From 2a3b4ec1bc522409d4dc8d2e7750344de41acb50 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 17 Jun 2014 14:48:50 -0700 Subject: allow webapp.json to configure what engines are enabled --- puppet/modules/site_webapp/manifests/init.pp | 4 ++-- puppet/modules/site_webapp/templates/config.yml.erb | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index d6f1d7ae..08618457 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -52,8 +52,8 @@ class site_webapp { exec { 'bundler_update': cwd => '/srv/leap/webapp', - command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"', - unless => '/usr/bin/bundle check', + command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development"', + unless => '/usr/bin/bundle check --path vendor/bundle', user => 'leap-webapp', timeout => 600, require => [ diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 6461c5e8..8faf76f4 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -18,3 +18,9 @@ production: minimum_client_version: "<%= @webapp['client_version']['min'] %>" default_service_level: "<%= @webapp['default_service_level'] %>" service_levels: <%= @webapp['service_levels'].to_json %> +<%- if @webapp['engines'] && @webapp['engines'].any? -%> + engines: +<%- @webapp['engines'].each do |engine| -%> + - <%= engine %> +<%- end -%> +<%- end -%> \ No newline at end of file -- cgit v1.2.3 From 324dce6b8c6a911701fd4a4a7b383f22cc810c9a Mon Sep 17 00:00:00 2001 
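Review bot: The new `engines:` list in config.yml.erb writes each value with `- <%= engine %>`, unquoted, so an engine name carrying YAML-significant characters (a colon, `#`, a leading `[` or `{`) or a non-string entry changes the document's structure instead of producing a string item. The same template already serializes `service_levels` through `.to_json`, and a JSON string is a valid YAML scalar, so `- <%= engine.to_json %>` keeps the two fields consistent and makes the list robust to whatever webapp.json contains. The values are operator-supplied, so this is a robustness point rather than an injection concern. The hunk also leaves the rendered template without a final newline (`\ No newline at end of file`); a newline after the closing `<%- end -%>` keeps the generated YAML tidy.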
From: Azul Date: Thu, 19 Jun 2014 12:11:14 +0200 Subject: split bigcouch stunnel from plain couch stunnel --- .../site_couchdb/manifests/bigcouch/stunnel.pp | 89 ++++++++++++++++++++++ puppet/modules/site_couchdb/manifests/stunnel.pp | 81 ++------------------ 2 files changed, 95 insertions(+), 75 deletions(-) create mode 100644 puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp b/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp new file mode 100644 index 00000000..5166ba93 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp 
@@ -0,0 +1,89 @@ +class site_couchdb::bigcouch::stunnel { + + $stunnel = hiera('stunnel') + + include site_config::x509::cert + include site_config::x509::key + include site_config::x509::ca + + include x509::variables + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" + + + # Erlang Port Mapper Daemon (epmd) stunnel server/clients + $epmd_server = $stunnel['epmd_server'] + $epmd_server_accept = $epmd_server['accept'] + $epmd_server_connect = $epmd_server['connect'] + $epmd_clients = $stunnel['epmd_clients'] + + # Erlang Distributed Node Protocol (ednp) stunnel server/clients + $ednp_server = $stunnel['ednp_server'] + $ednp_server_accept = $ednp_server['accept'] + $ednp_server_connect = $ednp_server['connect'] + $ednp_clients = $stunnel['ednp_clients'] + + + # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for + # bigcouch clustering between each bigcouchdb node + stunnel::service { 'epmd_server': + accept => $epmd_server_accept, + connect => $epmd_server_connect, + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/epmd_server.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4', + require => [ + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ]; + } + + # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect + # to the above epmd stunnel server. 
+ $epmd_client_defaults = { + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults) + + # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary + # for bigcouch clustering between each bigcouchdb node + stunnel::service { 'ednp_server': + accept => $ednp_server_accept, + connect => $ednp_server_connect, + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/ednp_server.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4', + require => [ + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ]; + } + + # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect + # to the above ednp stunnel server. + $ednp_client_defaults = { + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults) + + include site_check_mk::agent::stunnel +} diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 91f1e3aa..484a0c00 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
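Review bot: The `epmd_server` and `ednp_server` declarations in site_couchdb::bigcouch::stunnel are identical except for title, accept/connect values and pid path, the two `*_client_defaults` hashes are the same literal written twice, and the x509 path setup is a copy of what site_couchdb::stunnel computes. A small define taking the name, accept and connect values (or one hash fed to `create_resources`) would leave a single place to maintain the TLS settings. It is worth stating in the header comment that with `client => false` and `verify => '2'` stunnel requires every peer to present a certificate issued under `$ca_path`, which is what keeps the EPMD and distribution ports closed to anything but other cluster nodes; that is the property a later edit to these blocks must not lose.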
@@ -1,29 +1,21 @@ class site_couchdb::stunnel { $stunnel = hiera('stunnel') + $couchdb_config = hiera('couch') + $couchdb_bigcouch = $couchdb_config['mode'] == "multimaster" $couch_server = $stunnel['couch_server'] $couch_server_accept = $couch_server['accept'] $couch_server_connect = $couch_server['connect'] - # Erlang Port Mapper Daemon (epmd) stunnel server/clients - $epmd_server = $stunnel['epmd_server'] - $epmd_server_accept = $epmd_server['accept'] - $epmd_server_connect = $epmd_server['connect'] - $epmd_clients = $stunnel['epmd_clients'] - - # Erlang Distributed Node Protocol (ednp) stunnel server/clients - $ednp_server = $stunnel['ednp_server'] - $ednp_server_accept = $ednp_server['accept'] - $ednp_server_connect = $ednp_server['connect'] - $ednp_clients = $stunnel['ednp_clients'] - - - include site_config::x509::cert include site_config::x509::key include site_config::x509::ca + if $couchdb_bigcouch { + include site_couchdb::bigcouch::stunnel + } + include x509::variables $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" 
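Review bot: `$couchdb_config = hiera('couch')` and `$couchdb_bigcouch = $couchdb_config['mode'] == "multimaster"` re-derive a value that site_couchdb already holds; site_couchdb::stunnel is included from site_couchdb (the chain `-> Class['site_couchdb::stunnel']` is visible in a later hunk), so this class could read `$::site_couchdb::couchdb_config['mode']` instead of doing a second hiera lookup and repeating the string comparison. Keeping the mode test in one place avoids the two drifting apart when the mode vocabulary changes, as happens later in this series when `mirror` is added. The class body continues outside this hunk.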
@@ -47,66 +39,5 @@ class site_couchdb::stunnel { Class['Site_config::X509::Ca'] ]; } - - # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for - # bigcouch clustering between each bigcouchdb node - stunnel::service { 'epmd_server': - accept => $epmd_server_accept, - connect => $epmd_server_connect, - client => false, - cafile => $ca_path, - key => $key_path, - cert => $cert_path, - verify => '2', - pid => '/var/run/stunnel4/epmd_server.pid', - rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4', - require => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; - } - - # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect - # to the above epmd stunnel server. - $epmd_client_defaults = { - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - } - - create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults) - - # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary - # for bigcouch clustering between each bigcouchdb node - stunnel::service { 'ednp_server': - accept => $ednp_server_accept, - connect => $ednp_server_connect, - client => false, - cafile => $ca_path, - key => $key_path, - cert => $cert_path, - verify => '2', - pid => '/var/run/stunnel4/ednp_server.pid', - rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4', - require => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; - } - - # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect - # to the above ednp stunnel server. - $ednp_client_defaults = { - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - } - - create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults) - include site_check_mk::agent::stunnel } -- cgit v1.2.3 From d2f59e4cfab5b9fd164d24416b241b14ecfd9307 Mon Sep 17 00:00:00 2001 
From: Azul
Date: Thu, 19 Jun 2014 12:29:30 +0200
Subject: separate bigcouch specifics from init.pp

---
 puppet/modules/site_couchdb/manifests/bigcouch.pp | 20 ++++++++++++++++++++
 puppet/modules/site_couchdb/manifests/init.pp | 21 ++++-----------------
 2 files changed, 24 insertions(+), 17 deletions(-)
 create mode 100644 puppet/modules/site_couchdb/manifests/bigcouch.pp
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp
new file mode 100644
index 00000000..a3f6db2c
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp
@@ -0,0 +1,20 @@
+class site_couchdb::bigcouch {
+
+ $bigcouch_config = $couchdb_config['bigcouch']
+ $bigcouch_cookie = $bigcouch_config['cookie']
+
+ $ednp_port = $bigcouch_config['ednp_port']
+
+ Class['site_config::default']
+ -> Class['site_couchdb::bigcouch::add_nodes']
+ -> Class['site_couchdb::bigcouch::settle_cluster']
+
+ include site_couchdb::bigcouch::add_nodes
+ include site_couchdb::bigcouch::settle_cluster
+ include site_couchdb::bigcouch::compaction
+ include site_shorewall::couchdb::bigcouch
+
+ file { '/var/log/bigcouch':
+ ensure => directory
+ }
+}
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 3614661d..22d6ef45 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -35,14 +35,10 @@ class site_couchdb {
 $couchdb_webapp_salt = $couchdb_webapp['salt']
 $couchdb_backup = $couchdb_config['backup']
 
-
- $bigcouch_config = $couchdb_config['bigcouch']
- $bigcouch_cookie = $bigcouch_config['cookie']
-
- $ednp_port = $bigcouch_config['ednp_port']
+ $couchdb_bigcouch = $couchdb_config['mode'] == "multimaster"
 
 class { 'couchdb':
- bigcouch => true,
+ bigcouch => $couchdb_bigcouch,
 admin_pw => $couchdb_admin_pw,
 admin_salt => $couchdb_admin_salt,
 bigcouch_cookie => $bigcouch_cookie,
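Review bot: `$bigcouch_config = $couchdb_config['bigcouch']` reads `$couchdb_config`, which is assigned in class site_couchdb (its `$couchdb_backup = $couchdb_config['backup']` line is context in the next hunk), not in site_couchdb::bigcouch; unless these manifests still rely on pre-3.x dynamic scoping, that reference resolves to undef and the cookie, ednp port and neighbours come out empty. The lookup should be fully qualified, `$bigcouch_config = $::site_couchdb::couchdb_config['bigcouch']`. The ordering declared here only places add_nodes after site_config::default, whereas the chain being removed from init.pp ran it after Service['couchdb'] and File['/root/.netrc'] and before create_dbs; if that ordering still matters it needs restating in this class.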
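Review bot: The context line `bigcouch_cookie => $bigcouch_cookie,` in the `class { 'couchdb': ... }` declaration still refers to `$bigcouch_cookie`, but this hunk removes that assignment from site_couchdb and moves it into site_couchdb::bigcouch, so the couchdb class is now handed undef for the cookie. The Erlang cookie is what authenticates cluster nodes to each other, so whatever the couchdb module substitutes by default is likely a weaker secret than the one in hiera. Either keep `$bigcouch_cookie = $couchdb_config['bigcouch']['cookie']` here, or pass `bigcouch_cookie => $::site_couchdb::bigcouch::bigcouch_cookie` and make sure site_couchdb::bigcouch is evaluated before this declaration. The class declaration continues outside the hunk.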
@@ -63,8 +59,6 @@ class site_couchdb { -> Class['site_couchdb::stunnel'] -> Service['couchdb'] -> File['/root/.netrc'] - -> Class['site_couchdb::bigcouch::add_nodes'] - -> Class['site_couchdb::bigcouch::settle_cluster'] -> Class['site_couchdb::create_dbs'] -> Class['site_couchdb::add_users'] @@ -95,24 +89,17 @@ class site_couchdb { } include site_couchdb::stunnel - include site_couchdb::bigcouch::add_nodes - include site_couchdb::bigcouch::settle_cluster include site_couchdb::create_dbs include site_couchdb::add_users include site_couchdb::designs include site_couchdb::logrotate - include site_couchdb::bigcouch::compaction - if $couchdb_backup { include site_couchdb::backup } + if $couchdb_bigcouch { include site_couchdb::bigcouch } + if $couchdb_backup { include site_couchdb::backup } include site_shorewall::couchdb - include site_shorewall::couchdb::bigcouch include site_check_mk::agent::couchdb include site_check_mk::agent::tapicero - file { '/var/log/bigcouch': - ensure => directory - } - } -- cgit v1.2.3 From 7ee86658b0655ded592eecbaa8b1c5b841d8f846 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 19 Jun 2014 20:01:20 +0200 Subject: set mirror option if we are on a couch mirror --- puppet/modules/tapicero/manifests/init.pp | 1 + puppet/modules/tapicero/templates/tapicero.yaml.erb | 2 ++ 2 files changed, 3 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp index af1a96ac..1db75eb0 100644 --- a/puppet/modules/tapicero/manifests/init.pp +++ b/puppet/modules/tapicero/manifests/init.pp @@ -12,6 +12,7 @@ class tapicero { $couchdb_soledad_user = $couchdb_users['soledad']['username'] $couchdb_leap_mx_user = $couchdb_users['leap_mx']['username'] + $couchdb_mirror = $couchdb['mode'] == 'mirror' Class['site_config::default'] -> Class['tapicero'] 
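Review bot: Dropping `-> Class['site_couchdb::bigcouch::add_nodes']` and `-> Class['site_couchdb::bigcouch::settle_cluster']` from the chain leaves nothing in this file ordering cluster setup after Service['couchdb'] and File['/root/.netrc'] or before Class['site_couchdb::create_dbs']; the new site_couchdb::bigcouch class (previous hunk) only anchors those classes after site_config::default. On a multimaster node create_dbs may therefore run before the cluster has settled. The relation can be restored next to the new include, e.g. `if $couchdb_bigcouch { File['/root/.netrc'] -> Class['site_couchdb::bigcouch::add_nodes'] }` and `Class['site_couchdb::bigcouch::settle_cluster'] -> Class['site_couchdb::create_dbs']` inside site_couchdb::bigcouch. The class body continues outside these hunks.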
diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb index 8e19b22f..3a5f821e 100644 --- a/puppet/modules/tapicero/templates/tapicero.yaml.erb +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb @@ -24,6 +24,7 @@ log_level: info options: # prefix for per user databases: db_prefix: "user-" + mirror: <%= @couchdb_mirror %> # security settings to be used for the per user databases security: @@ -40,3 +41,4 @@ options: - <%= @couchdb_leap_mx_user %> roles: [] + -- cgit v1.2.3 From 6df59b9f579134a9521aafb71727a98fdc92e19a Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 19 Jun 2014 20:02:02 +0200 Subject: first steps towards mirroring couch --- puppet/modules/site_couchdb/manifests/bigcouch.pp | 6 +-- .../site_couchdb/manifests/bigcouch/add_nodes.pp | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 6 ++- puppet/modules/site_couchdb/manifests/mirror.pp | 61 ++++++++++++++++++++++ 4 files changed, 69 insertions(+), 6 deletions(-) create mode 100644 puppet/modules/site_couchdb/manifests/mirror.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index a3f6db2c..97c8cd12 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp @@ -1,9 +1,9 @@ class site_couchdb::bigcouch { - $bigcouch_config = $couchdb_config['bigcouch'] - $bigcouch_cookie = $bigcouch_config['cookie'] + $config = $::site_couchdb::couchdb_config['bigcouch'] + $cookie = $config['cookie'] - $ednp_port = $bigcouch_config['ednp_port'] + $ednp_port = $config['ednp_port'] Class['site_config::default'] -> Class['site_couchdb::bigcouch::add_nodes'] diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp index 97e85785..c8c43275 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp 
+++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp @@ -1,6 +1,6 @@ class site_couchdb::bigcouch::add_nodes { # loop through neighbors array and add nodes - $nodes = $::site_couchdb::bigcouch_config['neighbors'] + $nodes = $::site_couchdb::bigcouch::config['neighbors'] couchdb::bigcouch::add_node { $nodes: require => Couchdb::Query::Setup['localhost'] diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 22d6ef45..0b923c9f 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -35,7 +35,7 @@ class site_couchdb { $couchdb_webapp_salt = $couchdb_webapp['salt'] $couchdb_backup = $couchdb_config['backup'] - $couchdb_bigcouch = $couchdb_config['mode'] == "multimaster" + $couchdb_mode = $couchdb_config['mode'] class { 'couchdb': bigcouch => $couchdb_bigcouch, @@ -94,7 +94,9 @@ class site_couchdb { include site_couchdb::designs include site_couchdb::logrotate - if $couchdb_bigcouch { include site_couchdb::bigcouch } + if $couchdb_mode == "multimaster" { include site_couchdb::bigcouch } + if $couchdb_mode == "mirror" { include site_couchdb::mirror } + if $couchdb_backup { include site_couchdb::backup } include site_shorewall::couchdb diff --git a/puppet/modules/site_couchdb/manifests/mirror.pp b/puppet/modules/site_couchdb/manifests/mirror.pp new file mode 100644 index 00000000..708171e4 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/mirror.pp 
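Review bot: Replacing `$couchdb_bigcouch = $couchdb_config['mode'] == "multimaster"` with `$couchdb_mode = $couchdb_config['mode']` leaves the context line `bigcouch => $couchdb_bigcouch,` pointing at a variable that no longer exists, so the couchdb class receives undef and a multimaster node silently falls back to the module's default for `bigcouch`. The same declaration still passes `bigcouch_cookie => $bigcouch_cookie`, which has had no assignment in this class since the cookie moved to site_couchdb::bigcouch. The minimal fix is `bigcouch => $couchdb_mode == "multimaster",` here, and sourcing the cookie from `$::site_couchdb::bigcouch::cookie` (declared in this commit's bigcouch.pp hunk) once that class is evaluated before the declaration. The class body continues outside the hunk.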
@@ -0,0 +1,61 @@
+class site_couchdb::mirror {
+
+ # Couchdb databases
+
+ $from = $site_couchdb::couchdb_config['replication']['masters'][0]
+
+ ### customer database
+ couchdb::mirror_db { 'customers':
+ from => $from,
+ require => Couchdb::Query::Setup['localhost']
+ }
+
+ ## identities database
+ couchdb::mirror_db { 'identities':
+ from => $from,
+ require => Couchdb::Query::Setup['localhost']
+ }
+
+ ## keycache database
+ couchdb::mirror_db { 'keycache':
+ from => $from,
+ require => Couchdb::Query::Setup['localhost']
+ }
+
+ ## sessions database
+ couchdb::mirror_db { 'sessions':
+ from => $from,
+ require => Couchdb::Query::Setup['localhost']
+ }
+
+ ## shared database
+ couchdb::mirror_db { 'shared':
+ from => $from,
+ require => Couchdb::Query::Setup['localhost']
+ }
+
+ ## tickets database
+ couchdb::mirror_db { 'tickets':
+ from => $from,
+ require => Couchdb::Query::Setup['localhost']
+ }
+
+ ## tokens database
+ couchdb::mirror_db { 'tokens':
+ from => $from,
+ require => Couchdb::Query::Setup['localhost']
+ }
+
+ ## users database
+ couchdb::mirror_db { 'users':
+ from => $from,
+ require => Couchdb::Query::Setup['localhost']
+ }
+
+ ## messages db
+ couchdb::mirror_db { 'messages':
+ from => $from,
+ require => Couchdb::Query::Setup['localhost']
+ }
+
+}
-- cgit v1.2.3
From 49f0c54a05f6b542367f8ef4538316ba2eaac6cd Mon Sep 17 00:00:00 2001
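Review bot: `$from = $site_couchdb::couchdb_config['replication']['masters'][0]` takes only the first entry of `masters` and has no guard for a missing or empty list, in which case every `couchdb::mirror_db` below gets `from => undef` and the failure surfaces far from its cause; a `fail()` with a clear message when `masters` is empty would be better. The nine resource declarations differ only in title and can be one array-titled declaration, which also removes the stray `###`/`##` comment inconsistency. Nothing in this class states how the mirror authenticates to `$from` (the credentials, if any, are handled elsewhere); a header comment naming where that is configured would help the next reader.
```puppet
class site_couchdb::mirror {

  $masters = $site_couchdb::couchdb_config['replication']['masters']
  if empty($masters) {
    fail('site_couchdb::mirror: couch.replication.masters is empty')
  }
  # only the first configured master is used as the replication source
  $from = $masters[0]

  couchdb::mirror_db { [ 'customers', 'identities', 'keycache', 'sessions',
                         'shared', 'tickets', 'tokens', 'users', 'messages' ]:
    from    => $from,
    require => Couchdb::Query::Setup['localhost']
  }
}
```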
From: elijah Date: Fri, 20 Jun 2014 01:58:39 -0700 Subject: new generic system for stunnel: just `include site_stunnel` and stunnel + needed shorewall will be automatically set up. requires new leap_cli --- .../site_couchdb/manifests/bigcouch/stunnel.pp | 89 ---------------------- puppet/modules/site_couchdb/manifests/stunnel.pp | 43 ----------- puppet/modules/site_shorewall/manifests/couchdb.pp | 24 ------ .../site_shorewall/manifests/couchdb/bigcouch.pp | 51 ------------- .../site_shorewall/manifests/couchdb/dnat.pp | 21 ----- .../site_shorewall/manifests/stunnel/client.pp | 40 ++++++++++ .../site_shorewall/manifests/stunnel/server.pp | 22 ++++++ puppet/modules/site_stunnel/manifests/client.pp | 52 +++++++++++++ puppet/modules/site_stunnel/manifests/clients.pp | 55 ++++++------- puppet/modules/site_stunnel/manifests/init.pp | 15 ++++ puppet/modules/site_stunnel/manifests/servers.pp | 53 +++++++++++++ 11 files changed, 206 insertions(+), 259 deletions(-) delete mode 100644 puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp delete mode 100644 puppet/modules/site_couchdb/manifests/stunnel.pp delete mode 100644 puppet/modules/site_shorewall/manifests/couchdb.pp delete mode 100644 puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp delete mode 100644 puppet/modules/site_shorewall/manifests/couchdb/dnat.pp create mode 100644 puppet/modules/site_shorewall/manifests/stunnel/client.pp create mode 100644 puppet/modules/site_shorewall/manifests/stunnel/server.pp create mode 100644 puppet/modules/site_stunnel/manifests/client.pp create mode 100644 puppet/modules/site_stunnel/manifests/servers.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp b/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp deleted file mode 100644 index 5166ba93..00000000 --- a/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp +++ /dev/null 
@@ -1,89 +0,0 @@ -class site_couchdb::bigcouch::stunnel { - - $stunnel = hiera('stunnel') - - include site_config::x509::cert - include site_config::x509::key - include site_config::x509::ca - - include x509::variables - $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" - $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" - $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - - - # Erlang Port Mapper Daemon (epmd) stunnel server/clients - $epmd_server = $stunnel['epmd_server'] - $epmd_server_accept = $epmd_server['accept'] - $epmd_server_connect = $epmd_server['connect'] - $epmd_clients = $stunnel['epmd_clients'] - - # Erlang Distributed Node Protocol (ednp) stunnel server/clients - $ednp_server = $stunnel['ednp_server'] - $ednp_server_accept = $ednp_server['accept'] - $ednp_server_connect = $ednp_server['connect'] - $ednp_clients = $stunnel['ednp_clients'] - - - # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for - # bigcouch clustering between each bigcouchdb node - stunnel::service { 'epmd_server': - accept => $epmd_server_accept, - connect => $epmd_server_connect, - client => false, - cafile => $ca_path, - key => $key_path, - cert => $cert_path, - verify => '2', - pid => '/var/run/stunnel4/epmd_server.pid', - rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4', - require => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; - } - - # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect - # to the above epmd stunnel server. 
- $epmd_client_defaults = { - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - } - - create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults) - - # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary - # for bigcouch clustering between each bigcouchdb node - stunnel::service { 'ednp_server': - accept => $ednp_server_accept, - connect => $ednp_server_connect, - client => false, - cafile => $ca_path, - key => $key_path, - cert => $cert_path, - verify => '2', - pid => '/var/run/stunnel4/ednp_server.pid', - rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4', - require => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; - } - - # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect - # to the above ednp stunnel server. - $ednp_client_defaults = { - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - } - - create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults) - - include site_check_mk::agent::stunnel -} diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp deleted file mode 100644 index 484a0c00..00000000 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ /dev/null 
@@ -1,43 +0,0 @@ -class site_couchdb::stunnel { - - $stunnel = hiera('stunnel') - $couchdb_config = hiera('couch') - $couchdb_bigcouch = $couchdb_config['mode'] == "multimaster" - - $couch_server = $stunnel['couch_server'] - $couch_server_accept = $couch_server['accept'] - $couch_server_connect = $couch_server['connect'] - - include site_config::x509::cert - include site_config::x509::key - include site_config::x509::ca - - if $couchdb_bigcouch { - include site_couchdb::bigcouch::stunnel - } - - include x509::variables - $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" - $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" - $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - - # setup a stunnel server for the webapp to connect to couchdb - stunnel::service { 'couch_server': - accept => $couch_server_accept, - connect => $couch_server_connect, - client => false, - cafile => $ca_path, - key => $key_path, - cert => $cert_path, - verify => '2', - pid => '/var/run/stunnel4/couchserver.pid', - rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4', - require => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; - } - - include site_check_mk::agent::stunnel -} diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp deleted file mode 100644 index 73bed62b..00000000 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ /dev/null 
@@ -1,24 +0,0 @@ -class site_shorewall::couchdb { - - include site_shorewall::defaults - - $stunnel = hiera('stunnel') - $couch_server = $stunnel['couch_server'] - $couch_stunnel_port = $couch_server['accept'] - - # define macro for incoming services - file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp ${couch_stunnel_port}", - notify => Service['shorewall'], - require => Package['shorewall'] - } - - shorewall::rule { - 'net2fw-couchdb': - source => 'net', - destination => '$FW', - action => 'leap_couchdb(ACCEPT)', - order => 200; - } - -} diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp deleted file mode 100644 index 20740650..00000000 --- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp +++ /dev/null 
@@ -1,51 +0,0 @@ -class site_shorewall::couchdb::bigcouch { - - include site_shorewall::defaults - - $stunnel = hiera('stunnel') - - # Erlang Port Mapper Daemon (epmd) stunnel server/clients - $epmd_clients = $stunnel['epmd_clients'] - $epmd_server = $stunnel['epmd_server'] - $epmd_server_port = $epmd_server['accept'] - $epmd_server_connect = $epmd_server['connect'] - - # Erlang Distributed Node Protocol (ednp) stunnel server/clients - $ednp_clients = $stunnel['ednp_clients'] - $ednp_server = $stunnel['ednp_server'] - $ednp_server_port = $ednp_server['accept'] - $ednp_server_connect = $ednp_server['connect'] - - # define macro for incoming services - file { '/etc/shorewall/macro.leap_bigcouch': - content => "PARAM - - tcp ${epmd_server_port},${ednp_server_port}", - notify => Service['shorewall'], - require => Package['shorewall'] - } - - shorewall::rule { - 'net2fw-bigcouch': - source => 'net', - destination => '$FW', - action => 'leap_bigcouch(ACCEPT)', - order => 300; - } - - # setup DNAT rules for each epmd - $epmd_shorewall_dnat_defaults = { - 'source' => '$FW', - 'proto' => 'tcp', - 'destinationport' => regsubst($epmd_server_connect, '^([0-9.]+:)([0-9]+)$', '\2') - } - create_resources(site_shorewall::couchdb::dnat, $epmd_clients, $epmd_shorewall_dnat_defaults) - - # setup DNAT rules for each ednp - $ednp_shorewall_dnat_defaults = { - 'source' => '$FW', - 'proto' => 'tcp', - 'destinationport' => regsubst($ednp_server_connect, '^([0-9.]+:)([0-9]+)$', '\2') - } - create_resources(site_shorewall::couchdb::dnat, $ednp_clients, $ednp_shorewall_dnat_defaults) - -} - diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp deleted file mode 100644 index f1bc9acf..00000000 --- a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp +++ /dev/null 
@@ -1,21 +0,0 @@
-define site_shorewall::couchdb::dnat (
- $source,
- $connect,
- $connect_port,
- $accept_port,
- $proto,
- $destinationport )
-{
-
-
- shorewall::rule {
- "dnat_${name}_${destinationport}":
- action => 'DNAT',
- source => $source,
- destination => "\$FW:127.0.0.1:${accept_port}",
- proto => $proto,
- destinationport => $destinationport,
- originaldest => $connect,
- order => 200
- }
-}
diff --git a/puppet/modules/site_shorewall/manifests/stunnel/client.pp b/puppet/modules/site_shorewall/manifests/stunnel/client.pp
new file mode 100644
index 00000000..9a89a244
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/stunnel/client.pp
@@ -0,0 +1,40 @@
+#
+# Adds some firewall magic to the stunnel.
+#
+# Using DNAT, this firewall rule allow a locally running program
+# to try to connect to the normal remote IP and remote port of the
+# service on another machine, but have this connection magically
+# routed through the locally running stunnel client.
+#
+# The network looks like this:
+#
+# From the client's perspective:
+#
+# |------- stunnel client --------------| |---------- stunnel server -----------------------|
+# consumer app -> localhost:accept_port -> connect:connect_port -> localhost:original_port
+#
+# From the server's perspective:
+#
+# |------- stunnel client --------------| |---------- stunnel server -----------------------|
+# ?? -> *:accept_port -> localhost:connect_port -> service
+#
+
+define site_shorewall::stunnel::client(
+ $accept_port,
+ $connect,
+ $connect_port,
+ $original_port) {
+
+ include site_shorewall::defaults
+
+ shorewall::rule {
+ "stunnel_dnat_${name}":
+ action => 'DNAT',
+ source => '$FW',
+ destination => "\$FW:127.0.0.1:${accept_port}",
+ proto => 'tcp',
+ destinationport => $original_port,
+ originaldest => $connect,
+ order => 200
+ }
+}
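Review bot: The header comment and the rule disagree about what `$original_port` is: the client-side diagram has the consumer dialing `localhost:accept_port` and places `original_port` on the server, but the rule matches `destinationport => $original_port` with `originaldest => $connect`, i.e. the consumer dials `$connect:$original_port` and the DNAT redirects it to `127.0.0.1:$accept_port`. The server-side figure is also left as `?? -> *:accept_port ...`. I would rewrite the client line as `#   consumer app -> connect:original_port  ==DNAT==>  localhost:accept_port -> stunnel -> connect:connect_port` and finish or drop the server-side figure, since this define only installs the client-side rule. The DNAT is scoped to `source => '$FW'`, so it only affects locally originated traffic; that is worth stating explicitly in the comment.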
diff --git a/puppet/modules/site_shorewall/manifests/stunnel/server.pp b/puppet/modules/site_shorewall/manifests/stunnel/server.pp
new file mode 100644
index 00000000..db3ecd3e
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/stunnel/server.pp
@@ -0,0 +1,22 @@
+#
+# Allow all incoming connections to stunnel server port
+#
+
+define site_shorewall::stunnel::server($port) {
+
+ include site_shorewall::defaults
+
+ file { "/etc/shorewall/macro.stunnel_server_${name}":
+ content => "PARAM - - tcp ${port}",
+ notify => Service['shorewall'],
+ require => Package['shorewall']
+ }
+ shorewall::rule {
+ 'net2fw-couchdb':
+ source => 'net',
+ destination => '$FW',
+ action => "stunnel_server_${name}(ACCEPT)",
+ order => 200;
+ }
+
+}
\ No newline at end of file
diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp
new file mode 100644
index 00000000..12d664b4
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/client.pp
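Review bot: `shorewall::rule { 'net2fw-couchdb': ... }` uses a fixed title inside a define keyed on `$name`, so the second `site_stunnel::servers` instance on a node (any host with more than one entry under `stunnel.servers`, such as the bigcouch epmd and ednp servers this series replaces) fails with a duplicate resource declaration, and the title misnames the rule for non-couch servers. The macro file already uses `$name`; the rule should too: `"net2fw-stunnel_${name}":`. The accepted source is the whole `net` zone, which is acceptable only because stunnel's `verify => '2'` in site_stunnel::servers requires a peer certificate from the site CA; a comment tying the open port to that check would help. The file also ends without a newline.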
@@ -0,0 +1,52 @@
+#
+# Sets up stunnel and firewall configuration for
+# a single stunnel client
+#
+# As a client, we accept connections on localhost,
+# and connect to a remote $connect:$connect_port
+#
+
+define site_stunnel::client (
+ $accept_port,
+ $connect_port,
+ $connect,
+ $original_port,
+ $verify = '2',
+ $pid = $name,
+ $rndfile = '/var/lib/stunnel4/.rnd',
+ $debuglevel = '4' ) {
+
+ include site_config::x509::cert
+ include site_config::x509::key
+ include site_config::x509::ca
+ include x509::variables
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+ stunnel::service { $name:
+ accept => "127.0.0.1:${accept_port}",
+ connect => "${connect}:${connect_port}",
+ client => true,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => $verify,
+ pid => "/var/run/stunnel4/${pid}.pid",
+ rndfile => $rndfile,
+ debuglevel => $debuglevel,
+ subscribe => [
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
+ Class['Site_config::X509::Ca'] ];
+ }
+
+ site_shorewall::stunnel::client { $name:
+ accept_port => $accept_port,
+ connect => $connect,
+ connect_port => $connect_port,
+ original_port => $original_port
+ }
+
+ include site_check_mk::agent::stunnel
+}
diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp
index b75c9ac3..44b31aaa 100644
--- a/puppet/modules/site_stunnel/manifests/clients.pp
+++ b/puppet/modules/site_stunnel/manifests/clients.pp
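Review bot: The parameters of site_stunnel::client are undocumented apart from the header's `$connect:$connect_port` remark; `$original_port` in particular is passed straight to site_shorewall::stunnel::client, where it decides which locally originated connections get DNATed, and nothing here says so. A short parameter block in the header would do, e.g. `# $accept_port   - local port stunnel listens on (127.0.0.1 only)`, `# $original_port - plain-text port the consumer dials on $connect; that traffic is redirected to the local accept_port`, `# $connect/$connect_port - remote stunnel server endpoint`. The x509 path setup here is a copy of the one in site_stunnel::servers; hoisting it into site_stunnel would leave one definition to maintain.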
@@ -1,33 +1,26 @@
-define site_stunnel::clients (
- $accept_port,
- $connect_port,
- $connect,
- $cafile,
- $key,
- $cert,
- $client = true,
- $verify = '2',
- $pid = $name,
- $rndfile = '/var/lib/stunnel4/.rnd',
- $debuglevel = '4' ) {
+#
+# usage:
+# create_resource(site_stunnel::clients, hiera('stunnel')['clients'])
+#
+# example hiera yaml:
+#
+# stunnel:
+# clients:
+# ednp_clients:
+# thrips_9002:
+# accept_port: 4001
+# connect: thrips.demo.bitmask.i
+# connect_port: 19002
+# epmd_clients:
+# thrips_4369:
+# accept_port: 4000
+# connect: thrips.demo.bitmask.i
+# connect_port: 14369
+#
+# In the above example, this resource definition is called twice, with $name
+# 'ednp_clients' and 'epmd_clients'
+#
 
- stunnel::service { $name:
- accept => "127.0.0.1:${accept_port}",
- connect => "${connect}:${connect_port}",
- client => $client,
- cafile => $cafile,
- key => $key,
- cert => $cert,
- verify => $verify,
- pid => "/var/run/stunnel4/${pid}.pid",
- rndfile => $rndfile,
- debuglevel => $debuglevel,
- subscribe => [
- Class['Site_config::X509::Key'],
- Class['Site_config::X509::Cert'],
- Class['Site_config::X509::Ca'] ];
-
- }
-
- include site_check_mk::agent::stunnel
+define site_stunnel::clients {
+ create_resources(site_stunnel::client, $site_stunnel::clients[$name])
 }
diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp
index c7d6acc6..b292f1cd 100644
--- a/puppet/modules/site_stunnel/manifests/init.pp
+++ b/puppet/modules/site_stunnel/manifests/init.pp
@@ -1,3 +1,8 @@
+#
+# If you need something to happen after stunnel is started,
+# you can depend on Service['stunnel'] or Class['site_stunnel']
+#
+
 class site_stunnel { # include the generic stunnel module
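Review bot: The usage comment `create_resource(site_stunnel::clients, hiera('stunnel')['clients'])` does not match the define it documents: site_stunnel::clients takes no parameters and indexes `$site_stunnel::clients[$name]`, so feeding it the nested hash through create_resources would try to set the children of `ednp_clients` (e.g. `thrips_9002`) as parameters and fail, and the function is spelled `create_resources`. site_stunnel's init.pp instantiates it as `site_stunnel::clients { $client_sections: }` from `keys($clients)`; the comment should show that, e.g. `#   site_stunnel::clients { keys(hiera('stunnel')['clients']): }`, and mention that the define relies on class site_stunnel having set `$clients` first.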
@@ -13,5 +18,15 @@ class site_stunnel { ensure => absent; } } + + $stunnel = hiera('stunnel') + + # add server stunnels + create_resources(site_stunnel::servers, $stunnel['servers']) + + # add client stunnels + $clients = $stunnel['clients'] + $client_sections = keys($clients) + site_stunnel::clients { $client_sections: } } diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp new file mode 100644 index 00000000..4419923f --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/servers.pp @@ -0,0 +1,53 @@ +# +# usage: +# create_resource(site_stunnel::servers, hiera('stunnel')['servers']) +# +# example hiera yaml: +# +# stunnel: +# servers: +# couch_server: +# accept_port: 15984 +# connect_port: 5984 +# + +define site_stunnel::servers ( + $accept_port, + $connect_port, + $verify = '2', + $pid = $name, + $rndfile = '/var/lib/stunnel4/.rnd', + $debuglevel = '4' ) { + + include site_config::x509::cert + include site_config::x509::key + include site_config::x509::ca + include x509::variables + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" + + stunnel::service { $name: + accept => $accept_port, + connect => "127.0.0.1:${connect_port}", + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => $verify, + pid => "/var/run/stunnel4/${pid}.pid", + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => $debuglevel, + require => [ + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ]; + } + + # allow incoming connections on $accept_port + site_shorewall::stunnel::server { $name: + port => $accept_port + } + + include site_check_mk::agent::stunnel +} -- cgit v1.2.3 From 2bd603b9532fac70a25add8661acc94acb8598f8 Mon Sep 17 00:00:00 2001 
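Review bot: `keys($clients)` and `create_resources(site_stunnel::servers, $stunnel['servers'])` both assume the `stunnel` hiera hash carries a `servers` and a `clients` key; a node that only has one of them would, as far as I can tell from here, fail catalog compilation with a stdlib type error rather than a message naming the missing key. Guard each block, e.g. `if $stunnel['servers'] { create_resources(site_stunnel::servers, $stunnel['servers']) }` and the same around the three client lines, or `fail("stunnel hiera data lacks 'clients'")` so the cause is explicit. Whether every node type always defines both keys is not visible in this hunk, and the class body starts before it.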
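Review bot: The `$rndfile` parameter of `site_stunnel::servers` is accepted but never used — the `stunnel::service` declaration passes the literal `rndfile => '/var/lib/stunnel4/.rnd'`, so a caller overriding it silently gets the default; change that line to `rndfile => $rndfile,` as the client define does. `accept => $accept_port` with no address binds on every interface, which is what the `site_shorewall::stunnel::server` rule below relies on, but it deserves a comment: `# bind on all interfaces; reachability is limited by the shorewall rule below`. The `verify = '2'` default has the same caveat as on the client side: it requires a certificate from the site CA but does not restrict which CA-issued client may connect.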
From: elijah Date: Fri, 20 Jun 2014 02:00:18 -0700 Subject: site_couchdb: support auto-stunnel setup, split master, bigcouch, and mirror out into separate files. --- puppet/modules/site_couchdb/manifests/add_users.pp | 3 ++ puppet/modules/site_couchdb/manifests/bigcouch.pp | 20 ++++++-- .../modules/site_couchdb/manifests/create_dbs.pp | 3 ++ puppet/modules/site_couchdb/manifests/init.pp | 60 +++------------------- puppet/modules/site_couchdb/manifests/master.pp | 9 ++++ puppet/modules/site_couchdb/manifests/mirror.pp | 18 ++++++- puppet/modules/site_couchdb/manifests/setup.pp | 39 ++++++++++++++ 7 files changed, 96 insertions(+), 56 deletions(-) create mode 100644 puppet/modules/site_couchdb/manifests/master.pp create mode 100644 puppet/modules/site_couchdb/manifests/setup.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index f9ea7349..41930b7b 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -1,5 +1,8 @@ class site_couchdb::add_users { + Class['site_couchdb::create_dbs'] + -> Class['site_couchdb::add_users'] + # Couchdb users ## leap_mx couchdb user diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index 97c8cd12..f0aab734 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp 
@@ -1,18 +1,32 @@ class site_couchdb::bigcouch { - $config = $::site_couchdb::couchdb_config['bigcouch'] + $config = $couchdb_config['bigcouch'] $cookie = $config['cookie'] + $ednp_port = $config['ednp_port'] - $ednp_port = $config['ednp_port'] + class { 'couchdb': + admin_pw => $couchdb_admin_pw, + admin_salt => $couchdb_admin_salt, + bigcouch => true, + bigcouch_cookie => $cookie, + ednp_port => $ednp_port, + chttpd_bind_address => '127.0.0.1' + } + # + # stunnel must running correctly before bigcouch dbs can be set up. + # Class['site_config::default'] + -> Class['couchdb::bigcouch::package::cloudant'] + -> Service['shorewall'] + -> Service['stunnel'] + -> Class['site_couchdb::setup'] -> Class['site_couchdb::bigcouch::add_nodes'] -> Class['site_couchdb::bigcouch::settle_cluster'] include site_couchdb::bigcouch::add_nodes include site_couchdb::bigcouch::settle_cluster include site_couchdb::bigcouch::compaction - include site_shorewall::couchdb::bigcouch file { '/var/log/bigcouch': ensure => directory diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index 41500d3a..f8d8098a 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -1,5 +1,8 @@ class site_couchdb::create_dbs { + Class['site_couchdb::setup'] + -> Class['site_couchdb::create_dbs'] + # Couchdb databases ### customer database diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 0b923c9f..4999b611 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
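Review bot: `$config = $couchdb_config['bigcouch']` and the `admin_pw => $couchdb_admin_pw` / `admin_salt => $couchdb_admin_salt` arguments read these variables unqualified, relying on dynamic scope lookup into `site_couchdb`, while the `master.pp` and `mirror.pp` hunks of this same commit qualify them as `$site_couchdb::couchdb_admin_pw`; since dynamic scoping is deprecated and the removed line already used `$::site_couchdb::couchdb_config`, write `$site_couchdb::couchdb_config['bigcouch']`, `$site_couchdb::couchdb_admin_pw` and `$site_couchdb::couchdb_admin_salt` here too. The ordering comment has a typo: `# stunnel must be running correctly before bigcouch dbs can be set up.`. The class body continues outside the hunk.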
@@ -37,70 +37,26 @@ class site_couchdb { $couchdb_backup = $couchdb_config['backup'] $couchdb_mode = $couchdb_config['mode'] - class { 'couchdb': - bigcouch => $couchdb_bigcouch, - admin_pw => $couchdb_admin_pw, - admin_salt => $couchdb_admin_salt, - bigcouch_cookie => $bigcouch_cookie, - ednp_port => $ednp_port, - chttpd_bind_address => '127.0.0.1' - } - - # ensure that we don't have leftovers from previous installations - # where we installed the cloudant bigcouch package - # https://leap.se/code/issues/4971 - class { 'couchdb::bigcouch::package::cloudant': - ensure => absent - } + if $couchdb_mode == "multimaster" { include site_couchdb::bigcouch } + if $couchdb_mode == "master" { include site_couchdb::master } + if $couchdb_mode == "mirror" { include site_couchdb::mirror } Class['site_config::default'] - -> Class['couchdb::bigcouch::package::cloudant'] -> Service['shorewall'] - -> Class['site_couchdb::stunnel'] - -> Service['couchdb'] - -> File['/root/.netrc'] - -> Class['site_couchdb::create_dbs'] - -> Class['site_couchdb::add_users'] - - # /etc/couchdb/couchdb.netrc is deployed by couchdb::query::setup - # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) - # and makes life easier for the admin (i.e. 
using curl/wget without - # passing credentials) - file { - '/root/.netrc': - ensure => link, - target => '/etc/couchdb/couchdb.netrc'; - - '/srv/leap/couchdb': - ensure => directory - } + -> Service['stunnel'] + -> Class['couchdb'] + -> Class['site_couchdb::setup'] - couchdb::query::setup { 'localhost': - user => $couchdb_admin_user, - pw => $couchdb_admin_pw, - } + include site_stunnel - vcsrepo { '/srv/leap/couchdb/scripts': - ensure => present, - provider => git, - source => 'https://leap.se/git/couchdb_scripts', - revision => 'origin/master', - require => File['/srv/leap/couchdb'] - } - - include site_couchdb::stunnel + include site_couchdb::setup include site_couchdb::create_dbs include site_couchdb::add_users include site_couchdb::designs include site_couchdb::logrotate - if $couchdb_mode == "multimaster" { include site_couchdb::bigcouch } - if $couchdb_mode == "mirror" { include site_couchdb::mirror } - if $couchdb_backup { include site_couchdb::backup } - include site_shorewall::couchdb - include site_check_mk::agent::couchdb include site_check_mk::agent::tapicero diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp new file mode 100644 index 00000000..a0a6633d --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/master.pp @@ -0,0 +1,9 @@ +class site_couchdb::master { + + class { 'couchdb': + admin_pw => $site_couchdb::couchdb_admin_pw, + admin_salt => $site_couchdb::couchdb_admin_salt, + chttpd_bind_address => '127.0.0.1' + } + +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/manifests/mirror.pp b/puppet/modules/site_couchdb/manifests/mirror.pp index 708171e4..f3b43cc2 100644 --- a/puppet/modules/site_couchdb/manifests/mirror.pp +++ b/puppet/modules/site_couchdb/manifests/mirror.pp 
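Review bot: The three `if $couchdb_mode == ...` lines have no fallback, so an unset or misspelled `mode` declares none of `site_couchdb::bigcouch`, `master` or `mirror`, and the `-> Class['couchdb']` relationship below then fails with a message that does not name the real cause; a `case` with a `default` that calls `fail()` makes the misconfiguration explicit. The `Class['site_config::default'] -> Service['shorewall'] -> Service['stunnel'] -> Class['couchdb']` chain is what keeps the database from starting before the firewall and tunnels are up, and since the old chain that said so was removed, a one-line comment such as `# firewall and stunnel must be up before couchdb starts and before setup runs` would preserve that intent. The class body starts before this hunk.
```puppet
  case $couchdb_mode {
    'multimaster': { include site_couchdb::bigcouch }
    'master':      { include site_couchdb::master }
    'mirror':      { include site_couchdb::mirror }
    default:       { fail("unknown couchdb mode: ${couchdb_mode}") }
  }
  # … unchanged: ordering chain and includes …
```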
@@ -1,8 +1,24 @@ class site_couchdb::mirror { + Class['site_couchdb::add_users'] + -> Class['site_couchdb::mirror'] + + class { 'couchdb': + admin_pw => $site_couchdb::couchdb_admin_pw, + admin_salt => $site_couchdb::couchdb_admin_salt, + chttpd_bind_address => '127.0.0.1' + } + # Couchdb databases - $from = $site_couchdb::couchdb_config['replication']['masters'][0] + $masters = $site_couchdb::couchdb_config['replication']['masters'] + $master_node_names = keys($site_couchdb::couchdb_config['replication']['masters']) + $master_node = $masters[$master_node_names[0]] + $from_host = $master_node['domain_internal'] + $from_port = $master_node['couch_port'] + $from = "${from_host}:${from_port}" + + notice("mirror from: ${from}") ### customer database couchdb::mirror_db { 'customers': diff --git a/puppet/modules/site_couchdb/manifests/setup.pp b/puppet/modules/site_couchdb/manifests/setup.pp new file mode 100644 index 00000000..e398356b --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/setup.pp 
@@ -0,0 +1,39 @@ +# +# An initial setup class. All the other classes depend on this +# +class site_couchdb::setup { + + # ensure that we don't have leftovers from previous installations + # where we installed the cloudant bigcouch package + # https://leap.se/code/issues/4971 + class { 'couchdb::bigcouch::package::cloudant': + ensure => absent + } + + # /etc/couchdb/couchdb.netrc is deployed by couchdb::query::setup + # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) + # and makes life easier for the admin (i.e. using curl/wget without + # passing credentials) + file { + '/root/.netrc': + ensure => link, + target => '/etc/couchdb/couchdb.netrc'; + + '/srv/leap/couchdb': + ensure => directory + } + + couchdb::query::setup { 'localhost': + user => $site_couchdb::couchdb_admin_user, + pw => $site_couchdb::couchdb_admin_pw, + } + + vcsrepo { '/srv/leap/couchdb/scripts': + ensure => present, + provider => git, + source => 'https://leap.se/git/couchdb_scripts', + revision => 'origin/master', + require => File['/srv/leap/couchdb'] + } + +} -- cgit v1.2.3 From a8f6415b0869018fd8d4ac947814529e8e85ace2 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 20 Jun 2014 19:10:44 +0200 Subject: add replication user --- puppet/modules/site_couchdb/manifests/add_users.pp | 9 +++++++++ puppet/modules/site_couchdb/manifests/create_dbs.pp | 18 +++++++++--------- puppet/modules/site_couchdb/manifests/init.pp | 5 +++++ puppet/modules/site_couchdb/manifests/mirror.pp | 4 +++- 4 files changed, 26 insertions(+), 10 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index 41930b7b..0585da27 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp 
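Review bot: `vcsrepo { '/srv/leap/couchdb/scripts': ... revision => 'origin/master' }` checks out an unpinned branch from `https://leap.se/git/couchdb_scripts` on every run; these scripts are the ones the comment says use `/root/.netrc`, so presumably they run as root with the admin credentials, and whatever lands on that branch becomes part of the deployment without review. Pin `revision` to a tag or commit (`revision => '<pinned-commit>'` as a placeholder) and bump it deliberately. The `'/root/.netrc'` link and its `/etc/couchdb/couchdb.netrc` target carry credentials, and the hunk sets no mode on either; the comment says `couchdb::query::setup` deploys the target, which I cannot see here, so confirm it restricts the target's mode and note it: `# the credentials live in the target file; its mode is set by couchdb::query::setup`.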
@@ -54,4 +54,13 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } + ## replication couchdb user + ## read/write: all databases for replication + couchdb::add_user { $site_couchdb::couchdb_replication_user: + roles => '["repliction"]', + pw => $site_couchdb::couchdb_replication_pw, + salt => $site_couchdb::couchdb_replication_salt, + require => Couchdb::Query::Setup['localhost'] + } + } diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index f8d8098a..4322f773 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -8,7 +8,7 @@ class site_couchdb::create_dbs { ### customer database ### r/w: webapp, couchdb::create_db { 'customers': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } 
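Review bot: Each `members` object now lists the `replication` role, which in a CouchDB `_security` document grants read and write access, so the replication account can modify every database including `users`, `tokens` and `identities`; the hunks `@@ -16,35 +16,35 @@`, `@@ -52,14 +52,14 @@` and `@@ -67,7 +67,7 @@` make the same change. If the mirror only pulls from the master, consider whether this account needs write membership there, or whether a `validate_doc_update` design document should reject writes from that role. At minimum the `### r/w:` comment above each `create_db` still lists only the original users and should agree with the `add_users` comment `read/write: all databases for replication`, e.g. `### r/w: webapp, replication role`.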
@@ -16,35 +16,35 @@ class site_couchdb::create_dbs { ## r: nickserver, leap_mx - needs to be restrict with design document ## r/w: webapp couchdb::create_db { 'identities': - members => "{ \"names\": [], \"roles\": [\"identities\"] }", + members => "{ \"names\": [], \"roles\": [\"replication\", \"identities\"] }", require => Couchdb::Query::Setup['localhost'] } ## keycache database ## r/w: nickserver couchdb::create_db { 'keycache': - members => "{ \"names\": [], \"roles\": [\"keycache\"] }", + members => "{ \"names\": [], \"roles\": [\"replication\", \"keycache\"] }", require => Couchdb::Query::Setup['localhost'] } ## sessions database ## r/w: webapp couchdb::create_db { 'sessions': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } ## shared database ## r/w: soledad couchdb::create_db { 'shared': - members => "{ \"names\": [\"$site_couchdb::couchdb_soledad_user\"], \"roles\": [] }", + members => "{ \"names\": [\"$site_couchdb::couchdb_soledad_user\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } ## tickets database ## r/w: webapp couchdb::create_db { 'tickets': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } 
@@ -52,14 +52,14 @@ class site_couchdb::create_dbs { ## r: soledad - needs to be restricted with a design document ## r/w: webapp couchdb::create_db { 'tokens': - members => "{ \"names\": [], \"roles\": [\"tokens\"] }", + members => "{ \"names\": [], \"roles\": [\"replication\", \"tokens\"] }", require => Couchdb::Query::Setup['localhost'] } ## users database ## r/w: webapp couchdb::create_db { 'users': - members => "{ \"names\": [], \"roles\": [\"users\"] }", + members => "{ \"names\": [], \"roles\": [\"replication\", \"users\"] }", require => Couchdb::Query::Setup['localhost'] } @@ -67,7 +67,7 @@ class site_couchdb::create_dbs { ## store messages to the clients such as payment reminders ## r/w: webapp couchdb::create_db { 'messages': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 4999b611..6f7e974e 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -34,6 +34,11 @@ class site_couchdb { $couchdb_webapp_pw = $couchdb_webapp['password'] $couchdb_webapp_salt = $couchdb_webapp['salt'] + $couchdb_replication = $couchdb_users['replication'] + $couchdb_replication_user= $couchdb_replication['username'] + $couchdb_replication_pw = $couchdb_replication['password'] + $couchdb_replication_salt= $couchdb_replication['salt'] + $couchdb_backup = $couchdb_config['backup'] $couchdb_mode = $couchdb_config['mode'] diff --git a/puppet/modules/site_couchdb/manifests/mirror.pp b/puppet/modules/site_couchdb/manifests/mirror.pp index f3b43cc2..2a44b1e9 100644 --- a/puppet/modules/site_couchdb/manifests/mirror.pp +++ b/puppet/modules/site_couchdb/manifests/mirror.pp 
@@ -14,9 +14,11 @@ class site_couchdb::mirror { $masters = $site_couchdb::couchdb_config['replication']['masters'] $master_node_names = keys($site_couchdb::couchdb_config['replication']['masters']) $master_node = $masters[$master_node_names[0]] + $user = $site_couchdb::couchdb_replication_user + $password = $site_couchdb::couchdb_replication_pw $from_host = $master_node['domain_internal'] $from_port = $master_node['couch_port'] - $from = "${from_host}:${from_port}" + $from = "http://${user}:${password}@${from_host}:${from_port}" notice("mirror from: ${from}") -- cgit v1.2.3 From bc42e9bd3a86bb858ef853cf333242c81874209b Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 20 Jun 2014 14:34:53 -0700 Subject: stunnel: make site_mx and site_webapp use new site_stunnel --- puppet/modules/site_mx/manifests/couchdb.pp | 23 ---------------------- puppet/modules/site_mx/manifests/init.pp | 2 +- .../site_shorewall/manifests/stunnel/server.pp | 2 +- puppet/modules/site_stunnel/manifests/clients.pp | 3 --- puppet/modules/site_stunnel/manifests/servers.pp | 3 --- puppet/modules/site_webapp/manifests/couchdb.pp | 14 ------------- 6 files changed, 2 insertions(+), 45 deletions(-) delete mode 100644 puppet/modules/site_mx/manifests/couchdb.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp deleted file mode 100644 index b1f3bd02..00000000 --- a/puppet/modules/site_mx/manifests/couchdb.pp +++ /dev/null 
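Review bot: `$from` now embeds `${user}:${password}`, and the unchanged `notice("mirror from: ${from}")` on the next line writes the replication password into the agent log and into the report sent to the puppet master on every run; log the endpoint only, `notice("mirror from: ${from_host}:${from_port}")`, or drop the notice. Neither `$user` nor `$password` is URL-encoded, so a password containing `@`, `:` or `/` yields a malformed replication URL; a comment stating that constraint, or a `uriescape()` call if the stdlib version in use has it, would avoid a confusing failure. The `http://` scheme is only acceptable if `domain_internal:couch_port` is the local stunnel endpoint, which this hunk does not show, so confirm the credentials never cross the network in clear.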
@@ -1,23 +0,0 @@ -class site_mx::couchdb { - - $stunnel = hiera('stunnel') - $couch_client = $stunnel['couch_client'] - $couch_client_connect = $couch_client['connect'] - - include x509::variables - $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" - $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" - $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - - include site_stunnel - - $couchdb_stunnel_client_defaults = { - 'connect_port' => $couch_client_connect, - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - } - - create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) -} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index c3d38a46..91014ed6 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -8,12 +8,12 @@ class site_mx { include site_config::x509::client_ca::ca include site_config::x509::client_ca::key + include site_stunnel include site_postfix::mx include site_haproxy include site_shorewall::mx include site_shorewall::service::smtp - include site_mx::couchdb include leap_mx include site_check_mk::agent::mx } diff --git a/puppet/modules/site_shorewall/manifests/stunnel/server.pp b/puppet/modules/site_shorewall/manifests/stunnel/server.pp index db3ecd3e..798cd631 100644 --- a/puppet/modules/site_shorewall/manifests/stunnel/server.pp +++ b/puppet/modules/site_shorewall/manifests/stunnel/server.pp @@ -12,7 +12,7 @@ define site_shorewall::stunnel::server($port) { require => Package['shorewall'] } shorewall::rule { - 'net2fw-couchdb': + "net2fw-stunnel-server-${name}": source => 'net', destination => '$FW', action => "stunnel_server_${name}(ACCEPT)", diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index 44b31aaa..c0958b5f 100644 
--- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -1,7 +1,4 @@ # -# usage: -# create_resource(site_stunnel::clients, hiera('stunnel')['clients']) -# # example hiera yaml: # # stunnel: diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp index 4419923f..b1da5c59 100644 --- a/puppet/modules/site_stunnel/manifests/servers.pp +++ b/puppet/modules/site_stunnel/manifests/servers.pp @@ -1,7 +1,4 @@ # -# usage: -# create_resource(site_stunnel::servers, hiera('stunnel')['servers']) -# # example hiera yaml: # # stunnel: diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ff743fba..3ae4d266 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -7,10 +7,6 @@ class site_webapp::couchdb { $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] - $stunnel = hiera('stunnel') - $couch_client = $stunnel['couch_client'] - $couch_client_connect = $couch_client['connect'] - include x509::variables file { @@ -37,14 +33,4 @@ class site_webapp::couchdb { } include site_stunnel - - $couchdb_stunnel_client_defaults = { - 'connect_port' => $couch_client_connect, - 'client' => true, - 'cafile' => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt", - 'key' => "${x509::variables::keys}/${site_config::params::cert_name}.key", - 'cert' => "${x509::variables::certs}/${site_config::params::cert_name}.crt", - } - - create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) } -- cgit v1.2.3 From 26cbd9a70c4b19b591a6f865812f0ad98de2668c Mon Sep 17 00:00:00 2001 
From: elijah Date: Sat, 21 Jun 2014 02:52:43 -0700 Subject: haproxy: support read only couchdb mirrors --- puppet/modules/site_haproxy/manifests/init.pp | 42 +++++++++++----------- puppet/modules/site_haproxy/templates/couch.erb | 32 +++++++++++++++++ .../modules/site_haproxy/templates/haproxy.cfg.erb | 11 ++++++ .../site_haproxy/templates/haproxy_couchdb.cfg.erb | 23 ------------ 4 files changed, 64 insertions(+), 44 deletions(-) create mode 100644 puppet/modules/site_haproxy/templates/couch.erb create mode 100644 puppet/modules/site_haproxy/templates/haproxy.cfg.erb delete mode 100644 puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index 6bcf3f5c..b28ce80e 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp 
@@ -2,25 +2,25 @@ class site_haproxy { $haproxy = hiera('haproxy') class { 'haproxy': - enable => true, - manage_service => true, - global_options => { - 'log' => '127.0.0.1 local0', - 'maxconn' => '4096', - 'stats' => 'socket /var/run/haproxy.sock user haproxy group haproxy', - 'chroot' => '/usr/share/haproxy', - 'user' => 'haproxy', - 'group' => 'haproxy', - 'daemon' => '' - }, - defaults_options => { - 'log' => 'global', - 'retries' => '3', - 'option' => 'redispatch', - 'timeout connect' => '4000', - 'timeout client' => '20000', - 'timeout server' => '20000' - } + enable => true, + manage_service => true, + global_options => { + 'log' => '127.0.0.1 local0', + 'maxconn' => '4096', + 'stats' => 'socket /var/run/haproxy.sock user haproxy group haproxy', + 'chroot' => '/usr/share/haproxy', + 'user' => 'haproxy', + 'group' => 'haproxy', + 'daemon' => '' + }, + defaults_options => { + 'log' => 'global', + 'retries' => '3', + 'option' => 'redispatch', + 'timeout connect' => '4000', + 'timeout client' => '20000', + 'timeout server' => '20000' + } } # monitor haproxy @@ -34,8 +34,8 @@ class site_haproxy { concat::fragment { 'leap_haproxy_webapp_couchdb': target => '/etc/haproxy/haproxy.cfg', order => '20', - content => template('site_haproxy/haproxy_couchdb.cfg.erb'), + content => template('site_haproxy/haproxy.cfg.erb'), } - + include site_check_mk::agent::haproxy } diff --git a/puppet/modules/site_haproxy/templates/couch.erb b/puppet/modules/site_haproxy/templates/couch.erb new file mode 100644 index 00000000..baa31486 --- /dev/null +++ b/puppet/modules/site_haproxy/templates/couch.erb 
@@ -0,0 +1,32 @@ +frontend couch + bind localhost:<%= @listen_port %> + mode http + option httplog + option dontlognull + option http-server-close # use client keep-alive, but close server connection. + use_backend couch_write if METH_POST + default_backend couch_read + +backend couch_write + mode http + balance roundrobin + option httpchk GET / # health check using simple get to root + option allbackups # balance among all backups, not just one. + default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 +<%- @servers.sort.each do |name,server| -%> +<%- next unless server['writable'] -%> + # <%=name%> + server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%='backup' if server['backup']%> weight <%=server['weight']%> check +<%- end -%> + +backend couch_read + mode http + balance roundrobin + option httpchk GET / # health check using simple get to root + option allbackups # balance among all backups, not just one. + default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 +<%- @servers.sort.each do |name,server| -%> + # <%=name%> + server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%='backup' if server['backup']%> weight <%=server['weight']%> check +<%- end -%> + diff --git a/puppet/modules/site_haproxy/templates/haproxy.cfg.erb b/puppet/modules/site_haproxy/templates/haproxy.cfg.erb new file mode 100644 index 00000000..8311b1a5 --- /dev/null +++ b/puppet/modules/site_haproxy/templates/haproxy.cfg.erb @@ -0,0 +1,11 @@ +<%- @haproxy.each do |frontend, options| -%> +<%- if options['servers'] -%> + +## +## <%= frontend %> +## + +<%= scope.function_templatewlv(["site_haproxy/#{frontend}.erb", options]) %> +<%- end -%> +<%- end -%> + diff --git a/puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb deleted file mode 100644 index 1fa01b96..00000000 --- a/puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb +++ /dev/null 
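Review bot: `use_backend couch_write if METH_POST` routes only POST requests to the writable backend, but CouchDB creates and updates documents and databases with PUT, deletes with DELETE and duplicates with COPY, so those writes fall through to `default_backend couch_read`, which also contains the non-writable mirrors and will fail or reject them there. Declare an ACL covering every write method, `acl is_write method POST PUT DELETE COPY` and `use_backend couch_write if is_write`, and say so in a comment next to it. A short comment above `backend couch_read` noting that it deliberately includes the writable servers as well (the loop has no `next unless`) would make the asymmetry between the two loops clearly intentional.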
@@ -1,23 +0,0 @@ - -listen bigcouch-in - mode http - balance roundrobin - option httplog - option dontlognull - option httpchk GET / # health check using simple get to root - option http-server-close # use client keep-alive, but close server connection. - option allbackups # balance among all backups, not just one. - - bind localhost:4096 - - default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 - -<%- if @haproxy['servers'] -%> -<%- @haproxy['servers'].sort.each do |name,server| -%> -<%- backup = server['backup'] ? 'backup' : '' -%> - # <%=name%> - server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check - -<%- end -%> -<%- end -%> - -- cgit v1.2.3 From 5075fdeee3c8b70d39a2f6105d8e1e33c6843eb4 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 23 Jun 2014 21:49:38 +0200 Subject: minor: fix typo in replication user roles --- puppet/modules/site_couchdb/manifests/add_users.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index 0585da27..2f734ed4 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -57,7 +57,7 @@ class site_couchdb::add_users { ## replication couchdb user ## read/write: all databases for replication couchdb::add_user { $site_couchdb::couchdb_replication_user: - roles => '["repliction"]', + roles => '["replication"]', pw => $site_couchdb::couchdb_replication_pw, salt => $site_couchdb::couchdb_replication_salt, require => Couchdb::Query::Setup['localhost'] -- cgit v1.2.3 From 813f840cceb284c38dcedea1577d125e62e280f0 Mon Sep 17 00:00:00 2001 
From: Azul Date: Mon, 23 Jun 2014 21:50:50 +0200 Subject: hand replication credentials to tapicero --- puppet/modules/tapicero/manifests/init.pp | 3 ++- puppet/modules/tapicero/templates/tapicero.yaml.erb | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp index 1db75eb0..fd8c1344 100644 --- a/puppet/modules/tapicero/manifests/init.pp +++ b/puppet/modules/tapicero/manifests/init.pp @@ -12,7 +12,8 @@ class tapicero { $couchdb_soledad_user = $couchdb_users['soledad']['username'] $couchdb_leap_mx_user = $couchdb_users['leap_mx']['username'] - $couchdb_mirror = $couchdb['mode'] == 'mirror' + $couchdb_mode = $couchdb['mode'] + $couchdb_replication = $couchdb['replication'] Class['site_config::default'] -> Class['tapicero'] diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb index 3a5f821e..182a6aa6 100644 --- a/puppet/modules/tapicero/templates/tapicero.yaml.erb +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb @@ -24,7 +24,8 @@ log_level: info options: # prefix for per user databases: db_prefix: "user-" - mirror: <%= @couchdb_mirror %> + mode: <%= @couchdb_mode %> + replication: <%= @couchdb_replication %> # security settings to be used for the per user databases security: -- cgit v1.2.3 From 7778b20479d4d6789948dc24904ef9302980d983 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 23 Jun 2014 22:04:59 +0200 Subject: create netrc files for all users with new puppet_couchdb This only works with the latest patch to puppet_couchdb --- puppet/modules/site_couchdb/manifests/mirror.pp | 2 -- puppet/modules/site_couchdb/manifests/setup.pp | 11 +++++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/mirror.pp b/puppet/modules/site_couchdb/manifests/mirror.pp index 2a44b1e9..abe35c4c 100644 
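Review bot: `replication: <%= @couchdb_replication %>` interpolates a Puppet hash with Ruby's `to_s`, which depending on the Ruby version yields either inspect-style `{"masters"=>{...}}` or the keys and values run together — neither is the YAML mapping tapicero presumably expects. Serialize it explicitly, `replication: <%= @couchdb_replication.to_json %>`, which is the convention `config.yml.erb` in this series already uses for `service_levels`. `mode: <%= @couchdb_mode %>` is fine as a plain scalar.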
--- a/puppet/modules/site_couchdb/manifests/mirror.pp +++ b/puppet/modules/site_couchdb/manifests/mirror.pp @@ -9,8 +9,6 @@ class site_couchdb::mirror { chttpd_bind_address => '127.0.0.1' } - # Couchdb databases - $masters = $site_couchdb::couchdb_config['replication']['masters'] $master_node_names = keys($site_couchdb::couchdb_config['replication']['masters']) $master_node = $masters[$master_node_names[0]] diff --git a/puppet/modules/site_couchdb/manifests/setup.pp b/puppet/modules/site_couchdb/manifests/setup.pp index e398356b..69bd1c6a 100644 --- a/puppet/modules/site_couchdb/manifests/setup.pp +++ b/puppet/modules/site_couchdb/manifests/setup.pp @@ -10,11 +10,18 @@ class site_couchdb::setup { ensure => absent } - # /etc/couchdb/couchdb.netrc is deployed by couchdb::query::setup + $user = $site_couchdb::couchdb_admin_user + + # /etc/couchdb/couchdb-admin.netrc is deployed by couchdb::query::setup + # we symlink to couchdb.netrc for puppet commands. # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) # and makes life easier for the admin (i.e. using curl/wget without # passing credentials) file { + '/etc/couchdb/couchdb.netrc': + ensure => link, + target => "/etc/couchdb/couchdb-${user}.netrc"; + '/root/.netrc': ensure => link, target => '/etc/couchdb/couchdb.netrc'; @@ -24,7 +31,7 @@ class site_couchdb::setup { } couchdb::query::setup { 'localhost': - user => $site_couchdb::couchdb_admin_user, + user => $user, pw => $site_couchdb::couchdb_admin_pw, } -- cgit v1.2.3 From 3a5a235a975ae25ced89b60c247b6d1d20174e8b Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 25 Jun 2014 18:07:28 -0700 Subject: update couchdb submodule --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index c8f5443e..8bc5ed43 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb 
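Review bot: `$user = $site_couchdb::couchdb_admin_user` is interpolated into the link target `"/etc/couchdb/couchdb-${user}.netrc"` without validation, so a username containing `/` or `..` would point the credentials link outside `/etc/couchdb`; guard it with `validate_re($user, '^[A-Za-z0-9_.-]+$')` (stdlib is already in use via `keys()`), or document the constraint where `$user` is assigned. The comment block now mixes three overlapping sentences; I would replace it with one that states the chain: couchdb::query::setup deploys `/etc/couchdb/couchdb-<admin>.netrc`, `couchdb.netrc` links to it for puppet commands, and `/root/.netrc` links to that for couchdb_scripts and ad-hoc curl/wget by the admin. The class body starts before this hunk.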
@@ -1 +1 @@ -Subproject commit c8f5443e0998d3d3d43505ff5a6fdf8c438d6c24 +Subproject commit 8bc5ed434c124457b7467140152602c67a9547c5 -- cgit v1.2.3 From d6eabb09f978f1501b8b797d28e949a2e00ac82e Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 25 Jun 2014 23:10:29 -0700 Subject: lint site_couchdb --- puppet/modules/site_couchdb/manifests/init.pp | 80 +++++++++++++-------------- 1 file changed, 40 insertions(+), 40 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 6f7e974e..5a4fb936 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -1,46 +1,46 @@ class site_couchdb { tag 'leap_service' - $couchdb_config = hiera('couch') - $couchdb_users = $couchdb_config['users'] - - $couchdb_admin = $couchdb_users['admin'] - $couchdb_admin_user = $couchdb_admin['username'] - $couchdb_admin_pw = $couchdb_admin['password'] - $couchdb_admin_salt = $couchdb_admin['salt'] - - $couchdb_leap_mx = $couchdb_users['leap_mx'] - $couchdb_leap_mx_user = $couchdb_leap_mx['username'] - $couchdb_leap_mx_pw = $couchdb_leap_mx['password'] - $couchdb_leap_mx_salt = $couchdb_leap_mx['salt'] - - $couchdb_nickserver = $couchdb_users['nickserver'] - $couchdb_nickserver_user = $couchdb_nickserver['username'] - $couchdb_nickserver_pw = $couchdb_nickserver['password'] - $couchdb_nickserver_salt = $couchdb_nickserver['salt'] - - $couchdb_soledad = $couchdb_users['soledad'] - $couchdb_soledad_user = $couchdb_soledad['username'] - $couchdb_soledad_pw = $couchdb_soledad['password'] - $couchdb_soledad_salt = $couchdb_soledad['salt'] - - $couchdb_tapicero = $couchdb_users['tapicero'] - $couchdb_tapicero_user = $couchdb_tapicero['username'] - $couchdb_tapicero_pw = $couchdb_tapicero['password'] - $couchdb_tapicero_salt = $couchdb_tapicero['salt'] - - $couchdb_webapp = $couchdb_users['webapp'] - $couchdb_webapp_user = $couchdb_webapp['username'] - $couchdb_webapp_pw = $couchdb_webapp['password'] - $couchdb_webapp_salt = $couchdb_webapp['salt'] - - $couchdb_replication = $couchdb_users['replication'] - $couchdb_replication_user= $couchdb_replication['username'] - $couchdb_replication_pw = $couchdb_replication['password'] - $couchdb_replication_salt= $couchdb_replication['salt'] - - $couchdb_backup = $couchdb_config['backup'] - $couchdb_mode = $couchdb_config['mode'] + $couchdb_config = hiera('couch') + $couchdb_users = $couchdb_config['users'] + + $couchdb_admin = $couchdb_users['admin'] + $couchdb_admin_user = $couchdb_admin['username'] + $couchdb_admin_pw = $couchdb_admin['password'] + $couchdb_admin_salt = $couchdb_admin['salt'] + + 
$couchdb_leap_mx = $couchdb_users['leap_mx'] + $couchdb_leap_mx_user = $couchdb_leap_mx['username'] + $couchdb_leap_mx_pw = $couchdb_leap_mx['password'] + $couchdb_leap_mx_salt = $couchdb_leap_mx['salt'] + + $couchdb_nickserver = $couchdb_users['nickserver'] + $couchdb_nickserver_user = $couchdb_nickserver['username'] + $couchdb_nickserver_pw = $couchdb_nickserver['password'] + $couchdb_nickserver_salt = $couchdb_nickserver['salt'] + + $couchdb_soledad = $couchdb_users['soledad'] + $couchdb_soledad_user = $couchdb_soledad['username'] + $couchdb_soledad_pw = $couchdb_soledad['password'] + $couchdb_soledad_salt = $couchdb_soledad['salt'] + + $couchdb_tapicero = $couchdb_users['tapicero'] + $couchdb_tapicero_user = $couchdb_tapicero['username'] + $couchdb_tapicero_pw = $couchdb_tapicero['password'] + $couchdb_tapicero_salt = $couchdb_tapicero['salt'] + + $couchdb_webapp = $couchdb_users['webapp'] + $couchdb_webapp_user = $couchdb_webapp['username'] + $couchdb_webapp_pw = $couchdb_webapp['password'] + $couchdb_webapp_salt = $couchdb_webapp['salt'] + + $couchdb_replication = $couchdb_users['replication'] + $couchdb_replication_user = $couchdb_replication['username'] + $couchdb_replication_pw = $couchdb_replication['password'] + $couchdb_replication_salt = $couchdb_replication['salt'] + + $couchdb_backup = $couchdb_config['backup'] + $couchdb_mode = $couchdb_config['mode'] if $couchdb_mode == "multimaster" { include site_couchdb::bigcouch } if $couchdb_mode == "master" { include site_couchdb::master } -- cgit v1.2.3 From 89669fbc6d43590f73055c00ee0bb415d5c8eb3e Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 26 Jun 2014 15:14:46 +0200 Subject: reorder /etc/hosts now "hostname -f" results in the correct hostname. Fixes #5835 --- puppet/modules/site_config/manifests/hosts.pp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 6982d37b..e43ad45e 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -10,10 +10,9 @@ class site_config::hosts() { } else { $dns_aliases = $dns['aliases'] } - $my_hostnames = unique(sort(concat( - [$hostname, $domain_hash['full'], $domain_hash['internal']], - $dns_aliases - ))) + $my_hostnames = unique(concat( + $dns_aliases, [$hostname, $domain_hash['full'], $domain_hash['internal']] + )) file { '/etc/hostname': ensure => present, -- cgit v1.2.3 From 54fcafe131c411a49e4277cd0d14c6ea20044203 Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 20 May 2014 23:20:58 +0300 Subject: Initial commit for obfsproxy server feature in platform --- puppet/modules/obfsproxy/files/obfsproxy_daemon | 99 ++++++++++++++++++++++ puppet/modules/obfsproxy/manifests/init.pp | 64 ++++++++++++++ puppet/modules/obfsproxy/templates/etc_conf.erb | 11 +++ .../site_apt/manifests/preferences/obfsproxy.pp | 9 ++ puppet/modules/site_obfsproxy/README | 0 puppet/modules/site_obfsproxy/manifests/init.pp | 28 ++++++ 6 files changed, 211 insertions(+) create mode 100755 puppet/modules/obfsproxy/files/obfsproxy_daemon create mode 100644 puppet/modules/obfsproxy/manifests/init.pp create mode 100644 puppet/modules/obfsproxy/templates/etc_conf.erb create mode 100644 puppet/modules/site_apt/manifests/preferences/obfsproxy.pp create mode 100644 puppet/modules/site_obfsproxy/README create mode 100644 puppet/modules/site_obfsproxy/manifests/init.pp (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/files/obfsproxy_daemon b/puppet/modules/obfsproxy/files/obfsproxy_daemon new file mode 100755 index 00000000..f5914980 --- /dev/null +++ b/puppet/modules/obfsproxy/files/obfsproxy_daemon 
@@ -0,0 +1,99 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: obfsproxy daemon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: obfsproxy daemon +# Description: obfsproxy daemon +### END INIT INFO + +. /lib/lsb/init-functions + +DAEMON=/usr/bin/obfsproxy +NAME=obfsproxy +DESC="obfsproxy daemon" +USER=obfsproxy +PIDFILE=/var/run/obfsproxy.pid +CONF=/etc/obfsproxy.conf + +# If the daemon is not there, then exit. +test -x $DAEMON || exit 0 + +if [ -f $CONF ] ; then + . $CONF +else + echo "Obfsproxy configuration file is missing, aborting..." + exit +fi + +DAEMONARGS=" --log-min-severity=$LOG $TRANSPORT $PARAM \ + --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" + +start_obfsproxy() { + start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ + -b -c $USER --startas $DAEMON --$DAEMONARGS +} + +stop_obfsproxy() { + start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE +} + +status_obfsproxy() { + status_of_proc -p $PIDFILE $DAEMON $NAME && status="0" || status="$?" +} + +case $1 in + start) + if [ -e $PIDFILE ]; then + status_obfsproxy + if [ $status = "0" ]; then + exit + fi + fi + log_begin_msg "Starting $DESC" + start_obfsproxy + log_end_msg $? + ;; + stop) + if [ -e $PIDFILE ]; then + status_obfsproxy + if [ $status = "0" ]; then + log_begin_msg "Stopping $DESC" + stop_obfsproxy + rm -f $PIDFILE + log_end_msg $? + fi + else + log_daemon_msg "$NAME is not running" + log_end_msg $? + fi + ;; + restart) + $0 stop && sleep 2 && $0 start + ;; + status) +# if [ -e $PIDFILE ]; then +# #status_of_proc -p $PIDFILE $DAEMON "$NAME " && exit 0 || exit $? 
+# status_obfsproxy +# else +# log_daemon_msg "$NAME is not running" +# log_end_msg 0 +# fi + status_obfsproxy + ;; + reload) + if [ -e $PIDFILE ]; then + start-stop-daemon --stop --signal USR1 --quiet --pidfile $PIDFILE --name $NAME + log_success_msg "$DESC reloaded successfully" + else + log_failure_msg "$PIDFILE does not exists" + fi + ;; + *) + echo "Usage: $0 {start|stop|restart|reload|status}" + exit 2 + ;; +esac diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp new file mode 100644 index 00000000..4deebb62 --- /dev/null +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -0,0 +1,64 @@ +class obfsproxy ( + $transport, + $port, + $param, + $dest_ip, + $dest_port +){ + + user { obfsproxy: + ensure => present, + system => true, + gid => obfsproxy, + } + + group { obfsproxy: + ensure => present, + system => true, + } + +# file { '/etc/default/obfsproxy': +# path => '/etc/default/obfsproxy', +# owner => 'root', +# group => 'root', +# mode => '0750', +# content => template('obfsproxy/etc_default_conf.erb'), +# } + + file { '/etc/init.d/obfsproxy': + path => '/etc/init.d/obfsproxy', + ensure => present, + source => 'puppet:///modules/obfsproxy/obfsproxy_daemon', + owner => 'root', + group => 'root', + mode => '0755', + require => File['/etc/obfsproxy.conf'], + subscribe => File['/etc/obfsproxy.conf'], + #content => template('obfsproxy/etc_init_d.erb'), + } + + file { '/etc/obfsproxy.conf': + path => '/etc/obfsproxy.conf', + ensure => present, + owner => 'root', + group => 'root', + mode => '0750', + content => template('obfsproxy/etc_conf.erb'), + } + + package { "obfsproxy": + ensure => present, + } + + service { "obfsproxy": + ensure => running, + status => '/usr/sbin/service obfsproxy status + | grep "is running"', + require => [ + Package["obfsproxy"], + File["/etc/init.d/obfsproxy"] ] + } + + +} + 
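Review bot: `DAEMONARGS` places `$PARAM` on the obfsproxy command line, and for the scramblesuit transport the template in this same commit sets `PARAM=--password=<secret>`, so the shared secret ends up in `/proc/<pid>/cmdline` and in `ps` output for every local user, which defeats the root-only mode on the config file. If the packaged obfsproxy supports scramblesuit's `--password-file` option, pass the secret through a file readable only by the `obfsproxy` user instead; if not, that exposure should at least be documented in the init script next to `DAEMONARGS`. Separately, `--startas $DAEMON --$DAEMONARGS` only works because `DAEMONARGS` begins with a space, so word splitting yields `--` followed by the arguments; write it as `-- $DAEMONARGS` so the intent is explicit rather than accidental.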
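Review bot: The `obfsproxy` system user is created with neither `shell` nor `home`, so it receives the provider's default login shell (`/bin/sh` from Debian's useradd unless `/etc/default/useradd` overrides it); an account that only ever runs under `start-stop-daemon -c` should get `shell => '/usr/sbin/nologin'` so it cannot be used interactively if its password or a key ever lands somewhere. Also consider a short comment above the `file { '/etc/obfsproxy.conf' ... }` resource noting that the file holds the scramblesuit password and is read by the init script as root, so its mode matters.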
diff --git a/puppet/modules/obfsproxy/templates/etc_conf.erb b/puppet/modules/obfsproxy/templates/etc_conf.erb
new file mode 100644
index 00000000..3313b326
--- /dev/null
+++ b/puppet/modules/obfsproxy/templates/etc_conf.erb
@@ -0,0 +1,11 @@
+TRANSPORT=<%= @transport %>
+PORT=<%= @port %>
+DEST_IP=<%= @dest_ip %>
+DEST_PORT=<%= @dest_port %>
+<% if @transport == "scramblesuit" %>
+PARAM=--password=<%= @param %>
+<% else %>
+PARAM=<%= @param %>
+<% end %>
+LOG=info
+
diff --git a/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp b/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp
new file mode 100644
index 00000000..081086e5
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp
@@ -0,0 +1,9 @@
+class site_apt::preferences::obfsproxy {
+
+ apt::preferences_snippet { 'obfsproxy':
+ package => 'obfsproxy',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999;
+ }
+
+}
diff --git a/puppet/modules/site_obfsproxy/README b/puppet/modules/site_obfsproxy/README
new file mode 100644
index 00000000..e69de29b
diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp
new file mode 100644
index 00000000..23a8dd30
--- /dev/null
+++ b/puppet/modules/site_obfsproxy/manifests/init.pp
@@ -0,0 +1,28 @@
+class site_obfsproxy {
+ tag 'leap_service'
+ Class['site_config::default'] -> Class['site_obfsproxy']
+
+ $transport = 'scramblesuit'
+
+ $obfsproxy = hiera('obfsproxy')
+ $scramblesuit = $obfsproxy['scramblesuit']
+ $scram_pass = $scramblesuit['password']
+ $scram_port = $scramblesuit['port']
+ $dest_ip = $obfsproxy['gateway_address']
+ $dest_port = '443'
+
+ include site_apt::preferences::twisted
+ include site_apt::preferences::obfsproxy
+
+ class { 'obfsproxy':
+ transport => $transport,
+ port => $scram_port,
+ param => $scram_pass,
+ dest_ip => $dest_ip,
+ dest_port => $dest_port,
+ }
+
+}
+
+
+
-- cgit v1.2.3
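Review bot: Every assignment this template emits is unquoted, and the resulting file is sourced by `/bin/sh` as root from the init script, so a `@param` (or any other hiera value) containing whitespace, `#`, `;`, `$` or quotes is either truncated or executed as shell code before privileges are dropped. Quote the values, e.g. `PARAM='--password=<%= @param %>'` and `TRANSPORT='<%= @transport %>'`, and note in a template comment that a single quote inside a value is not supported. The values come from the operator's own hiera data, so this is robustness rather than an untrusted-input hole, but running in a root context is what makes it worth fixing.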
From 156c2e1194c65d2f7813b946ac8baa90ffdf1f39 Mon Sep 17 00:00:00 2001 From: irregulator Date: Wed, 21 May 2014 20:42:46 +0300 Subject: Make shorewall accept incoming traffic for obfsproxy server --- puppet/modules/site_obfsproxy/manifests/init.pp | 2 ++ .../modules/site_shorewall/manifests/obfsproxy.pp | 24 ++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/obfsproxy.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp index 23a8dd30..276b30db 100644 --- a/puppet/modules/site_obfsproxy/manifests/init.pp +++ b/puppet/modules/site_obfsproxy/manifests/init.pp @@ -22,6 +22,8 @@ class site_obfsproxy { dest_port => $dest_port, } + include site_shorewall::obfsproxy + } diff --git a/puppet/modules/site_shorewall/manifests/obfsproxy.pp b/puppet/modules/site_shorewall/manifests/obfsproxy.pp new file mode 100644 index 00000000..68fb9b9f --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/obfsproxy.pp @@ -0,0 +1,24 @@ +class site_shorewall::obfsproxy { + + include site_shorewall::defaults + + $obfsproxy = hiera('obfsproxy') + $scramblesuit = $obfsproxy['scramblesuit'] + $scram_port = $scramblesuit['port'] + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_obfsproxy': + content => "PARAM - - tcp $scram_port ", + notify => Service['shorewall'], + require => Package['shorewall'] + } + + shorewall::rule { + 'net2fw-obfs': + source => 'net', + destination => '$FW', + action => 'leap_obfsproxy(ACCEPT)', + order => 200; + } + +} -- cgit v1.2.3 From 94e0791cff9a3ce47e66c56a921e41b83b52b3d9 Mon Sep 17 00:00:00 2001 
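Review bot: `$scram_port` is interpolated straight from hiera into the shorewall macro `"PARAM - - tcp $scram_port "` and so into a `net` to `$FW` ACCEPT rule, with no check that it is a single numeric port; a value such as `"443,22"` or an empty string either opens more than intended or fails the shorewall compile and leaves the firewall in its previous state. stdlib functions are already in use elsewhere in this tree (`keys`, `unique`, `concat` appear in other hunks on this page), so add `validate_re("${scram_port}", '^[0-9]+$', 'obfsproxy scramblesuit port must be numeric')` before the file resource. The hiera lookup is also duplicated from site_obfsproxy; if include order permits, reading `$site_obfsproxy::scram_port` would keep the listener and the firewall rule from drifting apart.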
From: irregulator Date: Wed, 21 May 2014 21:52:14 +0300 Subject: Add data directory to save scramblesuit's state. Also clean up a little the obfsproxy puppet class, create appropriate directories, restrict permissions. --- puppet/modules/obfsproxy/files/obfsproxy_daemon | 7 +++--- puppet/modules/obfsproxy/manifests/init.pp | 30 ++++++++++++++++--------- 2 files changed, 24 insertions(+), 13 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/files/obfsproxy_daemon b/puppet/modules/obfsproxy/files/obfsproxy_daemon index f5914980..4c9bcedc 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_daemon +++ b/puppet/modules/obfsproxy/files/obfsproxy_daemon @@ -16,8 +16,9 @@ DAEMON=/usr/bin/obfsproxy NAME=obfsproxy DESC="obfsproxy daemon" USER=obfsproxy +DATDIR=/etc/obfsproxy PIDFILE=/var/run/obfsproxy.pid -CONF=/etc/obfsproxy.conf +CONF=$DATDIR/obfsproxy.conf # If the daemon is not there, then exit. test -x $DAEMON || exit 0 @@ -29,8 +30,8 @@ else exit fi -DAEMONARGS=" --log-min-severity=$LOG $TRANSPORT $PARAM \ - --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" +DAEMONARGS=" --log-min-severity=$LOG --data-dir=$DATDIR $TRANSPORT \ + $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" start_obfsproxy() { start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 4deebb62..c15a0dc8 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -6,13 +6,16 @@ class obfsproxy ( $dest_port ){ - user { obfsproxy: + $user = 'obfsproxy' + $conf = '/etc/obfsproxy/obfsproxy.conf' + + user { $user: ensure => present, system => true, - gid => obfsproxy, + gid => $user, } - group { obfsproxy: + group { $user: ensure => present, system => true, } 
@@ -31,19 +34,26 @@ class obfsproxy ( source => 'puppet:///modules/obfsproxy/obfsproxy_daemon', owner => 'root', group => 'root', - mode => '0755', - require => File['/etc/obfsproxy.conf'], - subscribe => File['/etc/obfsproxy.conf'], - #content => template('obfsproxy/etc_init_d.erb'), + mode => '0750', + require => File[$conf], + subscribe => File[$conf], } - file { '/etc/obfsproxy.conf': - path => '/etc/obfsproxy.conf', + file { $conf : + path => $conf, ensure => present, owner => 'root', group => 'root', - mode => '0750', + mode => '0600', content => template('obfsproxy/etc_conf.erb'), + require => File['/etc/obfsproxy'], + } + + file { '/etc/obfsproxy': + ensure => directory, + owner => $user, + group => $user, + mode => '0700', } package { "obfsproxy": -- cgit v1.2.3 From 7c9dd9ee9653c854badaf4f1d21d7dd833e3e620 Mon Sep 17 00:00:00 2001 From: irregulator Date: Thu, 22 May 2014 20:44:51 +0300 Subject: Move obfsproxy_daemon to obfsproxy_init --- puppet/modules/obfsproxy/files/obfsproxy_daemon | 100 ------------------------ puppet/modules/obfsproxy/files/obfsproxy_init | 100 ++++++++++++++++++++++++ puppet/modules/obfsproxy/manifests/init.pp | 2 +- 3 files changed, 101 insertions(+), 101 deletions(-) delete mode 100755 puppet/modules/obfsproxy/files/obfsproxy_daemon create mode 100755 puppet/modules/obfsproxy/files/obfsproxy_init (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/files/obfsproxy_daemon b/puppet/modules/obfsproxy/files/obfsproxy_daemon deleted file mode 100755 index 4c9bcedc..00000000 --- a/puppet/modules/obfsproxy/files/obfsproxy_daemon +++ /dev/null 
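Review bot: `/etc/obfsproxy` is now owned by the unprivileged `obfsproxy` user with mode 0700, and the root-owned `obfsproxy.conf` (0600) sits inside it; owning the directory lets the daemon unlink or rename that file and drop in its own `obfsproxy.conf`, and the init script sources that file as root before `start-stop-daemon -c $USER` drops privileges, so a compromised obfsproxy process gains root at the next start or restart. Keep the configuration directory root-owned and give the daemon a separate writable state directory, then point `DATDIR`/`--data-dir` in the init script at that directory (e.g. `DATDIR=/var/lib/obfsproxy` with `CONF=/etc/obfsproxy/obfsproxy.conf`), so the only path the daemon owns holds nothing that runs as root. The `file { $conf ... }` resource can then drop its explicit `require`, since Puppet autorequires the parent directory.

```puppet
  file { '/etc/obfsproxy':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # scramblesuit state; the only directory the daemon user may write to
  file { '/var/lib/obfsproxy':
    ensure => directory,
    owner  => $user,
    group  => $user,
    mode   => '0700',
  }
  # ... unchanged: package and service resources ...
```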
@@ -1,100 +0,0 @@ -#!/bin/sh - -### BEGIN INIT INFO -# Provides: obfsproxy daemon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: obfsproxy daemon -# Description: obfsproxy daemon -### END INIT INFO - -. /lib/lsb/init-functions - -DAEMON=/usr/bin/obfsproxy -NAME=obfsproxy -DESC="obfsproxy daemon" -USER=obfsproxy -DATDIR=/etc/obfsproxy -PIDFILE=/var/run/obfsproxy.pid -CONF=$DATDIR/obfsproxy.conf - -# If the daemon is not there, then exit. -test -x $DAEMON || exit 0 - -if [ -f $CONF ] ; then - . $CONF -else - echo "Obfsproxy configuration file is missing, aborting..." - exit -fi - -DAEMONARGS=" --log-min-severity=$LOG --data-dir=$DATDIR $TRANSPORT \ - $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" - -start_obfsproxy() { - start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ - -b -c $USER --startas $DAEMON --$DAEMONARGS -} - -stop_obfsproxy() { - start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE -} - -status_obfsproxy() { - status_of_proc -p $PIDFILE $DAEMON $NAME && status="0" || status="$?" -} - -case $1 in - start) - if [ -e $PIDFILE ]; then - status_obfsproxy - if [ $status = "0" ]; then - exit - fi - fi - log_begin_msg "Starting $DESC" - start_obfsproxy - log_end_msg $? - ;; - stop) - if [ -e $PIDFILE ]; then - status_obfsproxy - if [ $status = "0" ]; then - log_begin_msg "Stopping $DESC" - stop_obfsproxy - rm -f $PIDFILE - log_end_msg $? - fi - else - log_daemon_msg "$NAME is not running" - log_end_msg $? - fi - ;; - restart) - $0 stop && sleep 2 && $0 start - ;; - status) -# if [ -e $PIDFILE ]; then -# #status_of_proc -p $PIDFILE $DAEMON "$NAME " && exit 0 || exit $? 
-# status_obfsproxy -# else -# log_daemon_msg "$NAME is not running" -# log_end_msg 0 -# fi - status_obfsproxy - ;; - reload) - if [ -e $PIDFILE ]; then - start-stop-daemon --stop --signal USR1 --quiet --pidfile $PIDFILE --name $NAME - log_success_msg "$DESC reloaded successfully" - else - log_failure_msg "$PIDFILE does not exists" - fi - ;; - *) - echo "Usage: $0 {start|stop|restart|reload|status}" - exit 2 - ;; -esac diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init new file mode 100755 index 00000000..4c9bcedc --- /dev/null +++ b/puppet/modules/obfsproxy/files/obfsproxy_init 
@@ -0,0 +1,100 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: obfsproxy daemon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: obfsproxy daemon +# Description: obfsproxy daemon +### END INIT INFO + +. /lib/lsb/init-functions + +DAEMON=/usr/bin/obfsproxy +NAME=obfsproxy +DESC="obfsproxy daemon" +USER=obfsproxy +DATDIR=/etc/obfsproxy +PIDFILE=/var/run/obfsproxy.pid +CONF=$DATDIR/obfsproxy.conf + +# If the daemon is not there, then exit. +test -x $DAEMON || exit 0 + +if [ -f $CONF ] ; then + . $CONF +else + echo "Obfsproxy configuration file is missing, aborting..." + exit +fi + +DAEMONARGS=" --log-min-severity=$LOG --data-dir=$DATDIR $TRANSPORT \ + $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" + +start_obfsproxy() { + start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ + -b -c $USER --startas $DAEMON --$DAEMONARGS +} + +stop_obfsproxy() { + start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE +} + +status_obfsproxy() { + status_of_proc -p $PIDFILE $DAEMON $NAME && status="0" || status="$?" +} + +case $1 in + start) + if [ -e $PIDFILE ]; then + status_obfsproxy + if [ $status = "0" ]; then + exit + fi + fi + log_begin_msg "Starting $DESC" + start_obfsproxy + log_end_msg $? + ;; + stop) + if [ -e $PIDFILE ]; then + status_obfsproxy + if [ $status = "0" ]; then + log_begin_msg "Stopping $DESC" + stop_obfsproxy + rm -f $PIDFILE + log_end_msg $? + fi + else + log_daemon_msg "$NAME is not running" + log_end_msg $? + fi + ;; + restart) + $0 stop && sleep 2 && $0 start + ;; + status) +# if [ -e $PIDFILE ]; then +# #status_of_proc -p $PIDFILE $DAEMON "$NAME " && exit 0 || exit $? 
+# status_obfsproxy +# else +# log_daemon_msg "$NAME is not running" +# log_end_msg 0 +# fi + status_obfsproxy + ;; + reload) + if [ -e $PIDFILE ]; then + start-stop-daemon --stop --signal USR1 --quiet --pidfile $PIDFILE --name $NAME + log_success_msg "$DESC reloaded successfully" + else + log_failure_msg "$PIDFILE does not exists" + fi + ;; + *) + echo "Usage: $0 {start|stop|restart|reload|status}" + exit 2 + ;; +esac diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index c15a0dc8..e62bfcd8 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -31,7 +31,7 @@ class obfsproxy ( file { '/etc/init.d/obfsproxy': path => '/etc/init.d/obfsproxy', ensure => present, - source => 'puppet:///modules/obfsproxy/obfsproxy_daemon', + source => 'puppet:///modules/obfsproxy/obfsproxy_init', owner => 'root', group => 'root', mode => '0750', -- cgit v1.2.3 From f8694b037dfd22382dc2abd8afefd947d3531974 Mon Sep 17 00:00:00 2001 From: irregulator Date: Thu, 22 May 2014 20:46:06 +0300 Subject: Change exit status code if config file is missing --- puppet/modules/obfsproxy/files/obfsproxy_init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 4c9bcedc..2496bba7 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -27,7 +27,7 @@ if [ -f $CONF ] ; then . $CONF else echo "Obfsproxy configuration file is missing, aborting..." - exit + exit 2 fi DAEMONARGS=" --log-min-severity=$LOG --data-dir=$DATDIR $TRANSPORT \ -- cgit v1.2.3 From f4b56483c6e80774f746cd1fbf7d92573dd0f51d Mon Sep 17 00:00:00 2001 
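Review bot: `exit 2` for a missing configuration file is not the code the LSB init-script spec assigns to that condition; it reserves 2 for "invalid or excess arguments" and 6 for "program is not configured", and `status_of_proc` in this script already follows the LSB codes, so use `exit 6` here. The message is also printed with a bare `echo` to stdout; `log_failure_msg "Obfsproxy configuration file is missing, aborting..."` from the already-sourced init-functions would render it consistently with the rest of the script.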
From: irregulator Date: Thu, 22 May 2014 20:47:23 +0300 Subject: Remove commented lines from init script status section --- puppet/modules/obfsproxy/files/obfsproxy_init | 7 ------- 1 file changed, 7 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 2496bba7..5223ec9d 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -76,13 +76,6 @@ case $1 in $0 stop && sleep 2 && $0 start ;; status) -# if [ -e $PIDFILE ]; then -# #status_of_proc -p $PIDFILE $DAEMON "$NAME " && exit 0 || exit $? -# status_obfsproxy -# else -# log_daemon_msg "$NAME is not running" -# log_end_msg 0 -# fi status_obfsproxy ;; reload) -- cgit v1.2.3 From ae75dccbb6a65ee22b6185dcd8c0fedd14e35d0f Mon Sep 17 00:00:00 2001 From: irregulator Date: Thu, 22 May 2014 20:49:12 +0300 Subject: Remove commented lines from obfsproxy puppet module class --- puppet/modules/obfsproxy/manifests/init.pp | 8 -------- 1 file changed, 8 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index e62bfcd8..d0212c64 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -20,14 +20,6 @@ class obfsproxy ( system => true, } -# file { '/etc/default/obfsproxy': -# path => '/etc/default/obfsproxy', -# owner => 'root', -# group => 'root', -# mode => '0750', -# content => template('obfsproxy/etc_default_conf.erb'), -# } - file { '/etc/init.d/obfsproxy': path => '/etc/init.d/obfsproxy', ensure => present, -- cgit v1.2.3 From 1a0161da0ff420d26732b492898ebf0074b2292c Mon Sep 17 00:00:00 2001 
From: irregulator Date: Thu, 22 May 2014 20:52:44 +0300 Subject: Line up equal signs, change double to single quotes --- puppet/modules/obfsproxy/manifests/init.pp | 8 ++++---- puppet/modules/site_obfsproxy/manifests/init.pp | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index d0212c64..456fe1a7 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -48,17 +48,17 @@ class obfsproxy ( mode => '0700', } - package { "obfsproxy": + package { 'obfsproxy': ensure => present, } - service { "obfsproxy": + service { 'obfsproxy': ensure => running, status => '/usr/sbin/service obfsproxy status | grep "is running"', require => [ - Package["obfsproxy"], - File["/etc/init.d/obfsproxy"] ] + Package['obfsproxy'], + File['/etc/init.d/obfsproxy'] ] } diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp index 276b30db..6509fec8 100644 --- a/puppet/modules/site_obfsproxy/manifests/init.pp +++ b/puppet/modules/site_obfsproxy/manifests/init.pp @@ -4,12 +4,12 @@ class site_obfsproxy { $transport = 'scramblesuit' - $obfsproxy = hiera('obfsproxy') + $obfsproxy = hiera('obfsproxy') $scramblesuit = $obfsproxy['scramblesuit'] - $scram_pass = $scramblesuit['password'] - $scram_port = $scramblesuit['port'] - $dest_ip = $obfsproxy['gateway_address'] - $dest_port = '443' + $scram_pass = $scramblesuit['password'] + $scram_port = $scramblesuit['port'] + $dest_ip = $obfsproxy['gateway_address'] + $dest_port = '443' include site_apt::preferences::twisted include site_apt::preferences::obfsproxy -- cgit v1.2.3 From 7a54923591125894440b9ff7020e4b413a1c6fb5 Mon Sep 17 00:00:00 2001 
From: irregulator Date: Fri, 23 May 2014 17:28:32 +0300 Subject: Address logging for obfsproxy daemon Create obfsproxy directory in /var/log, specify log file when obfsproxy is spawned by init script, create a logrotate configuration for obfsproxy's logs. --- puppet/modules/obfsproxy/files/obfsproxy_init | 5 +++-- puppet/modules/obfsproxy/files/obfsproxy_logrotate | 14 ++++++++++++++ puppet/modules/obfsproxy/manifests/init.pp | 16 ++++++++++++++++ 3 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/obfsproxy/files/obfsproxy_logrotate (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 5223ec9d..7a7e7609 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -19,6 +19,7 @@ USER=obfsproxy DATDIR=/etc/obfsproxy PIDFILE=/var/run/obfsproxy.pid CONF=$DATDIR/obfsproxy.conf +LOGFILE=/var/log/obfsproxy/log # If the daemon is not there, then exit. test -x $DAEMON || exit 0 @@ -30,8 +31,8 @@ else exit 2 fi -DAEMONARGS=" --log-min-severity=$LOG --data-dir=$DATDIR $TRANSPORT \ - $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" +DAEMONARGS=" --log-min-severity=$LOG --log-file=$LOGFILE --data-dir=$DATDIR \ + $TRANSPORT $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" start_obfsproxy() { start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ diff --git a/puppet/modules/obfsproxy/files/obfsproxy_logrotate b/puppet/modules/obfsproxy/files/obfsproxy_logrotate new file mode 100644 index 00000000..623bbab1 --- /dev/null +++ b/puppet/modules/obfsproxy/files/obfsproxy_logrotate @@ -0,0 +1,14 @@ +/var/log/obfsproxy/log { + weekly + missingok + rotate 10 + compress + delaycompress + notifempty + create 600 obfsproxy obfsproxy + postrotate + if [ -f /var/run/obfsproxy.pid ]; then + /etc/init.d/obfsproxy restart > /dev/null + fi + endscript +} 
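Review bot: The `postrotate` block in obfsproxy_logrotate restarts the daemon with `/etc/init.d/obfsproxy restart` on every rotation, and that action in the init script is a stop, `sleep 2`, start, so every active scramblesuit session is dropped each time logrotate runs. `copytruncate` would rotate without signalling the daemon at all; alternatively, if obfsproxy is known to reopen its log file on the `USR1` that the init script's `reload` action already sends (not something the script itself establishes), call `reload` instead of `restart`. Either way a one-line comment in the snippet should say why the chosen approach is safe for open client connections.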
diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 456fe1a7..9ba2d0fd 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -48,6 +48,22 @@ class obfsproxy ( mode => '0700', } + file { '/var/log/obfsproxy': + ensure => directory, + owner => $user, + group => $user, + mode => '0750', + } + + file { '/etc/logrotate.d/obfsproxy': + ensure => present, + source => 'puppet:///modules/obfsproxy/obfsproxy_logrotate', + owner => 'root', + group => 'root', + mode => '0644', + require => File['/var/log/obfsproxy'], + } + package { 'obfsproxy': ensure => present, } -- cgit v1.2.3 From fedbb6dccf7bd78b0b2a507a817dacaef0b67ac3 Mon Sep 17 00:00:00 2001 From: irregulator Date: Fri, 23 May 2014 17:45:13 +0300 Subject: Be able to specify log_level parameter for obfsproxy log_level sets minimum logging severity of obfsproxy daemon, can be error, warning, info, debug. Defaults to info. --- puppet/modules/obfsproxy/manifests/init.pp | 3 ++- puppet/modules/obfsproxy/templates/etc_conf.erb | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 9ba2d0fd..1ee44d6f 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -3,7 +3,8 @@ class obfsproxy ( $port, $param, $dest_ip, - $dest_port + $dest_port, + $log_level = 'info' ){ $user = 'obfsproxy' diff --git a/puppet/modules/obfsproxy/templates/etc_conf.erb b/puppet/modules/obfsproxy/templates/etc_conf.erb index 3313b326..d9938e1a 100644 --- a/puppet/modules/obfsproxy/templates/etc_conf.erb +++ b/puppet/modules/obfsproxy/templates/etc_conf.erb @@ -7,5 +7,5 @@ PARAM=--password=<%= @param %> <% else %> PARAM=<%= @param %> <% end %> -LOG=info +LOG=<%= @log_level %> -- cgit v1.2.3 From 49c4235477ab11118f8fc92a6f554b36121b36b2 Mon Sep 17 00:00:00 2001 
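Review bot: The new `$log_level` parameter is written unquoted into the sourced config as `LOG=<%= @log_level %>` and then onto the daemon command line as `--log-min-severity=$LOG`, with no validation; the commit message restricts it to error, warning, info or debug, so enforce that in the class with `validate_re($log_level, '^(error|warning|info|debug)$', 'obfsproxy log_level must be one of error, warning, info, debug')`. A parameter comment would also help: `# $log_level: minimum obfsproxy log severity (error|warning|info|debug); debug may record per-client connection detail, so keep it at info in production`, with the second clause hedged since the log content is not visible here.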
From: irregulator Date: Sat, 24 May 2014 16:39:29 +0300 Subject: Change logrotate's frequency and number of log files to keep --- puppet/modules/obfsproxy/files/obfsproxy_logrotate | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/files/obfsproxy_logrotate b/puppet/modules/obfsproxy/files/obfsproxy_logrotate index 623bbab1..e776fcd3 100644 --- a/puppet/modules/obfsproxy/files/obfsproxy_logrotate +++ b/puppet/modules/obfsproxy/files/obfsproxy_logrotate @@ -1,7 +1,7 @@ /var/log/obfsproxy/log { - weekly + daily missingok - rotate 10 + rotate 3 compress delaycompress notifempty -- cgit v1.2.3 From 4ad025d9d7b0c1999bf34e0acd3ca12c88358d05 Mon Sep 17 00:00:00 2001 From: irregulator Date: Sat, 24 May 2014 17:41:46 +0300 Subject: Simplify init script, let puppet service resource use init status --- puppet/modules/obfsproxy/files/obfsproxy_init | 9 ++++----- puppet/modules/obfsproxy/manifests/init.pp | 2 -- 2 files changed, 4 insertions(+), 7 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 7a7e7609..b1297738 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -44,14 +44,14 @@ stop_obfsproxy() { } status_obfsproxy() { - status_of_proc -p $PIDFILE $DAEMON $NAME && status="0" || status="$?" + status_of_proc -p $PIDFILE $DAEMON $NAME } case $1 in start) if [ -e $PIDFILE ]; then status_obfsproxy - if [ $status = "0" ]; then + if [ $? = "0" ]; then exit fi fi @@ -62,15 +62,14 @@ case $1 in stop) if [ -e $PIDFILE ]; then status_obfsproxy - if [ $status = "0" ]; then + if [ $? = "0" ]; then log_begin_msg "Stopping $DESC" stop_obfsproxy rm -f $PIDFILE log_end_msg $? fi else - log_daemon_msg "$NAME is not running" - log_end_msg $? + status_obfsproxy fi ;; restart) 
diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 1ee44d6f..b45a60a1 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -71,8 +71,6 @@ class obfsproxy ( service { 'obfsproxy': ensure => running, - status => '/usr/sbin/service obfsproxy status - | grep "is running"', require => [ Package['obfsproxy'], File['/etc/init.d/obfsproxy'] ] -- cgit v1.2.3 From 58347eddee416410e3ad3c8c4edc2b0e40a3d26c Mon Sep 17 00:00:00 2001 From: irregulator Date: Sat, 24 May 2014 18:08:31 +0300 Subject: Subscribe obfsproxy service resource to conf file --- puppet/modules/obfsproxy/manifests/init.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index b45a60a1..4a0221af 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -39,7 +39,6 @@ class obfsproxy ( group => 'root', mode => '0600', content => template('obfsproxy/etc_conf.erb'), - require => File['/etc/obfsproxy'], } file { '/etc/obfsproxy': @@ -70,8 +69,9 @@ class obfsproxy ( } service { 'obfsproxy': - ensure => running, - require => [ + ensure => running, + subscribe => File[$conf], + require => [ Package['obfsproxy'], File['/etc/init.d/obfsproxy'] ] } -- cgit v1.2.3 From db9290a2b1b406e8231c0df569ae47c0a74ec12a Mon Sep 17 00:00:00 2001 From: irregulator Date: Sat, 24 May 2014 19:26:05 +0300 Subject: Move log files to var/log instead of var/log/obfsproxy --- puppet/modules/obfsproxy/files/obfsproxy_init | 2 +- puppet/modules/obfsproxy/files/obfsproxy_logrotate | 2 +- puppet/modules/obfsproxy/manifests/init.pp | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) (limited to 'puppet/modules') 
diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index b1297738..629fea9f 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -19,7 +19,7 @@ USER=obfsproxy DATDIR=/etc/obfsproxy PIDFILE=/var/run/obfsproxy.pid CONF=$DATDIR/obfsproxy.conf -LOGFILE=/var/log/obfsproxy/log +LOGFILE=/var/log/obfsproxy.log # If the daemon is not there, then exit. test -x $DAEMON || exit 0 diff --git a/puppet/modules/obfsproxy/files/obfsproxy_logrotate b/puppet/modules/obfsproxy/files/obfsproxy_logrotate index e776fcd3..e5679d0c 100644 --- a/puppet/modules/obfsproxy/files/obfsproxy_logrotate +++ b/puppet/modules/obfsproxy/files/obfsproxy_logrotate @@ -1,4 +1,4 @@ -/var/log/obfsproxy/log { +/var/log/obfsproxy.log { daily missingok rotate 3 diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 4a0221af..9750932f 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -48,11 +48,11 @@ class obfsproxy ( mode => '0700', } - file { '/var/log/obfsproxy': - ensure => directory, - owner => $user, - group => $user, - mode => '0750', + file { '/var/log/obfsproxy.log': + ensure => present, + owner => $user, + group => $user, + mode => '0640', } file { '/etc/logrotate.d/obfsproxy': @@ -61,7 +61,7 @@ class obfsproxy ( owner => 'root', group => 'root', mode => '0644', - require => File['/var/log/obfsproxy'], + require => File['/var/log/obfsproxy.log'], } package { 'obfsproxy': -- cgit v1.2.3 From 436d98b3781aa66c78b3ec77fa7d47652a92f590 Mon Sep 17 00:00:00 2001 From: irregulator Date: Sat, 24 May 2014 19:33:08 +0300 Subject: Remove initscript subscription to conf file --- puppet/modules/obfsproxy/manifests/init.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet/modules') 
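Review bot: The new `file { '/var/log/obfsproxy.log': ensure => present, ... mode => '0640' }` sets ownership of the log the daemon writes through `--log-file`, but the logrotate hunk in the same commit only renames the path, and this hunk gives no view of a `create` directive, so whether the rotated-in replacement keeps `$user` and 0640 cannot be confirmed here; if the logrotate file has none, `create 0640 <user> <user>` would be the matching line. Since the daemon keeps its log handle open, rotation without `copytruncate` or a reopen hook would presumably leave it writing to the rotated file — worth checking against the rest of the logrotate file. A comment on the file resource, `# keep owner/mode in sync with files/obfsproxy_logrotate`, would record the coupling.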
diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 9750932f..ddb198bb 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -29,7 +29,6 @@ class obfsproxy ( group => 'root', mode => '0750', require => File[$conf], - subscribe => File[$conf], } file { $conf : -- cgit v1.2.3 From 791e22b136910ecfa204eb78be747baed2b02590 Mon Sep 17 00:00:00 2001 From: irregulator Date: Wed, 28 May 2014 17:35:12 +0300 Subject: Make obfsproxy daemon bind to specific address rather than 0.0.0.0 If obfsproxy is spawned alongside eip service, make it listen to the gateway_adress IP. If obfsproxy is running standalone listen to ip_address. --- puppet/modules/obfsproxy/files/obfsproxy_init | 2 +- puppet/modules/obfsproxy/manifests/init.pp | 1 + puppet/modules/obfsproxy/templates/etc_conf.erb | 1 + puppet/modules/site_obfsproxy/manifests/init.pp | 19 ++++++++++++++----- 4 files changed, 17 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 629fea9f..69dbab41 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -32,7 +32,7 @@ else fi DAEMONARGS=" --log-min-severity=$LOG --log-file=$LOGFILE --data-dir=$DATDIR \ - $TRANSPORT $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" + $TRANSPORT $PARAM --dest=$DEST_IP:$DEST_PORT server $BINDADDR:$PORT" start_obfsproxy() { start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index ddb198bb..35d47d13 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -1,5 +1,6 @@ class obfsproxy ( $transport, + $bind_address, $port, $param, $dest_ip, 
diff --git a/puppet/modules/obfsproxy/templates/etc_conf.erb b/puppet/modules/obfsproxy/templates/etc_conf.erb index d9938e1a..10f6a7f7 100644 --- a/puppet/modules/obfsproxy/templates/etc_conf.erb +++ b/puppet/modules/obfsproxy/templates/etc_conf.erb @@ -8,4 +8,5 @@ PARAM=--password=<%= @param %> PARAM=<%= @param %> <% end %> LOG=<%= @log_level %> +BINDADDR=<%= @bind_address %> diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp index 6509fec8..40b7fba8 100644 --- a/puppet/modules/site_obfsproxy/manifests/init.pp +++ b/puppet/modules/site_obfsproxy/manifests/init.pp @@ -11,15 +11,24 @@ class site_obfsproxy { $dest_ip = $obfsproxy['gateway_address'] $dest_port = '443' + if $::services =~ /\bopenvpn\b/ { + $openvpn = hiera('openvpn') + $bind_address = $openvpn['gateway_address'] + } + elsif $::services =~ /\bobfsproxy\b/ { + $bind_address = hiera('ip_address') + } + include site_apt::preferences::twisted include site_apt::preferences::obfsproxy class { 'obfsproxy': - transport => $transport, - port => $scram_port, - param => $scram_pass, - dest_ip => $dest_ip, - dest_port => $dest_port, + transport => $transport, + bind_address => $bind_address, + port => $scram_port, + param => $scram_pass, + dest_ip => $dest_ip, + dest_port => $dest_port, } include site_shorewall::obfsproxy -- cgit v1.2.3 From abb89aca59915223ec3b6ca999d3a15ba8ede594 Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 3 Jun 2014 17:35:14 +0300 Subject: Explicitly set apt preferences for obfsproxy to wheezy-backports --- puppet/modules/site_apt/manifests/preferences/obfsproxy.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp b/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp index 081086e5..75b01956 100644 --- a/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp 
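Review bot: The `if $::services =~ ...`/`elsif` in site_obfsproxy has no `else`, so on a node where neither `openvpn` nor `obfsproxy` is matched `$bind_address` stays undefined, `etc_conf.erb` renders `BINDADDR=` empty and the init script (obfsproxy_init hunk above) starts `server :$PORT`; whether obfsproxy then fails or silently falls back to all interfaces I cannot tell from here, but the second outcome defeats the purpose of this commit. Add `else { fail('site_obfsproxy: cannot determine bind_address from $::services') }` after the `elsif` block, which also matches `$bind_address` having no default in the obfsproxy class parameters. The same `if`/`elsif` without `else` is kept by the later commit that rewrites this block with member(), so the fix applies there too.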
+++ b/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp @@ -2,7 +2,7 @@ class site_apt::preferences::obfsproxy { apt::preferences_snippet { 'obfsproxy': package => 'obfsproxy', - release => "${::lsbdistcodename}-backports", + release => 'wheezy-backports', priority => 999; } -- cgit v1.2.3 From ee8064a8281c3f933aeea219baec822ec8f52b84 Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 3 Jun 2014 17:37:52 +0300 Subject: Remove unneeded newlines from obfsproxy.conf --- puppet/modules/obfsproxy/templates/etc_conf.erb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/templates/etc_conf.erb b/puppet/modules/obfsproxy/templates/etc_conf.erb index 10f6a7f7..8959ef78 100644 --- a/puppet/modules/obfsproxy/templates/etc_conf.erb +++ b/puppet/modules/obfsproxy/templates/etc_conf.erb @@ -2,11 +2,10 @@ TRANSPORT=<%= @transport %> PORT=<%= @port %> DEST_IP=<%= @dest_ip %> DEST_PORT=<%= @dest_port %> -<% if @transport == "scramblesuit" %> +<% if @transport == "scramblesuit" -%> PARAM=--password=<%= @param %> -<% else %> +<% else -%> PARAM=<%= @param %> -<% end %> +<% end -%> LOG=<%= @log_level %> BINDADDR=<%= @bind_address %> - -- cgit v1.2.3 From aa3e39bc8342b6800129965efad72527b53596df Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 3 Jun 2014 17:41:46 +0300 Subject: Add User resource requirement for obfsproxy service, log, etc dir --- puppet/modules/obfsproxy/manifests/init.pp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 35d47d13..a23cfa58 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp 
@@ -42,10 +42,11 @@ class obfsproxy ( } file { '/etc/obfsproxy': - ensure => directory, - owner => $user, - group => $user, - mode => '0700', + ensure => directory, + owner => $user, + group => $user, + mode => '0700', + require => User[$user], } file { '/var/log/obfsproxy.log': @@ -53,6 +54,7 @@ class obfsproxy ( owner => $user, group => $user, mode => '0640', + require => User[$user], } file { '/etc/logrotate.d/obfsproxy': @@ -73,7 +75,9 @@ class obfsproxy ( subscribe => File[$conf], require => [ Package['obfsproxy'], - File['/etc/init.d/obfsproxy'] ] + File['/etc/init.d/obfsproxy'], + User[$user], + Group[$user]] } -- cgit v1.2.3 From e184143d3066f02968c8bb1035e0e02bae44d587 Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 3 Jun 2014 17:47:50 +0300 Subject: Add apt preferences requirement for obfsproxy package resource --- puppet/modules/obfsproxy/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index a23cfa58..61714fdf 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -67,7 +67,8 @@ class obfsproxy ( } package { 'obfsproxy': - ensure => present, + ensure => present, + require => Class['site_apt::preferences::obfsproxy'], } service { 'obfsproxy': -- cgit v1.2.3 From 7e278f92f34e3809d380be724f0c306430791b10 Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 1 Jul 2014 01:49:56 +0300 Subject: Use new macro pick_node to pick vpn gateway for obfsproxy.json --- puppet/modules/obfsproxy/files/obfsproxy_init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 69dbab41..01c8013a 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init 
@@ -83,7 +83,7 @@ case $1 in start-stop-daemon --stop --signal USR1 --quiet --pidfile $PIDFILE --name $NAME log_success_msg "$DESC reloaded successfully" else - log_failure_msg "$PIDFILE does not exists" + log_failure_msg "$PIDFILE does not exist" fi ;; *) -- cgit v1.2.3 From 9ab38e0551fe3210f57be2889e70db4aa2b4cc2f Mon Sep 17 00:00:00 2001 From: Folker Bernitt Date: Thu, 10 Jul 2014 17:54:36 +0200 Subject: Added allow_registration to webapp config.yml. - See issue #5217 - See companion change in leap_web --- puppet/modules/site_webapp/templates/config.yml.erb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 8faf76f4..ef139404 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -18,9 +18,10 @@ production: minimum_client_version: "<%= @webapp['client_version']['min'] %>" default_service_level: "<%= @webapp['default_service_level'] %>" service_levels: <%= @webapp['service_levels'].to_json %> + allow_registration: <%= @provider['allow_registration'].inspect %> <%- if @webapp['engines'] && @webapp['engines'].any? -%> engines: <%- @webapp['engines'].each do |engine| -%> - <%= engine %> <%- end -%> -<%- end -%> \ No newline at end of file +<%- end -%> -- cgit v1.2.3 From 3e8721d4c4e0ad8ea0daae3c35c79f7130afda6e Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 14 Jul 2014 19:50:26 +0200 Subject: update couchdb puppet module --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 8bc5ed43..f01b3586 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 8bc5ed434c124457b7467140152602c67a9547c5 +Subproject commit f01b3586215bdc10f0067fa0f6d940be8e88bcea -- cgit v1.2.3 
From 3206634d0d17064ecd4b18cc8e2e47051e422bf3 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 14 Jul 2014 19:50:41 +0200 Subject: proper json for tapicero config --- puppet/modules/tapicero/templates/tapicero.yaml.erb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb index 182a6aa6..d6ea56fa 100644 --- a/puppet/modules/tapicero/templates/tapicero.yaml.erb +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb @@ -1,3 +1,5 @@ +<%- require 'json' -%> + # # Default configuration options for Tapicero # @@ -25,7 +27,9 @@ options: # prefix for per user databases: db_prefix: "user-" mode: <%= @couchdb_mode %> - replication: <%= @couchdb_replication %> +<%- if @couchdb_replication %> + replication: <%= @couchdb_replication.to_json %> +<%- end -%> # security settings to be used for the per user databases security: -- cgit v1.2.3 From ac5781ef6edaf03f06fa980478726aa7d11653c0 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 15 Jul 2014 13:13:28 +0200 Subject: haproxy default to couch_write, couch_read on GET METH_POST probably does not catch PUT, DESTROY etc. So instead we now use the master as the default and only use the replications for GET and HEAD requests. --- puppet/modules/site_haproxy/templates/couch.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_haproxy/templates/couch.erb b/puppet/modules/site_haproxy/templates/couch.erb index baa31486..f42e8368 100644 --- a/puppet/modules/site_haproxy/templates/couch.erb +++ b/puppet/modules/site_haproxy/templates/couch.erb 
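Review bot: `<%- if @couchdb_replication %>` closes with a plain `%>` while its `<%- end -%>` trims, so the rendered YAML gets an empty line where the `if` was; harmless to YAML but inconsistent with the rest of the template — use `<%- if @couchdb_replication -%>`. The `<%- require 'json' -%>` at the top of the template is what makes `.to_json` available further down; a short comment next to it, `# to_json is used below for the replication hash`, would keep someone from removing it as unused.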
@@ -4,8 +4,8 @@ frontend couch option httplog option dontlognull option http-server-close # use client keep-alive, but close server connection. - use_backend couch_write if METH_POST - default_backend couch_read + use_backend couch_read if METH_GET + default_backend couch_write backend couch_write mode http -- cgit v1.2.3 From 42327f4881022424bed354356756ab5815d5ba3f Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 30 Jul 2014 16:47:47 +0200 Subject: add replication role to user databases with tapicero This way the replication has read access on the source and write access on the target. --- puppet/modules/tapicero/templates/tapicero.yaml.erb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb index d6ea56fa..510450ad 100644 --- a/puppet/modules/tapicero/templates/tapicero.yaml.erb +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb @@ -40,10 +40,11 @@ options: # explicit about this - <%= @couchdb_admin_user %> roles: [] - readers: + members: names: - <%= @couchdb_soledad_user %> - <%= @couchdb_leap_mx_user %> - roles: [] + roles: + - replication -- cgit v1.2.3 From 2e5d1a8cf2228a87d382bbf8a58d3f485b1ead65 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 1 Aug 2014 11:01:49 +0200 Subject: minor: fix typo in webapp config @provider -> @webapp --- puppet/modules/site_webapp/templates/config.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index ef139404..9205438b 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb 
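Review bot: `use_backend couch_read if METH_GET` relies on HAProxy's predefined `METH_GET` ACL matching both GET and HEAD; that is what the commit message intends, but the template does not say so and a reader may assume HEAD now reaches the master. A comment such as `# METH_GET = GET and HEAD; every other method goes to the master (couch_write)` next to the rule would document it.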
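Review bot: The `members:` block now grants the `replication` role alongside the named soledad and leap_mx users, which (per the commit message) is how replication gets read on the source and write on the target; nothing in the template records that, so any account later given this role silently becomes a member of every per-user database. A comment above the role, `# 'replication' role: member (read+write) on all per-user dbs, used by replication`, would make the grant reviewable. The `security:` block starts outside the hunk.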
@@ -18,7 +18,7 @@ production: minimum_client_version: "<%= @webapp['client_version']['min'] %>" default_service_level: "<%= @webapp['default_service_level'] %>" service_levels: <%= @webapp['service_levels'].to_json %> - allow_registration: <%= @provider['allow_registration'].inspect %> + allow_registration: <%= @webapp['allow_registration'].inspect %> <%- if @webapp['engines'] && @webapp['engines'].any? -%> engines: <%- @webapp['engines'].each do |engine| -%> -- cgit v1.2.3 From d6c078f4beecefe42c971cc5802e79f42396ebab Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 17 Sep 2014 11:44:17 +0200 Subject: Increase wait-for-couch timeout (Bug #3735) Site_couchdb::Bigcouch::Settle_cluster/Exec[wait_for_couch_nodes] waits 60s for all nodes to be member of the cluster. Because we deploy to multiple nodes in parallel, not all nodes are ready at the same time, so we increased the timeout from 60s to 120s. --- puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp b/puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp index aa843e2e..820b5be2 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp @@ -1,11 +1,11 @@ class site_couchdb::bigcouch::settle_cluster { exec { 'wait_for_couch_nodes': - command => '/srv/leap/bin/run_tests --test CouchDB/Are_configured_nodes_online? --retry 6 --wait 10' + command => '/srv/leap/bin/run_tests --test CouchDB/Are_configured_nodes_online? --retry 12 --wait 10' } exec { 'settle_cluster_membership': - command => '/srv/leap/bin/run_tests --test CouchDB/Is_cluster_membership_ok? --retry 6 --wait 10', + command => '/srv/leap/bin/run_tests --test CouchDB/Is_cluster_membership_ok? --retry 12 --wait 10', require => Exec['wait_for_couch_nodes'] } } -- cgit v1.2.3 
From 9cc0f28e9223c76da9cd491d3faa2dd1b18e3fc2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 17 Sep 2014 11:14:46 -0400 Subject: update rsyslog module to fix #6019 Change-Id: I8c64a0c530d44e55963060d52d31a0da1a88615c --- puppet/modules/rsyslog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/rsyslog b/puppet/modules/rsyslog index 20fbda6b..b8ef11c2 160000 --- a/puppet/modules/rsyslog +++ b/puppet/modules/rsyslog @@ -1 +1 @@ -Subproject commit 20fbda6b91472e656331a9c64630fb207e9f5789 +Subproject commit b8ef11c23949d12732ad5cdaebb3023ff39a297a -- cgit v1.2.3 From 63783c1dc0a1e1749810162af169f0ffc0a237d5 Mon Sep 17 00:00:00 2001 From: Christoph Date: Wed, 17 Sep 2014 17:30:38 +0200 Subject: allow outgoing port 3142 for apt-cacher proxy --- puppet/modules/site_config/templates/ipv4firewall_up.rules.erb | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb index 928a2b31..7bde189f 100644 --- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb +++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb @@ -18,6 +18,7 @@ -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT +-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 3142 -j ACCEPT -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 -- cgit v1.2.3 From 9da2a36155d3b96e0dc41cac3dd38f8b6c50efd2 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Mon, 22 Sep 2014 14:57:24 -0400 Subject: stop logging user-agent in apache, fixes #6129 Change-Id: I66384ae4a723be063790362f70e57228a0f1539b --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 2 ++ puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 2 ++ 2 files changed, 4 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 3360ac59..74cd1ced 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -2,12 +2,14 @@ ServerName <%= api_domain %> RewriteEngine On RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L] + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common Listen 0.0.0.0:<%= api_port %> > ServerName <%= api_domain %> + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on SSLProtocol all -SSLv2 diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index ed430510..0e08529c 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -3,12 +3,14 @@ ServerAlias www.<%= domain %> RewriteEngine On RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common ServerName <%= domain_name %> ServerAlias <%= domain %> ServerAlias www.<%= domain %> + CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on SSLProtocol all -SSLv2 -- cgit v1.2.3 From 308ac3cb420cbce7a6c67e03e887db4723aa8169 Mon Sep 17 00:00:00 2001 
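Review bot: The `CustomLog ... common` line is only added to the api and common vhost templates, and a vhost without its own `CustomLog` inherits the server-level access log (on Debian the `other-vhosts-access-log` snippet with the `vhost_combined` format, which still records User-Agent), so any other vhost template — the static-site and nickserver ones appear later on this page — would need the same line for #6129 to hold across the board; I cannot see those files here. `common` still logs the client address, so this change removes User-Agent and Referer and nothing else. A comment on the line, `# 'common' format: no Referer/User-Agent (#6129)`, would state the intent.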
From: varac Date: Wed, 24 Sep 2014 13:55:20 +0200 Subject: remove /etc/apt/preferences.d/fixed_rsyslog_anon_package (#6138) This was a leftover from earlier versions, where we installed rsyslog from the leap debian package repo. Change-Id: I88a852f08b5aff3bd7b591b6220ac354463a9786 --- puppet/modules/site_apt/manifests/preferences/rsyslog.pp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp index 132a6e24..bfeaa7da 100644 --- a/puppet/modules/site_apt/manifests/preferences/rsyslog.pp +++ b/puppet/modules/site_apt/manifests/preferences/rsyslog.pp @@ -1,9 +1,13 @@ class site_apt::preferences::rsyslog { - apt::preferences_snippet { 'rsyslog_anon_depends': - package => 'libestr0 librelp0 rsyslog*', - priority => '999', - pin => 'release a=wheezy-backports', - before => Class['rsyslog::install'] + apt::preferences_snippet { + 'rsyslog_anon_depends': + package => 'libestr0 librelp0 rsyslog*', + priority => '999', + pin => 'release a=wheezy-backports', + before => Class['rsyslog::install']; + + 'fixed_rsyslog_anon_package': + ensure => absent; } } -- cgit v1.2.3 From 8f8862aab798cbf0b2dbb690a154cd54dd5d6592 Mon Sep 17 00:00:00 2001 From: irregulator Date: Thu, 25 Sep 2014 16:46:57 +0300 Subject: Use member function instead of regexp to check services array --- puppet/modules/site_obfsproxy/manifests/init.pp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp index 40b7fba8..6275ebee 100644 --- a/puppet/modules/site_obfsproxy/manifests/init.pp +++ b/puppet/modules/site_obfsproxy/manifests/init.pp 
@@ -11,13 +11,13 @@ class site_obfsproxy { $dest_ip = $obfsproxy['gateway_address'] $dest_port = '443' - if $::services =~ /\bopenvpn\b/ { - $openvpn = hiera('openvpn') - $bind_address = $openvpn['gateway_address'] - } - elsif $::services =~ /\bobfsproxy\b/ { - $bind_address = hiera('ip_address') - } + if member($::services, 'openvpn') { + $openvpn = hiera('openvpn') + $bind_address = $openvpn['gateway_address'] + } + elsif member($::services, 'obfsproxy') { + $bind_address = hiera('ip_address') + } include site_apt::preferences::twisted include site_apt::preferences::obfsproxy -- cgit v1.2.3 From 343572ab04686c65c10fd49a5d09314ca99b3d75 Mon Sep 17 00:00:00 2001 From: Christoph Kluenter Date: Thu, 25 Sep 2014 16:01:37 +0200 Subject: allow all outgoing traffic as discussed on #leap --- .../modules/site_config/templates/ipv4firewall_up.rules.erb | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb index 7bde189f..b0c2b7ad 100644 --- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb +++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb @@ -2,7 +2,7 @@ *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] -:OUTPUT DROP [0:0] +:OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT 
@@ -11,15 +11,4 @@ -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 --A OUTPUT -o lo -j ACCEPT --A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport 22 -j ACCEPT --A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT --A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT --A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT --A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 3142 -j ACCEPT --A OUTPUT -p udp -m udp --dport 53 -j ACCEPT --A OUTPUT -p udp -m udp --dport 123 -j ACCEPT --A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 COMMIT -- cgit v1.2.3 From 027c20e2b8f779086d1480048152fe06d044b216 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 7 Oct 2014 13:55:58 +0200 Subject: every environment is defined as nagios hostsgroup (#5216) Change-Id: I6508ce0d06b37a1c5601a0e981a59f7fda47f76a --- puppet/modules/site_check_mk/manifests/server.pp | 13 +++++++++---- puppet/modules/site_check_mk/templates/hostgroups.mk | 4 ++++ puppet/modules/site_nagios/manifests/server.pp | 9 ++++++--- puppet/modules/site_nagios/manifests/server/hostgroup.pp | 3 +++ 4 files changed, 22 insertions(+), 7 deletions(-) create mode 100644 puppet/modules/site_check_mk/templates/hostgroups.mk create mode 100644 puppet/modules/site_nagios/manifests/server/hostgroup.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index e544ef0d..aa24d96c 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp 
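Review bot: With `:OUTPUT ACCEPT` (policy hunk above) and every `-A OUTPUT` rule removed here, the host loses egress filtering and the OUTPUT `LOG` line, so there is no longer any record of outbound connections the old ruleset would have denied; the commit says this was discussed, but nothing in the template says why, which invites someone to "fix" it back or to assume egress is still restricted. Put the rationale in the file, e.g. `# OUTPUT policy is ACCEPT on purpose: egress filtering was dropped, see commit history` above `:OUTPUT ACCEPT`. The `--dport 3142` allowance added by the preceding commit is removed again here, so that change is now moot.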
+++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -5,11 +5,12 @@ class site_check_mk::server { $type = $ssh_hash['authorized_keys']['monitor']['type'] $seckey = $ssh_hash['monitor']['private_key'] - $nagios_hiera = hiera_hash('nagios') - $nagios_hosts = $nagios_hiera['hosts'] + $nagios_hiera = hiera_hash('nagios') + $nagios_hosts = $nagios_hiera['hosts'] - $hosts = hiera_hash('hosts') - $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') + $hosts = hiera_hash('hosts') + $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') + $domains_internal = $nagios_hiera['domains_internal'] package { 'check-mk-server': ensure => installed, @@ -35,6 +36,10 @@ class site_check_mk::server { content => template('site_check_mk/use_ssh.mk'), notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; + '/etc/check_mk/conf.d/hostgroups.mk': + content => template('site_check_mk/hostgroups.mk'), + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; '/etc/check_mk/all_hosts_static': content => $all_hosts, notify => Exec['check_mk-refresh'], diff --git a/puppet/modules/site_check_mk/templates/hostgroups.mk b/puppet/modules/site_check_mk/templates/hostgroups.mk new file mode 100644 index 00000000..79b7f92f --- /dev/null +++ b/puppet/modules/site_check_mk/templates/hostgroups.mk @@ -0,0 +1,4 @@ +host_groups = [ + <% @domains_internal.each do |domain| %>( '<%= domain %>', [<% @nagios_hosts.keys.sort.each do |key| -%><% if @nagios_hosts[key]['domain_internal'] == key+'.'+domain -%>'<%= key %>.<%= domain %>', <% end -%><% end -%>] ), + <% end -%> +] diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 85443917..8cc1ae24 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp 
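Review bot: The `host_groups` line in hostgroups.mk packs a nested loop, a condition and Python literal syntax into one ERB line, which is hard to verify and easy to break (a `'` in a hiera domain or host key would yield invalid Python, though those values are operator-controlled). A rewrite that computes the member list in Ruby and emits each group on its own line produces the same Python structure and is readable.

```erb
host_groups = [
<% @domains_internal.each do |domain| -%>
<%   members = @nagios_hosts.keys.sort.select { |key| @nagios_hosts[key]['domain_internal'] == "#{key}.#{domain}" } -%>
  ( '<%= domain %>', [<%= members.map { |key| "'#{key}.#{domain}'" }.join(', ') %>] ),
<% end -%>
]
```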
@@ -3,9 +3,10 @@ class site_nagios::server inherits nagios::base { # First, purge old nagios config (see #1467) class { 'site_nagios::server::purge': } - $nagios_hiera = hiera('nagios') - $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) - $nagios_hosts = $nagios_hiera['hosts'] + $nagios_hiera = hiera('nagios') + $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) + $nagios_hosts = $nagios_hiera['hosts'] + $domains_internal = $nagios_hiera['domains_internal'] include nagios::defaults include nagios::base @@ -55,4 +56,6 @@ class site_nagios::server inherits nagios::base { 'set missingok missingok', 'set ifempty notifempty', 'set copytruncate copytruncate' ] } + + ::site_nagios::server::hostgroup { $domains_internal: } } diff --git a/puppet/modules/site_nagios/manifests/server/hostgroup.pp b/puppet/modules/site_nagios/manifests/server/hostgroup.pp new file mode 100644 index 00000000..035ba7d1 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/hostgroup.pp @@ -0,0 +1,3 @@ +define site_nagios::server::hostgroup { + nagios_hostgroup { $name: } +} -- cgit v1.2.3 From 36a1332f5f6e43591a47b89ec505541f84381667 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 7 Oct 2014 14:16:54 +0200 Subject: include different nagios::defaults classes manually (#5216) nagios::defaults will include nagios::defaults::hostgroups which add "all" and "centos_servers" hostgroups which we don't want. Change-Id: If42faa11c167fb7305ebbb21dc358a8813afaa25 --- puppet/modules/site_nagios/manifests/server.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 8cc1ae24..b195c880 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp 
@@ -8,8 +8,14 @@ class site_nagios::server inherits nagios::base { $nagios_hosts = $nagios_hiera['hosts'] $domains_internal = $nagios_hiera['domains_internal'] - include nagios::defaults include nagios::base + include nagios::defaults::commands + include nagios::defaults::contactgroups + include nagios::defaults::contacts + include nagios::defaults::templates + include nagios::defaults::timeperiods + include nagios::defaults::plugins + class {'nagios': # don't manage apache class from nagios, cause we already include # it in site_apache::common -- cgit v1.2.3 From 189bd4b704ba685640ca01afe90f592e7b33567a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 15 Oct 2014 17:07:45 -0400 Subject: Disable SSLv3, and RC4 ciphers Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 4 ++-- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 4 ++-- puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb | 5 +++-- puppet/modules/site_static/templates/apache.conf.erb | 4 ++-- 4 files changed, 9 insertions(+), 8 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 74cd1ced..e4732289 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
@@ -12,10 +12,10 @@ Listen 0.0.0.0:<%= api_port %> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on - SSLProtocol all -SSLv2 + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 0e08529c..a9733a97 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb 
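Review bot: The same `SSLCipherSuite` string is now maintained by hand in four templates (this hunk, the common.conf.erb and nickserver-proxy.conf.erb hunks below, and the site_static one past the end of this view), and this commit already had to edit each of them to drop RC4 — the next cipher change will drift unless the list lives in one place, e.g. a variable in the site parameters class passed into each template. `SSLProtocol all -SSLv2 -SSLv3` is the right direction; for the nickserver template it also replaces `-all +SSLv3 +TLSv1`, which had excluded TLS 1.1 and 1.2. A comment above the cipher line, `# RC4 and SSLv3 disabled; keep in sync with the other vhost templates`, would at least flag the duplication until it is factored out.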
@@ -13,10 +13,10 @@ CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLEngine on - SSLProtocol all -SSLv2 + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index ae06410e..56a8d9f6 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb 
@@ -9,9 +9,10 @@ Listen 0.0.0.0:<%= @nickserver_port -%> ServerAlias <%= @address_domain %> SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 07ac481d..9b516a10 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb 
@@ -46,10 +46,10 @@ #RewriteLogLevel 3 SSLEngine on - SSLProtocol all -SSLv2 + SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" <%- if @tls_only -%> Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" -- cgit v1.2.3 From f6ffad33042aa6580ec00ef23836291861c1ae17 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Mon, 20 Oct 2014 21:44:37 -0400 Subject: implement custom puppet support (#6201, #6226) change puppet command to include in the --modulepath /srv/leap/files/puppet/modules If a provider places puppet code under files/puppet it will be sync'd over to all the nodes, once leap cli #6225 is merged. The custom puppet entry point is in class 'custom' which can be put into files/puppet/modules/custom/manifests/init.pp Change-Id: I74879c6ee056b03cd4691aa81a7668b60383bdad --- puppet/modules/site_config/manifests/default.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index fc2179de..790b5a16 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -59,10 +59,10 @@ class site_config::default { include site_postfix::satellite } - # if class site_custom exists, include it. + # if class custom exists, include it. # possibility for users to define custom puppet recipes - if defined( '::site_custom') { - include ::site_custom + if defined( '::custom') { + include ::custom } include site_check_mk::agent -- cgit v1.2.3 From b76445c07688ba1b4e8940189f8538a741de92d4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 21 Oct 2014 20:27:06 -0400 Subject: modify the leap repository contents so they pick the correct repository, based on the hiera value 'major_version' (#6251) Change-Id: I10532ef83e3aa2d35d9c0be241952a35e366bba4 --- puppet/modules/site_apt/manifests/leap_repo.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 6b3d9919..2d4ba0e1 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp 
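Review bot: The `defined('::custom')` test only asks whether a class of that name can be found; nothing at this `if` constrains what the class may declare, so a module placed under `files/puppet/modules/custom` is applied with the same root privileges as the rest of the catalog on every node it is synced to. A comment above the `if` should say so, e.g. `# anything in files/puppet/modules/custom is applied as root on every node; review it like platform code`. Whether `defined()` given a class-name string triggers the autoloader or only sees classes some earlier manifest already loaded depends on the Puppet 3 release in use — if it is the latter, this include is parse-order dependent, so it is worth confirming against the version the platform pins.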
@@ -1,6 +1,9 @@ class site_apt::leap_repo { + $platform = hiera_hash('platform') + $major_version = $platform['major_version'] + apt::sources_list { 'leap.list': - content => 'deb http://deb.leap.se/debian stable main', + content => "deb http://deb.leap.se/${major_version} wheezy main\n", before => Exec[refresh_apt] } -- cgit v1.2.3 From 937c61b74bbd99f9955cbee426fb35e96050eea6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 27 Oct 2014 09:23:23 -0400 Subject: Change stunnel default sslversion to be TLSv1, instead of the default SSLv3 (#6261) Change-Id: I7ab5a6455e434f8359169d31febed8b92f84bbcc --- puppet/modules/site_stunnel/manifests/client.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp index 12d664b4..76815174 100644 --- a/puppet/modules/site_stunnel/manifests/client.pp +++ b/puppet/modules/site_stunnel/manifests/client.pp @@ -35,6 +35,7 @@ define site_stunnel::client ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => $rndfile, debuglevel => $debuglevel, + sslversion => 'TLSv1', subscribe => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], -- cgit v1.2.3 From f14cfe9601ab60b30af7baf126cb223eacec3593 Mon Sep 17 00:00:00 2001 
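Review bot: The new `content` line interpolates `${major_version}` without checking that `hiera_hash('platform')` actually carries that key; when it is absent the line silently becomes `deb http://deb.leap.se/ wheezy main` and apt is pointed at the wrong tree, with no error at deploy time. A guard before the `apt::sources_list`, e.g. `if $major_version == undef { fail('platform.major_version is not set') }`, turns that into a failed run instead. The distribution is also now hard-coded to `wheezy` where the old line used `stable`; if that is deliberate, a comment should say why, since nothing else in this hunk explains the change.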
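Review bot: `sslversion => 'TLSv1'` pins each client tunnel to exactly TLS 1.0 — in stunnel `sslVersion = TLSv1` selects the TLS 1.0 method, not "TLS 1.0 or newer" — so endpoints that could negotiate 1.2 are held at 1.0 for the sake of excluding SSLv3; the same value is added to `site_stunnel::servers` in a later commit on this page. If the stunnel module exposes stunnel's `options` parameter, `sslversion => 'all'` together with `NO_SSLv2`/`NO_SSLv3` options gives the intended result without excluding newer TLS. Either way a comment next to the line, e.g. `# TLSv1 here means TLS 1.0 only (stunnel selects a single method), chosen to rule out SSLv3 (#6261)`, records the trade-off. The define's parameter list starts outside the hunk.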
From: Micah Anderson Date: Tue, 28 Oct 2014 12:18:27 -0400 Subject: upgrade unattended-upgrades on deploy (#6245) unattended-upgrades is not able to upgrade itself in certain situations, such as when the conffile prompt is generated due to the config being changed. We want to set this package as latest in the platform so that it is upgraded on every deploy (we deploy the config anyway). Change-Id: I8c99bfb1b001079f0e1a4ffbf048e0e867633335 --- puppet/modules/site_apt/manifests/init.pp | 4 ++-- puppet/modules/site_apt/manifests/unattended_upgrades.pp | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_apt/manifests/unattended_upgrades.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 9facf4cc..633ccf1e 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,4 +1,4 @@ -class site_apt { +class site_apt { class { 'apt': custom_key_dir => 'puppet:///modules/site_apt/keys' @@ -11,7 +11,7 @@ class site_apt { content => 'Acquire::PDiffs "false";'; } - include ::apt::unattended_upgrades + include ::site_apt::unattended_upgrades apt::sources_list { 'secondary.list.disabled': content => template('site_apt/secondary.list'); diff --git a/puppet/modules/site_apt/manifests/unattended_upgrades.pp b/puppet/modules/site_apt/manifests/unattended_upgrades.pp new file mode 100644 index 00000000..daebffab --- /dev/null +++ b/puppet/modules/site_apt/manifests/unattended_upgrades.pp @@ -0,0 +1,10 @@ +class site_apt::unattended_upgrades inherits apt::unattended_upgrades { + # override unattended-upgrades package resource to make sure + # that it is upgraded on every deploy (#6245) + + include ::apt::unattended_upgrades + + Package['unattended-upgrades'] { + ensure => latest + } +} -- cgit v1.2.3 From d3e24760b33d6ae20f153d3c144d7d443fb0b69e Mon Sep 17 00:00:00 2001 
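Review bot: The `include ::apt::unattended_upgrades` in the new `site_apt::unattended_upgrades` is redundant — the class already `inherits apt::unattended_upgrades`, which is what evaluates the parent and makes the `Package['unattended-upgrades'] { ensure => latest }` override legal in the first place; the include can be dropped without changing the catalog. The comment should also make clear that `latest` is deliberate so a later cleanup does not "fix" it back to `installed`, e.g. `# ensure => latest on purpose: unattended-upgrades cannot upgrade itself when its own conffile changes (#6245)`. The first hunk in this commit (`class site_apt {`) is a whitespace-only change.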
From: elijah Date: Wed, 29 Oct 2014 15:20:54 -0700 Subject: added webapp.forbidden_usernames property to allow configuration of usernames to block. --- puppet/modules/site_webapp/templates/config.yml.erb | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 9205438b..0c75f3ca 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -19,6 +19,7 @@ production: default_service_level: "<%= @webapp['default_service_level'] %>" service_levels: <%= @webapp['service_levels'].to_json %> allow_registration: <%= @webapp['allow_registration'].inspect %> + handle_blacklist: <%= @webapp['forbidden_usernames'].inspect %> <%- if @webapp['engines'] && @webapp['engines'].any? -%> engines: <%- @webapp['engines'].each do |engine| -%> -- cgit v1.2.3 From 84957fbd0f1e4aa26303b6488d9ec7df8af08ab7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 31 Oct 2014 13:15:13 -0400 Subject: Fix deprecated dynamic lookups of variables in site_couchdb (#6286) Change-Id: I318944a6872a53ff9c533704514da339426d9401 --- puppet/modules/site_couchdb/manifests/bigcouch.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index f0aab734..e3cba4ba 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp 
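Review bot: `handle_blacklist: <%= @webapp['forbidden_usernames'].inspect %>` emits the literal text `nil` when the property is absent from webapp.json, and YAML reads that as the string "nil", not as an empty list, so a provider that never set the property gets a malformed value rather than no blacklist. Coercing first keeps an explicit list unchanged and turns a missing one into `[]`: `handle_blacklist: <%= Array(@webapp['forbidden_usernames']).inspect %>`.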
@@ -1,12 +1,12 @@ class site_couchdb::bigcouch { - $config = $couchdb_config['bigcouch'] + $config = $::site_couchdb::couchdb_config['bigcouch'] $cookie = $config['cookie'] $ednp_port = $config['ednp_port'] class { 'couchdb': - admin_pw => $couchdb_admin_pw, - admin_salt => $couchdb_admin_salt, + admin_pw => $::site_couchdb::couchdb_admin_pw, + admin_salt => $::site_couchdb::couchdb_admin_salt, bigcouch => true, bigcouch_cookie => $cookie, ednp_port => $ednp_port, -- cgit v1.2.3 From 5787c97b6f73dacae7f01adeff203287007c381d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 1 Nov 2014 10:36:48 -0400 Subject: stop using bad nist curve for ssh host key (#6294) update port parameter in site_sshd to be an array, otherwise puppet errors about it being a Fixnum with new sshd module Change-Id: I854d042edb98817169eef5e758d04d60d3c71dd5 --- puppet/modules/site_sshd/manifests/init.pp | 2 +- puppet/modules/sshd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 9a05b6ed..1da2f1d5 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -53,7 +53,7 @@ class site_sshd { ## class { '::sshd': manage_nagios => false, - ports => $ssh['port'], + ports => [ $ssh['port'] ], use_pam => 'yes', hardened_ssl => 'yes', print_motd => 'no', diff --git a/puppet/modules/sshd b/puppet/modules/sshd index 5c23b332..4652fbca 160000 --- a/puppet/modules/sshd +++ b/puppet/modules/sshd @@ -1 +1 @@ -Subproject commit 5c23b33200fc6229ada7f4e13672b5da0d4bdd8e +Subproject commit 4652fbcae0aadcded5d390e71882aec1b1b738ba -- cgit v1.2.3 From 38d7c80fae4efc1d365ec9f982cb025dc67a4386 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Sun, 2 Nov 2014 20:53:34 -0500 Subject: add missing TLSv1 sslversion parameter to site_stunnel::serviers Change-Id: I48dc8135943393bd11c7181853985f4a5799011e --- puppet/modules/site_stunnel/manifests/servers.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp index b1da5c59..8d537644 100644 --- a/puppet/modules/site_stunnel/manifests/servers.pp +++ b/puppet/modules/site_stunnel/manifests/servers.pp @@ -35,6 +35,7 @@ define site_stunnel::servers ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => '/var/lib/stunnel4/.rnd', debuglevel => $debuglevel, + sslversion => 'TLSv1', require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], -- cgit v1.2.3 From 18f5d6ea49446f214cbb764ea223f427aafd641e Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Sun, 2 Nov 2014 21:47:36 -0500 Subject: change ordering hints to use refresh_stunnel exec instead of service (#6287) In a multi-node couch deployment, it was observed that the Service['stunnel'] would be activated, and then later a stunnel::client was created which would trigger an Exec['refresh_stunnel']. Because of this, and the ordering hints that were in place, the service would get started, and then the couchdb databases, users, designs, etc. were being put into place and then a stunnel client was created, triggering the refresh_stunnel exec, which would cause an interruption in the connectivity and result in failures. This change replaces the Service['stunnel'] hint with the the Exec['refresh_stunnel'] to make sure that the stunnels are fully setup before attempting couch operations. Change-Id: I33ddd24884b3c23a1df5555ca53ca65cd703da50 --- puppet/modules/couchdb | 2 +- puppet/modules/site_couchdb/manifests/bigcouch.pp | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index f01b3586..4c0d5673 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit f01b3586215bdc10f0067fa0f6d940be8e88bcea +Subproject commit 4c0d5673df02fe42e1bbadfee7d4ea1ca1f88e98 diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index e3cba4ba..d71c00c5 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp @@ -19,7 +19,7 @@ class site_couchdb::bigcouch { Class['site_config::default'] -> Class['couchdb::bigcouch::package::cloudant'] -> Service['shorewall'] - -> Service['stunnel'] + -> Exec['refresh_stunnel'] -> Class['site_couchdb::setup'] -> Class['site_couchdb::bigcouch::add_nodes'] -> Class['site_couchdb::bigcouch::settle_cluster'] 
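Review bot: Chaining on `Exec['refresh_stunnel']` instead of `Service['stunnel']` addresses the mid-setup restart the description explains, but if that exec is `refreshonly` (its name suggests so; the stunnel module is not in this diff) it does nothing on a run where no tunnel config changed, and the chain then no longer states that the service is up before `site_couchdb::setup` runs — on a fresh node that ordering is only whatever the stunnel module declares internally. Worth confirming that the module orders `Exec['refresh_stunnel']` after `Service['stunnel']` and after all `site_stunnel::client` files, and recording it beside the chain, e.g. `# refresh_stunnel is ordered after Service['stunnel'] and every client tunnel, so the tunnels are usable here`. The same substitution is made in `site_couchdb` on the next hunk.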
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 5a4fb936..a11f6309 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -42,13 +42,13 @@ class site_couchdb { $couchdb_backup = $couchdb_config['backup'] $couchdb_mode = $couchdb_config['mode'] - if $couchdb_mode == "multimaster" { include site_couchdb::bigcouch } - if $couchdb_mode == "master" { include site_couchdb::master } - if $couchdb_mode == "mirror" { include site_couchdb::mirror } + if $couchdb_mode == 'multimaster' { include site_couchdb::bigcouch } + if $couchdb_mode == 'master' { include site_couchdb::master } + if $couchdb_mode == 'mirror' { include site_couchdb::mirror } Class['site_config::default'] -> Service['shorewall'] - -> Service['stunnel'] + -> Exec['refresh_stunnel'] -> Class['couchdb'] -> Class['site_couchdb::setup'] -- cgit v1.2.3 From c150fa3eb79d822850205c0178de9bb5f422ae01 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 4 Nov 2014 11:34:42 -0500 Subject: add local 50unattended-upgrades to fix unattended-upgrades not upgrading leap packages (#4425) Change-Id: I78c00c4410ff9f712206f95854d8803e43acb286 --- .../modules/site_apt/files/Debian/50unattended-upgrades | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 puppet/modules/site_apt/files/Debian/50unattended-upgrades (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/files/Debian/50unattended-upgrades b/puppet/modules/site_apt/files/Debian/50unattended-upgrades new file mode 100644 index 00000000..f2f574fc --- /dev/null +++ b/puppet/modules/site_apt/files/Debian/50unattended-upgrades 
@@ -0,0 +1,16 @@
+// this file is managed by puppet !
+
+Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:stable";
+ "${distro_id}:${distro_codename}-security";
+ "${distro_id}:${distro_codename}-updates";
+ "${distro_id} Backports:${distro_codename}-backports";
+ "leap.se:stable";
+};
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::Unattended-Upgrade "1";
+
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailOnlyOnError "true";
-- cgit v1.2.3 From 16c985a1b8e692c0e0f76a30b7ec052c9dc269bd Mon Sep 17 00:00:00 2001 From: guido Date: Tue, 28 Oct 2014 21:03:52 -0300 Subject: Adds support for Tor hidden service on webapp (Feature #6273) Change-Id: I56250e05e3a933deacd0b6e02192e712d3fd9fd5
---
.../templates/vhosts.d/hidden_service.conf.erb | 33 +++++++++++++++++ .../site_webapp/manifests/hidden_service.pp | 43 ++++++++++++++++++++++ puppet/modules/site_webapp/manifests/init.pp | 6 +++ 3 files changed, 82 insertions(+) create mode 100644 puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb create mode 100644 puppet/modules/site_webapp/manifests/hidden_service.pp (limited to 'puppet/modules')
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
new file mode 100644
index 00000000..0c6f3b8e
--- /dev/null
+++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
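Review bot: `"leap.se:stable";` is matched against the Origin and Suite fields of the repository's Release file, and the sources entry changed earlier on this page now reads `deb http://deb.leap.se/${major_version} wheezy main`; unless that archive's Release file reports `Suite: stable` for the wheezy distribution, this pattern never matches and leap packages keep being skipped — the very symptom #4425 describes. Worth checking the Release file and, if its suite is `wheezy`, listing that form (`"leap.se:wheezy";`) instead of or alongside `stable`. A comment naming which Release fields each entry is matched on would spare the next editor the same check.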
@@ -0,0 +1,33 @@ + + ServerName <%= tor_domain %> + + + Header always unset X-Powered-By + Header always unset X-Runtime + + +<% if (defined? @services) and (@services.include? 'webapp') -%> + DocumentRoot /srv/leap/webapp/public + + RewriteEngine On + # Check for maintenance file and redirect all requests + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + +<% end -%> + diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp new file mode 100644 index 00000000..ac0e8a37 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp 
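Review bot: `ServerName <%= tor_domain %>` uses the bare-variable form that Puppet 3 resolves through deprecated dynamic scoping, while the same template already reads `@services` as an instance variable; the "Fix deprecated dynamic lookups" commit earlier on this page is removing exactly this pattern, so it should be `ServerName <%= @tor_domain %>` (the variable is set in `site_webapp::hidden_service`, which declares this template). The container directives around these lines (`VirtualHost`, `Location`-style blocks) did not survive the rendering of this page, so the directive nesting — in particular which address and port this vhost binds, given the hidden service is told to forward to `127.0.0.1:80` — cannot be reviewed from this view.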
@@ -0,0 +1,43 @@ +class site_webapp::hidden_service { + $tor = hiera('tor') + $hidden_service = $tor['hidden_service'] + $tor_domain = "${hidden_service['address']}.onion" + + include site_apache::common + include site_apache::module::headers + include site_apache::module::alias + include site_apache::module::expires + include site_apache::module::removeip + + include tor::daemon + tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' } + + file { + '/var/lib/tor/webapp/': + ensure => directory, + owner => 'debian-tor', + group => 'debian-tor', + mode => '2700'; + + '/var/lib/tor/webapp/private_key': + ensure => present, + source => '/srv/leap/files/nodes/web/tor.key', + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600'; + + '/var/lib/tor/webapp/hostname': + ensure => present, + content => $tor_domain, + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600'; + } + + apache::vhost::file { + 'hidden_service': + content => template('site_apache/vhosts.d/hidden_service.conf.erb') + } + + include site_shorewall::tor +} \ No newline at end of file diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 17b010f3..12c69a39 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -10,6 +10,8 @@ class site_webapp { $webapp = hiera('webapp') $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] + $tor = hiera('tor') + $hidden_service = $tor['hidden_service'] Class['site_config::default'] -> Class['site_webapp'] @@ -157,6 +159,10 @@ class site_webapp { notify => Service['apache']; } + if $hidden_service['active'] { + include site_webapp::hidden_service + } + include site_shorewall::webapp include site_check_mk::agent::webapp } -- cgit v1.2.3 From d0658888a0af6b06b03fd172306ea3f346c50081 Mon Sep 17 00:00:00 2001 
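Review bot: `source => '/srv/leap/files/nodes/web/tor.key'` hard-codes the node name `web`, so a webapp node with any other name either fails on the missing file or is handed another node's onion key while its `hostname` file is written from its own `$tor_domain`; the path should derive from the node's own identity, e.g. `source => "/srv/leap/files/nodes/${::hostname}/tor.key"`, if that matches how the rest of the platform addresses per-node files. The key is the long-lived secret that identifies the onion service, so `0600` owned by `debian-tor` is right; the directory mode `2700`, however, adds setgid for no stated reason where `0700` is what tor documents for a hidden-service directory — either drop the bit or comment why it is there. Whether `tor::daemon::hidden_service { 'webapp': ... }` already manages `/var/lib/tor/webapp/` itself (a duplicate-declaration risk) cannot be told from this diff.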
From: Micah Anderson Date: Tue, 4 Nov 2014 20:45:39 -0500 Subject: revert 5787c97b6f73dacae7f01adeff203287007c381d: stop using bad nist curve for ssh host key (#6294) We need to transition smoother (see #6319) Change-Id: I8bee032aef9502a7d4b701b99719fbfb3b7169da --- puppet/modules/sshd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/sshd b/puppet/modules/sshd index 4652fbca..750a4977 160000 --- a/puppet/modules/sshd +++ b/puppet/modules/sshd @@ -1 +1 @@ -Subproject commit 4652fbcae0aadcded5d390e71882aec1b1b738ba +Subproject commit 750a497758d94c2f5a6cad23cecc3dbde2d2f92f -- cgit v1.2.3 From 3ec9b173c092f1b582285c3e3573259d289c400e Mon Sep 17 00:00:00 2001 From: guido Date: Thu, 6 Nov 2014 12:45:32 -0300 Subject: Better check for tor hidden service on a webapp node. Change-Id: I92f69b6fa30aae953243ae19096e2998810c9ac6 --- puppet/modules/site_webapp/manifests/init.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 12c69a39..752993c1 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -10,8 +10,7 @@ class site_webapp { $webapp = hiera('webapp') $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] - $tor = hiera('tor') - $hidden_service = $tor['hidden_service'] + $tor = hiera('tor', false) Class['site_config::default'] -> Class['site_webapp'] @@ -159,8 +158,11 @@ class site_webapp { notify => Service['apache']; } - if $hidden_service['active'] { - include site_webapp::hidden_service + if $tor { + $hidden_service = $tor['hidden_service'] + if $hidden_service['active'] { + include site_webapp::hidden_service + } } include site_shorewall::webapp -- cgit v1.2.3 From 180f32512a4c47444ea9e4f36d7376a894a83a4b Mon Sep 17 00:00:00 2001 
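Review bot: `$tor = hiera('tor', false)` guards only the top level: a `tor` section without a `hidden_service` key still reaches `$hidden_service['active']` with `$hidden_service` undef, which Puppet 3 reports as an error rather than treating as false, so a node that runs a tor relay but has no hidden-service config (if that combination is possible in this platform) would stop deploying. Guarding the second level as well keeps the intent readable and the node deployable: `if $tor and $tor['hidden_service'] and $tor['hidden_service']['active'] {`.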
From: Micah Anderson Date: Sat, 8 Nov 2014 00:44:30 -0500 Subject: Don't configure the tor DirPort options if the node is not an exit (#6335) Change-Id: I4c7fb20b6da6f6a5bb2dd5af70511a28d4581174 --- puppet/modules/site_tor/manifests/init.pp | 4 ---- 1 file changed, 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index e62cb12d..58f9e971 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -24,10 +24,6 @@ class site_tor { tor::daemon::directory { $::hostname: port => 80 } } else { - tor::daemon::directory { $::hostname: - port => 80, - port_front_page => ''; - } include site_tor::disable_exit } -- cgit v1.2.3 From fe23f66f0cff5af71c10aeefdbb0b1131d871219 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 8 Nov 2014 00:45:14 -0500 Subject: Only enable the tor DirPort options on an exit if the node isn't also a webapp node (#6336) Change-Id: Ib70bbd8fe7b94b7a1bfb09390d5dd1c535f2da16 --- puppet/modules/site_tor/manifests/init.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 58f9e971..8f68a4e4 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -21,7 +21,10 @@ class site_tor { } if ( $tor_type == 'exit'){ - tor::daemon::directory { $::hostname: port => 80 } + # Only enable the daemon directory if the node isn't also a webapp node + if ! member($::services, 'webapp') { + tor::daemon::directory { $::hostname: port => 80 } + } } else { include site_tor::disable_exit -- cgit v1.2.3 From 51d581583ca354232f6ccbfb771c1cad00ec2db3 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Sat, 8 Nov 2014 00:46:00 -0500 Subject: minor linting, arrow lining up Change-Id: Ibd08529b7d1c4fc22bcd0ca36e518afa5b8f6d24 --- puppet/modules/site_tor/manifests/init.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 8f68a4e4..9944bb2b 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -13,11 +13,11 @@ class site_tor { class { 'tor::daemon': } tor::daemon::relay { $nickname: - port => 9001, - address => $address, - contact_info => obfuscate_email($contact_emails), - bandwidth_rate => $bandwidth_rate, - my_family => $family + port => 9001, + address => $address, + contact_info => obfuscate_email($contact_emails), + bandwidth_rate => $bandwidth_rate, + my_family => $family } if ( $tor_type == 'exit'){ -- cgit v1.2.3 From b9d2030beb890e8dccbbe42bfcc430a2c2702a92 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 10 Nov 2014 20:43:24 -0800 Subject: openvpn - support customizing --fragment, and set default to 1400 --- puppet/modules/site_openvpn/manifests/server_config.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 97cf2842..466f6d00 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp 
@@ -85,6 +85,18 @@ define site_openvpn::server_config( key => 'tcp-nodelay', server => $openvpn_configname; } + } elsif $proto == 'udp' { + if $config['fragment'] != 1500 { + openvpn::option { + "fragment ${openvpn_configname}": + key => 'fragment', + value => $config['fragment'], + server => $openvpn_configname; + "mssfix ${openvpn_configname}": + key => 'mssfix', + server => $openvpn_configname; + } + } } openvpn::option { -- cgit v1.2.3 From 7521958cc6c210d65009aa87c6c7297fd9be3dd2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 15 Nov 2014 13:36:51 -0500 Subject: don't enable Tor DirPort if openvpn is running on port 80 (Bug #6377) We need to check the openvpn hiera value, which may or may not be set. If it is not set, then we need to not lookup the $openvpn['ports]' values or we will get an error because it wont be the correct type. If we do have it, then $openvpn_ports gets set with the hash, otherwise it gets set to an empty hash (otherwise puppet will complain when we try to query the member() later with "member(): Requires array to work with"). Finally, if it is set to port 80, we don't include the tor::daemon::directory Change-Id: Ic366c72e966cae9d611e8fe5aa7ea7943be51241 --- puppet/modules/site_tor/manifests/init.pp | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 9944bb2b..d14e813d 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -11,6 +11,14 @@ class site_tor { $address = hiera('ip_address') + $openvpn = hiera('openvpn', undef) + if $openvpn { + $openvpn_ports = $openvpn['ports'] + } + else { + $openvpn_ports = [] + } + class { 'tor::daemon': } tor::daemon::relay { $nickname: port => 9001, 
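Review bot: The `if $config['fragment'] != 1500` test treats 1500 as a magic "disabled" sentinel, and nothing in this hunk sets the 1400 default the commit subject mentions, so the manifest alone does not tell a reader where the value comes from or why 1500 means off; add `# fragment == 1500 (full MTU) means do not fragment; any smaller value emits --fragment and --mssfix` above the `if`. `mssfix` is also emitted without a value, leaving it to whatever OpenVPN derives on its own rather than visibly tying it to the chosen fragment size — if the intent is to keep TCP segments below that size, `value => $config['fragment'],` on the `mssfix` option states it explicitly. The define's option list continues past the hunk.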
@@ -22,7 +30,8 @@ class site_tor { if ( $tor_type == 'exit'){ # Only enable the daemon directory if the node isn't also a webapp node - if ! member($::services, 'webapp') { + # or running openvpn on port 80 + if ! member($::services, 'webapp') and ! member($openvpn_ports, '80') { tor::daemon::directory { $::hostname: port => 80 } } } -- cgit v1.2.3 From be18ba31fadd2e587672adc44175dd106187ceba Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Nov 2014 13:13:33 -0500 Subject: minor linting Change-Id: I6d04cc7e028e86ee0012d96d7ef075fdd7ecef19 --- puppet/modules/site_shorewall/manifests/dnat_rule.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index aa298408..49b929f2 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -4,7 +4,7 @@ define site_shorewall::dnat_rule { if $port != 1194 { if $site_openvpn::openvpn_allow_unlimited { shorewall::rule { - "dnat_tcp_port_$port": + "dnat_tcp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", @@ -13,7 +13,7 @@ define site_shorewall::dnat_rule { order => 100; } shorewall::rule { - "dnat_udp_port_$port": + "dnat_udp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", @@ -24,7 +24,7 @@ define site_shorewall::dnat_rule { } if $site_openvpn::openvpn_allow_limited { shorewall::rule { - "dnat_free_tcp_port_$port": + "dnat_free_tcp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", 
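Review bot: `member($openvpn_ports, '80')` compares against the string `'80'`, and stdlib's `member()` uses exact element equality, so if the `ports` list in the openvpn hiera data arrives as integers (as JSON numbers would), `80` never matches and the DirPort is still enabled on a node where openvpn owns port 80 — the bug #6377 sets out to close. Worth confirming the element type on a node that has the setting and, if it is numeric, normalising the list to strings before the test or comparing both forms. A comment on the new line, e.g. `# ports may be integers from JSON; member() does not coerce`, would at least flag the assumption.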
@@ -33,7 +33,7 @@ define site_shorewall::dnat_rule { order => 100; } shorewall::rule { - "dnat_free_udp_port_$port": + "dnat_free_udp_port_${port}": action => 'DNAT', source => 'net', destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", -- cgit v1.2.3 From e334f10447303209ac3802436437670f45511603 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Nov 2014 13:13:55 -0500 Subject: specify the destination IP for DNAT rules for gateway addresses on port 443 (#6388) Previously the DNAT rule would redirect the incoming port 443 requests to openvpn, which was the wrong thing to do on the primary IP (but the right thing to do on the openvpn gateway IPs). This manifested in the webapp not being available when it was also configured as a service on the node. Change-Id: Ic8c6b6c0389859fab168a7df687351e11263277a --- puppet/modules/site_shorewall/manifests/dnat_rule.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 49b929f2..f9fbe950 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -10,6 +10,7 @@ define site_shorewall::dnat_rule { destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", proto => 'tcp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } shorewall::rule { @@ -19,6 +20,7 @@ define site_shorewall::dnat_rule { destination => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", proto => 'udp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } } @@ -30,6 +32,7 @@ define site_shorewall::dnat_rule { destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", proto => 'tcp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } shorewall::rule { 
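Review bot: In the two `dnat_free_*` rules (the third hunk here and the fourth on the next line) `originaldest` is set to `$site_openvpn::unlimited_gateway_address` while the same rule's `destination` forwards to `${site_openvpn::limited_gateway_address}:1194`, which reads as a copy-paste from the first two rules. As written, traffic arriving for the limited gateway address on `$port` matches no DNAT rule at all, and the unlimited address carries two rules with equal `order` that forward to different gateways. The free rules should read `originaldest => $site_openvpn::limited_gateway_address,`.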
@@ -39,6 +42,7 @@ define site_shorewall::dnat_rule { destination => "\$FW:${site_openvpn::limited_gateway_address}:1194", proto => 'udp', destinationport => $port, + originaldest => $site_openvpn::unlimited_gateway_address, order => 100; } } -- cgit v1.2.3 From 896dd69710fa24a0235fc70081a71f35adbf9af1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Nov 2014 15:22:09 -0500 Subject: Make sure that stunnel restarts when cert/key change (#6181) Change-Id: I5085247a87018e18e73833119ac73225afbfea1e --- puppet/modules/site_stunnel/manifests/client.pp | 6 +----- puppet/modules/site_stunnel/manifests/init.pp | 2 ++ puppet/modules/site_stunnel/manifests/override_service.pp | 13 +++++++++++++ puppet/modules/site_stunnel/manifests/servers.pp | 6 +----- 4 files changed, 17 insertions(+), 10 deletions(-) create mode 100644 puppet/modules/site_stunnel/manifests/override_service.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp index 76815174..3b10ecb8 100644 --- a/puppet/modules/site_stunnel/manifests/client.pp +++ b/puppet/modules/site_stunnel/manifests/client.pp @@ -35,11 +35,7 @@ define site_stunnel::client ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => $rndfile, debuglevel => $debuglevel, - sslversion => 'TLSv1', - subscribe => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; + sslversion => 'TLSv1'; } site_shorewall::stunnel::client { $name: diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp index b292f1cd..2e0cf5b8 100644 --- a/puppet/modules/site_stunnel/manifests/init.pp +++ b/puppet/modules/site_stunnel/manifests/init.pp @@ -28,5 +28,7 @@ class site_stunnel { $clients = $stunnel['clients'] $client_sections = keys($clients) site_stunnel::clients { $client_sections: } + + include site_stunnel::override_service } 
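Review bot: The `dnat_free_udp_port_${port}` rule sets `originaldest => $site_openvpn::unlimited_gateway_address` but its `destination` is `${site_openvpn::limited_gateway_address}:1194`, so the free UDP rule keys on the wrong original destination: UDP traffic to the limited gateway IP on port `$port` is no longer DNATed to openvpn, and the rule instead competes with the unlimited one for traffic to the unlimited IP. Change it to `originaldest => $site_openvpn::limited_gateway_address,`. The define's opening lines are outside this hunk.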
diff --git a/puppet/modules/site_stunnel/manifests/override_service.pp b/puppet/modules/site_stunnel/manifests/override_service.pp new file mode 100644 index 00000000..96187048 --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/override_service.pp @@ -0,0 +1,13 @@ +class site_stunnel::override_service inherits stunnel::debian { + + include site_config::x509::cert + include site_config::x509::key + include site_config::x509::ca + + Service[stunnel] { + subscribe => [ + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ] + } +} diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp index 8d537644..b6fac319 100644 --- a/puppet/modules/site_stunnel/manifests/servers.pp +++ b/puppet/modules/site_stunnel/manifests/servers.pp @@ -35,11 +35,7 @@ define site_stunnel::servers ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => '/var/lib/stunnel4/.rnd', debuglevel => $debuglevel, - sslversion => 'TLSv1', - require => [ - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ]; + sslversion => 'TLSv1'; } # allow incoming connections on $accept_port -- cgit v1.2.3 From dff949811324215278ab7e4c2db5de63d8a6218b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Nov 2014 15:31:27 -0500 Subject: Make sure openvpn is restarted when cert/key change (#6405) I reformatted the section below for consistency. Change-Id: I18f5e23850e0c1ab4b1f2ee467d5af54ae9ff303 --- puppet/modules/site_openvpn/manifests/init.pp | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index b6331f12..a8d2044d 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
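Review bot: The `stunnel::service` declaration kept on the new side still carries `sslversion => 'TLSv1'`, which restricts every inter-node tunnel to TLS 1.0 exactly, since stunnel's `sslVersion` selects a single protocol version rather than a minimum. That is unrelated to the restart-on-cert-change fix this commit makes, but while the resource is being touched it is worth raising: if the installed stunnel/OpenSSL support it, `sslversion => 'TLSv1.2',` (or dropping the option and constraining ciphers instead) is the safer default for node-to-node traffic. The `site_stunnel::servers` define starts and ends outside the hunk.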
@@ -148,13 +148,17 @@ class site_openvpn { exec { 'restart_openvpn': command => '/etc/init.d/openvpn restart', refreshonly => true, - subscribe => File['/etc/openvpn'], + subscribe => [ + File['/etc/openvpn'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca'] ], require => [ - Package['openvpn'], - File['/etc/openvpn'], - Class['Site_config::X509::Key'], - Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca_bundle'] ]; + Package['openvpn'], + File['/etc/openvpn'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], + Class['Site_config::X509::Ca_bundle'] ]; } cron { 'add_gateway_ips.sh': -- cgit v1.2.3 From 503a316e67da2b4e0dbae7db28bbd0574fa3739f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 20 Nov 2014 16:27:35 -0500 Subject: ship a modified runit config for bigcouch that raises the open file descriptor limits to account for bigcouch sync spikes (#4935) Change-Id: I242fba31f961b6139ec641e1708b170f5c0d009b --- puppet/modules/site_couchdb/files/runit_config | 6 ++++++ puppet/modules/site_couchdb/manifests/bigcouch.pp | 10 ++++++++++ 2 files changed, 16 insertions(+) create mode 100644 puppet/modules/site_couchdb/files/runit_config (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/files/runit_config b/puppet/modules/site_couchdb/files/runit_config new file mode 100644 index 00000000..169b4832 --- /dev/null +++ b/puppet/modules/site_couchdb/files/runit_config @@ -0,0 +1,6 @@ +#!/bin/bash +exec 2>&1 +export HOME=/home/bigcouch +ulimit -H -n 32768 +ulimit -S -n 32768 +exec chpst -u bigcouch /opt/bigcouch/bin/bigcouch diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index d71c00c5..16593ec7 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp 
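Review bot: The new `subscribe` list names `Class['Site_config::X509::Ca']` while the `require` list directly beneath it names `Class['Site_config::X509::Ca_bundle']`; presumably both were meant to reference the CA class openvpn actually consumes. If `Site_config::X509::Ca` is not declared on openvpn nodes the catalog fails on an unknown class reference, and if it is, a change to the CA bundle openvpn uses would not trigger `restart_openvpn`. Use `Class['Site_config::X509::Ca_bundle']` in `subscribe` too (subscribe already implies ordering, so the three X509 entries in `require` then become redundant). The `site_openvpn` class continues on both sides of the hunk.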
@@ -31,4 +31,14 @@ class site_couchdb::bigcouch { file { '/var/log/bigcouch': ensure => directory } + + file { '/etc/sv/bigcouch/run': + ensure => present, + source => 'puppet:///modules/site_couchdb/runit_config', + owner => root, + group => root, + mode => '0755', + require => Package['couchdb'], + notify => Service['couchdb'] + } } -- cgit v1.2.3 From 6ebd8cee202c81260c151e7903ff2f16518ffa41 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Nov 2014 23:00:50 +0100 Subject: Fix Check_mk notifications (Bug #6403) Let check_mk put all hosts into the same "admin" contactgroup, which is defined as default contactgroup by nagios. Change-Id: I13b434925711ef2037de0cf6e919ce39a8255a94 --- puppet/modules/site_check_mk/files/host_contactgroups.mk | 3 +++ puppet/modules/site_check_mk/manifests/server.pp | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_check_mk/files/host_contactgroups.mk (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/host_contactgroups.mk b/puppet/modules/site_check_mk/files/host_contactgroups.mk new file mode 100644 index 00000000..e89323fb --- /dev/null +++ b/puppet/modules/site_check_mk/files/host_contactgroups.mk @@ -0,0 +1,3 @@ +host_contactgroups = [ + ( "admins", ALL_HOSTS ), +] diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index aa24d96c..388ae94b 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp 
@@ -40,6 +40,10 @@ class site_check_mk::server { content => template('site_check_mk/hostgroups.mk'), notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; + '/etc/check_mk/conf.d/host_contactgroups.mk': + source => 'puppet:///modules/site_check_mk/host_contactgroups.mk', + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; '/etc/check_mk/all_hosts_static': content => $all_hosts, notify => Exec['check_mk-refresh'], @@ -64,6 +68,5 @@ class site_check_mk::server { require => Package['nagios-plugins-basic']; } - include check_mk::agent::local_checks } -- cgit v1.2.3 From fbfc88d8e4ff032fd8155e264ba75668b426fdb2 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 23 Nov 2014 10:30:10 -0500 Subject: fix dependency on x509 ca_bundle class (#6410) Change-Id: Ia1e7009240d61464d7ba45ad07291664f6a3b768 --- puppet/modules/site_openvpn/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index a8d2044d..d6f9150b 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -152,7 +152,7 @@ class site_openvpn { File['/etc/openvpn'], Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], - Class['Site_config::X509::Ca'] ], + Class['Site_config::X509::Ca_bundle'] ], require => [ Package['openvpn'], File['/etc/openvpn'], -- cgit v1.2.3 From 83267a00f272a6f3f52a66eca44d9ca85924cc8e Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 25 Nov 2014 16:25:43 -0800 Subject: include a host information in ssh_config for ever possible host a given node might communicate with. this includes port and host key algorithm. closes #6432 --- puppet/modules/site_sshd/templates/ssh_config.erb | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'puppet/modules') 
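Review bot: The second hunk removes `include check_mk::agent::local_checks` from `site_check_mk::server`, but the commit message only describes adding the admins contact group, so it is unclear whether the monitoring server host is meant to lose its own local checks or whether the include is declared elsewhere and this is deduplication. If it is deliberate, add a line to the message saying why; otherwise restore `include check_mk::agent::local_checks`. The class body continues outside the hunk.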
diff --git a/puppet/modules/site_sshd/templates/ssh_config.erb b/puppet/modules/site_sshd/templates/ssh_config.erb index 7e967413..36c0b6d5 100644 --- a/puppet/modules/site_sshd/templates/ssh_config.erb +++ b/puppet/modules/site_sshd/templates/ssh_config.erb @@ -21,3 +21,20 @@ Host * StrictHostKeyChecking no <% end -%> +# +# Tell SSH what host key algorithm we should use. I don't understand why this +# is needed, since the man page says that "if hostkeys are known for the +# destination host then [HostKeyAlgorithms default] is modified to prefer +# their algorithms." +# + +<% @hosts.sort.each do |name, host| -%> +Host <%= name %> <%= host['domain_full'] %> <%= host['domain_internal'] %> <%= host['ip_address'] %> +<% if host['host_pub_key'] -%> +HostKeyAlgorithms <%= host['host_pub_key'].split(" ").first %> +<% end -%> +<% if host['port'] -%> +Port <%= host['port'] %> +<% end -%> + +<% end -%> -- cgit v1.2.3 From fb02557925a464488c2996df3625c051c172f8ad Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 30 Nov 2014 22:18:41 -0800 Subject: pin tapicero to version/0.6 --- puppet/modules/tapicero/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp index 2bf72004..28711b94 100644 --- a/puppet/modules/tapicero/manifests/init.pp +++ b/puppet/modules/tapicero/manifests/init.pp @@ -95,7 +95,7 @@ class tapicero { vcsrepo { '/srv/leap/tapicero': ensure => present, force => true, - revision => 'origin/master', + revision => 'origin/version/0.6', provider => git, source => 'https://leap.se/git/tapicero', owner => 'tapicero', -- cgit v1.2.3 From 1de9dd7b9297cdd67f8bf51352e5dcea08f5fb29 Mon Sep 17 00:00:00 2001 
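Review bot: The generated per-host `Host <name> …` blocks are emitted after the `Host *` block whose tail (`StrictHostKeyChecking no`) is visible at the top of the hunk, and ssh uses the first value obtained for each option, so any `Port` or `HostKeyAlgorithms` set under `Host *` (its start is outside the hunk) would silently win over these per-host values; if `Host *` sets either, the loop has to be emitted above it. The pinning itself is sound — `HostKeyAlgorithms <%= host['host_pub_key'].split(" ").first %>` makes the client offer only the key type recorded for that host — but it means a host key rotated to a different type cannot be connected to until the platform is redeployed, which is worth stating in place of the current "I don't understand why this is needed" comment, e.g. `# Pin the host key type we deployed for this host; a key of any other type (even a valid one) is refused until the platform is redeployed.`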
From: varac Date: Fri, 28 Nov 2014 22:21:15 +0100 Subject: ignore ntp check because it's flapping to often (Bug #6407) Change-Id: I52e19bbdfcf6576bd9c247d99aace47eb86c8116 --- puppet/modules/site_check_mk/files/ignored_services.mk | 3 +++ puppet/modules/site_check_mk/manifests/server.pp | 7 ++++++- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_check_mk/files/ignored_services.mk (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/ignored_services.mk b/puppet/modules/site_check_mk/files/ignored_services.mk new file mode 100644 index 00000000..35dc4433 --- /dev/null +++ b/puppet/modules/site_check_mk/files/ignored_services.mk @@ -0,0 +1,3 @@ +ignored_services = [ + ( ALL_HOSTS, [ "NTP Time" ] ) +] diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 388ae94b..93107b04 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -41,7 +41,11 @@ class site_check_mk::server { notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; '/etc/check_mk/conf.d/host_contactgroups.mk': - source => 'puppet:///modules/site_check_mk/host_contactgroups.mk', + source => 'puppet:///modules/site_check_mk/host_contactgroups.mk', + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; + '/etc/check_mk/conf.d/ignored_services.mk': + source => 'puppet:///modules/site_check_mk/ignored_services.mk', notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; '/etc/check_mk/all_hosts_static': @@ -61,6 +65,7 @@ class site_check_mk::server { owner => 'nagios', mode => '0644', require => Package['check-mk-server']; + # check_icmp must be suid root or called by sudo # see https://leap.se/code/issues/5171 '/usr/lib/nagios/plugins/check_icmp': -- cgit v1.2.3 From 989c203002c812b1e6089232409aab08c80aec5d Mon Sep 17 00:00:00 2001 
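Review bot: `( ALL_HOSTS, [ "NTP Time" ] )` silences the NTP check on every host rather than fixing why it flaps; clock skew is exactly what breaks certificate validity windows, token expiry and cross-host log correlation, so a fleet-wide blanket ignore trades a noisy alert for a blind spot. Prefer tuning the check's thresholds (check_mk exposes offset/stratum levels for the ntp check) or scoping the ignore to the hosts that actually flap, and record the intent in the file: `# Bug #6407: disabled while the check flaps; re-enable once thresholds are tuned`.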
From: varac Date: Fri, 28 Nov 2014 22:22:41 +0100 Subject: Increase nagios max_checks_attempts from 1 to 4 so notifications won't be sent out on first failed check_mk check (Bug #6461) Change-Id: I1bd47b3c3d17508488a4db90d74118006d85a03a --- puppet/modules/site_check_mk/files/extra_service_conf.mk | 3 +++ puppet/modules/site_check_mk/manifests/server.pp | 6 ++++++ 2 files changed, 9 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/extra_service_conf.mk (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/extra_service_conf.mk b/puppet/modules/site_check_mk/files/extra_service_conf.mk new file mode 100644 index 00000000..51f348f1 --- /dev/null +++ b/puppet/modules/site_check_mk/files/extra_service_conf.mk @@ -0,0 +1,3 @@ +extra_service_conf["max_check_attempts"] = [ + ("4", ALL_HOSTS , ALL_SERVICES ) +] diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 93107b04..b384923c 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -48,10 +48,16 @@ class site_check_mk::server { source => 'puppet:///modules/site_check_mk/ignored_services.mk', notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; + '/etc/check_mk/conf.d/extra_service_conf.mk': + source => 'puppet:///modules/site_check_mk/extra_service_conf.mk', + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; + '/etc/check_mk/all_hosts_static': content => $all_hosts, notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; + '/etc/check_mk/.ssh': ensure => directory, require => Package['check-mk-server']; -- cgit v1.2.3 From 77b04f641582d6995449305100b7a93d61b219d9 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Mon, 1 Dec 2014 13:29:20 -0500 Subject: Increase the nagios alert thresholds for bigcouch open file descriptors (#6473) Change-Id: I2549d781427fffc865c2bdcd1e950d60dad509fd --- puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index 01e2b886..ee0268a3 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -29,7 +29,7 @@ class site_check_mk::agent::couchdb { } file_line { 'Bigcouch_open_files': - line => 'Bigcouch_open_files /srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 750,750 -c 1000,1000', + line => 'Bigcouch_open_files /srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720', path => '/etc/check_mk/mrpe.cfg'; } -- cgit v1.2.3 From a3af7019efe6f5ff3daeeff474a8c31b1b3318c8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 2 Dec 2014 10:13:11 -0500 Subject: minor linting Change-Id: Idf550ed004bcb42d6e19ac0a2c5286f52a390935 --- puppet/modules/site_nagios/manifests/add_service.pp | 2 +- puppet/modules/site_nagios/manifests/server.pp | 2 +- puppet/modules/site_postfix/manifests/mx.pp | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index 1b67d14e..97c0b30d 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp @@ -9,7 +9,7 @@ define site_nagios::add_service ( nagios_service { "${name}_ssh": use => 'generic-service', - check_command => "check_ssh_port!$ssh_port", + check_command => "check_ssh_port!${ssh_port}", service_description => 'SSH', host_name => $hostname; "${name}_cert": 
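Review bot: `file_line` with only `line` set ensures the new line is present but does not remove the old one, so on hosts that already carry the `-w 750,750 -c 1000,1000` entry in `/etc/check_mk/mrpe.cfg` both `Bigcouch_open_files` lines remain and the check is defined twice, with the stale low thresholds still alerting. Add a match so the existing entry is edited in place: `match => '^Bigcouch_open_files ',` next to `line` and `path`. The `site_check_mk::agent::couchdb` class extends beyond the hunk.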
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index b195c880..37bd77fb 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -16,7 +16,7 @@ class site_nagios::server inherits nagios::base { include nagios::defaults::timeperiods include nagios::defaults::plugins - class {'nagios': + class { 'nagios': # don't manage apache class from nagios, cause we already include # it in site_apache::common httpd => 'absent', diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index bdfee665..81f10b77 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -1,12 +1,12 @@ class site_postfix::mx { - $domain_hash = hiera ('domain') + $domain_hash = hiera('domain') $domain = $domain_hash['full_suffix'] $host_domain = $domain_hash['full'] $cert_name = hiera('name') $mynetworks = join(hiera('mynetworks'), ' ') - $root_mail_recipient = hiera ('contacts') + $root_mail_recipient = hiera('contacts') $postfix_smtp_listen = 'all' include site_config::x509::cert -- cgit v1.2.3 From 172ad4bc7dd5b82629bfa776ec4164f902569fdb Mon Sep 17 00:00:00 2001 From: guido Date: Tue, 2 Dec 2014 11:40:04 -0300 Subject: Use $hostname to locate tor.key. Fixes #6478 Change-Id: Ibbe3687d5a773b444f6e9145bf235aaeea637e1d --- puppet/modules/site_webapp/manifests/hidden_service.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index ac0e8a37..16b6e2e7 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp 
@@ -21,7 +21,7 @@ class site_webapp::hidden_service { '/var/lib/tor/webapp/private_key': ensure => present, - source => '/srv/leap/files/nodes/web/tor.key', + source => "/srv/leap/files/nodes/${::hostname}/tor.key", owner => 'debian-tor', group => 'debian-tor', mode => '0600'; -- cgit v1.2.3 From 8578cf78aca62636cd80bf1302d2946f2d62dbfe Mon Sep 17 00:00:00 2001 From: guido Date: Tue, 2 Dec 2014 11:41:46 -0300 Subject: Use include to avoid redeclaration of class { 'tor::daemon': }. Fixes #6479 Change-Id: Ibd1b1eef7afca10cf2a2d56a24e703636d6a52c6 --- puppet/modules/site_tor/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index d14e813d..80ccc5d3 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -18,8 +18,8 @@ class site_tor { else { $openvpn_ports = [] } - - class { 'tor::daemon': } + + include tor::daemon tor::daemon::relay { $nickname: port => 9001, address => $address, -- cgit v1.2.3 From 5c300d2399398a7384728ef11b00642b8cfe5128 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 2 Dec 2014 20:21:26 +0100 Subject: Ignore bigcouch conflict errors, mainly coming from tapicero creating new users (Feature #6481) There are potentially many tapicero daemons running, and they all try to do the same thing at the same time. It is basically designed to create race conditions. All tapicero daemons try to create the user db at the same time. Only one of them wins the race and actually creates it. We need to fix this later (see https://leap.se/code/issues/6480) but for now, we ignore them because conflict errors should be handled by the applictation anyway. Change-Id: I91095b1901d238e3d199954ba3716023d3fd49c1 --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index 28f333b0..d274a676 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -6,6 +6,8 @@ I 127.0.0.1 localhost:5984 .* ok # https://leap.se/code/issues/5246 I Shutting down group server + # ignore bigcouch conflict errors, mainly coming from tapicero creating new users + I Error in process.*{{nocatch,conflict} # ignore "Uncaught error in HTTP request: {exit, normal}" error # it's suppressed in later versions of bigcouch anhow # see https://leap.se/code/issues/5226 -- cgit v1.2.3 From a84272aa77715a4029ebd06b38b7a5ad05e6acd0 Mon Sep 17 00:00:00 2001 
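Review bot: The ignore pattern `I Error in process.*{{nocatch,conflict}` relies on `{{` being read as literal braces; mk_logwatch compiles these lines as Python regexes (presumably — the plugin itself is not in this diff), where an unescaped `{` is literal only when it does not form a valid `{m,n}` quantifier, which happens to hold here but is easy to break on the next edit. Escape it explicitly: `I Error in process.*\{\{nocatch,conflict\}`. It would also help to tie the comment to the race it papers over, e.g. `# ignore bigcouch conflict errors from concurrent tapicero user creation; remove once #6480 is fixed`.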
From: Micah Anderson Date: Tue, 2 Dec 2014 11:26:35 -0500 Subject: Change nagios mail To: Header to contain the actual platform environment's contact email (Bug #6466) Change-Id: Ib86ae771e0ac3b6f329a517a8a31c9ec54d33a05 --- .../modules/site_check_mk/files/host_contactgroups.mk | 3 --- puppet/modules/site_check_mk/manifests/server.pp | 3 ++- .../site_check_mk/templates/host_contactgroups.mk | 17 +++++++++++++++++ puppet/modules/site_check_mk/templates/hostgroups.mk | 17 +++++++++++++++-- .../modules/site_nagios/manifests/add_host_services.pp | 5 ++++- puppet/modules/site_nagios/manifests/add_service.pp | 11 +++++++---- puppet/modules/site_nagios/manifests/server.pp | 9 +++++---- .../site_nagios/manifests/server/add_contacts.pp | 16 ++++++++++++++++ .../site_nagios/manifests/server/contactgroup.pp | 6 ++++++ .../modules/site_nagios/manifests/server/hostgroup.pp | 2 +- 10 files changed, 73 insertions(+), 16 deletions(-) delete mode 100644 puppet/modules/site_check_mk/files/host_contactgroups.mk create mode 100644 puppet/modules/site_check_mk/templates/host_contactgroups.mk create mode 100644 puppet/modules/site_nagios/manifests/server/add_contacts.pp create mode 100644 puppet/modules/site_nagios/manifests/server/contactgroup.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/host_contactgroups.mk b/puppet/modules/site_check_mk/files/host_contactgroups.mk deleted file mode 100644 index e89323fb..00000000 --- a/puppet/modules/site_check_mk/files/host_contactgroups.mk +++ /dev/null @@ -1,3 +0,0 @@ -host_contactgroups = [ - ( "admins", ALL_HOSTS ), -] diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index b384923c..1a866b9c 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp 
@@ -11,6 +11,7 @@ class site_check_mk::server { $hosts = hiera_hash('hosts') $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') $domains_internal = $nagios_hiera['domains_internal'] + $environments = $nagios_hiera['environments'] package { 'check-mk-server': ensure => installed, @@ -41,7 +42,7 @@ class site_check_mk::server { notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; '/etc/check_mk/conf.d/host_contactgroups.mk': - source => 'puppet:///modules/site_check_mk/host_contactgroups.mk', + content => template('site_check_mk/host_contactgroups.mk'), notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; '/etc/check_mk/conf.d/ignored_services.mk': diff --git a/puppet/modules/site_check_mk/templates/host_contactgroups.mk b/puppet/modules/site_check_mk/templates/host_contactgroups.mk new file mode 100644 index 00000000..6a534967 --- /dev/null +++ b/puppet/modules/site_check_mk/templates/host_contactgroups.mk @@ -0,0 +1,17 @@ +<% + contact_groups = [] + @environments.keys.sort.each do |env_name| + hosts = "" + @nagios_hosts.keys.sort.each do |hostname| + hostdata = @nagios_hosts[hostname] + domain_internal = hostdata['domain_internal'] + if hostdata['environment'] == env_name + hosts << '"' + domain_internal + '", ' + end + end + contact_groups << ' ( "%s", [%s] )' % [env_name, hosts] + end +%> +host_contactgroups = [ +<%= contact_groups.join(",\n") %> +] diff --git a/puppet/modules/site_check_mk/templates/hostgroups.mk b/puppet/modules/site_check_mk/templates/hostgroups.mk index 79b7f92f..7158dcd1 100644 --- a/puppet/modules/site_check_mk/templates/hostgroups.mk +++ b/puppet/modules/site_check_mk/templates/hostgroups.mk 
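Review bot: The template puts a host into a contact group only when `hostdata['environment']` equals one of the `@environments` keys; a host whose `environment` is unset or not listed in the nagios hiera lands in no `host_contactgroups` entry, and the `( "admins", ALL_HOSTS )` fallback from the deleted static file is gone, so such a host would alert nobody. Either append a catch-all entry such as `( "admins", ALL_HOSTS )` after the generated ones, or fail the compile when a host has no environment. The host names and environment names are also interpolated unquoted into Python source; hiera is operator-controlled, so this is a robustness rather than an injection concern, but a `"` in `domain_internal` would corrupt the generated config.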
@@ -1,4 +1,17 @@ +<% + host_groups = [] + @environments.keys.sort.each do |env_name| + hosts = "" + @nagios_hosts.keys.sort.each do |hostname| + hostdata = @nagios_hosts[hostname] + domain_internal = hostdata['domain_internal'] + if hostdata['environment'] == env_name + hosts << '"' + domain_internal + '", ' + end + end + host_groups << ' ( "%s", [%s] )' % [env_name, hosts] + end +%> host_groups = [ - <% @domains_internal.each do |domain| %>( '<%= domain %>', [<% @nagios_hosts.keys.sort.each do |key| -%><% if @nagios_hosts[key]['domain_internal'] == key+'.'+domain -%>'<%= key %>.<%= domain %>', <% end -%><% end -%>] ), - <% end -%> +<%= host_groups.join(",\n") %> ] diff --git a/puppet/modules/site_nagios/manifests/add_host_services.pp b/puppet/modules/site_nagios/manifests/add_host_services.pp index 279809d1..236702e2 100644 --- a/puppet/modules/site_nagios/manifests/add_host_services.pp +++ b/puppet/modules/site_nagios/manifests/add_host_services.pp @@ -4,7 +4,9 @@ define site_nagios::add_host_services ( $ip_address, $services, $ssh_port, - $openvpn_gateway_address='' ) { + $environment, + $openvpn_gateway_address='', + ) { $nagios_hostname = $domain_internal @@ -16,6 +18,7 @@ define site_nagios::add_host_services ( 'hostname' => $nagios_hostname, 'ip_address' => $ip_address, 'openvpn_gw' => $openvpn_gateway_address, + 'environment' => $environment } $dynamic_parameters = { 'service' => '%s' diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index 97c0b30d..72cd038a 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp @@ -1,5 +1,5 @@ define site_nagios::add_service ( - $hostname, $ip_address, $openvpn_gw = '', $service) { + $hostname, $ip_address, $service, $environment, $openvpn_gw = '') { $ssh = hiera_hash('ssh') $ssh_port = $ssh['port'] 
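Review bot: `site_nagios::add_host_services` gains a mandatory `$environment` parameter (no default, unlike `$openvpn_gateway_address=''`), so any entry in the nagios `hosts` hash that lacks an `environment` key now fails catalog compilation with a "must pass environment" error instead of simply receiving no contact group. If older platform data may still omit it, give it a default and let the contact-group side tolerate the empty value, e.g. `$environment = '',`; if it is required, say so in the commit message. The define's opening line and body are outside the hunk.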
@@ -11,17 +11,20 @@ define site_nagios::add_service ( use => 'generic-service', check_command => "check_ssh_port!${ssh_port}", service_description => 'SSH', - host_name => $hostname; + host_name => $hostname, + contact_groups => $environment; "${name}_cert": use => 'generic-service', check_command => 'check_https_cert', service_description => 'Website Certificate', - host_name => $hostname; + host_name => $hostname, + contact_groups => $environment; "${name}_website": use => 'generic-service', check_command => 'check_https', service_description => 'Website', - host_name => $hostname + host_name => $hostname, + contact_groups => $environment; } } default: {} diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 37bd77fb..068ee419 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -6,12 +6,11 @@ class site_nagios::server inherits nagios::base { $nagios_hiera = hiera('nagios') $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) $nagios_hosts = $nagios_hiera['hosts'] - $domains_internal = $nagios_hiera['domains_internal'] + $nagios_contacts = hiera('contacts') + $environment = $nagios_hiera['environments'] include nagios::base include nagios::defaults::commands - include nagios::defaults::contactgroups - include nagios::defaults::contacts include nagios::defaults::templates include nagios::defaults::timeperiods include nagios::defaults::plugins @@ -63,5 +62,7 @@ class site_nagios::server inherits nagios::base { 'set copytruncate copytruncate' ] } - ::site_nagios::server::hostgroup { $domains_internal: } + create_resources ( site_nagios::server::hostgroup, $environment ) + create_resources ( site_nagios::server::contactgroup, $environment ) + create_resources ( site_nagios::server::add_contacts, $environment ) } 
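Review bot: `$environment = $nagios_hiera['environments']` in site_nagios::server binds a hash of environments to a singular name that also shadows Puppet's top-scope `$environment` (the agent/master environment), which is confusing in a class that is itself deployed per environment and will mislead the first reader who expects the usual value. site_check_mk::server in the same commit uses `$environments` for the same hiera key, so `$environments = $nagios_hiera['environments']` with the three `create_resources` calls in the second hunk renamed to match would keep the two classes consistent. `$nagios_contacts = hiera('contacts')` is added here but not referenced within the hunk; if nothing further down in the class uses it, it can go, since the per-environment contacts now come from the `contact_emails` values passed through `create_resources`.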
diff --git a/puppet/modules/site_nagios/manifests/server/add_contacts.pp b/puppet/modules/site_nagios/manifests/server/add_contacts.pp new file mode 100644 index 00000000..db507abf --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/add_contacts.pp @@ -0,0 +1,16 @@ +define site_nagios::server::add_contacts ($contact_emails) { + + $environment = $name + + nagios_contact { + $environment: + alias => $environment, + service_notification_period => '24x7', + host_notification_period => '24x7', + service_notification_options => 'w,u,c,r', + host_notification_options => 'd,r', + service_notification_commands => 'notify-service-by-email', + host_notification_commands => 'notify-host-by-email', + email => join($contact_emails, ', ') + } +} diff --git a/puppet/modules/site_nagios/manifests/server/contactgroup.pp b/puppet/modules/site_nagios/manifests/server/contactgroup.pp new file mode 100644 index 00000000..188c54f1 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/contactgroup.pp @@ -0,0 +1,6 @@ +define site_nagios::server::contactgroup ($contact_emails) { + + nagios_contactgroup { $name: + members => $name + } +} diff --git a/puppet/modules/site_nagios/manifests/server/hostgroup.pp b/puppet/modules/site_nagios/manifests/server/hostgroup.pp index 035ba7d1..6f85ca6d 100644 --- a/puppet/modules/site_nagios/manifests/server/hostgroup.pp +++ b/puppet/modules/site_nagios/manifests/server/hostgroup.pp @@ -1,3 +1,3 @@ -define site_nagios::server::hostgroup { +define site_nagios::server::hostgroup ($contact_emails) { nagios_hostgroup { $name: } } -- cgit v1.2.3 From 049b29370e406cb424254f3be9a283f83f9e92d8 Mon Sep 17 00:00:00 2001 
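Review bot: `site_nagios::server::contactgroup` and `site_nagios::server::hostgroup` both declare a `$contact_emails` parameter they never use; it exists only because all three defines are fed the same per-environment hash through `create_resources`, which rejects unknown keys, and a reader of either file alone cannot tell that. A comment on each parameter list, `# $contact_emails is unused here; accepted so create_resources can pass the same per-environment hash it gives add_contacts`, records the reason. `site_nagios::server::add_contacts` likewise deserves a header line stating that `$name` is the environment and doubles as the nagios contact name that contactgroup's `members => $name` refers to, and that the joined `email` list goes into the nagios config verbatim from hiera.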
From: varac Date: Thu, 4 Dec 2014 13:56:41 +0100 Subject: remove webapp python tests, because they are integrated into the platform now (Bug #6489) Change-Id: Iaec748a173b6e11bb3ab3c11ca152809817644f9 --- .../modules/site_check_mk/manifests/agent/webapp.pp | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp index 64f5ea6d..88c3da30 100644 --- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp @@ -1,20 +1,11 @@ class site_check_mk::agent::webapp { - # check webapp login + soledad sync - package { [ 'python-srp', 'python-requests', 'python-yaml', 'python-u1db' ]: - ensure => installed + # remove leftovers of webapp python checks + file { + [ '/usr/lib/check_mk_agent/local/nagios-webapp_login.py', + '/usr/lib/check_mk_agent/local/soledad_sync.py' ]: + ensure => absent } - file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py': - ensure => link, - target => '/srv/leap/webapp/test/nagios/webapp_login.py', - require => Package['check_mk-agent'] - } - file { '/usr/lib/check_mk_agent/local/soledad_sync.py': - ensure => link, - target => '/srv/leap/webapp/test/nagios/soledad_sync.py', - require => Package['check_mk-agent'] - } - # check syslog concat::fragment { 'syslog_webapp': -- cgit v1.2.3 From dd888ede2897d56e1b7273160b99f990cd4bcf31 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Dec 2014 10:07:12 +0100 Subject: logwatch: ignore postfix errors on lost connection (Bug #6476) Change-Id: I0b1eec11a3b3da39d65572b6bee8b3ce892e08ac --- puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg index 450b9e90..60881e22 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg @@ -1,7 +1,9 @@ # some general patterns + I Error: Driver 'pcspkr' is already registered, aborting... +# ignore postfix errors on lost connection (Bug #6476) + I postfix/smtpd.*SSL_accept error from.*lost connection C panic C Oops - I Error: Driver 'pcspkr' is already registered, aborting... C Error C error W generic protection rip -- cgit v1.2.3 From 5f2369f1152d63f8a1969f1826140161cc9cd241 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Dec 2014 12:54:36 +0100 Subject: Deploy leap ca cert for smtp tls config (Bug #6485) Change-Id: I029ffabd33299a5b42e5f262e372eafb6272d094 --- puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp index d9b59f40..d56f6b54 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp @@ -1,5 +1,6 @@ class site_postfix::mx::smtp_tls { + include site_config::x509::ca include x509::variables $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" -- cgit v1.2.3 From f48d4dd084376e813cd94c3ef56c3363d83c6f85 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Dec 2014 21:43:42 +0100 Subject: updated submodule check_mk in order to purge old checks from check_mk_objects.cfg (Feature #5142) Change-Id: Ib0283806b5485a9d15f0aa7e09142989367dae20 --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') 
diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index 5c11597a..205859d8 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit 5c11597a055858b5ddc1ce8f7f8db249f5f1b336 +Subproject commit 205859d87884ac4ceee6d1365548e7dc55640bfa -- cgit v1.2.3 From 3c62d05813568dc389ce54754c1f4f055c899fdc Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 9 Dec 2014 16:48:53 -0500 Subject: add dependency on the stunnel service so refresh_stunnel is not run until the service has been started (#6495) Change-Id: Id48fedb5731117b68b7386c4ce22516333d94081 --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index ec49fd93..b0dc7c84 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit ec49fd93c2469bc5c13f7e6a7d25468613e1b84f +Subproject commit b0dc7c84b5f55aec12d7d65da812037913d9dbee -- cgit v1.2.3 From 2097a686cbe4958a0224e16806ae09ff5fe13933 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Dec 2014 23:31:48 +0100 Subject: Soledad sync check needs python-u1db package installed (Bug #6520) Change-Id: I8a6c27434f548f24d9dba1a969699200ab307477 --- puppet/modules/site_webapp/manifests/init.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 752993c1..9f97d2c5 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -165,6 +165,13 @@ class site_webapp { } } + + # needed for the soledad-sync check which is run on the + # webapp node (#6520) + package { 'python-u1db': + ensure => latest, + } + include site_shorewall::webapp include site_check_mk::agent::webapp } -- cgit v1.2.3 From a8334795fd393fac6e5055085fd7ab94b3b3295a Mon Sep 17 00:00:00 2001 
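Review bot: `ensure => latest` on `package { 'python-u1db': }` turns every puppet run into an upgrade opportunity for that package from whatever apt sources the node has, so a dependency of the soledad-sync check can change underneath it without any platform change; `ensure => installed`, as the other package resources on this page use, or an explicit version is the reproducible choice. The same package was dropped from site_check_mk::agent::webapp earlier in this series (L116), so a comment pointing at that class would also help keep the two from diverging again.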
From: Micah Anderson Date: Tue, 9 Dec 2014 21:03:02 -0500 Subject: Ignore rexi_EXIT bigcouch error (Bug #6512) Change-Id: I03842b65329aabb012cc2c7514007e174cbd8fc0 --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index d274a676..5cd2a47b 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -13,6 +13,8 @@ # see https://leap.se/code/issues/5226 I Uncaught error in HTTP request: {exit,normal} I Uncaught error in HTTP request: {exit, + # Ignore rexi_EXIT bigcouch error (Bug #6512) + I Error in process <[0-9.]+> on node .* with exit value: {{rexi_EXIT,{killed,\[{couch_db,collect_results C Uncaught error in HTTP request: {error, C Response abnormally terminated: {nodedown, C rexi_DOWN,noproc -- cgit v1.2.3 From a70488de29e8721191de1f6a504dcc35e5d74770 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 10 Dec 2014 11:55:24 +0100 Subject: ignore transient Tapicero errors when creating a db (Bug #6511) Change-Id: I0939070482fad4f99f03e41094a3df42ff5063e4 --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg index 93ce0311..3aec4ad0 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg 
@@ -3,6 +3,8 @@ # instances, so we ignore it # see https://leap.se/code/issues/5168 I tapicero.*RestClient::PreconditionFailed: +# Ignore transient Tapicero errors when creating a db (#6511) + I tapicero.*Creating database user-[[:alnum:]]* failed \(trying again soon\): RestClient::InternalServerError: 500 Internal Server Error C tapicero.*Creating database.*failed due to: C tapicero.*failed W tapicero.*Couch stream ended unexpectedly. -- cgit v1.2.3 From 9076e8ccf62bd4cf25cd22af98d3536aff361b51 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 10 Dec 2014 10:48:10 -0500 Subject: update ffa53ef321bbfd771afff1ccb230d1b5e4f9ab00 to fix ordering requirement in logwatch, remove extended regexp character class and also ignore "Writing security" lines Change-Id: I7d33725db06a40361a3b04f9591adeb6a025bf77 --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg index 3aec4ad0..c998322c 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg 
@@ -1,10 +1,10 @@ +# Ignore transient Tapicero errors when creating a db (#6511) + I tapicero.*(Creating database|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|twice due to): RestClient::InternalServerError: 500 Internal Server Error C tapicero.*RestClient::InternalServerError: # possible race condition between multiple tapicero # instances, so we ignore it # see https://leap.se/code/issues/5168 I tapicero.*RestClient::PreconditionFailed: -# Ignore transient Tapicero errors when creating a db (#6511) - I tapicero.*Creating database user-[[:alnum:]]* failed \(trying again soon\): RestClient::InternalServerError: 500 Internal Server Error C tapicero.*Creating database.*failed due to: C tapicero.*failed W tapicero.*Couch stream ended unexpectedly. -- cgit v1.2.3 From c02a397a2ce13a8917d647ab849225295253e228 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 10 Dec 2014 20:22:40 +0100 Subject: Fix "invalid parameter domain_internal_suffix" on monitor node (#6477) leap_platform was modified so the nagios.internal_domains contain the domain name (with the tld replaced by an "i" for internal), see https://leap.se/code/issues/6477#note-11. in order to achieve this the easy way, each host got added a domain_internal_suffix value, which can be iterated over to get all nagios.internal_domains. Because we use `create_resources ( site_nagios::add_host_services, $nagios_hosts )` in site_nagios::server to deploy the services, the site_nagios::add_host_services define needs to have a domain_internal_suffix parameter added. Change-Id: I6b83b3f291a1a611b5b92d5ba3ed82597a42bba7 --- puppet/modules/site_nagios/manifests/add_host_services.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nagios/manifests/add_host_services.pp b/puppet/modules/site_nagios/manifests/add_host_services.pp index 236702e2..bd968e6f 100644 --- a/puppet/modules/site_nagios/manifests/add_host_services.pp 
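Review bot: The new ignore line accepts both alternatives of `(\(trying again soon\)|twice due to)`, so a `... failed twice due to: RestClient::InternalServerError: 500 ...` message—tapicero's final give-up, if that is what "twice due to" signals—is now swallowed before the `C tapicero.*Creating database.*failed due to:` line further down can classify it as critical. If only the retry case is transient, drop the second alternative: `I tapicero.*(Creating database|Writing security to|Uploading design doc to) user-.* failed \(trying again soon\): RestClient::InternalServerError: 500 Internal Server Error`, and let the existing `C` lines handle the permanent failure. A short comment stating that the first matching pattern wins, which is why this block now sits at the top of the file, would explain the reorder to the next editor.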
+++ b/puppet/modules/site_nagios/manifests/add_host_services.pp @@ -1,6 +1,7 @@ define site_nagios::add_host_services ( $domain_full_suffix, $domain_internal, + $domain_internal_suffix, $ip_address, $services, $ssh_port, -- cgit v1.2.3 From 8c0fa3991f03c31fa2b4d61f20c824b86e1efa1c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 11 Dec 2014 15:55:00 -0500 Subject: logwatch: ignore ipv6 icmp errors (Bug #6540) Change-Id: I198c5245c7e73d6dd7a7d9725fac1eb9a8f425a5 --- puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg index 60881e22..b19ac241 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg @@ -11,3 +11,5 @@ # 401 Unauthorized error logged by webapp and possible other # applications C Unauthorized +# ignore ipv6 icmp errors for now (Bug #6540) + I kernel: .*icmpv6_send: no reply to icmp error -- cgit v1.2.3 From c6104cc1ffaca59544f4b4966a640be1ebcfa662 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 11 Dec 2014 22:12:02 +0100 Subject: Increase time between two check_mk_agent runs (Bug #6539) right now, check_mk_agent is run every minute on each host. The soledad sync test depends on tapicero, and in between finishing the soledad test and removing the testuser db, and the start of another test there's only 13s Change-Id: I5b22ba02470cce799a12043d21091c0c9b8e0b5f --- puppet/modules/site_check_mk/files/extra_service_conf.mk | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/extra_service_conf.mk b/puppet/modules/site_check_mk/files/extra_service_conf.mk index 51f348f1..03d1ea76 100644 --- a/puppet/modules/site_check_mk/files/extra_service_conf.mk 
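Review bot: `$domain_internal_suffix` is added to the site_nagios::add_host_services parameter list but, per the commit description, only so that `create_resources(site_nagios::add_host_services, $nagios_hosts)` stops rejecting the new key on every host; nothing in the hunk uses it, and the define's body lies outside the hunk. A comment on the parameter, `# $domain_internal_suffix: unused here, accepted because create_resources passes every key of the nagios hosts hash`, saves the next reader from searching for a consumer. If the define never needs the value, a default (`$domain_internal_suffix = undef,`) keeps older host hashes that lack the key compiling.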
+++ b/puppet/modules/site_check_mk/files/extra_service_conf.mk @@ -1,3 +1,13 @@ +# retry 3 times before setting a service into a hard state +# and send out notification extra_service_conf["max_check_attempts"] = [ ("4", ALL_HOSTS , ALL_SERVICES ) ] + +# run check_mk_agent every 2 minutes if it terminates +# successfully. +# see https://leap.se/code/issues/6539 for the rationale +extra_service_conf["normal_check_interval"] = [ + ("2", ALL_HOSTS , "Check_MK" ) +] + -- cgit v1.2.3 From 0687c83543da29f86e94c46fb3fe872ab19cb709 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 11 Dec 2014 22:26:28 +0100 Subject: Increase max_check_attempts for hosts checks (Bug #6535) Change-Id: I10ec569821f329e3bd10ac87242db102e9c82246 --- puppet/modules/site_check_mk/files/extra_host_conf.mk | 6 ++++++ puppet/modules/site_check_mk/manifests/server.pp | 4 ++++ 2 files changed, 10 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/extra_host_conf.mk (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/extra_host_conf.mk b/puppet/modules/site_check_mk/files/extra_host_conf.mk new file mode 100644 index 00000000..2c96f97a --- /dev/null +++ b/puppet/modules/site_check_mk/files/extra_host_conf.mk @@ -0,0 +1,6 @@ +# retry 3 times before setting a host into a hard state +# and send out notification +extra_host_conf["max_check_attempts"] = [ + ("4", ALL_HOSTS ) +] + diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 1a866b9c..171f1576 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp 
@@ -53,6 +53,10 @@ class site_check_mk::server { source => 'puppet:///modules/site_check_mk/extra_service_conf.mk', notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; + '/etc/check_mk/conf.d/extra_host_conf.mk': + source => 'puppet:///modules/site_check_mk/extra_host_conf.mk', + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; '/etc/check_mk/all_hosts_static': content => $all_hosts, -- cgit v1.2.3 From a64b2081b872823f2d539b48151bc0d323b42453 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 11 Dec 2014 21:22:49 -0500 Subject: Ignore additional tapicero message (#6542): tapicero[921]: Checking security of user-1b3b1fb78db851190fa72dac01207b8d failed (trying again soon): RestClient::ResourceNotFound: 404 Resource Not Found: {"error":"not_found","reason":"Database does not exist."}") tapicero recovers from this error Change-Id: Ic105823ddc282512000e6d7445539428581eb997 --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg index c998322c..d9f0eafc 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg 
@@ -1,5 +1,5 @@ # Ignore transient Tapicero errors when creating a db (#6511) - I tapicero.*(Creating database|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|twice due to): RestClient::InternalServerError: 500 Internal Server Error + I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|twice due to): (RestClient::Resource Not Found|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error) C tapicero.*RestClient::InternalServerError: # possible race condition between multiple tapicero # instances, so we ignore it -- cgit v1.2.3 From 8d31cbc8e52f75384e9a5c3e3630a02effe063a8 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 14 Dec 2014 19:45:50 -0800 Subject: pin tapicero to origin/develop --- puppet/modules/tapicero/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp index 28711b94..32354823 100644 --- a/puppet/modules/tapicero/manifests/init.pp +++ b/puppet/modules/tapicero/manifests/init.pp @@ -95,7 +95,7 @@ class tapicero { vcsrepo { '/srv/leap/tapicero': ensure => present, force => true, - revision => 'origin/version/0.6', + revision => 'origin/develop' provider => git, source => 'https://leap.se/git/tapicero', owner => 'tapicero', -- cgit v1.2.3 From 42ce1aa4fdeaa54058acbbd8530031ce2e516373 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 14 Dec 2014 20:06:09 -0800 Subject: fix tapicero typo --- puppet/modules/tapicero/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp index 32354823..ae5d058e 100644 --- a/puppet/modules/tapicero/manifests/init.pp +++ b/puppet/modules/tapicero/manifests/init.pp 
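Review bot: The new alternation spells the exception class as `RestClient::Resource Not Found` (with spaces), while the log line quoted in the commit description reads `RestClient::ResourceNotFound: 404 Resource Not Found`, so the 404 branch of this ignore pattern can never match and those lines fall through to `C tapicero.*failed`, defeating the change. The fix is one token: `(RestClient::ResourceNotFound|RestClient::InternalServerError)`. Because the class and status alternatives are independent, the pattern also accepts mismatched pairs such as `InternalServerError: 404`; harmless for an ignore rule, but pairing them explicitly would document what is actually expected.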
@@ -95,7 +95,7 @@ class tapicero { vcsrepo { '/srv/leap/tapicero': ensure => present, force => true, - revision => 'origin/develop' + revision => 'origin/develop', provider => git, source => 'https://leap.se/git/tapicero', owner => 'tapicero', -- cgit v1.2.3 From 6df0eb2921db5ea32662036a9fe297cdfb5042ee Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 11 Dec 2014 19:01:16 -0500 Subject: Move kernel ipv6 log message up before the 'C error' line to it is caught (#6540) Change-Id: I1fe8d4cf60532dfe01cfb3a014c4cbeb4acdc479 --- puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg index b19ac241..b8f47434 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg @@ -5,11 +5,11 @@ C panic C Oops C Error +# ignore ipv6 icmp errors for now (Bug #6540) + I kernel: .*icmpv6_send: no reply to icmp error C error W generic protection rip W .*Unrecovered read error - auto reallocate failed # 401 Unauthorized error logged by webapp and possible other # applications C Unauthorized -# ignore ipv6 icmp errors for now (Bug #6540) - I kernel: .*icmpv6_send: no reply to icmp error -- cgit v1.2.3 From 970af8cf4a7670c01cd06b45a09f010d91949a2f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Dec 2014 10:56:41 -0500 Subject: ignore additional bigcouch error messages (#6512) Change-Id: Ie51fb485bcae9a9467c465bdd1b4a5785023db04 --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index 5cd2a47b..3d5ada42 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -14,7 +14,7 @@ I Uncaught error in HTTP request: {exit,normal} I Uncaught error in HTTP request: {exit, # Ignore rexi_EXIT bigcouch error (Bug #6512) - I Error in process <[0-9.]+> on node .* with exit value: {{rexi_EXIT,{killed,\[{couch_db,collect_results + I Error in process <[0-9.]+> on node .* with exit value: {{rexi_EXIT,{(killed|noproc|shutdown),\[{couch_db,collect_results C Uncaught error in HTTP request: {error, C Response abnormally terminated: {nodedown, C rexi_DOWN,noproc -- cgit v1.2.3 From 8c89257f8b600d30e47f9321ef957af719b4ea21 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Dec 2014 11:06:28 -0500 Subject: Ignore postfix "too many errors after DATA" logwatch msg (Bug #6545) Change-Id: I0abeb88f7b6548e5742bd3d99b2f4e5d9c6cf421 --- puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg index b19ac241..71395c50 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg 
@@ -2,14 +2,16 @@ I Error: Driver 'pcspkr' is already registered, aborting... # ignore postfix errors on lost connection (Bug #6476) I postfix/smtpd.*SSL_accept error from.*lost connection +# ignore postfix too many errors after DATA (#6545) + I postfix/smtpd.*too many errors after DATA from C panic C Oops C Error +# ignore ipv6 icmp errors for now (Bug #6540) + I kernel: .*icmpv6_send: no reply to icmp error C error W generic protection rip W .*Unrecovered read error - auto reallocate failed # 401 Unauthorized error logged by webapp and possible other # applications C Unauthorized -# ignore ipv6 icmp errors for now (Bug #6540) - I kernel: .*icmpv6_send: no reply to icmp error -- cgit v1.2.3 From 9e3be523477be6cf65a1ef1c83382eb7d74d4636 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 16 Dec 2014 10:59:35 -0800 Subject: repin tapicero to version/0.6 --- puppet/modules/tapicero/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp index ae5d058e..28711b94 100644 --- a/puppet/modules/tapicero/manifests/init.pp +++ b/puppet/modules/tapicero/manifests/init.pp @@ -95,7 +95,7 @@ class tapicero { vcsrepo { '/srv/leap/tapicero': ensure => present, force => true, - revision => 'origin/develop', + revision => 'origin/version/0.6', provider => git, source => 'https://leap.se/git/tapicero', owner => 'tapicero', -- cgit v1.2.3 From 8d6c05adf08eb2ddc29c4481ea06fcf85dda7b26 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Dec 2014 20:00:01 -0500 Subject: Ignore "Generic server terminating" bigcouch message (Feature #6544) Change-Id: I73defd7964501e4eabe7dd05c02887e7aeb2f063 --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet/modules') 
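Review bot: `I postfix/smtpd.*too many errors after DATA from` silences that message completely; postfix emits it when a client exceeds `smtpd_hard_error_limit`, which is also a common signature of abusive or broken senders, and the only reason it reached check_mk as critical was the generic `C error` line below. If the intent is to stop the false critical rather than to lose the signal, `W postfix/smtpd.*too many errors after DATA from` keeps it visible as a warning. The pattern depends on being placed above `C error` (the same first-match ordering the ipv6 move in this hunk relies on), which is worth stating in the comment.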
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index 5cd2a47b..434d5503 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -15,6 +15,10 @@ I Uncaught error in HTTP request: {exit, # Ignore rexi_EXIT bigcouch error (Bug #6512) I Error in process <[0-9.]+> on node .* with exit value: {{rexi_EXIT,{killed,\[{couch_db,collect_results + # Ignore "Generic server terminating" bigcouch message (Feature #6544) + I Generic server <.*> terminating + I {error_report,<.*>, + I {error_info, C Uncaught error in HTTP request: {error, C Response abnormally terminated: {nodedown, C rexi_DOWN,noproc -- cgit v1.2.3 From c16c019a3f0f1f4d5ebce9ade59a7386c3c2bb18 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 16 Dec 2014 22:06:08 +0100 Subject: Check tapicero heartbeat (Bug #6556) In order to assure tapicero is still working, we need to monitor /var/log/syslog for the last tapicero log msg, which should not be older than the last check_mk_agent run (every 2 mins atm). --- .../site_check_mk/manifests/agent/tapicero.pp | 6 ++ .../files/plugins/check_last_regex_in_log | 85 ++++++++++++++++++++++ puppet/modules/site_nagios/manifests/plugins.pp | 16 ++++ 3 files changed, 107 insertions(+) create mode 100755 puppet/modules/site_nagios/files/plugins/check_last_regex_in_log create mode 100644 puppet/modules/site_nagios/manifests/plugins.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp index 369ed00b..ffd11100 100644 --- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp +++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp 
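Review bot: `I {error_report,<.*>,` and `I {error_info,` ignore every Erlang error_report and error_info header, far more than the "Generic server terminating" case named in the comment and the commit title; any future crash report from bigcouch will lose its leading line and be classified only by whatever follows it. If these two lines are meant to mute just the continuation of a `Generic server ... terminating` report, say so in the comment and narrow them to the exact report shape seen in the logs (the page contains no sample line to quote). The hunk is also based on the pre-widening version of the `rexi_EXIT` line (`{killed,` rather than the `{(killed|noproc|shutdown),` of L127), so one of the two commits will need reconciling on merge.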
@@ -1,5 +1,7 @@ class site_check_mk::agent::tapicero { + include ::site_nagios::plugins + concat::fragment { 'syslog_tapicero': source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/tapicero.cfg', target => '/etc/check_mk/logwatch.d/syslog.cfg', @@ -11,6 +13,10 @@ class site_check_mk::agent::tapicero { 'Tapicero_Procs': line => 'Tapicero_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero', path => '/etc/check_mk/mrpe.cfg'; + + 'Tapicero_Heartbeat': + line => 'Tapicero_Heartbeat /usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/syslog -r "tapicero" -w 300 -c 600', + path => '/etc/check_mk/mrpe.cfg'; } } diff --git a/puppet/modules/site_nagios/files/plugins/check_last_regex_in_log b/puppet/modules/site_nagios/files/plugins/check_last_regex_in_log new file mode 100755 index 00000000..cf7c03e5 --- /dev/null +++ b/puppet/modules/site_nagios/files/plugins/check_last_regex_in_log 
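Review bot: `-r "tapicero"` in the new `Tapicero_Heartbeat` mrpe line is matched by the plugin with a case-insensitive, unanchored grep over all of /var/log/syslog, so any line merely mentioning tapicero (another daemon's message, or the check's own output once it is logged) refreshes the heartbeat, and a silently stalled tapicero stays green as long as something else names it. Anchoring on the syslog program tag, e.g. `-r "tapicero\["`, ties the check to messages the tapicero process itself logged (how the plugin quotes the regex is raised on its own hunk). The 300/600-second thresholds assume tapicero logs at least every few minutes in normal operation; a comment recording that assumption next to the line would help whoever tunes it later.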
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# depends on nagios-plugins-common for /usr/lib/nagios/plugins/utils.sh
+# this package is installed using leap_platform by the Site_check_mk::Agent::Mrpe
+# class
+
+set -e
+
+usage()
+{
+cat << EOF
+usage: $0 -w -c -r -f
+
+OPTIONS:
+ -h Show this message
+ -r regex to grep for
+ -f logfile to search in
+ -w warning state after X seconds
+ -c critical state after x seconds
+
+example: $0 -f /var/log/syslog -r 'tapicero' -w 300 -c 600
+EOF
+}
+
+
+. /usr/lib/nagios/plugins/utils.sh
+
+
+warn=0
+crit=0
+log=''
+regex=''
+
+set -- $(getopt hr:f:w:c: "$@")
+while [ $# -gt 0 ]
+do
+ case "$1" in
+ (-h) usage; exit 0 ;;
+ (-f) log="$2"; shift;;
+ (-r) regex="$2"; shift;;
+ (-w) warn="$2"; shift;;
+ (-c) crit="$2"; shift;;
+ (--) shift; break;;
+ (-*) echo "$0: error - unrecognized option $1" 1>&2; exit 1;;
+ (*) break;;
+ esac
+ shift
+done
+
+[ $warn -eq 0 -o $crit -eq 0 -o -z "$regex" -o -z "$log" ] && ( usage; exit $STATE_UNKNOWN)
+[ -f "$log" ] || (echo "$log doesn't exist"; exit $STATE_UNKNOWN)
+
+lastmsg=$(tac $log | grep -i $regex | head -1 | cut -d' ' -f 1-3)
+
+if [ -z "$lastmsg" ]
+then
+ summary="\"$regex\" in $log was not found"
+ state=$STATE_CRITICAL
+ state_text='CRITICAL'
+ diff_sec=0
+else
+ lastmsg_sec=$(date '+%s' -d "$lastmsg")
+ now_sec=$(date '+%s')
+
+ diff_sec=$(($now_sec - $lastmsg_sec))
+
+ if [ $diff_sec -lt $warn ]; then
+ state=$STATE_OK
+ state_text='OK'
+ elif [ $diff_sec -lt $crit ]; then
+ state=$STATE_WARNING
+ state_text='WARNING'
+ else
+ state=$STATE_CRITICAL
+ state_text='CRITICAL'
+ fi
+
+ summary="Last occurrence of \"$regex\" in $log was $diff_sec sec ago"
+fi
+
+# check_mk_agent output
+# echo "$state Tapicero_Heatbeat sec=$diff_sec;$warn;$crit;0; $state_text - $summary"
+
+echo "${state_text}: $summary | seconds=${diff_sec};$warn;$crit;0;"
+exit $state
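Review bot: `cut -d' ' -f 1-3` in the `lastmsg=` line mishandles the traditional syslog timestamp, which pads single-digit days with a space: for `Dec  1 10:00:00 ...` the fields are `Dec`, empty, `1`, so the time is dropped, `date -d` resolves `Dec  1` to midnight, and the check reports a stale heartbeat for almost the whole of every 1st–9th of the month. Splitting on whitespace fixes it and also quotes the two unquoted expansions so a pattern with spaces or a leading dash is not mangled: `lastmsg=$(tac "$log" | grep -i -- "$regex" | head -1 | awk '{print $1, $2, $3}')`. The `( usage; exit $STATE_UNKNOWN)` and `(echo ...; exit $STATE_UNKNOWN)` subshells only terminate the script because `set -e` happens to be on; `{ usage; exit $STATE_UNKNOWN; }` states the intent directly. Note also that `date -d` on a year-less timestamp assumes the current year, so just after New Year a December message is read as being in the future and the check reports OK.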
diff --git a/puppet/modules/site_nagios/manifests/plugins.pp b/puppet/modules/site_nagios/manifests/plugins.pp
new file mode 100644
index 00000000..90a01cfb
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/plugins.pp
@@ -0,0 +1,16 @@
+# Deploy generic plugins useful to all nodes
+# nagios::plugin won't work to deploy a plugin
+# because it complains with:
+# Could not find dependency Package[nagios-plugins] …
+# at /srv/leap/puppet/modules/nagios/manifests/plugin.pp:18
+class site_nagios::plugins {
+
+ file { [
+ '/usr/local/lib', '/usr/local/lib/nagios',
+ '/usr/local/lib/nagios/plugins' ]:
+ ensure => directory;
+ '/usr/local/lib/nagios/plugins/check_last_regex_in_log':
+ source => 'puppet:///modules/site_nagios/plugins/check_last_regex_in_log',
+ mode => '0755';
+ }
+}
--
cgit v1.2.3
From 547354d07972130fc41cc79a80085731b696f887 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Wed, 17 Dec 2014 15:21:09 -0500
Subject: Ignore Soledad "Timing out client" warning (Bug #6566)

Change-Id: I6d3fa5028ba6eaca7b21a7e850136ef980f6e782
---
 puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg
index 623d1e46..3af5045b 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg
@@ -2,4 +2,5 @@
 C WSGI application error
 C Error
 C error
- W Timing out client:
+# Removed this line because we determined it was better to ignore it (#6566)
+# W Timing out client:
--
cgit v1.2.3
From 429d49824988873870911bf3425d4ca1118e8605 Mon Sep 17 00:00:00 2001
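Review bot: The `check_last_regex_in_log` file resource sets `mode => '0755'` but no `owner` or `group`, so puppet creates the file as whatever user it runs as and never corrects ownership if it drifts; this script is executed by the check_mk agent through mrpe, so it should be pinned to root the way `.icli_aliases` is later in this series: add `owner => root, group => 0,` to that entry. The three directories in the same `file` block would benefit from the same two attributes.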
From: Micah Anderson
Date: Wed, 17 Dec 2014 16:04:37 -0500
Subject: Update to logwatch ignore for tapicero

Change-Id: I1d8cedfeb1153312c13f7f182c7ac3b031647dd4
---
 puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg
index d9f0eafc..d00b8a75 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg
@@ -1,5 +1,5 @@
 # Ignore transient Tapicero errors when creating a db (#6511)
- I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|twice due to): (RestClient::Resource Not Found|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error)
+ I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|(twice )? due to): (RestClient::Resource Not Found|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error)
 C tapicero.*RestClient::InternalServerError:
 # possible race condition between multiple tapicero
 # instances, so we ignore it
--
cgit v1.2.3
From 82abc7fa7b9dd7275365d6a185b51803a34368a3 Mon Sep 17 00:00:00 2001
From: varac
Date: Wed, 17 Dec 2014 22:17:08 +0100
Subject: Check_mk logwatch: ignore openvpn warnings (Feature #6568)

Change-Id: I0d30afbcc6dcb90c6716f7c6bb0bca3e6ae0964a
---
 .../modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg
index d58e876d..ac17c0ca 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg
@@ -2,6 +2,12 @@
 # suddenly hangup before properly establishing
 # a tls connection
 I ovpn-.*TLS Error: Unroutable control packet received from
- I ovpn-.*TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
+ I ovpn-.*TLS Error: TLS key negotiation failed to occur within 60 seconds \(check your network connectivity\)
 I ovpn-.*TLS Error: TLS handshake failed
+ I ovpn-.*TLS Error: TLS object -> incoming plaintext read error
+ I ovpn-.*Fatal TLS error \(check_tls_errors_co\), restarting
+ I ovpn-.*TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
+
+ I ovpn-.*SIGUSR1\[soft,tls-error\] received, client-instance restarting
+ I ovpn-.*VERIFY ERROR: depth=0, error=certificate has expired
--
cgit v1.2.3
From d024a172ee4b2dc7fca4fe4251c930ff437f1f1b Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Thu, 18 Dec 2014 14:07:04 -0500
Subject: update tapicero logwatch messages to remove extra space

Change-Id: I0149ac2e767531d9724b57b9e3bdae7943f954ff
---
 puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg
index d00b8a75..e5721eea 100644
--- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg
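Review bot: The last two added patterns silence `VERIFY ERROR: depth=0, error=certificate has expired` and the `SSL3_GET_CLIENT_CERTIFICATE:no certificate` error without the kind of rationale the file's leading comment gives for the earlier patterns. Those lines are the server's only trace of clients arriving with an expired or missing certificate, which an operator may still want to see in volume after a certificate rotation, so a one-line comment stating why they are noise belongs above them, e.g. `# a client presented an expired or no certificate: a client-side problem, not a server fault (Feature #6568)`. If counting such events still matters, that has to happen somewhere other than an ignore rule.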
@@ -1,5 +1,5 @@
 # Ignore transient Tapicero errors when creating a db (#6511)
- I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|(twice )? due to): (RestClient::Resource Not Found|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error)
+ I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|(twice )?due to): (RestClient::Resource Not Found|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error)
 C tapicero.*RestClient::InternalServerError:
 # possible race condition between multiple tapicero
 # instances, so we ignore it
--
cgit v1.2.3
From 784cc8dcc03f63587206d62b5d49843eb974dbe1 Mon Sep 17 00:00:00 2001
From: guido
Date: Thu, 18 Dec 2014 19:37:51 -0300
Subject: Install icli package and configure ncli aliases (solves #6475)

Change-Id: I0f9397593bc4f00b64b626a159be09ab5ef694d6
---
 puppet/modules/site_nagios/manifests/server.pp | 1 +
 .../modules/site_nagios/manifests/server/icli.pp | 26 ++++++++++++++++++++++
 .../modules/site_nagios/templates/icli_aliases.erb | 7 ++++++
 3 files changed, 34 insertions(+)
 create mode 100644 puppet/modules/site_nagios/manifests/server/icli.pp
 create mode 100644 puppet/modules/site_nagios/templates/icli_aliases.erb
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index 068ee419..092ca503 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -52,6 +52,7 @@ class site_nagios::server inherits nagios::base {
 include site_nagios::server::apache
 include site_check_mk::server
 include site_shorewall::monitor
+ include site_nagios::server::icli
 augeas { 'logrotate_nagios':
diff --git a/puppet/modules/site_nagios/manifests/server/icli.pp b/puppet/modules/site_nagios/manifests/server/icli.pp
new file mode 100644
index 00000000..26fba725
--- /dev/null
+++ b/puppet/modules/site_nagios/manifests/server/icli.pp
@@ -0,0 +1,26 @@
+# Install icli package and configure ncli aliases
+class site_nagios::server::icli {
+ $nagios_hiera = hiera('nagios')
+ $environments = $nagios_hiera['environments']
+
+ package { 'icli':
+ ensure => installed;
+ }
+
+ file { '/root/.bashrc':
+ ensure => present;
+ }
+
+ file_line { 'icli aliases':
+ path => '/root/.bashrc',
+ line => 'source /root/.icli_aliases';
+ }
+
+ file { '/root/.icli_aliases':
+ content => template("${module_name}/icli_aliases.erb"),
+ mode => '0644',
+ owner => root,
+ group => 0,
+ require => Package['icli'];
+ }
+}
\ No newline at end of file
diff --git a/puppet/modules/site_nagios/templates/icli_aliases.erb b/puppet/modules/site_nagios/templates/icli_aliases.erb
new file mode 100644
index 00000000..f1428f9e
--- /dev/null
+++ b/puppet/modules/site_nagios/templates/icli_aliases.erb
@@ -0,0 +1,7 @@
+alias ncli='icli -c /var/cache/nagios3/objects.cache -f /var/cache/nagios3/status.dat -F /var/lib/nagios3/rw/nagios.cmd'
+alias ncli_problems='ncli -z '!o,!A''
+
+<% @environments.keys.sort.each do |env_name| %>
+alias ncli_<%= env_name %>='ncli -z '!o,!A' -g <%= env_name %>'
+alias ncli_<%= env_name %>_recheck='ncli -s Check_MK -g <%= env_name %> -r'
+<% end -%>
\ No newline at end of file
--
cgit v1.2.3
From 6ccce65c46f36dba8f8d572e31558b6963d48b41 Mon Sep 17 00:00:00 2001
From: guido
Date: Fri, 19 Dec 2014 12:51:40 -0300
Subject: Add x509 files to static node allowing postfix to work (solves #6577) + minor lint. https://leap.se/code/issues/6577
Change-Id: Iefefbf3e8fc5c13cdd7e302627504a76b856e725
---
 puppet/modules/site_static/manifests/init.pp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'puppet/modules')
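Review bot: `$environments = $nagios_hiera['environments']` is handed to the template, which calls `.keys` on it, so a `nagios` hiera hash without an `environments` key fails the catalog with a Ruby NoMethodError from inside the template instead of a readable message. A guard before the `.icli_aliases` resource gives the operator something actionable, e.g. `if ! $environments { fail('hiera nagios.environments is required by site_nagios::server::icli') }`. The `/root/.bashrc` resource is sourced by every root shell, so it is worth pinning `owner => root, group => 0, mode => '0644'` on it the way `.icli_aliases` already does.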
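Review bot: `env_name` is inserted unescaped into the alias names and into the single-quoted `-g` argument, and `.icli_aliases` is sourced from root's `.bashrc`, so an environment key containing a quote, space or other shell metacharacter breaks or alters every root login shell. Hiera is operator-controlled, so this is a robustness concern rather than an injection one, but restricting keys to a safe character set, e.g. `<% @environments.keys.sort.select { |k| k =~ /\A[A-Za-z0-9_]+\z/ }.each do |env_name| %>` or failing on anything else, keeps the generated file predictable. The opening `<% ... %>` tag lacks the `-%>` trim used on `<% end -%>`, so each iteration also emits a blank line.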
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 6e347d35..aed9775e 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -1,5 +1,10 @@
 class site_static {
 tag 'leap_service'
+
+ include site_config::x509::cert
+ include site_config::x509::key
+ include site_config::x509::ca_bundle
+
 $static = hiera('static')
 $domains = $static['domains']
 $formats = $static['formats']
@@ -33,7 +38,7 @@ class site_static {
 include site_apt::preferences::passenger
 class { 'passenger':
 use_munin => false,
- require => Class['site_apt::preferences::passenger']
+ require => Class['site_apt::preferences::passenger']
 }
 }
--
cgit v1.2.3
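Review bot: Including `site_config::x509::key` places the node's private key on a host whose role is serving static content, and the only statement of why is in the commit message (postfix), so the hunk itself records no reason for the three includes. A comment on the block keeps that intent with the code, e.g. `# x509 cert/key/ca_bundle are only needed here so postfix can send mail (#6577)`. The key class's file mode and ownership are not visible in this hunk; confirm that it restricts the key to root and the mail daemon before merging.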