode => '2700'; + ensure => directory, + owner => 'debian-tor', + group => 'debian-tor', + mode => '2700'; '/var/lib/tor/static/private_key': - ensure => present, - source => "/srv/leap/files/nodes/${::hostname}/tor.key", - owner => 'debian-tor', - group => 'debian-tor', - mode => '0600', - notify => Service['tor']; + ensure => present, + source => "/srv/leap/files/nodes/${::hostname}/tor.key", + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600', + notify => Service['tor']; '/var/lib/tor/static/hostname': ensure => present, diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index d2662b65..81d431cd 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -15,18 +15,18 @@ class site_webapp::hidden_service { file { '/var/lib/tor/webapp/': - ensure => directory, - owner => 'debian-tor', - group => 'debian-tor', - mode => '2700'; + ensure => directory, + owner => 'debian-tor', + group => 'debian-tor', + mode => '2700'; '/var/lib/tor/webapp/private_key': - ensure => present, - source => "/srv/leap/files/nodes/${::hostname}/tor.key", - owner => 'debian-tor', - group => 'debian-tor', - mode => '0600', - notify => Service['tor']; + ensure => present, + source => "/srv/leap/files/nodes/${::hostname}/tor.key", + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600', + notify => Service['tor']; '/var/lib/tor/webapp/hostname': ensure => present, -- cgit v1.2.3 From ada9645de11d75701db8202f34de5c26a2b749c2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 24 Apr 2017 14:38:32 -0400 Subject: Add single-hop hidden service capability. This cuts the number of hops for a tor onion service from 6 to 3, speeding it up considerably. This removes the anonymity aspect of the service, so it must be enabled intentionally, knowing that the server's location no longer is hidden. --- puppet/modules/site_static/manifests/hidden_service.pp | 7 +++++-- puppet/modules/site_static/manifests/init.pp | 3 +-- puppet/modules/site_tor/manifests/init.pp | 2 +- puppet/modules/site_webapp/manifests/hidden_service.pp | 5 ++++- 4 files changed, 11 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp index 8a10398a..b64a35bc 100644 --- a/puppet/modules/site_static/manifests/hidden_service.pp +++ b/puppet/modules/site_static/manifests/hidden_service.pp @@ -1,8 +1,11 @@ # create hidden service for static sites -class site_static::hidden_service { +class site_static::hidden_service ( $single_hop = false ) { include tor::daemon - tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'] } + tor::daemon::hidden_service { 'static': + ports => [ '80 127.0.0.1:80'], + single_hop => $single_hop + } file { '/var/lib/tor/webapp/': ensure => directory, diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index dd3f912d..8be791e5 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -74,8 +74,7 @@ class site_static { if $tor { $hidden_service = $tor['hidden_service'] $tor_domain = "${hidden_service['address']}.onion" - if $hidden_service['active'] { - include site_static::hidden_service + class { 'site_static::hidden_service': single_hop => $hidden_service['single_hop'] } # Currently, we only support a single hidden service address per server. # So if there is more than one domain configured, then we need to make sure diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 2207a5a9..8a92a944 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -20,7 +20,7 @@ class site_tor { } include site_config::default - include tor::daemon + class { 'tor::daemon': ensure_version => latest } tor::daemon::relay { $nickname: port => 9001, address => $address, diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 81d431cd..6651df86 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -11,7 +11,10 @@ class site_webapp::hidden_service { include apache::module::removeip include tor::daemon - tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'] } + tor::daemon::hidden_service { 'webapp': + ports => [ '80 127.0.0.1:80'], + single_hop => $hidden_service['single_hop'] + } file { '/var/lib/tor/webapp/': -- cgit v1.2.3 From 22c947c33a452e912859832c78bd3660b6734cc6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 May 2017 12:32:05 -0400 Subject: Add signed-by option to sources.list (Closes: #8425) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This gets us a simple apt repository privilege separation: (a) our key can't be used to forge other repos (b) other keys can't be used to forge our repo. From sources.list(5): · Signed-By (signed-by) is either an absolute path to a keyring file (has to be accessible and readable for the _apt user, so ensure everyone has read-permissions on the file) or one or more fingerprints of keys either in the trusted.gpg keyring or in the keyrings in the trusted.gpg.d/ directory (see apt-key fingerprint). If the option is set, only the key(s) in this keyring or only the keys with these fingerprints are used for the apt-secure(8) verification of this repository. Defaults to the value of the option with the same name if set in the previously acquired Release file. Otherwise all keys in the trusted keyrings are considered valid signers for this repository. --- puppet/modules/site_apt/manifests/leap_repo.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 3d95d8b6..7c6c49c5 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -4,8 +4,14 @@ class site_apt::leap_repo { $platform = hiera_hash('platform') $major_version = $platform['major_version'] + if $::site_apt::apt_url_platform_basic =~ /.*experimental.*/ { + $archive_key = '/usr/share/keyrings/leap-experimental-archive.gpg' + } else { + $archive_key = '/usr/share/keyrings/leap-archive.gpg' + } + apt::sources_list { 'leap.list': - content => "deb ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n", + content => "deb [signed-by=${archive_key}] ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n", before => Exec[refresh_apt] } -- cgit v1.2.3 From 68e9a28da2db4cb494bc19a1aeaa0663cb286414 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 May 2017 16:23:20 -0400 Subject: Restructure site_tor to be more clear and re-usable (fixes #8784). This makes a more clear site_tor::relay class that the leap service includes, and a more generic site_tor class that other classes can depend on for setting up the initial install. --- .../site_static/manifests/hidden_service.pp | 2 +- puppet/modules/site_tor/manifests/init.pp | 41 +------------------- puppet/modules/site_tor/manifests/relay.pp | 45 ++++++++++++++++++++++ .../site_webapp/manifests/hidden_service.pp | 2 +- 4 files changed, 48 insertions(+), 42 deletions(-) create mode 100644 puppet/modules/site_tor/manifests/relay.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp index b64a35bc..31cf328e 100644 --- a/puppet/modules/site_static/manifests/hidden_service.pp +++ b/puppet/modules/site_static/manifests/hidden_service.pp @@ -1,7 +1,7 @@ # create hidden service for static sites class site_static::hidden_service ( $single_hop = false ) { - include tor::daemon + include site_tor tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'], single_hop => $single_hop diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 8a92a944..356053c1 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -1,45 +1,6 @@ +# generic configuration needed for tor class site_tor { - tag 'leap_service' - Class['site_config::default'] -> Class['site_tor'] - $tor = hiera('tor') - $bandwidth_rate = $tor['bandwidth_rate'] - $tor_type = $tor['type'] - $nickname = $tor['nickname'] - $contact_emails = join($tor['contacts'],', ') - $family = $tor['family'] - - $address = hiera('ip_address') - - $openvpn = hiera('openvpn', undef) - if $openvpn { - $openvpn_ports = $openvpn['ports'] - } - else { - $openvpn_ports = [] - } - - include site_config::default class { 'tor::daemon': ensure_version => latest } - tor::daemon::relay { $nickname: - port => 9001, - address => $address, - contact_info => obfuscate_email($contact_emails), - bandwidth_rate => $bandwidth_rate, - my_family => $family - } - - if ( $tor_type == 'exit'){ - # Only enable the daemon directory if the node isn't also a webapp node - # or running openvpn on port 80 - if ! member($::services, 'webapp') and ! member($openvpn_ports, '80') { - tor::daemon::directory { $::hostname: port => 80 } - } - } - else { - include site_tor::disable_exit - } - - include site_shorewall::tor } diff --git a/puppet/modules/site_tor/manifests/relay.pp b/puppet/modules/site_tor/manifests/relay.pp new file mode 100644 index 00000000..fcb83bc1 --- /dev/null +++ b/puppet/modules/site_tor/manifests/relay.pp @@ -0,0 +1,45 @@ +class site_tor::relay { + tag 'leap_service' + Class['site_config::default'] -> Class['site_tor::relay'] + + $tor = hiera('tor') + $bandwidth_rate = $tor['bandwidth_rate'] + $tor_type = $tor['type'] + $nickname = $tor['nickname'] + $contact_emails = join($tor['contacts'],', ') + $family = $tor['family'] + + $address = hiera('ip_address') + + $openvpn = hiera('openvpn', undef) + if $openvpn { + $openvpn_ports = $openvpn['ports'] + } + else { + $openvpn_ports = [] + } + + include site_config::default + include site_tor + + tor::daemon::relay { $nickname: + port => 9001, + address => $address, + contact_info => obfuscate_email($contact_emails), + bandwidth_rate => $bandwidth_rate, + my_family => $family + } + + if ( $tor_type == 'exit'){ + # Only enable the daemon directory if the node isn't also a webapp node + # or running openvpn on port 80 + if ! member($::services, 'webapp') and ! member($openvpn_ports, '80') { + tor::daemon::directory { $::hostname: port => 80 } + } + } + else { + include site_tor::disable_exit + } + + include site_shorewall::tor +} diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 6651df86..3f3f1d0c 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -10,7 +10,7 @@ class site_webapp::hidden_service { include apache::module::expires include apache::module::removeip - include tor::daemon + include site_tor tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'], single_hop => $hidden_service['single_hop'] -- cgit v1.2.3 From 449d6169b8d0c7f31279b445f5dd103b244d7382 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 May 2017 16:24:15 -0400 Subject: Install tor from backports (fixes #8783). The newer version is needed for the single-hop functionality. --- puppet/modules/site_tor/manifests/init.pp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 356053c1..5e209ba8 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -1,6 +1,14 @@ # generic configuration needed for tor class site_tor { + # Ensure the tor version is the latest from backports + # see https://0xacab.org/leap/platform/issues/8783 + apt::preferences_snippet { 'tor': + package => 'tor', + release => "${::lsbdistcodename}-backports", + priority => 999, + before => Class['tor::daemon'] } + class { 'tor::daemon': ensure_version => latest } } -- cgit v1.2.3 From 65ca1b572024d30dfc12e9fc927099de41c30bd4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 10 May 2017 16:33:40 +0200 Subject: Depend soledad-server on ssl-cert package We should include this in soledad-server package as dependency but until we sorted out this, we depend soledad-server on ssl-cert in the platform. see https://0xacab.org/leap/soledad/issues/8849 for --- puppet/modules/soledad/manifests/server.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 81f51188..3b6a2314 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -54,7 +54,10 @@ class soledad::server { package { $sources['soledad']['package']: ensure => $sources['soledad']['revision'], - require => Class['site_apt::leap_repo']; + require => [ + Class['site_apt::leap_repo'], + Package['ssl-cert'] + ]; } file { '/etc/default/soledad': -- cgit v1.2.3 From 746601becc47fcee9fc85700f175a5b33b310979 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 10 May 2017 20:29:17 +0200 Subject: Nickserver direct access to couchdb on same node Depending whether couchdb is running on the same node as nickserver, couchdb is available on localhost: - When couchdb is running on a different node: Via stunnel, which is bound to 4000. - When couchdb is running on the same node: On port 5984 Resolves: #8793 --- puppet/modules/site_nickserver/manifests/init.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index cab13522..48f7b73d 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -28,9 +28,11 @@ class site_nickserver { # the port that nickserver is actually running on $nickserver_local_port = '64250' - # couchdb is available on localhost via stunnel, which is bound to 4000. + # couchdb is available on localhost: + # - When couchdb is running on a different node: Via stunnel, which is bound to 4000. + # - When couchdb is running on the same node: On port 5984 $couchdb_host = 'localhost' - $couchdb_port = '4000' + $couchdb_port = $nickserver['couchdb_port'] $sources = hiera('sources') -- cgit v1.2.3 From 61252fe74c8ec3668af551fb0b0b91f1bfa4705a Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 21 May 2017 23:28:20 +0200 Subject: [vagrant] Use eth1 on vagrant if present Virtualbox adds eth1 as second interface when private networking is enabled. - Related: #7769 --- puppet/modules/site_config/lib/facter/vagrant.rb | 8 ++++++++ puppet/modules/site_config/manifests/params.pp | 13 +++++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_config/lib/facter/vagrant.rb (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/lib/facter/vagrant.rb b/puppet/modules/site_config/lib/facter/vagrant.rb new file mode 100644 index 00000000..29a218dd --- /dev/null +++ b/puppet/modules/site_config/lib/facter/vagrant.rb @@ -0,0 +1,8 @@ +# Checks if systems runs inside vagrant +require 'facter' + +Facter.add(:vagrant) do + setcode do + FileTest.exists?('/vagrant') + end +end diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 012b3ce0..4627515a 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -1,3 +1,4 @@ +# Default parameters class site_config::params { $ip_address = hiera('ip_address') @@ -6,8 +7,16 @@ class site_config::params { $environment = hiera('environment', undef) - if $environment == 'local' { - $interface = 'eth1' + if $::vagrant { + # Depending on the backend hypervisor networking is setup differently. + if $::interfaces =~ /eth1/ { + # Virtualbox: Private networking creates a second interface eth1 + $interface = 'eth1' + } + else { + # KVM/Libvirt: Private networking is done by defauly on first interface + $interface = 'eth0' + } include site_config::packages::build_essential } elsif hiera('interface','') != '' { -- cgit v1.2.3 From 0dec9e7305001353beca3b32e180bc9e707ce8b9 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 May 2017 13:48:15 +0200 Subject: [vagrant] Lint vagrant.pp --- puppet/modules/site_config/manifests/vagrant.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/vagrant.pp b/puppet/modules/site_config/manifests/vagrant.pp index 8f50b305..23ca4de1 100644 --- a/puppet/modules/site_config/manifests/vagrant.pp +++ b/puppet/modules/site_config/manifests/vagrant.pp @@ -1,11 +1,11 @@ +# Gets included on vagrant nodes class site_config::vagrant { - # class for vagrant nodes include site_shorewall::defaults - # eth0 on vagrant nodes is the uplink if + # eth0 on vagrant nodes is the uplink shorewall::interface { 'eth0': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; } } -- cgit v1.2.3 From d2824a6bc1178c6c2ce4923faacfde8e05f8389a Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 May 2017 13:56:57 +0200 Subject: Include site_config::vagrant on vagrant nodes --- puppet/modules/site_config/manifests/setup.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index 82dfe76d..a96f87a6 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp @@ -37,7 +37,7 @@ class site_config::setup { # we need to include shorewall::interface{eth0} in setup.pp so # packages can be installed during main puppetrun, even before shorewall # is configured completly - if ( $::site_config::params::environment == 'local' ) { + if $::vagrant { include site_config::vagrant } -- cgit v1.2.3 From 40f7b49003594a1be8c0540a92292d7cfb63eb61 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 May 2017 13:58:38 +0200 Subject: [vagrant] Don't block eth0 if eth1 is configured Eth0 is vagrant's main interface to access the box --- puppet/modules/site_config/manifests/vagrant.pp | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/vagrant.pp b/puppet/modules/site_config/manifests/vagrant.pp index 23ca4de1..1682de8b 100644 --- a/puppet/modules/site_config/manifests/vagrant.pp +++ b/puppet/modules/site_config/manifests/vagrant.pp @@ -2,10 +2,14 @@ class site_config::vagrant { include site_shorewall::defaults - # eth0 on vagrant nodes is the uplink - shorewall::interface { 'eth0': - zone => 'net', - options => 'tcpflags,blacklist,nosmurfs'; + + if ( $::site_config::params::interface == 'eth1' ) { + # Don't block eth0 even if eth1 is configured, because + # it's vagrant's main interface to access the box + shorewall::interface { 'eth0': + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } } } -- cgit v1.2.3 From 1e463c6638a05a237d660f458f5a147353be3fc1 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 26 May 2017 16:41:51 -0700 Subject: static - support for renewing certs with let's encrypt for static sites --- puppet/modules/site_static/manifests/domain.pp | 13 +++++++++---- puppet/modules/site_static/templates/apache.conf.erb | 10 ++++++++-- 2 files changed, 17 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 6cf2c653..e456c94e 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -1,25 +1,30 @@ # configure static service for domain define site_static::domain ( - $ca_cert, + $ca_cert=undef, $key, $cert, $tls_only=true, $use_hidden_service=false, $locations=undef, $aliases=undef, - $apache_config=undef) { + $apache_config=undef, + $www_alias=false) { $domain = $name $base_dir = '/srv/static' - $cafile = "${cert}\n${ca_cert}" + if ($ca_cert) { + $certfile = "${cert}\n${ca_cert}" + } else { + $certfile = $cert + } if is_hash($locations) { create_resources(site_static::location, $locations) } x509::cert { $domain: - content => $cafile, + content => $certfile, notify => Service[apache] } x509::key { $domain: diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index dd04ca43..eb21e4c9 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -80,7 +80,9 @@ ## ServerName <%= @tor_domain %> +<%- if @www_alias -%> ServerAlias www.<%= @tor_domain %> +<%- end -%> Header set X-Frame-Options "deny" @@ -102,7 +104,9 @@ ## ServerName <%= @domain %> - ServerAlias www.<%= @domain %> +<%- if @www_alias -%> + ServerAlias www.<%= @tor_domain %> +<%- end -%> <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> <%- end -%> @@ -122,7 +126,9 @@ ## ServerName <%= @domain %> - ServerAlias www.<%= @domain %> +<%- if @www_alias -%> + ServerAlias www.<%= @tor_domain %> +<%- end -%> <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> <%- end -%> -- cgit v1.2.3 From a5ac9fa3c8c7910997fc1b0ee305f729f1bf061a Mon Sep 17 00:00:00 2001 From: Varac Date: Thu, 15 Jun 2017 15:48:32 +0200 Subject: Stop sending mails for nagios alerts It's just too much mail... And there are other tools like nagstamon that are better suited to get an overview what's failing. Resolves: #8772 --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 62f26f2c..1a9f266e 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -773,7 +773,7 @@ accept_passive_host_checks=1 # service notifications when it is initially (re)started. # Values: 1 = enable notifications, 0 = disable notifications -enable_notifications=1 +enable_notifications=0 @@ -1299,4 +1299,3 @@ host_perfdata_file_template=DATATYPE::HOSTPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$H host_perfdata_file_mode=a host_perfdata_file_processing_interval=15 host_perfdata_file_processing_command=process-host-perfdata-file-pnp4nagios-bulk-npcd - -- cgit v1.2.3 From f3bafe6b2cb55305bba588fdca4f4e77e3ef2026 Mon Sep 17 00:00:00 2001 From: Varac Date: Thu, 22 Jun 2017 11:23:43 +0200 Subject: Delay hard state of the nagios APT check Delay a hard state of the APT check for 1 day so unattended_upgrades has time to upgrade packages. Resolves: #8748 --- puppet/modules/site_check_mk/files/extra_service_conf.mk | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/extra_service_conf.mk b/puppet/modules/site_check_mk/files/extra_service_conf.mk index c7120a96..9212af95 100644 --- a/puppet/modules/site_check_mk/files/extra_service_conf.mk +++ b/puppet/modules/site_check_mk/files/extra_service_conf.mk @@ -1,6 +1,9 @@ # retry 3 times before setting a service into a hard state -# and send out notification +# Delay a hard state of the APT check for 1 day +# so unattended_upgrades has time to upgrade packages. +# extra_service_conf["max_check_attempts"] = [ + ("360", ALL_HOSTS , ["APT"] ), ("4", ALL_HOSTS , ALL_SERVICES ) ] @@ -11,4 +14,3 @@ extra_service_conf["max_check_attempts"] = [ extra_service_conf["normal_check_interval"] = [ ("4", ALL_HOSTS , "Check_MK" ) ] - -- cgit v1.2.3 From fc907004a75ab2f8f8302706150b68a9cdd6baf0 Mon Sep 17 00:00:00 2001 From: Varac Date: Sat, 24 Jun 2017 12:14:10 +0200 Subject: Add configured apt component to the unattended-upgrades whitelist Resolves: #8792 --- puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap | 6 ------ puppet/modules/site_apt/manifests/unattended_upgrades.pp | 3 +-- puppet/modules/site_apt/templates/51unattended-upgrades-leap | 5 +++++ 3 files changed, 6 insertions(+), 8 deletions(-) delete mode 100644 puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap create mode 100644 puppet/modules/site_apt/templates/51unattended-upgrades-leap (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap b/puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap deleted file mode 100644 index bbaac6a2..00000000 --- a/puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap +++ /dev/null @@ -1,6 +0,0 @@ -// this file is managed by puppet ! - -Unattended-Upgrade::Allowed-Origins { - "leap.se:stable"; -} - diff --git a/puppet/modules/site_apt/manifests/unattended_upgrades.pp b/puppet/modules/site_apt/manifests/unattended_upgrades.pp index 42f1f4c6..ddadd35a 100644 --- a/puppet/modules/site_apt/manifests/unattended_upgrades.pp +++ b/puppet/modules/site_apt/manifests/unattended_upgrades.pp @@ -11,8 +11,7 @@ class site_apt::unattended_upgrades { # configure LEAP upgrades apt::apt_conf { '51unattended-upgrades-leap': - source => [ - "puppet:///modules/site_apt/${::lsbdistid}/51unattended-upgrades-leap"], + content => template('site_apt/51unattended-upgrades-leap'), require => Package['unattended-upgrades'], refresh_apt => false, } diff --git a/puppet/modules/site_apt/templates/51unattended-upgrades-leap b/puppet/modules/site_apt/templates/51unattended-upgrades-leap new file mode 100644 index 00000000..3e28531f --- /dev/null +++ b/puppet/modules/site_apt/templates/51unattended-upgrades-leap @@ -0,0 +1,5 @@ +// this file is managed by puppet ! + +Unattended-Upgrade::Origins-Pattern { + "site=deb.leap.se,component=<%= @apt_platform_component %>"; +} -- cgit v1.2.3 From b04a1a8e7f4e4f53d1e57fd4868f6741d9420fe1 Mon Sep 17 00:00:00 2001 From: Varac Date: Tue, 27 Jun 2017 14:19:24 +0200 Subject: Don't depend on leap-keymanager anymore leap-mx is now independent of leap-keymanager and we can remove this dependency now. see https://0xacab.org/leap/leap_mx/issues/8558 --- puppet/modules/leap_mx/manifests/init.pp | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 558b5404..f26448e2 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -94,15 +94,11 @@ class leap_mx { # LEAP-MX CODE AND DEPENDENCIES # - package { - $sources['leap-mx']['package']: - ensure => $sources['leap-mx']['revision'], - require => [ - Class['site_apt::leap_repo'], - User['leap-mx'] ]; - - 'leap-keymanager': - ensure => latest; + package { $sources['leap-mx']['package']: + ensure => $sources['leap-mx']['revision'], + require => [ + Class['site_apt::leap_repo'], + User['leap-mx'] ]; } # -- cgit v1.2.3 From 98b6713afff0eec77fdbfe5d1a079607e6ed5b2c Mon Sep 17 00:00:00 2001 From: Varac Date: Tue, 27 Jun 2017 16:12:37 +0200 Subject: Install python-treq from strech on jessie nodes New soledad-common depends on `python-treq`, which is only available in debian stretch. We pin all stretch packages to 1 (same as for sid), which means (from `man apt_preferences`): "causes a version to be installed only if there is no installed version of the package" - Resolves: #8836 --- puppet/modules/site_apt/manifests/init.pp | 22 +++++++++++++--------- .../templates/Debian/preferences_jessie.erb | 19 +++++++++++++++++++ 2 files changed, 32 insertions(+), 9 deletions(-) create mode 100644 puppet/modules/site_apt/templates/Debian/preferences_jessie.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 798d0b84..60fe0483 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -20,20 +20,24 @@ class site_apt { $apt_platform_codename = $platform_sources['apt']['codename'] } - # needed on jessie hosts for getting pnp4nagios from testing + # needed on jessie hosts for getting python-treq from stretch + # see https://0xacab.org/leap/platform/issues/8836 if ( $::operatingsystemmajrelease == '8' ) { - $use_next_release = true + $use_next_release = true + $custom_preferences = template("site_apt/${::operatingsystem}/preferences_jessie.erb") } else { - $use_next_release = false + $use_next_release = false + $custom_preferences = '' } class { 'apt': - custom_key_dir => 'puppet:///modules/site_apt/keys', - debian_url => $apt_url_basic, - security_url => $apt_url_security, - backports_url => $apt_url_backports, - use_next_release => $use_next_release, - repos => 'main' + custom_key_dir => 'puppet:///modules/site_apt/keys', + debian_url => $apt_url_basic, + security_url => $apt_url_security, + backports_url => $apt_url_backports, + use_next_release => $use_next_release, + custom_preferences => $custom_preferences, + repos => 'main' } # enable http://deb.leap.se debian package repository diff --git a/puppet/modules/site_apt/templates/Debian/preferences_jessie.erb b/puppet/modules/site_apt/templates/Debian/preferences_jessie.erb new file mode 100644 index 00000000..879885dd --- /dev/null +++ b/puppet/modules/site_apt/templates/Debian/preferences_jessie.erb @@ -0,0 +1,19 @@ +Explanation: Debian jessie +Package: * +Pin: release o=Debian,n=jessie +Pin-Priority: 990 + +Explanation: Debian stretch +Package: * +Pin: release o=Debian,n=stretch +Pin-Priority: 1 + +Explanation: Debian sid +Package: * +Pin: release o=Debian,n=sid +Pin-Priority: 1 + +Explanation: Debian fallback +Package: * +Pin: release o=Debian +Pin-Priority: -10 -- cgit v1.2.3 From 03ff5b1d22f4487d97818da3693e9a33ba1421a3 Mon Sep 17 00:00:00 2001 From: Varac Date: Tue, 27 Jun 2017 20:26:04 +0200 Subject: Pin python-cryptography to jessie-backports Needed to satisfy leap-mx dependency (>=17.0) - Resolves: #8837 --- .../site_apt/manifests/preferences/python_cryptography.pp | 12 ++++++++++++ puppet/modules/site_mx/manifests/init.pp | 2 ++ 2 files changed, 14 insertions(+) create mode 100644 puppet/modules/site_apt/manifests/preferences/python_cryptography.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/preferences/python_cryptography.pp b/puppet/modules/site_apt/manifests/preferences/python_cryptography.pp new file mode 100644 index 00000000..d725c1af --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/python_cryptography.pp @@ -0,0 +1,12 @@ +# Pin python-cryptography to jessie-backports in order to +# satisfy leap-mx dependency (>=17.0) +# see https://0xacab.org/leap/platform/issues/8837 +class site_apt::preferences::python_cryptography { + + apt::preferences_snippet { 'python_cryptography': + package => 'python-cryptography python-openssl python-pyasn1 python-setuptools python-pkg-resources python-cffi', + release => "${::lsbdistcodename}-backports", + priority => 999; + } + +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 5876e555..28a01d4a 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -19,4 +19,6 @@ class site_mx { include ::site_check_mk::agent::mx # install twisted from jessie backports include ::site_apt::preferences::twisted + # install python-cryptography from jessie backports + include ::site_apt::preferences::python_cryptography } -- cgit v1.2.3 From a38a421a17b199e2207bc0009cba6869d17d4c21 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Jul 2017 17:56:25 -0700 Subject: Ensure directory has proper owner/group (#8841) --- puppet/modules/site_apache/manifests/common/autorestart.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/manifests/common/autorestart.pp b/puppet/modules/site_apache/manifests/common/autorestart.pp index 0273f272..6d8c4c3a 100644 --- a/puppet/modules/site_apache/manifests/common/autorestart.pp +++ b/puppet/modules/site_apache/manifests/common/autorestart.pp @@ -5,6 +5,8 @@ class site_apache::common::autorestart { file { '/etc/systemd/system/apache2.service.d': ensure => directory, + owner => root, + group => root, mode => '0755', } -- cgit v1.2.3 From f9ff6afebde2fe037fc9a90928501ff1a8d4ccde Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 12 Jul 2017 13:29:06 -0700 Subject: bug: Set .placeholder to fix removal Add a .placeholder file so the directory doesn't get removed by deb-systemd-helper when a package runs a purge in its postrm. This is a work-around and fixes #8841. It probably wont be needed post-jessie. --- .../site_apache/manifests/common/autorestart.pp | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/manifests/common/autorestart.pp b/puppet/modules/site_apache/manifests/common/autorestart.pp index 6d8c4c3a..8b7b590d 100644 --- a/puppet/modules/site_apache/manifests/common/autorestart.pp +++ b/puppet/modules/site_apache/manifests/common/autorestart.pp @@ -3,11 +3,21 @@ # class site_apache::common::autorestart { - file { '/etc/systemd/system/apache2.service.d': - ensure => directory, - owner => root, - group => root, - mode => '0755', + file { + '/etc/systemd/system/apache2.service.d': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755'; + + # Add .placeholder file so directory doesn't get removed by + # deb-systemd-helper in a package removal postrm, see + # issue #8841 for more details. + '/etc/systemd/system/apache2.service.d/.placeholder': + ensure => file, + owner => 'root', + group => 'root', + mode => '0755'; } ::systemd::unit_file { 'apache2.service.d/autorestart.conf': -- cgit v1.2.3 From 804e022221bfb0b5200282e556d75e601271dac5 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 15 Aug 2017 17:35:55 -0700 Subject: Bug: fix hidden service for static hidden service should be activated iff tor is among the active services and tor.hidden_service.active == true --- puppet/modules/site_static/manifests/init.pp | 13 ++++++++++--- puppet/modules/site_static/templates/apache.conf.erb | 2 +- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 8be791e5..96d92f74 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -12,6 +12,11 @@ class site_static { $formats = $static['formats'] $bootstrap = $static['bootstrap_files'] $tor = hiera('tor', false) + if $tor and member($services, 'tor') and $tor['hidden_service']['active'] == true { + $tor_active = true + } else { + $tor_active = false + } file { '/srv/static/': @@ -67,15 +72,17 @@ class site_static { } package { 'zlib1g-dev': - ensure => installed + ensure => installed } } - if $tor { + if $tor_active { $hidden_service = $tor['hidden_service'] $tor_domain = "${hidden_service['address']}.onion" - class { 'site_static::hidden_service': single_hop => $hidden_service['single_hop'] + class { 'site_static::hidden_service': + single_hop => $hidden_service['single_hop'] } + # Currently, we only support a single hidden service address per server. # So if there is more than one domain configured, then we need to make sure # we don't enable the hidden service for every domain. diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index eb21e4c9..75d834e7 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -74,7 +74,7 @@ Require all granted -<%- if @tor && (@always_use_hidden_service || @use_hidden_service) -%> +<%- if @tor_active && (@always_use_hidden_service || @use_hidden_service) -%> ## ## Tor ## -- cgit v1.2.3 From 6482a4ccb3d72773cc6d00d5fa7933fa83c4cafe Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 5 Sep 2017 18:24:31 -0700 Subject: Bug: fix vpn network problem caused by vagrant fact Boolean facts must be escaped with str2bool. This commit includes new tests to catch VPN problems like this in the future. --- puppet/modules/site_config/manifests/params.pp | 3 +-- puppet/modules/site_config/manifests/setup.pp | 2 +- puppet/modules/site_openvpn/manifests/init.pp | 2 +- .../modules/site_openvpn/templates/add_gateway_ips.sh.erb | 14 ++++++++++++-- 4 files changed, 15 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 4627515a..2c9687a3 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -6,8 +6,7 @@ class site_config::params { $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") $environment = hiera('environment', undef) - - if $::vagrant { + if str2bool("$::vagrant") { # Depending on the backend hypervisor networking is setup differently. if $::interfaces =~ /eth1/ { # Virtualbox: Private networking creates a second interface eth1 diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index a96f87a6..bd3097fa 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp @@ -37,7 +37,7 @@ class site_config::setup { # we need to include shorewall::interface{eth0} in setup.pp so # packages can be installed during main puppetrun, even before shorewall # is configured completly - if $::vagrant { + if str2bool("$::vagrant") { include site_config::vagrant } diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index f1ecefb9..ee7d6840 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -68,7 +68,7 @@ class site_openvpn { # find out the netmask in cidr format of the primary IF # thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/ # we can do this using an inline_template: - $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}" + $factname_primary_netmask = "netmask_${::site_config::params::interface}" $primary_netmask = inline_template('<%= scope.lookupvar(@factname_primary_netmask) %>') # deploy dh keys diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb index e76b756b..f2d2bc70 100644 --- a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb +++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb @@ -1,11 +1,21 @@ #!/bin/sh -ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/<%= @primary_netmask %> || +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q "inet <%= @openvpn_gateway_address %>/" || ip addr add <%= @openvpn_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %> +EXITCODE=$? +if [ $EXITCODE != 0 ]; then + exit $EXITCODE +fi + <% if @openvpn_second_gateway_address %> -ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> || +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q "<%= @openvpn_second_gateway_address %>/" || ip addr add <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %> + +EXITCODE=$? +if [ $EXITCODE != 0 ]; then + exit $EXITCODE +fi <% end %> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward -- cgit v1.2.3 From aaf1cbe103d17820feffa09c8dcb6e1fef12e236 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Thu, 27 Jul 2017 09:12:15 +0200 Subject: Bug: remove shared couchdb design docs Soledad is now taking care of the design of said database. Closes #8428 --- .../modules/site_couchdb/files/designs/shared/docs.json | 8 -------- .../site_couchdb/files/designs/shared/syncs.json | 11 ----------- .../site_couchdb/files/designs/shared/transactions.json | 13 ------------- puppet/modules/site_couchdb/manifests/designs.pp | 17 ++++++++--------- 4 files changed, 8 insertions(+), 41 deletions(-) delete mode 100644 puppet/modules/site_couchdb/files/designs/shared/docs.json delete mode 100644 puppet/modules/site_couchdb/files/designs/shared/syncs.json delete mode 100644 puppet/modules/site_couchdb/files/designs/shared/transactions.json (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/files/designs/shared/docs.json b/puppet/modules/site_couchdb/files/designs/shared/docs.json deleted file mode 100644 index 004180cd..00000000 --- a/puppet/modules/site_couchdb/files/designs/shared/docs.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "_id": "_design/docs", - "views": { - "get": { - "map": "function(doc) {\n if (doc.u1db_rev) {\n var is_tombstone = true;\n var has_conflicts = false;\n if (doc._attachments) {\n if (doc._attachments.u1db_content)\n is_tombstone = false;\n if (doc._attachments.u1db_conflicts)\n has_conflicts = true;\n }\n emit(doc._id,\n {\n \"couch_rev\": doc._rev,\n \"u1db_rev\": doc.u1db_rev,\n \"is_tombstone\": is_tombstone,\n \"has_conflicts\": has_conflicts,\n }\n );\n }\n}\n" - } - } -} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/shared/syncs.json b/puppet/modules/site_couchdb/files/designs/shared/syncs.json deleted file mode 100644 index bab5622f..00000000 --- a/puppet/modules/site_couchdb/files/designs/shared/syncs.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "_id": "_design/syncs", - "updates": { - "put": "function(doc, req){\n if (!doc) {\n doc = {}\n doc['_id'] = 'u1db_sync_log';\n doc['syncs'] = [];\n }\n body = JSON.parse(req.body);\n // remove outdated info\n doc['syncs'] = doc['syncs'].filter(\n function (entry) {\n return entry[0] != body['other_replica_uid'];\n }\n );\n // store u1db rev\n doc['syncs'].push([\n body['other_replica_uid'],\n body['other_generation'],\n body['other_transaction_id']\n ]);\n return [doc, 'ok'];\n}\n\n" - }, - "views": { - "log": { - "map": "function(doc) {\n if (doc._id == 'u1db_sync_log') {\n if (doc.syncs)\n doc.syncs.forEach(function (entry) {\n emit(entry[0],\n {\n 'known_generation': entry[1],\n 'known_transaction_id': entry[2]\n });\n });\n }\n}\n" - } - } -} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/shared/transactions.json b/puppet/modules/site_couchdb/files/designs/shared/transactions.json deleted file mode 100644 index 106ad46c..00000000 --- a/puppet/modules/site_couchdb/files/designs/shared/transactions.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "_id": "_design/transactions", - "lists": { - "generation": "function(head, req) {\n var row;\n var rows=[];\n // fetch all rows\n while(row = getRow()) {\n rows.push(row);\n }\n if (rows.length > 0)\n send(JSON.stringify({\n \"generation\": rows.length,\n \"doc_id\": rows[rows.length-1]['id'],\n \"transaction_id\": rows[rows.length-1]['value']\n }));\n else\n send(JSON.stringify({\n \"generation\": 0,\n \"doc_id\": \"\",\n \"transaction_id\": \"\",\n }));\n}\n", - "trans_id_for_gen": "function(head, req) {\n var row;\n var rows=[];\n var i = 1;\n var gen = 1;\n if (req.query.gen)\n gen = parseInt(req.query['gen']);\n // fetch all rows\n while(row = getRow())\n rows.push(row);\n if (gen <= rows.length)\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": rows[gen-1]['id'],\n \"transaction_id\": rows[gen-1]['value'],\n }));\n else\n send('{}');\n}\n", - "whats_changed": "function(head, req) {\n var row;\n var gen = 1;\n var old_gen = 0;\n if (req.query.old_gen)\n old_gen = parseInt(req.query['old_gen']);\n send('{\"transactions\":[\\n');\n // fetch all rows\n while(row = getRow()) {\n if (gen > old_gen) {\n if (gen > old_gen+1)\n send(',\\n');\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": row[\"id\"],\n \"transaction_id\": row[\"value\"]\n }));\n }\n gen++;\n }\n send('\\n]}');\n}\n" - }, - "views": { - "log": { - "map": "function(doc) {\n if (doc.u1db_transactions)\n doc.u1db_transactions.forEach(function(t) {\n emit(t[0], // use timestamp as key so the results are ordered\n t[1]); // value is the transaction_id\n });\n}\n" - } - } -} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp index e5fd94c6..33687999 100644 --- a/puppet/modules/site_couchdb/manifests/designs.pp +++ b/puppet/modules/site_couchdb/manifests/designs.pp @@ -11,6 +11,14 @@ class site_couchdb::designs { mode => '0755' } + #cleanup leftovers from before soledad created its db + file { + '/srv/leap/couchdb/designs/shared/': + ensure => absent, + recurse => true, + force => true, + } + site_couchdb::upload_design { 'customers': design => 'customers/Customer.json'; 'identities': design => 'identities/Identity.json'; @@ -19,15 +27,6 @@ class site_couchdb::designs { 'users': design => 'users/User.json'; 'tmp_users': design => 'users/User.json'; 'invite_codes': design => 'invite_codes/InviteCode.json'; - 'shared_docs': - db => 'shared', - design => 'shared/docs.json'; - 'shared_syncs': - db => 'shared', - design => 'shared/syncs.json'; - 'shared_transactions': - db => 'shared', - design => 'shared/transactions.json'; } $sessions_db = rotated_db_name('sessions', 'monthly') -- cgit v1.2.3 From 0a4a99a0b289402cf527702b91b287e9c6a3cc7c Mon Sep 17 00:00:00 2001 From: Varac Date: Thu, 28 Sep 2017 14:45:39 +0200 Subject: Lint: site_config/manifests/setup.pp --- puppet/modules/site_config/manifests/setup.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index bd3097fa..ce0f91d4 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp @@ -37,7 +37,7 @@ class site_config::setup { # we need to include shorewall::interface{eth0} in setup.pp so # packages can be installed during main puppetrun, even before shorewall # is configured completly - if str2bool("$::vagrant") { + if str2bool($::vagrant) { include site_config::vagrant } -- cgit v1.2.3 From 258a7ecfa9e6ac3d32ad5280e856265c5b463bd7 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Tue, 26 Sep 2017 10:54:27 +0200 Subject: Bug: jessie apt keys must be in /etc/apt/trusted.gpg.d MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For newer than jessie the 'old' code was enough. This bug didn't show up because our testing images had the keys and sources lines already included within /etc/apt… solves #8862 --- puppet/modules/site_apt/manifests/leap_repo.pp | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 7c6c49c5..08c3d0e6 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -4,10 +4,21 @@ class site_apt::leap_repo { $platform = hiera_hash('platform') $major_version = $platform['major_version'] - if $::site_apt::apt_url_platform_basic =~ /.*experimental.*/ { - $archive_key = '/usr/share/keyrings/leap-experimental-archive.gpg' - } else { - $archive_key = '/usr/share/keyrings/leap-archive.gpg' + # on jessie, keys need to be in /etc/apt/... + # see https://0xacab.org/leap/platform/issues/8862 + if ( $::operatingsystemmajrelease == '8' ) { + if $::site_apt::apt_url_platform_basic =~ /.*experimental.*/ { + $archive_key = 'CE433F407BAB443AFEA196C1837C1AD5367429D9' + } else { + $archive_key = '1E453B2CE87BEE2F7DFE99661E34A1828E207901' + } + } + if ( $::operatingsystemmajrelease != '8' ) { + if $::site_apt::apt_url_platform_basic =~ /.*experimental.*/ { + $archive_key = '/usr/share/keyrings/leap-experimental-archive.gpg' + } else { + $archive_key = '/usr/share/keyrings/leap-archive.gpg' + } } apt::sources_list { 'leap.list': -- cgit v1.2.3 From aac73fbe01660f5a231ab891c967c16b635fc78d Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Tue, 3 Oct 2017 22:52:25 +0200 Subject: Bug: jessie apt keys stable/experimental/staging The apt sources lines for people using more experimental software was wrong, we abolished the 'experimental' repository some time ago and develoment happens now in the master branch. solves #8862, #8876 --- puppet/modules/site_apt/manifests/leap_repo.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 08c3d0e6..8b688cfb 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -7,14 +7,14 @@ class site_apt::leap_repo { # on jessie, keys need to be in /etc/apt/... # see https://0xacab.org/leap/platform/issues/8862 if ( $::operatingsystemmajrelease == '8' ) { - if $::site_apt::apt_url_platform_basic =~ /.*experimental.*/ { + if $::site_apt::apt_platform_component =~ /.*(staging|master).*/ { $archive_key = 'CE433F407BAB443AFEA196C1837C1AD5367429D9' } else { $archive_key = '1E453B2CE87BEE2F7DFE99661E34A1828E207901' } } if ( $::operatingsystemmajrelease != '8' ) { - if $::site_apt::apt_url_platform_basic =~ /.*experimental.*/ { + if $::site_apt::apt_platform_component =~ /.*(staging|master).*/ { $archive_key = '/usr/share/keyrings/leap-experimental-archive.gpg' } else { $archive_key = '/usr/share/keyrings/leap-archive.gpg' -- cgit v1.2.3 From 96f8af37b4a3bbd9a15651e27f588073c0601299 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 19 Sep 2017 11:54:27 -0700 Subject: Feat: split tor service into three The 'tor' service is now three separate services, 'tor_exit', 'tor_relay', or 'hidden_service'. --- .../site_apache/templates/vhosts.d/hidden_service.conf.erb | 2 +- puppet/modules/site_static/manifests/hidden_service.pp | 2 +- puppet/modules/site_static/manifests/init.pp | 10 +++++----- puppet/modules/site_static/templates/apache.conf.erb | 12 ++++++------ puppet/modules/site_webapp/manifests/hidden_service.pp | 4 ++-- puppet/modules/site_webapp/manifests/init.pp | 6 ++---- 6 files changed, 17 insertions(+), 19 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 1d19094e..ddf69a42 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -1,5 +1,5 @@ - ServerName <%= @tor_domain %> + ServerName <%= @onion_domain %> Header always unset X-Powered-By diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp index 31cf328e..dcf3785e 100644 --- a/puppet/modules/site_static/manifests/hidden_service.pp +++ b/puppet/modules/site_static/manifests/hidden_service.pp @@ -23,7 +23,7 @@ class site_static::hidden_service ( $single_hop = false ) { '/var/lib/tor/static/hostname': ensure => present, - content => "${::site_static::tor_domain}\n", + content => "${::site_static::onion_domain}\n", owner => 'debian-tor', group => 'debian-tor', mode => '0600', diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 96d92f74..4ddce5ed 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -12,10 +12,10 @@ class site_static { $formats = $static['formats'] $bootstrap = $static['bootstrap_files'] $tor = hiera('tor', false) - if $tor and member($services, 'tor') and $tor['hidden_service']['active'] == true { - $tor_active = true + if $tor and member($services, 'hidden_service') { + $onion_active = true } else { - $tor_active = false + $onion_active = false } file { @@ -76,9 +76,9 @@ class site_static { } } - if $tor_active { + if $onion_active { $hidden_service = $tor['hidden_service'] - $tor_domain = "${hidden_service['address']}.onion" + $onion_domain = "${hidden_service['address']}.onion" class { 'site_static::hidden_service': single_hop => $hidden_service['single_hop'] } diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 75d834e7..716df437 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -74,14 +74,14 @@ Require all granted -<%- if @tor_active && (@always_use_hidden_service || @use_hidden_service) -%> +<%- if @onion_active && (@always_use_hidden_service || @use_hidden_service) -%> ## -## Tor +## Hidden Service ## - ServerName <%= @tor_domain %> + ServerName <%= @onion_domain %> <%- if @www_alias -%> - ServerAlias www.<%= @tor_domain %> + ServerAlias www.<%= @onion_domain %> <%- end -%> @@ -105,7 +105,7 @@ ServerName <%= @domain %> <%- if @www_alias -%> - ServerAlias www.<%= @tor_domain %> + ServerAlias www.<%= @domain %> <%- end -%> <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> @@ -127,7 +127,7 @@ ServerName <%= @domain %> <%- if @www_alias -%> - ServerAlias www.<%= @tor_domain %> + ServerAlias www.<%= @domain %> <%- end -%> <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 3f3f1d0c..658d62f9 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -2,7 +2,7 @@ class site_webapp::hidden_service { $tor = hiera('tor') $hidden_service = $tor['hidden_service'] - $tor_domain = "${hidden_service['address']}.onion" + $onion_domain = "${hidden_service['address']}.onion" include site_apache::common include apache::module::headers @@ -33,7 +33,7 @@ class site_webapp::hidden_service { '/var/lib/tor/webapp/hostname': ensure => present, - content => "${tor_domain}\n", + content => "${onion_domain}\n", owner => 'debian-tor', group => 'debian-tor', mode => '0600', diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index deb8e8c8..968859bf 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -177,11 +177,9 @@ class site_webapp { notify => Service['apache']; } - if $tor { + if $tor and member($services, 'hidden_service') { $hidden_service = $tor['hidden_service'] - if $hidden_service['active'] { - include ::site_webapp::hidden_service - } + include ::site_webapp::hidden_service } -- cgit v1.2.3 From fdb58381afa317ab9639dffa59f4155395b68718 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 14 Sep 2017 10:33:41 -0400 Subject: Bug: Ensure tor exit is disabled properly Simply disabling exit policies is not enough to disable an exit node, it also needs to be explicitly disabled. This may change in future versions of tor, but for now, explicitly adding 'ExitRelay 0' to the configuration is needed. This fixes #8863. --- puppet/modules/site_tor/manifests/disable_exit.pp | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp index 078f80ae..85c24bfc 100644 --- a/puppet/modules/site_tor/manifests/disable_exit.pp +++ b/puppet/modules/site_tor/manifests/disable_exit.pp @@ -1,7 +1,13 @@ +# ensure that the tor relay is not configured as an exit node class site_tor::disable_exit { tor::daemon::exit_policy { 'no_exit_at_all': reject => [ '*:*' ]; } +# In a future version of Tor, ExitRelay 0 may become the default when no ExitPolicy is given. + tor::daemon::snippet { + 'disable_exit': + content => 'ExitRelay 0'; + } } -- cgit v1.2.3 From 5b10def43d134e5735bfcec1237c04cf66e8610b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Sep 2017 15:36:06 -0400 Subject: Feat: Refactor tor services In order to refactor the tor services, we need to split them out into three different services. This adds the hidden service class that is necessary to support the previous commits. Fixes #8864. --- puppet/modules/site_static/manifests/hidden_service.pp | 6 ++++-- puppet/modules/site_static/manifests/init.pp | 13 +++++++------ puppet/modules/site_tor/manifests/hidden_service.pp | 13 +++++++++++++ puppet/modules/site_webapp/manifests/hidden_service.pp | 3 ++- puppet/modules/site_webapp/manifests/init.pp | 3 ++- 5 files changed, 28 insertions(+), 10 deletions(-) create mode 100644 puppet/modules/site_tor/manifests/hidden_service.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp index dcf3785e..f23727f7 100644 --- a/puppet/modules/site_static/manifests/hidden_service.pp +++ b/puppet/modules/site_static/manifests/hidden_service.pp @@ -1,13 +1,15 @@ # create hidden service for static sites class site_static::hidden_service ( $single_hop = false ) { + Class['site_tor::hidden_service'] -> Class['site_static::hidden_service'] + include site_tor::hidden_service - include site_tor tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'], single_hop => $single_hop } + file { - '/var/lib/tor/webapp/': + '/var/lib/tor/static/': ensure => directory, owner => 'debian-tor', group => 'debian-tor', diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 4ddce5ed..40c6a28b 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -7,12 +7,13 @@ class site_static { include site_config::x509::key include site_config::x509::ca_bundle - $static = hiera('static') - $domains = $static['domains'] - $formats = $static['formats'] - $bootstrap = $static['bootstrap_files'] - $tor = hiera('tor', false) - if $tor and member($services, 'hidden_service') { + $services = hiera('services', []) + $static = hiera('static') + $domains = $static['domains'] + $formats = $static['formats'] + $bootstrap = $static['bootstrap_files'] + $tor = hiera('tor', false) + if $tor and member($services, 'tor_hidden_service') { $onion_active = true } else { $onion_active = false diff --git a/puppet/modules/site_tor/manifests/hidden_service.pp b/puppet/modules/site_tor/manifests/hidden_service.pp new file mode 100644 index 00000000..87a7b696 --- /dev/null +++ b/puppet/modules/site_tor/manifests/hidden_service.pp @@ -0,0 +1,13 @@ +# This class simply makes sure a base tor is installed and configured +# It doesn't configure any specific hidden service functionality, +# instead that is configured in site_webapp::hidden_service and +# site_static::hidden_service. +# +# Those could be factored out to make them more generic. +class site_tor::hidden_service { + tag 'leap_service' + Class['site_config::default'] -> Class['site_tor::hidden_service'] + + include site_config::default + include site_tor +} diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 658d62f9..1f87da6b 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -1,5 +1,7 @@ # Configure tor hidden service for webapp class site_webapp::hidden_service { + Class['site_tor::hidden_service'] -> Class['site_webapp::hidden_service'] + include site_tor::hidden_service $tor = hiera('tor') $hidden_service = $tor['hidden_service'] $onion_domain = "${hidden_service['address']}.onion" @@ -10,7 +12,6 @@ class site_webapp::hidden_service { include apache::module::expires include apache::module::removeip - include site_tor tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'], single_hop => $hidden_service['single_hop'] diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 968859bf..605d71b3 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -1,6 +1,7 @@ # configure webapp service class site_webapp { tag 'leap_service' + $services = hiera('services', []) $definition_files = hiera('definition_files') $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] @@ -177,7 +178,7 @@ class site_webapp { notify => Service['apache']; } - if $tor and member($services, 'hidden_service') { + if $tor and member($services, 'tor_hidden_service') { $hidden_service = $tor['hidden_service'] include ::site_webapp::hidden_service } -- cgit v1.2.3 From ccfe0c38e532cf68d5485a6e4656b80100f1c1b9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 6 Oct 2017 16:01:37 -0400 Subject: Bug: Remove unused class 0255d8a42fc2c37cfaa660a43936ae546b6178ef removed this class, but it still was being referenced. Since it is not needed, we can just remove the reference. Fixes: #8878 --- puppet/modules/site_static/manifests/init.pp | 2 -- 1 file changed, 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 40c6a28b..1a92c29e 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -60,10 +60,8 @@ class site_static { include site_config::ruby::dev if (member($formats, 'rack')) { - include site_apt::preferences::passenger class { 'passenger': manage_munin => false, - require => Class['site_apt::preferences::passenger'] } } -- cgit v1.2.3 From 414e36cf11364a9e581eb260b3267078b6cdda44 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 7 Oct 2017 13:50:55 -0400 Subject: feat: add v3 tor hidden service support Resolves: #8879 --- puppet/modules/site_static/manifests/hidden_service.pp | 5 +++-- puppet/modules/site_static/manifests/init.pp | 5 ++--- puppet/modules/site_webapp/manifests/hidden_service.pp | 3 ++- 3 files changed, 7 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp index f23727f7..c5d12c34 100644 --- a/puppet/modules/site_static/manifests/hidden_service.pp +++ b/puppet/modules/site_static/manifests/hidden_service.pp @@ -1,11 +1,12 @@ # create hidden service for static sites -class site_static::hidden_service ( $single_hop = false ) { +class site_static::hidden_service ( $single_hop = false, $v3 = false ) { Class['site_tor::hidden_service'] -> Class['site_static::hidden_service'] include site_tor::hidden_service tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'], - single_hop => $single_hop + single_hop => $single_hop, + v3 => $v3 } file { diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 40c6a28b..fdc5782f 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -60,10 +60,8 @@ class site_static { include site_config::ruby::dev if (member($formats, 'rack')) { - include site_apt::preferences::passenger class { 'passenger': manage_munin => false, - require => Class['site_apt::preferences::passenger'] } } @@ -81,7 +79,8 @@ class site_static { $hidden_service = $tor['hidden_service'] $onion_domain = "${hidden_service['address']}.onion" class { 'site_static::hidden_service': - single_hop => $hidden_service['single_hop'] + single_hop => $hidden_service['single_hop'], + v3 => $hidden_service['v3'] } # Currently, we only support a single hidden service address per server. diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 1f87da6b..290f9665 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -14,7 +14,8 @@ class site_webapp::hidden_service { tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'], - single_hop => $hidden_service['single_hop'] + single_hop => $hidden_service['single_hop'], + v3 => $hidden_service['v3'] } file { -- cgit v1.2.3 From 3478b7b46087971f4396de3ea370741694963ca9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 7 Oct 2017 14:04:02 -0400 Subject: git subrepo pull puppet/modules/tor subrepo: subdir: "puppet/modules/tor" merged: "4380e2ea" upstream: origin: "https://leap.se/git/puppet_tor" branch: "master" commit: "4380e2ea" git-subrepo: version: "0.3.1" origin: "https://github.com/ingydotnet/git-subrepo" commit: "a7ee886" --- puppet/modules/tor/.gitrepo | 6 +++--- puppet/modules/tor/manifests/daemon/hidden_service.pp | 1 + puppet/modules/tor/templates/torrc.directory.erb | 2 +- puppet/modules/tor/templates/torrc.hidden_service.erb | 8 ++++++++ 4 files changed, 13 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/tor/.gitrepo b/puppet/modules/tor/.gitrepo index 5e3e3c1f..ea3c1495 100644 --- a/puppet/modules/tor/.gitrepo +++ b/puppet/modules/tor/.gitrepo @@ -6,6 +6,6 @@ [subrepo] remote = https://leap.se/git/puppet_tor branch = master - commit = 5ef29012dccc90e68afc215be9521629a0903bc6 - parent = 747d3e9b55c8b7b7d98a63474b6de82d7114c389 - cmdver = 0.4.0 + commit = 4380e2eabd94d8f0df7f63c642dd46ec4783ef07 + parent = be4182d7227d57b4da20d088b4750c756f759888 + cmdver = 0.3.1 diff --git a/puppet/modules/tor/manifests/daemon/hidden_service.pp b/puppet/modules/tor/manifests/daemon/hidden_service.pp index 07121bd6..d91bdc89 100644 --- a/puppet/modules/tor/manifests/daemon/hidden_service.pp +++ b/puppet/modules/tor/manifests/daemon/hidden_service.pp @@ -2,6 +2,7 @@ define tor::daemon::hidden_service( $ports = [], $single_hop = false, + $v3 = false, $data_dir = $tor::daemon::data_dir, $ensure = present ) { diff --git a/puppet/modules/tor/templates/torrc.directory.erb b/puppet/modules/tor/templates/torrc.directory.erb index c7dc4ab5..23ed3392 100644 --- a/puppet/modules/tor/templates/torrc.directory.erb +++ b/puppet/modules/tor/templates/torrc.directory.erb @@ -2,7 +2,7 @@ <% if @port != '0' -%> DirPort <%= @port %> <% end -%> -<% listen_addresses.each do |listen_address| -%> +<% @listen_addresses.each do |listen_address| -%> DirListenAddress <%= listen_address %> <% end -%> <% if @port_front_page != '' -%> diff --git a/puppet/modules/tor/templates/torrc.hidden_service.erb b/puppet/modules/tor/templates/torrc.hidden_service.erb index 5b6afe1c..8a691c6b 100644 --- a/puppet/modules/tor/templates/torrc.hidden_service.erb +++ b/puppet/modules/tor/templates/torrc.hidden_service.erb @@ -10,3 +10,11 @@ HiddenServiceDir <%= @data_dir %>/<%= @name %> HiddenServicePort <%= port %> <% end -%> +<% if @v3 != false %> +# hidden service v3 static +HiddenServiceDir <%= @data_dir %>/<%= @name -%>3 +HiddenServiceVersion 3 +<% @ports.each do |port| -%> +HiddenServicePort <%= port %> +<% end -%> +<% end -%> -- cgit v1.2.3 From a96fefa7cf9f9583adf5c152c19f53c8bdeca167 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 17 Oct 2017 14:08:31 +0200 Subject: webapp: update design docs for sorted invite codes webapp#8806 needs couch design docs that allow invite codes to be sorted by date. This updated needs to be deployed in sync with the new webapp version. --- .../files/designs/identities/Identity.json | 8 ++-- .../files/designs/invite_codes/InviteCode.json | 44 ++++++++++++---------- .../files/designs/messages/Message.json | 8 ++-- .../site_couchdb/files/designs/tickets/Ticket.json | 16 ++++---- 4 files changed, 40 insertions(+), 36 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/files/designs/identities/Identity.json b/puppet/modules/site_couchdb/files/designs/identities/Identity.json index b1c567c1..c099ae4a 100644 --- a/puppet/modules/site_couchdb/files/designs/identities/Identity.json +++ b/puppet/modules/site_couchdb/files/designs/identities/Identity.json @@ -9,14 +9,14 @@ "all": { "map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n" }, - "cert_fingerprints_by_expiry": { - "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.cert_fingerprints === \"object\") {\n for (fp in doc.cert_fingerprints) {\n if (doc.cert_fingerprints.hasOwnProperty(fp)) {\n emit(doc.cert_fingerprints[fp], fp);\n }\n }\n }\n}\n" + "disabled": { + "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n}\n" }, "cert_expiry_by_fingerprint": { "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.cert_fingerprints === \"object\") {\n for (fp in doc.cert_fingerprints) {\n if (doc.cert_fingerprints.hasOwnProperty(fp)) {\n emit(fp, doc.cert_fingerprints[fp]);\n }\n }\n }\n}\n" }, - "disabled": { - "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n}\n" + "cert_fingerprints_by_expiry": { + "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.cert_fingerprints === \"object\") {\n for (fp in doc.cert_fingerprints) {\n if (doc.cert_fingerprints.hasOwnProperty(fp)) {\n emit(doc.cert_fingerprints[fp], fp);\n }\n }\n }\n}\n" }, "pgp_key_by_email": { "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.keys === \"object\") {\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n}\n" diff --git a/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json b/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json index 006c1ea1..d6e1e9d5 100644 --- a/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json +++ b/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json @@ -1,22 +1,26 @@ { - "_id": "_design/InviteCode", - "language": "javascript", - "views": { - "by__id": { - "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['_id'] != null)) {\n emit(doc['_id'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_invite_code": { - "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_code'] != null)) {\n emit(doc['invite_code'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_invite_count": { - "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_count'] != null)) {\n emit(doc['invite_count'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'InviteCode') {\n emit(doc._id, null);\n }\n }\n" - } - }, - "couchrest-hash": "83fb8f504520b4a9c7ddbb7928cd0ce3" + "_id": "_design/InviteCode", + "language": "javascript", + "views": { + "by_invite_code": { + "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_code'] != null)) {\n emit(doc['invite_code'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_invite_count": { + "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_count'] != null)) {\n emit(doc['invite_count'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_updated_at": { + "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['updated_at'] != null)) {\n emit(doc['updated_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'InviteCode') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "2d1883c83164a0be127c3a569d9c1902" } \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/messages/Message.json b/puppet/modules/site_couchdb/files/designs/messages/Message.json index 6a48fc4d..2cb031c6 100644 --- a/puppet/modules/site_couchdb/files/designs/messages/Message.json +++ b/puppet/modules/site_couchdb/files/designs/messages/Message.json @@ -2,14 +2,14 @@ "_id": "_design/Message", "language": "javascript", "views": { - "by_user_ids_to_show": { - "map": "function (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit(userId, 1);\n });\n }\n}\n", - "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" - }, "by_user_ids_to_show_and_created_at": { "map": "// not using at moment\n// call with something like Message.by_user_ids_to_show_and_created_at.startkey([user_id, start_date]).endkey([user_id,end_date])\nfunction (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit([userId, doc.created_at], 1);\n });\n }\n}\n", "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" }, + "by_user_ids_to_show": { + "map": "function (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit(userId, 1);\n });\n }\n}\n", + "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" + }, "all": { "map": " function(doc) {\n if (doc['type'] == 'Message') {\n emit(doc._id, null);\n }\n }\n" } diff --git a/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json b/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json index 578f632b..7ec24634 100644 --- a/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json +++ b/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json @@ -22,8 +22,12 @@ "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['updated_at'] != null)) {\n emit([doc['is_open'], doc['updated_at']], 1);\n }\n }\n", "reduce": "_sum" }, - "by_includes_post_by_and_is_open_and_created_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.created_at], 1);\n }\n });\n }\n}\n", + "by_includes_post_by_and_updated_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n", + "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" + }, + "by_includes_post_by_and_created_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.created_at], 1);\n }\n });\n }\n}\n", "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" }, "by_includes_post_by": { @@ -34,12 +38,8 @@ "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.updated_at], 1);\n }\n });\n }\n}\n", "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" }, - "by_includes_post_by_and_created_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.created_at], 1);\n }\n });\n }\n}\n", - "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" - }, - "by_includes_post_by_and_updated_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n", + "by_includes_post_by_and_is_open_and_created_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.created_at], 1);\n }\n });\n }\n}\n", "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" }, "all": { -- cgit v1.2.3 From 71d10f85c5c9cc75dfb3f032a09877102833f739 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 31 Oct 2017 12:16:29 -0400 Subject: Bug: fix repository layout Fix the order of the leap repository so it matches the correct repository layout. Fixes #8888. --- puppet/modules/site_apt/manifests/leap_repo.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 8b688cfb..1e18b441 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -22,7 +22,7 @@ class site_apt::leap_repo { } apt::sources_list { 'leap.list': - content => "deb [signed-by=${archive_key}] ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_codename} ${::site_apt::apt_platform_component}\n", + content => "deb [signed-by=${archive_key}] ${::site_apt::apt_url_platform_basic} ${::site_apt::apt_platform_component} ${::site_apt::apt_platform_codename}\n", before => Exec[refresh_apt] } -- cgit v1.2.3 From 57faf66d7b82cc1ce67cf2e39ba7293c5a9d4bfa Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 8 Nov 2017 09:13:46 +0100 Subject: webapp: alert on 409 responses They might be meaningful response codes for some scenarios. But so far we are not conciously sending them out. If they occur that is because we handed them down from couch. So we might want to fix the underlying issue. Couch 409s should be caught by the webapp and handled there. --- puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg index 337d9ec6..a5375cc8 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg @@ -1,6 +1,10 @@ /var/log/leap/webapp.log # check for webapp errors C Completed 500 +# also alert conflicts. They might be meaningful response codes +# but so far we were just handing them on from couch and they +# indicated some actual problem. + C Completed 409 # couch connection issues C webapp.*Could not connect to couch database messages due to 401 Unauthorized: {"error":"unauthorized","reason":"You are not a server admin."} # ignore RoutingErrors that rails throw when it can't handle a url -- cgit v1.2.3 From b584e92a6b654eee9427cd56d7317aa0125c92a4 Mon Sep 17 00:00:00 2001 From: Varac Date: Fri, 17 Nov 2017 16:10:18 +0100 Subject: Bug: Fix unattended-upgrades for LEAP debs Resolves: #8891 --- puppet/modules/site_apt/templates/51unattended-upgrades-leap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/templates/51unattended-upgrades-leap b/puppet/modules/site_apt/templates/51unattended-upgrades-leap index 3e28531f..2a3494ef 100644 --- a/puppet/modules/site_apt/templates/51unattended-upgrades-leap +++ b/puppet/modules/site_apt/templates/51unattended-upgrades-leap @@ -1,5 +1,5 @@ // this file is managed by puppet ! Unattended-Upgrade::Origins-Pattern { - "site=deb.leap.se,component=<%= @apt_platform_component %>"; + "site=deb.leap.se,codename=<%= @apt_platform_component %>"; } -- cgit v1.2.3