From 8684aa38ece3271a0eb0f8a1751f6c3297025afa Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 28 Jul 2015 14:35:40 -0400 Subject: Support RBL blocking of incoming mail (#5923) Set zen.spamhaus as the default rbl Change-Id: Ic3537d645c80ba42267bab370a1cf77730382158 --- puppet/modules/site_postfix/manifests/mx.pp | 1 + puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 49692d24..af0f9f56 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,6 +8,7 @@ class site_postfix::mx { $host_domain = $domain_hash['full'] $cert_name = hiera('name') $mynetworks = join(hiera('mynetworks'), ' ') + $rbls = suffix(prefix(hiera('rbls'), 'reject_rbl_client '), ',') $root_mail_recipient = hiera('contacts') $postfix_smtp_listen = 'all' diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0ec40277..1c3e5c92 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks { 'checks_dir': value => '$config_directory/checks'; 'smtpd_client_restrictions': - value => 'permit_mynetworks,permit'; + value => "${site_postfix::mx::rbls}permit_mynetworks,permit"; 'smtpd_data_restrictions': value => 'permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': -- cgit v1.2.3 From 738e77a729813901db8725cacfb15f4150fd49d2 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 3 Aug 2015 14:44:24 -0700 Subject: webapp: add support for customizing locales --- puppet/modules/site_webapp/templates/config.yml.erb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet/modules') 
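Review bot: The RBL lookups are placed ahead of `permit_mynetworks` in smtpd_client_restrictions, so hosts in $mynetworks (the provider's own relays) are DNSBL-checked and can be refused if one of them is ever listed; the usual order trusts local networks first. Suggested value: `value => "permit_mynetworks,${site_postfix::mx::rbls}permit";` (the `$rbls` string already carries its trailing comma). Because this is a main.cf setting it also applies to the smtps submission service defined in mastercf_tail, which is not visible in this hunk, so authenticated clients connecting from a listed IP will be rejected unless that service overrides it.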
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index ccde2d2e..e8853ade 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -2,6 +2,11 @@ <%- cert_options = @webapp['client_certificates'] -%> production: admins: <%= @webapp['admins'].inspect %> + default_locale: :<%= @webapp['default_locale'] %> + available_locales: +<%- @webapp['locales'].each do |locale| -%> + - :<%= locale %> +<%- end -%> domain: <%= @provider_domain %> force_ssl: <%= @webapp['secure'] %> client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key -- cgit v1.2.3 From 5e21bb0d2415de0a40adfaa3b149313c459e7947 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 11 Aug 2015 14:57:58 +0200 Subject: Don't use check_mk logwatch to watch bigcouch logs anymore (#7375) The rationale here is: - bigcouch/its included erlang version is incredibly noisy and spits out warnings/error msgs all the time - it uses the worst logging format i ever saw, multiple lines directly to a file (couch 2.0 uses lager as logging backend which can log to syslog) - trying to sort out the false positives will take too much time, and who knows which of them will be resolved in couch 1.6/2.0 Change-Id: Idbe6b37a19cd65ce31a50d4c28eedb4cf15ba3b5 --- .../modules/site_check_mk/manifests/agent/couchdb.pp | 16 ++++++++++++---- puppet/modules/site_config/manifests/remove_files.pp | 19 ++++++++++++++++++- 2 files changed, 30 insertions(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index abfc7ad0..8de5121b 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp 
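Review bot: The new `available_locales` loop calls `.each` on `@webapp['locales']` with no nil guard, so a node whose webapp config does not define `locales` fails template rendering, and an undefined `default_locale` renders the YAML value as a bare `:`, which is not a valid symbol. Guard both, e.g. `<%- (@webapp['locales'] || []).each do |locale| -%>`, and only emit the `default_locale` line when the value is set. The surrounding `production:` mapping starts before this hunk.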
@@ -1,9 +1,17 @@ +# configure logwatch and nagios checks for couchdb class site_check_mk::agent::couchdb { - # watch logs - file { '/etc/check_mk/logwatch.d/bigcouch.cfg': - source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg', - } + # watch bigcouch logs + # currently disabled because bigcouch is too noisy + # see https://leap.se/code/issues/7375 for more details + # and site_config::remove_files for removing leftovers + #file { '/etc/check_mk/logwatch.d/bigcouch.cfg': + # source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg', + #} + + # check syslog msg from: + # - empd + # - /usr/local/bin/couch-doc-update concat::fragment { 'syslog_couchdb': source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/couchdb.cfg', target => '/etc/check_mk/logwatch.d/syslog.cfg', diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp index b339e6af..a9a0c8bf 100644 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ b/puppet/modules/site_config/manifests/remove_files.pp @@ -46,5 +46,22 @@ class site_config::remove_files { onlyif => "/bin/grep -qe 'leap_mx.log' /etc/check_mk/logwatch.state" } - + # Don't use check_mk logwatch to watch bigcouch logs anymore + # see https://leap.se/code/issues/7375 for more details + file { '/etc/check_mk/logwatch.d/bigcouch.cfg': + ensure => absent, + notify => [ + Exec['remove_bigcouch_logwatch_spoolfiles'], + Exec['remove_bigcouch_logwatch_stateline'] + ] + } + # remove leftover bigcouch logwatch spool files + exec { 'remove_bigcouch_logwatch_spoolfiles': + command => 'find /var/lib/check_mk/logwatch -name \'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -exec rm {} \;', + refreshonly => true, + } + exec { 'remove_bigcouch_logwatch_stateline': + command => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state", + refreshonly => true, + } } -- cgit v1.2.3 From c4ddd197a1ca6a3fac70a86a3ed3dc3d4920e3ca Mon Sep 17 00:00:00 2001 
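Review bot: The `remove_bigcouch_logwatch_stateline` exec's command starts with an unqualified `sed` and no `path` attribute is set; Puppet rejects such an exec ("is not qualified and no path was specified") unless an Exec resource default supplying `path` exists elsewhere in the catalog, which the `onlyif => "/bin/grep ..."` in this same class suggests it does not. Qualify it: `command => "/bin/sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state",`. The sibling `find ... -exec rm {} \;` depends on the agent's PATH for `rm` in the same way; `-delete` avoids spawning a child at all, e.g. `command => 'find /var/lib/check_mk/logwatch -name \'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -delete',`. The class body continues outside this hunk.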
From: varac Date: Thu, 13 Aug 2015 07:28:26 +0200 Subject: Increase readability of nagios notification mail subjects (#6847) Change-Id: Ic9af9ef3602abbb51edf1c9d71d4d264b4ace714 --- puppet/modules/site_check_mk/files/extra_host_conf.mk | 6 ------ puppet/modules/site_check_mk/manifests/server.pp | 2 +- puppet/modules/site_check_mk/templates/extra_host_conf.mk | 13 +++++++++++++ 3 files changed, 14 insertions(+), 7 deletions(-) delete mode 100644 puppet/modules/site_check_mk/files/extra_host_conf.mk create mode 100644 puppet/modules/site_check_mk/templates/extra_host_conf.mk (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/extra_host_conf.mk b/puppet/modules/site_check_mk/files/extra_host_conf.mk deleted file mode 100644 index 2c96f97a..00000000 --- a/puppet/modules/site_check_mk/files/extra_host_conf.mk +++ /dev/null @@ -1,6 +0,0 @@ -# retry 3 times before setting a host into a hard state -# and send out notification -extra_host_conf["max_check_attempts"] = [ - ("4", ALL_HOSTS ) -] - diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 67519513..57f68d3e 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -54,7 +54,7 @@ class site_check_mk::server { notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; '/etc/check_mk/conf.d/extra_host_conf.mk': - source => 'puppet:///modules/site_check_mk/extra_host_conf.mk', + content => template('site_check_mk/extra_host_conf.mk'), notify => Exec['check_mk-refresh'], require => Package['check-mk-server']; diff --git a/puppet/modules/site_check_mk/templates/extra_host_conf.mk b/puppet/modules/site_check_mk/templates/extra_host_conf.mk new file mode 100644 index 00000000..bc27b514 --- /dev/null +++ b/puppet/modules/site_check_mk/templates/extra_host_conf.mk 
@@ -0,0 +1,13 @@ +# retry 3 times before setting a host into a hard state +# and send out notification +extra_host_conf["max_check_attempts"] = [ + ("4", ALL_HOSTS ) +] + +# Use hostnames as alias so notification mail subjects +# are more readable and not so long. Alias defaults to +# the fqdn of a host is not changed. +extra_host_conf["alias"] = [ +<% @hosts.keys.sort.each do |key| -%> ( "<%= key.strip %>", ["<%= @hosts[key]['domain_internal']%>"]), +<% end -%> +] -- cgit v1.2.3 From b5fbda1ca3832043e1636ee964a806ff222cb05f Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 21 Aug 2015 17:13:34 -0700 Subject: add support for configurable mail alias maps --- puppet/modules/postfix | 2 +- puppet/modules/site_postfix/manifests/mx.pp | 3 +- .../site_postfix/manifests/mx/reserved_aliases.pp | 15 ------ .../site_postfix/manifests/mx/static_aliases.pp | 58 ++++++++++++++++++++++ .../site_postfix/templates/custom-aliases.erb | 11 ++++ 5 files changed, 72 insertions(+), 17 deletions(-) delete mode 100644 puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp create mode 100644 puppet/modules/site_postfix/manifests/mx/static_aliases.pp create mode 100644 puppet/modules/site_postfix/templates/custom-aliases.erb (limited to 'puppet/modules') diff --git a/puppet/modules/postfix b/puppet/modules/postfix index f09cd0ef..53572a89 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit f09cd0eff2bcab7e12c09ec67be3c918bc83fac5 +Subproject commit 53572a8934fe5b0a3a567cdec10664f288923739 diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index af0f9f56..334d04d0 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
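Review bot: Each alias entry interpolates `@hosts[key]['domain_internal']` without checking the key exists, so a host record lacking `domain_internal` renders `[""]` and silently gives that host an empty match list in check_mk instead of failing at catalog time; the template also relies on `@hosts` being in scope of `site_check_mk::server`, which this commit does not show being defined. Prefer `@hosts[key].fetch('domain_internal')` so a missing value raises during compilation, and emit the strings via `.inspect` rather than hand-written double quotes so a stray `"` cannot corrupt the generated Python. The comment sentence `Alias defaults to the fqdn of a host is not changed.` is garbled; suggest `# Alias defaults to the fqdn of a host if it is not changed.`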
@@ -51,7 +51,7 @@ class site_postfix::mx { include site_postfix::mx::checks include site_postfix::mx::smtp_tls include site_postfix::mx::smtpd_tls - include site_postfix::mx::reserved_aliases + include site_postfix::mx::static_aliases # greater verbosity for debugging, take out for production #include site_postfix::debug @@ -68,6 +68,7 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', + default_alias_maps => false, mastercf_tail => "smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp deleted file mode 100644 index 83e27376..00000000 --- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp +++ /dev/null @@ -1,15 +0,0 @@ -# Defines which mail addresses shouldn't be available and where they should fwd -class site_postfix::mx::reserved_aliases { - - postfix::mailalias { - [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', - 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', - 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', - 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', - 'www-data', - ]: - ensure => present, - recipient => 'root' - } - -} diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp new file mode 100644 index 00000000..786d74c1 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp 
@@ -0,0 +1,58 @@ +# +# Defines static, hard coded aliases that are not in the database. +# + +class site_postfix::mx::static_aliases { + + $mx = hiera('mx') + $aliases = $mx['aliases'] + + # + # Predefined aliases. + # + # Defines which mail addresses shouldn't be available and where they should + # fwd + # + # TODO: reconcile this with the node property webapp.forbidden_usernames + # + # NOTE: if you remove one of these, they will still appear in the + # /etc/aliases file + # + postfix::mailalias { + [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', + 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', + 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', + 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', + 'www-data', + ]: + ensure => present, + recipient => 'root' + } + + # + # Custom aliases. + # + # This does not use the puppet mailalias resource because we want to be able + # to guarantee the contents of the alias file. This is needed so if you + # remove an alias from the node's config, it will get removed from the alias + # file. + # + + # both alias files must be listed under "alias_database", because once you + # specify one, then `newaliases` no longer will default to updating + # "/etc/aliases.db". + postfix::config { + 'alias_database': + value => "/etc/aliases, /etc/postfix/custom-aliases"; + 'alias_maps': + value => "hash:/etc/aliases, hash:/etc/postfix/custom-aliases"; + } + + file { '/etc/postfix/custom-aliases': + content => template('site_postfix/custom-aliases.erb'), + owner => root, + group => root, + mode => 0600, + notify => Exec['newaliases'] + } +} diff --git a/puppet/modules/site_postfix/templates/custom-aliases.erb b/puppet/modules/site_postfix/templates/custom-aliases.erb new file mode 100644 index 00000000..f261514b --- /dev/null +++ b/puppet/modules/site_postfix/templates/custom-aliases.erb 
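Review bot: `$aliases = $mx['aliases']` has no default, so a node whose mx config defines no `aliases` hands `nil` to the template, where `@aliases.keys` raises and the whole catalog fails. Fall back to an empty hash, e.g. `if $mx['aliases'] { $aliases = $mx['aliases'] } else { $aliases = {} }`, and consider `validate_hash($aliases)` so a scalar typo in the node file produces a clear message. The header comment should also say where keys and values come from and that a value may be a single address or a list, since the template accepts both.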
@@ -0,0 +1,11 @@ +# +# This file is managed by puppet. +# +# This is a map of custom, non-standard aliases. The contents of this file +# are derived from the node property `mx.aliases`. +# + +<%- @aliases.keys.sort.each do |from| -%> +"<%= from %>": "<%= [@aliases[from]].flatten.join('", "') %>" +<%- end -%> + -- cgit v1.2.3 From 65c912a7327505b2c99632afa06bba3c6fd4a057 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Aug 2015 14:08:38 +0200 Subject: updated nagios submodule Change-Id: Iae76f9ca03baf459ae8ea044ea6aecfc73a41b3a --- puppet/modules/nagios | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/nagios b/puppet/modules/nagios index b55f23d4..6c3ca97f 160000 --- a/puppet/modules/nagios +++ b/puppet/modules/nagios @@ -1 +1 @@ -Subproject commit b55f23d4d90c97cec08251544aa9700df86ad0b3 +Subproject commit 6c3ca97f1524e2b6242c27a2c97dbfb78105889f -- cgit v1.2.3 From 9d645a82c7346e8d585c664a82c719647a0d2ffa Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 3 Sep 2015 23:24:43 -0700 Subject: make couchdb.admin.yml only readable by root, make non-admin cron run as webapp user. --- puppet/modules/site_webapp/manifests/couchdb.pp | 16 ++++++++-------- puppet/modules/site_webapp/manifests/cron.pp | 4 ++++ 2 files changed, 12 insertions(+), 8 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 1dbc745d..5cf7f953 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
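Review bot: The template wraps names and targets in double quotes but does not escape a `"` inside them, and every target is passed through verbatim; in aliases(5) a target may be a `|command`, `/file` or `:include:/file`, so an unexpected value in `mx.aliases` becomes a command or file delivery rather than a forward. This is provider-controlled configuration rather than untrusted input, but a one-line guard in the loop such as `raise "invalid alias target #{target}" unless target =~ /\A[\w.+@-]+\z/` keeps the map to addresses only, and `.inspect` on each value yields correctly escaped quoting. A note in the generated file that `newaliases` must run for the hash map to pick up changes (the manifest does this via `notify`) would help the next reader.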
@@ -14,29 +14,29 @@ class site_webapp::couchdb { file { '/srv/leap/webapp/config/couchdb.yml': content => template('site_webapp/couchdb.yml.erb'), - owner => leap-webapp, - group => leap-webapp, + owner => 'leap-webapp', + group => 'leap-webapp', mode => '0600', require => Vcsrepo['/srv/leap/webapp']; '/srv/leap/webapp/config/couchdb.admin.yml': content => template('site_webapp/couchdb.admin.yml.erb'), - owner => leap-webapp, - group => leap-webapp, + owner => 'root', + group => 'root', mode => '0600', require => Vcsrepo['/srv/leap/webapp']; '/srv/leap/webapp/log': ensure => directory, - owner => leap-webapp, - group => leap-webapp, + owner => 'leap-webapp', + group => 'leap-webapp', mode => '0755', require => Vcsrepo['/srv/leap/webapp']; '/srv/leap/webapp/log/production.log': ensure => present, - owner => leap-webapp, - group => leap-webapp, + owner => 'leap-webapp', + group => 'leap-webapp', mode => '0666', require => Vcsrepo['/srv/leap/webapp']; } diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp index d26ee312..7147a0d2 100644 --- a/puppet/modules/site_webapp/manifests/cron.pp +++ b/puppet/modules/site_webapp/manifests/cron.pp @@ -5,12 +5,14 @@ class site_webapp::cron { 'rotate_databases': command => 'cd /srv/leap/webapp && bundle exec rake db:rotate', environment => 'RAILS_ENV=production', + user => 'root', hour => [0,6,12,18], minute => 0; 'delete_tmp_databases': command => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp', environment => 'RAILS_ENV=production', + user => 'root', hour => 1, minute => 1; @@ -19,6 +21,7 @@ class site_webapp::cron { 'remove_expired_sessions': command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions', environment => 'RAILS_ENV=production', + user => 'leap-webapp', hour => 2, minute => 30, ensure => absent; 
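Review bot: `/srv/leap/webapp/log/production.log` remains `mode => '0666'`, so any local user can write to, truncate or pollute the application log, while this commit is tightening ownership in the same block; the file is owned by `leap-webapp`, which is the only writer this manifest shows. Unless another unprivileged process must append to it, `mode => '0640',` keeps the log writable by the app and readable by its group. The class continues outside this hunk.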
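Review bot: `rotate_databases` and `delete_tmp_databases` now run `bundle exec rake` as root from `/srv/leap/webapp`, so the Rakefile, Gemfile and every bundled gem in that checkout execute with root privileges; if the checkout or its `config/` directory is writable by `leap-webapp` (the `log` directory in the sibling hunk is), a compromise of the web application escalates to root on the next cron run. If root is needed only to read the now root-owned `couchdb.admin.yml`, a narrower fix is a dedicated unprivileged user (or a group-readable admin file) with `user => 'leap-webapp'` on these jobs too, or at minimum ensuring the tree is root-owned and not writable by the app user. The `remove_expired_sessions` job is `ensure => absent`, so its `user` change has no effect; the class continues past this hunk.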
@@ -26,6 +29,7 @@ class site_webapp::cron { 'remove_expired_tokens': command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens', environment => 'RAILS_ENV=production', + user => 'leap-webapp', hour => 3, minute => 0; } -- cgit v1.2.3 From ffd340e7b014bc9f35fb6f9365230d483650cc1d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Sep 2015 13:03:01 -0400 Subject: rewrite openpgp header to be always correct (#7413) The openpgp header added by the client is sometimes incorrect, because the client doesn't actually know what the proper URL is for the webapp. The server knows, however. Change-Id: I2243b19a6337d8e0be97590e2ca9c9c0b0fffdac --- puppet/modules/site_postfix/manifests/mx.pp | 6 +++++- .../site_postfix/manifests/mx/rewrite_openpgp_header.pp | 11 +++++++++++ .../templates/checks/rewrite_openpgp_headers.erb | 13 +++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp create mode 100644 puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 334d04d0..2b311e06 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -52,6 +52,7 @@ class site_postfix::mx { include site_postfix::mx::smtp_tls include site_postfix::mx::smtpd_tls include site_postfix::mx::static_aliases + include site_postfix::mx::rewrite_openpgp_header # greater verbosity for debugging, take out for production #include site_postfix::debug 
@@ -74,7 +75,10 @@ class site_postfix::mx { -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions - -o smtpd_helo_restrictions=\$smtps_helo_restrictions", + -o smtpd_helo_restrictions=\$smtps_helo_restrictions + -o cleanup_service_name=clean_smtps +clean_smtps unix n - n - 0 cleanup + -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers", require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp new file mode 100644 index 00000000..71f945b8 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/rewrite_openpgp_header.pp @@ -0,0 +1,11 @@ +class site_postfix::mx::rewrite_openpgp_header { + $mx = hiera('mx') + $correct_domain = $mx['key_lookup_domain'] + + file { '/etc/postfix/checks/rewrite_openpgp_headers': + content => template('site_postfix/checks/rewrite_openpgp_headers.erb'), + mode => '0644', + owner => root, + group => root; + } +} diff --git a/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb new file mode 100644 index 00000000..7af14f7d --- /dev/null +++ b/puppet/modules/site_postfix/templates/checks/rewrite_openpgp_headers.erb 
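Review bot: The new `clean_smtps` cleanup service uses a `pcre:` table, which on Debian requires the `postfix-pcre` package; this hunk does not install it, and if it is missing cleanup logs `unsupported dictionary type: pcre` and mail submitted over smtps is deferred. Unless the postfix module already pulls it in, add `package { 'postfix-pcre': ensure => installed, before => Service['postfix'] }` alongside this configuration. A comment above the `clean_smtps` line saying it exists so the OpenPGP header rewrite applies only to client submissions, not to inbound MX traffic, would make the intent clear; the mastercf_tail string and the enclosing class continue outside this hunk.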
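Review bot: `$correct_domain = $mx['key_lookup_domain']` has no default, so if the node's mx config lacks that key the template still renders and the check rewrites every matching URL to `https:///key/...`, silently breaking key discovery for the provider's users. Fail early instead: `if $correct_domain == undef { fail('mx.key_lookup_domain must be set') }`. The template also references `@domain`, which this class never defines; in a Puppet 3 template that falls through to top scope, i.e. the `domain` fact of the MX host rather than `site_postfix::mx::$domain`, so add `$domain = $site_postfix::mx::domain` here to make the match pattern deterministic.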
@@ -0,0 +1,13 @@ +# THIS FILE IS MANAGED BY PUPPET +# +# This will replace the OpenPGP header that the client adds, because it is +# sometimes incorrect (due to the client not always knowing what the proper URL +# is for the webapp). +# e.g. This will rewrite this header: +# OpenPGP: id=4C0E01CD50E2F653; url="https://leap.se/key/elijah"; preference="signencrypt +# with this replacement: +# OpenPGP: id=4C0E01CD50E2F653; url="https://user.leap.se/key/elijah"; preference="signencrypt +# +# Note: whitespace in the pattern is represented by [[:space:]] to avoid these warnings from postmap: +# "record is in "key: value" format; is this an alias file?" and "duplicate entry" +/^(OpenPGP:[[:space:]]id=[[:alnum:]]+;[[:space:]]url="https:\/\/)<%= @domain %>(\/key\/[[:alpha:]]+";.*)/i REPLACE ${1}<%= @correct_domain %>${2} -- cgit v1.2.3 From 36540162129243596a5ce1ecc00c999ba5ddc849 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 4 May 2015 20:09:40 +0200 Subject: moved leap_cli installation to leap module Change-Id: I385f7877d0816456e7c57179511604645a4740bc --- puppet/modules/leap/manifests/cli/install.pp | 33 ++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 puppet/modules/leap/manifests/cli/install.pp (limited to 'puppet/modules') diff --git a/puppet/modules/leap/manifests/cli/install.pp b/puppet/modules/leap/manifests/cli/install.pp new file mode 100644 index 00000000..858bd7da --- /dev/null +++ b/puppet/modules/leap/manifests/cli/install.pp 
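Review bot: `<%= @domain %>` is interpolated into a PCRE pattern unescaped, so every `.` in the provider domain matches any character and a domain containing other metacharacters breaks the expression; use `<%= Regexp.escape(@domain) %>` to match it literally. The username capture `[[:alpha:]]+` matches only letters, so a handle containing digits, `_` or `-` (if LEAP permits them, which this file does not show) keeps the wrong URL; a `[^"\/]+` class covers any single path segment. The header could also state that the check runs only on the `clean_smtps` cleanup service used for submission, since the file itself does not say so.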
@@ -0,0 +1,33 @@ +# installs leap_cli on node +class leap::cli::install ( $source = false ) { + if $source { + # needed for building leap_cli from source + include ::git + include ::site_config::ruby::dev + + vcsrepo { '/srv/leap/cli': + ensure => present, + force => true, + revision => 'develop', + provider => 'git', + source => 'https://leap.se/git/leap_cli.git', + owner => 'root', + group => 'root', + notify => Exec['install_leap_cli'], + require => Package['git'] + } + + exec { 'install_leap_cli': + command => '/usr/bin/rake build && /usr/bin/rake install', + cwd => '/srv/leap/cli', + refreshonly => true, + require => [ Package['ruby-dev'], File['/etc/gemrc'], Package['rake'] ] + } + } + else { + package { 'leap_cli': + ensure => installed, + provider => gem + } + } +} -- cgit v1.2.3 From d113bf1b2cd3cb6a94fbe20aa711bf9b9b93286f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 9 Sep 2015 09:36:59 -0400 Subject: Fix clients being blocked by RBLs (#7431) Valid users submitting mail to be delivered should not be blocked by configured RBLs. Settings in main.cf are valid and used globally, unless they are overridden in master.cf for specific Postfix daemons. We have set in main.cf the smtp_client_restrictions parameter to check for configured rbls, so we need to override that and empty it in order to allow valid clients to send mail, even when their IP is listed in an RBL. Note: most users will typically be connecting via VPN, so their IP would typically be replaced by the VPN gateway one, but there are cases where this is still useful. Change-Id: Ie4171113c78ae2814402a1ed9b5343280cbf79d1 --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 334d04d0..bff3e291 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
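Review bot: The source build clones the floating `develop` branch of `https://leap.se/git/leap_cli.git` and runs `rake build && rake install` as root, so every refresh executes an unpinned, unverified Rakefile fetched from the network with root privileges and installs the resulting gem system-wide; `force => true` additionally discards any local changes under `/srv/leap/cli`. Pin to a tag or commit and make it a parameter, e.g. `class leap::cli::install ( $source = false, $revision = 'develop' )` with `revision => $revision`, and document that `develop` is a moving target. The gem path has the same shape: `package { 'leap_cli': ensure => installed }` takes the newest release on rubygems with no version constraint, so an `ensure => $version` parameter is worth adding there as well.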
@@ -74,7 +74,8 @@ class site_postfix::mx { -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions - -o smtpd_helo_restrictions=\$smtps_helo_restrictions", + -o smtpd_helo_restrictions=\$smtps_helo_restrictions + -o smtpd_client_restrictions=", require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], -- cgit v1.2.3 From 0e13876bd54009bf81e7cab2abcca392ca06e32d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 10 Sep 2015 16:04:59 -0400 Subject: Make sure hiera values have valid defaults if they are not specified (#7443) Change-Id: Ib701886ad26c5e39ccd669fadca81404b5c0426a --- puppet/modules/site_postfix/manifests/mx.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index bff3e291..bc65e370 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -7,8 +7,8 @@ class site_postfix::mx { $domain = $domain_hash['full_suffix'] $host_domain = $domain_hash['full'] $cert_name = hiera('name') - $mynetworks = join(hiera('mynetworks'), ' ') - $rbls = suffix(prefix(hiera('rbls'), 'reject_rbl_client '), ',') + $mynetworks = join(hiera('mynetworks', ''), ' ') + $rbls = suffix(prefix(hiera('rbls', []), 'reject_rbl_client '), ',') $root_mail_recipient = hiera('contacts') $postfix_smtp_listen = 'all' -- cgit v1.2.3 From 84e6ad1978f8952e28d8935c01b4344c0d62ddbd Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 10 Sep 2015 15:49:26 -0700 Subject: fix various problems with webapp config generation --- .../modules/site_webapp/templates/config.yml.erb | 67 +++++++++++----------- 1 file changed, 34 insertions(+), 33 deletions(-) (limited to 'puppet/modules') 
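Review bot: `-o smtpd_client_restrictions=` removes every client-stage check from the smtps service rather than just the RBL lookups, so nothing at that stage distinguishes authenticated clients from anyone else; whatever protection remains lives entirely in `$smtps_recipient_restrictions`, which is not visible here. If the submission service authenticates clients (via SASL or client certificates), a dedicated main.cf list following the existing `smtps_*_restrictions` convention keeps the RBLs for everyone else: `-o smtpd_client_restrictions=\$smtps_client_restrictions` with e.g. `permit_sasl_authenticated, reject_rbl_client ...` (or `permit_tls_clientcerts` as appropriate), which with `smtpd_delay_reject` is evaluated at RCPT time, after authentication. The commit message refers to `smtp_client_restrictions`; the parameter in question is `smtpd_client_restrictions`.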
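Review bot: The new default for `mynetworks` is the string `''`, but it is passed straight to `join()`, which requires an array, so a node without `mynetworks` still fails catalog compilation, now with a `join(): Requires array` error instead of a missing-key one. Use an empty array: `$mynetworks = join(hiera('mynetworks', []), ' ')`. The `rbls` line already does this correctly.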
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index e8853ade..5cb436fc 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb 
@@ -1,33 +1,34 @@ -<%- require 'json' -%> -<%- cert_options = @webapp['client_certificates'] -%> -production: - admins: <%= @webapp['admins'].inspect %> - default_locale: :<%= @webapp['default_locale'] %> - available_locales: -<%- @webapp['locales'].each do |locale| -%> - - :<%= locale %> -<%- end -%> - domain: <%= @provider_domain %> - force_ssl: <%= @webapp['secure'] %> - client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key - client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt - secret_token: "<%= @secret_token %>" - client_cert_lifespan: <%= cert_options['life_span'] %> - client_cert_bit_size: <%= cert_options['bit_size'].to_i %> - client_cert_hash: <%= cert_options['digest'] %> - allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %> - allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %> - allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %> - limited_cert_prefix: "<%= cert_options['limited_prefix'] %>" - unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" - minimum_client_version: "<%= @webapp['client_version']['min'] %>" - default_service_level: "<%= @webapp['default_service_level'] %>" - service_levels: <%= scope.function_sorted_json([@webapp['service_levels']]) %> - allow_registration: <%= @webapp['allow_registration'].inspect %> - handle_blacklist: <%= @webapp['forbidden_usernames'].inspect %> -<%- if @webapp['engines'] && @webapp['engines'].any? 
-%> - engines: -<%- @webapp['engines'].each do |engine| -%> - - <%= engine %> -<%- end -%> -<%- end -%> +<%- +cert_options = @webapp['client_certificates'] +production = { + "admins" => @webapp['admins'], + "default_locale" => @webapp['default_locale'], + "available_locales" => @webapp['locales'], + "domain" => @provider_domain, + "force_ssl" => @webapp['secure'], + "client_ca_key" => "%s/%s.key" % [scope.lookupvar('x509::variables::keys'), scope.lookupvar('site_config::params::client_ca_name')], + "client_ca_cert" => "%s/%s.crt" % [scope.lookupvar('x509::variables::local_CAs'), scope.lookupvar('site_config::params::client_ca_name')], + "secret_token" => @secret_token, + "client_cert_lifespan" => cert_options['life_span'], + "client_cert_bit_size" => cert_options['bit_size'].to_i, + "client_cert_hash" => cert_options['digest'], + "allow_limited_certs" => @webapp['allow_limited_certs'], + "allow_unlimited_certs" => @webapp['allow_unlimited_certs'], + "allow_anonymous_certs" => @webapp['allow_anonymous_certs'], + "limited_cert_prefix" => cert_options['limited_prefix'], + "unlimited_cert_prefix" => cert_options['unlimited_prefix'], + "minimum_client_version" => @webapp['client_version']['min'], + "default_service_level" => @webapp['default_service_level'], + "service_levels" => @webapp['service_levels'], + "allow_registration" => @webapp['allow_registration'], + "handle_blacklist" => @webapp['forbidden_usernames'] +} + +if @webapp['engines'] && @webapp['engines'].any? + production["engines"] = @webapp['engines'] +end +-%> +# +# This file is generated by puppet. This file inherits from defaults.yml. +# +<%= scope.function_sorted_yaml({"production" => production}) %> -- cgit v1.2.3 From 818930af8a05dc44372b99f8e589527050120431 Mon Sep 17 00:00:00 2001 
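Review bot: `cert_options['bit_size'].to_i` turns a missing or malformed `bit_size` into `0`, and that value is now emitted through sorted_yaml as a perfectly valid integer, so a typo in the node file yields `client_cert_bit_size: 0` in production config instead of a catalog error; use `Integer(cert_options.fetch('bit_size'))` so absence or a non-numeric string raises at compile time. The same applies to `@webapp['client_version']['min']`, which raises an unhelpful NoMethodError when `client_version` is absent; `@webapp.fetch('client_version').fetch('min')` names the missing key. Since the generated file is now opaque YAML, the header comment could list the node properties it is derived from so a reader can trace a value back to its source.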
From: elijah Date: Thu, 10 Sep 2015 22:38:44 -0700 Subject: sshd: let nodes change default AllowTcpForwarding --- puppet/modules/site_sshd/manifests/init.pp | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 1da2f1d5..170be32c 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,6 +1,7 @@ class site_sshd { - $ssh = hiera_hash('ssh') - $hosts = hiera('hosts', '') + $ssh = hiera_hash('ssh') + $ssh_config = $ssh['config'] + $hosts = hiera('hosts', '') ## ## SETUP AUTHORIZED KEYS @@ -52,11 +53,12 @@ class site_sshd { ## SSHD SERVER CONFIGURATION ## class { '::sshd': - manage_nagios => false, - ports => [ $ssh['port'] ], - use_pam => 'yes', - hardened_ssl => 'yes', - print_motd => 'no', - manage_client => false + manage_nagios => false, + ports => [ $ssh['port'] ], + use_pam => 'yes', + hardened_ssl => 'yes', + print_motd => 'no', + tcp_forwarding => $ssh_config['AllowTcpForwarding'], + manage_client => false } } -- cgit v1.2.3 From 702bf139f407d60e7c297ceb67fc6c30fead1e61 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 11 Sep 2015 10:34:56 -0700 Subject: switch aliases to use virtual_alias_maps --- puppet/modules/site_postfix/manifests/mx.pp | 9 ++++-- .../site_postfix/manifests/mx/static_aliases.pp | 32 ++++++++-------------- .../site_postfix/templates/custom-aliases.erb | 11 -------- .../site_postfix/templates/virtual-aliases.erb | 22 +++++++++++++++ 4 files changed, 40 insertions(+), 34 deletions(-) delete mode 100644 puppet/modules/site_postfix/templates/custom-aliases.erb create mode 100644 puppet/modules/site_postfix/templates/virtual-aliases.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index bff3e291..14c8634e 100644 
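Review bot: `tcp_forwarding => $ssh_config['AllowTcpForwarding']` passes through whatever the node sets, including `undef` when `ssh.config` has no such key, so the effective value depends on the `::sshd` class's own default, which this hunk does not show; for a hardening-relevant option the secure default should be explicit in this class. Suggest `$tcp_forwarding = $ssh_config['AllowTcpForwarding'] ? { undef => 'no', default => $ssh_config['AllowTcpForwarding'] }` plus a comment that enabling it lets any SSH user (here, anyone holding an authorized key) pivot through the node. `$ssh['config']` itself is read without a guard, so an `ssh` hash lacking `config` will also fail compilation.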
--- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -21,16 +21,20 @@ class site_postfix::mx { postfix::config { 'mynetworks': value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}"; + # Note: mydestination should not include @domain, because this is + # used in virtual alias maps. 'mydestination': - value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; + value => "\$myorigin, localhost, localhost.\$mydomain"; 'myhostname': value => $host_domain; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; + # Note: virtual-aliases map will take precedence over leap_mx + # lookup (tcp:localhost) 'virtual_alias_maps': - value => 'tcp:localhost:4242'; + value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'smtpd_tls_received_header': @@ -68,7 +72,6 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', - default_alias_maps => false, mastercf_tail => "smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index 786d74c1..d81e05b3 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp 
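Review bot: Dropping `${domain}` from mydestination means addresses at the provider domain are no longer local, so the role aliases that `site_postfix::mx::static_aliases` still installs with `postfix::mailalias` (postmaster, abuse, security, ...) resolve only for `@$myhostname`; `postmaster@${domain}` now goes through `hash:/etc/postfix/virtual-aliases` and then `tcp:localhost:4242`, and unless leap_mx answers for those names (not visible here) they will bounce. Either add the required role addresses to the virtual map as `postmaster@domain -> postmaster@$myhostname` entries or generate them in the template next to the custom ones. The note on `virtual_alias_maps` could also say that the hash map must be built with `postmap` before postfix is reloaded, since a missing `.db` makes cleanup defer all mail with a table lookup error; the class continues outside this hunk.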
@@ -30,29 +30,21 @@ class site_postfix::mx::static_aliases { } # - # Custom aliases. - # - # This does not use the puppet mailalias resource because we want to be able - # to guarantee the contents of the alias file. This is needed so if you - # remove an alias from the node's config, it will get removed from the alias - # file. - # - - # both alias files must be listed under "alias_database", because once you - # specify one, then `newaliases` no longer will default to updating - # "/etc/aliases.db". - postfix::config { - 'alias_database': - value => "/etc/aliases, /etc/postfix/custom-aliases"; - 'alias_maps': - value => "hash:/etc/aliases, hash:/etc/postfix/custom-aliases"; + # Custom static virtual aliases. + # + exec { 'postmap_virtual_aliases': + command => '/usr/sbin/postmap /etc/postfix/virtual-aliases', + refreshonly => true, + user => root, + group => root, + require => Package['postfix'], + subscribe => File['/etc/postfix/virtual-aliases'] } - - file { '/etc/postfix/custom-aliases': - content => template('site_postfix/custom-aliases.erb'), + file { '/etc/postfix/virtual-aliases': + content => template('site_postfix/virtual-aliases.erb'), owner => root, group => root, mode => 0600, - notify => Exec['newaliases'] + require => Package['postfix'] } } diff --git a/puppet/modules/site_postfix/templates/custom-aliases.erb b/puppet/modules/site_postfix/templates/custom-aliases.erb deleted file mode 100644 index f261514b..00000000 --- a/puppet/modules/site_postfix/templates/custom-aliases.erb +++ /dev/null @@ -1,11 +0,0 @@ -# -# This file is managed by puppet. -# -# This is a map of custom, non-standard aliases. The contents of this file -# are derived from the node property `mx.aliases`. -# - -<%- @aliases.keys.sort.each do |from| -%> -"<%= from %>": "<%= [@aliases[from]].flatten.join('", "') %>" -<%- end -%> - 
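Review bot: `postmap_virtual_aliases` is `refreshonly`, so `/etc/postfix/virtual-aliases.db` is rebuilt only when Puppet changes the source file; a `.db` that was deleted, left corrupt, or never created because one `postmap` run failed is not regenerated, and Postfix then rejects or defers mail for every address in the map. A staleness test makes the exec self-healing: replace `refreshonly => true` with `unless => 'test /etc/postfix/virtual-aliases.db -nt /etc/postfix/virtual-aliases'` and keep the `subscribe`. The exec should also be ordered before the Postfix reload that the `virtual_alias_maps` change in mx.pp triggers, i.e. `before => Service['postfix']` if that is the service title the postfix module declares; that ordering is not visible in this hunk.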
diff --git a/puppet/modules/site_postfix/templates/virtual-aliases.erb b/puppet/modules/site_postfix/templates/virtual-aliases.erb new file mode 100644 index 00000000..c474e734 --- /dev/null +++ b/puppet/modules/site_postfix/templates/virtual-aliases.erb @@ -0,0 +1,22 @@ +# +# This file is managed by puppet. +# +# This is a map of custom, non-standard aliases. The contents of this file +# are derived from the node property `mx.aliases`. +# + +# +# enable these virtual domains: +# +<%= @domain %> enabled +<%- @aliases.keys.map {|addr| addr.split('@')[1] }.compact.sort.uniq.each do |virt_domain| -%> +<%= virt_domain %> enabled +<%- end %> + +# +# virtual aliases: +# +<%- @aliases.keys.sort.each do |from| -%> +<%- full_address = from =~ /@/ ? from : from + "@" + @domain -%> +<%= full_address %> <%= [@aliases[from]].flatten.map{|a| a =~ /@/ ? a : a + "@" + @domain}.join(', ') %> +<%- end -%> -- cgit v1.2.3 From 36fea3b7f448f50d500c0ec1a30b8c745b6f8c4c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 15 Sep 2015 10:54:24 -0400 Subject: minor linting Change-Id: If92faee5f877301bf23564d5b6e71c4b1263de54 --- puppet/modules/site_postfix/manifests/mx/static_aliases.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index d81e05b3..e9118470 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -44,7 +44,7 @@ class site_postfix::mx::static_aliases { content => template('site_postfix/virtual-aliases.erb'), owner => root, group => root, - mode => 0600, + mode => '0600', require => Package['postfix'] } } -- cgit v1.2.3 From 2b1911f17b0ed5ee5ad2384e176b84b84243802f Mon Sep 17 00:00:00 2001 
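Review bot: The `<domain> enabled` entries do more than the template comment says: with the provider domain removed from mydestination in mx.pp, listing it here is presumably what makes Postfix accept mail for it at all (virtual_alias_domains defaults to $virtual_alias_maps), so deleting or renaming these lines turns every delivery for the domain into a relay-denied reject. The template should say so, e.g. `# Postfix reads the keys below as virtual_alias_domains (default: $virtual_alias_maps); removing a domain here stops the MX accepting mail for it`. Nothing validates the keys of `mx.aliases` either: a key containing whitespace or starting with `#` produces a malformed or commented-out map line, so either document that the node property is trusted as-is or fail early with `raise "bad alias #{from}" unless from =~ /\A[^\s#]+\z/`.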
From: elijah Date: Thu, 3 Sep 2015 23:24:43 -0700 Subject: make couchdb.admin.yml only readable by root, make non-admin cron run as webapp user. --- puppet/modules/site_webapp/manifests/couchdb.pp | 16 ++++++++-------- puppet/modules/site_webapp/manifests/cron.pp | 4 ++++ 2 files changed, 12 insertions(+), 8 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 1dbc745d..5cf7f953 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -14,29 +14,29 @@ class site_webapp::couchdb { file { '/srv/leap/webapp/config/couchdb.yml': content => template('site_webapp/couchdb.yml.erb'), - owner => leap-webapp, - group => leap-webapp, + owner => 'leap-webapp', + group => 'leap-webapp', mode => '0600', require => Vcsrepo['/srv/leap/webapp']; '/srv/leap/webapp/config/couchdb.admin.yml': content => template('site_webapp/couchdb.admin.yml.erb'), - owner => leap-webapp, - group => leap-webapp, + owner => 'root', + group => 'root', mode => '0600', require => Vcsrepo['/srv/leap/webapp']; '/srv/leap/webapp/log': ensure => directory, - owner => leap-webapp, - group => leap-webapp, + owner => 'leap-webapp', + group => 'leap-webapp', mode => '0755', require => Vcsrepo['/srv/leap/webapp']; '/srv/leap/webapp/log/production.log': ensure => present, - owner => leap-webapp, - group => leap-webapp, + owner => 'leap-webapp', + group => 'leap-webapp', mode => '0666', require => Vcsrepo['/srv/leap/webapp']; } diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp index d26ee312..7147a0d2 100644 --- a/puppet/modules/site_webapp/manifests/cron.pp +++ b/puppet/modules/site_webapp/manifests/cron.pp 
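Review bot: `/srv/leap/webapp/log/production.log` is still `mode => '0666'` on the new side, which lets every local account write to and truncate the application log; the file is owned by `leap-webapp` and the only other writer introduced by this change is root-run cron (cron.pp), so world-write serves neither. `mode => '0640'` is the fix, assuming no further uid writes the log, which this file does not show. The move of `couchdb.admin.yml` to root:root 0600 is right; a one-line comment explaining why it differs from `couchdb.yml` (`# admin credentials: root-only, the web process must not read these`) would stop someone 'fixing' the ownership back.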
@@ -5,12 +5,14 @@ class site_webapp::cron { 'rotate_databases': command => 'cd /srv/leap/webapp && bundle exec rake db:rotate', environment => 'RAILS_ENV=production', + user => 'root', hour => [0,6,12,18], minute => 0; 'delete_tmp_databases': command => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp', environment => 'RAILS_ENV=production', + user => 'root', hour => 1, minute => 1; @@ -19,6 +21,7 @@ class site_webapp::cron { 'remove_expired_sessions': command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions', environment => 'RAILS_ENV=production', + user => 'leap-webapp', hour => 2, minute => 30, ensure => absent; @@ -26,6 +29,7 @@ class site_webapp::cron { 'remove_expired_tokens': command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens', environment => 'RAILS_ENV=production', + user => 'leap-webapp', hour => 3, minute => 0; } -- cgit v1.2.3 From 2e30fad6b23f591e84acc06263774919eee6ec76 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Sun, 20 Sep 2015 23:31:10 +0200 Subject: automatic update of submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apt b/puppet/modules/apt index fca10348..ab90d1d0 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit fca103484ddc1f647a54135b6a902edabf459554 +Subproject commit ab90d1d0fe9655d367c637e95dff59e4dbe2dd35 -- cgit v1.2.3 From bbc95640557e200a5a4e463f451ed647692dc0a3 Mon Sep 17 00:00:00 2001 
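Review bot: Running `rotate_databases` and `delete_tmp_databases` as root makes root execute `bundle exec rake` from `/srv/leap/webapp`, so root now trusts the Gemfile, Rakefile and every gem and task in that checkout. If any part of that tree is writable by `leap-webapp` (the log directory beside it is owned by that user; the ownership of the Vcsrepo itself is not visible here), a compromised web process can drop a task and become root at the next run. Either make the checkout root-owned and read-only for `leap-webapp`, or run these jobs as a dedicated user that can read `couchdb.admin.yml` but cannot write the checkout. At minimum add `# runs as root only because couchdb.admin.yml is root-readable; the checkout must not be writable by leap-webapp` above the two entries.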
From: Micah Date: Sat, 19 Sep 2015 22:19:44 -0400 Subject: Remove no longer used vhost for leap_webapp (#7475) The configuration /etc/apache/sites-enabled/leap_webapp.conf was never removed after 6255e58bf9ff3489bf2707bc2be9759ec5c7db68 made it obsolete, and because it exists on older systems, it is being used instead of the correct common.conf. This removes it and reloads apache. Change-Id: Ic4c9901f4bba869ecb3dfe5362dfd1971570f89a --- puppet/modules/site_config/manifests/remove_files.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp index a9a0c8bf..e2ab3c2e 100644 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ b/puppet/modules/site_config/manifests/remove_files.pp @@ -23,6 +23,8 @@ class site_config::remove_files { '/etc/logrotate.d/mx':; '/etc/logrotate.d/stunnel':; '/var/log/stunnel4/stunnel.log':; + '/etc/apache/sites-enabled/leap_webapp.conf': + notify => Service['apache']; 'leap_mx': path => '/var/log/', recurse => true, -- cgit v1.2.3 From 4b26c0f30980789844c747e796c12958f51c932c Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 24 Sep 2015 11:25:48 -0400 Subject: fix missing service dependency error this tidy should only happen on webapp nodes Change-Id: I56faac4fa28fde9dcad7ce9a6ed0d684630a556e --- puppet/modules/site_config/manifests/remove_files.pp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp index e2ab3c2e..51d1ea88 100644 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ b/puppet/modules/site_config/manifests/remove_files.pp 
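Review bot: The path `/etc/apache/sites-enabled/leap_webapp.conf` looks wrong: Debian's Apache configuration lives under `/etc/apache2/` (the hidden_service manifest later in this series removes `/etc/apache2/mods-enabled/status.conf`), so this tidy would match nothing and the stale vhost the commit message describes stays active, still shadowing common.conf. Unless the apache module on these nodes really installs under `/etc/apache`, which is not visible here, the entry should read `'/etc/apache2/sites-enabled/leap_webapp.conf': notify => Service['apache'];`. A quick `ls /etc/apache*/sites-enabled` on an upgraded node settles which spelling exists.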
@@ -23,8 +23,6 @@ class site_config::remove_files { '/etc/logrotate.d/mx':; '/etc/logrotate.d/stunnel':; '/var/log/stunnel4/stunnel.log':; - '/etc/apache/sites-enabled/leap_webapp.conf': - notify => Service['apache']; 'leap_mx': path => '/var/log/', recurse => true, @@ -39,6 +37,13 @@ class site_config::remove_files { rmdirs => true; } + if member($::services, 'webapp') { + tidy { + '/etc/apache/sites-enabled/leap_webapp.conf': + notify => Service['apache']; + } + } + # leax-mx logged to /var/log/leap_mx.log in the past # we need to use a dumb exec here because file_line doesn't # allow removing lines that match a regex in the current version -- cgit v1.2.3 From afd8867ba953513c6e08f957e3099f0ff3b1a3a2 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 24 Sep 2015 13:29:15 -0700 Subject: allow certain aliases, like 'abuse', to be publicly forwardable. --- .../site_postfix/manifests/mx/static_aliases.pp | 68 +++++++++++++++++----- .../site_postfix/templates/virtual-aliases.erb | 3 +- 2 files changed, 54 insertions(+), 17 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index e9118470..71c0555a 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp 
@@ -1,37 +1,75 @@ # # Defines static, hard coded aliases that are not in the database. +# These aliases take precedence over the database aliases. +# +# There are three classes of reserved names: +# +# (1) forbidden_usernames: +# Some usernames are forbidden and cannot be registered. +# this is defined in node property webapp.forbidden_usernames +# This is enforced by the webapp. +# +# (2) public aliases: +# Some aliases for root, and are publicly exposed so that anyone +# can deliver mail to them. For example, postmaster. +# These are implemented in the virtual alias map, which takes +# precedence over the local alias map. +# +# (3) local aliases: +# Some aliases are only available locally: mail can be delivered +# to the alias if the mail originates from the local host, or is +# hostname qualified, but otherwise it will be rejected. +# These are implemented in the local alias map. +# +# The alias for local 'root' is defined elsewhere. In this file, we +# define the virtual 'root@domain' (which can be overwritten by +# defining an entry for root in node property mx.aliases). # class site_postfix::mx::static_aliases { $mx = hiera('mx') - $aliases = $mx['aliases'] + $root_recipients = hiera('contacts') # - # Predefined aliases. 
- # - # Defines which mail addresses shouldn't be available and where they should - # fwd - # - # TODO: reconcile this with the node property webapp.forbidden_usernames + # LOCAL ALIASES # + # NOTE: if you remove one of these, they will still appear in the # /etc/aliases file - # + $local_aliases = [ + 'admin', 'administrator', 'bin', 'cron', 'games', 'ftp', 'lp', 'maildrop', + 'mysql', 'news', 'nobody', 'noc', 'postgresql', 'ssladmin', 'sys', + 'usenet', 'uucp', 'www', 'www-data' + ] + postfix::mailalias { - [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', - 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', - 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', - 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', - 'www-data', - ]: + $local_aliases: ensure => present, recipient => 'root' } # - # Custom static virtual aliases. + # PUBLIC ALIASES # + + $public_aliases = $mx['aliases'] + + $default_public_aliases = { + 'root' => $root_recipients, + 'abuse' => 'postmaster', + 'arin-admin' => 'root', + 'certmaster' => 'hostmaster', + 'domainadmin' => 'hostmaster', + 'hostmaster' => 'root', + 'mailer-daemon' => 'postmaster', + 'postmaster' => 'root', + 'security' => 'root', + 'webmaster' => 'hostmaster', + } + + $aliases = merge($default_public_aliases, $public_aliases) + exec { 'postmap_virtual_aliases': command => '/usr/sbin/postmap /etc/postfix/virtual-aliases', refreshonly => true, diff --git a/puppet/modules/site_postfix/templates/virtual-aliases.erb b/puppet/modules/site_postfix/templates/virtual-aliases.erb index c474e734..8373de97 100644 --- a/puppet/modules/site_postfix/templates/virtual-aliases.erb +++ b/puppet/modules/site_postfix/templates/virtual-aliases.erb 
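Review bot: The old `# TODO: reconcile this with the node property webapp.forbidden_usernames` is deleted without being resolved, and the new header describes forbidden_usernames as something the webapp enforces separately. Because the virtual alias map takes precedence over the leap_mx tcp lookup (per mx.pp), every key of `$default_public_aliases` and of the operator-supplied `mx.aliases` captures mail for a same-named registered user: adding `'support' => 'root'` to a node redirects an existing support@domain user's inbound mail to the provider contacts. Document that invariant here, e.g. `# every key in $aliases must also be in webapp.forbidden_usernames, otherwise it steals mail from an existing user of that name`, and where the webapp property is available on mx nodes fail the catalog when a key is missing from it; `'security' => 'root'` and `'abuse' => 'postmaster'` are the entries most worth guarding. The class body continues past the end of this hunk.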
@@ -1,8 +1,7 @@ # # This file is managed by puppet. # -# This is a map of custom, non-standard aliases. The contents of this file -# are derived from the node property `mx.aliases`. +# These virtual aliases take precedence over all other aliases. # # -- cgit v1.2.3 From 14bcd5b08e3059e44e90f080c29fc6e8054cf193 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 24 Sep 2015 13:34:49 -0700 Subject: do not remove /var/log/leap/mx.log.*, this is where leap_mx is logging. --- puppet/modules/site_config/manifests/remove_files.pp | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp index e2ab3c2e..776c3731 100644 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ b/puppet/modules/site_config/manifests/remove_files.pp @@ -11,6 +11,16 @@ class site_config::remove_files { + # + # Platform 0.8 removals + # + + tidy { + '/etc/apache/sites-enabled/leap_webapp.conf': + notify => Service['apache']; + } + + # # Platform 0.7 removals # @@ -23,16 +33,10 @@ class site_config::remove_files { '/etc/logrotate.d/mx':; '/etc/logrotate.d/stunnel':; '/var/log/stunnel4/stunnel.log':; - '/etc/apache/sites-enabled/leap_webapp.conf': - notify => Service['apache']; 'leap_mx': path => '/var/log/', recurse => true, matches => 'leap_mx*'; - 'leap_mx_rotate': - path => '/var/log/leap/', - recurse => true, - matches => [ 'mx.log.[0-9]', 'mx.log.[0-9]?', 'mx.log.[6-9]?gz']; '/srv/leap/webapp/public/provider.json':; '/srv/leap/couchdb/designs/tmp_users': recurse => true, -- cgit v1.2.3 From 25f7aabc528f9c6804c9b7cf7a1cc6335d43a119 Mon Sep 17 00:00:00 2001 From: ankonym Date: Mon, 28 Sep 2015 13:50:08 +0200 Subject: Modify config.yml.erb to include the invite code option --- puppet/modules/site_webapp/templates/config.yml.erb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') 
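Review bot: The tidy for `/etc/apache/sites-enabled/leap_webapp.conf` is moved into the new 'Platform 0.8 removals' block with its `notify => Service['apache']` but without the `if member($::services, 'webapp')` guard that the sibling commit 'fix missing service dependency error' adds for exactly this resource; on a node that does not declare Service['apache'] the notify is a catalog failure, not a no-op. If this commit was branched before that guard, as the context lines suggest, the merge should keep the guarded form rather than this one. The `/etc/apache/` spelling also differs from the `/etc/apache2/` path used elsewhere in this series and needs checking.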
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 5cb436fc..19ed6b7b 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -21,7 +21,8 @@ production = { "default_service_level" => @webapp['default_service_level'], "service_levels" => @webapp['service_levels'], "allow_registration" => @webapp['allow_registration'], - "handle_blacklist" => @webapp['forbidden_usernames'] + "handle_blacklist" => @webapp['forbidden_usernames'], + "invite_required" => @webapp['invite_required'] } if @webapp['engines'] && @webapp['engines'].any? -- cgit v1.2.3 From 3224a73ec6b2f06cf4c43f86d5b7673e442043dd Mon Sep 17 00:00:00 2001 From: ankonym Date: Mon, 28 Sep 2015 15:42:08 +0200 Subject: Create invite code db and design docs --- .../files/designs/invite_codes/InviteCode.json | 22 ++++++++++++++++++++++ .../modules/site_couchdb/manifests/create_dbs.pp | 9 +++++++++ puppet/modules/site_couchdb/manifests/designs.pp | 13 +++++++------ 3 files changed, 38 insertions(+), 6 deletions(-) create mode 100644 puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json b/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json new file mode 100644 index 00000000..006c1ea1 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/invite_codes/InviteCode.json 
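Review bot: `"invite_required" => @webapp['invite_required']` renders as `nil` when the node property is missing or misspelled, which the webapp will presumably read as 'invites not required', so a registration gate fails open by omission. Whether the platform ships a default for this key in its node defaults is not visible here; if it does not, make the intent explicit with `"invite_required" => @webapp.fetch('invite_required', false)` and a comment `# nil/missing means open registration — set explicitly in the provider config` so the absence of the key is a decision rather than an accident.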
@@ -0,0 +1,22 @@ +{ + "_id": "_design/InviteCode", + "language": "javascript", + "views": { + "by__id": { + "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['_id'] != null)) {\n emit(doc['_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_invite_code": { + "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_code'] != null)) {\n emit(doc['invite_code'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_invite_count": { + "map": " function(doc) {\n if ((doc['type'] == 'InviteCode') && (doc['invite_count'] != null)) {\n emit(doc['invite_count'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'InviteCode') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "83fb8f504520b4a9c7ddbb7928cd0ce3" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index eea4bbf5..a2d1c655 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -90,4 +90,13 @@ class site_couchdb::create_dbs { members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } + + ## invite_codes db + ## store invite codes for new signups + ## r/w: webapp + couchdb::create_db { 'invite_codes': + members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", + require => Couchdb::Query::Setup['localhost'] + } + } diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp index 1ab1c6a1..e5fd94c6 100644 --- a/puppet/modules/site_couchdb/manifests/designs.pp +++ b/puppet/modules/site_couchdb/manifests/designs.pp 
@@ -12,12 +12,13 @@ class site_couchdb::designs { } site_couchdb::upload_design { - 'customers': design => 'customers/Customer.json'; - 'identities': design => 'identities/Identity.json'; - 'tickets': design => 'tickets/Ticket.json'; - 'messages': design => 'messages/Message.json'; - 'users': design => 'users/User.json'; - 'tmp_users': design => 'users/User.json'; + 'customers': design => 'customers/Customer.json'; + 'identities': design => 'identities/Identity.json'; + 'tickets': design => 'tickets/Ticket.json'; + 'messages': design => 'messages/Message.json'; + 'users': design => 'users/User.json'; + 'tmp_users': design => 'users/User.json'; + 'invite_codes': design => 'invite_codes/InviteCode.json'; 'shared_docs': db => 'shared', design => 'shared/docs.json'; -- cgit v1.2.3 From 35c122900c52858b25e4ff8117b8f1eff47304a5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 15 Sep 2015 11:52:20 -0400 Subject: Fix server-status availability to tor hidden services (#7456) Make the server-status information unavailable by putting the vhost on a port that isn't configured as available to the tor hidden-service. Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb --- puppet/modules/site_apache/manifests/common.pp | 21 +--------------- puppet/modules/site_apache/manifests/common/tls.pp | 6 +++++ puppet/modules/site_nagios/manifests/server.pp | 1 + puppet/modules/site_static/manifests/init.pp | 13 ++++++---- .../modules/site_webapp/files/server-status.conf | 28 ++++++++++++++++++++++ puppet/modules/site_webapp/manifests/apache.pp | 3 ++- .../modules/site_webapp/manifests/common_vhost.pp | 18 ++++++++++++++ .../site_webapp/manifests/hidden_service.pp | 10 ++++++-- 8 files changed, 73 insertions(+), 27 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/common/tls.pp create mode 100644 puppet/modules/site_webapp/files/server-status.conf create mode 100644 puppet/modules/site_webapp/manifests/common_vhost.pp (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 2b83ffa5..64beb231 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp @@ -1,27 +1,8 @@ class site_apache::common { - # installs x509 cert + key and common config - # that both nagios + leap webapp use - - $web_domain = hiera('domain') - $domain_name = $web_domain['name'] - - include x509::variables - include site_config::x509::commercial::cert - include site_config::x509::commercial::key - include site_config::x509::commercial::ca - - Class['Site_config::X509::Commercial::Key'] ~> Service[apache] - Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] - Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] include site_apache::module::rewrite class { '::apache': no_default_site => true, ssl => true } - apache::vhost::file { - 'common': - content => template('site_apache/vhosts.d/common.conf.erb') - } - - apache::config::include{ 'ssl_common.inc': } + include site_apache::common::tls } diff --git a/puppet/modules/site_apache/manifests/common/tls.pp b/puppet/modules/site_apache/manifests/common/tls.pp new file mode 100644 index 00000000..040868bf --- /dev/null +++ b/puppet/modules/site_apache/manifests/common/tls.pp @@ -0,0 +1,6 @@ +class site_apache::common::tls { + # class to setup common SSL configurations + + apache::config::include{ 'ssl_common.inc': } + +} diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index cb6c8d95..60a471b7 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -32,6 +32,7 @@ class site_nagios::server inherits nagios::base { } include site_apache::common + include site_webapp::common_vhost include site_apache::module::headers File ['nagios_htpasswd'] { 
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 1efc510b..f69ffba7 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -9,6 +9,7 @@ class site_static { $domains = $static['domains'] $formats = $static['formats'] $bootstrap = $static['bootstrap_files'] + $tor = hiera('tor', false) if $bootstrap['enabled'] { $bootstrap_domain = $bootstrap['domain'] @@ -27,14 +28,11 @@ class site_static { } } - class { '::apache': no_default_site => true, ssl => true } include site_apache::module::headers include site_apache::module::alias include site_apache::module::expires include site_apache::module::removeip - include site_apache::module::rewrite - apache::config::include{ 'ssl_common.inc': } - + include site_apache::common include site_config::ruby::dev if (member($formats, 'rack')) { @@ -57,6 +55,13 @@ class site_static { create_resources(site_static::domain, $domains) + if $tor { + $hidden_service = $tor['hidden_service'] + if $hidden_service['active'] { + include site_webapp::hidden_service + } + } + include site_shorewall::defaults include site_shorewall::service::http include site_shorewall::service::https diff --git a/puppet/modules/site_webapp/files/server-status.conf b/puppet/modules/site_webapp/files/server-status.conf new file mode 100644 index 00000000..84cb9ae0 --- /dev/null +++ b/puppet/modules/site_webapp/files/server-status.conf @@ -0,0 +1,28 @@ +# Keep track of extended status information for each request +ExtendedStatus On + +# Determine if mod_status displays the first 63 characters of a request or +# the last 63, assuming the request itself is greater than 63 chars. +# Default: Off +#SeeRequestTail On + +Listen 127.0.0.1:8162 +NameVirtualHost 127.0.0.1:8162 + + + + + SetHandler server-status + Order deny,allow + Deny from all + Allow from 127.0.0.1 + + + + + + + # Show Proxy LoadBalancer status in mod_status + ProxyStatus On + + 
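Review bot: `Allow from 127.0.0.1` is not what keeps /server-status off the onion service: a Tor hidden service typically forwards to a loopback target, so requests arriving via Tor also come from 127.0.0.1 and would pass this ACL. The isolation rests entirely on port 8162 not being listed as a HiddenServicePort in torrc, and nothing in this file says so; add `# Reachable only on loopback:8162 — not mapped in torrc, never add it there` above `Listen 127.0.0.1:8162`. `Order`/`Deny`/`Allow` is Apache 2.2 syntax; on 2.4 without mod_access_compat it is a config error and the equivalent is `Require ip 127.0.0.1` (the target Apache version is not visible here). The `<VirtualHost>`/`<Location>` container lines did not survive this rendering, so the scope the ACL applies to could not be checked.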
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 93e172a0..ddd04a91 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -15,12 +15,13 @@ class site_webapp::apache { include site_apache::module::alias include site_apache::module::expires include site_apache::module::removeip + include site_webapp::common_vhost class { 'passenger': use_munin => false } apache::vhost::file { 'api': - content => template('site_apache/vhosts.d/api.conf.erb') + content => template('site_apache/vhosts.d/api.conf.erb'); } } diff --git a/puppet/modules/site_webapp/manifests/common_vhost.pp b/puppet/modules/site_webapp/manifests/common_vhost.pp new file mode 100644 index 00000000..c57aad57 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/common_vhost.pp @@ -0,0 +1,18 @@ +class site_webapp::common_vhost { + # installs x509 cert + key and common config + # that both nagios + leap webapp use + + include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca + + Class['Site_config::X509::Commercial::Key'] ~> Service[apache] + Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] + Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] + + apache::vhost::file { + 'common': + content => template('site_apache/vhosts.d/common.conf.erb') + } +} diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 16b6e2e7..99a756ca 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp 
@@ -32,12 +32,18 @@ class site_webapp::hidden_service { owner => 'debian-tor', group => 'debian-tor', mode => '0600'; + + '/etc/apache2/mods-enabled/status.conf': + ensure => absent, + notify => Service['apache']; } apache::vhost::file { 'hidden_service': - content => template('site_apache/vhosts.d/hidden_service.conf.erb') + content => template('site_apache/vhosts.d/hidden_service.conf.erb'); + 'server_status': + vhost_source => 'modules/site_webapp/server-status.conf'; } include site_shorewall::tor -} \ No newline at end of file +} -- cgit v1.2.3 From 8b0910f1caf19884b6b46976b72536ee1f570ed5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 15 Sep 2015 11:52:20 -0400 Subject: Fix server-status availability to tor hidden services (#7456) Make the server-status information unavailable by putting the vhost on a port that isn't configured as available to the tor hidden-service. Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb --- puppet/modules/site_apache/manifests/common.pp | 21 +--------------- puppet/modules/site_apache/manifests/common/tls.pp | 6 +++++ puppet/modules/site_nagios/manifests/server.pp | 1 + puppet/modules/site_static/manifests/init.pp | 13 ++++++---- .../modules/site_webapp/files/server-status.conf | 28 ++++++++++++++++++++++ puppet/modules/site_webapp/manifests/apache.pp | 3 ++- .../modules/site_webapp/manifests/common_vhost.pp | 18 ++++++++++++++ .../site_webapp/manifests/hidden_service.pp | 10 ++++++-- 8 files changed, 73 insertions(+), 27 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/common/tls.pp create mode 100644 puppet/modules/site_webapp/files/server-status.conf create mode 100644 puppet/modules/site_webapp/manifests/common_vhost.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 2b83ffa5..64beb231 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp 
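Review bot: `ensure => absent` on `/etc/apache2/mods-enabled/status.conf` removes only the conf half of the Debian module pair; `status.load` stays, so mod_status remains loaded and the handler is exposed wherever a vhost sets `SetHandler server-status`, which is exactly what the new `server_status` vhost relies on. A comment saying so, e.g. `# remove only the default /server-status Location; mod_status itself must stay loaded for the 8162 vhost`, prevents someone from 'completing' the removal with a2dismod and breaking the loopback endpoint. Note that an `a2enmod status` by hand recreates the default Location on every vhost, including the Tor-facing one, until the next Puppet run; that window is inherent to managing the symlink this way.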
@@ -1,27 +1,8 @@ class site_apache::common { - # installs x509 cert + key and common config - # that both nagios + leap webapp use - - $web_domain = hiera('domain') - $domain_name = $web_domain['name'] - - include x509::variables - include site_config::x509::commercial::cert - include site_config::x509::commercial::key - include site_config::x509::commercial::ca - - Class['Site_config::X509::Commercial::Key'] ~> Service[apache] - Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] - Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] include site_apache::module::rewrite class { '::apache': no_default_site => true, ssl => true } - apache::vhost::file { - 'common': - content => template('site_apache/vhosts.d/common.conf.erb') - } - - apache::config::include{ 'ssl_common.inc': } + include site_apache::common::tls } diff --git a/puppet/modules/site_apache/manifests/common/tls.pp b/puppet/modules/site_apache/manifests/common/tls.pp new file mode 100644 index 00000000..040868bf --- /dev/null +++ b/puppet/modules/site_apache/manifests/common/tls.pp @@ -0,0 +1,6 @@ +class site_apache::common::tls { + # class to setup common SSL configurations + + apache::config::include{ 'ssl_common.inc': } + +} diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index cb6c8d95..60a471b7 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -32,6 +32,7 @@ class site_nagios::server inherits nagios::base { } include site_apache::common + include site_webapp::common_vhost include site_apache::module::headers File ['nagios_htpasswd'] { diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 1efc510b..f69ffba7 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp 
@@ -9,6 +9,7 @@ class site_static { $domains = $static['domains'] $formats = $static['formats'] $bootstrap = $static['bootstrap_files'] + $tor = hiera('tor', false) if $bootstrap['enabled'] { $bootstrap_domain = $bootstrap['domain'] @@ -27,14 +28,11 @@ class site_static { } } - class { '::apache': no_default_site => true, ssl => true } include site_apache::module::headers include site_apache::module::alias include site_apache::module::expires include site_apache::module::removeip - include site_apache::module::rewrite - apache::config::include{ 'ssl_common.inc': } - + include site_apache::common include site_config::ruby::dev if (member($formats, 'rack')) { @@ -57,6 +55,13 @@ class site_static { create_resources(site_static::domain, $domains) + if $tor { + $hidden_service = $tor['hidden_service'] + if $hidden_service['active'] { + include site_webapp::hidden_service + } + } + include site_shorewall::defaults include site_shorewall::service::http include site_shorewall::service::https diff --git a/puppet/modules/site_webapp/files/server-status.conf b/puppet/modules/site_webapp/files/server-status.conf new file mode 100644 index 00000000..84cb9ae0 --- /dev/null +++ b/puppet/modules/site_webapp/files/server-status.conf @@ -0,0 +1,28 @@ +# Keep track of extended status information for each request +ExtendedStatus On + +# Determine if mod_status displays the first 63 characters of a request or +# the last 63, assuming the request itself is greater than 63 chars. +# Default: Off +#SeeRequestTail On + +Listen 127.0.0.1:8162 +NameVirtualHost 127.0.0.1:8162 + + + + + SetHandler server-status + Order deny,allow + Deny from all + Allow from 127.0.0.1 + + + + + + + # Show Proxy LoadBalancer status in mod_status + ProxyStatus On + + diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 93e172a0..ddd04a91 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp 
@@ -15,12 +15,13 @@ class site_webapp::apache { include site_apache::module::alias include site_apache::module::expires include site_apache::module::removeip + include site_webapp::common_vhost class { 'passenger': use_munin => false } apache::vhost::file { 'api': - content => template('site_apache/vhosts.d/api.conf.erb') + content => template('site_apache/vhosts.d/api.conf.erb'); } } diff --git a/puppet/modules/site_webapp/manifests/common_vhost.pp b/puppet/modules/site_webapp/manifests/common_vhost.pp new file mode 100644 index 00000000..c57aad57 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/common_vhost.pp @@ -0,0 +1,18 @@ +class site_webapp::common_vhost { + # installs x509 cert + key and common config + # that both nagios + leap webapp use + + include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca + + Class['Site_config::X509::Commercial::Key'] ~> Service[apache] + Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] + Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] + + apache::vhost::file { + 'common': + content => template('site_apache/vhosts.d/common.conf.erb') + } +} diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 16b6e2e7..99a756ca 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp 
@@ -32,12 +32,18 @@ class site_webapp::hidden_service { owner => 'debian-tor', group => 'debian-tor', mode => '0600'; + + '/etc/apache2/mods-enabled/status.conf': + ensure => absent, + notify => Service['apache']; } apache::vhost::file { 'hidden_service': - content => template('site_apache/vhosts.d/hidden_service.conf.erb') + content => template('site_apache/vhosts.d/hidden_service.conf.erb'); + 'server_status': + vhost_source => 'modules/site_webapp/server-status.conf'; } include site_shorewall::tor -} \ No newline at end of file +} -- cgit v1.2.3 From 5cc27111151083d0a8e5098505a0024c2d2ea201 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 24 Sep 2015 11:25:48 -0400 Subject: fix missing service dependency error this tidy should only happen on webapp nodes Change-Id: I56faac4fa28fde9dcad7ce9a6ed0d684630a556e --- puppet/modules/site_config/manifests/remove_files.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp index 776c3731..8b2f9541 100644 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ b/puppet/modules/site_config/manifests/remove_files.pp @@ -43,6 +43,13 @@ class site_config::remove_files { rmdirs => true; } + if member($::services, 'webapp') { + tidy { + '/etc/apache/sites-enabled/leap_webapp.conf': + notify => Service['apache']; + } + } + # leax-mx logged to /var/log/leap_mx.log in the past # we need to use a dumb exec here because file_line doesn't # allow removing lines that match a regex in the current version -- cgit v1.2.3 From 4fc7419598a3baf564f063b7330b9cf9115420b5 Mon Sep 17 00:00:00 2001 
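Review bot: The reason for removing `/etc/apache2/mods-enabled/status.conf` and adding the `server_status` vhost is not recorded in the hunk, and it is not obvious from the code. Presumably the stock status.conf allows `/server-status` from 127.0.0.1 in every vhost, and since Tor hands hidden-service requests to Apache from 127.0.0.1 the status page would become reachable through the .onion address — confirm that, and if so say it next to the absent file: `# stock status.conf grants /server-status to 127.0.0.1 in every vhost, and onion requests arrive from 127.0.0.1; serve mod_status only on the dedicated loopback listener instead`. The class body continues outside the hunk.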
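Review bot: The tidy path `/etc/apache/sites-enabled/leap_webapp.conf` does not match the Debian layout used elsewhere on this page (`/etc/apache2/mods-enabled/status.conf` in site_webapp::hidden_service), so unless the apache module really installs under `/etc/apache` this resource never finds anything and the old vhost stays enabled; the same path is carried unchanged into `site_config::remove::files` by commit 276b77cd. If `/etc/apache2` is meant, the line should read `'/etc/apache/sites-enabled/leap_webapp.conf':` → `'/etc/apache2/sites-enabled/leap_webapp.conf':`. The `member($::services, 'webapp')` guard itself is the right way to keep `Service['apache']` out of catalogs that do not declare it.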
From: varac Date: Thu, 1 Oct 2015 12:06:02 +0200 Subject: [feat] Create-user-db: use couchdb admin rights - create soledad-admin user - deploy netrc file for userdb creation - Move soledad-server.conf from /etc/leap to /etc/soledad - make soledad-server.conf group-accessible for the soledad group, so the soledad-admin user can read it - Resolves: #7502 --- .../modules/site_config/manifests/remove_files.pp | 1 + puppet/modules/site_couchdb/manifests/setup.pp | 35 +++++++++++++++------- puppet/modules/soledad/manifests/init.pp | 17 +++++++++-- puppet/modules/soledad/manifests/server.pp | 21 ++++++++----- .../soledad/templates/soledad-server.conf.erb | 5 ++-- 5 files changed, 56 insertions(+), 23 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp index 776c3731..3532c0f0 100644 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ b/puppet/modules/site_config/manifests/remove_files.pp @@ -41,6 +41,7 @@ class site_config::remove_files { '/srv/leap/couchdb/designs/tmp_users': recurse => true, rmdirs => true; + '/etc/leap/soledad-server.conf':; } # leax-mx logged to /var/log/leap_mx.log in the past diff --git a/puppet/modules/site_couchdb/manifests/setup.pp b/puppet/modules/site_couchdb/manifests/setup.pp index 69bd1c6a..fef48505 100644 --- a/puppet/modules/site_couchdb/manifests/setup.pp +++ b/puppet/modules/site_couchdb/manifests/setup.pp 
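Review bot: The added tidy entry `'/etc/leap/soledad-server.conf':;` deletes a file that, per the template in this same commit, carries CouchDB credentials in `couch_url`, and tidy passes its `backup` setting through to the file resource it generates for the deletion. Unless that resolves to no backup on this Puppet version, the old config is copied into the agent's filebucket and the credential lingers there; confirm, and if so write `'/etc/leap/soledad-server.conf': backup => false;`. A short comment naming why the file moved (to /etc/soledad in this commit) would also tell a later maintainer when the entry can be dropped.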
@@ -12,27 +12,40 @@ class site_couchdb::setup { $user = $site_couchdb::couchdb_admin_user - # /etc/couchdb/couchdb-admin.netrc is deployed by couchdb::query::setup - # we symlink to couchdb.netrc for puppet commands. - # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) - # and makes life easier for the admin (i.e. using curl/wget without - # passing credentials) + # setup /etc/couchdb/couchdb-admin.netrc for couchdb admin access + couchdb::query::setup { 'localhost': + user => $user, + pw => $site_couchdb::couchdb_admin_pw + } + + # We symlink /etc/couchdb/couchdb-admin.netrc to /etc/couchdb/couchdb.netrc + # for puppet commands, and to to /root/.netrc for couchdb_scripts + # (eg. backup) and to makes life easier for the admin on the command line + # (i.e. using curl/wget without passing credentials) file { '/etc/couchdb/couchdb.netrc': ensure => link, target => "/etc/couchdb/couchdb-${user}.netrc"; - '/root/.netrc': ensure => link, target => '/etc/couchdb/couchdb.netrc'; + } - '/srv/leap/couchdb': - ensure => directory + # setup /etc/couchdb/couchdb-soledad-admin.netrc file for couchdb admin + # access, accessible only for the soledad-admin user to create soledad + # userdbs + file { '/etc/couchdb/couchdb-soledad-admin.netrc': + content => "machine localhost login ${user} password ${site_couchdb::couchdb_admin_pw}", + mode => '0400', + owner => 'soledad-admin', + group => 'root', + require => [ Package['couchdb'], User['soledad-admin'] ]; } - couchdb::query::setup { 'localhost': - user => $user, - pw => $site_couchdb::couchdb_admin_pw, + # Checkout couchdb_scripts repo + file { + '/srv/leap/couchdb': + ensure => directory } vcsrepo { '/srv/leap/couchdb/scripts': diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp index 7cf0b729..6a2c328e 100644 --- a/puppet/modules/soledad/manifests/init.pp +++ b/puppet/modules/soledad/manifests/init.pp 
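Review bot: The new `file { '/etc/couchdb/couchdb-soledad-admin.netrc': ... }` writes the CouchDB admin password through `content`, so any change to it is printed as a content diff in agent output and reports when the agent runs with show_diff enabled; add `show_diff => false,` to the resource so the secret is never echoed. The `require => [ Package['couchdb'], User['soledad-admin'] ]` also makes this class depend on the soledad module being in the same catalog: on a couchdb node that does not include `soledad`, the unresolved `User['soledad-admin']` fails the run, the same failure mode as the `Service['apache']` reference fixed by commit 5cc27111 on this page — confirm every couchdb node also runs soledad, or guard the resource on that. The rest of the class (the vcsrepo) continues outside the hunk.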
@@ -1,18 +1,29 @@ +# set up users, group and directories for soledad-server +# although the soledad users are already created by the +# soledad-server package class soledad { group { 'soledad': - ensure => present, - allowdupe => false; + ensure => present, + system => true, } user { 'soledad': ensure => present, - allowdupe => false, + system => true, gid => 'soledad', home => '/srv/leap/soledad', require => Group['soledad']; } + user { 'soledad-admin': + ensure => present, + system => true, + gid => 'soledad', + home => '/srv/leap/soledad', + require => Group['soledad']; + } + file { '/srv/leap/soledad': ensure => directory, diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index b71fab69..e437c8f2 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -1,3 +1,4 @@ +# setup soledad-server class soledad::server { tag 'leap_service' include soledad @@ -22,13 +23,19 @@ class soledad::server { # SOLEDAD CONFIG # - file { '/etc/leap/soledad-server.conf': - content => template('soledad/soledad-server.conf.erb'), - owner => 'soledad', - group => 'soledad', - mode => '0600', - notify => Service['soledad-server'], - require => Class['soledad']; + file { + '/etc/soledad': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755'; + '/etc/soledad/soledad-server.conf': + content => template('soledad/soledad-server.conf.erb'), + owner => 'soledad', + group => 'soledad', + mode => '0640', + notify => Service['soledad-server'], + require => Class['soledad']; } package { $sources['soledad']['package']: diff --git a/puppet/modules/soledad/templates/soledad-server.conf.erb b/puppet/modules/soledad/templates/soledad-server.conf.erb index 47d1f6e4..42cf44d8 100644 --- a/puppet/modules/soledad/templates/soledad-server.conf.erb +++ b/puppet/modules/soledad/templates/soledad-server.conf.erb 
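Review bot: The new `soledad-admin` account shares `home => '/srv/leap/soledad'` with the `soledad` service account, and the `file { '/srv/leap/soledad':` resource that sets that directory's owner and mode continues outside the hunk, so it cannot be seen here whether the unprivileged service user can write into the admin user's home (anything dropped there, such as a `.netrc`, may be picked up by tools run as `soledad-admin` with that HOME). Giving the admin account its own home keeps the two roles apart, e.g. `home => '/var/lib/soledad-admin',` or `home => '/nonexistent', shell => '/usr/sbin/nologin',`. The class header should also say what `soledad-admin` is for; the commit message has it (reads the admin netrc to create per-user databases) but the manifest does not.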
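Review bot: `/etc/soledad/soledad-server.conf` is owned by `soledad` with mode `0640`, so the account the service presumably runs as can rewrite its own config, including the new `create_cmd` that is executed through sudo (see soledad-server.conf.erb in this commit). Root ownership with group read covers both readers: `owner => 'root',` with `group => 'soledad',` and `mode => '0640',` unchanged. The relaxed mode also lacks a why-comment; the commit message supplies one: `# 0640: soledad-admin (group soledad) must read this to reach couchdb from create-user-db`.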
@@ -1,3 +1,4 @@ [soledad-server] -couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %> - +couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %> +create_cmd = sudo -u soledad-admin /usr/bin/create-user-db +admin_netrc = /etc/couchdb/couchdb-soledad-admin.netrc -- cgit v1.2.3 From 276b77cdcc0d169b84e046afe8763e2c52ff76fb Mon Sep 17 00:00:00 2001 
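Review bot: `create_cmd = sudo -u soledad-admin /usr/bin/create-user-db` relies on a sudoers rule letting the service user run that command as `soledad-admin`, and nothing in this commit installs or references such a rule; if it ships with the soledad-server package or another manifest, say so in the template, otherwise the call fails at runtime or ends up depending on a broader rule than needed. The rule should name that one binary with no argument wildcard, and the template should carry a comment such as `# create_cmd runs through the sudoers entry soledad -> soledad-admin (provided by <PACKAGE-OR-MANIFEST>), limited to /usr/bin/create-user-db`. Note that `couch_url` still embeds `@couchdb_password` while `admin_netrc` points at a separate credential file, so this config is now one of two credential holders and both need the same care.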
From: varac Date: Mon, 5 Oct 2015 15:22:25 +0200 Subject: [feat] remove tapicero leftovers Soledad now creates user-dbs, which has been done by tapicero in the past. we need to remove any leftovers from tapicero. --- .../files/agent/logwatch/bigcouch.cfg | 2 +- .../files/agent/logwatch/tapicero.cfg | 11 -- .../site_check_mk/manifests/agent/tapicero.pp | 26 ---- puppet/modules/site_config/manifests/default.pp | 7 +- puppet/modules/site_config/manifests/remove.pp | 5 + .../modules/site_config/manifests/remove/files.pp | 74 +++++++++++ .../site_config/manifests/remove/tapicero.pp | 57 +++++++++ .../modules/site_config/manifests/remove_files.pp | 81 ------------ puppet/modules/site_couchdb/manifests/add_users.pp | 11 +- puppet/modules/site_couchdb/manifests/init.pp | 6 - puppet/modules/tapicero/files/tapicero.init | 60 --------- puppet/modules/tapicero/manifests/init.pp | 137 --------------------- .../modules/tapicero/templates/tapicero.yaml.erb | 52 -------- 13 files changed, 143 insertions(+), 386 deletions(-) delete mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg delete mode 100644 puppet/modules/site_check_mk/manifests/agent/tapicero.pp create mode 100644 puppet/modules/site_config/manifests/remove.pp create mode 100644 puppet/modules/site_config/manifests/remove/files.pp create mode 100644 puppet/modules/site_config/manifests/remove/tapicero.pp delete mode 100644 puppet/modules/site_config/manifests/remove_files.pp delete mode 100755 puppet/modules/tapicero/files/tapicero.init delete mode 100644 puppet/modules/tapicero/manifests/init.pp delete mode 100644 puppet/modules/tapicero/templates/tapicero.yaml.erb (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index 95ddd2ca..0f378a5a 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg 
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -6,7 +6,7 @@ I 127.0.0.1 localhost:5984 .* ok # https://leap.se/code/issues/5246 I Shutting down group server - # ignore bigcouch conflict errors, mainly coming from tapicero creating new users + # ignore bigcouch conflict errors I Error in process.*{{nocatch,conflict} # ignore "Uncaught error in HTTP request: {exit, normal}" error # it's suppressed in later versions of bigcouch anhow diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg deleted file mode 100644 index d98f5094..00000000 --- a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg +++ /dev/null @@ -1,11 +0,0 @@ -/var/log/leap/tapicero.log -# Ignore transient Tapicero errors when creating a db (#6511) - I tapicero.*(Creating database|Checking security of|Writing security to|Uploading design doc to) user-.* failed (\(trying again soon\)|(twice )?due to): (RestClient::ResourceNotFound|RestClient::InternalServerError): (404 Resource Not Found|500 Internal Server Error) - C tapicero.*RestClient::InternalServerError: -# possible race condition between multiple tapicero -# instances, so we ignore it -# see https://leap.se/code/issues/5168 - I tapicero.*RestClient::PreconditionFailed: - C tapicero.*Creating database.*failed due to: - C tapicero.*failed - W tapicero.*Couch stream ended unexpectedly. diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp deleted file mode 100644 index 8505b34a..00000000 --- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp +++ /dev/null 
@@ -1,26 +0,0 @@ -# sets up tapicero monitoring -class site_check_mk::agent::tapicero { - - include ::site_nagios::plugins - - # watch logs - file { '/etc/check_mk/logwatch.d/tapicero.cfg': - source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg', - } - - # local nagios plugin checks via mrpe - augeas { - 'Tapicero_Procs': - incl => '/etc/check_mk/mrpe.cfg', - lens => 'Spacevars.lns', - changes => [ - 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs', - "set Tapicero_Procs \"/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 --ereg-argument-array='^tapicero$'\"" ], - require => File['/etc/check_mk/mrpe.cfg']; - 'Tapicero_Heartbeat': - incl => '/etc/check_mk/mrpe.cfg', - lens => 'Spacevars.lns', - changes => 'set Tapicero_Heartbeat \'/usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/leap/tapicero.log -r "tapicero" -w 1200 -c 2400\'', - require => File['/etc/check_mk/mrpe.cfg']; - } -} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index e69e4b7b..6b10dc19 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -1,3 +1,4 @@ +# common things to set up on every node class site_config::default { tag 'leap_base' @@ -29,7 +30,7 @@ class site_config::default { # i.e. openstack/aws nodes, vagrant nodes # fix dhclient from changing resolver information - if $::dhcp_enabled == 'true' { + if $::dhcp_enabled == 'true' { include site_config::dhclient } @@ -58,7 +59,9 @@ class site_config::default { # set up core leap files and directories include site_config::files - include site_config::remove_files + + # remove leftovers from previous deploys + include site_config::remove if ! member($services, 'mx') { include site_postfix::satellite diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp new file mode 100644 index 00000000..00502c0a --- /dev/null 
+++ b/puppet/modules/site_config/manifests/remove.pp @@ -0,0 +1,5 @@ +# remove leftovers from previous deploys +class site_config::remove { + include site_config::remove::files + include site_config::remove::tapicero +} diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp new file mode 100644 index 00000000..feff7c05 --- /dev/null +++ b/puppet/modules/site_config/manifests/remove/files.pp 
@@ -0,0 +1,74 @@ +# +# Sometimes when we upgrade the platform, we need to ensure that files that +# the platform previously created will get removed. +# +# These file removals don't need to be kept forever: we only need to remove +# files that are present in the prior platform release. +# +# We can assume that the every node is upgraded from the previous platform +# release. +# + +class site_config::remove::files { + + # + # Platform 0.8 removals + # + + tidy { + '/etc/apache/sites-enabled/leap_webapp.conf': + notify => Service['apache']; + } + + + # + # Platform 0.7 removals + # + + tidy { + '/etc/rsyslog.d/99-tapicero.conf':; + '/etc/rsyslog.d/99-leap-mx.conf':; + '/etc/rsyslog.d/01-webapp.conf':; + '/etc/rsyslog.d/50-stunnel.conf':; + '/etc/logrotate.d/mx':; + '/etc/logrotate.d/stunnel':; + '/var/log/stunnel4/stunnel.log':; + 'leap_mx': + path => '/var/log/', + recurse => true, + matches => 'leap_mx*'; + '/srv/leap/webapp/public/provider.json':; + '/srv/leap/couchdb/designs/tmp_users': + recurse => true, + rmdirs => true; + '/etc/leap/soledad-server.conf':; + } + + # leax-mx logged to /var/log/leap_mx.log in the past + # we need to use a dumb exec here because file_line doesn't + # allow removing lines that match a regex in the current version + # of stdlib, see https://tickets.puppetlabs.com/browse/MODULES-1903 + exec { 'rm_old_leap_mx_log_destination': + command => "/bin/sed -i '/leap_mx.log/d' /etc/check_mk/logwatch.state", + onlyif => "/bin/grep -qe 'leap_mx.log' /etc/check_mk/logwatch.state" + } + + # Don't use check_mk logwatch to watch bigcouch logs anymore + # see https://leap.se/code/issues/7375 for more details + file { '/etc/check_mk/logwatch.d/bigcouch.cfg': + ensure => absent, + notify => [ + Exec['remove_bigcouch_logwatch_spoolfiles'], + Exec['remove_bigcouch_logwatch_stateline'] + ] + } + # remove leftover bigcouch logwatch spool files + exec { 'remove_bigcouch_logwatch_spoolfiles': + command => 'find /var/lib/check_mk/logwatch -name 
\'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -exec rm {} \;', + refreshonly => true, + } + exec { 'remove_bigcouch_logwatch_stateline': + command => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state", + refreshonly => true, + } +} diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp new file mode 100644 index 00000000..765f7428 --- /dev/null +++ b/puppet/modules/site_config/manifests/remove/tapicero.pp @@ -0,0 +1,57 @@ +# remove tapicero leftovers from previous deploys +class site_config::remove::tapicero { + + exec { 'kill_tapicero': + onlyif => '/usr/bin/test -s /var/run/tapicero.pid', + command => '/usr/bin/pkill --pidfile /var/run/tapicero.pid' + } + + user { 'tapicero': + ensure => absent; + } + + group { 'tapicero': + ensure => absent, + require => User['tapicero']; + } + + tidy { + '/srv/leap/tapicero': + recurse => true, + require => [ Exec['kill_tapicero'] ]; + '/var/lib/leap/tapicero': + require => [ Exec['kill_tapicero'] ]; + '/var/run/tapicero': + require => [ Exec['kill_tapicero'] ]; + '/etc/leap/tapicero.yaml': + require => [ Exec['kill_tapicero'] ]; + '/etc/init.d/tapicero': + require => [ Exec['kill_tapicero'] ]; + 'tapicero_logs': + path => '/var/log/leap', + recurse => true, + matches => 'tapicero*', + require => [ Exec['kill_tapicero'] ]; + '/etc/check_mk/logwatch.d/tapicero.cfg':; + 'checkmk_logwatch_spool': + path => '/var/lib/check_mk/logwatch', + recurse => true, + matches => '*tapicero.log', + require => [ Exec['kill_tapicero'] ]; + } + + # remove local nagios plugin checks via mrpe + augeas { + 'Tapicero_Procs': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs', + require => File['/etc/check_mk/mrpe.cfg']; + 'Tapicero_Heartbeat': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => 'rm Tapicero_Heartbeat', + require => File['/etc/check_mk/mrpe.cfg']; + } + +} 
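Review bot: The two bigcouch cleanup execs use unqualified commands — `command => 'find /var/lib/check_mk/logwatch ...'` and `command => "sed -i '/bigcouch.log/d' ..."` — with no `path` attribute, while `rm_old_leap_mx_log_destination` in the same class uses `/bin/sed` and `/bin/grep`; Puppet rejects an exec whose command is not fully qualified unless `path` is set or an `Exec { path => ... }` default exists elsewhere, so either qualify them (`/usr/bin/find`, `/bin/sed`) or add `path => ['/bin', '/usr/bin'],` to both. Separately, the tidy under "Platform 0.8 removals" notifies `Service['apache']` unconditionally from a class that `site_config::default` now includes on every node, whereas the deleted remove_files.pp also carried a `member($::services, 'webapp')`-guarded copy; the new file keeps only the unguarded one, and the final commit on this page (2b0386be) moves it into a webapp-only class, so this hunk is only sound once that lands. A comment on the tidy saying which role it applies to would make that dependency visible.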
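Review bot: `exec { 'kill_tapicero': command => '/usr/bin/pkill --pidfile /var/run/tapicero.pid' }` kills whatever PID the file names without checking that it is still tapicero; on a host where `/var/run` is not cleared at boot a stale pid file can point at an unrelated process, so add a pattern, presumably `command => '/usr/bin/pkill --pidfile /var/run/tapicero.pid -f tapicero'` (the deleted mrpe check matched the argument array `^tapicero$`, hence `-f`). `user { 'tapicero': ensure => absent }` has no `require => Exec['kill_tapicero']`, so its order relative to the kill is unspecified and userdel may run while the daemon still owns processes. Removing the manifest resources also leaves the tapicero CouchDB `_users` document (its `couchdb::add_user` is dropped from `site_couchdb::add_users` in this same commit) in place with a valid password; a removal step here, or a comment stating that it is revoked elsewhere, would close that credential.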
diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp deleted file mode 100644 index 07487d6a..00000000 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ /dev/null 
@@ -1,81 +0,0 @@ -# -# Sometimes when we upgrade the platform, we need to ensure that files that -# the platform previously created will get removed. -# -# These file removals don't need to be kept forever: we only need to remove -# files that are present in the prior platform release. -# -# We can assume that the every node is upgraded from the previous platform -# release. -# - -class site_config::remove_files { - - # - # Platform 0.8 removals - # - - tidy { - '/etc/apache/sites-enabled/leap_webapp.conf': - notify => Service['apache']; - } - - - # - # Platform 0.7 removals - # - - tidy { - '/etc/rsyslog.d/99-tapicero.conf':; - '/etc/rsyslog.d/99-leap-mx.conf':; - '/etc/rsyslog.d/01-webapp.conf':; - '/etc/rsyslog.d/50-stunnel.conf':; - '/etc/logrotate.d/mx':; - '/etc/logrotate.d/stunnel':; - '/var/log/stunnel4/stunnel.log':; - 'leap_mx': - path => '/var/log/', - recurse => true, - matches => 'leap_mx*'; - '/srv/leap/webapp/public/provider.json':; - '/srv/leap/couchdb/designs/tmp_users': - recurse => true, - rmdirs => true; - '/etc/leap/soledad-server.conf':; - } - - if member($::services, 'webapp') { - tidy { - '/etc/apache/sites-enabled/leap_webapp.conf': - notify => Service['apache']; - } - } - - # leax-mx logged to /var/log/leap_mx.log in the past - # we need to use a dumb exec here because file_line doesn't - # allow removing lines that match a regex in the current version - # of stdlib, see https://tickets.puppetlabs.com/browse/MODULES-1903 - exec { 'rm_old_leap_mx_log_destination': - command => "/bin/sed -i '/leap_mx.log/d' /etc/check_mk/logwatch.state", - onlyif => "/bin/grep -qe 'leap_mx.log' /etc/check_mk/logwatch.state" - } - - # Don't use check_mk logwatch to watch bigcouch logs anymore - # see https://leap.se/code/issues/7375 for more details - file { '/etc/check_mk/logwatch.d/bigcouch.cfg': - ensure => absent, - notify => [ - Exec['remove_bigcouch_logwatch_spoolfiles'], - Exec['remove_bigcouch_logwatch_stateline'] - ] - } - # remove leftover bigcouch 
logwatch spool files - exec { 'remove_bigcouch_logwatch_spoolfiles': - command => 'find /var/lib/check_mk/logwatch -name \'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -exec rm {} \;', - refreshonly => true, - } - exec { 'remove_bigcouch_logwatch_stateline': - command => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state", - refreshonly => true, - } -} diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index 2f734ed4..c905316b 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -1,3 +1,4 @@ +# add couchdb users for all services class site_couchdb::add_users { Class['site_couchdb::create_dbs'] @@ -35,16 +36,6 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } - ### tapicero couchdb user - ### admin: needs to be able to create user- databases - ### read: users - couchdb::add_user { $site_couchdb::couchdb_tapicero_user: - roles => '["users"]', - pw => $site_couchdb::couchdb_tapicero_pw, - salt => $site_couchdb::couchdb_tapicero_salt, - require => Couchdb::Query::Setup['localhost'] - } - ## webapp couchdb user ## read/write: users, tokens, sessions, tickets, identities, customer couchdb::add_user { $site_couchdb::couchdb_webapp_user: diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 6b6ddd3a..1ec15f00 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -26,11 +26,6 @@ class site_couchdb { $couchdb_soledad_pw = $couchdb_soledad['password'] $couchdb_soledad_salt = $couchdb_soledad['salt'] - $couchdb_tapicero = $couchdb_users['tapicero'] - $couchdb_tapicero_user = $couchdb_tapicero['username'] - $couchdb_tapicero_pw = $couchdb_tapicero['password'] - $couchdb_tapicero_salt = $couchdb_tapicero['salt'] - $couchdb_webapp = $couchdb_users['webapp'] $couchdb_webapp_user = $couchdb_webapp['username'] $couchdb_webapp_pw = $couchdb_webapp['password'] @@ -66,6 +61,5 @@ class site_couchdb { if $couchdb_backup { include site_couchdb::backup } include site_check_mk::agent::couchdb - include site_check_mk::agent::tapicero } diff --git a/puppet/modules/tapicero/files/tapicero.init b/puppet/modules/tapicero/files/tapicero.init deleted file mode 100755 index 7a9af45f..00000000 --- a/puppet/modules/tapicero/files/tapicero.init +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/bin/sh - -### BEGIN INIT INFO -# Provides: tapicero -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: tapicero initscript -# Description: Controls tapicero daemon -### END INIT INFO - -PATH=/sbin:/usr/sbin:/bin:/usr/bin -BUNDLER=/usr/bin/bundle -NAME=tapicero -HOME="/srv/leap" -DAEMON="${HOME}/${NAME}/bin/${NAME}" -BUNDLE_GEMFILE="${HOME}/${NAME}/Gemfile" - -export BUNDLE_GEMFILE - -# exit if the daemon doesn't exist -[ -x "$DAEMON" ] || exit 0 - -. /lib/init/vars.sh -. /lib/lsb/init-functions - -if [ "$VERBOSE" != no ]; then - OPTIONS="--verbose" -else - OPTIONS="" -fi - -case "$1" in - start) - $BUNDLER exec $DAEMON start $OPTIONS - exit $? - ;; - stop) - $BUNDLER exec $DAEMON stop $OPTIONS - exit $? - ;; - restart) - $BUNDLER exec $DAEMON restart $OPTIONS - exit $? - ;; - reload) - $BUNDLER exec $DAEMON reload $OPTIONS - exit $? - ;; - status) - $BUNDLER exec $DAEMON status $OPTIONS - exit $? - ;; - *) - echo "Usage: /etc/init.d/$NAME {start|stop|reload|restart|status}" - exit 1 -esac - -exit 0 diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp deleted file mode 100644 index ca8488c8..00000000 --- a/puppet/modules/tapicero/manifests/init.pp +++ /dev/null 
@@ -1,137 +0,0 @@ -class tapicero { - tag 'leap_service' - - $couchdb = hiera('couch') - $couchdb_port = $couchdb['port'] - - $couchdb_users = $couchdb['users'] - - $couchdb_admin_user = $couchdb_users['admin']['username'] - $couchdb_admin_password = $couchdb_users['admin']['password'] - - $couchdb_soledad_user = $couchdb_users['soledad']['username'] - $couchdb_leap_mx_user = $couchdb_users['leap_mx']['username'] - - $couchdb_mode = $couchdb['mode'] - $couchdb_replication = $couchdb['replication'] - - $sources = hiera('sources') - - Class['site_config::default'] -> Class['tapicero'] - - include site_config::ruby::dev - - # - # USER AND GROUP - # - - group { 'tapicero': - ensure => present, - allowdupe => false; - } - - user { 'tapicero': - ensure => present, - allowdupe => false, - gid => 'tapicero', - home => '/srv/leap/tapicero', - require => Group['tapicero']; - } - - # - # TAPICERO FILES - # - - file { - - # - # TAPICERO DIRECTORIES - # - - '/srv/leap/tapicero': - ensure => directory, - owner => 'tapicero', - group => 'tapicero', - require => User['tapicero']; - - '/var/lib/leap/tapicero': - ensure => directory, - owner => 'tapicero', - group => 'tapicero', - require => User['tapicero']; - - # for pid file - '/var/run/tapicero': - ensure => directory, - owner => 'tapicero', - group => 'tapicero', - require => User['tapicero']; - - # - # TAPICERO CONFIG - # - - '/etc/leap/tapicero.yaml': - content => template('tapicero/tapicero.yaml.erb'), - owner => 'tapicero', - group => 'tapicero', - mode => '0600', - notify => Service['tapicero']; - - # - # TAPICERO INIT - # - - '/etc/init.d/tapicero': - source => 'puppet:///modules/tapicero/tapicero.init', - owner => root, - group => 0, - mode => '0755', - require => Vcsrepo['/srv/leap/tapicero']; - } - - # - # TAPICERO CODE - # - - vcsrepo { '/srv/leap/tapicero': - ensure => present, - force => true, - revision => $sources['tapicero']['revision'], - provider => $sources['tapicero']['type'], - source => 
$sources['tapicero']['source'], - owner => 'tapicero', - group => 'tapicero', - require => [ User['tapicero'], Group['tapicero'] ], - notify => Exec['tapicero_bundler_update'] - } - - exec { 'tapicero_bundler_update': - cwd => '/srv/leap/tapicero', - command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"', - unless => '/usr/bin/bundle check', - user => 'tapicero', - timeout => 600, - require => [ - Class['bundler::install'], - Vcsrepo['/srv/leap/tapicero'], - Class['site_config::ruby::dev'] ], - notify => Service['tapicero']; - } - - # - # TAPICERO DAEMON - # - - service { 'tapicero': - ensure => running, - enable => true, - hasstatus => false, - hasrestart => true, - require => [ File['/etc/init.d/tapicero'], - File['/var/run/tapicero'], - Couchdb::Add_user[$::site_couchdb::couchdb_tapicero_user] ]; - } - - leap::logfile { 'tapicero': } -} diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb deleted file mode 100644 index 8b08b49c..00000000 --- a/puppet/modules/tapicero/templates/tapicero.yaml.erb +++ /dev/null 
@@ -1,52 +0,0 @@ -<%- require 'json' -%> - -# -# Default configuration options for Tapicero -# - -# couch connection configuration -connection: - protocol: "http" - host: "localhost" - port: <%= @couchdb_port %> - username: <%= @couchdb_admin_user %> - password: <%= @couchdb_admin_password %> - prefix : "" - suffix : "" - netrc: "/etc/couchdb/couchdb.netrc" - -# file to store the last processed user record in so we can resume after -# a restart: -seq_dir: "/var/lib/leap/tapicero/" - -# Configure log_file like this if you want to log to a file instead of syslog: -#log_file: "/var/log/leap/tapicero.log" -#log_level: debug -log_level: info - -# tapicero specific options -options: - # prefix for per user databases: - db_prefix: "user-" - mode: <%= @couchdb_mode %> -<%- if @couchdb_replication %> - replication: <%= @couchdb_replication.to_json %> -<%- end -%> - - # security settings to be used for the per user databases - security: - admins: - names: - # We explicitly allow the admin user to access per user databases, even - # though admin access ignores per database security we just do this to be - # explicit about this - - <%= @couchdb_admin_user %> - roles: [] - members: - names: - - <%= @couchdb_soledad_user %> - - <%= @couchdb_leap_mx_user %> - roles: - - replication - - -- cgit v1.2.3 From b1e50fc76ddece9944ae253da9bacd485ffea84b Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 6 Oct 2015 13:23:56 +0200 Subject: [feat] Remove tapicero from more places Remove from: - platform white-box tests (couchdb user ACLs, tapicero daemon test) - provider_base/ dir that handles the compilation of the hiera config file - Resolves: #7501 --- puppet/modules/site_config/manifests/remove/tapicero.pp | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp index 765f7428..497cf8b2 100644 
--- a/puppet/modules/site_config/manifests/remove/tapicero.pp +++ b/puppet/modules/site_config/manifests/remove/tapicero.pp @@ -32,12 +32,14 @@ class site_config::remove::tapicero { recurse => true, matches => 'tapicero*', require => [ Exec['kill_tapicero'] ]; - '/etc/check_mk/logwatch.d/tapicero.cfg':; + '/etc/check_mk/logwatch.d/tapicero.cfg': + notify => Exec['check_mk-refresh']; 'checkmk_logwatch_spool': path => '/var/lib/check_mk/logwatch', recurse => true, matches => '*tapicero.log', - require => [ Exec['kill_tapicero'] ]; + require => Exec['kill_tapicero'], + notify => Exec['check_mk-refresh']; } # remove local nagios plugin checks via mrpe @@ -46,12 +48,14 @@ class site_config::remove::tapicero { incl => '/etc/check_mk/mrpe.cfg', lens => 'Spacevars.lns', changes => 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs', - require => File['/etc/check_mk/mrpe.cfg']; + require => File['/etc/check_mk/mrpe.cfg'], + notify => Exec['check_mk-refresh']; 'Tapicero_Heartbeat': incl => '/etc/check_mk/mrpe.cfg', lens => 'Spacevars.lns', changes => 'rm Tapicero_Heartbeat', - require => File['/etc/check_mk/mrpe.cfg']; + require => File['/etc/check_mk/mrpe.cfg'], + notify => Exec['check_mk-refresh']; } } -- cgit v1.2.3 From 2b0386bee6525dda705152031d7125bc30b65269 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 7 Oct 2015 10:57:24 +0200 Subject: [bug] Fix removal of webapp apache config file Done by including a service-dependend site_config::remove::webapp class. --- puppet/modules/site_config/manifests/remove/files.pp | 17 ----------------- puppet/modules/site_config/manifests/remove/webapp.pp | 7 +++++++ puppet/modules/site_webapp/manifests/init.pp | 4 ++++ 3 files changed, 11 insertions(+), 17 deletions(-) create mode 100644 puppet/modules/site_config/manifests/remove/webapp.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 66647d31..466f50c8 100644 
--- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp @@ -11,16 +11,6 @@ class site_config::remove::files { - # - # Platform 0.8 removals - # - - tidy { - '/etc/apache/sites-enabled/leap_webapp.conf': - notify => Service['apache']; - } - - # # Platform 0.7 removals # @@ -44,13 +34,6 @@ class site_config::remove::files { '/etc/leap/soledad-server.conf':; } - if member($::services, 'webapp') { - tidy { - '/etc/apache/sites-enabled/leap_webapp.conf': - notify => Service['apache']; - } - } - # leax-mx logged to /var/log/leap_mx.log in the past # we need to use a dumb exec here because file_line doesn't # allow removing lines that match a regex in the current version diff --git a/puppet/modules/site_config/manifests/remove/webapp.pp b/puppet/modules/site_config/manifests/remove/webapp.pp new file mode 100644 index 00000000..58f59815 --- /dev/null +++ b/puppet/modules/site_config/manifests/remove/webapp.pp @@ -0,0 +1,7 @@ +# remove leftovers on webapp nodes +class site_config::remove::webapp { + tidy { + '/etc/apache/sites-enabled/leap_webapp.conf': + notify => Service['apache']; + } +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ec94c090..d046b7df 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -1,3 +1,4 @@ +# configure webapp service class site_webapp { tag 'leap_service' $definition_files = hiera('definition_files') @@ -26,6 +27,9 @@ class site_webapp { include site_config::x509::client_ca::ca include site_config::x509::client_ca::key + # remove leftovers from previous installations on webapp nodes + include site_config::remove::webapp + group { 'leap-webapp': ensure => present, allowdupe => false; -- cgit v1.2.3 From 89f609c97e43b06403706b81caf7a1c3e116bdf8 Mon Sep 17 00:00:00 2001 
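Review bot: The tidy path in the new `site_config::remove::webapp` class, `/etc/apache/sites-enabled/leap_webapp.conf`, does not match the Debian apache2 layout (`/etc/apache2/sites-enabled/`), so on the platform's Debian hosts the leftover is presumably never found and the resource is a silent no-op; worth confirming which path the old vhost was actually written to before relying on this cleanup. If `/etc/apache2/` is the real location the title becomes `'/etc/apache2/sites-enabled/leap_webapp.conf':`. The path is carried over unchanged from the two blocks removed from remove/files.pp, so this is pre-existing rather than introduced by the move, but the move is the moment to check it.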
From: varac Date: Wed, 7 Oct 2015 11:17:11 +0200 Subject: [bug] Fix missing dependency (tapicero leftovers) We need to remove local check-mk-agent checks on the tapicero nodes, and want to notify the monitoring server to re-inventarize the local checks. This doesn't work when both services run on different hosts, it will fail with: Could not find dependent Exec[check_mk-refresh] for Tidy[checkmk_logwatch_spool] So i remove the notifies, because we will re-inventarize of local checks by a daily cronjob anyway, see #6873. ... - Resolves: #XYZ - Related: #XYZ - Documentation: #XYZ - Releases: XYZ --- puppet/modules/site_config/manifests/remove/tapicero.pp | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp index 497cf8b2..edb4e393 100644 --- a/puppet/modules/site_config/manifests/remove/tapicero.pp +++ b/puppet/modules/site_config/manifests/remove/tapicero.pp @@ -32,14 +32,12 @@ class site_config::remove::tapicero { recurse => true, matches => 'tapicero*', require => [ Exec['kill_tapicero'] ]; - '/etc/check_mk/logwatch.d/tapicero.cfg': - notify => Exec['check_mk-refresh']; + '/etc/check_mk/logwatch.d/tapicero.cfg':; 'checkmk_logwatch_spool': path => '/var/lib/check_mk/logwatch', recurse => true, matches => '*tapicero.log', require => Exec['kill_tapicero'], - notify => Exec['check_mk-refresh']; } # remove local nagios plugin checks via mrpe 
@@ -48,14 +46,12 @@ class site_config::remove::tapicero { incl => '/etc/check_mk/mrpe.cfg', lens => 'Spacevars.lns', changes => 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs', - require => File['/etc/check_mk/mrpe.cfg'], - notify => Exec['check_mk-refresh']; + require => File['/etc/check_mk/mrpe.cfg']; 'Tapicero_Heartbeat': incl => '/etc/check_mk/mrpe.cfg', lens => 'Spacevars.lns', changes => 'rm Tapicero_Heartbeat', - require => File['/etc/check_mk/mrpe.cfg'], - notify => Exec['check_mk-refresh']; + require => File['/etc/check_mk/mrpe.cfg']; } } -- cgit v1.2.3 From b748aeffbdd72d50a7665b9c21c96a9750a840c0 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 8 Oct 2015 14:30:56 +0200 Subject: Update submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 3c20a316..1f583d9c 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 3c20a3169e77e5a5f9abc06788c3a7730d5530ca +Subproject commit 1f583d9c9157390850a7737630f60832ced82374 -- cgit v1.2.3 From 33b9876af4af85504107aae20feb57aaab5a17ad Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 11 Oct 2015 20:36:07 -0700 Subject: russian text requires amber 0.3.8 --- puppet/modules/site_static/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index f69ffba7..8df53075 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -44,7 +44,7 @@ class site_static { } if (member($formats, 'amber')) { - rubygems::gem{'amber-0.3.7': + rubygems::gem{'amber-0.3.8': require => Package['zlib1g-dev'] } -- cgit v1.2.3 From 19e5d23e3fe34199265117e033acfabc3cff9109 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 12 Oct 2015 16:30:58 +0200 Subject: [feat] Remove tapicero couchdb user - Resolves: #7514 --- puppet/modules/site_config/manifests/remove.pp | 1 - .../site_config/manifests/remove/monitoring.pp | 10 +++++++++ .../site_config/manifests/remove/tapicero.pp | 24 ++++++++++++++++------ puppet/modules/site_couchdb/manifests/init.pp | 3 +++ puppet/modules/site_nagios/manifests/init.pp | 4 ++++ 5 files changed, 35 insertions(+), 7 deletions(-) create mode 100644 puppet/modules/site_config/manifests/remove/monitoring.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp index 00502c0a..b1ad1a2b 100644 --- a/puppet/modules/site_config/manifests/remove.pp +++ b/puppet/modules/site_config/manifests/remove.pp @@ -1,5 +1,4 @@ # remove leftovers from previous deploys class site_config::remove { include site_config::remove::files - include site_config::remove::tapicero } diff --git a/puppet/modules/site_config/manifests/remove/monitoring.pp b/puppet/modules/site_config/manifests/remove/monitoring.pp new file mode 100644 index 00000000..d7095597 --- /dev/null +++ b/puppet/modules/site_config/manifests/remove/monitoring.pp @@ -0,0 +1,10 @@ +# remove leftovers on monitoring nodes +class site_config::remove::monitoring { + + tidy { + 'checkmk_logwatch_spool': + path => '/var/lib/check_mk/logwatch', + recurse => true, + matches => '*tapicero.log' + } +} diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp index edb4e393..4ce972d0 100644 --- a/puppet/modules/site_config/manifests/remove/tapicero.pp +++ b/puppet/modules/site_config/manifests/remove/tapicero.pp 
@@ -1,6 +1,23 @@ -# remove tapicero leftovers from previous deploys +# remove tapicero leftovers from previous deploys on couchdb nodes class site_config::remove::tapicero { + # remove tapicero couchdb user + $couchdb_config = hiera('couch') + $couchdb_mode = $couchdb_config['mode'] + + if $couchdb_mode == 'multimaster' + { + $port = 5986 + } else { + $port = 5984 + } + + exec { 'remove_couchdb_user': + onlyif => "/usr/bin/curl -s 127.0.0.1:${port}/_users/org.couchdb.user:tapicero | grep -qv 'not_found'", + command => "/usr/local/bin/couch-doc-update --host 127.0.0.1:${port} --db _users --id org.couchdb.user:tapicero --delete" + } + + exec { 'kill_tapicero': onlyif => '/usr/bin/test -s /var/run/tapicero.pid', command => '/usr/bin/pkill --pidfile /var/run/tapicero.pid' @@ -33,11 +50,6 @@ class site_config::remove::tapicero { matches => 'tapicero*', require => [ Exec['kill_tapicero'] ]; '/etc/check_mk/logwatch.d/tapicero.cfg':; - 'checkmk_logwatch_spool': - path => '/var/lib/check_mk/logwatch', - recurse => true, - matches => '*tapicero.log', - require => Exec['kill_tapicero'], } # remove local nagios plugin checks via mrpe diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 1ec15f00..61aa887e 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -62,4 +62,7 @@ class site_couchdb { include site_check_mk::agent::couchdb + # remove tapicero leftovers on couchdb nodes + include site_config::remove::tapicero + } diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp index eb08cdcb..40ae4b86 100644 --- a/puppet/modules/site_nagios/manifests/init.pp +++ b/puppet/modules/site_nagios/manifests/init.pp 
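Review bot: The `onlyif` guard on `remove_couchdb_user` is inverted in a way that can fire on every agent run: `grep -qv 'not_found'` succeeds whenever curl prints any line that lacks that string, which includes an `unauthorized` or other error JSON body, a curl connection-refused message, or any non-document response, so `couch-doc-update --delete` is attempted again and again. Testing positively for the document is safer, e.g. `onlyif => "/usr/bin/curl -sf 127.0.0.1:${port}/_users/org.couchdb.user:tapicero | grep -q '\"_rev\"'"`, so the delete only runs when the user document demonstrably exists. If reading `_users` on this node requires admin credentials (the deleted tapicero config pointed at `/etc/couchdb/couchdb.netrc`), the curl also needs `--netrc-file` or similar, otherwise a positive check never matches and the user is never removed. The exec also carries no `require` on the couchdb service or on `/usr/local/bin/couch-doc-update`, so its ordering relative to their installation is left to chance.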
@@ -1,6 +1,10 @@ +# setup nagios on monitoring node class site_nagios { tag 'leap_service' Class['site_config::default'] -> Class['site_nagios'] include site_nagios::server + + # remove leftovers on monitoring nodes + include site_config::remove::monitoring } -- cgit v1.2.3 From d6b521372243b79105a1513d4559572dfab6db54 Mon Sep 17 00:00:00 2001 
From: Micah Date: Tue, 22 Sep 2015 15:04:33 -0400 Subject: add clamav filtering, with sanesecurity signature updating and provider whitelisting (#3625) Change-Id: I15985ca00ee95bc62855f098a78e364ebbc32616 --- puppet/modules/clamav/files/01-leap.conf | 58 +++++++++++++++ puppet/modules/clamav/files/clamav-daemon_default | 8 ++ puppet/modules/clamav/files/clamav-milter_default | 14 ++++ puppet/modules/clamav/manifests/daemon.pp | 86 ++++++++++++++++++++++ puppet/modules/clamav/manifests/freshclam.pp | 21 ++++++ puppet/modules/clamav/manifests/init.pp | 8 ++ puppet/modules/clamav/manifests/milter.pp | 48 ++++++++++++ puppet/modules/clamav/manifests/unofficial_sigs.pp | 22 ++++++ .../clamav/templates/clamav-milter.conf.erb | 28 +++++++ puppet/modules/clamav/templates/local.pdb.erb | 1 + .../clamav/templates/whitelisted_addresses.erb | 5 ++ puppet/modules/site_postfix/manifests/mx.pp | 5 ++ 12 files changed, 304 insertions(+) create mode 100644 puppet/modules/clamav/files/01-leap.conf create mode 100644 puppet/modules/clamav/files/clamav-daemon_default create mode 100644 puppet/modules/clamav/files/clamav-milter_default create mode 100644 puppet/modules/clamav/manifests/daemon.pp create mode 100644 puppet/modules/clamav/manifests/freshclam.pp create mode 100644 puppet/modules/clamav/manifests/init.pp create mode 100644 puppet/modules/clamav/manifests/milter.pp create mode 100644 puppet/modules/clamav/manifests/unofficial_sigs.pp create mode 100644 puppet/modules/clamav/templates/clamav-milter.conf.erb create mode 100644 puppet/modules/clamav/templates/local.pdb.erb create mode 100644 puppet/modules/clamav/templates/whitelisted_addresses.erb (limited to 'puppet/modules') diff --git a/puppet/modules/clamav/files/01-leap.conf b/puppet/modules/clamav/files/01-leap.conf new file mode 100644 index 00000000..abeeb302 --- /dev/null +++ b/puppet/modules/clamav/files/01-leap.conf 
@@ -0,0 +1,58 @@ +# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and +# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module +# are installed on the system, and you want to report whether clamd +# is running or not, uncomment the "clamd_socket" variable below (you +# will be warned if neither socat nor IO::Socket::UNIX are found, but +# the script will still run). You will also need to set the correct +# path to your clamd socket file (if unsure of the path, check the +# "LocalSocket" setting in your clamd.conf file for socket location). +clamd_socket="/run/clamav/clamd.ctl" + +# If you would like to attempt to restart ClamD if detected not running, +# uncomment the next 2 lines. Confirm the path to the "clamd_lock" file +# (usually can be found in the clamd init script) and also enter the clamd +# start command for your particular distro for the "start_clamd" variable +# (the sample start command shown below should work for most linux distros). +# NOTE: these 2 variables are dependant on the "clamd_socket" variable +# shown above - if not enabled, then the following 2 variables will be +# ignored, whether enabled or not. +clamd_lock="/run/clamav/clamd.pid" +start_clamd="service clamav-daemon start" + +ss_dbs=" + junk.ndb + phish.ndb + rogue.hdb + sanesecurity.ftm + scam.ndb + sigwhitelist.ign2 + spamattach.hdb + spamimg.hdb + winnow.attachments.hdb + winnow_bad_cw.hdb + winnow_extended_malware.hdb + winnow_malware.hdb + winnow_malware_links.ndb + malwarehash.hsb + doppelstern.hdb + bofhland_cracked_URL.ndb + bofhland_malware_attach.hdb + bofhland_malware_URL.ndb + bofhland_phishing_URL.ndb + crdfam.clamav.hdb + phishtank.ndb + porcupine.ndb + spear.ndb + spearl.ndb +" + +# ======================== +# SecuriteInfo Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable any SecuriteInfo database downloads, remove the appropriate +# lines below. 
To disable all SecuriteInfo database file downloads, +# comment all of the following lines. +si_dbs="" + +mbl_dbs="" \ No newline at end of file diff --git a/puppet/modules/clamav/files/clamav-daemon_default b/puppet/modules/clamav/files/clamav-daemon_default new file mode 100644 index 00000000..b4cd6a4f --- /dev/null +++ b/puppet/modules/clamav/files/clamav-daemon_default @@ -0,0 +1,8 @@ +# This is a file designed only t0 set special environment variables +# eg TMP or TMPDIR. It is sourced from a shell script, so anything +# put in here must be in variable=value format, suitable for sourcing +# from a shell script. +# Examples: +# export TMPDIR=/dev/shm +export TMP=/var/tmp +export TMPDIR=/var/tmp diff --git a/puppet/modules/clamav/files/clamav-milter_default b/puppet/modules/clamav/files/clamav-milter_default new file mode 100644 index 00000000..5e33e822 --- /dev/null +++ b/puppet/modules/clamav/files/clamav-milter_default @@ -0,0 +1,14 @@ +# +# clamav-milter init options +# + +## SOCKET_RWGROUP +# by default, the socket created by the milter has permissions +# clamav:clamav:755. SOCKET_RWGROUP changes the group and changes the +# permissions to 775 to give read-write access to that group. +# +# If you are using postfix to speak to the milter, you have to give permission +# to the postfix group to write +# +SOCKET_RWGROUP=postfix +export TMPDIR=/var/tmp diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp new file mode 100644 index 00000000..9aebf9b0 --- /dev/null +++ b/puppet/modules/clamav/manifests/daemon.pp 
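Review bot: The `ss_dbs` list enables a broad set of third-party signature databases (`phishtank.ndb`, `porcupine.ndb`, `spear.ndb`, `spearl.ndb`, the `winnow_*` and `bofhland_*` sets) with no comment on how they were chosen; SaneSecurity publishes a false-positive rating per database, and because the milter added in this commit rejects on any hit, every false positive here becomes a hard reject of legitimate mail, so the selection deserves a comment such as `# chosen for low false-positive rating per sanesecurity.com; re-check ratings before adding databases` and a check against the current ratings. The `clamd_lock`/`start_clamd` settings let the signature-update cron job restart clamd on its own whenever the socket is missing, which is worth stating explicitly next to them since the upstream comment only explains how to enable it. The file also ends without a trailing newline, harmless for a sourced shell fragment but something some tooling complains about.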
@@ -0,0 +1,86 @@ +class clamav::daemon { + + $domain_hash = hiera('domain') + $domain = $domain_hash['full_suffix'] + + package { [ 'clamav-daemon', 'arj' ]: + ensure => installed; + } + + service { + 'clamav-daemon': + ensure => running, + name => clamav-daemon, + pattern => '/usr/sbin/clamd', + enable => true, + hasrestart => true, + subscribe => File['/etc/default/clamav-daemon']; + } + + file { + '/var/run/clamav': + ensure => directory, + mode => '0750', + owner => clamav, + group => postfix; + + '/var/lib/clamav': + mode => '0755', + owner => clamav, + group => clamav; + + '/etc/default/clamav-daemon': + source => 'puppet:///modules/clamav/clamav-daemon_default', + mode => '0644', + owner => root, + group => root; + + # this file contains additional domains that we want the clamav + # phishing process to look for (our domain) + '/var/lib/clamav/local.pdb': + content => template('clamav/local.pdb.erb'), + mode => '0644', + owner => clamav, + group => clamav; + } + + file_line { + 'clamav_daemon_tmp': + path => '/etc/clamav/clamd.conf', + line => 'TemporaryDirectory /var/tmp', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'enable_phishscanurls': + path => '/etc/clamav/clamd.conf', + match => 'PhishingScanURLs no', + line => 'PhishingScanURLs yes', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'clamav_LogSyslog_true': + path => '/etc/clamav/clamd.conf', + match => '^LogSyslog false', + line => 'LogSyslog true', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'clamav_MaxThreads': + path => '/etc/clamav/clamd.conf', + match => 'MaxThreads 20', + line => 'MaxThreads 100', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + } + + # remove LogFile line + file_line { + 'clamav_LogFile': + path => '/etc/clamav/clamd.conf', + match => '^LogFile .*', + line => '', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + } 
+ +} diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp new file mode 100644 index 00000000..b9827ede --- /dev/null +++ b/puppet/modules/clamav/manifests/freshclam.pp @@ -0,0 +1,21 @@ +class clamav::freshclam { + + package { 'clamav-freshclam': ensure => installed } + + service { + 'freshclam': + ensure => running, + enable => true, + name => clamav-freshclam, + pattern => '/usr/bin/freshclam', + hasrestart => true; + } + + file_line { + 'freshclam_notify': + path => '/etc/clamav/freshclam.conf', + line => 'NotifyClamd /etc/clamav/clamd.conf', + notify => Service[freshclam]; + } + +} diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp new file mode 100644 index 00000000..fa7b553c --- /dev/null +++ b/puppet/modules/clamav/manifests/init.pp @@ -0,0 +1,8 @@ +class clamav { + + include clamav::daemon + include clamav::milter + include clamav::sanesecurity + include clamav::freshclam + +} diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp new file mode 100644 index 00000000..52ddaef1 --- /dev/null +++ b/puppet/modules/clamav/manifests/milter.pp 
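Review bot: The `file_line` resources that use `match` (`enable_phishscanurls`, `clamav_MaxThreads`) append `line` whenever the pattern is absent, so if the packaged clamd.conf carries anything other than the literal `PhishingScanURLs no` / `MaxThreads 20` (a different shipped default, or an already-edited file) the directive ends up twice and clamd presumably either rejects the duplicate or silently takes one of them; anchoring on the option name, `match => '^PhishingScanURLs '` and `match => '^MaxThreads '`, makes each resource replace whatever value is present, as `clamav_LogSyslog_true` already does. The `clamav_LogFile` resource with `line => ''` leaves a blank line where `LogFile` was, which works but reads oddly without the comment `# drop LogFile: clamd logs to syslog (LogSyslog true) instead`. `/var/lib/clamav/local.pdb` is written but nothing notifies clamd when it changes, so a new domain entry is only picked up at the next database reload — confirm that clamd's self-check covers it, or add `notify => Service['clamav-daemon']`.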
@@ -0,0 +1,48 @@ +class clamav::milter { + + $clamav = hiera('clamav') + $whitelisted_addresses = $clamav['whitelisted_addresses'] + $domain_hash = hiera('domain') + $domain = $domain_hash['full_suffix'] + + package { 'clamav-milter': ensure => installed } + + service { + 'clamav-milter': + ensure => running, + enable => true, + name => clamav-milter, + pattern => '/usr/sbin/clamav-milter', + hasrestart => true, + subscribe => File['/etc/default/clamav-milter']; + } + + file { + '/run/clamav/milter.ctl': + mode => '0666', + owner => clamav, + group => postfix, + require => Class['clamav::daemon']; + + '/etc/clamav/clamav-milter.conf': + content => template('clamav/clamav-milter.conf.erb'), + mode => '0644', + owner => root, + group => root, + subscribe => Service['clamav-milter']; + + '/etc/default/clamav-milter': + source => 'puppet:///modules/clamav/clamav-milter_default', + mode => '0644', + owner => root, + group => root; + + '/etc/clamav/whitelisted_addresses': + content => template('clamav/whitelisted_addresses.erb'), + mode => '0644', + owner => root, + group => root; + + } + +} diff --git a/puppet/modules/clamav/manifests/unofficial_sigs.pp b/puppet/modules/clamav/manifests/unofficial_sigs.pp new file mode 100644 index 00000000..316154d3 --- /dev/null +++ b/puppet/modules/clamav/manifests/unofficial_sigs.pp @@ -0,0 +1,22 @@ +class clamav::unofficial_sigs { + + package { [ 'clamav-unofficial-sigs', 'wget', 'gnupg', + 'socat', 'rsync', 'curl' ]: + ensure => installed + } + + file { + '/var/log/clamav-unofficial-sigs.log': + ensure => file, + owner => clamav, + group => clamav, + require => Package['clamav-unofficial-sigs']; + + '/etc/clamav-unofficial-sigs.conf.d/01-leap.conf': + source => 'puppet:///modules/clamav/01-leap.conf', + mode => '0755', + owner => root, + group => root, + require => Package['clamav-unofficial-sigs']; + } +} 
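Review bot: `/etc/clamav/clamav-milter.conf` is declared with `subscribe => Service['clamav-milter']`, which is the relationship backwards: the file is refreshed by the service instead of the service restarting when the template changes, so config edits only take effect after a manual restart; it should read `notify => Service['clamav-milter']`. The `file` resource on `/run/clamav/milter.ctl` with `mode => '0666'` and no `ensure` is fragile as well: if the socket does not exist when Puppet runs, Puppet creates a regular file at that path, and `FixStaleSocket` presumably removes only a stale socket rather than a plain file, so the milter can then fail to bind; managing the parent directory (`/var/run/clamav` is already `clamav:postfix` in the daemon class) and leaving the socket itself to the daemon avoids both the race and the world-writable socket. `$clamav['whitelisted_addresses']` is also written out without any validation of its contents, which matters because the template treats each entry as a pattern.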
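Review bot: `/etc/clamav-unofficial-sigs.conf.d/01-leap.conf` is installed with `mode => '0755'`, but it is a configuration fragment that the sigs script sources, not a program, so the executable bits are unnecessary and misleading; `mode => '0644'` is the conventional mode for a root-owned config file. The log file `/var/log/clamav-unofficial-sigs.log` sets owner and group but no `mode`, so its readability to other users is whatever Puppet's default happens to be; an explicit `mode => '0640'` records the intent. The package list pulls in `wget`, `gnupg`, `socat`, `rsync` and `curl` without saying why; a one-line comment naming them as the download and signature-verification tools the sigs script shells out to would help the next reader decide whether they are still needed.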
diff --git a/puppet/modules/clamav/templates/clamav-milter.conf.erb b/puppet/modules/clamav/templates/clamav-milter.conf.erb new file mode 100644 index 00000000..9bf7099e --- /dev/null +++ b/puppet/modules/clamav/templates/clamav-milter.conf.erb @@ -0,0 +1,28 @@ +# THIS FILE MANAGED BY PUPPET +MilterSocket /var/run/clamav/milter.ctl +FixStaleSocket true +User clamav +MilterSocketGroup clamav +MilterSocketMode 666 +AllowSupplementaryGroups true +ReadTimeout 120 +Foreground false +PidFile /var/run/clamav/clamav-milter.pid +ClamdSocket unix:/var/run/clamav/clamd.ctl +OnClean Accept +OnInfected Reject +OnFail Defer +AddHeader Replace +LogSyslog true +LogFacility LOG_LOCAL6 +LogVerbose yes +LogInfected Basic +LogTime true +LogFileUnlock false +LogClean Off +LogRotate true +SupportMultipleRecipients false +MaxFileSize 10M +TemporaryDirectory /var/tmp +RejectMsg "Message refused due to content violation: %v - contact https://<%= @domain %>/tickets/new if this is in error" +Whitelist /etc/clamav/whitelisted_addresses diff --git a/puppet/modules/clamav/templates/local.pdb.erb b/puppet/modules/clamav/templates/local.pdb.erb new file mode 100644 index 00000000..9ea0584a --- /dev/null +++ b/puppet/modules/clamav/templates/local.pdb.erb @@ -0,0 +1 @@ +H:<%= @domain %> diff --git a/puppet/modules/clamav/templates/whitelisted_addresses.erb b/puppet/modules/clamav/templates/whitelisted_addresses.erb new file mode 100644 index 00000000..9e068ec5 --- /dev/null +++ b/puppet/modules/clamav/templates/whitelisted_addresses.erb @@ -0,0 +1,5 @@ +<%- if @whitelisted_addresses then -%> +<% @whitelisted_addresses.each do |name| -%> +From::<%= name %> +<% end -%> +<% end -%> diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 42313d1a..f0a2554a 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
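Review bot: `MilterSocketMode 666` makes the milter's unix socket world-writable, so any local account can connect and speak the milter protocol to it; since Postfix is the only intended client and the defaults file already grants the `postfix` group, `MilterSocketGroup postfix` with `MilterSocketMode 660` gives the same access with a far smaller surface. `MilterSocketGroup clamav` here also disagrees with `SOCKET_RWGROUP=postfix` in the defaults file and `group => postfix` in the manifest, so which group the socket finally gets depends on the order in which the daemon and the init script touch it — better to state one group in one place. `MaxFileSize 10M` presumably means messages above that size are passed on unscanned rather than rejected; if that is intended, a comment saying so next to it would stop a reader from assuming it is a size cap.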
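Review bot: Each configured address is written as `From::<%= name %>`, i.e. a match on the envelope sender, which is attacker-controlled and unauthenticated; anyone who forges `MAIL FROM` as a whitelisted address bypasses virus scanning for that message, so the template should carry a comment stating that this is a deliberate, sender-spoofable exemption to be kept as short as possible. The entries are also inserted verbatim into what clamav-milter treats as regular expressions, so the `.` in `user@example.org` matches any character and a stray `*` or `+` in a hiera value silently widens or breaks the match; `From::^<%= Regexp.escape(name) %>$` makes each entry match exactly one address. Whether clamav-milter already anchors whitelist patterns is not visible here, so confirm against its documentation before adding the anchors.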
@@ -49,6 +49,10 @@ class site_postfix::mx { # alias map 'local_recipient_maps': value => '$alias_maps'; + 'smtpd_milters': + value => 'unix:/run/clamav/milter.ctl'; + 'milter_default_action': + value => 'accept'; } include site_postfix::mx::smtpd_checks @@ -57,6 +61,7 @@ class site_postfix::mx { include site_postfix::mx::smtpd_tls include site_postfix::mx::static_aliases include site_postfix::mx::rewrite_openpgp_header + include clamav # greater verbosity for debugging, take out for production #include site_postfix::debug -- cgit v1.2.3 From eda35dc4f8a9bb5dab84d917c7a9e9a058ba8d2f Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 13 Oct 2015 11:49:20 -0400 Subject: Update resource_file to not include /private/ as this is not used anymore by the nagios module, and our config template has drifted. Fixes: #7527 Change-Id: I56c3492056fcb95c499cf78b893249adcf0ae67f --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 0d729b8c..981dc12a 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -70,7 +70,7 @@ precached_object_file=/var/lib/nagios3/objects.precache # defined as macros in this file and restrictive permissions (600) # can be placed on this file. -resource_file=/etc/nagios3/private/resource.cfg +resource_file=/etc/nagios3/resource.cfg -- cgit v1.2.3 From 717bd0f1061cbc4cd22a22f87b9b00ddf469f2fc Mon Sep 17 00:00:00 2001 
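Review bot: `milter_default_action` is set to `accept`, so whenever Postfix cannot reach the milter socket (daemon down, socket not yet created, wrong permissions on `/run/clamav/milter.ctl`) every message is delivered unscanned, and the milter's own `OnFail Defer` does not help because it only covers clamd failures seen by a running milter. If scanning is meant to be a guarantee, `value => 'tempfail';` fails closed at the cost of queueing mail during an outage; if availability wins, a comment such as `# unreachable milter deliberately fails open; see OnFail in clamav-milter.conf` would at least record the trade-off where the next reader looks for it. The enclosing class `site_postfix::mx` extends beyond this hunk.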
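Review bot: The comment kept in this hunk says `resource_file` holds the `$USERn$` macros, typically credentials, and can be given 0600 permissions, which is presumably why the old path sat under `private/`; moving it to `/etc/nagios3/resource.cfg` is only safe if whatever writes that file also sets restrictive ownership and mode, which this hunk does not show. Worth confirming that the manifest's resource for `/etc/nagios3/resource.cfg` carries `mode => '0600'` (or 0640 with the nagios group) so the path change does not quietly make those macros readable to every local user.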
From: Micah Date: Tue, 13 Oct 2015 12:01:53 -0400 Subject: Make syslog stop logging the icmpv6_send: no reply to icmp error messages, these are spamming provider's logs and will continue to do so until we have ipv6 working for the VPN (#6540) Change-Id: I80673bb64d8239e478bc042794929640f7a7cc39 --- puppet/modules/site_openvpn/manifests/init.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index e2a3124e..ede35a9e 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -229,6 +229,13 @@ class site_openvpn { } leap::logfile { 'openvpn': } + + # Because we currently do not support ipv6 and instead block it (so no leaks + # happen), we get a large number of these messages, so we ignore them (#6540) + rsyslog::snippet { '01-ignore_icmpv6_send': + content => ':msg, contains, "icmpv6_send: no reply to icmp error" ~' + } + include site_check_mk::agent::openvpn } -- cgit v1.2.3 From 1c5e9e2afad7e9225ff5eaa8350268654078cf21 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 13 Oct 2015 18:13:05 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 1f583d9c..ae53b180 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 1f583d9c9157390850a7737630f60832ced82374 +Subproject commit ae53b180783016faa4331094a52769ddd57463f8 -- cgit v1.2.3 From 2c8de729a2a4213b8cb312bcb481695ae44f9a62 Mon Sep 17 00:00:00 2001 
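Review bot: The discard action written as a trailing `~` in `:msg, contains, "icmpv6_send: no reply to icmp error" ~` is the legacy rsyslog syntax; rsyslog 7 and later still accept it but log a deprecation warning at startup and recommend `stop`, so `content => ':msg, contains, "icmpv6_send: no reply to icmp error" stop'` is the forward-compatible spelling if the rsyslog shipped on the platform's hosts supports it (its version is not visible here). Because the snippet's `01-` prefix presumably orders it before any other rules, the messages are also dropped before any forwarding rule sees them, which the comment should mention so nobody later wonders why these kernel messages never reach a central log. The enclosing class `site_openvpn` starts outside this hunk.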
From: Micah Date: Tue, 13 Oct 2015 14:01:48 -0400 Subject: Class was renamed, but not properly cared for in the rest of the manifest Change-Id: Ic9f022dcbb9f2096b933c898ae43023e0bf278c6 --- puppet/modules/clamav/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp index fa7b553c..de8fb4dc 100644 --- a/puppet/modules/clamav/manifests/init.pp +++ b/puppet/modules/clamav/manifests/init.pp @@ -2,7 +2,7 @@ class clamav { include clamav::daemon include clamav::milter - include clamav::sanesecurity + include clamav::unofficial_sigs include clamav::freshclam } -- cgit v1.2.3 From 43595b105a21aaccb41c4d9199d87b3dc2d48ab5 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 13 Oct 2015 15:58:12 -0400 Subject: Fix ordering of clamav resources, by requiring the package installation as a pre-requisite Change-Id: Ic9c8cc6ccfb31ce5e56937a2d95de7974707c368 --- puppet/modules/clamav/manifests/daemon.pp | 22 +++++++++++++--------- puppet/modules/clamav/manifests/freshclam.pp | 10 ++++++---- puppet/modules/clamav/manifests/milter.pp | 6 ++++-- 3 files changed, 23 insertions(+), 15 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp index 9aebf9b0..bf232e2c 100644 --- a/puppet/modules/clamav/manifests/daemon.pp +++ b/puppet/modules/clamav/manifests/daemon.pp 
@@ -14,20 +14,23 @@ class clamav::daemon { pattern => '/usr/sbin/clamd', enable => true, hasrestart => true, - subscribe => File['/etc/default/clamav-daemon']; + subscribe => File['/etc/default/clamav-daemon'], + require => Package['clamav-daemon']; } file { '/var/run/clamav': - ensure => directory, - mode => '0750', - owner => clamav, - group => postfix; + ensure => directory, + mode => '0750', + owner => clamav, + group => postfix, + require => [Package['postfix'], Package['clamav-daemon']]; '/var/lib/clamav': - mode => '0755', - owner => clamav, - group => clamav; + mode => '0755', + owner => clamav, + group => clamav, + require => Package['clamav-daemon']; '/etc/default/clamav-daemon': source => 'puppet:///modules/clamav/clamav-daemon_default', @@ -41,7 +44,8 @@ class clamav::daemon { content => template('clamav/local.pdb.erb'), mode => '0644', owner => clamav, - group => clamav; + group => clamav, + require => Package['clamav-daemon']; } file_line { diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp index b9827ede..80c822a4 100644 --- a/puppet/modules/clamav/manifests/freshclam.pp +++ b/puppet/modules/clamav/manifests/freshclam.pp @@ -8,14 +8,16 @@ class clamav::freshclam { enable => true, name => clamav-freshclam, pattern => '/usr/bin/freshclam', - hasrestart => true; + hasrestart => true, + require => Package['clamav-freshclam']; } file_line { 'freshclam_notify': - path => '/etc/clamav/freshclam.conf', - line => 'NotifyClamd /etc/clamav/clamd.conf', - notify => Service[freshclam]; + path => '/etc/clamav/freshclam.conf', + line => 'NotifyClamd /etc/clamav/clamd.conf', + require => Package['clamav-freshclam'], + notify => Service['freshclam']; } } diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp index 52ddaef1..e8a85e3f 100644 --- a/puppet/modules/clamav/manifests/milter.pp +++ b/puppet/modules/clamav/manifests/milter.pp 
@@ -14,6 +14,7 @@ class clamav::milter { name => clamav-milter, pattern => '/usr/sbin/clamav-milter', hasrestart => true, + require => Package['clamav-milter'], subscribe => File['/etc/default/clamav-milter']; } @@ -29,6 +30,7 @@ class clamav::milter { mode => '0644', owner => root, group => root, + require => Package['clamav-milter'], subscribe => Service['clamav-milter']; '/etc/default/clamav-milter': @@ -41,8 +43,8 @@ class clamav::milter { content => template('clamav/whitelisted_addresses.erb'), mode => '0644', owner => root, - group => root; - + group => root, + require => Package['clamav-milter']; } } -- cgit v1.2.3 From 2443311119a618e544f0f701c4a596690a3fcd05 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 15 Oct 2015 17:12:48 -0400 Subject: switch to ensure_packages to avoid puppet duplicate package definitions (#7530) Change-Id: I398b929fc96cf64e46075266ace0d8d1145b3aac --- puppet/modules/clamav/manifests/unofficial_sigs.pp | 5 +++-- puppet/modules/couchdb | 2 +- puppet/modules/ruby | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/clamav/manifests/unofficial_sigs.pp b/puppet/modules/clamav/manifests/unofficial_sigs.pp index 316154d3..2d849585 100644 --- a/puppet/modules/clamav/manifests/unofficial_sigs.pp +++ b/puppet/modules/clamav/manifests/unofficial_sigs.pp @@ -1,10 +1,11 @@ class clamav::unofficial_sigs { - package { [ 'clamav-unofficial-sigs', 'wget', 'gnupg', - 'socat', 'rsync', 'curl' ]: + package { 'clamav-unofficial-sigs': ensure => installed } + ensure_packages(['wget', 'gnupg', 'socat', 'rsync', 'curl']) + file { '/var/log/clamav-unofficial-sigs.log': ensure => file, diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index ae53b180..d077a7b1 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit ae53b180783016faa4331094a52769ddd57463f8 +Subproject commit d077a7b11c95089882e08432c45b883a9097e81d 
diff --git a/puppet/modules/ruby b/puppet/modules/ruby index e4de25d7..0fb2b398 160000 --- a/puppet/modules/ruby +++ b/puppet/modules/ruby @@ -1 +1 @@ -Subproject commit e4de25d78eefc7df70a35dee22a3e0dc1b7e1d0b +Subproject commit 0fb2b398dbfce59c678d6f4044a55969e42c6d4d -- cgit v1.2.3 From 20f298c48e6df0908dddea696d972c61b0e88bb8 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 17 Oct 2015 13:32:42 +0200 Subject: [bug] updated submodule couchdb - Tested: [local singlenode, citest] - Resolves: #7530 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index d077a7b1..cdde1e17 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit d077a7b11c95089882e08432c45b883a9097e81d +Subproject commit cdde1e172b3ed2c6c1f203341e75bcef5c3c3491 -- cgit v1.2.3 From 9b18f7880aad97320cd5d118c31f04a0afc7c542 Mon Sep 17 00:00:00 2001 From: guido Date: Mon, 19 Oct 2015 15:07:30 -0300 Subject: Redirect to webapp_domain instead of domain This is needed for webapp when running on a subdomain. --- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index ee5cd707..7f9fd5ab 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -4,7 +4,7 @@ ServerAlias <%= domain %> ServerAlias www.<%= domain %> RewriteEngine On - RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + RewriteRule ^.*$ https://<%= webapp_domain -%>%{REQUEST_URI} [R=permanent,L] CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common -- cgit v1.2.3 From 91c638f7d30243f0c5c079659bd3bd1d32a7cc7c Mon Sep 17 00:00:00 2001 
From: Micah Date: Mon, 19 Oct 2015 20:57:07 -0400 Subject: change apache header set for HSTS to be always, otherwise it wont be set for redirects (#7540) Change-Id: Ic77c64c03a99dad951f42633de04c352bed17c1e --- puppet/modules/site_static/templates/apache.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 4d61cc08..2853c5c7 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -48,7 +48,7 @@ Include include.d/ssl_common.inc <%- if @tls_only -%> - Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" + Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> Header set X-Frame-Options "deny" Header always unset X-Powered-By -- cgit v1.2.3 From 1ade690d20618ca5adb0c4a1647b36200197fd26 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 20 Oct 2015 17:17:39 -0400 Subject: Provide tor hidden service configuration for static sites (#7546) Without this configuration, a very basic, and non-functional virtualhost is created, making the hidden service not work Change-Id: Ibe87c6acf5c21cff2388247c4ba320a5b6af7933 --- .../site_apache/templates/vhosts.d/hidden_service.conf.erb | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 0c6f3b8e..2c8d5eb5 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb 
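Review bot: The context line `Header set X-Frame-Options "deny"` two lines below the changed one has the same weakness this commit fixes for HSTS: without `always` the header is only attached to responses in the success table, so Apache-generated redirects and error pages leave without it; change it to `Header always set X-Frame-Options "deny"`. The `<%- if @tls_only -%>` block is the only part of the header set visible here, so the remaining headers cannot be checked from this hunk.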
@@ -30,4 +30,14 @@ ExpiresDefault "access plus 1 year" <% end -%> + +<% if (defined? @services) and (@services.include? 'static') -%> + DocumentRoot "/srv/static/root/public" + AccessFileName .htaccess + + Alias /provider.json /srv/leap/provider.json + + Header set X-Minimum-Client-Version 0.5 + +<% end -%> -- cgit v1.2.3 From 4449f09cc362ec0cf64881f547cb41e73cbd67f5 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 26 Oct 2015 13:26:25 +0100 Subject: updated unbound submodule --- puppet/modules/unbound | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/unbound b/puppet/modules/unbound index 00646b0f..9997485b 160000 --- a/puppet/modules/unbound +++ b/puppet/modules/unbound @@ -1 +1 @@ -Subproject commit 00646b0ffc71a86981b05f983c86ace0979d1b6f +Subproject commit 9997485b8a31abbe0cd1943d09995705c2c8146a -- cgit v1.2.3 From 171a5a9a3794224a92244078574aac4b22845266 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 26 Oct 2015 16:18:17 +0100 Subject: [bug] Add leap_mx username to soledad.conf - Tested: [unstable.pixelated-project.org] - Related: https://github.com/pixelated/pixelated-platform/issues/127 --- puppet/modules/soledad/manifests/server.pp | 7 ++++--- puppet/modules/soledad/templates/soledad-server.conf.erb | 8 ++++++++ 2 files changed, 12 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index e437c8f2..1113bd86 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp 
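Review bot: `Alias /provider.json /srv/leap/provider.json` maps a path outside the new `DocumentRoot`, and nothing in the hunk grants access to it; under Apache 2.4's usual deny-by-default `<Directory />` policy the alias answers 403 unless a `<Directory>`/`<Files>` grant for that one file exists elsewhere in the template, so confirm one does or add one scoped to provider.json only. `AccessFileName .htaccess` likewise only takes effect with a matching `AllowOverride`, which is not visible here either. Style: `(defined? @services) and (@services.include? 'static')` uses `and` with parenthesised calls; `defined?(@services) && @services.include?('static')` is the conventional Ruby form. The enclosing `<VirtualHost>` starts outside the hunk.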
@@ -4,9 +4,10 @@ class soledad::server { include soledad include site_apt::preferences::twisted - $soledad = hiera('soledad') - $couchdb_user = $soledad['couchdb_soledad_user']['username'] - $couchdb_password = $soledad['couchdb_soledad_user']['password'] + $soledad = hiera('soledad') + $couchdb_user = $soledad['couchdb_soledad_user']['username'] + $couchdb_password = $soledad['couchdb_soledad_user']['password'] + $couchdb_leap_mx_user = $soledad['couchdb_leap_mx_user']['username'] $couchdb_host = 'localhost' $couchdb_port = '5984' diff --git a/puppet/modules/soledad/templates/soledad-server.conf.erb b/puppet/modules/soledad/templates/soledad-server.conf.erb index 42cf44d8..1c6a0d19 100644 --- a/puppet/modules/soledad/templates/soledad-server.conf.erb +++ b/puppet/modules/soledad/templates/soledad-server.conf.erb @@ -2,3 +2,11 @@ couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %> create_cmd = sudo -u soledad-admin /usr/bin/create-user-db admin_netrc = /etc/couchdb/couchdb-soledad-admin.netrc + +[database-security] +members = <%= @couchdb_user %>, <%= @couchdb_leap_mx_user %> +# not needed, but for documentation: +# members_roles = replication +# admins = admin +# admins_roles = replication + -- cgit v1.2.3 From 72bec64f52895153612b5e736274266ebc0ab554 Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 30 Oct 2015 10:31:17 +0100 Subject: [feat] Add soledad::client class for soledad-sync - Restructure soledad class - Include soledad::client class on webapp nodes - Tested: [unstable.bitmask.net] - Related: #7523 --- puppet/modules/site_webapp/manifests/init.pp | 6 ++-- puppet/modules/soledad/manifests/client.pp | 18 ++++++++++++ puppet/modules/soledad/manifests/common.pp | 6 ++-- puppet/modules/soledad/manifests/init.pp | 40 --------------------------- puppet/modules/soledad/manifests/server.pp | 41 ++++++++++++++++++++++++---- 5 files changed, 59 insertions(+), 52 deletions(-) create mode 100644 puppet/modules/soledad/manifests/client.pp delete mode 100644 puppet/modules/soledad/manifests/init.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index d046b7df..837950a8 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -167,10 +167,8 @@ class site_webapp { # needed for the soledad-sync check which is run on the - # webapp node (#6520) - package { 'python-u1db': - ensure => latest, - } + # webapp node + include soledad::client leap::logfile { 'webapp': } diff --git a/puppet/modules/soledad/manifests/client.pp b/puppet/modules/soledad/manifests/client.pp new file mode 100644 index 00000000..5700cb09 --- /dev/null +++ b/puppet/modules/soledad/manifests/client.pp @@ -0,0 +1,18 @@ +# setup soledad-client +# currently needed on webapp node to run the soledad-sync test +class soledad::client { + + tag 'leap_service' + include soledad::common + + package { + 'soledad-client': + ensure => latest, + require => [ + Class['site_apt::preferences::twisted'], + Class['site_apt::leap_repo'] ]; + 'python-u1db': + ensure => latest; + } + +} diff --git a/puppet/modules/soledad/manifests/common.pp b/puppet/modules/soledad/manifests/common.pp index 8a1d664a..d66e943c 100644 
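Review bot: `ensure => latest` on both `soledad-client` and `python-u1db` (and on `soledad-common` in the common.pp hunk that follows) turns every Puppet run into an unattended upgrade from whatever the configured apt sources currently serve, so a changed package reaches webapp nodes with no review step and no way to reproduce the version set that was last tested. `ensure => present`, or a pinned version, with upgrades driven deliberately is the safer default for a component that handles user data; if `latest` is intentional, state that in the class comment. The `require` on `soledad-client` orders it after the apt preferences and repo classes, but `python-u1db` has no such ordering, so on a first run it may be resolved before the leap repo is configured.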
--- a/puppet/modules/soledad/manifests/common.pp +++ b/puppet/modules/soledad/manifests/common.pp @@ -1,10 +1,10 @@ +# install soledad-common, both needed both soledad-client and soledad-server class soledad::common { - include soledad + include site_apt::preferences::twisted package { 'soledad-common': - ensure => latest, - require => User['soledad'] + ensure => latest; } } diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp deleted file mode 100644 index 6a2c328e..00000000 --- a/puppet/modules/soledad/manifests/init.pp +++ /dev/null @@ -1,40 +0,0 @@ -# set up users, group and directories for soledad-server -# although the soledad users are already created by the -# soledad-server package -class soledad { - - group { 'soledad': - ensure => present, - system => true, - } - - user { 'soledad': - ensure => present, - system => true, - gid => 'soledad', - home => '/srv/leap/soledad', - require => Group['soledad']; - } - - user { 'soledad-admin': - ensure => present, - system => true, - gid => 'soledad', - home => '/srv/leap/soledad', - require => Group['soledad']; - } - - file { - '/srv/leap/soledad': - ensure => directory, - owner => 'soledad', - group => 'soledad', - require => User['soledad']; - - '/var/lib/soledad': - ensure => directory, - owner => 'soledad', - group => 'soledad', - require => User['soledad']; - } -} diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 1113bd86..5c5a1bb7 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -1,8 +1,7 @@ # setup soledad-server class soledad::server { tag 'leap_service' - include soledad - include site_apt::preferences::twisted + include soledad::common $soledad = hiera('soledad') $couchdb_user = $soledad['couchdb_soledad_user']['username'] 
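Review bot: The new header comment `# install soledad-common, both needed both soledad-client and soledad-server` is garbled; suggest `# install soledad-common, needed by both soledad-client and soledad-server`. Since this class is now the shared base for client and server nodes, one more sentence saying that it deliberately declares no users or directories (those live in soledad::server) would prevent someone re-adding the dropped `require => User['soledad']` here.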
@@ -36,7 +35,17 @@ class soledad::server { group => 'soledad', mode => '0640', notify => Service['soledad-server'], - require => Class['soledad']; + require => [ User['soledad'], Group['soledad'] ]; + '/srv/leap/soledad': + ensure => directory, + owner => 'soledad', + group => 'soledad', + require => [ User['soledad'], Group['soledad'] ]; + '/var/lib/soledad': + ensure => directory, + owner => 'soledad', + group => 'soledad', + require => [ User['soledad'], Group['soledad'] ]; } package { $sources['soledad']['package']: @@ -52,7 +61,7 @@ class soledad::server { group => 'soledad', mode => '0600', notify => Service['soledad-server'], - require => Class['soledad']; + require => [ User['soledad'], Group['soledad'] ]; } service { 'soledad-server': @@ -60,7 +69,7 @@ class soledad::server { enable => true, hasstatus => true, hasrestart => true, - require => Class['soledad'], + require => [ User['soledad'], Group['soledad'] ], subscribe => [ Package['soledad-server'], Class['Site_config::X509::Key'], @@ -70,4 +79,26 @@ class soledad::server { include site_shorewall::soledad include site_check_mk::agent::soledad + + # set up users, group and directories for soledad-server + # although the soledad users are already created by the + # soledad-server package + group { 'soledad': + ensure => present, + system => true, + } + user { + 'soledad': + ensure => present, + system => true, + gid => 'soledad', + home => '/srv/leap/soledad', + require => Group['soledad']; + 'soledad-admin': + ensure => present, + system => true, + gid => 'soledad', + home => '/srv/leap/soledad', + require => Group['soledad']; + } } -- cgit v1.2.3 From cfbe272d17a21c4bff088a87865cbcbefc837e39 Mon Sep 17 00:00:00 2001 
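Review bot: The new `/srv/leap/soledad` and `/var/lib/soledad` directory resources set owner and group but no `mode`, so their permissions fall back to whatever the agent's umask yields, which for a service's state directories is usually wider than needed; give them an explicit mode, e.g. `mode => '0750'`, in keeping with the `0640` used on the files in this hunk. The repeated `require => [ User['soledad'], Group['soledad'] ]` arrays could be replaced by a single chain such as `Group['soledad'] -> User['soledad'] -> File['/srv/leap/soledad', '/var/lib/soledad']`, though that is style only. The moved user/group block keeps the comment that the package already creates these users; saying why Puppet declares them anyway (to pin `home` and `system`) would help the next reader. The `file {` block starts outside the hunk.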
From: varac Date: Fri, 30 Oct 2015 11:23:40 +0100 Subject: [feat] Remove bigcouch nagios leftovers When migrating from bigcouch to couchdb, we need to remove leftover nagios tests for bigcouch. - Added new classes: site_check_mk::agent::couchdb::bigcouch and site_check_mk::agent::couchdb::master - Tested: unstable.pixelated-project.org - Resolves: https://github.com/pixelated/pixelated-platform/issues/126 --- .../site_check_mk/manifests/agent/couchdb.pp | 49 ++++--------------- .../manifests/agent/couchdb/bigcouch.pp | 56 ++++++++++++++++++++++ .../manifests/agent/couchdb/master.pp | 23 +++++++++ puppet/modules/site_couchdb/manifests/bigcouch.pp | 3 ++ puppet/modules/site_couchdb/manifests/master.pp | 2 + 5 files changed, 94 insertions(+), 39 deletions(-) create mode 100644 puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp create mode 100644 puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index 8de5121b..1554fd3c 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp 
@@ -1,40 +1,18 @@ -# configure logwatch and nagios checks for couchdb +# configure logwatch and nagios checks for couchdb (both bigcouch and plain +# couchdb installations) class site_check_mk::agent::couchdb { - # watch bigcouch logs - # currently disabled because bigcouch is too noisy - # see https://leap.se/code/issues/7375 for more details - # and site_config::remove_files for removing leftovers - #file { '/etc/check_mk/logwatch.d/bigcouch.cfg': - # source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg', - #} - - # check syslog msg from: - # - empd - # - /usr/local/bin/couch-doc-update concat::fragment { 'syslog_couchdb': source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/couchdb.cfg', target => '/etc/check_mk/logwatch.d/syslog.cfg', order => '02'; } - - # check bigcouch processes - augeas { - 'Bigcouch_epmd_procs': - incl => '/etc/check_mk/mrpe.cfg', - lens => 'Spacevars.lns', - changes => [ - 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs', - 'set Bigcouch_epmd_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/epmd\'' ], - require => File['/etc/check_mk/mrpe.cfg']; - 'Bigcouch_beam_procs': - incl => '/etc/check_mk/mrpe.cfg', - lens => 'Spacevars.lns', - changes => [ - 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs', - 'set Bigcouch_beam_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/beam\'' ], - require => File['/etc/check_mk/mrpe.cfg']; + # check different couchdb stats + file { '/usr/lib/check_mk_agent/local/leap_couch_stats.sh': + source => 'puppet:///modules/site_check_mk/agent/local_checks/couchdb/leap_couch_stats.sh', + mode => '0755', + require => Package['check_mk-agent'] } # check open files for bigcouch proc 
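Review bot: The trailing context comment `# check open files for bigcouch proc` is now stale: the next hunk renames the check to `Couchdb_open_files` and the class header says this class covers both bigcouch and plain couchdb, so it should read `# check open files for the couchdb (beam) process`. A pointer in the header such as `# bigcouch-only checks live in site_check_mk::agent::couchdb::bigcouch` would also save the reader a search now that those resources have moved.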
@@ -44,20 +22,13 @@ class site_check_mk::agent::couchdb { mode => '0755' } augeas { - 'Bigcouch_open_files': + 'Couchdb_open_files': incl => '/etc/check_mk/mrpe.cfg', lens => 'Spacevars.lns', changes => [ - 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files', - 'set Bigcouch_open_files \'/srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720\'' ], + 'rm /files/etc/check_mk/mrpe.cfg/Couchdb_open_files', + 'set Couchdb_open_files \'/srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720\'' ], require => File['/etc/check_mk/mrpe.cfg']; } - - # check different couchdb stats - file { '/usr/lib/check_mk_agent/local/leap_couch_stats.sh': - source => 'puppet:///modules/site_check_mk/agent/local_checks/couchdb/leap_couch_stats.sh', - mode => '0755', - require => Package['check_mk-agent'] - } } diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp new file mode 100644 index 00000000..073d07a9 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp 
@@ -0,0 +1,56 @@ +# configure logwatch and nagios checks for bigcouch +class site_check_mk::agent::couchdb::bigcouch { + + # watch bigcouch logs + # currently disabled because bigcouch is too noisy + # see https://leap.se/code/issues/7375 for more details + # and site_config::remove_files for removing leftovers + #file { '/etc/check_mk/logwatch.d/bigcouch.cfg': + # source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg', + #} + + # check syslog msg from: + # - empd + # - /usr/local/bin/couch-doc-update + concat::fragment { 'syslog_bigcouch': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/bigcouch.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '02'; + } + + # check bigcouch processes + augeas { + 'Bigcouch_epmd_procs': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => [ + 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs', + 'set Bigcouch_epmd_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/epmd\'' ], + require => File['/etc/check_mk/mrpe.cfg']; + 'Bigcouch_beam_procs': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => [ + 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs', + 'set Bigcouch_beam_procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/beam\'' ], + require => File['/etc/check_mk/mrpe.cfg']; + } + + # check open files for bigcouch proc + include site_check_mk::agent::package::perl_plugin + file { '/srv/leap/nagios/plugins/check_unix_open_fds.pl': + source => 'puppet:///modules/site_check_mk/agent/nagios_plugins/check_unix_open_fds.pl', + mode => '0755' + } + + augeas { + 'Bigcouch_open_files': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => [ + 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files', + 'set Bigcouch_open_files \'/srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 28672,28672 -c 30720,30720\'' ], + require => 
File['/etc/check_mk/mrpe.cfg']; + } + +} diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp new file mode 100644 index 00000000..291b87d1 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp @@ -0,0 +1,23 @@ +# configure logwatch and nagios checks for plain single couchdb master +class site_check_mk::agent::couchdb::master { + + # remove bigcouch leftovers + augeas { + 'Bigcouch_epmd_procs': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs', + require => File['/etc/check_mk/mrpe.cfg']; + 'Bigcouch_beam_procs': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs', + require => File['/etc/check_mk/mrpe.cfg']; + 'Bigcouch_open_files': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files', + require => File['/etc/check_mk/mrpe.cfg']; + } + +} diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index 469a2783..2de3d4d0 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp @@ -44,4 +44,7 @@ class site_couchdb::bigcouch { require => Package['couchdb'], notify => Service['couchdb'] } + + include site_check_mk::agent::couchdb::bigcouch + } diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp index c28eee7d..5dab6325 100644 --- a/puppet/modules/site_couchdb/manifests/master.pp +++ b/puppet/modules/site_couchdb/manifests/master.pp @@ -6,4 +6,6 @@ class site_couchdb::master { chttpd_bind_address => '127.0.0.1', pwhash_alg => $site_couchdb::couchdb_pwhash_alg } + + include site_check_mk::agent::couchdb::master } -- cgit v1.2.3 
From 9b135ab96f1e419698e3e638ea871097fe4956e4 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 30 Oct 2015 18:00:51 +0100 Subject: [bug] Remove duplicte declaration Duplicate declaration: File[/srv/leap/nagios/plugins/check_unix_open_fds.pl] is already declared in file /srv/leap/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp at line 44; cannot redeclare at /srv/leap/puppet/modules/site_check_mk/manifests/agent/couchdb.pp:23 on node rewdevcouch1.rewire.org --- puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp | 7 ------- 1 file changed, 7 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp index 073d07a9..82c3ac72 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb/bigcouch.pp @@ -36,13 +36,6 @@ class site_check_mk::agent::couchdb::bigcouch { require => File['/etc/check_mk/mrpe.cfg']; } - # check open files for bigcouch proc - include site_check_mk::agent::package::perl_plugin - file { '/srv/leap/nagios/plugins/check_unix_open_fds.pl': - source => 'puppet:///modules/site_check_mk/agent/nagios_plugins/check_unix_open_fds.pl', - mode => '0755' - } - augeas { 'Bigcouch_open_files': incl => '/etc/check_mk/mrpe.cfg', -- cgit v1.2.3 From 87ddb4d6505229f36b096188c3e43a19281b540c Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 31 Oct 2015 20:03:28 +0100 Subject: [bug] Add bigcouch syslog snippet for logwatch --- .../modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg | 5 +++++ puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg | 5 ----- 2 files changed, 5 insertions(+), 5 deletions(-) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg new file mode 100644 index 00000000..f53f0780 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/bigcouch.cfg @@ -0,0 +1,5 @@ +# on one-node bigcouch setups, we'll get this msg +# a lot, so we ignore it here until we fix +# https://leap.se/code/issues/5244 + I epmd: got partial packet only on file descriptor + diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg index f546135a..5f8d5b95 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg @@ -1,7 +1,2 @@ C /usr/local/bin/couch-doc-update.*failed C /usr/local/bin/couch-doc-update.*ERROR -# on one-node bigcouch setups, we'll get this msg -# a lot, so we ignore it here until we fix -# https://leap.se/code/issues/5244 - I epmd: got partial packet only on file descriptor - -- cgit v1.2.3 From e97a9d3800b173375a630e18e4b1aa0894eb96e1 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 20 Oct 2015 17:14:21 -0400 Subject: Add basic DKIM support, this requires changes in leap_cli detailed in issue #5924 Change-Id: I6aa1e7751633407d441cbc6436d8426d37dbbfa7 --- puppet/modules/opendkim/manifests/init.pp | 38 +++++++++++++++++++ puppet/modules/opendkim/templates/opendkim.conf | 44 ++++++++++++++++++++++ .../modules/site_config/manifests/x509/dkim/key.pp | 13 +++++++ puppet/modules/site_postfix/manifests/mx.pp | 2 +- 4 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/opendkim/manifests/init.pp create mode 100644 puppet/modules/opendkim/templates/opendkim.conf create mode 100644 puppet/modules/site_config/manifests/x509/dkim/key.pp (limited to 'puppet/modules') 
diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp
new file mode 100644
index 00000000..9e67569e
--- /dev/null
+++ b/puppet/modules/opendkim/manifests/init.pp
@@ -0,0 +1,38 @@
+# configure opendkim service (#5924)
+class opendkim {
+
+ $domain_hash = hiera('domain')
+ $domain = $domain_hash['full_suffix']
+ $dkim = hiera('dkim')
+ $selector = $dkim['dkim_selector']
+
+ include site_config::x509::dkim::key
+ $dkim_key = "${x509::variables::keys}/dkim.key"
+
+ ensure_packages(['opendkim', 'libopendkim7', 'libvbr2'])
+
+ # postfix user needs to be in the opendkim group
+ # in order to access the opendkim socket located at:
+ # local:/var/run/opendkim/opendkim.sock
+ user { 'postfix':
+ groups => 'opendkim';
+ }
+
+ service { 'opendkim':
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => Class['Site_config::X509::Dkim::Key'],
+ subscribe => File[$dkim_key];
+ }
+
+ file { '/etc/opendkim.conf':
+ ensure => present,
+ content => template('opendkim/opendkim.conf'),
+ mode => '0644',
+ owner => root,
+ group => root,
+ notify => Service['opendkim'],
+ require => Package['opendkim'];
+}
diff --git a/puppet/modules/opendkim/templates/opendkim.conf b/puppet/modules/opendkim/templates/opendkim.conf
new file mode 100644
index 00000000..46ddb7a8
--- /dev/null
+++ b/puppet/modules/opendkim/templates/opendkim.conf
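Review bot: The class is never closed as this hunk reads: the header declares 38 added lines and the single unindented `}` at the end is the one that closes the `file { '/etc/opendkim.conf': … }` resource, leaving `class opendkim {` open, so the manifest should fail to parse; add a second `}` after the file resource. `user { 'postfix': groups => 'opendkim' }` and `service { 'opendkim': … }` have no ordering against `Package['opendkim']`, so on a first run the group may not exist yet and the service may be started before the package is present; add `require => Package['opendkim']` to both, as the file resource already does. The `subscribe => File[$dkim_key]` means a key rotation restarts opendkim, which is the right behaviour and worth a one-line comment.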
@@ -0,0 +1,44 @@ +# This is a basic configuration that can easily be adapted to suit a standard +# installation. For more advanced options, see opendkim.conf(5) and/or +# /usr/share/doc/opendkim/examples/opendkim.conf.sample. + +# Log to syslog +Syslog yes +SyslogSuccess yes +LogWhy no +# Required to use local socket with MTAs that access the socket as a non- +# privileged user (e.g. Postfix) +UMask 002 + +Domain <%= @domain %> +SubDomains yes + +# set internal hosts to all the known hosts, like mydomains? + +# can we generate a larger key and get it in dns? +KeyFile <%= @dkim_key %> + +# what selector do we use? +Selector <%= @selector %> + +# Commonly-used options; the commented-out versions show the defaults. +Canonicalization relaxed +#Mode sv +#ADSPDiscard no + +# Always oversign From (sign using actual From and a null From to prevent +# malicious signatures header fields (From and/or others) between the signer +# and the verifier. From is oversigned by default in the Debian pacakge +# because it is often the identity key used by reputation systems and thus +# somewhat security sensitive. +OversignHeaders From + +# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures +# (ATPS) (experimental) + +#ATPSDomains example.com + +RemoveOldSignatures yes + +Mode sv +BaseDirectory /var/tmp diff --git a/puppet/modules/site_config/manifests/x509/dkim/key.pp b/puppet/modules/site_config/manifests/x509/dkim/key.pp new file mode 100644 index 00000000..c63a7e94 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/dkim/key.pp @@ -0,0 +1,13 @@ +class site_config::x509::dkim::key { + + ## + ## This is for the DKIM key that is used exclusively for DKIM + ## signing + + $x509 = hiera('x509') + $key = $x509['dkim_key'] + + x509::key { 'dkim': + content => $key + } +} diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index f0a2554a..edaa506f 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp 
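Review bot: The open question `# set internal hosts to all the known hosts, like mydomains?` is left unresolved, and it matters with `Mode sv`: unless configured otherwise OpenDKIM signs only mail arriving from hosts listed in `InternalHosts` (by default just localhost) and verifies everything else, so mail submitted by authenticated users from outside that list may be verified instead of signed; either provide an `InternalHosts` list or document why the default suffices here. The key-size comment can be answered in place: a 2048-bit key is publishable in DNS when the TXT record is split into several quoted strings of at most 255 bytes, which whatever publishes the selector record must do. Minor: the inherited comment contains `pacakge`, and `Mode sv` appears both as a commented default and again at the bottom, so one of the two should go.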
+++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -50,7 +50,7 @@ class site_postfix::mx { 'local_recipient_maps': value => '$alias_maps'; 'smtpd_milters': - value => 'unix:/run/clamav/milter.ctl'; + value => 'unix:/run/clamav/milter.ctl,unix:/var/run/opendkim/opendkim.sock'; 'milter_default_action': value => 'accept'; } -- cgit v1.2.3 From ed1ff6fa01bf110fc338b7116fdf577aa88a8d46 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 27 Oct 2015 15:27:24 -0400 Subject: Add initial rate-limiting for outgoing SMTP, using postfwd (#5972) Change-Id: I6a6e68908b71d7499eb3ef3c7f0173b3d5b7baa2 --- puppet/modules/postfwd/files/postfwd_default | 19 ++++++++++ puppet/modules/postfwd/manifests/init.pp | 49 +++++++++++++++++++++++++ puppet/modules/postfwd/templates/postfwd.cf.erb | 31 ++++++++++++++++ puppet/modules/site_postfix/manifests/mx.pp | 1 + 4 files changed, 100 insertions(+) create mode 100644 puppet/modules/postfwd/files/postfwd_default create mode 100644 puppet/modules/postfwd/manifests/init.pp create mode 100644 puppet/modules/postfwd/templates/postfwd.cf.erb (limited to 'puppet/modules') diff --git a/puppet/modules/postfwd/files/postfwd_default b/puppet/modules/postfwd/files/postfwd_default new file mode 100644 index 00000000..79d0e3de --- /dev/null +++ b/puppet/modules/postfwd/files/postfwd_default @@ -0,0 +1,19 @@ +### This file managed by Puppet +# Global options for postfwd(8). + +# Set to '1' to enable startup (daemon mode) +STARTUP=1 + +# Config file +CONF=/etc/postfix/postfwd.cf +# IP where listen to +INET=127.0.0.1 +# Port where listen to +PORT=10040 +# run as user postfwd +RUNAS="postfw" +# Arguments passed on start (--daemon implied) +# RISEUP disable summary and cache-no-size +#ARGS="--summary=600 --cache=600 --cache-rdomain-only --cache-no-size" +ARGS="--cache=600 --cache-rdomain-only --no-rulestats" + diff --git a/puppet/modules/postfwd/manifests/init.pp b/puppet/modules/postfwd/manifests/init.pp new file mode 100644 index 00000000..b00bb071 
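Review bot: The context line `'milter_default_action': value => 'accept'` now governs two milters and makes both fail open: if the opendkim socket is down, outgoing mail leaves unsigned, and if the clamav milter is down, inbound mail is accepted unscanned, with nothing in this manifest surfacing either condition. Consider `value => 'tempfail'` so a broken milter defers mail visibly instead of silently degrading, or at least document the fail-open choice and pair it with a monitoring check on the opendkim service. The socket path is also hard-coded here while the opendkim class comment states it separately as `local:/var/run/opendkim/opendkim.sock`; a shared variable would keep the two from drifting. The enclosing resource block starts outside the hunk.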
--- /dev/null
+++ b/puppet/modules/postfwd/manifests/init.pp
@@ -0,0 +1,49 @@
+# This class provides rate-limiting for outgoing SMTP, using postfwd
+# it is configured with some limits that seem reasonable for a generic
+# use-case. Each of the following applies to sasl_authenticated users:
+#
+# . 150 recipients at a time
+# . no more than 50 messages in 60 minutes
+# . no more than 250 recipients in 60 minutes.
+#
+# This class could be easily extended to add overrides to these rules,
+# maximum sizes per client, or additional rules
+class postfwd {
+
+ ensure_packages(['libnet-server-perl', 'libnet-dns-perl', 'postfwd'])
+
+ file {
+ '/etc/default/postfwd':
+ source => 'puppet:///modules/postfwd/postfwd',
+ mode => '0644',
+ owner => root,
+ group => root,
+ require => Package['postfwd'];
+
+ '/etc/postfix/postfwd.cf':
+ content => template('postfwd/postfwd.cf.erb'),
+ mode => '0644',
+ owner => root,
+ group => root,
+ require => File['/etc/postfix'];
+ }
+
+ exec {
+ '/etc/init.d/postfwd reload':
+ refreshonly => true,
+ subscribe => [ File['/etc/postfix/postfwd.cf'],
+ File['/etc/default/postfwd'] ];
+ }
+
+ service {
+ 'postfwd':
+ ensure => running,
+ name => postfwd,
+ pattern => '/usr/sbin/postfwd',
+ enable => true,
+ hasrestart => true,
+ hasstatus => false,
+ require => [ File['/etc/default/postfwd'],
+ File['/etc/postfix/postfwd.cf']];
+ }
+}
diff --git a/puppet/modules/postfwd/templates/postfwd.cf.erb b/puppet/modules/postfwd/templates/postfwd.cf.erb
new file mode 100644
index 00000000..6460994a
--- /dev/null
+++ b/puppet/modules/postfwd/templates/postfwd.cf.erb
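Review bot: The header comment's limits do not match the rules in the postfwd.cf.erb hunk that follows: it promises `no more than 50 messages in 60 minutes` and `no more than 250 recipients in 60 minutes`, while the MSGRATE and RCPTRATE rules are written as `rate($$sasl_username/100/3600/...)` and `rcpt($$sasl_username/500/3600/...)`, i.e. 100 messages and 500 recipients, and the template's own comments repeat the 50/250 figures. Either the rules or the comments are wrong; since the comment is what an operator reads when deciding whether to deploy, bring both sides into agreement and keep the numbers in one place (class parameters rendered into the template would do). Separately, `hasstatus => false` with `pattern => '/usr/sbin/postfwd'` means Puppet judges the service by a process-table match, so a daemon that is alive but wedged is never restarted; a comment on why the init script's status is not trusted would help.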
@@ -0,0 +1,31 @@ +### This file managed by Puppet +# Before deploying a rule +# 1. test with an additional "sender==test@domain.org;" in the rule so it +# only applies to your test account +# 2. then when ready to test for all users, use WARN and watch the logs +# for a few days and make sure it working the way you like +# 3. Then when ready to deploy for real set a proper error code + +## Overrides - make like the following example +# id=exampleuser; sasl_username==exampleuser; action=dunno + +## Rules that apply to all senders +# Recipient Per Message Limit +# We only receive mail via smtp from sasl authenticated users +# directly. We want to limit to a lower amount to prevent phished accounts +# spamming +id=RCPTSENDER; recipient_count=150; action=REJECT Too many recipients, please try again. Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:RCPTSENDER + +# Message Rate Limit +# This limits sasl authenticated users to no more than 50/60mins +# NOTE: sasl_username needs to be set to something or this check will fail +id=MSGRATE ; sasl_username=!!(^$); action==rate($$sasl_username/100/3600/450 4.7.1 exceeded message rate. Contact Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:MSGRATE) + +# Total Recipient Rate Limit +# This adds up the recipients for all the sasl authenticated users messages +# and can't exceed more than 250/60min +# NOTE: sasl_username needs to be set to something or this check will fail +id=RCPTRATE ; sasl_username=!!(^$); action==rcpt($$sasl_username/500/3600/450 4.7.1 exceeded message rate. Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:RCPTRATE) + +# Size per client Limit +id=SENDSIZE ; state==END_OF_DATA ; client_address==!!(10.0.1.0/24); action==size($$client_address/314572800/3600/450 4.7.1 Sorry you have sent too much data. Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:SENDSIZE) 
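Review bot: The configured limits contradict their own comments: `action==rate($$sasl_username/100/3600/...)` allows 100 messages per 3600 s while the comment above it says 50/60mins, and `action==rcpt($$sasl_username/500/3600/...)` allows 500 recipients while the comment says 250/60min; the class header in the init.pp hunk of the same commit repeats the 50 and 250 figures. Either the numbers or the comments should change so an operator reading the manifest knows the real thresholds. The MSGRATE reject text also reads `Contact Contact http://...`, a duplicated word that reaches the sending client verbatim.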
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index edaa506f..71d61621 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -62,6 +62,7 @@ class site_postfix::mx { include site_postfix::mx::static_aliases include site_postfix::mx::rewrite_openpgp_header include clamav + include postfwd # greater verbosity for debugging, take out for production #include site_postfix::debug -- cgit v1.2.3 From ea5b55fb9a4f831c586ba773205d3238e5213260 Mon Sep 17 00:00:00 2001 From: Micah Date: Mon, 2 Nov 2015 18:45:13 -0500 Subject: fix postfwd dependency requirement Change-Id: Ied475dd1d555a2388034012f5a799a202dcc6ee7 --- puppet/modules/postfwd/manifests/init.pp | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/postfwd/manifests/init.pp b/puppet/modules/postfwd/manifests/init.pp index b00bb071..1ebc1d53 100644 --- a/puppet/modules/postfwd/manifests/init.pp +++ b/puppet/modules/postfwd/manifests/init.pp @@ -14,7 +14,7 @@ class postfwd { file { '/etc/default/postfwd': - source => 'puppet:///modules/postfwd/postfwd', + source => 'puppet:///modules/postfwd/postfwd_default', mode => '0644', owner => root, group => root, @@ -25,14 +25,7 @@ class postfwd { mode => '0644', owner => root, group => root, - require => File['/etc/postfix']; - } - - exec { - '/etc/init.d/postfwd reload': - refreshonly => true, - subscribe => [ File['/etc/postfix/postfwd.cf'], - File['/etc/default/postfwd'] ]; + require => Package['postfix']; } service { -- cgit v1.2.3 From 7d0b6b25e49a1ccb70c4f502f7dfc58878b900cc Mon Sep 17 00:00:00 2001 From: Micah Date: Mon, 2 Nov 2015 21:02:03 -0500 Subject: remove unused postfwd rule Change-Id: I8756c5c3212a3d7e3c44414fdf6bfff5cd29d70f --- puppet/modules/postfwd/templates/postfwd.cf.erb | 3 --- 1 file changed, 3 deletions(-) (limited to 'puppet/modules') 
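Review bot: `include postfwd` starts the policy daemon, but nothing in this commit tells postfix to consult it, so unless a `check_policy_service inet:127.0.0.1:10040` entry (the address and port from the `/etc/default/postfwd` file added in the same commit) is already present in the smtpd restrictions elsewhere, the rate limits never apply. A comment on the include naming where that hook lives, or the hook itself in `site_postfix::mx::smtpd_checks`, would make the wiring verifiable. The class body continues outside the hunk.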
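Review bot: Dropping the `exec { '/etc/init.d/postfwd reload': ... }` removes the only link between the two managed config files and the running daemon, and the `service { 'postfwd':` that opens on the hunk's last line (its body lies outside the hunk) only carried a `require` on those files in the version added earlier. Without a `subscribe => [ File['/etc/default/postfwd'], File['/etc/postfix/postfwd.cf'] ],` on the service, later edits to the rules or the listen address are written to disk but not picked up until someone restarts postfwd by hand.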
diff --git a/puppet/modules/postfwd/templates/postfwd.cf.erb b/puppet/modules/postfwd/templates/postfwd.cf.erb index 6460994a..1c45dd03 100644 --- a/puppet/modules/postfwd/templates/postfwd.cf.erb +++ b/puppet/modules/postfwd/templates/postfwd.cf.erb @@ -26,6 +26,3 @@ id=MSGRATE ; sasl_username=!!(^$); action==rate($$sasl_username/100/3600/450 4.7 # and can't exceed more than 250/60min # NOTE: sasl_username needs to be set to something or this check will fail id=RCPTRATE ; sasl_username=!!(^$); action==rcpt($$sasl_username/500/3600/450 4.7.1 exceeded message rate. Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:RCPTRATE) - -# Size per client Limit -id=SENDSIZE ; state==END_OF_DATA ; client_address==!!(10.0.1.0/24); action==size($$client_address/314572800/3600/450 4.7.1 Sorry you have sent too much data. Contact http://<%= @domain %>/tickets/new if this is in error. ERROR:SENDSIZE) -- cgit v1.2.3 From 543fd8cbacf66e4ce44b6761d130e3109f308d02 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 16 Nov 2015 15:15:10 +0100 Subject: [feat] Remove redundant nagios check for mx procs leap_cli integrates a check for running mx procs already, which is also integrated into nagios (called "Mx/Are_MX_daemons_running") --- puppet/modules/site_check_mk/manifests/agent/mx.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp index 98757b59..20cbcade 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mx.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp @@ -1,3 +1,4 @@ +# check check_mk agent checks for mx service class site_check_mk::agent::mx { # watch logs 
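Review bot: The new header comment `# check check_mk agent checks for mx service` repeats "check" and reads as a typo; `# check_mk agent checks for the mx service` says the same thing cleanly. The class body continues into the next hunk.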
@@ -6,13 +7,13 @@ class site_check_mk::agent::mx { } # local nagios plugin checks via mrpe + # removed because leap_cli integrates a check for running mx procs already, + # which is also integrated into nagios (called "Mx/Are_MX_daemons_running") augeas { 'Leap_MX_Procs': incl => '/etc/check_mk/mrpe.cfg', lens => 'Spacevars.lns', - changes => [ - 'rm /files/etc/check_mk/mrpe.cfg/Leap_MX_Procs', - 'set Leap_MX_Procs \'/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a "/usr/bin/python /usr/bin/twistd --pidfile=/var/run/leap_mx.pid --rundir=/var/lib/leap_mx/ --python=/usr/share/app/leap_mx.tac --logfile=/var/log/leap/mx.log"\'' ], + changes => 'rm /files/etc/check_mk/mrpe.cfg/Leap_MX_Procs', require => File['/etc/check_mk/mrpe.cfg']; } -- cgit v1.2.3 From ea12d065ae433b9f67c80578bfa83fcdd8d46443 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Nov 2015 14:52:35 +0100 Subject: [feat] updated submodules to work with jessie - sshd - couchdb - apache - Related: #6920 --- puppet/modules/apache | 2 +- puppet/modules/couchdb | 2 +- puppet/modules/sshd | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apache b/puppet/modules/apache index c3e92a9b..fcd2a84e 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c +Subproject commit fcd2a84e535e5d280d5299a8ff489920e1ea2305 diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index cdde1e17..d4e0579e 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit cdde1e172b3ed2c6c1f203341e75bcef5c3c3491 +Subproject commit d4e0579ec88e999d42c9f4ffd32489396dce63c4 diff --git a/puppet/modules/sshd b/puppet/modules/sshd index 750a4977..943dd94d 160000 --- a/puppet/modules/sshd +++ b/puppet/modules/sshd @@ -1 +1 @@ -Subproject commit 750a497758d94c2f5a6cad23cecc3dbde2d2f92f +Subproject commit 943dd94dfab1de9316a5ed4c0751b36a6c75447a -- cgit v1.2.3 
From 0d8659d2bbcdc2da8481aa1445affc069b61c2e7 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Nov 2015 18:42:01 +0100 Subject: [feat] Release-specific apt sources file for leap - Related: #6920 --- puppet/modules/site_apt/manifests/leap_repo.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 2d4ba0e1..462b2686 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -1,9 +1,11 @@ +# install leap deb repo together with leap-keyring package +# containing the apt signing key class site_apt::leap_repo { $platform = hiera_hash('platform') $major_version = $platform['major_version'] apt::sources_list { 'leap.list': - content => "deb http://deb.leap.se/${major_version} wheezy main\n", + content => "deb http://deb.leap.se/${major_version} ${::lsbdistcodename} main\n", before => Exec[refresh_apt] } -- cgit v1.2.3 From 02b1b484ad9a5d065ceac72b8263b7bcc112c923 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Nov 2015 19:12:59 +0100 Subject: [feat] install couchdb from unstable on jessie - Related: #6920 --- puppet/modules/site_apt/manifests/sid_repo.pp | 11 +++++++++++ puppet/modules/site_couchdb/manifests/master.pp | 5 +++++ 2 files changed, 16 insertions(+) create mode 100644 puppet/modules/site_apt/manifests/sid_repo.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/sid_repo.pp b/puppet/modules/site_apt/manifests/sid_repo.pp new file mode 100644 index 00000000..7c1d8783 --- /dev/null +++ b/puppet/modules/site_apt/manifests/sid_repo.pp 
@@ -0,0 +1,11 @@ +# configure debian unstable aka "sid" +# currently only used for installations that +# use plain couchdb instead of bigcouch +class site_apt::sid_repo { + + apt::sources_list { 'debian_sid.list': + content => "deb http://httpredir.debian.org/debian/ sid main\n", + before => Exec[refresh_apt] + } + +} diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp index 5dab6325..c50ed364 100644 --- a/puppet/modules/site_couchdb/manifests/master.pp +++ b/puppet/modules/site_couchdb/manifests/master.pp @@ -7,5 +7,10 @@ class site_couchdb::master { pwhash_alg => $site_couchdb::couchdb_pwhash_alg } + # couchdb is not available in jessie, and the + # leap deb repo only hosts a wheeyz version. + # we install it therefore from unstable + include site_apt::sid_repo + include site_check_mk::agent::couchdb::master } -- cgit v1.2.3 From fe82eaa1b9e9fa0add343ab8f192a88092d676be Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Nov 2015 19:16:18 +0100 Subject: [feat] Don't manually install compiler packages These packages are a dependency of build-essential and will get installed anyway. - Related: #6920 --- puppet/modules/site_config/manifests/packages/build_essential.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp index 7dfb8b03..8f3b2641 100644 --- a/puppet/modules/site_config/manifests/packages/build_essential.pp +++ b/puppet/modules/site_config/manifests/packages/build_essential.pp @@ -4,8 +4,8 @@ class site_config::packages::build_essential { if !defined(Package['build-essential']) { package { - ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']: + ['build-essential', 'cpp']: ensure => present } } -} \ No newline at end of file +} -- cgit v1.2.3 
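Review bot: `apt::sources_list { 'debian_sid.list': ... }` adds the whole of Debian unstable as a source with no apt pin, so on any node that includes this class every package with a newer version in sid becomes the upgrade candidate, not only couchdb. Pair it with a preferences entry that gives the unstable release a priority below the stable one plus a package-specific higher pin for the couchdb packages, and record that in the header, e.g. `# NOTE: must be paired with an apt pin; without one apt prefers sid for every package`. The comment's scope claim ("only used for installations that use plain couchdb") is enforced only by who includes the class, not by the class itself.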
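Review bot: The new comment misspells the release in `# leap deb repo only hosts a wheeyz version.`; it should read `wheezy`. It would also help to state what is expected to retire this include (a jessie couchdb build in the leap repo), since an unpinned sid source tends to outlive its reason.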
From 24a83a7db1408b6b8956266327ae0823fe07ecc4 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Nov 2015 19:18:11 +0100 Subject: [feat] Provide postfix preseed fix also for jessie --- puppet/modules/site_apt/templates/jessie/postfix.seeds | 1 + 1 file changed, 1 insertion(+) create mode 100644 puppet/modules/site_apt/templates/jessie/postfix.seeds (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/templates/jessie/postfix.seeds b/puppet/modules/site_apt/templates/jessie/postfix.seeds new file mode 100644 index 00000000..1a878ccc --- /dev/null +++ b/puppet/modules/site_apt/templates/jessie/postfix.seeds @@ -0,0 +1 @@ +postfix postfix/main_mailer_type select No configuration -- cgit v1.2.3 From 40455b8d66d2680debfa408de63533e80baee259 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Nov 2015 19:19:33 +0100 Subject: [feat] Query erb variables like puppet 3 needs it - Related: #6920 --- .../site_apache/templates/vhosts.d/common.conf.erb | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 7f9fd5ab..21c3a211 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb 
@@ -1,18 +1,18 @@ - ServerName <%= webapp_domain %> - ServerAlias <%= domain_name %> - ServerAlias <%= domain %> - ServerAlias www.<%= domain %> + ServerName <%= @webapp_domain %> + ServerAlias <%= @domain_name %> + ServerAlias <%= @domain %> + ServerAlias www.<%= @domain %> RewriteEngine On - RewriteRule ^.*$ https://<%= webapp_domain -%>%{REQUEST_URI} [R=permanent,L] + RewriteRule ^.*$ https://<%= @webapp_domain -%>%{REQUEST_URI} [R=permanent,L] CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common - ServerName <%= webapp_domain %> - ServerAlias <%= domain_name %> - ServerAlias <%= domain %> - ServerAlias www.<%= domain %> + ServerName <%= @webapp_domain %> + ServerAlias <%= @domain_name %> + ServerAlias <%= @domain %> + ServerAlias www.<%= @domain %> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLCACertificatePath /etc/ssl/certs @@ -69,4 +69,3 @@ <% end -%> - -- cgit v1.2.3 From 0307cc047f253a18a36a23cb128b862e113bf414 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Nov 2015 13:36:01 +0100 Subject: [bug] [jessie] Don't specify ruby versions because ruby-1.9.3 is not available on jessie. - Related: #6920 --- puppet/modules/site_config/manifests/ruby.pp | 12 +++--------- puppet/modules/site_config/manifests/ruby/dev.pp | 2 +- 2 files changed, 4 insertions(+), 10 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp index 2a720114..5c13233d 100644 --- a/puppet/modules/site_config/manifests/ruby.pp +++ b/puppet/modules/site_config/manifests/ruby.pp 
@@ -1,14 +1,8 @@ +# install ruby, rubygems and bundler +# configure ruby settings common to all servers class site_config::ruby { Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - class { '::ruby': ruby_version => '1.9.3' } + class { '::ruby': } class { 'bundler::install': install_method => 'package' } include rubygems } - - -# -# Ruby settings common to all servers -# -# Why this way? So that other classes can do 'include site_ruby' without creating redeclaration errors. -# See https://puppetlabs.com/blog/modeling-class-composition-with-parameterized-classes/ -# diff --git a/puppet/modules/site_config/manifests/ruby/dev.pp b/puppet/modules/site_config/manifests/ruby/dev.pp index 3ea6ca96..e6eb2f8a 100644 --- a/puppet/modules/site_config/manifests/ruby/dev.pp +++ b/puppet/modules/site_config/manifests/ruby/dev.pp @@ -1,6 +1,6 @@ +# install ruby dev packages needed for building some gems class site_config::ruby::dev inherits site_config::ruby { Class['::ruby'] { - ruby_version => '1.9.3', install_dev => true } # building gems locally probably requires build-essential and gcc: -- cgit v1.2.3 From 741bf02b5fabbba35b5cd34437b75eade5fe5dc4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Nov 2015 13:51:21 +0100 Subject: [bug] [jessie] template functions need an array from https://docs.puppetlabs.com/puppet/latest/reference/lang_template_erb.html#calling-puppet-functions-from-templates: "The arguments of the function must be provided as an array, even if there is only one argument." This is a hard requirement in puppet 3 now. - Related: #6920 --- puppet/modules/site_webapp/templates/config.yml.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 19ed6b7b..c2e9f3df 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb 
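Review bot: The removed trailer comment carried the only explanation of why the parameterized `::ruby` and `bundler::install` classes are declared here (so other classes can `include` this one without redeclaration errors, with a link to the rationale), and the new two-line header does not preserve it. Keep that why in the header, e.g. `# parameterized classes are declared only here so other classes can 'include site_config::ruby' without redeclaration errors`. The `Class[Ruby] -> Class[rubygems] -> Class[bundler::install]` chain would also merit a word on why rubygems must precede bundler.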
@@ -1,4 +1,4 @@ -<%- +<% cert_options = @webapp['client_certificates'] production = { "admins" => @webapp['admins'], @@ -32,4 +32,4 @@ end # # This file is generated by puppet. This file inherits from defaults.yml. # -<%= scope.function_sorted_yaml({"production" => production}) %> +<%= scope.function_sorted_yaml([{"production" => production}]) %> -- cgit v1.2.3 From 20dd8f27004a5dac0ad68113f4b8038cb34bc791 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Nov 2015 21:13:31 +0100 Subject: [bug] [jessie] Load needed modules for apache 2.4 - Related: #6920 --- puppet/modules/site_apache/manifests/common.pp | 20 +++++++++++++++++++- puppet/modules/site_apache/manifests/module/alias.pp | 5 ----- .../modules/site_apache/manifests/module/expires.pp | 4 ---- .../modules/site_apache/manifests/module/headers.pp | 5 ----- .../modules/site_apache/manifests/module/removeip.pp | 5 ----- .../modules/site_apache/manifests/module/rewrite.pp | 5 ----- puppet/modules/site_nagios/manifests/server.pp | 2 +- .../modules/site_nagios/manifests/server/apache.pp | 18 ++++++++++++++++++ puppet/modules/site_webapp/manifests/apache.pp | 9 +++++---- .../modules/site_webapp/manifests/hidden_service.pp | 8 ++++---- 10 files changed, 47 insertions(+), 34 deletions(-) delete mode 100644 puppet/modules/site_apache/manifests/module/alias.pp delete mode 100644 puppet/modules/site_apache/manifests/module/expires.pp delete mode 100644 puppet/modules/site_apache/manifests/module/headers.pp delete mode 100644 puppet/modules/site_apache/manifests/module/removeip.pp delete mode 100644 puppet/modules/site_apache/manifests/module/rewrite.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 64beb231..6d63f5e1 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp 
@@ -1,8 +1,26 @@ +# install basic apache modules needed for all services (nagios, webapp) class site_apache::common { - include site_apache::module::rewrite + include apache::module::rewrite + include apache::module::env class { '::apache': no_default_site => true, ssl => true } + # needed for the mod_ssl config + include apache::module::mime + + # load mods depending on apache version + if ( versioncmp($::apache_version, '2.4') >= 0 ) { + # apache >= 2.4, debian jessie + # needed for mod_ssl config + include apache::module::socache_shmcb + # generally needed + include apache::module::mpm_prefork + } else { + # apache < 2.4, debian wheezy + # for "Order" directive, i.e. main apache2.conf + include apache::module::authz_host + } + include site_apache::common::tls } diff --git a/puppet/modules/site_apache/manifests/module/alias.pp b/puppet/modules/site_apache/manifests/module/alias.pp deleted file mode 100644 index c1f5e185..00000000 --- a/puppet/modules/site_apache/manifests/module/alias.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::alias ( $ensure = present ) -{ - - apache::module { 'alias': ensure => $ensure } -} diff --git a/puppet/modules/site_apache/manifests/module/expires.pp b/puppet/modules/site_apache/manifests/module/expires.pp deleted file mode 100644 index f73a5607..00000000 --- a/puppet/modules/site_apache/manifests/module/expires.pp +++ /dev/null @@ -1,4 +0,0 @@ -class site_apache::module::expires ( $ensure = present ) -{ - apache::module { 'expires': ensure => $ensure } -} diff --git a/puppet/modules/site_apache/manifests/module/headers.pp b/puppet/modules/site_apache/manifests/module/headers.pp deleted file mode 100644 index f7caa28c..00000000 --- a/puppet/modules/site_apache/manifests/module/headers.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::headers ( $ensure = present ) -{ - - apache::module {'headers': ensure => $ensure } -} 
diff --git a/puppet/modules/site_apache/manifests/module/removeip.pp b/puppet/modules/site_apache/manifests/module/removeip.pp deleted file mode 100644 index f106167a..00000000 --- a/puppet/modules/site_apache/manifests/module/removeip.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::removeip ( $ensure = present ) -{ - package { 'libapache2-mod-removeip': ensure => $ensure } - apache::module { 'removeip': ensure => $ensure } -} diff --git a/puppet/modules/site_apache/manifests/module/rewrite.pp b/puppet/modules/site_apache/manifests/module/rewrite.pp deleted file mode 100644 index 7ad00a0c..00000000 --- a/puppet/modules/site_apache/manifests/module/rewrite.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::rewrite ( $ensure = present ) -{ - - apache::module { 'rewrite': ensure => $ensure } -} diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 60a471b7..5c833508 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -33,7 +33,7 @@ class site_nagios::server inherits nagios::base { include site_apache::common include site_webapp::common_vhost - include site_apache::module::headers + include apache::module::headers File ['nagios_htpasswd'] { source => undef, diff --git a/puppet/modules/site_nagios/manifests/server/apache.pp b/puppet/modules/site_nagios/manifests/server/apache.pp index 8dbc7e9b..7de477cd 100644 --- a/puppet/modules/site_nagios/manifests/server/apache.pp +++ b/puppet/modules/site_nagios/manifests/server/apache.pp 
@@ -1,7 +1,25 @@ +# set up apache for nagios class site_nagios::server::apache { + include x509::variables + include site_config::x509::commercial::cert include site_config::x509::commercial::key include site_config::x509::commercial::ca + include apache::module::authn_file + # "AuthUserFile" + include apache::module::authz_user + # "AuthType Basic" + include apache::module::auth_basic + # "DirectoryIndex" + include apache::module::dir + include apache::module::php5 + include apache::module::cgi + + # apache >= 2.4, debian jessie + if ( versioncmp($::apache_version, '2.4') >= 0 ) { + include apache::module::authn_core + } + } diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index ddd04a91..80c7b29b 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -1,3 +1,4 @@ +# configure apache and passenger to serve the webapp class site_webapp::apache { $web_api = hiera('api') @@ -11,10 +12,10 @@ class site_webapp::apache { $webapp_domain = $webapp['domain'] include site_apache::common - include site_apache::module::headers - include site_apache::module::alias - include site_apache::module::expires - include site_apache::module::removeip + include apache::module::headers + include apache::module::alias + include apache::module::expires + include apache::module::removeip include site_webapp::common_vhost class { 'passenger': use_munin => false } diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 99a756ca..4cf7a8ca 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp 
@@ -4,10 +4,10 @@ class site_webapp::hidden_service { $tor_domain = "${hidden_service['address']}.onion" include site_apache::common - include site_apache::module::headers - include site_apache::module::alias - include site_apache::module::expires - include site_apache::module::removeip + include apache::module::headers + include apache::module::alias + include apache::module::expires + include apache::module::removeip include tor::daemon tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' } -- cgit v1.2.3 From e433b14fa14837f9889e08cb662bf29498179237 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Nov 2015 22:43:42 +0100 Subject: [bug] [jessie] Allow apache to access webapp dir - Resolves: #7580 --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 6 ++++++ puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 6 ++++++ 2 files changed, 12 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 0396f54b..a54112f8 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -27,6 +27,12 @@ Listen 0.0.0.0:<%= api_port %> DocumentRoot /srv/leap/webapp/public + <% if Gem::Version.new(@apache_version) > Gem::Version.new('2.3') %> + + AllowOverride None + Require all granted + + <% end %> # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 21c3a211..cbb08c30 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb 
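Review bot: The new `<% if Gem::Version.new(@apache_version) > Gem::Version.new('2.3') %>` guard keys the `Require all granted` block on `@apache_version`, and a later commit in this series (the one switching common.pp to `$::lsbdistcodename`) states that this fact is empty on a fresh install because apache is not yet installed when facts are gathered; `Gem::Version.new` treats an empty string as version 0, so a first run on apache 2.4 would render no access grant and the document root would be denied. The same guard appears in the common.conf.erb hunk that follows. Using the release fact the manifests settled on, `<% if @lsbdistcodename == 'jessie' %>`, or passing the decision in from the manifest, keeps the templates and the manifests consistent.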
@@ -32,6 +32,12 @@ <% if (defined? @services) and (@services.include? 'webapp') -%> DocumentRoot /srv/leap/webapp/public + <% if Gem::Version.new(@apache_version) > Gem::Version.new('2.3') %> + + AllowOverride None + Require all granted + + <% end %> RewriteEngine On # Check for maintenance file and redirect all requests -- cgit v1.2.3 From dc035701e86385e8593630230bb2a5bef7ddf0e6 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 6 Nov 2015 12:23:51 +0100 Subject: [bug] fix check_mk on jessie - Related: #6920 --- puppet/modules/site_check_mk/manifests/server.pp | 13 +++++++++++++ puppet/modules/site_check_mk/templates/use_ssh.mk | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 57f68d3e..0159a050 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -17,6 +17,19 @@ class site_check_mk::server { ensure => installed, } + # we don't use check-mk-multisite, and the jessie version + # of this config file breaks with apache 2.4 + # until https://gitlab.com/shared-puppet-modules-group/apache/issues/11 + # is not fixed, we need to use a generic file type here + #apache::config::global { 'check-mk-multisite.conf': + # ensure => absent + #} + + file { '/etc/apache2/conf-enabled/check-mk-multisite.conf': + ensure => absent, + require => Package['check-mk-server']; + } + # override paths to use the system check_mk rather than OMD class { 'check_mk::config': site => '', diff --git a/puppet/modules/site_check_mk/templates/use_ssh.mk b/puppet/modules/site_check_mk/templates/use_ssh.mk index 0bebebcf..55269536 100644 --- a/puppet/modules/site_check_mk/templates/use_ssh.mk +++ b/puppet/modules/site_check_mk/templates/use_ssh.mk 
@@ -1,6 +1,6 @@ # http://mathias-kettner.de/checkmk_datasource_programs.html datasource_programs = [ -<% nagios_hosts.sort.each do |name,config| %> +<% @nagios_hosts.sort.each do |name,config| %> ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa -p <%=config['ssh_port']%> <%=config['domain_internal']%> check_mk_agent", [ "<%=config['domain_internal']%>" ], ),<%- end -%> ] -- cgit v1.2.3 From 5e78892e07d94d3d3da8d97fef9d67a15297070d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 16 Nov 2015 13:46:35 +0100 Subject: [bug] use $lsbdistcodename to query apache version Using $::apache_version won't work because the facts are evaluated before compiling the catalog and with this, before the installation of apache. so on an install from scratch, this fact won't contain anything. --- puppet/modules/site_apache/manifests/common.pp | 2 +- puppet/modules/site_nagios/manifests/server/apache.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 6d63f5e1..dadf7ea5 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp @@ -10,7 +10,7 @@ class site_apache::common { include apache::module::mime # load mods depending on apache version - if ( versioncmp($::apache_version, '2.4') >= 0 ) { + if ( $::lsbdistcodename == 'jessie' ) { # apache >= 2.4, debian jessie # needed for mod_ssl config include apache::module::socache_shmcb diff --git a/puppet/modules/site_nagios/manifests/server/apache.pp b/puppet/modules/site_nagios/manifests/server/apache.pp index 7de477cd..82962e89 100644 --- a/puppet/modules/site_nagios/manifests/server/apache.pp +++ b/puppet/modules/site_nagios/manifests/server/apache.pp 
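Review bot: `if ( $::lsbdistcodename == 'jessie' )` pins the apache-2.4 branch to a single codename, so the next Debian release will silently take the `apache < 2.4` path and load `authz_host` instead of `socache_shmcb`/`mpm_prefork`; the nagios apache.pp hunk that follows has the same test. A numeric comparison such as `if ( versioncmp($::lsbdistrelease, '8') >= 0 )` keeps the intent of "2.4 or newer" while still avoiding the uninstalled-apache fact problem the commit message describes, assuming the lsb facts are present (the hunk already relies on them).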
@@ -18,7 +18,7 @@ class site_nagios::server::apache { include apache::module::cgi # apache >= 2.4, debian jessie - if ( versioncmp($::apache_version, '2.4') >= 0 ) { + if ( $::lsbdistcodename == 'jessie' ) { include apache::module::authn_core } -- cgit v1.2.3 From 16a7a2745d30b92a5a45102eb05dac20fdaf0d0b Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 9 Nov 2015 16:53:09 +0100 Subject: [deprec] Update subm. for puppet3 deprec warns - sshd - haproxy - unbound --- puppet/modules/haproxy | 2 +- puppet/modules/sshd | 2 +- puppet/modules/unbound | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/haproxy b/puppet/modules/haproxy index b398f3cb..af322a73 160000 --- a/puppet/modules/haproxy +++ b/puppet/modules/haproxy @@ -1 +1 @@ -Subproject commit b398f3cb0a67d1170d0564a3f03977f9a08c2b6c +Subproject commit af322a73c013f80a958ab7d5d31d0c75cf6d0523 diff --git a/puppet/modules/sshd b/puppet/modules/sshd index 943dd94d..76f4f872 160000 --- a/puppet/modules/sshd +++ b/puppet/modules/sshd @@ -1 +1 @@ -Subproject commit 943dd94dfab1de9316a5ed4c0751b36a6c75447a +Subproject commit 76f4f872f81209a52df2205fd88b5619df58f003 diff --git a/puppet/modules/unbound b/puppet/modules/unbound index 9997485b..a26b91df 160000 --- a/puppet/modules/unbound +++ b/puppet/modules/unbound @@ -1 +1 @@ -Subproject commit 9997485b8a31abbe0cd1943d09995705c2c8146a +Subproject commit a26b91dfea3189e6777629fa00d54f51dc41f4d4 -- cgit v1.2.3 From d3501d3e81a4a31248829a59ae68a15da4034bf8 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 9 Nov 2015 10:21:54 +0100 Subject: [deprec] use @ in front of erb template tags Puppet 3 shows now deprecation warnings if the "@" is missing. see https://docs.puppetlabs.com/puppet/latest/reference/lang_template_erb.html#non-printing-tags#[bug|feat|docs|style|refactor|test|pkg|i18n] --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 10 +++++----- puppet/modules/site_apt/templates/secondary.list | 2 +- puppet/modules/site_postfix/templates/checks/helo_access.erb | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index a54112f8..9efc6b41 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -1,14 +1,14 @@ - ServerName <%= api_domain %> + ServerName <%= @api_domain %> RewriteEngine On - RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L] + RewriteRule ^.*$ https://<%= @api_domain -%>:<%= @api_port -%>%{REQUEST_URI} [R=permanent,L] CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common -Listen 0.0.0.0:<%= api_port %> +Listen 0.0.0.0:<%= @api_port %> -> - ServerName <%= api_domain %> +> + ServerName <%= @api_domain %> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLCACertificatePath /etc/ssl/certs diff --git a/puppet/modules/site_apt/templates/secondary.list b/puppet/modules/site_apt/templates/secondary.list index 41334b0b..0c024549 100644 --- a/puppet/modules/site_apt/templates/secondary.list +++ b/puppet/modules/site_apt/templates/secondary.list @@ -1,3 +1,3 @@ # basic -deb http://ftp.debian.org/debian/ <%= lsbdistcodename %> main contrib non-free +deb http://ftp.debian.org/debian/ <%= @lsbdistcodename %> main contrib non-free 
diff --git a/puppet/modules/site_postfix/templates/checks/helo_access.erb b/puppet/modules/site_postfix/templates/checks/helo_access.erb index bef3c11d..bac2c45a 100644 --- a/puppet/modules/site_postfix/templates/checks/helo_access.erb +++ b/puppet/modules/site_postfix/templates/checks/helo_access.erb @@ -18,4 +18,4 @@ # Reject anybody that HELO's as being in our own domain(s) # anyone who identifies themselves as us is a virus/spammer -<%= domain %> 554 You are not in domain <%= domain %> +<%= @domain %> 554 You are not in domain <%= @domain %> -- cgit v1.2.3 From 41a8b76828d4dfa6345a6a04f9f68621fb46fcd7 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 9 Nov 2015 17:12:00 +0100 Subject: [bug] Don't limit sshd KexAlgorithms - #7591 Net::SSH::Exception: could not settle on kex algorithm We need to disable the ssh hardened mode, because it will not work together with the net-ssh gem leap_cli is pinned to. All other options that would be included by this parameter are included by '$::sshd::tail_additional_options'. --- puppet/modules/site_sshd/manifests/init.pp | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 170be32c..e92a6af7 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,3 +1,4 @@ +# configures sshd, mosh, authorized keys and known hosts class site_sshd { $ssh = hiera_hash('ssh') $ssh_config = $ssh['config'] 
@@ -53,12 +54,20 @@ class site_sshd { ## SSHD SERVER CONFIGURATION ## class { '::sshd': - manage_nagios => false, - ports => [ $ssh['port'] ], - use_pam => 'yes', - hardened_ssl => 'yes', - print_motd => 'no', - tcp_forwarding => $ssh_config['AllowTcpForwarding'], - manage_client => false + manage_nagios => false, + ports => [ $ssh['port'] ], + use_pam => 'yes', + print_motd => 'no', + tcp_forwarding => $ssh_config['AllowTcpForwarding'], + manage_client => false, + use_storedconfigs => true, + # we cannot use the 'hardened' parameter because leap_cli uses an + # old net-ssh gem that is incompatible with the included + # "KexAlgorithms curve25519-sha256@libssh.org", + # see https://leap.se/code/issues/7591 + # therefore we don't use it here, but include all other options + # that would be applied by the 'hardened' parameter + tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' } } -- cgit v1.2.3 From a63102f6defab1266b05b3b24f6264a767e0924e Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 18 Nov 2015 12:19:45 +0100 Subject: update design docs for couch from webapp --- .../files/designs/identities/Identity.json | 32 +++++++++++++--------- .../files/designs/messages/Message.json | 12 ++++---- .../site_couchdb/files/designs/tickets/Ticket.json | 24 ++++++++-------- .../site_couchdb/files/designs/users/User.json | 4 +-- 4 files changed, 39 insertions(+), 33 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/files/designs/identities/Identity.json b/puppet/modules/site_couchdb/files/designs/identities/Identity.json index 2ac092ab..b1c567c1 100644 --- a/puppet/modules/site_couchdb/files/designs/identities/Identity.json +++ b/puppet/modules/site_couchdb/files/designs/identities/Identity.json 
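Review bot: Dropping `hardened_ssl => 'yes'` removes more than the curve25519 line the comment names: the new `tail_additional_options` restores Ciphers and MACs but sets no `KexAlgorithms` at all, so sshd falls back to its built-in default list, which on the OpenSSH 6.x releases Debian shipped at the time still offered `diffie-hellman-group1-sha1` and the SHA-1 group exchange (unless the sshd module pins a kex list elsewhere, which I cannot see here). A narrower fix keeps a restricted list the pinned net-ssh can still negotiate, e.g. a third line `KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1` in the same string, with `curve25519-sha256@libssh.org` prepended once leap_cli's gem is upgraded — verify the exact set against that gem before merging. Separately, `use_storedconfigs => true` is introduced without a word in the commit message; if it is unrelated to #7591 it deserves its own commit or a comment, since it presumably changes what the sshd class exports. The enclosing class site_sshd starts outside the hunk.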
@@ -2,27 +2,33 @@ "_id": "_design/Identity", "language": "javascript", "views": { - "by_user_id": { - "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", - "reduce": "_sum" - }, "by_address_and_destination": { "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null) && (doc['destination'] != null)) {\n emit([doc['address'], doc['destination']], 1);\n }\n }\n", "reduce": "_sum" }, - "by_address": { - "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null)) {\n emit(doc['address'], 1);\n }\n }\n", - "reduce": "_sum" + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n" }, - "pgp_key_by_email": { - "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.keys === \"object\") {\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n }\n" + "cert_fingerprints_by_expiry": { + "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.cert_fingerprints === \"object\") {\n for (fp in doc.cert_fingerprints) {\n if (doc.cert_fingerprints.hasOwnProperty(fp)) {\n emit(doc.cert_fingerprints[fp], fp);\n }\n }\n }\n}\n" + }, + "cert_expiry_by_fingerprint": { + "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.cert_fingerprints === \"object\") {\n for (fp in doc.cert_fingerprints) {\n if (doc.cert_fingerprints.hasOwnProperty(fp)) {\n emit(fp, doc.cert_fingerprints[fp]);\n }\n }\n }\n}\n" }, "disabled": { - "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n }\n" + "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n}\n" }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n" + 
"pgp_key_by_email": { + "map": "function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.keys === \"object\") {\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n}\n" + }, + "by_user_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_address": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null)) {\n emit(doc['address'], 1);\n }\n }\n", + "reduce": "_sum" } }, - "couchrest-hash": "e9004d70e26770c621a9667536429a68" + "couchrest-hash": "4a774c3f56122b655a314670403b27e2" } \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/messages/Message.json b/puppet/modules/site_couchdb/files/designs/messages/Message.json index 7bcd74c7..6a48fc4d 100644 --- a/puppet/modules/site_couchdb/files/designs/messages/Message.json +++ b/puppet/modules/site_couchdb/files/designs/messages/Message.json 
@@ -2,17 +2,17 @@ "_id": "_design/Message", "language": "javascript", "views": { - "by_user_ids_to_show_and_created_at": { - "map": "// not using at moment\n// call with something like Message.by_user_ids_to_show_and_created_at.startkey([user_id, start_date]).endkey([user_id,end_date])\nfunction (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit([userId, doc.created_at], 1);\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, "by_user_ids_to_show": { "map": "function (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit(userId, 1);\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" + "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" + }, + "by_user_ids_to_show_and_created_at": { + "map": "// not using at moment\n// call with something like Message.by_user_ids_to_show_and_created_at.startkey([user_id, start_date]).endkey([user_id,end_date])\nfunction (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit([userId, doc.created_at], 1);\n });\n }\n}\n", + "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" }, "all": { "map": " function(doc) {\n if (doc['type'] == 'Message') {\n emit(doc._id, null);\n }\n }\n" } }, - "couchrest-hash": "0967e7cc5bb1e61edc1c085f6f0cecbf" + "couchrest-hash": "ba80168e51015d2678cad88fc6c5b986" } \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json b/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json index 2c9408b8..578f632b 100644 --- a/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json 
+++ b/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json 
@@ -24,27 +24,27 @@ }, "by_includes_post_by_and_is_open_and_created_at": { "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.created_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_includes_post_by_and_is_open_and_updated_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.updated_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_includes_post_by_and_updated_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" + "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" }, "by_includes_post_by": { "map": "// TODO: This view is only used in tests--should we keep it?\nfunction(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit(comment.posted_by, 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" + "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" + }, + 
"by_includes_post_by_and_is_open_and_updated_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.updated_at], 1);\n }\n });\n }\n}\n", + "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" }, "by_includes_post_by_and_created_at": { "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.created_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" + "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" + }, + "by_includes_post_by_and_updated_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n", + "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" }, "all": { "map": " function(doc) {\n if (doc['type'] == 'Ticket') {\n emit(doc._id, null);\n }\n }\n" } }, - "couchrest-hash": "9978e2cbeacbe8622c2a7f103bf8130f" + "couchrest-hash": "b21eaeea8ea66bfda65581b1b7ce06af" } \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/users/User.json b/puppet/modules/site_couchdb/files/designs/users/User.json index 4089ad97..8a82cf4a 100644 --- a/puppet/modules/site_couchdb/files/designs/users/User.json +++ b/puppet/modules/site_couchdb/files/designs/users/User.json 
@@ -11,12 +11,12 @@ }, "by_created_at_and_one_month_warning_not_sent": { "map": "function (doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null) && (doc['one_month_warning_sent'] == null)) {\n emit(doc['created_at'], 1);\n } \n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" + "reduce": " function(key, values, rereduce) {\n return sum(values);\n }\n" }, "by_created_at": { "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", "reduce": "_sum" } }, - "couchrest-hash": "61840ab3ec0f94ef8bbd6dd208db3b70" + "couchrest-hash": "d854607d299887a347e554176cb79e20" } \ No newline at end of file -- cgit v1.2.3 From d146d1525adfe1f08be9df0f72aac389e2370de5 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Nov 2015 00:10:23 +0100 Subject: [bug] Use right sshd Ciphers and MACs for wheezy - Tested: [unstable.bitmask.net] --- puppet/modules/site_sshd/manifests/init.pp | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index e92a6af7..5efd459f 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp 
@@ -50,6 +50,21 @@ class site_sshd { } } + # we cannot use the 'hardened' parameter because leap_cli uses an + # old net-ssh gem that is incompatible with the included + # "KexAlgorithms curve25519-sha256@libssh.org", + # see https://leap.se/code/issues/7591 + # therefore we don't use it here, but include all other options + # that would be applied by the 'hardened' parameter + # not all options are available on wheezy + if ( $::lsbdistcodename == 'wheezy' ) { + $tail_additional_options = 'Ciphers aes256-ctr +MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + } else { + $tail_additional_options = 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' + } + ## ## SSHD SERVER CONFIGURATION ## @@ -61,13 +76,6 @@ class site_sshd { tcp_forwarding => $ssh_config['AllowTcpForwarding'], manage_client => false, use_storedconfigs => true, - # we cannot use the 'hardened' parameter because leap_cli uses an - # old net-ssh gem that is incompatible with the included - # "KexAlgorithms curve25519-sha256@libssh.org", - # see https://leap.se/code/issues/7591 - # therefore we don't use it here, but include all other options - # that would be applied by the 'hardened' parameter - tail_additional_options => 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' + tail_additional_options => $tail_additional_options } } -- cgit v1.2.3 From 36f4b8df0eb9d7d8a9a6fa5d4874d09e9d5c2020 Mon Sep 17 00:00:00 2001 
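Review bot: The non-wheezy branch silently weakens the MAC list compared with the lines the second hunk removes: the encrypt-then-MAC variants (`hmac-sha2-512-etm@openssh.com`, `hmac-sha2-256-etm@openssh.com`) and `umac-128-etm@openssh.com` are gone, while `hmac-ripemd160` — the odd one out, later deprecated upstream — is kept on both branches. Jessie's OpenSSH should support the `-etm` MACs, so if they were dropped for net-ssh compatibility rather than by accident the comment should say so; otherwise prefer `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256` in the `else` branch and drop ripemd160 from the wheezy list as well. The `# not all options are available on wheezy` comment would be more useful naming which ones (`chacha20-poly1305` and `aes256-gcm` need OpenSSH 6.2+, as far as I recall — confirm). The enclosing class site_sshd starts and ends outside the hunk.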
From: varac Date: Thu, 19 Nov 2015 15:06:01 +0100 Subject: [bug] [jessie] Install pnp4nagios deb from stretch Configure the apt class together with "use_next_release => true", so pnp4nagios* packages can get installed from strech. No other package will be upgraded as the apt module pins stretch very low, so that only packages are installed if there are no other sources available. - Resolves: #7604 --- puppet/modules/site_apt/manifests/init.pp | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index cf49f870..635ba975 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -7,11 +7,19 @@ class site_apt { $apt_url_security = $apt_config['security'] $apt_url_backports = $apt_config['backports'] + # needed on jessie hosts for getting pnp4nagios from testing + if ( $::operatingsystemmajrelease == '8' ) { + $use_next_release = true + } else { + $use_next_release = false + } + class { 'apt': - custom_key_dir => 'puppet:///modules/site_apt/keys', - debian_url => $apt_url_basic, - security_url => $apt_url_security, - backports_url => $apt_url_backports + custom_key_dir => 'puppet:///modules/site_apt/keys', + debian_url => $apt_url_basic, + security_url => $apt_url_security, + backports_url => $apt_url_backports, + use_next_release => $use_next_release } # enable http://deb.leap.se debian package repository -- cgit v1.2.3 From 4f858d2e2919f6acea4c1b9de91bd5a594eaa292 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 19 Nov 2015 11:52:31 -0500 Subject: Cleanup old leap mx logs that may appear on some nodes due to how things were logged before Change-Id: Ief95f35ea52a189075c2eda28c00bcc567c464b2 --- puppet/modules/site_config/manifests/remove/files.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'puppet/modules') 
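Review bot: `use_next_release => true` opens the stretch (testing) sources for the whole host, not just for pnp4nagios: the low pin stops upgrades of packages jessie already ships, but any package name absent from jessie — including dependencies pulled in by a later `package` resource — will silently install from testing, which has no Debian security-team coverage. If the apt module provides a preferences snippet, a pin scoped to those packages (`Package: pnp4nagios*` / `Pin: release n=stretch` / `Pin-Priority: 500`) would be the narrower fix; I cannot see the module's interface from here, so confirm which mechanism it offers. At minimum the new comment should state the trade-off, e.g. `# jessie: pnp4nagios* exists only in stretch (testing, no security support); nothing else may be installed from there`. The enclosing class site_apt starts outside the hunk.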
diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp
index 466f50c8..06c26772 100644
--- a/puppet/modules/site_config/manifests/remove/files.pp
+++ b/puppet/modules/site_config/manifests/remove/files.pp
@@ -27,6 +27,13 @@ class site_config::remove::files {
 path => '/var/log/',
 recurse => true,
 matches => 'leap_mx*';
+ # We rotate 5 logs, so we should only have mx.log, mx.log.[1-5], with an
+ # optional .gz suffix. The following will remove any logs that are out
+ # of this range
+ 'leap_mx_rotate':
+ path => '/var/log/leap/',
+ recurse => true,
+ matches => [ 'mx.log.[6-9](.gz)?', 'mx.log.[0-9][0-9]'];
 '/srv/leap/webapp/public/provider.json':;
 '/srv/leap/couchdb/designs/tmp_users':
 recurse => true,
-- cgit v1.2.3 From 6da164bdd235f81d226714e37d52735f5c4cf1e6 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 19 Nov 2015 09:13:08 -0500 Subject: Switch to syslog for leap_mx (#6942) In order to switch to syslog for leap_mx, leap_mx needs to change to log to syslog (#6307 and #6937), and we need to clean up the platform pieces that set the non-syslog options, and rotated log files (#6942). Hopefully, this will solve the leap_mx logrotation issue at the same time (#7058) Change-Id: If68f808a65c24c91231b88d15759809c9e379294
--- puppet/modules/leap_mx/manifests/init.pp | 24 +--------------------- .../modules/site_config/manifests/remove/files.pp | 7 ++++++- 2 files changed, 7 insertions(+), 24 deletions(-) (limited to 'puppet/modules')
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
index 284662d2..5561e326 100644
--- a/puppet/modules/leap_mx/manifests/init.pp
+++ b/puppet/modules/leap_mx/manifests/init.pp
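Review bot: Puppet's `tidy` `matches` parameter takes shell-glob patterns (fnmatch), not regular expressions, so `(.gz)?` in the new `leap_mx_rotate` entry is matched literally and neither `mx.log.6.gz` nor `mx.log.12.gz` is ever removed, although the comment above it promises the `.gz` variants are covered. Spell the suffix out instead: `matches => [ 'mx.log.[6-9]', 'mx.log.[6-9].gz', 'mx.log.[0-9][0-9]', 'mx.log.[0-9][0-9].gz' ];`. With `recurse => true` the globs apply to basenames anywhere under /var/log/leap/, which is presumably intended but worth a word in the comment. The enclosing `tidy` block and class start outside the hunk.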
@@ -41,13 +41,7 @@ class leap_mx { notify => Service['leap-mx']; } - file { '/etc/default/leap_mx': - content => 'LOGFILE=/var/log/leap/mx.log', - owner => 'root', - group => 'root', - mode => '0644', - notify => Service['leap-mx']; - } + leap::logfile { 'mx': } # # LEAP-MX CODE AND DEPENDENCIES @@ -75,20 +69,4 @@ class leap_mx { hasrestart => true, require => [ Package['leap-mx'] ]; } - - augeas { - 'logrotate_mx': - context => '/files/etc/logrotate.d/leap-mx/rule', - changes => [ - 'set file /var/log/leap/mx.log', - 'set rotate 5', - 'set schedule daily', - 'clear nocreate', - 'rm create', - 'rm ifempty', - 'set compress compress', - 'set missingok missingok', - 'set copytruncate copytruncate' - ] - } } diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 06c26772..67171259 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp @@ -11,6 +11,12 @@ class site_config::remove::files { + # Platform 0.8 removals + tidy { + '/etc/default/leap_mx':; + '/etc/logrotate.d/leap-mx':; + } + # # Platform 0.7 removals # @@ -20,7 +26,6 @@ class site_config::remove::files { '/etc/rsyslog.d/99-leap-mx.conf':; '/etc/rsyslog.d/01-webapp.conf':; '/etc/rsyslog.d/50-stunnel.conf':; - '/etc/logrotate.d/mx':; '/etc/logrotate.d/stunnel':; '/var/log/stunnel4/stunnel.log':; 'leap_mx': -- cgit v1.2.3 From 0f7d91b71ce0cb81ef4c0275b54b04f59270801f Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 25 Nov 2015 15:49:34 +0100 Subject: added submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index d4e0579e..83a4d75b 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb 
@@ -1 +1 @@ -Subproject commit d4e0579ec88e999d42c9f4ffd32489396dce63c4 +Subproject commit 83a4d75bf8a480a98ac6fcdc220db59b9133112e -- cgit v1.2.3 From a177dfa537b545bc40c1836f2e0830e36630d22c Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 26 Nov 2015 21:18:29 +0100 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 83a4d75b..016ec713 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 83a4d75bf8a480a98ac6fcdc220db59b9133112e +Subproject commit 016ec71359f6b1b368624c6c94bac2b509791658 -- cgit v1.2.3 From c775799b7aff2417d0032f26ee2d598c764beed3 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 28 Nov 2015 13:41:28 +0100 Subject: updated submoule apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apache b/puppet/modules/apache index fcd2a84e..41815f55 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit fcd2a84e535e5d280d5299a8ff489920e1ea2305 +Subproject commit 41815f55ec7187a75aec4717c78270593f9776de -- cgit v1.2.3 From 7db6ced463338796771d05cdac54c24731ae936f Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 28 Nov 2015 14:06:13 +0100 Subject: [bug] [jessie] register nickserver at systemd - resolves #7614 --- puppet/modules/site_nickserver/manifests/init.pp | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index c2deab0f..47df0946 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp 
@@ -122,6 +122,19 @@ class site_nickserver { require => Vcsrepo['/srv/leap/nickserver']; } + # register initscript at systemd on nodes newer than wheezy + # see https://leap.se/code/issues/7614 + case $::operatingsystemrelease { + /^7.*/: { } + default: { + exec { 'register_systemd_nickserver': + refreshonly => true, + command => '/bin/systemctl enable nickserver', + subscribe => File['/etc/init.d/nickserver']; + } + } + } + service { 'nickserver': ensure => running, enable => true, @@ -129,6 +142,8 @@ class site_nickserver { hasstatus => true, require => [ File['/etc/init.d/nickserver'], + File['/usr/bin/nickserver'], + Exec['register_systemd_nickserver'], Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; -- cgit v1.2.3 From 8c7a2c7d7f84d56f395556aa893d8bb426c24178 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 28 Nov 2015 22:53:21 +0100 Subject: [bug] Don't enable storedconfig in sshd class - Related: #7615 --- puppet/modules/site_sshd/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 5efd459f..be0d3368 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -75,7 +75,7 @@ MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160' print_motd => 'no', tcp_forwarding => $ssh_config['AllowTcpForwarding'], manage_client => false, - use_storedconfigs => true, + use_storedconfigs => false, tail_additional_options => $tail_additional_options } } -- cgit v1.2.3 From 20b2b4cc8ee1e85cf1bc8dfaa4db9fb70dcac72b Mon Sep 17 00:00:00 2001 
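Review bot: `Exec['register_systemd_nickserver']` is declared only in the `default` branch of the new case, but the second hunk adds it unconditionally to the service's `require` list, so on wheezy nodes (the `/^7.*/` branch) catalog compilation should fail with a missing-dependency error. Carry the dependency through a variable assigned in both branches; on wheezy it can simply point at a resource the service already requires. `File['/usr/bin/nickserver']` is also added to the list but is not declared anywhere in these hunks — confirm it exists in the part of the class outside them. Both hunks sit inside class site_nickserver, which starts and ends outside them.
```puppet
  case $::operatingsystemrelease {
    /^7.*/: {
      # no systemd on wheezy: reuse an existing dependency so the
      # require list of the service is valid on every release
      $systemd_dep = File['/etc/init.d/nickserver']
    }
    default: {
      exec { 'register_systemd_nickserver':
        refreshonly => true,
        command     => '/bin/systemctl enable nickserver',
        subscribe   => File['/etc/init.d/nickserver'];
      }
      $systemd_dep = Exec['register_systemd_nickserver']
    }
  }
  # … unchanged: service { 'nickserver': ensure/enable/hasstatus …
    require => [
      File['/etc/init.d/nickserver'],
      File['/usr/bin/nickserver'],
      $systemd_dep,
      # … unchanged: Class['Site_config::X509::*'] entries …
    ];
```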
From: varac Date: Mon, 30 Nov 2015 15:36:41 +0100 Subject: Revert "[feat] install couchdb from unstable on jessie" This reverts commit 02b1b484ad9a5d065ceac72b8263b7bcc112c923. Now that we have a proper couchdb jessie package we don't need to install it from Debian unstable. --- puppet/modules/site_apt/manifests/sid_repo.pp | 11 ----------- puppet/modules/site_couchdb/manifests/master.pp | 5 ----- 2 files changed, 16 deletions(-) delete mode 100644 puppet/modules/site_apt/manifests/sid_repo.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/sid_repo.pp b/puppet/modules/site_apt/manifests/sid_repo.pp deleted file mode 100644 index 7c1d8783..00000000 --- a/puppet/modules/site_apt/manifests/sid_repo.pp +++ /dev/null @@ -1,11 +0,0 @@ -# configure debian unstable aka "sid" -# currently only used for installations that -# use plain couchdb instead of bigcouch -class site_apt::sid_repo { - - apt::sources_list { 'debian_sid.list': - content => "deb http://httpredir.debian.org/debian/ sid main\n", - before => Exec[refresh_apt] - } - -} diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp index c50ed364..5dab6325 100644 --- a/puppet/modules/site_couchdb/manifests/master.pp +++ b/puppet/modules/site_couchdb/manifests/master.pp @@ -7,10 +7,5 @@ class site_couchdb::master { pwhash_alg => $site_couchdb::couchdb_pwhash_alg } - # couchdb is not available in jessie, and the - # leap deb repo only hosts a wheeyz version. - # we install it therefore from unstable - include site_apt::sid_repo - include site_check_mk::agent::couchdb::master } -- cgit v1.2.3 From 1629778659d1e7bf19f14fd42ad675169e88962c Mon Sep 17 00:00:00 2001 
From: Micah Date: Tue, 24 Nov 2015 20:17:55 -0500 Subject: fix site_apache module class names that were renamed (#7636) Change-Id: Iea1242b3c27d92cef7b217006211e57631fd7e62 --- puppet/modules/site_static/manifests/init.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 8df53075..3b95ff13 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -28,10 +28,10 @@ class site_static { } } - include site_apache::module::headers - include site_apache::module::alias - include site_apache::module::expires - include site_apache::module::removeip + include apache::module::headers + include apache::module::alias + include apache::module::expires + include apache::module::removeip include site_apache::common include site_config::ruby::dev -- cgit v1.2.3 From 04269bd8964370aa55cc5a0e47106540a7c335c5 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 24 Nov 2015 21:02:20 -0500 Subject: fix missing apache status module (#7638) Change-Id: I77fa50990b5ae60074c54738e8c19929b486d1d0 --- puppet/modules/site_webapp/manifests/hidden_service.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 4cf7a8ca..efdefd8e 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -8,6 +8,7 @@ class site_webapp::hidden_service { include apache::module::alias include apache::module::expires include apache::module::removeip + include apache::module::status include tor::daemon tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' } -- cgit v1.2.3 From 8a07c4d039eef1b73d9d03d4be215a43b255bfc4 Mon Sep 17 00:00:00 2001 
From: Micah Date: Tue, 24 Nov 2015 21:02:20 -0500 Subject: fix missing apache modules (#7638) Change-Id: I77fa50990b5ae60074c54738e8c19929b486d1d0 --- puppet/modules/site_static/manifests/init.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 3b95ff13..e317f580 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -32,6 +32,8 @@ class site_static { include apache::module::alias include apache::module::expires include apache::module::removeip + include apache::module::dir + include apache::module::negotiation include site_apache::common include site_config::ruby::dev -- cgit v1.2.3 From e15e37d6ed83df62ebdae14d925c6aaab0daf9af Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 1 Dec 2015 09:29:24 +0100 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 016ec713..84b1d857 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 016ec71359f6b1b368624c6c94bac2b509791658 +Subproject commit 84b1d857b0ea8a9987be0748dab9f6a3ddaba94d -- cgit v1.2.3 From c7dff6fbcd368c126fa03d8bb8b3e32e20b7dbc7 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 1 Dec 2015 11:14:01 +0100 Subject: Update submodule postfix --- puppet/modules/postfix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 53572a89..b1875e41 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 53572a8934fe5b0a3a567cdec10664f288923739 +Subproject commit b1875e4143713ee007ce6ceedeef132273a16163 -- cgit v1.2.3 From fc9f820d0cd363e127859af23e20b61eed71dc1e Mon Sep 17 00:00:00 2001 
From: Micah Date: Tue, 24 Nov 2015 15:11:47 -0500 Subject: stop delivering non-existing local user mail to leap-mx (#5431) When mail comes in to the system, a lookup is done to see if it is a valid leap user, if it is, leap_mx now returns something of the form: uuid@deliver.local (see #5959). The virtual_mailbox_domains lists deliver.local, so postfix chooses to deliver to virtual_mailbox_base (/var/mail/vmail) which has been hardcoded to the 'vmail' maildir and user. We want leap related mail and leap aliases to go through the virtual alias system, all the hard-coded universal aliases we want to go through the local system and we don't want these separate. Known domains that are considered 'virtual' will be forwarded or delivered to the vmail user, the rest rejected as unknown recipient, instead of being handed off to leap-mx. Previously, the way this was done is we leaned (too heavily) on the 'luser_relay' postfix configuration which sent anything that wasn't locally configured right to the leap_mx spool. That meant everything went there, including addresses that didn't exist, and leap-mx would then have to process those and bounce them. This removes the 'luser_relay' option, so any address that doesn't resolve properly to either a local address/alias, or a leap address or alias (through tcp lookups on 2424 and 4242) will get bounced as an unknown user. Change-Id: I3c22e9383861b3794dd9adfd7aa6a0cf0a773a18 --- puppet/modules/site_postfix/manifests/mx.pp | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 71d61621..de317205 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
@@ -30,13 +30,25 @@ class site_postfix::mx { 'mailbox_size_limit': value => '0'; 'home_mailbox': - value => 'Maildir/'; + value => ''; + 'virtual_mailbox_domains': + value => 'deliver.local'; + 'virtual_mailbox_base': + value => '/var/mail/vmail'; + 'virtual_mailbox_maps': + value => 'static:Maildir/'; # Note: virtual-aliases map will take precedence over leap_mx # lookup (tcp:localhost) 'virtual_alias_maps': value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242'; 'luser_relay': - value => 'vmail'; + value => ''; + # uid and gid are set to an arbitrary hard-coded value here, this + # must match the 'vmail' user block below + 'virtual_uid_maps': + value => 'static:42424'; + 'virtual_gid_maps': + value => 'static:42424'; 'smtpd_tls_received_header': value => 'yes'; # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls @@ -67,11 +79,19 @@ class site_postfix::mx { # greater verbosity for debugging, take out for production #include site_postfix::debug + # Make the 'vmail' user for leap-mx. This user is where all legitimate, + # non-system mail is delivered so leap-mx can process it. Previously, we let + # the system pick a uid/gid, but we need to know what they are set to in order + # to set the virtual_uid_maps and virtual_gid_maps. Its a bit overkill write a + # fact just for this, so instead we pick arbitrary numbers that seem unlikely + # to be used and then use them in the postfix configuration user { 'vmail': ensure => present, comment => 'Leap Mailspool', home => '/var/mail/vmail', shell => '/bin/false', + uid => '42424', + gid => '42424', managehome => true, } -- cgit v1.2.3 From 375527b1629597e35a6aeeef6c248a8b085abd87 Mon Sep 17 00:00:00 2001 
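Review bot: The new `user { 'vmail': ... gid => '42424' }` in the second hunk names a numeric gid that nothing in this commit creates, so on a host where no group 42424 exists useradd refuses to create the account and the whole class fails. Add a matching `group { 'vmail': ensure => present, gid => '42424' }` and give the user `require => Group['vmail']`, or name a group and let Puppet resolve it. The same literal 42424 is then repeated in `virtual_uid_maps` / `virtual_gid_maps` in the first hunk; one variable interpolated into both places would keep the postfix maps and the account from drifting apart. The `postfix::config` resource that holds the first hunk starts above it.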
From: Micah Date: Tue, 24 Nov 2015 16:03:13 -0500 Subject: Switch from 'vmail' to leap-mx's user/group (#6936, #7639) This change will make sure that the user/group for leap-mx exist, and it changes the mail location from /var/mail/vmail to the more helpful name /var/mail/leap-mx. This change requires: https://github.com/leapcode/leap_mx/pull/78 and it would replace merge request: https://github.com/leapcode/leap_mx/pull/65 and fix https://leap.se/code/issues/6936 and https://leap.se/code/issues/7635 Change-Id: Idbe678dc999e394232c2eeef2b2018d39ab7cc3b --- puppet/modules/leap_mx/manifests/init.pp | 24 ++++++++++++++++------ puppet/modules/leap_mx/templates/mx.conf.erb | 2 +- .../files/agent/local_checks/mx/check_leap_mx.sh | 2 +- puppet/modules/site_postfix/manifests/mx.pp | 24 ++++------------------ 4 files changed, 24 insertions(+), 28 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 5561e326..9c1b9143 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp 
@@ -15,18 +15,29 @@ class leap_mx { # # USER AND GROUP # + # Make the user for leap-mx. This user is where all legitimate, non-system + # mail is delivered so leap-mx can process it. Previously, we let the system + # pick a uid/gid, but we need to know what they are set to in order to set the + # virtual_uid_maps and virtual_gid_maps. Its a bit overkill write a fact just + # for this, so instead we pick arbitrary numbers that seem unlikely to be used + # and then use them in the postfix configuration group { 'leap-mx': ensure => present, + gid => 42424, allowdupe => false; } user { 'leap-mx': - ensure => present, - allowdupe => false, - gid => 'leap-mx', - home => '/etc/leap', - require => Group['leap-mx']; + ensure => present, + comment => 'Leap Mail', + allowdupe => false, + uid => 42424, + gid => 'leap-mx', + home => '/var/mail/leap-mx', + shell => '/bin/false', + managehome => true, + require => Group['leap-mx']; } # @@ -52,7 +63,8 @@ class leap_mx { ensure => $sources['leap-mx']['revision'], require => [ Class['site_apt::preferences::twisted'], - Class['site_apt::leap_repo'] ]; + Class['site_apt::leap_repo'] + User['leap-mx'] ]; 'leap-keymanager': ensure => latest; diff --git a/puppet/modules/leap_mx/templates/mx.conf.erb b/puppet/modules/leap_mx/templates/mx.conf.erb index e05bc150..a2c293c6 100644 --- a/puppet/modules/leap_mx/templates/mx.conf.erb +++ b/puppet/modules/leap_mx/templates/mx.conf.erb @@ -1,5 +1,5 @@ [mail1] -path=/var/mail/vmail/Maildir +path=/var/mail/leap-mx/Maildir recursive=True [couchdb] diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh b/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh index b8687c9a..4711e247 100755 --- a/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh +++ b/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh 
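Review bot: The `require` array in the second hunk loses its separator: on the new side `Class['site_apt::leap_repo']` is followed on the next line by `User['leap-mx'] ];` with no comma, which is a parse error in the package resource; it should read `Class['site_apt::leap_repo'],` then `User['leap-mx'] ];`. In the first hunk the comment says the uid was picked as "unlikely to be used", but with `allowdupe => false` a host that already owns uid or gid 42424 fails here rather than falling back, so the comment should state that this is a hard requirement. The package resource enclosing the second hunk begins above the hunk.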
@@ -12,7 +12,7 @@ STATUS[1]='Warning' STATUS[2]='Critical' CHECKNAME='Leap_MX_Queue' -WATCHDIR='/var/mail/vmail/Maildir/new/' +WATCHDIR='/var/mail/leap-mx/Maildir/new/' total=`find $WATCHDIR -type f -mmin +$MAXAGE | wc -l` diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index de317205..7ec60d49 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -34,17 +34,17 @@ class site_postfix::mx { 'virtual_mailbox_domains': value => 'deliver.local'; 'virtual_mailbox_base': - value => '/var/mail/vmail'; + value => '/var/mail/leap-mx'; 'virtual_mailbox_maps': value => 'static:Maildir/'; - # Note: virtual-aliases map will take precedence over leap_mx + # Note: virtual-aliases map will take precedence over leap-mx # lookup (tcp:localhost) 'virtual_alias_maps': value => 'hash:/etc/postfix/virtual-aliases tcp:localhost:4242'; 'luser_relay': value => ''; # uid and gid are set to an arbitrary hard-coded value here, this - # must match the 'vmail' user block below + # must match the 'leap-mx' user/group 'virtual_uid_maps': value => 'static:42424'; 'virtual_gid_maps': 
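Review bot: `value => 'static:42424'` in the mx.pp hunk now depends on a uid that is defined in a different module (`leap_mx`), and the only thing tying the two together is the comment `must match the 'leap-mx' user/group`; if either side changes, mail is silently delivered under the wrong uid. Expose the number once (for example a variable on the `leap_mx` class, name to be chosen, referenced as `"static:${::leap_mx::<uid-variable>}"`) and interpolate it in both resources. The check_leap_mx.sh hunk is only a path change, but `find $WATCHDIR` on the following context line still expands the value unquoted; `find "$WATCHDIR"` would be safer now that the path is configuration. Both `postfix::config` blocks start outside their hunks.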
@@ -79,22 +79,6 @@ class site_postfix::mx { # greater verbosity for debugging, take out for production #include site_postfix::debug - # Make the 'vmail' user for leap-mx. This user is where all legitimate, - # non-system mail is delivered so leap-mx can process it. Previously, we let - # the system pick a uid/gid, but we need to know what they are set to in order - # to set the virtual_uid_maps and virtual_gid_maps. Its a bit overkill write a - # fact just for this, so instead we pick arbitrary numbers that seem unlikely - # to be used and then use them in the postfix configuration - user { 'vmail': - ensure => present, - comment => 'Leap Mailspool', - home => '/var/mail/vmail', - shell => '/bin/false', - uid => '42424', - gid => '42424', - managehome => true, - } - class { 'postfix': preseed => true, root_mail_recipient => $root_mail_recipient, @@ -114,6 +98,6 @@ clean_smtps unix n - n - 0 cleanup Class['Site_config::X509::Cert'], Class['Site_config::X509::Client_ca::Key'], Class['Site_config::X509::Client_ca::Ca'], - User['vmail'] ] + User['leap-mx'] ] } } -- cgit v1.2.3 From e3d278dda8105c02e9d22cd947631c9cbbe08d17 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 1 Dec 2015 16:40:23 +0100 Subject: Update submodule postfix --- puppet/modules/postfix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/postfix b/puppet/modules/postfix index b1875e41..7981d312 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit b1875e4143713ee007ce6ceedeef132273a16163 +Subproject commit 7981d3124d5ffe05681932db62b08bde0e4ce1df -- cgit v1.2.3 From ef4bb8a2d94352750eae218a37450c5baeadc5a9 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 1 Dec 2015 11:15:23 -0500 Subject: fix missing comma Change-Id: I6ab266ea4f74277f8262653c43f2b3a5a4254a79 --- puppet/modules/leap_mx/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') 
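Review bot: Removing `user { 'vmail': ... }` from the manifest does not remove the account from hosts already deployed with it, and since it holds uid/gid 42424 the `user { 'leap-mx': uid => 42424, allowdupe => false }` introduced in leap_mx/manifests/init.pp will fail with a duplicate-uid error on every upgraded node. A transitional `user { 'vmail': ensure => absent, before => User['leap-mx'] }` (and the matching `group`) handles the migration; mail already sitting under /var/mail/vmail also needs a move or a documented manual step. The `class { 'postfix': ... }` declaration at the end of the first hunk continues past it.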
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 9c1b9143..70d2c2d4 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -63,7 +63,7 @@ class leap_mx { ensure => $sources['leap-mx']['revision'], require => [ Class['site_apt::preferences::twisted'], - Class['site_apt::leap_repo'] + Class['site_apt::leap_repo'], User['leap-mx'] ]; 'leap-keymanager': -- cgit v1.2.3 From 7104664f284485c90647e93d8d0c5feb734fe46b Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 2 Dec 2015 00:39:31 +0100 Subject: Update submodule postfix --- puppet/modules/postfix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 7981d312..3a5ca6c7 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 7981d3124d5ffe05681932db62b08bde0e4ce1df +Subproject commit 3a5ca6c754451405fd0c3efec7dc72bed57f4081 -- cgit v1.2.3 From e2444e41f42cc21796bcc45d0363105893d8a348 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 2 Dec 2015 01:02:55 +0100 Subject: fix nickserver dependency for wheezy --- puppet/modules/site_nickserver/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 47df0946..0e585e10 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -130,7 +130,8 @@ class site_nickserver { exec { 'register_systemd_nickserver': refreshonly => true, command => '/bin/systemctl enable nickserver', - subscribe => File['/etc/init.d/nickserver']; + subscribe => File['/etc/init.d/nickserver'], + before => Service['nickserver']; } } } 
@@ -143,7 +144,6 @@ class site_nickserver { require => [ File['/etc/init.d/nickserver'], File['/usr/bin/nickserver'], - Exec['register_systemd_nickserver'], Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; -- cgit v1.2.3 From 47ff7f7d7e1a991b5a7889870521033ab177e3a6 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 2 Dec 2015 11:49:08 +0100 Subject: [deprec] use @ in front of erb template tags --- puppet/modules/site_sshd/templates/authorized_keys.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb index 69f4d8e6..51bdc5b3 100644 --- a/puppet/modules/site_sshd/templates/authorized_keys.erb +++ b/puppet/modules/site_sshd/templates/authorized_keys.erb @@ -1,7 +1,7 @@ # NOTICE: This file is autogenerated by Puppet # all manually added keys will be overridden -<% keys.sort.each do |user, hash| -%> +<% @keys.sort.each do |user, hash| -%> <% if user == 'monitor' -%> command="/usr/bin/check_mk_agent",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, <%=hash['type']-%> <%=hash['key']%> <%=user%> <% else -%> -- cgit v1.2.3 From 256105ac5641b5b28cb0edff3d7437cf5f6105c7 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 3 Dec 2015 20:12:56 -0500 Subject: Make sure /etc/default and config file are there before service is triggered (#7618) Change-Id: Ib9fa598a94e8fd41329b1c9ed4bb52281bf04992 --- puppet/modules/postfwd/files/postfwd_default | 2 +- puppet/modules/postfwd/manifests/init.pp | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/postfwd/files/postfwd_default b/puppet/modules/postfwd/files/postfwd_default index 79d0e3de..83742e40 100644 --- a/puppet/modules/postfwd/files/postfwd_default +++ b/puppet/modules/postfwd/files/postfwd_default 
@@ -13,7 +13,7 @@ PORT=10040 # run as user postfwd RUNAS="postfw" # Arguments passed on start (--daemon implied) -# RISEUP disable summary and cache-no-size +# disable summary and cache-no-size #ARGS="--summary=600 --cache=600 --cache-rdomain-only --cache-no-size" ARGS="--cache=600 --cache-rdomain-only --no-rulestats" diff --git a/puppet/modules/postfwd/manifests/init.pp b/puppet/modules/postfwd/manifests/init.pp index 1ebc1d53..6db3fa52 100644 --- a/puppet/modules/postfwd/manifests/init.pp +++ b/puppet/modules/postfwd/manifests/init.pp @@ -18,14 +18,15 @@ class postfwd { mode => '0644', owner => root, group => root, - require => Package['postfwd']; + before => Package['postfwd']; '/etc/postfix/postfwd.cf': content => template('postfwd/postfwd.cf.erb'), mode => '0644', owner => root, group => root, - require => Package['postfix']; + require => Package['postfix'], + before => Package['postfwd']; } service { -- cgit v1.2.3 From 58130067510d873cfbfbfbc770bc5a62e832b03f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 7 Dec 2015 14:44:36 +0100 Subject: Update submoule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apt b/puppet/modules/apt index ab90d1d0..e12c5bfd 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit ab90d1d0fe9655d367c637e95dff59e4dbe2dd35 +Subproject commit e12c5bfd6c9ff5d1dc5e14c227e8c15388ecb042 -- cgit v1.2.3 From 40968b97e8a01957667d12fe627a1a194d57be77 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 8 Dec 2015 14:54:33 -0500 Subject: Manage the /var/mail/leap-mx directory to ensure it exists properly and has the right permissions (see #6936) Change-Id: Ib7b86d73197fecfd74b72fe5ff06d1a78d9d4432 --- puppet/modules/leap_mx/manifests/init.pp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'puppet/modules') 
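Review bot: Switching the first file resource to `before => Package['postfwd']` makes Puppet write that file (its title is above the hunk; from the description presumably /etc/default/postfwd) before the package is installed, so if the package ships the same path as a conffile the install sees a pre-existing, differing file and dpkg's conffile handling decides whether it is kept or replaced; that is worth confirming against the package contents rather than assuming. If the goal is only that the service starts with the right configuration, `before => Service['postfwd']` expresses that without racing the package, and the same applies to the `before` added on `/etc/postfix/postfwd.cf`. The `file { ... }` block starts before the hunk.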
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 70d2c2d4..055a57ef 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -40,6 +40,14 @@ class leap_mx { require => Group['leap-mx']; } + file { '/var/mail/leap-mx': + ensure => directory, + owner => 'leap-mx', + group => 'leap-mx', + mode => '0755', + require => User['leap-mx'], + } + # # LEAP-MX CONFIG # -- cgit v1.2.3 From b383a34e7ae0f988bf942bd033d8795bd8ea71ac Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 9 Dec 2015 16:43:26 +0100 Subject: [feat] Remove puppet run stages To reduce complexity, let's get rid of run stages. We used them earlier but they seem to have no purpose anymore. There was two stage leftovers: - `site_config::slow` did an `apt-get dist-upgrade` in the `setup` stage - `site_config::setup` did call the `site_config::hosts` class in the `setup` stage I checked for dependencies to to those resources, and it looks good, i tested by triggering a citest. From https://docs.puppetlabs.com/puppet/latest/reference/lang_run_stages.html#limitations-and-known-issues: ``` Due to these limitations, stages should only be used with the simplest of classes, and only when absolutely necessary. Mass dependencies like package repositories are effectively the only valid use case. ``` --- puppet/modules/site_config/manifests/setup.pp | 8 +++++--- puppet/modules/site_config/manifests/slow.pp | 7 ++++--- 2 files changed, 9 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index b09d0413..dba5fa14 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp 
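Review bot: `mode => '0755'` on /var/mail/leap-mx makes the spool directory world-listable and world-traversable, yet this is where user mail lands before leap-mx processes it; `mode => '0700'` (or `'0750'` if another group must traverse it) keeps it private to its owner. Postfix's virtual delivery agent writes with the uid from `virtual_uid_maps` (42424 here, the same as this owner), so the world bits are not needed for delivery. The later hunk that adds the Maildir subdirectories keeps `'0755'` on this parent while setting `'0700'` below it, so the same change applies there.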
@@ -1,3 +1,7 @@ +# common things to set up on every node +# leftover from the past, where we did two puppetruns +# after another. We should consolidate this into site_config::default +# in the future. class site_config::setup { tag 'leap_base' @@ -13,9 +17,7 @@ class site_config::setup { include stdlib # configure /etc/hosts - class { 'site_config::hosts': - stage => setup, - } + class { 'site_config::hosts': } include site_config::initial_firewall diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp index 94bac88d..3650eb19 100644 --- a/puppet/modules/site_config/manifests/slow.pp +++ b/puppet/modules/site_config/manifests/slow.pp @@ -1,6 +1,7 @@ +# this class is run by default, but can be excluded +# for testing purposes by calling "leap deploy" with +# the "--fast" parameter class site_config::slow { tag 'leap_slow' - class { 'site_apt::dist_upgrade': - stage => setup, - } + class { 'site_apt::dist_upgrade': } } -- cgit v1.2.3 From 7d5b9461958cdb795990459cd0dad29a36e59fdd Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 8 Dec 2015 14:17:11 -0500 Subject: Use client cert fingerprint lookup to determine if the user is allowed to relay mail through us (#3634) Change-Id: I46cf3ffbef4261839c376f4c36a50d9c44eb1374 --- puppet/modules/site_postfix/manifests/mx.pp | 6 ++++++ puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 13 +++++++------ 2 files changed, 13 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 7ec60d49..75378480 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
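Review bot: Dropping `stage => setup` from `class { 'site_apt::dist_upgrade': }` in the slow.pp hunk removes the only ordering visible here that ran the dist-upgrade before main-stage resources, and nothing in this commit adds a `before`/`require` in its place; unless `site_apt::dist_upgrade` declares its own relationships, packages may now be installed before the upgrade and upgraded again in the same run. The same question applies to `class { 'site_config::hosts': }` in setup.pp, which previously populated /etc/hosts before anything else ran. If the ordering was verified, record it in the new header comment, e.g. `# ordering formerly enforced by the setup stage is now provided by <relationship>` with the actual relationship filled in. The `class site_config::setup` body continues past the first hunk.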
@@ -51,6 +51,12 @@ class site_postfix::mx { value => 'static:42424'; 'smtpd_tls_received_header': value => 'yes'; + # the following is needed for matching user's client cert fingerprints to + # enable relaying (#3634) + 'smtpd_tls_fingerprint_digest': + value => 'sha1'; + 'relay_clientcerts': + value => 'tcp:localhost:2424'; # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls # because the satellites need to have a different value 'smtp_tls_security_level': diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 1c3e5c92..f2bd571b 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp 
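Review bot: `'smtpd_tls_fingerprint_digest': value => 'sha1'` selects SHA-1 for a fingerprint that is used as a relay-authorization credential through `relay_clientcerts`; a new deployment should use `value => 'sha256'` unless the fingerprint-map service behind `tcp:localhost:2424` can only produce SHA-1 digests, in which case the comment should say the digest is pinned by that lookup and cannot be changed here alone. Either way the comment should name which side is authoritative so the two are never changed independently. The `postfix::config` resource holding this hunk starts above it.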
@@ -15,13 +15,14 @@ class site_postfix::mx::smtpd_checks { value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_recipient_restrictions': value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; - # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts - # with a lookup on $relay_clientcerts! Right now we are listing the only - # valid CA that client certificates can use in the $smtp_tls_CAfile parameter - # but we cannot cut off a certificate that should no longer be used unless - # we use permit_tls_clientcerts with the $relay_clientcerts lookup + + # permit_tls_clientcerts will lookup client cert fingerprints from the tcp + # lookup on port 2424 (based on what is configured in relay_clientcerts + # paramter, see site_postfix::mx postfix::config resource) to determine + # if a client is allowed to relay mail through us. This enables us to + # disable a user by removing their valid client cert (#3634) 'smtps_recipient_restrictions': - value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtps_helo_restrictions': value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': -- cgit v1.2.3 From 80c01ca0218d97bb6296743e142084b288ff55a9 Mon Sep 17 00:00:00 2001 
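Review bot: `permit_tls_clientcerts` only matches clients whose certificate was verified against the configured CA and whose fingerprint appears in `relay_clientcerts`, so the new restriction depends on the CA and client-certificate request settings that the removed comment mentioned (`smtp_tls_CAfile`) being in place in the other class; a sentence naming that dependency would help the next reader. Also fix the typo in the new comment: `paramter` → `parameter`. The `postfix::config` block continues on both sides of the hunk.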
From: varac Date: Thu, 10 Dec 2015 11:08:26 +0100 Subject: [feat] Add LEAP experimental apt signing key so we can easily use the experimental-0.(8|9) deb repos, which are signed with this key --- .../site_apt/files/keys/leap_experimental_key.asc | 76 ++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 puppet/modules/site_apt/files/keys/leap_experimental_key.asc (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/files/keys/leap_experimental_key.asc b/puppet/modules/site_apt/files/keys/leap_experimental_key.asc new file mode 100644 index 00000000..1baa1a67 --- /dev/null +++ b/puppet/modules/site_apt/files/keys/leap_experimental_key.asc 
@@ -0,0 +1,76 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFRiYXMBEAC/96OXISCU9kndpa7zYedBd4NzXppk1hRPDgGH5Ccl7mFYRaaY +abKOJuilvMThBn2GelFRVXrhFT0K6TVCbrAaLHpb7KGpaxgKY/a+mYCA9BAtYkvR +ru4Xh6VhozI5hDlIDCD5og96d7ymYjVaxiN89ilh4j8TL5Bh4PoCaxIbmxHiVmtM +fIKw9LPAvpViC+8iS+x751plK8NFe4lAbSycWh3AdDfM5wSlUpEa1FwFuilo4Jya +upEY9Uk5qLlNTFTBJmVEwKFXT0swb2o62EzN4LbW7yNC69Ign+G+PCNBiYhIdUKJ +6dPAUexaSAxW6NPf/rdMVHY6tBlx41lzPvnF3ysnsoxKGdoU/Jbri4cIJRikMnzW +GFCJmUdEPkAkkKHgGXCipvrM6Amhmp3Kg5PQUIjRafH9CBo0bsPSordtk/GarMe+ +8fxZ0rjyLN17hsgwWKCWBIBvPAB0UTh22xjNDh4jmehn5ijdjqKatchcEu9MsSPA +l5r0aU+cDLghw6c8TmbqYfOK2nkbwBVkctWjlVohnO1PAOdxwQ0gFoZf3o9QIADg +BsZTy2CZCag9OK0NCiMoO47JoAdQiaFcUAJvjOwncoE3SuyKTtKitENuAmzl7xjY +HNyq72t7TKBJaWqzngnIp2nsJVaZ8Va+7hC/xqRbWoXVrY5mp53xwJQoiwARAQAB +tDZMRUFQIGV4cGVyaW1lbnRhbCBhcmNoaXZlIHNpZ25pbmcga2V5IDxzeXNkZXZA +bGVhcC5zZT6JAj4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJU +70BcBQkET0XnAAoJEIN8GtU2dCnZ37gQALHC4ms+1zqht2rO2WB8mD9Hi8a0hvUm +v94pbsdovb4whZNYwAt9KLjo2COZArj9grpSq0Cu7nrnL01OdZ7spi1sFbrWAsE7 +Fdtx0LceTXcpNgjpQkfBUFxo+tdXnMIGM8ZF4afKRJX4+oVdxqZ0GXwP3fXqcHKk +oEMGtQkCQlORzmhe3q3gQTc4hgut2Z4DihprdF83jTZFCkfuQdlZqx93aOmmNuSZ +0ElE3k1F4D0KSO70BZmxLQQAWdaHOpKX7ABcF6gcRf2IRwZleL5tTecxYAUvcPvy +h9KGRLkxLesCbBrop7k3X+NQUj94reFyTcLrPpzHtoqENrfy49nxJXJRzN5O1YA/ +b9VwcRqICszqydwmHeEPf3GEss3A3maamDnhrw8F7NEB6u7GzV00iH7C+ZHUrirk +Hifiz7u88fsKF8VJh0K9oJiD1IQ8+ctQUNU0ObXRy6bizduKHBgYnNTHzVgUIfzZ +j0IUjH+xpuTrk1Ry1GUtj0rr+qmc+smh7Jw1apSQx8Yr4Dv613IhVe8v/bLsuLDo +tChYLLzrXp02sOKz1jw2LX1YAC3VRm4iQi25CQM3O62MxNep1+oRY6C1PXmINb8z +iuZpSa+lIKqWpu07O0Taevpkg2R95lNdQ3zAF2vAwghSQCPzYqLbX2wHnUESK/5Y +r/VqRDKoJqb4iQI+BBMBAgAoBQJUYmFzAhsDBQkB4TOABgsJCAcDAgYVCAIJCgsE +FgIDAQIeAQIXgAAKCRCDfBrVNnQp2fAhD/4jROIUTlOLxPmYIt9RSAH+aaVQb3Jz +JYYKpU8KCgxNHZ0CJX2IHVs+slR5tpWTCWfRRcy+KDxc89MCpQH0TggIom515VIY +53oc6r4UXjEdWP5QvL2Kq8s/EWNxQ9rTiHlP8PzZcavVgCOm7xHdqtAdRs7hkXLp +5WFxT9GzLXnXROOmV8dfX3P9qc3uHtct9tAaMm7GZOBH0So3a6MhZtiNzSTuuXBf 
+zL88ETTkp8qwFr+ZV5SzvUIkP2CESk4O3YEEz1d+cBEeL/RlTz91aVyB5sEIHtk5 +xAaATRMYxDOW6y3au61R1esWspU35CuJW3y58Mm5wM/EhhNIQBpKawMAlBPxRUag +MF594UkAWJWblnuOzJm5XOXwQpkGfJLgpxxfpi7P5qZagESt8eTeXH8Ljmbi2kPy +4cYX8ZN5tYjkdIJD2IFNYoRoUGWm7peRIV7zxZysojfecsdT0tqOz/i5KQD/kvLM +kLTjpQbF9nUjEXpGEbzzapmveEVmmPar3tEYU41YdDEowqnNm2CLMezXy68FKHsl +VAaY5rftvaWLHHu8Osm8sbzcPDAyHuf//iEUddGfUEOrZY/5FGx3T/NpQODh8BhJ +DSavn8HyX8nV6zOho4sN4psuiCLRiVT/fRfYNOXCZZ4i69mviGE3t7AJbcJdqoS7 +wOfSzvDc+boqQLkCDQRUYmFzARAAuXEBKATEkCyugIsWGocUkAwSzY1qJi3bj0cs +aYiEN7/5+at6bsCLzoLCOLvvvGZk8481B6UaNz3qm5/+w8P0zAGuZb2nI7tZ9nVl +9krRaj4cj9MrFiRe6fMLfxqBSITNWIkGptQc/4RC2wpmUGf+uY05FDZLCyWykK5N ++Qn0SNkxX6dN/aKA60f4tNSwvjDWiClnjalDanJ8xJmTZ9k6Rt+99KYy2auE450n +hGZ08LZdMGtsxQOqDecchNlw1fIRsI81J4x3E7CP8x1ByS0Mp0hWeOagXfKwkNZS +cI5HU2nlKAoPZNUvPJLJU2BlpmTZNeAsvk3SGMuwrxiSKE/4Tf4FLTcnU35MYT/1 +RncJrjG17WJ36tLu/MveEBMpb7lNOpf4sbnC51etA1QPU3Q0f9GsOIh+ZcNFKD1d +9apgzhqpa+3TYArOfJrOpODRrALIuFQXn732QI6phBAMXKGqQ1vKyE0cQRmKqEfE +CPagOdG0vmdSxToifgdGIcN0Xj0KDcI2wqKXIjgAA03KVS4XNeVBmftQqOX6HNCq +lxuzkKQK8B1/wbnhpUKao7TipwofZ8xGpBB7dKYS3iEp+MKvRS6A4f/HXcplCJfC +gS6ZgNCwWVfpW5lCH+8usIP7H+QpYLkclY4s0o3Pr2aA8hc1zXXF8hf5+zUQr1Ot +0RC1KWUAEQEAAYkCJQQYAQIADwUCVGJhcwIbDAUJAeEzgAAKCRCDfBrVNnQp2c3e +D/9aqiwS3irHJu3oQZedbseQ+7Fu9yjflVBD5mvcsqTQ4feCv83As+tYIrNm2vfG +cRZM54evroKnxSXwNm9csp8VMZigyUnLVWMWKZaUwMr5x/5zScQk55jEWJfmRK0j +io7aKiWx+m3DGw4lgidII09OcOt7jfaYaelWFaYJ+OZFMDfOQu/sRepPjbcsOFJj +o/1Y8CS7NZNM3lIWRoyRkS31QeEWZ55pF/R8xr4hyRE6ipqDfREvPk7eFpQXZ4LI +E8q/B1xTs3Njsc0Zhe64NRSoQnmj/BKDnLzMqf+WoZxHiaLa/s9m3FpStOw/INLq +NLY1PK+n1Ih8GQ/t4kBhV1vjAzE4/wjDnpvj4Xttj5/coz1gN3JkJghQvudtz3JI +fcR2YD7cKuhf/S9w0HkpsF3suUNsAWxBiyfyFh4Yg1xuiA8thqONTNFgqI4rdG+4 +Zu9Ji6bQNayAw7P0/7tDCd0JpFMao+/id5eE93dBYds/yik3QSYRr8eYdkI8aISI +6W+ibACAY5fOa06pOsol/HLf4vS16gOJbhG+O0pdZHNlkMmb+lT5orAXmsw1556X +Neb7jnS6qdCYQvomhj75ELPqI0AUnSKp2KQ9BJoq3L6FucobS35TGXT69ynhScZl +KSPYvmUpu7HOpHoZXBqsy6/6e1mbyQZh/dgIBKYnKg4SXokCWgQoAQoARAUCVO9A 
+hz0dA0VuY3J5cHRpb24gY2FwYWJsZSBzdWJrZXkgaXMgbm90IG5lZWRlZCBmb3Ig +YXJjaGl2ZSBzaWduaW5nAAoJEIN8GtU2dCnZAP0P/08/k+GxL4X99qg+DDsnxS43 +1ApDrR8GnDgIZfHWCaf6QummFo3XhRe+heL6SM8+lAFYXGCDhs4jwEjqXSVvdi8Y +mWYUYRiJPUd/y9PBMH4WQjte85cBZJ41t7mnPfDTPfyfEiN6xFtmKhwVgvxhpAWR +U7gxg5T88ZSILaD2XRKUWtzN0E6c+5Won54PR4xclSICInRYAwU903bUDwvdBGSX +ivYklg2zStlqcfuwBSUBRro/GUarWymZFK9FQKRpcw6VwnxoZ9Dz9lkkMti3ZQSY +tGZkA6jUCnGQ7Tlm7Vxg1jbBUB3PSS7nA2vy3iVeww66SH167ByoX5KSZwkWOC42 +OBydH4Lliy+8SaGxXMzddjcZw4Zu4oy1xgiov4B/3elCi1ftvLBF1pTydrtL8Cmu +fpPE2olpqCnubpfG72ZQiV6OQmeDHecxQkQvKb7Zb8osuAcPQydqYdmnI+K+MXhs +mzbhbofzxwOwirt9sDRyMqSoWBY5nohjeNAGhyYxqQYf2g2xo3bX1gAgwdHpD+FY +P+E1bEIPDFcTB6KbJbKspTVQl/TUgM75aa7A4JYhnXh2iImn0sZ+pwEn0qbhfh9f +atzRTdBqNNZrrEenwhUPjOD3vs75sb+7vMOP33iFdL+ioZv9w5+0Wnk72ixJbjyV +0Aajyaaa0eUMFZ1GLalK +=tlXs +-----END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.3 From efed34739df6cafbb5f5e8144aa98a87d96d6924 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Dec 2015 11:16:17 +0100 Subject: [feat] Make leap apt sources url configurable So we can use the experimental-0.8 repo instead of 0.8 i.e. Use this to customize the main LEAP deb url: "sources": { "apt": { "leap": { "basic": "http://deb.leap.se/experimental-0.9" } } } --- puppet/modules/site_apt/manifests/init.pp | 16 +++++++++++----- puppet/modules/site_apt/manifests/leap_repo.pp | 8 +++++++- 2 files changed, 18 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 635ba975..5d177e7f 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp 
@@ -1,11 +1,17 @@ # setup apt on all nodes class site_apt { - $sources = hiera('sources') - $apt_config = $sources['apt'] - $apt_url_basic = $apt_config['basic'] - $apt_url_security = $apt_config['security'] - $apt_url_backports = $apt_config['backports'] + $sources = hiera('sources') + $apt_config = $sources['apt'] + + # debian repo urls + $apt_url_basic = $apt_config['basic'] + $apt_url_security = $apt_config['security'] + $apt_url_backports = $apt_config['backports'] + + # leap repo url + $apt_config_leap = $apt_config['leap'] + $apt_url_leap_basic = $apt_config_leap['basic'] # needed on jessie hosts for getting pnp4nagios from testing if ( $::operatingsystemmajrelease == '8' ) { diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 462b2686..317c2f12 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -4,8 +4,14 @@ class site_apt::leap_repo { $platform = hiera_hash('platform') $major_version = $platform['major_version'] + if $::site_apt::apt_url_leap_basic == '' { + $content = "deb http://deb.leap.se/${major_version} ${::lsbdistcodename} main\n" + } else { + $content = "deb ${::site_apt::apt_url_leap_basic} ${::lsbdistcodename} main\n" + } + apt::sources_list { 'leap.list': - content => "deb http://deb.leap.se/${major_version} ${::lsbdistcodename} main\n", + content => $content, before => Exec[refresh_apt] } -- cgit v1.2.3 From 1f9da0490a3d55831e2b834ab5801c629123d226 Mon Sep 17 00:00:00 2001 
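Review bot: The fallback in leap_repo.pp is keyed on `$::site_apt::apt_url_leap_basic == ''`, but when the 'leap' key is absent from the hiera hash `$apt_config['leap']` is undef and `$apt_config_leap['basic']` in init.pp does not yield an empty string, so the default `deb http://deb.leap.se/${major_version}` branch cannot be reached on providers that set nothing. Guard the lookup, e.g. `$apt_config_leap = pick($apt_config['leap'], {})`, or supply the default at the data layer. The URL is also interpolated into sources.list as-is; rejecting values containing whitespace or newlines (stdlib `validate_re`) would keep a mistyped hiera value from producing extra source lines. Both classes continue beyond their hunks.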
From: varac Date: Thu, 10 Dec 2015 12:30:52 +0100 Subject: [bug] Configure default sources.platform.apt.basic Providing a custom sources.platform.apt.basic value worked with the last commit, but without that the platform would fail. So we provide a default value now in provider_base/common.json, which can get overridden. --- puppet/modules/site_apt/manifests/init.pp | 14 +++++++------- puppet/modules/site_apt/manifests/leap_repo.pp | 8 +------- 2 files changed, 8 insertions(+), 14 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 5d177e7f..c809a837 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,17 +1,17 @@ # setup apt on all nodes class site_apt { - $sources = hiera('sources') - $apt_config = $sources['apt'] + $sources = hiera('sources') + $apt_config = $sources['apt'] # debian repo urls - $apt_url_basic = $apt_config['basic'] - $apt_url_security = $apt_config['security'] - $apt_url_backports = $apt_config['backports'] + $apt_url_basic = $apt_config['basic'] + $apt_url_security = $apt_config['security'] + $apt_url_backports = $apt_config['backports'] # leap repo url - $apt_config_leap = $apt_config['leap'] - $apt_url_leap_basic = $apt_config_leap['basic'] + $platform_sources = $sources['platform'] + $apt_url_platform_basic = $platform_sources['apt']['basic'] # needed on jessie hosts for getting pnp4nagios from testing if ( $::operatingsystemmajrelease == '8' ) { diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index 317c2f12..a1382374 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp 
@@ -4,14 +4,8 @@ class site_apt::leap_repo { $platform = hiera_hash('platform') $major_version = $platform['major_version'] - if $::site_apt::apt_url_leap_basic == '' { - $content = "deb http://deb.leap.se/${major_version} ${::lsbdistcodename} main\n" - } else { - $content = "deb ${::site_apt::apt_url_leap_basic} ${::lsbdistcodename} main\n" - } - apt::sources_list { 'leap.list': - content => $content, + content => "deb ${::site_apt::apt_url_platform_basic} ${::lsbdistcodename} main\n", before => Exec[refresh_apt] } -- cgit v1.2.3 From d7ff99a1e8dfc5665f1bb94bc6bf4b369ea3a1ec Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Dec 2015 17:59:54 +0100 Subject: [feat] Dont remove nfs client on local vagrant nodes --- puppet/modules/site_config/manifests/packages/base.pp | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index c23495fc..b53a9364 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -8,12 +8,18 @@ class site_config::packages::base { } # base set of packages that we want to remove everywhere - package { [ 'acpi', 'eject', 'ftp', - 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', - 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', + package { [ 'acpi', 'eject', 'ftp', 'laptop-detect', 'lpr', + 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', 'x11-utils', 'xterm' ]: ensure => absent; } + + notice($::site_config::params::environment) + if $::site_config::params::environment != 'local' { + package { [ 'nfs-common', 'nfs-kernel-server', 'rpcbind' ]: + ensure => purged; + } + } } -- cgit v1.2.3 From 26ece7a240fe842e5645a47bac86699c5d2bd34c Mon Sep 17 00:00:00 2001 
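Review bot: `notice($::site_config::params::environment)` in the packages/base.pp hunk looks like a debugging leftover; it logs the environment on every agent run and should be dropped (or demoted to `debug()`) before merge. The comparison below it treats an unset environment as non-local and purges the nfs packages, which is the safe direction but worth stating, e.g. `# nfs is kept only on local (vagrant) nodes; anything else, including unset, is purged`. `class site_config::packages::base` starts before the hunk.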
From: varac Date: Sat, 12 Dec 2015 23:55:00 +0100 Subject: [bug] Use guess_apache_version in apache templates The apache_version() fact only works if apache is already installed. So we use the guess_apache_version() function from the apache module to determine which apache version is to be installed. - Resolves: #7681 --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 2 +- .../modules/site_apache/templates/vhosts.d/common.conf.erb | 2 +- .../site_apache/templates/vhosts.d/hidden_service.conf.erb | 12 ++++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 9efc6b41..d566437a 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -27,7 +27,7 @@ Listen 0.0.0.0:<%= @api_port %> DocumentRoot /srv/leap/webapp/public - <% if Gem::Version.new(@apache_version) > Gem::Version.new('2.3') %> + <% if scope.function_guess_apache_version([]) == '2.4' %> AllowOverride None Require all granted diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index cbb08c30..b24d1353 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -32,7 +32,7 @@ <% if (defined? @services) and (@services.include? 'webapp') -%> DocumentRoot /srv/leap/webapp/public - <% if Gem::Version.new(@apache_version) > Gem::Version.new('2.3') %> + <% if scope.function_guess_apache_version([]) == '2.4' %> AllowOverride None Require all granted diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 2c8d5eb5..653664ec 100644 
--- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -8,6 +8,12 @@ <% if (defined? @services) and (@services.include? 'webapp') -%> DocumentRoot /srv/leap/webapp/public + <% if scope.function_guess_apache_version([]) == '2.4' %> + + AllowOverride None + Require all granted + + <% end %> RewriteEngine On # Check for maintenance file and redirect all requests @@ -33,6 +39,12 @@ <% if (defined? @services) and (@services.include? 'static') -%> DocumentRoot "/srv/static/root/public" + <% if scope.function_guess_apache_version([]) == '2.4' %> + + AllowOverride None + Require all granted + + <% end %> AccessFileName .htaccess Alias /provider.json /srv/leap/provider.json -- cgit v1.2.3 From 73624f1e87974ab71b5d8e44073347725e492e5c Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 10 Dec 2015 15:55:57 -0500 Subject: Have leap-mx log with the process name 'leap-mx', but log to /var/log/leap/mx.log, and clean up the files associated with the previous configuration (#7691) Change-Id: Id08c97980292968e8e89f128afb5fa78bda30069 --- puppet/modules/leap_mx/manifests/init.pp | 2 +- puppet/modules/site_config/manifests/remove/files.pp | 10 +++------- 2 files changed, 4 insertions(+), 8 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 055a57ef..5c356315 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -60,7 +60,7 @@ class leap_mx { notify => Service['leap-mx']; } - leap::logfile { 'mx': } + leap::logfile { 'mx': process => 'leap-mx' } # # LEAP-MX CODE AND DEPENDENCIES diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 67171259..077381e1 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp 
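Review bot: The two added `AllowOverride None` / `Require all granted` blocks in hidden_service.conf.erb are the third and fourth copies of the same guarded snippet that api.conf.erb and common.conf.erb carry, with the test `scope.function_guess_apache_version([]) == '2.4'` repeated each time; a shared partial, or a single variable computed once per template, would keep the four from drifting. The container directives around the two inner lines appear blank in this rendering, so the `<Directory>` (or equivalent) lines should be checked in the actual file. Both hunks start and end inside the section.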
@@ -14,7 +14,7 @@ class site_config::remove::files { # Platform 0.8 removals tidy { '/etc/default/leap_mx':; - '/etc/logrotate.d/leap-mx':; + '/etc/logrotate.d/mx':; } # @@ -23,7 +23,6 @@ class site_config::remove::files { tidy { '/etc/rsyslog.d/99-tapicero.conf':; - '/etc/rsyslog.d/99-leap-mx.conf':; '/etc/rsyslog.d/01-webapp.conf':; '/etc/rsyslog.d/50-stunnel.conf':; '/etc/logrotate.d/stunnel':; @@ -32,13 +31,10 @@ class site_config::remove::files { path => '/var/log/', recurse => true, matches => 'leap_mx*'; - # We rotate 5 logs, so we should only have mx.log, mx.log.[1-5], with an - # optional .gz suffix. The following will remove any logs that are out - # of this range - 'leap_mx_rotate': + 'mx': path => '/var/log/leap/', recurse => true, - matches => [ 'mx.log.[6-9](.gz)?', 'mx.log.[0-9][0-9]']; + matches => 'mx.log*'; '/srv/leap/webapp/public/provider.json':; '/srv/leap/couchdb/designs/tmp_users': recurse => true, -- cgit v1.2.3 From 583ce5e8f3b548f17fb3f9a48156edeba381e260 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 10 Dec 2015 15:38:25 -0500 Subject: Make sure /var/mail/leap-mx/Maildir and its associated common maildir directories are managed by the platform (#6936) Change-Id: I1836eb728c0379b6175ae6d54231a6f6a7ae1033 --- puppet/modules/leap_mx/manifests/init.pp | 37 ++++++++++++++++++++++++++------ 1 file changed, 31 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 5c356315..50bc8a18 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp 
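Review bot: The rewritten `'mx'` tidy in the last hunk matches `'mx.log*'` under `/var/log/leap/` with `recurse => true` and neither `age` nor `size`, which as far as I can tell makes Puppet remove every match, including the active `mx.log` that the commit message says leap-mx now writes to, on every run rather than just the leftovers of the old layout. Losing that file also destroys the record of what the MX processed, which matters for incident response. If the aim is only to purge stale rotations, keep a pattern that excludes the live file, e.g. `matches => [ 'mx.log.[6-9](.gz)?', 'mx.log.[0-9][0-9]' ]`, or tidy by `age` instead. The first hunk's tidy of `/etc/logrotate.d/mx` should also be checked against whatever `leap::logfile { 'mx': ... }` creates, since a same-named logrotate file would be created and removed on alternating runs; that resource is not in this hunk.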
@@ -40,12 +40,37 @@ class leap_mx { require => Group['leap-mx']; } - file { '/var/mail/leap-mx': - ensure => directory, - owner => 'leap-mx', - group => 'leap-mx', - mode => '0755', - require => User['leap-mx'], + file { + '/var/mail/leap-mx': + ensure => directory, + owner => 'leap-mx', + group => 'leap-mx', + mode => '0755', + require => User['leap-mx']; + + '/var/mail/leap-mx/Maildir': + ensure => directory, + owner => 'leap-mx', + group => 'leap-mx', + mode => '0700'; + + '/var/mail/leap-mx/Maildir/new': + ensure => directory, + owner => 'leap-mx', + group => 'leap-mx', + mode => '0700'; + + '/var/mail/leap-mx/Maildir/cur': + ensure => directory, + owner => 'leap-mx', + group => 'leap-mx', + mode => '0700'; + + '/var/mail/leap-mx/Maildir/tmp': + ensure => directory, + owner => 'leap-mx', + group => 'leap-mx', + mode => '0700'; } # -- cgit v1.2.3 From 22d6397fb2e71345652a80392cd72d359ece68a4 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 15 Dec 2015 19:23:47 -0500 Subject: add fingerprint map configuration section (#7725) Change-Id: I895c25daca65c19916c47267e61a4f04a6489a84 --- puppet/modules/leap_mx/templates/mx.conf.erb | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/leap_mx/templates/mx.conf.erb b/puppet/modules/leap_mx/templates/mx.conf.erb index a2c293c6..b54b3a86 100644 --- a/puppet/modules/leap_mx/templates/mx.conf.erb +++ b/puppet/modules/leap_mx/templates/mx.conf.erb @@ -13,3 +13,6 @@ port=4242 [check recipient] port=2244 + +[fingerprint map] +port=2424 -- cgit v1.2.3 From 5d0562cfa4d381c4819e88bb6eb825a84083693b Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 17 Dec 2015 15:51:21 -0500 Subject: Make sure values that might get set incorrectly, due to preseed or debconf selections, are set correctly (#7478) Change-Id: I3bd261fd6fe27bbf10b8994ffff9f8b7be5b9de0 --- puppet/modules/site_postfix/manifests/mx.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'puppet/modules') 
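Review bot: The four Maildir entries added in the leap_mx hunk repeat identical `ensure`/`owner`/`group`/`mode` attributes; Puppet accepts an array of titles, so `[ '/var/mail/leap-mx/Maildir', '/var/mail/leap-mx/Maildir/new', '/var/mail/leap-mx/Maildir/cur', '/var/mail/leap-mx/Maildir/tmp' ]:` with a single attribute block says the same thing in a quarter of the lines and keeps the `0700` modes from drifting apart later. The absence of an explicit `require` on the sub-directories looks fine, since Puppet autorequires a file's parent directory and its owner user.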
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 75378480..d456baf3 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -71,6 +71,15 @@ class site_postfix::mx { value => 'unix:/run/clamav/milter.ctl,unix:/var/run/opendkim/opendkim.sock'; 'milter_default_action': value => 'accept'; + # Make sure that the right values are set, these could be set to different + # things on install, depending on preseed or debconf options + # selected (see #7478) + 'relay_transport': + value => 'relay'; + 'default_transport': + value => 'smtp'; + 'mailbox_command': + value => ''; } include site_postfix::mx::smtpd_checks -- cgit v1.2.3 From 14b40366ba6ce03af9b624d27e626bb4ef5b342b Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 23 Dec 2015 15:44:47 +0100 Subject: [bug] Fix leap::cli::install on jessie leap_cli could not get installed from source on jessie --- puppet/modules/leap/manifests/cli/install.pp | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/leap/manifests/cli/install.pp b/puppet/modules/leap/manifests/cli/install.pp index 858bd7da..6a12a4a5 100644 --- a/puppet/modules/leap/manifests/cli/install.pp +++ b/puppet/modules/leap/manifests/cli/install.pp @@ -3,7 +3,20 @@ class leap::cli::install ( $source = false ) { if $source { # needed for building leap_cli from source include ::git - include ::site_config::ruby::dev + include ::rubygems + include ::site_config::packages::build_essential + + class { '::ruby': + install_dev => true + } + + class { 'bundler::install': install_method => 'package' } + + Class[Ruby] -> + Class[rubygems] -> + Class[::site_config::packages::build_essential] -> + Class[bundler::install] + vcsrepo { '/srv/leap/cli': ensure => present, 
@@ -20,8 +33,10 @@ class leap::cli::install ( $source = false ) { exec { 'install_leap_cli': command => '/usr/bin/rake build && /usr/bin/rake install', cwd => '/srv/leap/cli', + user => 'root', + environment => 'USER=root', refreshonly => true, - require => [ Package['ruby-dev'], File['/etc/gemrc'], Package['rake'] ] + require => [ Class[bundler::install] ] } } else { -- cgit v1.2.3 From 4ff763cfec7fbd9db04229c947604a7601d6dcec Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Thu, 31 Dec 2015 11:17:12 +0100 Subject: update postfix module --- puppet/modules/postfix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 3a5ca6c7..969076a8 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 3a5ca6c754451405fd0c3efec7dc72bed57f4081 +Subproject commit 969076a813b88dafd222c413bf6fbabab837eafb -- cgit v1.2.3 From e9d4b594b6030eeb966b7ff18ad608d9f4d295b6 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Fri, 1 Jan 2016 21:48:06 +0100 Subject: revert 4ff763c sorry --- puppet/modules/postfix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 969076a8..3a5ca6c7 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 969076a813b88dafd222c413bf6fbabab837eafb +Subproject commit 3a5ca6c754451405fd0c3efec7dc72bed57f4081 -- cgit v1.2.3 From fe560e3769cb04c03de7ba2a2d40cb3040365156 Mon Sep 17 00:00:00 2001 From: Micah Date: Mon, 4 Jan 2016 16:05:09 -0500 Subject: Fix status module invocation for hidden service enabled webapps (#7776) Change-Id: I101e4c9791102123d4334e1b84a48dacea99ac52 --- puppet/modules/site_webapp/manifests/hidden_service.pp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet/modules') 
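Review bot: `install_leap_cli` now runs `/usr/bin/rake build && /usr/bin/rake install` as root (`user => 'root'`, `environment => 'USER=root'`) on whatever is checked out in `/srv/leap/cli`, so the integrity of the installed CLI rests entirely on the vcsrepo fetch; that resource sits in the previous hunk and whether it pins a `revision` is not visible here. Pinning the checkout to a tag or commit, or at least a comment explaining why an unpinned checkout is acceptable, would make a root-installed gem auditable. `require => [ Class[bundler::install] ]` is a one-element array; `require => Class[bundler::install]` is the conventional form.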
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index efdefd8e..12eb1793 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -8,8 +8,7 @@ class site_webapp::hidden_service { include apache::module::alias include apache::module::expires include apache::module::removeip - include apache::module::status - + include tor::daemon tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' } @@ -33,12 +32,13 @@ class site_webapp::hidden_service { owner => 'debian-tor', group => 'debian-tor', mode => '0600'; - - '/etc/apache2/mods-enabled/status.conf': - ensure => absent, - notify => Service['apache']; } + # it is necessary to zero out the config of the status module + # because we are configuring our own version that is unavailable + # over the hidden service (see: #7456 and #7776) + apache::module { 'status': ensure => present, conf_content => ' ' } + apache::vhost::file { 'hidden_service': content => template('site_apache/vhosts.d/hidden_service.conf.erb'); -- cgit v1.2.3 From 5825513bcd14efd39031ba5cab3613a39c3027ec Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 9 Dec 2015 17:06:59 +0100 Subject: [feat] Remove double run of apt-get update --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 08de31bb..250f4b70 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp 
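Review bot: `apache::module { 'status': ensure => present, conf_content => ' ' }` keeps mod_status loaded with a blank configuration, and the comment above it explains the intent but not why a single space is used rather than `''`; if an empty string would make the define fall back to the packaged `status.conf`, say so, e.g. `# conf_content is a single space: an empty string would reinstate the default status.conf`, or the next reader will "tidy" it. Whether `/server-status` is actually unreachable over the hidden service depends on the vhost template referenced just below, which is outside this hunk, so a pointer to where the handler is restricted would close the loop.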
@@ -3,15 +3,11 @@ class site_apt::dist_upgrade { if $::apt_running == 'true' { fail ('apt-get is running in background - Please wait until it finishes. Exiting.') } else { - exec{'initial_apt_update': - command => '/usr/bin/apt-get update', - refreshonly => false, - timeout => 360, - } exec{'initial_apt_dist_upgrade': command => "/usr/bin/apt-get -q -y -o 'DPkg::Options::=--force-confold' dist-upgrade", refreshonly => false, timeout => 1200, + require => Exec['refresh_apt'] } } } -- cgit v1.2.3 From 3bb37824d5cf1e146a257d14d5cf41d7df3def5d Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 9 Dec 2015 17:13:23 +0100 Subject: [style] Lint site_apt::dist_upgrade --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 250f4b70..40e2dd58 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -1,6 +1,10 @@ +# upgrade all packages class site_apt::dist_upgrade { + # facter returns 'true' as string + # lint:ignore:quoted_booleans if $::apt_running == 'true' { + # lint:endignore fail ('apt-get is running in background - Please wait until it finishes. Exiting.') } else { exec{'initial_apt_dist_upgrade': -- cgit v1.2.3 From 87ae360ea2d101af7c583930dcff378386d41da9 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 6 Jan 2016 11:08:43 +0100 Subject: Update submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apt b/puppet/modules/apt index e12c5bfd..d459567b 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit e12c5bfd6c9ff5d1dc5e14c227e8c15388ecb042 +Subproject commit d459567bf246eee85cd101c2e2f17f451e6230b8 -- cgit v1.2.3 From 986a0ac73585d8f8427c6fa4818cbc662b59cef3 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 7 Jan 2016 14:02:08 +0100 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 84b1d857..b2dada71 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 84b1d857b0ea8a9987be0748dab9f6a3ddaba94d +Subproject commit b2dada713dd3486dec8eaf9bdcd1e223c9297f68 -- cgit v1.2.3 From 1241fb2f62733b8b8b561f9746505f23cd81e3be Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 8 Jan 2016 12:12:07 +0100 Subject: [bug] Make /etc/leap world-readable Under jessie, leap-mx is started by systemd now, not as a forked proc by twistd anymore. Therefore leap-mx (the user the mx proc runs as) needs direct access to it's config file under /etc/leap/mx.conf. Before, twistd would start as root, read the config and then fork an mx proc as unprivileged leap-mx user. - Tested: [quetzal] - Resolves: #7782 --- puppet/modules/site_config/manifests/files.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp index 684d3ad0..d2ef8a98 100644 --- a/puppet/modules/site_config/manifests/files.pp +++ b/puppet/modules/site_config/manifests/files.pp @@ -1,3 +1,4 @@ +# set up core leap files and directories class site_config::files { file { @@ -7,15 +8,15 @@ class site_config::files { group => 'root', mode => '0711'; - '/var/lib/leap': + [ '/etc/leap', '/var/lib/leap']: ensure => directory, - owner => root, + owner => 'root', group => 'root', mode => '0755'; '/var/log/leap': ensure => directory, - owner => root, + owner => 'root', group => 'adm', mode => '0750'; } -- cgit v1.2.3 From 596f689adf3fbeea70107de3d73333e3e2bbf86d Mon Sep 17 00:00:00 2001 
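Review bot: Making `/etc/leap` mode `0755` lets every local account list the directory, which is broader than the stated need (leap-mx reading `/etc/leap/mx.conf`), and the directory mode is only half of the change: the hunk does not show the mode of `mx.conf` or of the other files under `/etc/leap`. If any of those files carry credentials, the narrower fix is to keep them `0600`/`0640` and give `mx.conf` a group the service can use, e.g. `owner => 'root', group => 'leap-mx', mode => '0640'` on the resource that manages it, so the world-readable directory exposes names but not contents. A one-line comment on the `[ '/etc/leap', '/var/lib/leap']` entry stating that per-file modes must stay restrictive would record that expectation for later changes.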
From: varac Date: Fri, 15 Jan 2016 13:03:23 +0100 Subject: linted site_config::syslog --- puppet/modules/site_config/manifests/syslog.pp | 29 ++++++++++++++------------ 1 file changed, 16 insertions(+), 13 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index 83b49c8e..e94ff62f 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -1,3 +1,4 @@ +# configure rsyslog on all nodes class site_config::syslog { include site_apt::preferences::rsyslog @@ -15,12 +16,13 @@ action(type="mmanon" ipv4.bits="32" mode="rewrite")' augeas { 'logrotate_leap_deploy': context => '/files/etc/logrotate.d/leap_deploy/rule', - changes => [ 'set file /var/log/leap/deploy.log', - 'set rotate 5', - 'set size 1M', - 'set compress compress', - 'set missingok missingok', - 'set copytruncate copytruncate' ]; + changes => [ + 'set file /var/log/leap/deploy.log', + 'set rotate 5', + 'set size 1M', + 'set compress compress', + 'set missingok missingok', + 'set copytruncate copytruncate' ]; # NOTE: # the puppet_command script requires the option delaycompress @@ -28,12 +30,13 @@ action(type="mmanon" ipv4.bits="32" mode="rewrite")' 'logrotate_leap_deploy_summary': context => '/files/etc/logrotate.d/leap_deploy_summary/rule', - changes => [ 'set file /var/log/leap/deploy-summary.log', - 'set rotate 5', - 'set size 100k', - 'set delaycompress delaycompress', - 'set compress compress', - 'set missingok missingok', - 'set copytruncate copytruncate' ] + changes => [ + 'set file /var/log/leap/deploy-summary.log', + 'set rotate 5', + 'set size 100k', + 'set delaycompress delaycompress', + 'set compress compress', + 'set missingok missingok', + 'set copytruncate copytruncate' ] } } -- cgit v1.2.3 From 6faf628e191a296777f733e928eb35f573afd648 Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 15 Jan 2016 13:28:34 +0100 Subject: [bug] Only pin rsyslog debs to backports on wheezy - Resolves: #7802 --- puppet/modules/site_config/manifests/remove.pp | 7 +++++++ puppet/modules/site_config/manifests/remove/jessie.pp | 9 +++++++++ puppet/modules/site_config/manifests/syslog.pp | 8 +++++++- 3 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_config/manifests/remove/jessie.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp index b1ad1a2b..443df9c2 100644 --- a/puppet/modules/site_config/manifests/remove.pp +++ b/puppet/modules/site_config/manifests/remove.pp @@ -1,4 +1,11 @@ # remove leftovers from previous deploys class site_config::remove { include site_config::remove::files + + case $::operatingsystemrelease { + /^8.*/: { + include site_config::remove::jessie + } + default: { } + } } diff --git a/puppet/modules/site_config/manifests/remove/jessie.pp b/puppet/modules/site_config/manifests/remove/jessie.pp new file mode 100644 index 00000000..cbeaae05 --- /dev/null +++ b/puppet/modules/site_config/manifests/remove/jessie.pp @@ -0,0 +1,9 @@ +# remove possible leftovers after upgrading from wheezy to jessie +class site_config::remove::jessie { + + tidy { + '/etc/apt/preferences.d/rsyslog_anon_depends': + notify => Exec['refresh_apt']; + } + +} diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index e94ff62f..c397dc15 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp 
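Review bot: `case $::operatingsystemrelease { /^8.*/: ... }` keys a release check on a regex anchored only at the start, so any release string beginning with `8` selects the jessie branch, and the same construct recurs in the syslog.pp hunk of this commit and, with `/^7.*/`, in the openvpn server_config.pp hunk of a later commit. If the supported Facter version provides `$::operatingsystemmajrelease`, `case $::operatingsystemmajrelease { '8': { include site_config::remove::jessie } default: { } }` is exact and easier to read; otherwise `/^8\./` at least anchors on the dot.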
@@ -1,7 +1,13 @@ # configure rsyslog on all nodes class site_config::syslog { - include site_apt::preferences::rsyslog + # only pin rsyslog packages to backports on wheezy + case $::operatingsystemrelease { + /^7.*/: { + include site_apt::preferences::rsyslog + } + default: { } + } class { 'rsyslog::client': log_remote => false, -- cgit v1.2.3 From 428ff11ca95ba91a529dff7ba3a8a40c854aa39b Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 16 Jan 2016 15:27:48 +0100 Subject: [bug] Enable openvpn services on jessie - Tested: [unstable.bitmask.net] - Resolves: #7798 --- puppet/modules/site_openvpn/manifests/server_config.pp | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 221c79a7..d7f6f9eb 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -204,4 +204,17 @@ define site_openvpn::server_config( value => '3', server => $openvpn_configname; } + + # register openvpn services at systemd on nodes newer than wheezy + # see https://leap.se/code/issues/7798 + case $::operatingsystemrelease { + /^7.*/: { } + default: { + exec { "enable_systemd_${openvpn_configname}": + refreshonly => true, + command => "/bin/systemctl enable openvpn@${openvpn_configname}", + subscribe => File["/etc/openvpn/${openvpn_configname}.conf"]; + } + } + } } -- cgit v1.2.3 From ed2f050ca4474089bef9ba57d5d91d49ff37add0 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 19 Jan 2016 11:09:56 -0500 Subject: Ensure curl is installed before it is called (#7803) Change-Id: Iedd464a397e9944159991241cd84caad6a2a40d6 --- puppet/modules/site_config/manifests/remove/tapicero.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet/modules') 
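Review bot: `enable_systemd_${openvpn_configname}` is `refreshonly` and subscribed to `/etc/openvpn/${openvpn_configname}.conf`, so it fires only when that file changes; a node whose config already existed before this commit (for instance one upgraded from wheezy to jessie in place) would never get the unit enabled. Guarding on state instead, `refreshonly => false` with `unless => "/bin/systemctl is-enabled openvpn@${openvpn_configname}"`, or a `service` resource with `enable => true`, makes the result independent of whether the file happened to change. The enclosing `define` starts outside the hunk.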
diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp index 4ce972d0..07c3c6c6 100644 --- a/puppet/modules/site_config/manifests/remove/tapicero.pp +++ b/puppet/modules/site_config/manifests/remove/tapicero.pp @@ -1,6 +1,8 @@ # remove tapicero leftovers from previous deploys on couchdb nodes class site_config::remove::tapicero { + ensure_packages('curl') + # remove tapicero couchdb user $couchdb_config = hiera('couch') $couchdb_mode = $couchdb_config['mode'] @@ -14,7 +16,8 @@ class site_config::remove::tapicero { exec { 'remove_couchdb_user': onlyif => "/usr/bin/curl -s 127.0.0.1:${port}/_users/org.couchdb.user:tapicero | grep -qv 'not_found'", - command => "/usr/local/bin/couch-doc-update --host 127.0.0.1:${port} --db _users --id org.couchdb.user:tapicero --delete" + command => "/usr/local/bin/couch-doc-update --host 127.0.0.1:${port} --db _users --id org.couchdb.user:tapicero --delete", + require => Package['curl'] } -- cgit v1.2.3 From ab536804b671b55d1bec2a03fd0ba1b15d887f66 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 19 Jan 2016 13:24:00 -0500 Subject: Make sure machines in mynetworks are able to send mail through us, without getting blocked by the rbl (#7819) Change-Id: Ib7a00f810b6c49528e5f99a1d83296553a81e65e --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index f2bd571b..0ea452ee 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp 
@@ -6,7 +6,7 @@ class site_postfix::mx::smtpd_checks { 'checks_dir': value => '$config_directory/checks'; 'smtpd_client_restrictions': - value => "${site_postfix::mx::rbls}permit_mynetworks,permit"; + value => "permit_mynetworks,${site_postfix::mx::rbls},permit"; 'smtpd_data_restrictions': value => 'permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': -- cgit v1.2.3 From 935a5e884dc468da2b9ec724638f1c55a8f74e85 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 19 Jan 2016 15:49:50 -0500 Subject: Swiss privacy foundation nameserver is not responding, switch secondary fall-back to an OpenNIC resolver that does not log (#7781) Change-Id: I290321927c8188c82e95e2cd4b93cd01bd2258c2 --- puppet/modules/site_config/manifests/resolvconf.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 05990c67..09f0b405 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -8,7 +8,7 @@ class site_config::resolvconf { nameservers => [ '127.0.0.1 # local caching-only, unbound', '85.214.20.141 # Digitalcourage, a german privacy organisation: (https://en.wikipedia.org/wiki/Digitalcourage)', - '77.109.138.45 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)' + '172.81.176.146 # OpenNIC (https://servers.opennicproject.org/edit.php?srv=ns1.tor.ca.dns.opennic.glue)' ] } } -- cgit v1.2.3 From d5ecb50e4d31fde0792a77d12006a26ef33e8d3f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Jan 2016 11:07:44 +0100 Subject: Ensure openvpn services are running on jessie --- puppet/modules/site_openvpn/manifests/server_config.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet/modules') 
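Review bot: `"permit_mynetworks,${site_postfix::mx::rbls},permit"` adds a comma after the interpolated rbls string, yet the removed line `"${site_postfix::mx::rbls}permit_mynetworks,permit"` joined with no separator at all, which suggests each rbls entry already ends in a comma; the resulting `smtpd_client_restrictions` would then contain `,,` before `permit`. Postfix tolerates empty list items as far as I know, so this is cosmetic, but it is worth confirming with `postconf smtpd_client_restrictions` on a deployed node and dropping the extra comma (`"permit_mynetworks,${site_postfix::mx::rbls}permit"`) if so. Moving `permit_mynetworks` ahead of the RBL lookups means hosts in mynetworks bypass the DNSBL entirely, which is the stated goal; a short comment saying so would stop a later reader from "fixing" the order.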
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index d7f6f9eb..ca9926cc 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -213,7 +213,11 @@ define site_openvpn::server_config( exec { "enable_systemd_${openvpn_configname}": refreshonly => true, command => "/bin/systemctl enable openvpn@${openvpn_configname}", - subscribe => File["/etc/openvpn/${openvpn_configname}.conf"]; + subscribe => File["/etc/openvpn/${openvpn_configname}.conf"], + notify => Service["openvpn@${openvpn_configname}"]; + } + service { "openvpn@${openvpn_configname}": + ensure => running } } } -- cgit v1.2.3 From fb2d35ae441bce0496e274b2339589f5b8f84252 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 19 Jan 2016 16:56:52 -0500 Subject: Make the reject parameter an array to fix the following (#7822): failed to parse template tor/torrc.exit_policy.erb, undefined method `each' for "*:*":String Change-Id: I2b7b444187376dbc2f3cc5095391ae54bf8321b3 --- puppet/modules/site_tor/manifests/disable_exit.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp index 73016646..078f80ae 100644 --- a/puppet/modules/site_tor/manifests/disable_exit.pp +++ b/puppet/modules/site_tor/manifests/disable_exit.pp @@ -1,7 +1,7 @@ class site_tor::disable_exit { tor::daemon::exit_policy { 'no_exit_at_all': - reject => '*:*'; + reject => [ '*:*' ]; } } -- cgit v1.2.3 From d87a8787908fb1c82901d9611a971c9bed0a3907 Mon Sep 17 00:00:00 2001 
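Review bot: The new `service { "openvpn@${openvpn_configname}": ensure => running }` stops short of `enable => true`, which is exactly what the `systemctl enable` exec above it emulates; adding `enable => true` would let Puppet own both the enabled and running state and make the exec and its `notify` unnecessary. As written the two resources overlap (the exec enables on config change, the service starts on every run), so if the exec is kept a comment explaining why both exist would help the next reader.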
From: Micah Date: Tue, 19 Jan 2016 12:01:34 -0500 Subject: Make sure the certs are installed for all smtp tls clients, thus ensuring the satellite hosts are setup properly (#7611) Change-Id: I9dce57c305a6fd6a39596a941174fe1879af5e4f --- puppet/modules/site_postfix/manifests/mx.pp | 7 +++---- puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 4 ++++ puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp | 2 ++ 3 files changed, 9 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index d456baf3..cd493807 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -49,10 +49,9 @@ class site_postfix::mx { value => 'static:42424'; 'virtual_gid_maps': value => 'static:42424'; - 'smtpd_tls_received_header': - value => 'yes'; - # the following is needed for matching user's client cert fingerprints to - # enable relaying (#3634) + # the two following configs are needed for matching user's client cert + # fingerprints to enable relaying (#3634). Satellites do not have + # these configured. 'smtpd_tls_fingerprint_digest': value => 'sha1'; 'relay_clientcerts': diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp index d56f6b54..4eb80dd6 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp 
@@ -2,10 +2,14 @@ class site_postfix::mx::smtp_tls { include site_config::x509::ca include x509::variables + $cert_name = hiera('name') $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" + include site_config::x509::cert + include site_config::x509::key + # smtp TLS postfix::config { 'smtp_use_tls': value => 'yes'; diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp index 0809c75f..9fed3874 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp @@ -12,6 +12,8 @@ class site_postfix::mx::smtpd_tls { 'smtpd_tls_cert_file': value => $cert_path; 'smtpd_tls_key_file': value => $key_path; 'smtpd_tls_ask_ccert': value => 'yes'; + 'smtpd_tls_received_header': + value => 'yes'; 'smtpd_tls_security_level': value => 'may'; 'smtpd_tls_eecdh_grade': -- cgit v1.2.3 From 150579fb14716892cc3e4d7d9c0f81b30d56f03a Mon Sep 17 00:00:00 2001 
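Review bot: The added `$cert_name = hiera('name')` in `site_postfix::mx::smtp_tls` is not referenced by anything in the hunk; the `$cert_path` and `$key_path` lines right below still read `${site_config::params::cert_name}`. Unless another manifest looks up `$site_postfix::mx::smtp_tls::cert_name`, the line should be dropped, and if it is meant to feed `site_config::x509::cert`/`key` that should be stated in a comment, since otherwise a reader will assume the configured paths and the installed certificate could name different files.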
From: varac Date: Mon, 13 Apr 2015 23:16:00 +0200 Subject: restructured site.pp, now only one class gets included in site.pp per service (Bug #6851) Also, moved global Exec{} defaults to site.pp Change-Id: I9ae91b77afde944d2f1312613b9d9030e32239dd --- puppet/modules/site_config/manifests/default.pp | 6 ++---- puppet/modules/site_couchdb/manifests/init.pp | 1 + puppet/modules/site_mx/manifests/init.pp | 1 + puppet/modules/site_nagios/manifests/init.pp | 3 +++ puppet/modules/site_obfsproxy/manifests/init.pp | 1 + puppet/modules/site_openvpn/manifests/init.pp | 4 +++- puppet/modules/site_static/manifests/init.pp | 1 + puppet/modules/site_tor/manifests/init.pp | 1 + puppet/modules/site_webapp/manifests/init.pp | 2 ++ puppet/modules/soledad/manifests/server.pp | 3 +++ 10 files changed, 18 insertions(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 6b10dc19..4e297026 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -2,17 +2,15 @@ class site_config::default { tag 'leap_base' - # the logoutput exec parameter defaults to "on_error" in puppet 3, - # but to "false" in puppet 2.7, so we need to set this globally here - Exec<||> { logoutput => on_failure } - $services = hiera('services', []) $domain_hash = hiera('domain') include site_config::params + include site_config::setup # make sure apt is updated before any packages are installed include apt::update Package { require => Exec['apt_updated'] } + include site_config::packages::uninstall include site_config::slow diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 61aa887e..ea02d1f4 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -50,6 +50,7 @@ class site_couchdb { -> Class['couchdb'] -> Class['site_couchdb::setup'] + include ::site_config::default include site_stunnel include site_couchdb::setup diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 91014ed6..a9b0198b 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,6 +2,7 @@ class site_mx { tag 'leap_service' Class['site_config::default'] -> Class['site_mx'] + include site_config::default include site_config::x509::cert include site_config::x509::key include site_config::x509::ca diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp index 40ae4b86..f91bfc26 100644 --- a/puppet/modules/site_nagios/manifests/init.pp +++ b/puppet/modules/site_nagios/manifests/init.pp @@ -1,6 +1,9 @@ # setup nagios on monitoring node class site_nagios { tag 'leap_service' + + include site_config::default + Class['site_config::default'] -> Class['site_nagios'] include site_nagios::server diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp index 6275ebee..b622588b 100644 --- a/puppet/modules/site_obfsproxy/manifests/init.pp +++ b/puppet/modules/site_obfsproxy/manifests/init.pp @@ -19,6 +19,7 @@ class site_obfsproxy { $bind_address = hiera('ip_address') } + include site_config::default include site_apt::preferences::twisted include site_apt::preferences::obfsproxy diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index ede35a9e..4777464e 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -24,9 +24,11 @@ class site_openvpn { include site_config::x509::key include site_config::x509::ca_bundle - + include site_config::default Class['site_config::default'] -> Class['site_openvpn'] + include ::site_obfsproxy + $openvpn = hiera('openvpn') $openvpn_ports = $openvpn['ports'] $openvpn_config = $openvpn['configuration'] diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index e317f580..76ee6e19 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -1,6 +1,7 @@ class site_static { tag 'leap_service' + include site_config::default include site_config::x509::cert include site_config::x509::key include site_config::x509::ca_bundle diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 80ccc5d3..2207a5a9 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -19,6 +19,7 @@ class site_tor { $openvpn_ports = [] } + include site_config::default include tor::daemon tor::daemon::relay { $nickname: port => 9001, diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 837950a8..4f3147e7 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -21,11 +21,13 @@ class site_webapp { include site_webapp::couchdb include site_haproxy include site_webapp::cron + include site_config::default include site_config::x509::cert include site_config::x509::key include site_config::x509::ca include site_config::x509::client_ca::ca include site_config::x509::client_ca::key + include site_nickserver # remove leftovers from previous installations on webapp nodes include site_config::remove::webapp diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 5c5a1bb7..f46c1eff 100644 
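Review bot: site_openvpn now unconditionally pulls in `include ::site_obfsproxy`, and the site_webapp hunk does the same with `include site_nickserver`, which couples an extra listening service to every openvpn or webapp node even when that node was not configured to offer it. Unless those classes guard themselves on hiera data (the site_obfsproxy hunk above shows a conditional around `$bind_address = hiera('ip_address')`, so they may), this widens the exposed surface of a node beyond what its service list says. A guard keyed on the node's service list, which site_config::default already reads via `hiera('services', [])`, would keep the coupling explicit: `if 'obfsproxy' in hiera('services', []) { include ::site_obfsproxy }`, and likewise for nickserver. Both class bodies continue outside their hunks.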
--- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -1,7 +1,10 @@ # setup soledad-server class soledad::server { tag 'leap_service' + + include site_config::default include soledad::common + include site_apt::preferences::twisted $soledad = hiera('soledad') $couchdb_user = $soledad['couchdb_soledad_user']['username'] -- cgit v1.2.3 From 8d8a64348df0dcca044316f85ee1757cfceb13b4 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 14 Apr 2015 15:26:54 +0200 Subject: Include site_config::params in all x509 subclasses (#6851) After restructuring site.pp to only include site_config::default and the service-specific classes, we got this: Duplicate declaration: X509::Cert[undef] is already declared in file /srv/leap/puppet/modules/site_config/manifests/x509/commercial/cert.pp at line 8; cannot redeclare at /srv/leap/puppet/modules/site_config/manifests/x509/cert.pp:8 on node rewcitestweb1.rewire.org So i included site_config::params in all site_config::x509 clases. Change-Id: Ib8387abfdc68b36c73a45fd2dd1f3a159eaec4a5 --- puppet/modules/site_config/manifests/x509/ca.pp | 2 ++ puppet/modules/site_config/manifests/x509/ca_bundle.pp | 1 + puppet/modules/site_config/manifests/x509/cert.pp | 2 ++ puppet/modules/site_config/manifests/x509/client_ca/ca.pp | 2 ++ puppet/modules/site_config/manifests/x509/client_ca/key.pp | 2 ++ puppet/modules/site_config/manifests/x509/commercial/ca.pp | 2 ++ puppet/modules/site_config/manifests/x509/commercial/cert.pp | 2 ++ puppet/modules/site_config/manifests/x509/commercial/key.pp | 2 ++ puppet/modules/site_config/manifests/x509/key.pp | 2 ++ 9 files changed, 17 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/x509/ca.pp b/puppet/modules/site_config/manifests/x509/ca.pp index b16d0eeb..2880ecaf 100644 --- a/puppet/modules/site_config/manifests/x509/ca.pp +++ b/puppet/modules/site_config/manifests/x509/ca.pp 
@@ -1,5 +1,7 @@ class site_config::x509::ca { + include ::site_config::params + $x509 = hiera('x509') $ca = $x509['ca_cert'] diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp index 4cbe574a..5808e29e 100644 --- a/puppet/modules/site_config/manifests/x509/ca_bundle.pp +++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp @@ -5,6 +5,7 @@ class site_config::x509::ca_bundle { # we will want to be able to smoothly phase out one CA and phase in another. # I tried "--capath" for this, but it did not work. + include ::site_config::params $x509 = hiera('x509') $ca = $x509['ca_cert'] diff --git a/puppet/modules/site_config/manifests/x509/cert.pp b/puppet/modules/site_config/manifests/x509/cert.pp index 7ed42959..7e5a36b9 100644 --- a/puppet/modules/site_config/manifests/x509/cert.pp +++ b/puppet/modules/site_config/manifests/x509/cert.pp @@ -1,5 +1,7 @@ class site_config::x509::cert { + include ::site_config::params + $x509 = hiera('x509') $cert = $x509['cert'] diff --git a/puppet/modules/site_config/manifests/x509/client_ca/ca.pp b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp index 0f313898..3fbafa98 100644 --- a/puppet/modules/site_config/manifests/x509/client_ca/ca.pp +++ b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp @@ -5,6 +5,8 @@ class site_config::x509::client_ca::ca { ## client certificates by the webapp. ## + include ::site_config::params + $x509 = hiera('x509') $cert = $x509['client_ca_cert'] diff --git a/puppet/modules/site_config/manifests/x509/client_ca/key.pp b/puppet/modules/site_config/manifests/x509/client_ca/key.pp index f9ef3f52..0b537e76 100644 --- a/puppet/modules/site_config/manifests/x509/client_ca/key.pp +++ b/puppet/modules/site_config/manifests/x509/client_ca/key.pp 
@@ -5,6 +5,8 @@ class site_config::x509::client_ca::key { ## client certificates by the webapp. ## + include ::site_config::params + $x509 = hiera('x509') $key = $x509['client_ca_key'] diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp index 8f35759f..c76a9dbb 100644 --- a/puppet/modules/site_config/manifests/x509/commercial/ca.pp +++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp @@ -1,5 +1,7 @@ class site_config::x509::commercial::ca { + include ::site_config::params + $x509 = hiera('x509') $ca = $x509['commercial_ca_cert'] diff --git a/puppet/modules/site_config/manifests/x509/commercial/cert.pp b/puppet/modules/site_config/manifests/x509/commercial/cert.pp index 0c71a705..d71d9838 100644 --- a/puppet/modules/site_config/manifests/x509/commercial/cert.pp +++ b/puppet/modules/site_config/manifests/x509/commercial/cert.pp @@ -1,5 +1,7 @@ class site_config::x509::commercial::cert { + include ::site_config::params + $x509 = hiera('x509') $cert = $x509['commercial_cert'] diff --git a/puppet/modules/site_config/manifests/x509/commercial/key.pp b/puppet/modules/site_config/manifests/x509/commercial/key.pp index d32e85ef..2be439fd 100644 --- a/puppet/modules/site_config/manifests/x509/commercial/key.pp +++ b/puppet/modules/site_config/manifests/x509/commercial/key.pp @@ -1,5 +1,7 @@ class site_config::x509::commercial::key { + include ::site_config::params + $x509 = hiera('x509') $key = $x509['commercial_key'] diff --git a/puppet/modules/site_config/manifests/x509/key.pp b/puppet/modules/site_config/manifests/x509/key.pp index 32b59726..448dc6a6 100644 --- a/puppet/modules/site_config/manifests/x509/key.pp +++ b/puppet/modules/site_config/manifests/x509/key.pp @@ -1,5 +1,7 @@ class site_config::x509::key { + include ::site_config::params + $x509 = hiera('x509') $key = $x509['key'] -- cgit v1.2.3 From f5ecaaa1bd7412fc152b41e4cc522cd0dc43cc37 Mon Sep 17 00:00:00 2001 
From: varac Date: Tue, 5 Jan 2016 21:44:30 +0100 Subject: linted puppet/modules/site_openvpn/manifests/init.pp --- puppet/modules/site_openvpn/manifests/init.pp | 64 +++++++++++++-------------- 1 file changed, 32 insertions(+), 32 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 4777464e..7397d89c 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp 
@@ -87,24 +87,24 @@ class site_openvpn { if $openvpn_allow_unlimited { site_openvpn::server_config { 'tcp_config': - port => '1194', - proto => 'tcp', - local => $unlimited_gateway_address, - tls_remote => "\"${openvpn_unlimited_prefix}\"", - server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", - management => '127.0.0.1 1000', - config => $openvpn_config + port => '1194', + proto => 'tcp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", + management => '127.0.0.1 1000', + config => $openvpn_config } site_openvpn::server_config { 'udp_config': - port => '1194', - proto => 'udp', - local => $unlimited_gateway_address, - tls_remote => "\"${openvpn_unlimited_prefix}\"", - server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", - management => '127.0.0.1 1001', - config => $openvpn_config + port => '1194', + proto => 'udp', + local => $unlimited_gateway_address, + tls_remote => "\"${openvpn_unlimited_prefix}\"", + server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", + management => '127.0.0.1 1001', + config => $openvpn_config } } else { tidy { '/etc/openvpn/tcp_config.conf': } 
@@ -113,24 +113,24 @@ class site_openvpn { if $openvpn_allow_limited { site_openvpn::server_config { 'limited_tcp_config': - port => '1194', - proto => 'tcp', - local => $limited_gateway_address, - tls_remote => "\"${openvpn_limited_prefix}\"", - server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", - push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", - management => '127.0.0.1 1002', - config => $openvpn_config + port => '1194', + proto => 'tcp', + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", + push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", + management => '127.0.0.1 1002', + config => $openvpn_config } site_openvpn::server_config { 'limited_udp_config': - port => '1194', - proto => 'udp', - local => $limited_gateway_address, - tls_remote => "\"${openvpn_limited_prefix}\"", - server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", - push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"", - management => '127.0.0.1 1003', - config => $openvpn_config + port => '1194', + proto => 'udp', + local => $limited_gateway_address, + tls_remote => "\"${openvpn_limited_prefix}\"", + server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", + push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"", + management => '127.0.0.1 1003', + config => $openvpn_config } } else { tidy { '/etc/openvpn/limited_tcp_config.conf': } -- cgit v1.2.3 From 69d2549a8b3b670b10d0efe079bcbc4ba066907d Mon Sep 17 00:00:00 2001 
From: varac Date: Fri, 22 Jan 2016 17:05:26 +0100 Subject: [bug] refactor build-essential package installation In certain node setups, the webapp gems cannot get built because `build-essential` and dependent packages were not present. I refactored the `site_config::packages::build_essential` class, which now inherits `site_config::packages`. The latter class removes all unneccessary (development) packages, but when the `site_config::packages::build_essential` class is included, some dev packages are overridden to be installed. - Tested: [local] - Resolves: #7834 --- puppet/modules/site_config/manifests/default.pp | 6 +++-- puppet/modules/site_config/manifests/packages.pp | 31 ++++++++++++++++++++++ .../modules/site_config/manifests/packages/base.pp | 25 ----------------- .../manifests/packages/build_essential.pp | 25 ++++++++++++++--- .../site_config/manifests/packages/uninstall.pp | 16 ----------- puppet/modules/site_nickserver/manifests/init.pp | 7 ----- 6 files changed, 56 insertions(+), 54 deletions(-) create mode 100644 puppet/modules/site_config/manifests/packages.pp delete mode 100644 puppet/modules/site_config/manifests/packages/base.pp delete mode 100644 puppet/modules/site_config/manifests/packages/uninstall.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 4e297026..7a2a0a79 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -10,7 +10,6 @@ class site_config::default { # make sure apt is updated before any packages are installed include apt::update Package { require => Exec['apt_updated'] } - include site_config::packages::uninstall include site_config::slow 
@@ -28,7 +27,10 @@ class site_config::default { # i.e. openstack/aws nodes, vagrant nodes # fix dhclient from changing resolver information + # facter returns 'true' as string + # lint:ignore:quoted_booleans if $::dhcp_enabled == 'true' { + # lint:endignore include site_config::dhclient } @@ -45,7 +47,7 @@ class site_config::default { include haveged # install/remove base packages - include site_config::packages::base + include site_config::packages # include basic shorewall config include site_shorewall::defaults diff --git a/puppet/modules/site_config/manifests/packages.pp b/puppet/modules/site_config/manifests/packages.pp new file mode 100644 index 00000000..4cd45bc9 --- /dev/null +++ b/puppet/modules/site_config/manifests/packages.pp @@ -0,0 +1,31 @@ +# install default packages and remove unwanted packages +class site_config::packages { + + + # base set of packages that we want to have installed everywhere + package { [ 'etckeeper', 'screen', 'less', 'ntp' ]: + ensure => installed, + } + + # base set of packages that we want to remove everywhere + package { [ + 'acpi', 'build-essential', + 'cpp', 'cpp-4.6', 'cpp-4.7', 'cpp-4.8', 'cpp-4.9', + 'eject', 'ftp', + 'g++', 'g++-4.6', 'g++-4.7', 'g++-4.8', 'g++-4.9', + 'gcc', 'gcc-4.6', 'gcc-4.7', 'gcc-4.8', 'gcc-4.9', + 'laptop-detect', 'libc6-dev', 'libssl-dev', 'lpr', 'make', 'portmap', + 'pppconfig', 'pppoe', 'pump', 'qstat', + 'samba-common', 'samba-common-bin', 'smbclient', + 'tcl8.5', 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', + 'x11-utils', 'xterm' ]: + ensure => purged; + } + + notice($::site_config::params::environment) + if $::site_config::params::environment != 'local' { + package { [ 'nfs-common', 'nfs-kernel-server', 'rpcbind' ]: + ensure => purged; + } + } +} diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp deleted file mode 100644 index b53a9364..00000000 
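Review bot: The new site_config::packages class reads `$::site_config::params::environment` but never declares that dependency; if site_config::params has not been evaluated yet when this class is compiled, Puppet 3 resolves the variable to undef (with only a warning), the `!= 'local'` test is true, and the nfs packages get purged on a local/vagrant node — the very case the conditional is meant to protect. Adding `include ::site_config::params` at the top of the class, the same fix the x509 commit on this page applies, makes the lookup deterministic. The same missing include persists in the follow-up hunk that rewords this block (the portmap commit below).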
--- a/puppet/modules/site_config/manifests/packages/base.pp +++ /dev/null @@ -1,25 +0,0 @@ -# install default packages and remove unwanted packages -class site_config::packages::base { - - - # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less', 'ntp' ]: - ensure => installed, - } - - # base set of packages that we want to remove everywhere - package { [ 'acpi', 'eject', 'ftp', 'laptop-detect', 'lpr', - 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', - 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', - 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', - 'x11-utils', 'xterm' ]: - ensure => absent; - } - - notice($::site_config::params::environment) - if $::site_config::params::environment != 'local' { - package { [ 'nfs-common', 'nfs-kernel-server', 'rpcbind' ]: - ensure => purged; - } - } -} diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp index 8f3b2641..2b3e13b9 100644 --- a/puppet/modules/site_config/manifests/packages/build_essential.pp +++ b/puppet/modules/site_config/manifests/packages/build_essential.pp @@ -1,11 +1,28 @@ # # include this whenever you want to ensure build-essential package and related compilers are installed. # -class site_config::packages::build_essential { - if !defined(Package['build-essential']) { - package { - ['build-essential', 'cpp']: +class site_config::packages::build_essential inherits ::site_config::packages { + + # NICKSERVER CODE NOTE: in order to support TLS, libssl-dev must be installed + # before EventMachine gem is built/installed. + Package[ 'gcc', 'make', 'g++', 'cpp', 'libssl-dev', 'libc6-dev' ] { + ensure => present + } + + case $::operatingsystemrelease { + /^8.*/: { + Package[ 'gcc-4.9','g++-4.9', 'cpp-4.9' ] { + ensure => present + } + } + + /^7.*/: { + Package[ 'gcc-4.7','g++-4.7', 'cpp-4.7' ] { ensure => present + } } + + default: { } } + } 
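Review bot: The new `inherits ::site_config::packages` form changes two things the header comment should state: including site_config::packages::build_essential now also evaluates the whole parent class (its install list and its purge list), and the old `if !defined(Package['build-essential'])` guard is gone, so any other module that still declares `Package['build-essential']` or `Package['libssl-dev']` will fail with a duplicate declaration rather than being skipped. A sentence such as `# inherits site_config::packages so the compilers purged there can be overridden to present; other modules must not declare these packages themselves` would save the next reader the surprise. The `default: {}` arm of the `case` silently does nothing on releases other than 7 and 8, which is worth a comment too, since the generic `gcc`/`g++` packages are still forced present there.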
diff --git a/puppet/modules/site_config/manifests/packages/uninstall.pp b/puppet/modules/site_config/manifests/packages/uninstall.pp deleted file mode 100644 index 12f527d9..00000000 --- a/puppet/modules/site_config/manifests/packages/uninstall.pp +++ /dev/null @@ -1,16 +0,0 @@ -# -# Uninstall build-essential and compilers, unless they have been explicitly installed elsewhere. -# -class site_config::packages::uninstall { - tag 'leap_base' - - # generally, dev packages are needed for installing ruby gems with native extensions. - # (nickserver, webapp, etc) - - if !defined(Package['build-essential']) { - package { - ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']: - ensure => purged - } - } -} \ No newline at end of file diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 0e585e10..eb4415e7 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -61,13 +61,6 @@ class site_nickserver { require => Group['nickserver']; } - # - # NICKSERVER CODE NOTE: in order to support TLS, libssl-dev must be installed - # before EventMachine gem is built/installed. - # - - package { 'libssl-dev': ensure => installed } - vcsrepo { '/srv/leap/nickserver': ensure => present, revision => $sources['nickserver']['revision'], -- cgit v1.2.3 From 28a369a77e198105b4a892a2d0d92ea43f8046d0 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 23 Jan 2016 00:31:20 +0100 Subject: [feat] Don't remove portmap on vagrant Vagrant uses portmap and nfs-common for mounting shared folders using nfs. --- puppet/modules/site_config/manifests/packages.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/packages.pp b/puppet/modules/site_config/manifests/packages.pp index 4cd45bc9..140189a4 100644 
--- a/puppet/modules/site_config/manifests/packages.pp +++ b/puppet/modules/site_config/manifests/packages.pp @@ -14,7 +14,7 @@ class site_config::packages { 'eject', 'ftp', 'g++', 'g++-4.6', 'g++-4.7', 'g++-4.8', 'g++-4.9', 'gcc', 'gcc-4.6', 'gcc-4.7', 'gcc-4.8', 'gcc-4.9', - 'laptop-detect', 'libc6-dev', 'libssl-dev', 'lpr', 'make', 'portmap', + 'laptop-detect', 'libc6-dev', 'libssl-dev', 'lpr', 'make', 'pppconfig', 'pppoe', 'pump', 'qstat', 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', @@ -22,9 +22,10 @@ class site_config::packages { ensure => purged; } - notice($::site_config::params::environment) - if $::site_config::params::environment != 'local' { - package { [ 'nfs-common', 'nfs-kernel-server', 'rpcbind' ]: + # leave a few packages installed on local environments + # vagrant i.e. needs them for mounting shared folders + if $::site_config::params::environment != 'local' { + package { [ 'nfs-common', 'nfs-kernel-server', 'rpcbind', 'portmap' ]: ensure => purged; } } -- cgit v1.2.3 From 5f7f7bd91c6d6c20305d97d8c2bfc03a78cdad69 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 22 Jan 2016 17:39:41 +0100 Subject: [feat] Don't install rubygems package on every run I merged immerda's changes to the `rubygems` module, which remove the installation of the `rubygems` package from jessie on, because it's a dependency of the `ruby2.1` package, which is a dep of puppet, and therefore installed on every node. - Tested: [local singlenode] - Resolves: #7619 --- puppet/modules/rubygems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems index ef820cfe..e704c9fe 160000 --- a/puppet/modules/rubygems +++ b/puppet/modules/rubygems @@ -1 +1 @@ -Subproject commit ef820cfec3321d17be99ef814318adb4e3cc1e91 +Subproject commit e704c9fe1c40fea5b10fe3ca2b4f5de825341cc6 -- cgit v1.2.3 
From 38e1003186ca194c75b87fdb8898304556d89a7a Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 22 Jan 2016 23:52:58 +0100 Subject: [bug] Use ruby::devel to install ruby-dev deb Ruby itself is a parameterized class, and parameters cannot get overridden (see https://projects.puppetlabs.com/issues/9259). The webapp node didn't install the ruby-dev package (we never noticed because our vagrant images as probably other debian images had ruby-dev preinstalled). We now use the ruby::devel class to install ruby-dev. - Tested: [citest-jessie] - Resolves: #7838 --- puppet/modules/ruby | 2 +- puppet/modules/site_config/manifests/ruby/dev.pp | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/ruby b/puppet/modules/ruby index 0fb2b398..9ccd853c 160000 --- a/puppet/modules/ruby +++ b/puppet/modules/ruby @@ -1 +1 @@ -Subproject commit 0fb2b398dbfce59c678d6f4044a55969e42c6d4d +Subproject commit 9ccd853c49af7d0b57ebd9c2ea7673b193fce24b diff --git a/puppet/modules/site_config/manifests/ruby/dev.pp b/puppet/modules/site_config/manifests/ruby/dev.pp index e6eb2f8a..2b0b106d 100644 --- a/puppet/modules/site_config/manifests/ruby/dev.pp +++ b/puppet/modules/site_config/manifests/ruby/dev.pp @@ -1,8 +1,8 @@ # install ruby dev packages needed for building some gems -class site_config::ruby::dev inherits site_config::ruby { - Class['::ruby'] { - install_dev => true - } +class site_config::ruby::dev { + include site_config::ruby + include ::ruby::devel + # building gems locally probably requires build-essential and gcc: include site_config::packages::build_essential } -- cgit v1.2.3 From 982f8b6ce9c470366f967f3ad8fece2a673db59d Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 25 Jan 2016 12:07:11 +0100 Subject: [feat] Move bigcouch removals to own class We now include "site_config::remove::bigcouch" in class "site_couchdb::master", which sets up plain couchdb. --- .../site_config/manifests/remove/bigcouch.pp | 22 ++++++++++++++++++++++ .../modules/site_config/manifests/remove/files.pp | 18 ------------------ puppet/modules/site_couchdb/manifests/master.pp | 4 ++++ 3 files changed, 26 insertions(+), 18 deletions(-) create mode 100644 puppet/modules/site_config/manifests/remove/bigcouch.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove/bigcouch.pp b/puppet/modules/site_config/manifests/remove/bigcouch.pp new file mode 100644 index 00000000..19d18eb0 --- /dev/null +++ b/puppet/modules/site_config/manifests/remove/bigcouch.pp @@ -0,0 +1,22 @@ +# remove bigcouch leftovers from previous installations +class site_config::remove::bigcouch { + + # Don't use check_mk logwatch to watch bigcouch logs anymore + # see https://leap.se/code/issues/7375 for more details + file { '/etc/check_mk/logwatch.d/bigcouch.cfg': + ensure => absent, + notify => [ + Exec['remove_bigcouch_logwatch_spoolfiles'], + Exec['remove_bigcouch_logwatch_stateline'] + ] + } + # remove leftover bigcouch logwatch spool files + exec { 'remove_bigcouch_logwatch_spoolfiles': + command => 'find /var/lib/check_mk/logwatch -name \'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -exec rm {} \;', + refreshonly => true, + } + exec { 'remove_bigcouch_logwatch_stateline': + command => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state", + refreshonly => true, + } +} diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 077381e1..4f7aa6e6 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp 
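Review bot: Both execs in the new site_config::remove::bigcouch class use unqualified commands (`find …`, `sed …`) without a `path` attribute; Puppet refuses to run an exec whose command is neither fully qualified nor covered by `path` unless a global Exec default supplies one, and no such default is visible on this page — the sibling cleanup in files.pp uses `/bin/grep` for this reason. Adding `path => ['/bin', '/usr/bin'],` to each exec (or qualifying the binaries) removes the dependence on an invisible default. Note also that both execs are `refreshonly`, so on a node where bigcouch.cfg is already absent the stale `/etc/check_mk/logwatch.state` line is never cleaned up; an `onlyif` grep like the leap_mx cleanup in files.pp would cover that case.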
@@ -51,22 +51,4 @@ class site_config::remove::files { onlyif => "/bin/grep -qe 'leap_mx.log' /etc/check_mk/logwatch.state" } - # Don't use check_mk logwatch to watch bigcouch logs anymore - # see https://leap.se/code/issues/7375 for more details - file { '/etc/check_mk/logwatch.d/bigcouch.cfg': - ensure => absent, - notify => [ - Exec['remove_bigcouch_logwatch_spoolfiles'], - Exec['remove_bigcouch_logwatch_stateline'] - ] - } - # remove leftover bigcouch logwatch spool files - exec { 'remove_bigcouch_logwatch_spoolfiles': - command => 'find /var/lib/check_mk/logwatch -name \'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -exec rm {} \;', - refreshonly => true, - } - exec { 'remove_bigcouch_logwatch_stateline': - command => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state", - refreshonly => true, - } } diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp index 5dab6325..49d90f2f 100644 --- a/puppet/modules/site_couchdb/manifests/master.pp +++ b/puppet/modules/site_couchdb/manifests/master.pp @@ -8,4 +8,8 @@ class site_couchdb::master { } include site_check_mk::agent::couchdb::master + + # remove bigcouch leftovers from previous installations + include ::site_config::remove::bigcouch + } -- cgit v1.2.3 From 742e11902b88d1e135d131ebef7a7d8433f03dfe Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 25 Jan 2016 12:09:55 +0100 Subject: [bug] remove bigcouch compaction cronjob - Resolves: #7629 --- puppet/modules/site_config/manifests/remove/bigcouch.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove/bigcouch.pp b/puppet/modules/site_config/manifests/remove/bigcouch.pp index 19d18eb0..0783fe9d 100644 --- a/puppet/modules/site_config/manifests/remove/bigcouch.pp +++ b/puppet/modules/site_config/manifests/remove/bigcouch.pp 
@@ -19,4 +19,8 @@ class site_config::remove::bigcouch { command => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state", refreshonly => true, } + + cron { 'compact_all_shards': + ensure => absent + } } -- cgit v1.2.3 From bb76a5a1c77bd23ba988f2591a093693619b23f9 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 25 Jan 2016 15:09:28 +0100 Subject: [bug] Fix unattended-upgrades on jessie - Resolves: #7842 --- .../site_apt/files/Debian/51unattended-upgrades-leap | 6 ++++++ puppet/modules/site_apt/manifests/unattended_upgrades.pp | 13 ++++++++++++- puppet/modules/site_apt/templates/50unattended-upgrades | 16 ---------------- 3 files changed, 18 insertions(+), 17 deletions(-) create mode 100644 puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap delete mode 100644 puppet/modules/site_apt/templates/50unattended-upgrades (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap b/puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap new file mode 100644 index 00000000..bbaac6a2 --- /dev/null +++ b/puppet/modules/site_apt/files/Debian/51unattended-upgrades-leap @@ -0,0 +1,6 @@ +// this file is managed by puppet ! + +Unattended-Upgrade::Allowed-Origins { + "leap.se:stable"; +} + diff --git a/puppet/modules/site_apt/manifests/unattended_upgrades.pp b/puppet/modules/site_apt/manifests/unattended_upgrades.pp index 40111deb..42f1f4c6 100644 --- a/puppet/modules/site_apt/manifests/unattended_upgrades.pp +++ b/puppet/modules/site_apt/manifests/unattended_upgrades.pp 
@@ -1,9 +1,20 @@ +# configute unattended upgrades so packages from both Debian and LEAP +# repos get upgraded unattended class site_apt::unattended_upgrades { # override unattended-upgrades package resource to make sure # that it is upgraded on every deploy (#6245) + # configure upgrades for Debian class { 'apt::unattended_upgrades': - config_content => template('site_apt/50unattended-upgrades'), ensure_version => latest } + + # configure LEAP upgrades + apt::apt_conf { '51unattended-upgrades-leap': + source => [ + "puppet:///modules/site_apt/${::lsbdistid}/51unattended-upgrades-leap"], + require => Package['unattended-upgrades'], + refresh_apt => false, + } + } diff --git a/puppet/modules/site_apt/templates/50unattended-upgrades b/puppet/modules/site_apt/templates/50unattended-upgrades deleted file mode 100644 index 9ae3ab84..00000000 --- a/puppet/modules/site_apt/templates/50unattended-upgrades +++ /dev/null @@ -1,16 +0,0 @@ -// this file is managed by puppet ! - -Unattended-Upgrade::Allowed-Origins { - "${distro_id}:oldstable"; - "${distro_id}:${distro_codename}-security"; - "${distro_id}:${distro_codename}-updates"; - "${distro_id} Backports:${distro_codename}-backports"; - "leap.se:stable"; -}; - -APT::Periodic::Update-Package-Lists "1"; -APT::Periodic::Download-Upgradeable-Packages "1"; -APT::Periodic::Unattended-Upgrade "1"; - -Unattended-Upgrade::Mail "root"; -Unattended-Upgrade::MailOnlyOnError "true"; -- cgit v1.2.3 From 01b05ec8453b44d93780e04dd832b9a0e7b3cd48 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 25 Jan 2016 17:27:48 +0100 Subject: [feat] Cronjob to delete orphaned userdbs - Resolves: #7418 --- puppet/modules/site_couchdb/manifests/init.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index ea02d1f4..8d79ae75 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp 
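Review bot: Dropping the `config_content` template removes the explicit `${distro_id}:${distro_codename}-security` / `-updates` origins and the `APT::Periodic::*` lines that enabled the daily run, while the new 51unattended-upgrades-leap file (previous hunk) adds only `leap.se:stable`; whether Debian security updates still get applied now rests entirely on the defaults of the `apt::unattended_upgrades` class, which are not visible here. That should be confirmed on a deployed node (`apt-config dump` and the unattended-upgrades log) and recorded in the class comment, e.g. `# Debian security/updates origins and APT::Periodic come from apt::unattended_upgrades defaults; this class only adds the LEAP origin`. Two smaller points: the new conf file closes the group with `}` where the deleted template used `};`, the form apt.conf(5) documents, and the header comment reads "configute" for "configure".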
+++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -66,4 +66,13 @@ class site_couchdb { # remove tapicero leftovers on couchdb nodes include site_config::remove::tapicero + # Destroy every per-user storage database + # where the corresponding user record does not exist. + cron { 'cleanup_stale_userdbs': + command => '(/bin/date; /srv/leap/couchdb/scripts/cleanup-user-dbs) >> /var/log/leap/couchdb-cleanup.log', + user => 'root', + hour => 4, + minute => 7; + } + } -- cgit v1.2.3 From 33cf7e313cf9dfa2e5ac0e8eeb91cacb016ebe62 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 27 Jan 2016 21:03:58 +0100 Subject: [refactor] Optimize static apache vhost templates - Related: #7853 --- puppet/modules/site_static/templates/amber.erb | 10 ++-------- puppet/modules/site_static/templates/rack.erb | 10 ++-------- 2 files changed, 4 insertions(+), 16 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb index 17dc2ad6..48df555e 100644 --- a/puppet/modules/site_static/templates/amber.erb +++ b/puppet/modules/site_static/templates/amber.erb @@ -1,15 +1,9 @@ -<%- if @location_path == '' -%> - /"> - AllowOverride FileInfo Indexes Options=All,MultiViews - Order deny,allow - Allow from all - -<%- else -%> +<%- if @location_path != '' -%> AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$ "<%=@directory%>/$1" Alias /<%=@location_path%> "<%=@directory%>/" +<%- end -%> /"> AllowOverride FileInfo Indexes Options=All,MultiViews Order deny,allow Allow from all -<%- end -%> diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb index aae91f1c..d70d3ddb 100644 --- a/puppet/modules/site_static/templates/rack.erb +++ b/puppet/modules/site_static/templates/rack.erb 
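Review bot: The new `cleanup_stale_userdbs` cron runs a script that destroys databases as `user => 'root'`, with nothing on this page showing that root privileges are needed; if `/srv/leap/couchdb/scripts/cleanup-user-dbs` only talks to couchdb over HTTP, running it as the couchdb service user (or another unprivileged account) bounds the blast radius of a bug or a tampered script. The redirect into `/var/log/leap/couchdb-cleanup.log` also assumes the directory exists and is writable by that user, which the class does not manage here. A comment stating why root is required, or the switch to a dedicated user, would settle it; the script itself is outside this diff.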
@@ -1,21 +1,15 @@ #PassengerLogLevel 1 #PassengerAppEnv production #PassengerFriendlyErrorPages on -<%- if @location_path == '' -%> - "> - Order deny,allow - Allow from all - Options -MultiViews - -<%- else -%> +<%- if @location_path != '' -%> Alias /<%=@location_path%> "<%=@directory%>" > PassengerBaseURI /<%=@location_path%> PassengerAppRoot "<%=File.dirname(@directory)%>" +<%- end -%> "> Order deny,allow Allow from all Options -MultiViews -<%- end -%> -- cgit v1.2.3 From 8effa368557761c23f5496d4a26554b9cec6036c Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 27 Jan 2016 21:12:07 +0100 Subject: [bug] [jessie] Fix apache 2.4 auth directives - Resolves: #7853 --- puppet/modules/site_static/templates/amber.erb | 4 ++++ puppet/modules/site_static/templates/rack.erb | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb index 48df555e..694f1136 100644 --- a/puppet/modules/site_static/templates/amber.erb +++ b/puppet/modules/site_static/templates/amber.erb @@ -4,6 +4,10 @@ <%- end -%> /"> AllowOverride FileInfo Indexes Options=All,MultiViews +<% if scope.function_guess_apache_version([]) == '2.4' %> + Require all granted +<% else %> Order deny,allow Allow from all +<% end %> diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb index d70d3ddb..431778bb 100644 --- a/puppet/modules/site_static/templates/rack.erb +++ b/puppet/modules/site_static/templates/rack.erb @@ -9,7 +9,11 @@ <%- end -%> "> + Options -MultiViews +<% if scope.function_guess_apache_version([]) == '2.4' %> + Require all granted +<% else %> Order deny,allow Allow from all - Options -MultiViews +<% end %> -- cgit v1.2.3 From 54bd11793c13140651d908db7f88d550712ee85a Mon Sep 17 00:00:00 2001 
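Review bot: In both the amber.erb and rack.erb hunks of the "Fix apache 2.4 auth directives" commit, `scope.function_guess_apache_version([]) == '2.4'` is an exact string comparison, so any release newer than 2.4 falls into the `else` branch and emits `Order deny,allow` / `Allow from all`, which 2.4+ only honours when mod_access_compat is loaded. A version comparison keeps the intent: `<% if scope.function_versioncmp([scope.function_guess_apache_version([]), '2.4']) >= 0 %>`, and the same form should replace the check in rack.erb. I cannot see what guess_apache_version returns for an unknown server, so verify it yields a comparable version string before relying on that.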
From: varac Date: Thu, 28 Jan 2016 11:12:59 +0100 Subject: [bug] Fix removing of bigcouch logwatch spoolfiles The problem was that puppet tried to remove them on the couch node, but they need to get removed on monitor node. - Resolves: #7641 --- puppet/modules/site_config/manifests/remove/bigcouch.pp | 6 +----- puppet/modules/site_config/manifests/remove/monitoring.pp | 7 +++++++ 2 files changed, 8 insertions(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove/bigcouch.pp b/puppet/modules/site_config/manifests/remove/bigcouch.pp index 0783fe9d..f8e0ebe2 100644 --- a/puppet/modules/site_config/manifests/remove/bigcouch.pp +++ b/puppet/modules/site_config/manifests/remove/bigcouch.pp @@ -10,11 +10,7 @@ class site_config::remove::bigcouch { Exec['remove_bigcouch_logwatch_stateline'] ] } - # remove leftover bigcouch logwatch spool files - exec { 'remove_bigcouch_logwatch_spoolfiles': - command => 'find /var/lib/check_mk/logwatch -name \'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -exec rm {} \;', - refreshonly => true, - } + exec { 'remove_bigcouch_logwatch_stateline': command => "sed -i '/bigcouch.log/d' /etc/check_mk/logwatch.state", refreshonly => true, diff --git a/puppet/modules/site_config/manifests/remove/monitoring.pp b/puppet/modules/site_config/manifests/remove/monitoring.pp index d7095597..ab9f7a8f 100644 --- a/puppet/modules/site_config/manifests/remove/monitoring.pp +++ b/puppet/modules/site_config/manifests/remove/monitoring.pp @@ -7,4 +7,11 @@ class site_config::remove::monitoring { recurse => true, matches => '*tapicero.log' } + + # remove leftover bigcouch logwatch spool files + exec { 'remove_bigcouch_logwatch_spoolfiles': + command => 'find /var/lib/check_mk/logwatch -name \'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -exec rm {} \;', + refreshonly => true, + } + } -- cgit v1.2.3 From a8343508a6ced1dcbca621ad4c6f3ac39676326b Mon Sep 17 00:00:00 2001 
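Review bot: `exec { 'remove_bigcouch_logwatch_spoolfiles': }` in monitoring.pp is `refreshonly => true` but nothing in site_config::remove::monitoring notifies it; the only notifier I can see is the `notify => [...]` array whose tail is the context at the top of the bigcouch.pp hunk, and per the commit message that array is applied on the couch node while the exec now lives in the monitor node's catalog. That leaves the exec never refreshed on the monitor node and, if the bigcouch.pp array still names it, an unresolved reference on couch nodes. Dropping the notify and making this a `tidy` with `matches => '*bigcouch.log'`, as `checkmk_logwatch_spool` above it already does for tapicero, avoids both problems. Separately, I believe the backslashes in `-name '\\opt\\bigcouch\\...'` reach find as single backslashes, which fnmatch treats as escapes (`\o` matches a plain `o`), so the pattern would not match the spool file's real name at all.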
From: varac Date: Thu, 28 Jan 2016 00:04:10 +0100 Subject: [feat] Fix fast deploy using 'leap deploy --fast' This worked before, but somehow stopped working. We need to include 'site_config::slow' top-level scope instead of including it in 'site_config::default', because otherwise it would get tagged with 'leap_base', and would be included always. This way 'site_config::slow' gets included by default, but can be excluded by using 'leap deploy --fast'. See https://leap.se/en/docs/platform/details/under-the-hood#tags - Resolves: #7844 --- puppet/modules/site_config/manifests/default.pp | 14 ++++++++++---- puppet/modules/site_config/manifests/slow.pp | 2 ++ 2 files changed, 12 insertions(+), 4 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 7a2a0a79..96f06e6c 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -7,11 +7,17 @@ class site_config::default { include site_config::params include site_config::setup - # make sure apt is updated before any packages are installed - include apt::update - Package { require => Exec['apt_updated'] } + # By default, the class 'site_config::slow' is included in site.pp. + # It basically does an 'apt-get update' and 'apt-get dist-upgrade'. + # This class can be excluded by using 'leap deploy --fast', + # see https://leap.se/en/docs/platform/details/under-the-hood#tags for more + # details. + # The following Package resource override makes sure that *if* an + # 'apt-get update' is executed by 'site_config::slow', it should be done + # before any packages are installed. + + Package { require => Exec['refresh_apt'] } - include site_config::slow # default class, used by all hosts diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp index 3650eb19..de276bc3 100644 --- a/puppet/modules/site_config/manifests/slow.pp 
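Review bot: The comment above `Package { require => Exec['refresh_apt'] }` says the update happens only *if* `site_config::slow` runs, but the `require` is unconditional: on a `leap deploy --fast` catalog the exec must still exist or every package fails with a missing dependency. This hunk removes `include apt::update` from the default class, so correctness now depends on `Exec['refresh_apt']` being declared by class apt itself rather than by apt::update — I cannot tell which from this page, so state it in the comment once confirmed, e.g. `# Exec['refresh_apt'] is declared by class apt and is always in the catalog; apt::update only adds the unconditional update.` A resource default on every Package in the catalog can also form a dependency cycle with packages the apt module needs before the refresh, so a `--fast` and a full deploy on a fresh node are both worth running.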
+++ b/puppet/modules/site_config/manifests/slow.pp @@ -3,5 +3,7 @@ # the "--fast" parameter class site_config::slow { tag 'leap_slow' + + include apt::update class { 'site_apt::dist_upgrade': } } -- cgit v1.2.3 From e244e724c40c5f4770a43721e4c7441dec242e4f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 1 Feb 2016 20:52:47 +0100 Subject: updated submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apt b/puppet/modules/apt index d459567b..d997142b 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit d459567bf246eee85cd101c2e2f17f451e6230b8 +Subproject commit d997142b0cb55b23ed85ee32bbbb72d4456465d1 -- cgit v1.2.3 From 45e81ca4abc81600998f11a5e74a565f545e6c84 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 2 Feb 2016 10:21:49 -0800 Subject: finally fix leap-mx logging, for the last time, hopefully. --- puppet/modules/leap/manifests/logfile.pp | 15 ++++++++++++--- puppet/modules/leap_mx/manifests/init.pp | 5 ++++- puppet/modules/site_config/manifests/remove/files.pp | 7 ++----- 3 files changed, 18 insertions(+), 9 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/leap/manifests/logfile.pp b/puppet/modules/leap/manifests/logfile.pp index 63dbd16b..adb3ca8a 100644 --- a/puppet/modules/leap/manifests/logfile.pp +++ b/puppet/modules/leap/manifests/logfile.pp 
@@ -1,9 +1,18 @@ # # make syslog log to a particular file for a particular process. # - -define leap::logfile($process=$name) { - $logfile = "/var/log/leap/${name}.log" +# arguments: +# +# * name: what config files are named as (eg. /etc/rsyslog.d/50-$name.conf) +# * log: the full path of the log file (defaults to /var/log/leap/$name.log +# * process: the syslog tag to filter on (defaults to name) +# +define leap::logfile($process = $name, $log = undef) { + if $log { + $logfile = $log + } else { + $logfile = "/var/log/leap/${name}.log" + } rsyslog::snippet { "50-${name}": content => template('leap/rsyslog.erb') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 50bc8a18..6bdcec42 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -85,7 +85,10 @@ class leap_mx { notify => Service['leap-mx']; } - leap::logfile { 'mx': process => 'leap-mx' } + leap::logfile { 'leap-mx': + log => '/var/log/leap/mx.log', + process => 'leap-mx' + } # # LEAP-MX CODE AND DEPENDENCIES diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 4f7aa6e6..3efcbf0f 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp @@ -15,6 +15,7 @@ class site_config::remove::files { tidy { '/etc/default/leap_mx':; '/etc/logrotate.d/mx':; + '/etc/rsyslog.d/50-mx.conf':; } # @@ -30,11 +31,7 @@ class site_config::remove::files { 'leap_mx': path => '/var/log/', recurse => true, - matches => 'leap_mx*'; - 'mx': - path => '/var/log/leap/', - recurse => true, - matches => 'mx.log*'; + matches => ['leap_mx*', 'mx.log.[6-9](.gz)?', 'mx.log.[0-9][0-9](.gz)?']; '/srv/leap/webapp/public/provider.json':; '/srv/leap/couchdb/designs/tmp_users': recurse => true, -- cgit v1.2.3 From 3dabb02d43f2a65890085734032c9678dee5b830 Mon Sep 17 00:00:00 2001 
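Review bot: The parameter docs added above `define leap::logfile($process = $name, $log = undef)` have an unclosed parenthesis on the `log` line; suggest `# * log: the full path of the log file (defaults to /var/log/leap/$name.log)`. The `if $log { … } else { … }` branch is fine, though a selector would express "default unless given" in one expression. The define continues past the end of the hunk, so I cannot see whether `$logfile` is consumed anywhere besides the rsyslog template.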
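Review bot: In the second site_config::remove::files hunk, `matches => ['leap_mx*', 'mx.log.[6-9](.gz)?', 'mx.log.[0-9][0-9](.gz)?']` mixes regex syntax into what tidy treats as shell globs: the parentheses are literal and `?` matches exactly one character, so `mx.log.7` and `mx.log.7.gz` match neither pattern and the rotated logs are never removed. Spell the variants out as globs: `matches => ['leap_mx*', 'mx.log.[6-9]', 'mx.log.[6-9].gz', 'mx.log.[0-9][0-9]', 'mx.log.[0-9][0-9].gz'];`. Note the tidy is now rooted at `/var/log/` with `recurse => true`, so the patterns apply to basenames anywhere under it, not only `/var/log/leap/` as the removed `'mx'` entry did.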
From: kwadronaut Date: Tue, 2 Feb 2016 19:37:02 +0100 Subject: don't deploy bundler debug to servers --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 4f3147e7..15925aba 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -60,7 +60,7 @@ class site_webapp { exec { 'bundler_update': cwd => '/srv/leap/webapp', - command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development"', + command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development debug"', unless => '/usr/bin/bundle check --path vendor/bundle', user => 'leap-webapp', timeout => 600, -- cgit v1.2.3 From 2211934991158ea66b8d64ac8de4fb8b971f736e Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 1 Feb 2016 11:54:33 +0100 Subject: [refactor] Don't declare dependencies for apt resources The apt module now takes care of all the dependencies removed from `site_apt`. Also, the dependency to install the `lsb` package after `refresh_apt` is unnesseccary because lsb facts won't work anyway on the first run if `lsb` is not installed before, so we can safely remove it. --- puppet/modules/site_apt/manifests/init.pp | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index c809a837..fea4b8e7 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp 
@@ -52,13 +52,10 @@ class site_apt { pin => 'origin "deb.leap.se"' } - # All packages should be installed _after_ refresh_apt is called, - # which does an apt-get update. - # There is one exception: - # The creation of sources.list depends on the lsb package +# All packages should be installed _after_ refresh_apt is called, +# which does an apt-get update. + + Exec['refresh_apt'] -> + Package <||> - File['/etc/apt/preferences'] -> - Apt::Preferences_snippet <| |> -> - Exec['refresh_apt'] -> - Package <| ( title != 'lsb' ) |> } -- cgit v1.2.3 From 5d4642e94c8a1a460988fe11419556753ce0f1aa Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 1 Feb 2016 13:24:53 +0100 Subject: [refactor] Remove atomic apt package dependecy `site_config::default.pp` takes care the all packages are installed before `Exec['refresh_apt']`, so we don't need to add it here for a single package. --- puppet/modules/site_apt/manifests/leap_repo.pp | 3 --- puppet/modules/site_config/manifests/setup.pp | 3 +-- 2 files changed, 1 insertion(+), 5 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp index a1382374..60948d91 100644 --- a/puppet/modules/site_apt/manifests/leap_repo.pp +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -13,7 +13,4 @@ class site_apt::leap_repo { ensure => latest } - # We wont be able to install the leap-keyring package unless the leap apt - # source has been added and apt has been refreshed - Exec['refresh_apt'] -> Package['leap-keyring'] } diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index dba5fa14..82dfe76d 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp 
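Review bot: The rewritten comment above `Exec['refresh_apt'] -> Package <||>` sits at column 0 inside the class body while every other line of site_apt is indented two spaces; re-indent it to match (`  # All packages should be installed _after_ refresh_apt is called,`). The collector now also covers `lsb`, which the removed `Package <| ( title != 'lsb' ) |>` deliberately excluded; the commit message's reasoning for dropping the exception is sound, but a one-line comment saying why would stop the next reader from reintroducing it.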
@@ -24,8 +24,7 @@ class site_config::setup { include site_apt package { 'facter': - ensure => latest, - require => Exec['refresh_apt'] + ensure => latest } # if squid_deb_proxy_client is set to true, install and configure -- cgit v1.2.3 From 65d1d6da0dc76803f26668e92acda11cfc4bbf16 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 1 Feb 2016 13:54:18 +0100 Subject: [bug] Fix duplicate definition error for Class[Apt] We need to include class `site_config::default` in class `site_config::slow` so we don't get this duplicate definition: - [local1.bitmask.local] Error: Duplicate declaration: Class[Apt] is already declared; cannot redeclare at /srv/leap/puppet/modules/site_apt/manifests/init.pp:29 on node local1.bitmask.local To be honest, i didn't figuered out the real cause of this, but it works with this. --- puppet/modules/site_config/manifests/slow.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp index de276bc3..8e9b7035 100644 --- a/puppet/modules/site_config/manifests/slow.pp +++ b/puppet/modules/site_config/manifests/slow.pp @@ -4,6 +4,7 @@ class site_config::slow { tag 'leap_slow' + include site_config::default include apt::update class { 'site_apt::dist_upgrade': } } -- cgit v1.2.3 From 559b2ccaa71e2c5c459d7a6bea39de975f15cb1c Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 1 Feb 2016 16:53:10 +0100 Subject: [refactor] Use Exec[apt_updated] instead of Exec[refresh_apt] Because this is the recommended way of depnending in the apt README. --- puppet/modules/site_apt/manifests/dist_upgrade.pp | 2 +- puppet/modules/site_apt/manifests/init.pp | 2 +- puppet/modules/site_config/manifests/default.pp | 2 +- puppet/modules/site_config/manifests/remove/jessie.pp | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet/modules') 
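Review bot: `include site_config::default` inside site_config::slow is a workaround whose cause the commit message says is not understood, and the code carries no trace of that; add a comment so it is not removed as redundant, e.g. `# Must precede apt::update: without it Class[Apt] is declared twice (site_apt/manifests/init.pp:29); root cause not yet understood.` That error typically arises when a resource-like `class { 'apt': … }` declaration is evaluated after an `include apt` elsewhere, so the include here probably just fixes evaluation order — worth checking site_apt for such a declaration rather than leaving the workaround in place indefinitely.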
diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index 40e2dd58..0eb98cea 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -11,7 +11,7 @@ class site_apt::dist_upgrade { command => "/usr/bin/apt-get -q -y -o 'DPkg::Options::=--force-confold' dist-upgrade", refreshonly => false, timeout => 1200, - require => Exec['refresh_apt'] + require => Exec['apt_updated'] } } } diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index fea4b8e7..04b1ce69 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -55,7 +55,7 @@ class site_apt { # All packages should be installed _after_ refresh_apt is called, # which does an apt-get update. - Exec['refresh_apt'] -> + Exec['apt_updated'] -> Package <||> } diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 96f06e6c..b5d0f32d 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -16,7 +16,7 @@ class site_config::default { # 'apt-get update' is executed by 'site_config::slow', it should be done # before any packages are installed. - Package { require => Exec['refresh_apt'] } + Package { require => Exec['apt_updated'] } # default class, used by all hosts diff --git a/puppet/modules/site_config/manifests/remove/jessie.pp b/puppet/modules/site_config/manifests/remove/jessie.pp index cbeaae05..c813e46d 100644 --- a/puppet/modules/site_config/manifests/remove/jessie.pp +++ b/puppet/modules/site_config/manifests/remove/jessie.pp @@ -3,7 +3,7 @@ class site_config::remove::jessie { tidy { '/etc/apt/preferences.d/rsyslog_anon_depends': - notify => Exec['refresh_apt']; + notify => Exec['apt_updated']; } } -- cgit v1.2.3 
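Review bot: The site_apt hunk changes the ordering to `Exec['apt_updated'] ->` but leaves the comment two lines above saying `_after_ refresh_apt is called`; update it to `# All packages should be installed _after_ Exec['apt_updated'] has run (apt::update's apt-get update).` More importantly, the dist_upgrade.pp `require` and the jessie.pp `notify => Exec['apt_updated']` now target an exec that the earlier slow.pp hunk shows is brought in by `include apt::update` from site_config::slow; on a `leap deploy --fast` catalog those references would fail to resolve unless class apt declares it as well — I cannot see which from this page, so please verify a `--fast` run.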
From 5471630d583d21bc21ec1e6a1e17056c2bdecb23 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 1 Feb 2016 17:35:16 +0100 Subject: [refactor] Dont duplicate Package resource override `site_apt` aready ensures for installing packages after Exec[update_apt] is run, so we don't need to duplicate this in `site_config::default.pp`. --- puppet/modules/site_apt/manifests/init.pp | 8 +++----- puppet/modules/site_config/manifests/default.pp | 12 ------------ 2 files changed, 3 insertions(+), 17 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 04b1ce69..447e1781 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -52,10 +52,8 @@ class site_apt { pin => 'origin "deb.leap.se"' } -# All packages should be installed _after_ refresh_apt is called, -# which does an apt-get update. - - Exec['apt_updated'] -> - Package <||> + # All packages should be installed after 'update_apt' is called, + # which does an 'apt-get update'. + Exec['update_apt'] -> Package <||> } diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index b5d0f32d..256de1a1 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp 
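Review bot: This hunk orders on `Exec['update_apt']` while the previous commit's dist_upgrade.pp and jessie.pp hunks reference `Exec['apt_updated']`. If `apt_updated` is an alias of that same exec in the apt module both names resolve to one resource, but mixing them forces every reader to look up the alias; pick one name across site_apt and site_config and record it in the comment, e.g. `# Exec['update_apt'] (alias 'apt_updated') is declared by apt::update.` — adjusted to whichever name the module actually declares.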
@@ -7,18 +7,6 @@ class site_config::default { include site_config::params include site_config::setup - # By default, the class 'site_config::slow' is included in site.pp. - # It basically does an 'apt-get update' and 'apt-get dist-upgrade'. - # This class can be excluded by using 'leap deploy --fast', - # see https://leap.se/en/docs/platform/details/under-the-hood#tags for more - # details. - # The following Package resource override makes sure that *if* an - # 'apt-get update' is executed by 'site_config::slow', it should be done - # before any packages are installed. - - Package { require => Exec['apt_updated'] } - - # default class, used by all hosts include lsb, git -- cgit v1.2.3 From ea2955c73150dc7417b2637acb2b29a955550c29 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 1 Feb 2016 20:51:04 +0100 Subject: [bug] Fix bigcouch spoolfile removal - Resolves: #7641 --- puppet/modules/site_config/manifests/remove/bigcouch.pp | 1 - puppet/modules/site_config/manifests/remove/monitoring.pp | 12 ++++-------- 2 files changed, 4 insertions(+), 9 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove/bigcouch.pp b/puppet/modules/site_config/manifests/remove/bigcouch.pp index f8e0ebe2..26ba8d09 100644 --- a/puppet/modules/site_config/manifests/remove/bigcouch.pp +++ b/puppet/modules/site_config/manifests/remove/bigcouch.pp @@ -6,7 +6,6 @@ class site_config::remove::bigcouch { file { '/etc/check_mk/logwatch.d/bigcouch.cfg': ensure => absent, notify => [ - Exec['remove_bigcouch_logwatch_spoolfiles'], Exec['remove_bigcouch_logwatch_stateline'] ] } diff --git a/puppet/modules/site_config/manifests/remove/monitoring.pp b/puppet/modules/site_config/manifests/remove/monitoring.pp index ab9f7a8f..18e2949b 100644 --- a/puppet/modules/site_config/manifests/remove/monitoring.pp +++ b/puppet/modules/site_config/manifests/remove/monitoring.pp 
@@ -1,17 +1,13 @@ # remove leftovers on monitoring nodes class site_config::remove::monitoring { + # Remove check_mk loggwatch spoolfiles for + # tapicero and bigcouch tidy { - 'checkmk_logwatch_spool': + 'remove_logwatch_spoolfiles': path => '/var/lib/check_mk/logwatch', recurse => true, - matches => '*tapicero.log' - } - - # remove leftover bigcouch logwatch spool files - exec { 'remove_bigcouch_logwatch_spoolfiles': - command => 'find /var/lib/check_mk/logwatch -name \'\\opt\\bigcouch\\var\\log\\bigcouch.log\' -exec rm {} \;', - refreshonly => true, + matches => [ '*tapicero.log', '*bigcouch.log']; } } -- cgit v1.2.3 From 49c8a0c2a5ff413430b4bf7cc90f39f28c936b3e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 2 Feb 2016 14:41:17 +0100 Subject: [bug] Add smtpd_relay_restrictions to postfix conf smtpd_relay_restrictions was added in postfix 2.10 (jessie has 2.11 atm). Without this, outbound mails are rejected to be relayed. from http://www.postfix.org/SMTPD_ACCESS_README.html: NOTE: Postfix versions before 2.10 did not have smtpd_relay_restrictions. They combined the mail relay and spam blocking policies, under smtpd_recipient_restrictions. This could lead to unexpected results. For example, a permissive spam blocking policy could unexpectedly result in a permissive mail relay policy. An example of this is documented under "Dangerous use of smtpd_recipient_restrictions". smtpd_relay_restrictions defaults to 'permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination' and is configured here to check for a valid client cert. see http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions - Resolves: #7856 --- puppet/modules/site_postfix/manifests/mx.pp | 29 +++++++++++++++------- .../site_postfix/manifests/mx/smtpd_checks.pp | 4 +++ 2 files changed, 24 insertions(+), 9 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index cd493807..02b9fbdd 100644 
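Review bot: Typo in the new comment: `# Remove check_mk logwatch spoolfiles for`. Replacing the `refreshonly` exec with a `tidy` also removes the dependency on a cross-node notify, which is the right fix for the earlier breakage; the `matches` array is interpreted as globs, so `'*bigcouch.log'` should match the backslash-encoded spool name without any quoting games.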
--- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -93,20 +93,31 @@ class site_postfix::mx { # greater verbosity for debugging, take out for production #include site_postfix::debug - class { 'postfix': - preseed => true, - root_mail_recipient => $root_mail_recipient, - smtp_listen => 'all', - mastercf_tail => - "smtps inet n - - - - smtpd + case $::operatingsystemrelease { + /^7.*/: { + $smtpd_relay_restrictions='' + } + default: { + $smtpd_relay_restrictions=" -o smtpd_relay_restrictions=\$smtps_relay_restrictions\n" + } + } + + $mastercf_tail = " +smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt - -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions +${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions -o smtpd_helo_restrictions=\$smtps_helo_restrictions -o smtpd_client_restrictions= -o cleanup_service_name=clean_smtps -clean_smtps unix n - n - 0 cleanup - -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers", +clean_smtps unix n - n - 0 cleanup + -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers" + + class { 'postfix': + preseed => true, + root_mail_recipient => $root_mail_recipient, + smtp_listen => 'all', + mastercf_tail => $mastercf_tail, require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0ea452ee..291d7ee4 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,3 +1,5 @@ +# smtpd checks for incoming mail on smtp port 25 and +# mail sent via the bitmask client using smtps port 465 class site_postfix::mx::smtpd_checks { postfix::config { 
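Review bot: The `case $::operatingsystemrelease { /^7.*/: … }` decides whether to emit `-o smtpd_relay_restrictions=…` by Debian release rather than by the Postfix version that introduced the parameter (2.10, per the commit message), and nothing in the code says so; add `# wheezy's postfix predates 2.10 and has no smtpd_relay_restrictions` above the `/^7.*/` arm. Style: puppet-lint will flag `$smtpd_relay_restrictions=''` and the other assignment for missing spaces around `=`, and the new `$mastercf_tail` value now begins with a newline that becomes the first line of the appended master.cf block — harmless, but glance at the rendered file. The hunk ends inside the `class { 'postfix': }` declaration.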
@@ -23,6 +25,8 @@ class site_postfix::mx::smtpd_checks { # disable a user by removing their valid client cert (#3634) 'smtps_recipient_restrictions': value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'smtps_relay_restrictions': + value => 'permit_mynetworks, permit_tls_clientcerts, defer_unauth_destination'; 'smtps_helo_restrictions': value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': -- cgit v1.2.3 From 461c682cccef760248d6c24d93c6ae47dd14fd22 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 2 Feb 2016 15:50:13 -0500 Subject: fix postfix Received anonymizing header regexp to properly match Client CN entries (#7867) Change-Id: Ie33277a62e90f9dc0602bb963dbb96a61cebed1d --- puppet/modules/site_postfix/files/checks/received_anon | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/files/checks/received_anon b/puppet/modules/site_postfix/files/checks/received_anon index 2822973e..9de25e63 100644 --- a/puppet/modules/site_postfix/files/checks/received_anon +++ b/puppet/modules/site_postfix/files/checks/received_anon 
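Review bot: The new `'smtps_relay_restrictions'` value ends in `defer_unauth_destination` (a temporary 4xx that makes the client retry), while the `smtps_recipient_restrictions` line just above ends in `reject_unauth_destination`; for a client-certificate submission service a permanent reject is usually preferred so unauthorized relay attempts are not retried, so please confirm the defer is intentional and otherwise use `value => 'permit_mynetworks, permit_tls_clientcerts, reject_unauth_destination';`. A comment noting that this list is only consulted on jessie and later (the wheezy arm in mx.pp omits the override) would save the next reader a trip to mx.pp. The enclosing postfix::config block continues outside the hunk.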
@@ -1,2 +1,2 @@ -/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))([[:space:]]+).*(\(using [.[:alnum:]]+ with cipher [-A-Z0-9]+ \([0-9]+\/[0-9]+ bits\)\))[[:space:]]+\(Client CN "([[:alnum:]]+)", Issuer "[[:print:]]+" \(verified OK\)\)[[:space:]]+by ([.[:alnum:]]+) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ +/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))([[:space:]]+).*(\(using [.[:alnum:]]+ with cipher [-A-Z0-9]+ \([0-9]+\/[0-9]+ bits\)\))[[:space:]]+\(Client CN "([-._@[:alnum:]]+)", Issuer "[[:print:]]+" \(verified OK\)\)[[:space:]]+by ([.[:alnum:]]+) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${3}${2}(Authenticated sender: $4)${2}with $7 id $8 -- cgit v1.2.3 From bd8b87f076db5e800de39e570a6b42976be40435 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Wed, 27 Jan 2016 12:22:53 +0100 Subject: add postscreen greeter (Resolves: 2303) --- puppet/modules/site_postfix/manifests/mx.pp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 02b9fbdd..59a02598 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -10,8 +10,9 @@ class site_postfix::mx { $mynetworks = join(hiera('mynetworks', ''), ' ') $rbls = suffix(prefix(hiera('rbls', []), 'reject_rbl_client '), ',') - $root_mail_recipient = hiera('contacts') - $postfix_smtp_listen = 'all' + $root_mail_recipient = hiera('contacts') + $postfix_smtp_listen = 'all' + $postfix_use_postscreen = 'yes' include site_config::x509::cert include site_config::x509::key @@ -79,6 +80,10 @@ class site_postfix::mx { value => 'smtp'; 'mailbox_command': value => ''; + 'postscreen_access_list': + value => 'permit_mynetworks'; + 'postscreen_greet_action': + value => 'enforce'; } include site_postfix::mx::smtpd_checks 
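Review bot: The widened `Client CN "([-._@[:alnum:]]+)"` group is still an exact-layout match, and the rule is fail-open: any Received header the expression does not match — a CN with a character outside that class, a differently worded cipher description, a `"` inside the Issuer — passes through untouched and the client's hostname and IP are delivered in the header. For an anonymisation control that is the wrong default; consider a second, looser rule after this one that matches only the `from (… [ip])` prefix together with `(Client CN "…" … (verified OK))` and rewrites it, so a miss on the detailed pattern still strips the address, and keep a small fixture of real Received lines to test both rules against. The commit message gives no example of the CN that failed, so I cannot confirm that `@` and `-._` cover every CN the CA issues.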
@@ -118,6 +123,7 @@ clean_smtps unix n - n - 0 cleanup root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', mastercf_tail => $mastercf_tail, + use_postscreen => 'yes', require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], -- cgit v1.2.3 From cee2702b9c66e7e303494822993f46986685d87a Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 9 Feb 2016 16:32:46 -0500 Subject: Due to the smtps transport specifying a header_check, the received_anon replacement wasn't being done. (#7890) This moves that replacement into its own class, clears the old value and sets it properly in the smtps transport. Change-Id: I27c02730597df4943761d8bcb61014aeded9dc75 --- puppet/modules/site_postfix/manifests/mx.pp | 21 ++++++++++++--------- puppet/modules/site_postfix/manifests/mx/checks.pp | 18 ------------------ .../site_postfix/manifests/mx/received_anon.pp | 13 +++++++++++++ 3 files changed, 25 insertions(+), 27 deletions(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/received_anon.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 02b9fbdd..c4ab1bba 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp 
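Review bot: `$postfix_use_postscreen = 'yes'` is assigned in the first mx.pp hunk of this commit, but the `class { 'postfix': }` hunk passes the literal `use_postscreen => 'yes',`; use the variable (`use_postscreen => $postfix_use_postscreen,`) or drop the assignment, since an unused variable invites someone to change it and see no effect (the pre-existing `$postfix_smtp_listen` has the same problem). A short comment on `postscreen_access_list => 'permit_mynetworks'` stating that mynetworks clients skip the greet test, and one noting that `postscreen_greet_action => 'enforce'` rejects rather than merely logs clients that talk before the banner — which some legitimate but broken senders trigger — would set expectations for whoever reads the bounce reports. The class site_postfix::mx continues outside the hunk.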
@@ -79,16 +79,19 @@ class site_postfix::mx { value => 'smtp'; 'mailbox_command': value => ''; + 'header_checks': + value => ''; } - include site_postfix::mx::smtpd_checks - include site_postfix::mx::checks - include site_postfix::mx::smtp_tls - include site_postfix::mx::smtpd_tls - include site_postfix::mx::static_aliases - include site_postfix::mx::rewrite_openpgp_header - include clamav - include postfwd + include ::site_postfix::mx::smtpd_checks + include ::site_postfix::mx::checks + include ::site_postfix::mx::smtp_tls + include ::site_postfix::mx::smtpd_tls + include ::site_postfix::mx::static_aliases + include ::site_postfix::mx::rewrite_openpgp_header + include ::site_postfix::mx::received_anon + include ::clamav + include ::postfwd # greater verbosity for debugging, take out for production #include site_postfix::debug @@ -111,7 +114,7 @@ ${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_r -o smtpd_client_restrictions= -o cleanup_service_name=clean_smtps clean_smtps unix n - n - 0 cleanup - -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers" + -o header_checks=pcre:/etc/postfix/checks/rewrite_openpgp_headers,pcre:/etc/postfix/checks/received_anon" class { 'postfix': preseed => true, diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp index 5d75a5e5..f406ad34 100644 --- a/puppet/modules/site_postfix/manifests/mx/checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp 
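Review bot: Setting `'header_checks': value => ''` clears the global table, so after this change header checks run only for mail that enters through the smtps service (`clean_smtps` with the combined pcre list); mail arriving on port 25 gets none, which is fine for received_anon (its pattern only fits client-cert sessions) but is a silent change for anything else that relied on the global table — say so at the config line: `# cleared on purpose: header checks are attached per service in $mastercf_tail (clean_smtps)`. The removed postfix::config also carried `require => File['/etc/postfix/checks/received_anon']`; the master.cf override has no such ordering, so on a fresh node the first reload may happen before received_anon exists — add an explicit `before`/`require` between `File['/etc/postfix/checks/received_anon']` and the postfix class if the module does not already order them (I cannot see its internals). Switching every `include` to `::`-anchored names is a good consistency fix.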
@@ -20,22 +20,4 @@ class site_postfix::mx::checks { refreshonly => true, subscribe => File['/etc/postfix/checks/helo_checks']; } - - # Anonymize the user's home IP from the email headers (Feature #3866) - package { 'postfix-pcre': ensure => installed, require => Package['postfix'] } - - file { '/etc/postfix/checks/received_anon': - source => 'puppet:///modules/site_postfix/checks/received_anon', - mode => '0644', - owner => root, - group => root, - notify => Service['postfix'] - } - - postfix::config { - 'header_checks': - value => 'pcre:/etc/postfix/checks/received_anon', - require => File['/etc/postfix/checks/received_anon']; - } - } diff --git a/puppet/modules/site_postfix/manifests/mx/received_anon.pp b/puppet/modules/site_postfix/manifests/mx/received_anon.pp new file mode 100644 index 00000000..51ba3faa --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/received_anon.pp @@ -0,0 +1,13 @@ +# Anonymize the user's home IP from the email headers (Feature #3866) +class site_postfix::mx::received_anon { + + package { 'postfix-pcre': ensure => installed, require => Package['postfix'] } + + file { '/etc/postfix/checks/received_anon': + source => 'puppet:///modules/site_postfix/checks/received_anon', + mode => '0644', + owner => root, + group => root, + notify => Service['postfix'] + } +} -- cgit v1.2.3 From b8bca2d764bbf13a92e7ea861ab510db9b18e3bb Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 2 Feb 2016 11:02:17 -0500 Subject: Disable journald in order to resolve IP logging subversion (#7863) Change-Id: I9cee85c19d86dc7c8d70c4cdeb2e7426191b57a5 --- puppet/modules/journald/manifests/init.pp | 7 +++++++ puppet/modules/site_config/manifests/syslog.pp | 19 ++++++++++++++++--- 2 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 puppet/modules/journald/manifests/init.pp (limited to 'puppet/modules') diff --git a/puppet/modules/journald/manifests/init.pp b/puppet/modules/journald/manifests/init.pp new file mode 100644 index 00000000..879baba4 
--- /dev/null +++ b/puppet/modules/journald/manifests/init.pp @@ -0,0 +1,7 @@ +class journald { + + service { 'systemd-journald': + ensure => running, + enable => true, + } +} diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index c397dc15..d1deefcd 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -4,12 +4,25 @@ class site_config::syslog { # only pin rsyslog packages to backports on wheezy case $::operatingsystemrelease { /^7.*/: { - include site_apt::preferences::rsyslog + include ::site_apt::preferences::rsyslog + } + # on jessie+ systems, systemd and journald are enabled, + # and journald logs IP addresses, so we need to disable + # it until a solution is found, (#7863): + # https://github.com/systemd/systemd/issues/2447 + default: { + include ::journald + augeas { + 'disable_journald': + incl => '/etc/systemd/journald.conf', + lens => 'Puppet.lns', + changes => 'set /files/etc/systemd/journald.conf/Journal/Storage \'none\'', + notify => Service['systemd-journald']; + } } - default: { } } - class { 'rsyslog::client': + class { '::rsyslog::client': log_remote => false, log_local => true } -- cgit v1.2.3 From 70444eaf7b07affa832795f7e520c9ef2bd53791 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 9 Feb 2016 16:47:52 -0500 Subject: Allow ecdsa hostkeys (#7642) until we can safely transition providers to better key algorithm choices. Change-Id: I6b9ec83dbfbf15d1b65e14145bf625db6517f6b7 --- puppet/modules/site_sshd/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index be0d3368..a9202da4 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp 
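Review bot: `Storage=none` stops journald retaining new entries (forwarding to syslog keeps working, which is presumably why the new `journald` class keeps `systemd-journald` at `ensure => running`), but it does nothing about journal files already written under /var/log/journal or /run/log/journal before this change; if #7863 is about addresses already on disk, those need removing too, e.g. a `tidy` on those directories inside the same `default:` arm. The journald class itself has no comment and its name suggests the opposite of what the commit does — `# Keeps journald running (needed for syslog forwarding) while site_config::syslog turns its storage off (#7863)` would set expectations. The `augeas` resource's `changes` string with the escaped `\'none\'` is worth a `--noop` run to confirm the written value is `none` without stray quotes.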
@@ -76,6 +76,7 @@ MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
 tcp_forwarding => $ssh_config['AllowTcpForwarding'],
 manage_client => false,
 use_storedconfigs => false,
- tail_additional_options => $tail_additional_options
+ tail_additional_options => $tail_additional_options,
+ hostkey_type => [ 'rsa', 'dsa', 'ecdsa' ]
 }
 }
-- cgit v1.2.3
From fe312317f6b9ba98a8020a381aa72bfe28bf412f Mon Sep 17 00:00:00 2001
From: kwadronaut
Date: Fri, 12 Feb 2016 00:50:42 +0100
Subject: update postfix submodule for postscreen (Resolves: 2303)
---
 puppet/modules/postfix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/postfix b/puppet/modules/postfix
index 3a5ca6c7..7a92279d 160000
--- a/puppet/modules/postfix
+++ b/puppet/modules/postfix
@@ -1 +1 @@
-Subproject commit 3a5ca6c754451405fd0c3efec7dc72bed57f4081
+Subproject commit 7a92279d623493dd95de8eaaca5815e625e305a3
-- cgit v1.2.3
From ff818d6be896201adf0b1c9ded9316949dc954d2 Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 16 Feb 2016 16:43:54 -0800
Subject: remove pinning of openvpn package to backports
---
 puppet/modules/site_apt/manifests/init.pp | 7 ++++---
 puppet/modules/site_apt/manifests/preferences/openvpn.pp | 9 ---------
 puppet/modules/site_config/manifests/remove/files.pp | 2 ++
 puppet/modules/site_openvpn/manifests/init.pp | 8 +-------
 4 files changed, 7 insertions(+), 19 deletions(-)
 delete mode 100644 puppet/modules/site_apt/manifests/preferences/openvpn.pp
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp
index 447e1781..d6fe0e72 100644
--- a/puppet/modules/site_apt/manifests/init.pp
+++ b/puppet/modules/site_apt/manifests/init.pp
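Review bot: The new `hostkey_type` list re-enables `dsa` host keys alongside ecdsa, although the subject and the accompanying sentence only ask for ecdsa; ssh-dss host keys are fixed at 1024 bits and OpenSSH 7.0 (August 2015) stopped offering them by default, so current clients will not negotiate them anyway. If no provider still depends on a DSA host key, `hostkey_type => [ 'rsa', 'ecdsa' ]` meets the stated goal with less to maintain, and either way the line should carry the ticket, e.g. `# temporarily allow ecdsa host keys (#7642) until providers move to stronger key types`. The enclosing `class { 'sshd': ... }` declaration starts outside the hunk.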
@@ -37,9 +37,10 @@ class site_apt { include ::site_apt::unattended_upgrades - apt::sources_list { 'secondary.list.disabled': - content => template('site_apt/secondary.list'); - } + # not currently used + #apt::sources_list { 'secondary.list': + # content => template('site_apt/secondary.list'); + #} apt::preferences_snippet { 'facter': release => "${::lsbdistcodename}-backports", diff --git a/puppet/modules/site_apt/manifests/preferences/openvpn.pp b/puppet/modules/site_apt/manifests/preferences/openvpn.pp deleted file mode 100644 index c7ddae25..00000000 --- a/puppet/modules/site_apt/manifests/preferences/openvpn.pp +++ /dev/null @@ -1,9 +0,0 @@ -class site_apt::preferences::openvpn { - - apt::preferences_snippet { 'openvpn': - package => 'openvpn', - release => "${::lsbdistcodename}-backports", - priority => 999; - } - -} diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 3efcbf0f..afdd4fce 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp @@ -16,6 +16,8 @@ class site_config::remove::files { '/etc/default/leap_mx':; '/etc/logrotate.d/mx':; '/etc/rsyslog.d/50-mx.conf':; + '/etc/apt/preferences.d/openvpn':; + '/etc/apt/sources.list.d/secondary.list.disabled.list':; } # diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 7397d89c..540262d0 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -174,14 +174,8 @@ class site_openvpn { include site_shorewall::eip - # In wheezy, we need the openvpn backport to get the 2.3 version of - # openvpn which has proper ipv6 support - include site_apt::preferences::openvpn - package { - 'openvpn': - ensure => latest, - require => Class['site_apt::preferences::openvpn']; + 'openvpn': ensure => latest } service { -- cgit v1.2.3 
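Review bot: Commenting the `apt::sources_list { 'secondary.list': ... }` resource out instead of deleting it leaves dead code that lint ignores and that the next reader cannot tell apart from a pending change; git history already preserves the old resource. Delete the four commented lines, or replace them with a single pointer such as `# secondary.list is no longer deployed; its old file is purged by site_config::remove::files` so this spot and the new entry in remove/files.pp stay connected.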
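Review bot: The removed comment recorded why the backport pin existed — wheezy's stock openvpn lacks proper IPv6 support — and the new code says nothing about whether wheezy is no longer supported or the regression is accepted, while site_config::syslog in this same series still carries a wheezy branch. The surviving `package { 'openvpn': ensure => latest }` also means every agent run may now upgrade openvpn from whichever repository wins apt's priority, with no pin making that choice deterministic; `ensure => installed`, or a comment stating the intended version policy, would be the safer default for a VPN daemon. The `include site_shorewall::eip` context line suggests the class body continues outside the hunk.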
From 54d7a668e1c74bcec39fc60743670bba982b4fa9 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Feb 2016 09:52:01 +0100 Subject: Update submodule postfix --- puppet/modules/postfix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 7a92279d..cce918f7 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 7a92279d623493dd95de8eaaca5815e625e305a3 +Subproject commit cce918f784ebf8a8875f43c79bc3a1f39ab9456b -- cgit v1.2.3 From 170dfcfc219471dcc4ae58949457f251fd4e067d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Feb 2016 14:49:37 +0100 Subject: Update submodule vcsrepo --- puppet/modules/vcsrepo | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/vcsrepo b/puppet/modules/vcsrepo index f92d0922..4e23209e 160000 --- a/puppet/modules/vcsrepo +++ b/puppet/modules/vcsrepo @@ -1 +1 @@ -Subproject commit f92d09226cfddb0c7e5e342dd199d8ea05b497cb +Subproject commit 4e23209eaccf1ab504d35158f4141b3053327c2f -- cgit v1.2.3 From 685642e8bfdaff16a4f02bd40b5d2aef15b68d94 Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 13 Feb 2016 23:48:48 -0800 Subject: get dkim working, closes #5924 --- puppet/modules/opendkim/manifests/init.pp | 13 +++++++------ puppet/modules/opendkim/templates/opendkim.conf | 3 ++- puppet/modules/site_config/manifests/x509/dkim/key.pp | 13 ------------- 3 files changed, 9 insertions(+), 20 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/x509/dkim/key.pp (limited to 'puppet/modules') diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp index 9e67569e..e2e766e7 100644 --- a/puppet/modules/opendkim/manifests/init.pp +++ b/puppet/modules/opendkim/manifests/init.pp 
@@ -1,13 +1,15 @@ -# configure opendkim service (#5924) +# +# I am not sure about what issues might arise with DKIM key sizes +# larger than 2048. It might or might not be supported. See: +# http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.3.3.3 +# class opendkim { $domain_hash = hiera('domain') $domain = $domain_hash['full_suffix'] $dkim = hiera('dkim') - $selector = $dkim['dkim_selector'] - - include site_config::x509::dkim::key - $dkim_key = "${x509::variables::keys}/dkim.key" + $selector = $dkim['selector'] + $dkim_key = $dkim['private_key'] ensure_packages(['opendkim', 'libopendkim7', 'libvbr2']) @@ -23,7 +25,6 @@ class opendkim { enable => true, hasstatus => true, hasrestart => true, - require => Class['Site_config::X509::Dkim::Key'], subscribe => File[$dkim_key]; } diff --git a/puppet/modules/opendkim/templates/opendkim.conf b/puppet/modules/opendkim/templates/opendkim.conf index 46ddb7a8..5a948229 100644 --- a/puppet/modules/opendkim/templates/opendkim.conf +++ b/puppet/modules/opendkim/templates/opendkim.conf @@ -18,7 +18,6 @@ SubDomains yes # can we generate a larger key and get it in dns? KeyFile <%= @dkim_key %> -# what selector do we use? Selector <%= @selector %> # Commonly-used options; the commented-out versions show the defaults. @@ -26,6 +25,8 @@ Canonicalization relaxed #Mode sv #ADSPDiscard no +SignatureAlgorithm rsa-sha256 + # Always oversign From (sign using actual From and a null From to prevent # malicious signatures header fields (From and/or others) between the signer # and the verifier. From is oversigned by default in the Debian pacakge diff --git a/puppet/modules/site_config/manifests/x509/dkim/key.pp b/puppet/modules/site_config/manifests/x509/dkim/key.pp deleted file mode 100644 index c63a7e94..00000000 --- a/puppet/modules/site_config/manifests/x509/dkim/key.pp +++ /dev/null 
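Review bot: `subscribe => File[$dkim_key]` in the service resource still references a File resource, but this commit removes the `site_config::x509::dkim::key` include that deployed the key through `x509::key` and declares no `file { $dkim_key: }` in its place, so unless another class manages that path the catalog fails on an unresolved relationship rather than at runtime. Since `$dkim['private_key']` is now an operator-supplied path handed straight to `KeyFile`, the class should also own the key's permissions, e.g. `file { $dkim_key: ensure => file, mode => '0600', owner => 'opendkim', group => 'opendkim', require => Package['opendkim'] }`, rather than trust whatever placed it. The new header comment about key sizes above 2048 bits is useful but drops the `(#5924)` reference the old comment carried; keeping the ticket in the header costs nothing.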
@@ -1,13 +0,0 @@ -class site_config::x509::dkim::key { - - ## - ## This is for the DKIM key that is used exclusively for DKIM - ## signing - - $x509 = hiera('x509') - $key = $x509['dkim_key'] - - x509::key { 'dkim': - content => $key - } -} -- cgit v1.2.3 From da2c743faaccd26604c4c26fbb1557934688eb4a Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 1 Feb 2016 15:56:41 -0800 Subject: default to plain couchdb, unless otherwise specified. # Conflicts: # puppet/modules/site_couchdb/manifests/plain.pp --- .../manifests/agent/couchdb/master.pp | 23 ---------------------- .../site_check_mk/manifests/agent/couchdb/plain.pp | 23 ++++++++++++++++++++++ puppet/modules/site_couchdb/manifests/init.pp | 4 ++-- puppet/modules/site_couchdb/manifests/master.pp | 15 -------------- puppet/modules/site_couchdb/manifests/plain.pp | 15 ++++++++++++++ 5 files changed, 40 insertions(+), 40 deletions(-) delete mode 100644 puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp create mode 100644 puppet/modules/site_check_mk/manifests/agent/couchdb/plain.pp delete mode 100644 puppet/modules/site_couchdb/manifests/master.pp create mode 100644 puppet/modules/site_couchdb/manifests/plain.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp deleted file mode 100644 index 291b87d1..00000000 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb/master.pp +++ /dev/null 
@@ -1,23 +0,0 @@ -# configure logwatch and nagios checks for plain single couchdb master -class site_check_mk::agent::couchdb::master { - - # remove bigcouch leftovers - augeas { - 'Bigcouch_epmd_procs': - incl => '/etc/check_mk/mrpe.cfg', - lens => 'Spacevars.lns', - changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs', - require => File['/etc/check_mk/mrpe.cfg']; - 'Bigcouch_beam_procs': - incl => '/etc/check_mk/mrpe.cfg', - lens => 'Spacevars.lns', - changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs', - require => File['/etc/check_mk/mrpe.cfg']; - 'Bigcouch_open_files': - incl => '/etc/check_mk/mrpe.cfg', - lens => 'Spacevars.lns', - changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files', - require => File['/etc/check_mk/mrpe.cfg']; - } - -} diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb/plain.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb/plain.pp new file mode 100644 index 00000000..3ec2267b --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb/plain.pp @@ -0,0 +1,23 @@ +# configure logwatch and nagios checks for plain single couchdb master +class site_check_mk::agent::couchdb::plain { + + # remove bigcouch leftovers + augeas { + 'Bigcouch_epmd_procs': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_epmd_procs', + require => File['/etc/check_mk/mrpe.cfg']; + 'Bigcouch_beam_procs': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_beam_procs', + require => File['/etc/check_mk/mrpe.cfg']; + 'Bigcouch_open_files': + incl => '/etc/check_mk/mrpe.cfg', + lens => 'Spacevars.lns', + changes => 'rm /files/etc/check_mk/mrpe.cfg/Bigcouch_open_files', + require => File['/etc/check_mk/mrpe.cfg']; + } + +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 8d79ae75..0c126f0c 100644 
--- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -41,8 +41,8 @@ class site_couchdb { $couchdb_pwhash_alg = $couchdb_config['pwhash_alg'] if $couchdb_mode == 'multimaster' { include site_couchdb::bigcouch } - if $couchdb_mode == 'master' { include site_couchdb::master } - if $couchdb_mode == 'mirror' { include site_couchdb::mirror } + if $couchdb_mode == 'plain' { include site_couchdb::plain } + # if $couchdb_mode == 'mirror' { include site_couchdb::mirror } Class['site_config::default'] -> Service['shorewall'] diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp deleted file mode 100644 index 49d90f2f..00000000 --- a/puppet/modules/site_couchdb/manifests/master.pp +++ /dev/null @@ -1,15 +0,0 @@ -# this class sets up a single, plain couchdb node -class site_couchdb::master { - class { 'couchdb': - admin_pw => $site_couchdb::couchdb_admin_pw, - admin_salt => $site_couchdb::couchdb_admin_salt, - chttpd_bind_address => '127.0.0.1', - pwhash_alg => $site_couchdb::couchdb_pwhash_alg - } - - include site_check_mk::agent::couchdb::master - - # remove bigcouch leftovers from previous installations - include ::site_config::remove::bigcouch - -} diff --git a/puppet/modules/site_couchdb/manifests/plain.pp b/puppet/modules/site_couchdb/manifests/plain.pp new file mode 100644 index 00000000..64209142 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/plain.pp @@ -0,0 +1,15 @@ +# this class sets up a single, plain couchdb node +class site_couchdb::plain { + class { 'couchdb': + admin_pw => $site_couchdb::couchdb_admin_pw, + admin_salt => $site_couchdb::couchdb_admin_salt, + chttpd_bind_address => '127.0.0.1', + pwhash_alg => $site_couchdb::couchdb_pwhash_alg + } + + include site_check_mk::agent::couchdb::plain + + # remove bigcouch leftovers from previous installations + include ::site_config::remove::bigcouch + +} -- cgit v1.2.3 
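Review bot: With the `mirror` branch commented out, a `couchdb.mode` value other than `multimaster` or `plain` — including the old `master` that this commit renames away from, or a typo — matches no `if`, and the node compiles without any couchdb class and without an error. A guard such as `unless $couchdb_mode in ['multimaster', 'plain'] { fail("unsupported couchdb mode: ${couchdb_mode}") }` turns that silent misconfiguration into a deploy-time failure. The commented-out `# if $couchdb_mode == 'mirror' ...` line should either be deleted or replaced by a comment saying why mirror mode is disabled.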
From e5ecf06ef15637cb52f65424d6d7d889731c68a9 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 11 Feb 2016 15:35:54 -0800 Subject: use pbkdf2 pwhash for plain couch. --- puppet/modules/site_couchdb/manifests/plain.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/plain.pp b/puppet/modules/site_couchdb/manifests/plain.pp index 64209142..9338e56a 100644 --- a/puppet/modules/site_couchdb/manifests/plain.pp +++ b/puppet/modules/site_couchdb/manifests/plain.pp @@ -4,7 +4,7 @@ class site_couchdb::plain { admin_pw => $site_couchdb::couchdb_admin_pw, admin_salt => $site_couchdb::couchdb_admin_salt, chttpd_bind_address => '127.0.0.1', - pwhash_alg => $site_couchdb::couchdb_pwhash_alg + pwhash_alg => 'pbkdf2' } include site_check_mk::agent::couchdb::plain -- cgit v1.2.3 From fd599945751a489a638fadace51c871f59346a46 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 23 Feb 2016 11:40:14 -0500 Subject: We are rotating the mx logs 5 times, but we originally thought we should only have the following logfiles in that directory ever: mx.log, mx.log.[1-5], with an optional .gz suffix. However, we were wrong about the 'optional' part of the compression, we use the 'compress' option, so the logs will always be compressed. So there should never be the log files mx.log.1, mx.log.2, etc. This change adjusts the clean-up to deal with that. (#7058) https://github.com/leapcode/leap_platform/pull/97 Change-Id: I109d08ac063fe094c54e93be91893a67d7fbb51b --- puppet/modules/site_config/manifests/remove/files.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index afdd4fce..5aa07e53 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp 
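Review bot: Hard-coding `pwhash_alg => 'pbkdf2'` silently ignores the `couchdb.pwhash_alg` hiera key that `site_couchdb::init` still reads into `$couchdb_pwhash_alg` (visible in the init.pp hunk above), so an operator who sets that key gets neither an error nor an effect. Either drop the variable from init.pp in the same change or add `# pbkdf2 is required for plain couchdb; the hiera pwhash_alg setting is intentionally ignored here` next to the parameter so the override is discoverable.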
@@ -33,7 +33,8 @@ class site_config::remove::files { 'leap_mx': path => '/var/log/', recurse => true, - matches => ['leap_mx*', 'mx.log.[6-9](.gz)?', 'mx.log.[0-9][0-9](.gz)?']; + matches => ['leap_mx*', 'mx.log.[1-5]', 'mx.log.[6-9](.gz)?', + 'mx.log.[0-9][0-9](.gz)?']; '/srv/leap/webapp/public/provider.json':; '/srv/leap/couchdb/designs/tmp_users': recurse => true, -- cgit v1.2.3 From cff07b7b3642c0d53e02cb0885f24250037b8d15 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 23 Feb 2016 14:15:17 -0500 Subject: Update opendkim platform pieces to match leap-cli. Change-Id: I9c8f9c9c3ee7cd89f013cbb08397377522ed5a4a --- puppet/modules/opendkim/manifests/init.pp | 50 ++++++++++++++++++++++------- puppet/modules/site_postfix/manifests/mx.pp | 7 +++- 2 files changed, 45 insertions(+), 12 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp index e2e766e7..4d4c5312 100644 --- a/puppet/modules/opendkim/manifests/init.pp +++ b/puppet/modules/opendkim/manifests/init.pp @@ -7,17 +7,20 @@ class opendkim { $domain_hash = hiera('domain') $domain = $domain_hash['full_suffix'] - $dkim = hiera('dkim') + $mx = hiera('mx') + $dkim = $mx['dkim'] $selector = $dkim['selector'] + $dkim_cert = $dkim['public_key'] $dkim_key = $dkim['private_key'] - ensure_packages(['opendkim', 'libopendkim7', 'libvbr2']) + ensure_packages(['opendkim', 'libvbr2']) # postfix user needs to be in the opendkim group # in order to access the opendkim socket located at: # local:/var/run/opendkim/opendkim.sock user { 'postfix': - groups => 'opendkim'; + groups => 'opendkim', + require => Package['opendkim']; } service { 'opendkim': 
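Review bot: If this `leap_mx` resource is a `tidy` (its declaration begins outside the hunk), `matches` takes shell globs rather than regular expressions, so the carried-over `mx.log.[6-9](.gz)?` and `mx.log.[0-9][0-9](.gz)?` patterns only match literal parentheses and never remove a `.gz` file; they should be spelled as separate globs, `'mx.log.[6-9]', 'mx.log.[6-9].gz', 'mx.log.[0-9][0-9]', 'mx.log.[0-9][0-9].gz'`. The new `'mx.log.[1-5]'` glob also assumes rotated logs are compressed immediately; if the logrotate stanza for mx.log uses `delaycompress`, `mx.log.1` is legitimately uncompressed and would be deleted on every run, so that assumption deserves a comment beside the pattern.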
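Review bot: The comment above `user { 'postfix': groups => 'opendkim' }` still says the group is needed to reach `local:/var/run/opendkim/opendkim.sock`, but the second hunk of this same commit moves the milter to `inet:8891@localhost` and mx.pp now points Postfix at `inet:localhost:8891`, so the membership no longer serves the documented purpose. Either drop the `user` resource along with the unix socket, or reword the comment to state the remaining reason, e.g. `# postfix stays in the opendkim group for <reason>; the milter itself now listens on inet:localhost:8891` with the placeholder filled in.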
@@ -28,12 +31,37 @@ class opendkim { subscribe => File[$dkim_key]; } - file { '/etc/opendkim.conf': - ensure => present, - content => template('opendkim/opendkim.conf'), - mode => '0644', - owner => root, - group => root, - notify => Service['opendkim'], - require => Package['opendkim']; + file { + '/etc/opendkim.conf': + ensure => file, + content => template('opendkim/opendkim.conf'), + mode => '0644', + owner => root, + group => root, + notify => Service['opendkim'], + require => Package['opendkim']; + + '/etc/default/opendkim.conf': + ensure => file, + content => 'SOCKET="inet:8891@localhost" # listen on loopback on port 8891', + mode => '0644', + owner => root, + group => root, + notify => Service['opendkim'], + require => Package['opendkim']; + + $dkim_key: + ensure => file, + mode => '0600', + owner => 'opendkim', + group => 'opendkim', + require => Package['opendkim']; + + $dkim_cert: + ensure => file, + mode => '0600', + owner => 'opendkim', + group => 'opendkim', + require => Package['opendkim']; + } } diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2ea54d0a..3230d4f0 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -67,8 +67,12 @@ class site_postfix::mx { # alias map 'local_recipient_maps': value => '$alias_maps'; + # setup clamav and opendkim on smtpd 'smtpd_milters': - value => 'unix:/run/clamav/milter.ctl,unix:/var/run/opendkim/opendkim.sock'; + value => 'unix:/run/clamav/milter.ctl,inet:localhost:8891'; + # setup opendkim for smtp (non-smtpd) outgoing mail + 'non_smtpd_milters': + value => 'inet:localhost:8891'; 'milter_default_action': value => 'accept'; # Make sure that the right values are set, these could be set to different 
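Review bot: On Debian the opendkim init script sources `/etc/default/opendkim`, not `/etc/default/opendkim.conf`, so the `SOCKET="inet:8891@localhost"` line written here is most likely never read and the daemon keeps whatever `Socket` the opendkim.conf template sets (not visible in this hunk). If that template does not also select `inet:8891@localhost`, Postfix's new `inet:localhost:8891` milter entries find nothing listening and, with `milter_default_action accept`, mail flows unsigned without an error. Please verify the path against the package and add `# read by /etc/init.d/opendkim; must agree with Socket in /etc/opendkim.conf` to whichever file actually carries the setting. The `$dkim_cert` resource applies mode 0600 to a public key, which is harmless but `0644` states the intent better.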
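Review bot: Pointing both `smtpd_milters` and the new `non_smtpd_milters` at `inet:localhost:8891` while `milter_default_action` stays `accept` makes an unreachable opendkim invisible: inbound and outbound mail keeps flowing unsigned and unverified with nothing but a log line. That is a defensible availability choice, but it should be stated next to the setting, e.g. `# accept: a down clamav/opendkim milter must not block delivery; opendkim availability has to be monitored separately`, and the `non_smtpd_milters` comment should say why clamav is not on the non-smtpd path. The `postfix::config` block these entries belong to starts outside the hunk.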
@@ -96,6 +100,7 @@ class site_postfix::mx { include ::site_postfix::mx::rewrite_openpgp_header include ::site_postfix::mx::received_anon include ::clamav + include ::opendkim include ::postfwd # greater verbosity for debugging, take out for production -- cgit v1.2.3 From e3f2f2f10a8dfc054ed752209d160c59f5efd6ac Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Feb 2016 09:21:29 +0100 Subject: Update module stunnel --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index b0dc7c84..79e874c1 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit b0dc7c84b5f55aec12d7d65da812037913d9dbee +Subproject commit 79e874c1a86ad5c48c4e726a5d4c68bd879ce454 -- cgit v1.2.3 From 70df05dce934a3d3803ea78e39200c37215cad04 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 24 Feb 2016 11:22:53 +0100 Subject: Use site_couchdb::plain even when couch.master is set top "master" --- puppet/modules/site_couchdb/manifests/init.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 0c126f0c..0c282e1c 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -40,8 +40,9 @@ class site_couchdb { $couchdb_mode = $couchdb_config['mode'] $couchdb_pwhash_alg = $couchdb_config['pwhash_alg'] - if $couchdb_mode == 'multimaster' { include site_couchdb::bigcouch } - if $couchdb_mode == 'plain' { include site_couchdb::plain } + if $couchdb_mode == 'multimaster' { include site_couchdb::bigcouch } + if $couchdb_mode =~ /^(plain|master)$/ { include site_couchdb::plain } + # if $couchdb_mode == 'mirror' { include site_couchdb::mirror } Class['site_config::default'] -- cgit v1.2.3 From db3edbb51b2f3617eb97f203e0cc6ac4f51d98c7 Mon Sep 17 00:00:00 2001 
From: varac Date: Wed, 24 Feb 2016 22:30:06 +0100 Subject: [bug] Adopt ncli aliases to new version of icli - Resolves: #7887 --- puppet/modules/site_nagios/templates/icli_aliases.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nagios/templates/icli_aliases.erb b/puppet/modules/site_nagios/templates/icli_aliases.erb index f1428f9e..bcb2abb0 100644 --- a/puppet/modules/site_nagios/templates/icli_aliases.erb +++ b/puppet/modules/site_nagios/templates/icli_aliases.erb @@ -3,5 +3,5 @@ alias ncli_problems='ncli -z '!o,!A'' <% @environments.keys.sort.each do |env_name| %> alias ncli_<%= env_name %>='ncli -z '!o,!A' -g <%= env_name %>' -alias ncli_<%= env_name %>_recheck='ncli -s Check_MK -g <%= env_name %> -r' -<% end -%> \ No newline at end of file +alias ncli_<%= env_name %>_recheck='ncli -s Check_MK -g <%= env_name %> -a R' +<% end -%> -- cgit v1.2.3 From 6c8d3a7639af50266a56ed0661006280c7198b2f Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Feb 2016 09:46:07 +0100 Subject: no build-essential packages needed for building leap_cli --- puppet/modules/leap/manifests/cli/install.pp | 2 -- 1 file changed, 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/leap/manifests/cli/install.pp b/puppet/modules/leap/manifests/cli/install.pp index 6a12a4a5..25e87033 100644 --- a/puppet/modules/leap/manifests/cli/install.pp +++ b/puppet/modules/leap/manifests/cli/install.pp @@ -4,7 +4,6 @@ class leap::cli::install ( $source = false ) { # needed for building leap_cli from source include ::git include ::rubygems - include ::site_config::packages::build_essential class { '::ruby': install_dev => true @@ -14,7 +13,6 @@ class leap::cli::install ( $source = false ) { Class[Ruby] -> Class[rubygems] -> - Class[::site_config::packages::build_essential] -> Class[bundler::install] -- cgit v1.2.3 From a33a7d634ab33f46814bd154882f3b1c9b3b3978 Mon Sep 17 00:00:00 2001 
From: varac Date: Thu, 25 Feb 2016 15:59:55 +0100 Subject: remove couchdb_pwhash_alg leftover --- puppet/modules/site_apache/manifests/common.pp | 6 +++++- puppet/modules/site_couchdb/manifests/init.pp | 1 - 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index dadf7ea5..8a11759a 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp @@ -4,7 +4,11 @@ class site_apache::common { include apache::module::rewrite include apache::module::env - class { '::apache': no_default_site => true, ssl => true } + class { '::apache': + no_default_site => true, + ssl => true, + ssl_cipher_suite => 'HIGH:MEDIUM:!aNULL:!MD5' + } # needed for the mod_ssl config include apache::module::mime diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 0c282e1c..b3d9fdf0 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -38,7 +38,6 @@ class site_couchdb { $couchdb_backup = $couchdb_config['backup'] $couchdb_mode = $couchdb_config['mode'] - $couchdb_pwhash_alg = $couchdb_config['pwhash_alg'] if $couchdb_mode == 'multimaster' { include site_couchdb::bigcouch } if $couchdb_mode =~ /^(plain|master)$/ { include site_couchdb::plain } -- cgit v1.2.3 From c6e45bc1097ed0a9dc7cb33898ea0b4e60635983 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Feb 2016 16:08:32 +0100 Subject: couchdb module uses pbkdf2 as default pwhash algor. now --- puppet/modules/couchdb | 2 +- puppet/modules/site_couchdb/manifests/plain.pp | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index b2dada71..53a4c75a 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb 
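Review bot: `ssl_cipher_suite => 'HIGH:MEDIUM:!aNULL:!MD5'` pulls in OpenSSL's MEDIUM group, which on the OpenSSL 1.0.1/1.0.2 of wheezy and jessie includes RC4 and SEED; RC4 was prohibited for TLS by RFC 7465 a year before this commit, so the new string is weaker than a plain `HIGH:!aNULL:!MD5` while offering nothing a current client needs. Suggest `ssl_cipher_suite => 'HIGH:!aNULL:!MD5:!RC4'` (or a maintained intermediate list) with a comment recording the date and rationale so the policy can be revisited. The commit subject only mentions the couchdb_pwhash_alg leftover, so the apache cipher change should be split into its own commit to keep it visible in history.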
@@ -1 +1 @@ -Subproject commit b2dada713dd3486dec8eaf9bdcd1e223c9297f68 +Subproject commit 53a4c75ae09feb6d89b3535886663356d9ef4287 diff --git a/puppet/modules/site_couchdb/manifests/plain.pp b/puppet/modules/site_couchdb/manifests/plain.pp index 9338e56a..b40fc100 100644 --- a/puppet/modules/site_couchdb/manifests/plain.pp +++ b/puppet/modules/site_couchdb/manifests/plain.pp @@ -3,8 +3,7 @@ class site_couchdb::plain { class { 'couchdb': admin_pw => $site_couchdb::couchdb_admin_pw, admin_salt => $site_couchdb::couchdb_admin_salt, - chttpd_bind_address => '127.0.0.1', - pwhash_alg => 'pbkdf2' + chttpd_bind_address => '127.0.0.1' } include site_check_mk::agent::couchdb::plain -- cgit v1.2.3 From 64752269a4068c823d8ca0d19db852631e7d9dd2 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Feb 2016 18:20:07 +0100 Subject: check-mk's mk_job depends on the time package --- puppet/modules/site_check_mk/manifests/agent.pp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index 589041eb..5dc4eeff 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -1,9 +1,14 @@ +# installs check-mk agent class site_check_mk::agent { $ssh_hash = hiera('ssh') $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] $type = $ssh_hash['authorized_keys']['monitor']['type'] + + # /usr/bin/mk-job depends on /usr/bin/time + ensure_packages('time') + class { 'site_apt::preferences::check_mk': } -> class { 'check_mk::agent': @@ -11,7 +16,8 @@ class site_check_mk::agent { agent_logwatch_package_name => 'check-mk-agent-logwatch', method => 'ssh', homedir => '/etc/nagios/check_mk', - register_agent => false + register_agent => false, + requires => Package['time'] } -> class { 'site_check_mk::agent::mrpe': } -> -- cgit v1.2.3 
From 0206d426bd51aa4805915f6e23b53d5fdb40d738 Mon Sep 17 00:00:00 2001
From: varac
Date: Thu, 25 Feb 2016 18:23:38 +0100
Subject: fix typo in last commit
---
 puppet/modules/site_check_mk/manifests/agent.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp
index 5dc4eeff..8d8ab814 100644
--- a/puppet/modules/site_check_mk/manifests/agent.pp
+++ b/puppet/modules/site_check_mk/manifests/agent.pp
@@ -17,7 +17,7 @@ class site_check_mk::agent {
 method => 'ssh',
 homedir => '/etc/nagios/check_mk',
 register_agent => false,
- requires => Package['time']
+ require => Package['time']
 } ->
 class { 'site_check_mk::agent::mrpe': } ->
-- cgit v1.2.3
From 89a3cd71f50a383a5f85510193087446da0e661f Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 26 Feb 2016 01:44:48 -0800
Subject: plain couchdb now required, bigcouch support disabled.
---
 puppet/modules/site_couchdb/manifests/init.pp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 0c282e1c..3f670ed2 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -40,10 +40,13 @@ class site_couchdb { $couchdb_mode = $couchdb_config['mode'] $couchdb_pwhash_alg = $couchdb_config['pwhash_alg'] - if $couchdb_mode == 'multimaster' { include site_couchdb::bigcouch } - if $couchdb_mode =~ /^(plain|master)$/ { include site_couchdb::plain } + # ensure bigcouch has been purged from the system: + # TODO: remove this check in 0.9 release + if file('/opt/bigcouch/bin/bigcouch', '/dev/null') != '' { + fail 'ERROR: BigCouch appears to be installed. Make sure you have migrated to CouchDB before proceeding. See https://leap.se/upgrade-0-8' + } - # if $couchdb_mode == 'mirror' { include site_couchdb::mirror } + include site_couchdb::plain Class['site_config::default'] -> Service['shorewall'] -- cgit v1.2.3 From f3575cbf80312bd29da9c3c9756f2d5f276be5ed Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Feb 2016 13:12:27 +0100 Subject: Update submodules apache and apt --- puppet/modules/apache | 2 +- puppet/modules/apt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/apache b/puppet/modules/apache index 41815f55..117bed9a 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 41815f55ec7187a75aec4717c78270593f9776de +Subproject commit 117bed9a9263c21d253d86b667eb165948efdc24 diff --git a/puppet/modules/apt b/puppet/modules/apt index d997142b..33c61e8d 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit d997142b0cb55b23ed85ee32bbbb72d4456465d1 +Subproject commit 33c61e8df59db1abbed379a9e9790946060a8f1e -- cgit v1.2.3 From ee4fc33396aa52f9ec797fd431b3027d88fa1aa7 Mon Sep 17 00:00:00 2001 
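Review bot: Puppet's `file()` function reads from the filesystem of the host compiling the catalog, not from the agent, so `file('/opt/bigcouch/bin/bigcouch', '/dev/null')` only detects a leftover BigCouch when the catalog is compiled on the node itself (as with `puppet apply`); compiled on a master it always falls through to `/dev/null` and the `fail` never fires. A fact is the portable way to express this, and at minimum the assumption should be written down: `# file() runs where the catalog is compiled; this check relies on puppet apply running on the node`. The hunk is based on 0c282e1c and keeps the `$couchdb_pwhash_alg` context line that the earlier "remove couchdb_pwhash_alg leftover" commit in this series deletes, so the two may conflict when merged.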
From: varac Date: Wed, 2 Mar 2016 13:03:12 +0100 Subject: Dont recreate nagios resources on every run Use purging of nagios resources in a way that not all resources are recreated on every puppetrun. Resolves: #2327 --- .../site_nagios/files/configs/Debian/nagios.cfg | 24 ++++++++++++--- puppet/modules/site_nagios/manifests/server.pp | 36 +++++++++++++++++----- .../site_nagios/manifests/server/hostgroup.pp | 5 ++- .../modules/site_nagios/manifests/server/purge.pp | 19 ------------ 4 files changed, 52 insertions(+), 32 deletions(-) delete mode 100644 puppet/modules/site_nagios/manifests/server/purge.pp (limited to 'puppet/modules') diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 981dc12a..695f437b 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg 
@@ -22,18 +22,32 @@ log_file=/var/log/nagios3/nagios.log # if you wish (as shown below), or keep them all in a single config file. #cfg_file=/etc/nagios3/commands.cfg -# Puppet-managed configuration files -cfg_dir=/etc/nagios3/conf.d +# Check_mk configuration files +cfg_dir=/etc/nagios3/conf.d/check_mk -# check-mk managed configuration files -cfg_dir=/etc/nagios3/local +# Puppet-managed configuration files +cfg_file=/etc/nagios3/nagios_templates.cfg +cfg_file=/etc/nagios3/nagios_command.cfg +cfg_file=/etc/nagios3/nagios_contact.cfg +cfg_file=/etc/nagios3/nagios_contactgroup.cfg +cfg_file=/etc/nagios3/nagios_host.cfg +cfg_file=/etc/nagios3/nagios_hostdependency.cfg +cfg_file=/etc/nagios3/nagios_hostescalation.cfg +cfg_file=/etc/nagios3/nagios_hostextinfo.cfg +cfg_file=/etc/nagios3/nagios_hostgroup.cfg +cfg_file=/etc/nagios3/nagios_hostgroupescalation.cfg +cfg_file=/etc/nagios3/nagios_service.cfg +cfg_file=/etc/nagios3/nagios_servicedependency.cfg +cfg_file=/etc/nagios3/nagios_serviceescalation.cfg +cfg_file=/etc/nagios3/nagios_serviceextinfo.cfg +cfg_file=/etc/nagios3/nagios_servicegroup.cfg +cfg_file=/etc/nagios3/nagios_timeperiod.cfg # Debian also defaults to using the check commands defined by the debian # nagios-plugins package cfg_dir=/etc/nagios-plugins/config - # OBJECT CACHE FILE # This option determines where object definitions are cached when # Nagios starts/restarts. The CGIs read object definitions from diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 5c833508..bb3948c0 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp 
@@ -1,8 +1,7 @@
 # configures nagios on monitoring node
+# lint:ignore:inherits_across_namespaces
 class site_nagios::server inherits nagios::base {
-
- # First, purge old nagios config (see #1467)
- class { 'site_nagios::server::purge': }
+# lint:endignore
 $nagios_hiera = hiera('nagios')
 $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw'])
@@ -25,10 +24,33 @@ class site_nagios::server inherits nagios::base {
 stored_config => false,
 }
- file { '/etc/apache2/conf.d/nagios3.conf':
- ensure => link,
- target => '/usr/share/doc/nagios3-common/examples/apache2.conf',
- notify => Service['apache']
+ # Delete nagios config files provided by packages
+ # These don't get parsed by nagios.conf, but are
+ # still irritating duplicates to the real config
+ # files deployed by puppet in /etc/nagios3/
+ file { [
+ '/etc/nagios3/conf.d/contacts_nagios2.cfg',
+ '/etc/nagios3/conf.d/extinfo_nagios2.cfg',
+ '/etc/nagios3/conf.d/generic-host_nagios2.cfg',
+ '/etc/nagios3/conf.d/generic-service_nagios2.cfg',
+ '/etc/nagios3/conf.d/hostgroups_nagios2.cfg',
+ '/etc/nagios3/conf.d/localhost_nagios2.cfg',
+ '/etc/nagios3/conf.d/pnp4nagios.cfg',
+ '/etc/nagios3/conf.d/services_nagios2.cfg',
+ '/etc/nagios3/conf.d/timeperiods_nagios2.cfg' ]:
+ ensure => absent;
+ }
+
+ # deploy apache nagios3 config
+ # until https://gitlab.com/shared-puppet-modules-group/apache/issues/11
+ # is not fixed, we need to manually deploy the config file
+ file {
+ '/etc/apache2/conf-available/nagios3.conf':
+ ensure => present,
+ source => 'puppet:///modules/nagios/configs/apache2.conf';
+ '/etc/apache2/conf-enabled/nagios3.conf':
+ ensure => link,
+ target => '/etc/apache2/conf-available/nagios3.conf';
 }
 include site_apache::common
diff --git a/puppet/modules/site_nagios/manifests/server/hostgroup.pp b/puppet/modules/site_nagios/manifests/server/hostgroup.pp
index 6f85ca6d..25623924 100644
--- a/puppet/modules/site_nagios/manifests/server/hostgroup.pp
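Review bot: The new `/etc/apache2/conf-available/nagios3.conf` and `conf-enabled/nagios3.conf` resources in the second hunk drop the `notify => Service['apache']` that the removed `/etc/apache2/conf.d/nagios3.conf` link carried, so a changed apache2.conf source or a recreated link will not reload Apache until something else restarts it. Add `notify => Service['apache'],` to both resources, assuming Service['apache'] is still declared by site_apache::common as the removed code relied on. The `ensure => absent` list for the package-shipped conf.d files is fine, but a short comment noting that a nagios3 package upgrade can restore them until the next puppet run would help operators reading a spurious "duplicate definition" in the Nagios log. The class body continues outside the hunk.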
+++ b/puppet/modules/site_nagios/manifests/server/hostgroup.pp
@@ -1,3 +1,6 @@
+# create a nagios hostsgroup
 define site_nagios::server::hostgroup ($contact_emails) {
- nagios_hostgroup { $name: }
+ nagios_hostgroup { $name:
+ ensure => present
+ }
 }
diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp
deleted file mode 100644
index 6815a703..00000000
--- a/puppet/modules/site_nagios/manifests/server/purge.pp
+++ /dev/null
@@ -1,19 +0,0 @@
-class site_nagios::server::purge inherits nagios::base {
- # we don't want to get /etc/nagios3 and /etc/nagios3/conf.d
- # purged, cause the check-mk-config-nagios3 package
- # places its templates in /etc/nagios3/conf.d/check_mk,
- # and check_mk -O updated it's nagios config in /etc/nagios3/conf.d/check_mk
- File['nagios_cfgdir'] {
- purge => false
- }
- File['nagios_confd'] {
- purge => false
- }
-
- # only purge files in the /etc/nagios3/conf.d/ dir, not in any subdir
- exec {'purge_conf.d':
- command => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f -exec rm {} \;',
- onlyif => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f | grep -q "/etc/nagios3/conf.d"',
- require => Package['nagios']
- }
-}
-- cgit v1.2.3
From f73c3d220769faf4dce5e8582fe8cd655f50c996 Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 4 Mar 2016 13:59:13 -0800
Subject: only not create soledad admin .netrc file if soledad is enabled
---
 puppet/modules/site_couchdb/manifests/setup.pp | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_couchdb/manifests/setup.pp b/puppet/modules/site_couchdb/manifests/setup.pp
index fef48505..710d3c1c 100644
--- a/puppet/modules/site_couchdb/manifests/setup.pp
+++ b/puppet/modules/site_couchdb/manifests/setup.pp
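Review bot: The new header comment in hostgroup.pp has a typo, `# create a nagios hostsgroup` should read `# create a nagios hostgroup`. The whole define is visible in the hunk and its `$contact_emails` parameter is never referenced in the body, so either it is consumed somewhere not shown here or it is dead; if the latter, a `# TODO: $contact_emails is unused` marker or removing the parameter (after checking callers) would avoid the impression that contacts are wired up per hostgroup.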
@@ -34,12 +34,14 @@ class site_couchdb::setup {
 # setup /etc/couchdb/couchdb-soledad-admin.netrc file for couchdb admin
 # access, accessible only for the soledad-admin user to create soledad
 # userdbs
- file { '/etc/couchdb/couchdb-soledad-admin.netrc':
- content => "machine localhost login ${user} password ${site_couchdb::couchdb_admin_pw}",
- mode => '0400',
- owner => 'soledad-admin',
- group => 'root',
- require => [ Package['couchdb'], User['soledad-admin'] ];
+ if member(hiera('services', []), 'soledad') {
+ file { '/etc/couchdb/couchdb-soledad-admin.netrc':
+ content => "machine localhost login ${user} password ${site_couchdb::couchdb_admin_pw}",
+ mode => '0400',
+ owner => 'soledad-admin',
+ group => 'root',
+ require => [ Package['couchdb'], User['soledad-admin'] ];
+ }
 }
 # Checkout couchdb_scripts repo
-- cgit v1.2.3
From e7ccdeb6c98ceb6b6afcb09a31d79faba63edbad Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 4 Mar 2016 14:59:33 -0800
Subject: move the location of couchdb.admin.yml so that it does not need to have its ownership reset on each deploy.
---
 puppet/modules/site_webapp/manifests/couchdb.pp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 5cf7f953..c13052eb 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
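Review bot: The new `if member(hiera('services', []), 'soledad')` guard only stops creating the netrc file; it has no else branch, so on a node where soledad was enabled earlier and is later removed from `services`, `/etc/couchdb/couchdb-soledad-admin.netrc` stays on disk with the CouchDB admin password in it. Manage the negative case explicitly, e.g. `} else { file { '/etc/couchdb/couchdb-soledad-admin.netrc': ensure => absent } }`, which also needs no `User['soledad-admin']` dependency. Since the content is a credential, a one-line comment that the file is purged when the service is disabled belongs next to the existing `# access, accessible only for the soledad-admin user` comment. The enclosing class continues outside the hunk.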
@@ -19,12 +19,18 @@ class site_webapp::couchdb {
 mode => '0600',
 require => Vcsrepo['/srv/leap/webapp'];
+ # couchdb.admin.yml is a symlink to prevent the vcsrepo resource
+ # from changing its user permissions every time.
 '/srv/leap/webapp/config/couchdb.admin.yml':
+ ensure => 'link',
+ target => '/srv/leap/couchdb/couchdb.admin.yml',
+ require => Vcsrepo['/srv/leap/webapp'];
+
+ '/srv/leap/couchdb/couchdb.admin.yml':
 content => template('site_webapp/couchdb.admin.yml.erb'),
 owner => 'root',
 group => 'root',
- mode => '0600',
- require => Vcsrepo['/srv/leap/webapp'];
+ mode => '0600';
 '/srv/leap/webapp/log':
 ensure => directory,
-- cgit v1.2.3
From 3ea675a94c73b4376c6df46d56933253d0911bc9 Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 4 Mar 2016 16:03:41 -0800
Subject: ensure /var/leap/couchdb exists before creating files there.
---
 puppet/modules/site_webapp/manifests/couchdb.pp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index c13052eb..223604a9 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -30,7 +30,8 @@ class site_webapp::couchdb {
 content => template('site_webapp/couchdb.admin.yml.erb'),
 owner => 'root',
 group => 'root',
- mode => '0600';
+ mode => '0600',
+ require => File['/srv/leap/couchdb'];
 '/srv/leap/webapp/log':
 ensure => directory,
-- cgit v1.2.3
From 0ec326f27feecda1357ca7ba8b1c09ef2567a481 Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 4 Mar 2016 22:50:25 -0800
Subject: fix location of couchdb.admin.yml
---
 puppet/modules/site_webapp/manifests/couchdb.pp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 223604a9..71450370 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -23,15 +23,15 @@ class site_webapp::couchdb {
 # from changing its user permissions every time.
 '/srv/leap/webapp/config/couchdb.admin.yml':
 ensure => 'link',
- target => '/srv/leap/couchdb/couchdb.admin.yml',
+ target => '/etc/leap/couchdb.admin.yml',
 require => Vcsrepo['/srv/leap/webapp'];
- '/srv/leap/couchdb/couchdb.admin.yml':
+ '/etc/leap/couchdb.admin.yml':
 content => template('site_webapp/couchdb.admin.yml.erb'),
 owner => 'root',
 group => 'root',
 mode => '0600',
- require => File['/srv/leap/couchdb'];
+ require => File['/etc/leap'];
 '/srv/leap/webapp/log':
 ensure => directory,
-- cgit v1.2.3
From 4c72ad2a67c4183e957d20972ec8f1d12acc97d2 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 8 Mar 2016 09:36:50 +0100
Subject: updated submodule couchdb
---
 puppet/modules/couchdb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
index 53a4c75a..40d2289f 160000
--- a/puppet/modules/couchdb
+++ b/puppet/modules/couchdb
@@ -1 +1 @@
-Subproject commit 53a4c75ae09feb6d89b3535886663356d9ef4287
+Subproject commit 40d2289f8e10625cd45fdccdf492b5fb6490e66d
-- cgit v1.2.3
From 65d01365ac0e1ab25189ee9b58546e85cd806da4 Mon Sep 17 00:00:00 2001
From: varac
Date: Tue, 8 Mar 2016 10:14:05 +0100
Subject: [bug] Fix inline template with deprecated variable notation
- Resolves: #7948
---
 puppet/modules/site_openvpn/manifests/init.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 540262d0..f5eb7fd0 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -69,7 +69,7 @@ class site_openvpn {
 # thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/
 # we can do this using an inline_template:
 $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}"
- $primary_netmask = inline_template('<%= scope.lookupvar(factname_primary_netmask) %>')
+ $primary_netmask = inline_template('<%= scope.lookupvar(@factname_primary_netmask) %>')
 # deploy dh keys
 include site_openvpn::dh_key
-- cgit v1.2.3
From 274b1805f13355cdbb0c2b98fb5ef9ce8d3a97f6 Mon Sep 17 00:00:00 2001
From: Micah
Date: Tue, 8 Mar 2016 10:23:27 -0500
Subject: change name of leap-keyring package to leap-archive-keyring (#7950)
Change-Id: I5f04e31e49642597c69895b5aca3ff5326dfd6ec
---
 puppet/modules/site_apt/manifests/leap_repo.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp
index 60948d91..5eedce45 100644
--- a/puppet/modules/site_apt/manifests/leap_repo.pp
+++ b/puppet/modules/site_apt/manifests/leap_repo.pp
@@ -9,7 +9,7 @@ class site_apt::leap_repo {
 before => Exec[refresh_apt]
 }
- package { 'leap-keyring':
+ package { 'leap-archive-keyring':
 ensure => latest
 }
-- cgit v1.2.3
From 51adb8067575cc4e37d04d262da9a45afea09787 Mon Sep 17 00:00:00 2001
From: Micah
Date: Tue, 8 Mar 2016 15:25:32 -0500
Subject: update copy of the archive signing keys, switching to the new names
Change-Id: I0305e33c743c15ec38abcf66979a1b2f582f693c
---
 .../modules/site_apt/files/keys/leap-archive.gpg | Bin 0 -> 20188 bytes
 .../files/keys/leap-experimental-archive.gpg | Bin 0 -> 3423 bytes
 .../site_apt/files/keys/leap_experimental_key.asc | 76 ----
 puppet/modules/site_apt/files/keys/leap_key.asc | 443 ---------------------
 4 files changed, 519 deletions(-)
 create mode 100644 puppet/modules/site_apt/files/keys/leap-archive.gpg
 create mode 100644 puppet/modules/site_apt/files/keys/leap-experimental-archive.gpg
 delete mode 100644 puppet/modules/site_apt/files/keys/leap_experimental_key.asc
 delete mode 100644 puppet/modules/site_apt/files/keys/leap_key.asc
(limited to 'puppet/modules')
diff --git a/puppet/modules/site_apt/files/keys/leap-archive.gpg b/puppet/modules/site_apt/files/keys/leap-archive.gpg
new file mode 100644
index 00000000..dd7f3be6
Binary files /dev/null and b/puppet/modules/site_apt/files/keys/leap-archive.gpg differ
diff --git a/puppet/modules/site_apt/files/keys/leap-experimental-archive.gpg b/puppet/modules/site_apt/files/keys/leap-experimental-archive.gpg
new file mode 100644
index 00000000..5cc9064b
Binary files /dev/null and b/puppet/modules/site_apt/files/keys/leap-experimental-archive.gpg differ
diff --git a/puppet/modules/site_apt/files/keys/leap_experimental_key.asc b/puppet/modules/site_apt/files/keys/leap_experimental_key.asc
deleted file mode 100644
index 1baa1a67..00000000
--- a/puppet/modules/site_apt/files/keys/leap_experimental_key.asc
+++ /dev/null
@@ -1,76 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFRiYXMBEAC/96OXISCU9kndpa7zYedBd4NzXppk1hRPDgGH5Ccl7mFYRaaY -abKOJuilvMThBn2GelFRVXrhFT0K6TVCbrAaLHpb7KGpaxgKY/a+mYCA9BAtYkvR -ru4Xh6VhozI5hDlIDCD5og96d7ymYjVaxiN89ilh4j8TL5Bh4PoCaxIbmxHiVmtM -fIKw9LPAvpViC+8iS+x751plK8NFe4lAbSycWh3AdDfM5wSlUpEa1FwFuilo4Jya -upEY9Uk5qLlNTFTBJmVEwKFXT0swb2o62EzN4LbW7yNC69Ign+G+PCNBiYhIdUKJ -6dPAUexaSAxW6NPf/rdMVHY6tBlx41lzPvnF3ysnsoxKGdoU/Jbri4cIJRikMnzW -GFCJmUdEPkAkkKHgGXCipvrM6Amhmp3Kg5PQUIjRafH9CBo0bsPSordtk/GarMe+ -8fxZ0rjyLN17hsgwWKCWBIBvPAB0UTh22xjNDh4jmehn5ijdjqKatchcEu9MsSPA -l5r0aU+cDLghw6c8TmbqYfOK2nkbwBVkctWjlVohnO1PAOdxwQ0gFoZf3o9QIADg -BsZTy2CZCag9OK0NCiMoO47JoAdQiaFcUAJvjOwncoE3SuyKTtKitENuAmzl7xjY -HNyq72t7TKBJaWqzngnIp2nsJVaZ8Va+7hC/xqRbWoXVrY5mp53xwJQoiwARAQAB -tDZMRUFQIGV4cGVyaW1lbnRhbCBhcmNoaXZlIHNpZ25pbmcga2V5IDxzeXNkZXZA -bGVhcC5zZT6JAj4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJU -70BcBQkET0XnAAoJEIN8GtU2dCnZ37gQALHC4ms+1zqht2rO2WB8mD9Hi8a0hvUm -v94pbsdovb4whZNYwAt9KLjo2COZArj9grpSq0Cu7nrnL01OdZ7spi1sFbrWAsE7 -Fdtx0LceTXcpNgjpQkfBUFxo+tdXnMIGM8ZF4afKRJX4+oVdxqZ0GXwP3fXqcHKk -oEMGtQkCQlORzmhe3q3gQTc4hgut2Z4DihprdF83jTZFCkfuQdlZqx93aOmmNuSZ -0ElE3k1F4D0KSO70BZmxLQQAWdaHOpKX7ABcF6gcRf2IRwZleL5tTecxYAUvcPvy -h9KGRLkxLesCbBrop7k3X+NQUj94reFyTcLrPpzHtoqENrfy49nxJXJRzN5O1YA/ -b9VwcRqICszqydwmHeEPf3GEss3A3maamDnhrw8F7NEB6u7GzV00iH7C+ZHUrirk -Hifiz7u88fsKF8VJh0K9oJiD1IQ8+ctQUNU0ObXRy6bizduKHBgYnNTHzVgUIfzZ -j0IUjH+xpuTrk1Ry1GUtj0rr+qmc+smh7Jw1apSQx8Yr4Dv613IhVe8v/bLsuLDo -tChYLLzrXp02sOKz1jw2LX1YAC3VRm4iQi25CQM3O62MxNep1+oRY6C1PXmINb8z -iuZpSa+lIKqWpu07O0Taevpkg2R95lNdQ3zAF2vAwghSQCPzYqLbX2wHnUESK/5Y -r/VqRDKoJqb4iQI+BBMBAgAoBQJUYmFzAhsDBQkB4TOABgsJCAcDAgYVCAIJCgsE -FgIDAQIeAQIXgAAKCRCDfBrVNnQp2fAhD/4jROIUTlOLxPmYIt9RSAH+aaVQb3Jz -JYYKpU8KCgxNHZ0CJX2IHVs+slR5tpWTCWfRRcy+KDxc89MCpQH0TggIom515VIY -53oc6r4UXjEdWP5QvL2Kq8s/EWNxQ9rTiHlP8PzZcavVgCOm7xHdqtAdRs7hkXLp -5WFxT9GzLXnXROOmV8dfX3P9qc3uHtct9tAaMm7GZOBH0So3a6MhZtiNzSTuuXBf 
-zL88ETTkp8qwFr+ZV5SzvUIkP2CESk4O3YEEz1d+cBEeL/RlTz91aVyB5sEIHtk5 -xAaATRMYxDOW6y3au61R1esWspU35CuJW3y58Mm5wM/EhhNIQBpKawMAlBPxRUag -MF594UkAWJWblnuOzJm5XOXwQpkGfJLgpxxfpi7P5qZagESt8eTeXH8Ljmbi2kPy -4cYX8ZN5tYjkdIJD2IFNYoRoUGWm7peRIV7zxZysojfecsdT0tqOz/i5KQD/kvLM -kLTjpQbF9nUjEXpGEbzzapmveEVmmPar3tEYU41YdDEowqnNm2CLMezXy68FKHsl -VAaY5rftvaWLHHu8Osm8sbzcPDAyHuf//iEUddGfUEOrZY/5FGx3T/NpQODh8BhJ -DSavn8HyX8nV6zOho4sN4psuiCLRiVT/fRfYNOXCZZ4i69mviGE3t7AJbcJdqoS7 -wOfSzvDc+boqQLkCDQRUYmFzARAAuXEBKATEkCyugIsWGocUkAwSzY1qJi3bj0cs -aYiEN7/5+at6bsCLzoLCOLvvvGZk8481B6UaNz3qm5/+w8P0zAGuZb2nI7tZ9nVl -9krRaj4cj9MrFiRe6fMLfxqBSITNWIkGptQc/4RC2wpmUGf+uY05FDZLCyWykK5N -+Qn0SNkxX6dN/aKA60f4tNSwvjDWiClnjalDanJ8xJmTZ9k6Rt+99KYy2auE450n -hGZ08LZdMGtsxQOqDecchNlw1fIRsI81J4x3E7CP8x1ByS0Mp0hWeOagXfKwkNZS -cI5HU2nlKAoPZNUvPJLJU2BlpmTZNeAsvk3SGMuwrxiSKE/4Tf4FLTcnU35MYT/1 -RncJrjG17WJ36tLu/MveEBMpb7lNOpf4sbnC51etA1QPU3Q0f9GsOIh+ZcNFKD1d -9apgzhqpa+3TYArOfJrOpODRrALIuFQXn732QI6phBAMXKGqQ1vKyE0cQRmKqEfE -CPagOdG0vmdSxToifgdGIcN0Xj0KDcI2wqKXIjgAA03KVS4XNeVBmftQqOX6HNCq -lxuzkKQK8B1/wbnhpUKao7TipwofZ8xGpBB7dKYS3iEp+MKvRS6A4f/HXcplCJfC -gS6ZgNCwWVfpW5lCH+8usIP7H+QpYLkclY4s0o3Pr2aA8hc1zXXF8hf5+zUQr1Ot -0RC1KWUAEQEAAYkCJQQYAQIADwUCVGJhcwIbDAUJAeEzgAAKCRCDfBrVNnQp2c3e -D/9aqiwS3irHJu3oQZedbseQ+7Fu9yjflVBD5mvcsqTQ4feCv83As+tYIrNm2vfG -cRZM54evroKnxSXwNm9csp8VMZigyUnLVWMWKZaUwMr5x/5zScQk55jEWJfmRK0j -io7aKiWx+m3DGw4lgidII09OcOt7jfaYaelWFaYJ+OZFMDfOQu/sRepPjbcsOFJj -o/1Y8CS7NZNM3lIWRoyRkS31QeEWZ55pF/R8xr4hyRE6ipqDfREvPk7eFpQXZ4LI -E8q/B1xTs3Njsc0Zhe64NRSoQnmj/BKDnLzMqf+WoZxHiaLa/s9m3FpStOw/INLq -NLY1PK+n1Ih8GQ/t4kBhV1vjAzE4/wjDnpvj4Xttj5/coz1gN3JkJghQvudtz3JI -fcR2YD7cKuhf/S9w0HkpsF3suUNsAWxBiyfyFh4Yg1xuiA8thqONTNFgqI4rdG+4 -Zu9Ji6bQNayAw7P0/7tDCd0JpFMao+/id5eE93dBYds/yik3QSYRr8eYdkI8aISI -6W+ibACAY5fOa06pOsol/HLf4vS16gOJbhG+O0pdZHNlkMmb+lT5orAXmsw1556X -Neb7jnS6qdCYQvomhj75ELPqI0AUnSKp2KQ9BJoq3L6FucobS35TGXT69ynhScZl -KSPYvmUpu7HOpHoZXBqsy6/6e1mbyQZh/dgIBKYnKg4SXokCWgQoAQoARAUCVO9A 
-hz0dA0VuY3J5cHRpb24gY2FwYWJsZSBzdWJrZXkgaXMgbm90IG5lZWRlZCBmb3Ig -YXJjaGl2ZSBzaWduaW5nAAoJEIN8GtU2dCnZAP0P/08/k+GxL4X99qg+DDsnxS43 -1ApDrR8GnDgIZfHWCaf6QummFo3XhRe+heL6SM8+lAFYXGCDhs4jwEjqXSVvdi8Y -mWYUYRiJPUd/y9PBMH4WQjte85cBZJ41t7mnPfDTPfyfEiN6xFtmKhwVgvxhpAWR -U7gxg5T88ZSILaD2XRKUWtzN0E6c+5Won54PR4xclSICInRYAwU903bUDwvdBGSX -ivYklg2zStlqcfuwBSUBRro/GUarWymZFK9FQKRpcw6VwnxoZ9Dz9lkkMti3ZQSY -tGZkA6jUCnGQ7Tlm7Vxg1jbBUB3PSS7nA2vy3iVeww66SH167ByoX5KSZwkWOC42 -OBydH4Lliy+8SaGxXMzddjcZw4Zu4oy1xgiov4B/3elCi1ftvLBF1pTydrtL8Cmu -fpPE2olpqCnubpfG72ZQiV6OQmeDHecxQkQvKb7Zb8osuAcPQydqYdmnI+K+MXhs -mzbhbofzxwOwirt9sDRyMqSoWBY5nohjeNAGhyYxqQYf2g2xo3bX1gAgwdHpD+FY -P+E1bEIPDFcTB6KbJbKspTVQl/TUgM75aa7A4JYhnXh2iImn0sZ+pwEn0qbhfh9f -atzRTdBqNNZrrEenwhUPjOD3vs75sb+7vMOP33iFdL+ioZv9w5+0Wnk72ixJbjyV -0Aajyaaa0eUMFZ1GLalK -=tlXs ------END PGP PUBLIC KEY BLOCK----- diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc deleted file mode 100644 index 5d9fb310..00000000 --- a/puppet/modules/site_apt/files/keys/leap_key.asc +++ /dev/null 
@@ -1,443 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFESwt0BEAC2CR+XgW04DVwT427v2T4+qz+O/xGOwQcalVaSOUuguYgf29en -Apb6mUqROOTuJWN1nw1lvXiA6iFxg6DjDUhsp6j54X7GAAAjZ9QuavPgcsractsJ -LRz9WSWqDjOAYsb4B5pwmSPAKYtmRAxLVzdxUsuHs2HxRO4VWnaNJQEBj7j7zuGs -gvSJBSq9Vici6cGI9c1fsWyKsnp7R6M54mmQRbsCg2+G/N0hqOz0HE6ZlJKVKaZq -uTrPxGWFuU3mAUpzFLa6Wj8DSUYiWZ/xrqiFdbB4t1HM3vlKB9LEg93DEuG/8Q0T -g2KS0lEWxequBXyE6+jklDNqJeyHmfgkuAfFlkNYa5870XT87MzGE/hS40lbmhQV -HHlwxMkAiERMc0Ys+OfgUJMbIDQBNRFg3Q/bjajFoVBgBoKFp7C22zgoJkUNT+7H -Yv/t6zeDlIzNhgYms5d0gEiAeLauwju36BmwUsbQHwejWKP8pADRZL1bTj0E+rRU -M4FFNh9D2XTFFKaaNubub8tUmo+ZUIEEKfPhNHK9wS/bsFyPv9y3HLe2b3NYGFK5 -+Hznqg8N0H+29I7zLx7VpOh3iRN3Lbxv9dMmukVJtw8Rq/Udprd3Z5p8oCisFo+k -nY+J+IgNjC0eniN8rkkl/4rIN5fvvOR8YCts50hL1fAy3dd/MKExz+QTXQARAQAB -tClMRUFQIGFyY2hpdmUgc2lnbmluZyBrZXkgPHN5c2RldkBsZWFwLnNlPokCHAQQ -AQoABgUCURPzwAAKCRBIWxL6IY6B65FzEACn1Q+9dcLig6yCRPGF8d5qdnWYquts -fLc/W8P9uFCo4bLFhy+BlalZVhOSPt2KMBCApoW0fAc5aXOWjxEmtFOvziPtJ0N7 -uJj7y8XLk1//v7QXDJNYotiO82b9XTmF2G9URhxe/YU7mgx1cRW9X2h6LOG4VCIw -Bd00wM9vV984f50hpftdyjCcWTO9WoSus7dOL457DhcX7uX89AGUJLC9RTiaDtIL -/G/VEM8pIx5zW6Q2TwUXndVsNqyG5s0J0908KNyp5IPI66M07rR939JVAL8HXMxY -KdA9pxkKzPSThx8yWZknJoINsUhrd5ijfiA6kM7HJlJF1SnwyHSSs3KydKHj5zN2 -n3oGGT0bjZiXZHShsWa5mjEvCJ7oqwtcCdo8thW128LY2/0h3JkSsYdgdsJjGJbG -76nYjCIZYa6the4+QI8HM2WG5nrZL4B/EnYHK2lDdeVy/ynu96YhC4mdk566Vcqs -RrWJgRxImkSbxp3f6SAOsLwOdmrs52wCoEpAYPMbu79jb2G7JbR4uDB0i/pXCp+c -aleyKb4ve2EjHAY/VPF5BXKaQh3JIvGKVEZIv5ospoosr78UHBk60RMMzDSlOFso -BcB6Plpqoq4lI/4Zh8M1+eDjAOnOKwQanS4Hv7O2PqldGBUAXS3m6OI2Kvv3VqnM -X0GOB2sX4Ox8UYkCPQQTAQoAJwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUC -UvT9ZgUJA8NuBQAKCRAeNKGCjiB5AXB+D/9k/BzZdAczQ3/v7hKrN9y3/D8kOEYK -rF8HdcBOH522sN6mqvm7wGkf3RmNSi731m6vzlbBSonrAT5KDMpj+THOmUcY29V5 -a1YOgFCCkToOfl+LmlLiuqfrGCJyE28MKMrsi2zMBKhsSxhvcI0EhJkQpPBu8gUs -XW1GSHuh5CYzwf/i8eNDpVrhHjRF0AVCOWIq52LTR62QchR+6ci/wVDHWd9Ase5X -8rxNnt2/pCbgATklQbmRcQS6efTVk3oXk1DZ8M46vayJ1g2BFuIi7pohiekLAAAt 
-MCwRKHTHvtPkGAUAEXExPGS78qHxLHIau2VCtSBxm+bQX+ZyCMANDpI+ZTFp1APJ -9SpbtGozuQOpWFjWY1rERunrbyWHIb2DuVVNKGiHlkMJB76zzysvbIPYWx1RqD6s -KFJBkjrM0xn8H+D6qzwzGfmX1Yaw12oYA6pcai4aK5sO7KHt+THAxYAcVF7qxGU7 -lnDifM56hrH/DbE5InlDC8OUqDysj0cHacRee+ZYtj7TiEykWfP5RrZCLQ7L6Jd/ -HtgQti/9TVUaFkIlQCfvF+l4BYZQYvnhx3MVK7ChKLmy6AVQLWnDrBrDvl07HLvW -6pslRzVHfWyIYng0pZ0HvK+MpQztCoUcDK470mjlpAtjNHuyKh6r6TtaiVK8MgbR -Sx/NMHb1/PXQJokCPQQTAQoAJwUCURLC3QIbAwUJAeEzgAULCQgHAwUVCgkICwUW -AgMBAAIeAQIXgAAKCRAeNKGCjiB5AZBiD/wJwUVZjfNeWdpKrYy9HtZExtTcU/94 -3lgRUNinUuLPFU4i2s+hR3h5fzXR15nUD+IBJlXlzLV2G/IjXYPTp4a0gqHpWULa -b5Stu7AzFiO42/RWUAzWD1Fyh6SuZ3FDERvheid8s4SXoe6y4cJ5ErfSlJS6qqku -8ss8mS8lM1Mp+lc9wYTWQ+8hmSUivAZb9WLEljFxhvEnvAKPwD18o7+S9GABFwYs -xflQvKZHguaOVqBEksry+vu8okWNrg3Ll3dDQEeahr7nrLrHe8gqONJgOE9jjxRv -bJmGtIUTyGqgWZZzBfQXL/6uXL23bWkYZDkQNhfsm+colAV8gpj+/E3q/uMXwqz1 -bv06K/LsK3NHzBNE57kJHEhg9K3Uw2Wx5qwFMU1GDxsB3P9p+TyqAboEZAB2irTR -y9k8peFB7wwf0sW3Eg78XFsfy4gyV619VnBR+PbfOpKqFFXAodF1mFiIrPeefaVp -F9fiQ5Owt0sJjDaJnYT83ksAO2Aj+VsY3UjnDrGFaiV8Neit9y/8W8DqmZ3EZEF/ -M3iS0yDjqqt9ACFD+jkGlKYsyHv7gbpTq0yi6u/kRXHUTIvVwFL9M6Z6AUcG8gzo -qbKhXGfWKEq0lN5HAjJ//V9ro3DekFd0A+NQOlFV6XtspZwphVdtW1WS078HmVlw -F5dbD8pcfT/RjYkCHAQQAQoABgUCU4eKwAAKCRCMv5oyKGGnkL6sD/4+jhdGUEO+ -n20VXPWZ7hV4GzVezVV2yLHd3kCfG+wKQPtpY9Qxc+3gyI5rOKxyIp2sYh0xpMkT -bEy7HjFJq3gFtAC/lQQfoncZUrGL6xsh6PmYx3MzXQteoJ/u94c6LXyZoYhYfSi6 -jv4/DASeIdxDZwaaVm7WRb/FcT54l1iazevjJp4h/+udPeGjsS2c9cUu2URJYv2D -lxO6JyKRdv6H4e/RgzUmf5LJ83LLQ3V2BUrpZSnpw1YZkdUESNyNAKXfdAkNOTZX -HM7BbmBSg7MSpaz2PZXgf51CfoKYkNtfyIppiTNxRlmImwXKl9+efQUOiWokuQGb -683bUMRbq2S08CSzrvTAXuDLTrro3emAvhO+NxFQN7Lf5s8eElcTH/dDG12HlMSZ -cQU2S9mEl/N+LwdOpOP84hHU7or6q5riUcALYIYPRcaU8O4QqHKPOId2G60f4S2g -7hHVTi3B7IXCgSzusciSVCiol8Q5jqngBSu3qySjuGtF2CHaz36Qr5cdRSJSAPgm -2mquVOdUtY87a4+662bHmf3w5Ma8cTjnoCntEmXL5YzxMmPWhCR7aNvrL8/TPUwI -PFQfbG+CDgg5hgjJ+gM3tlm4x2LyAcWqJJSua6u58TGEdNKe3c1jJuub32/D0xqI -JF6PA63sIIDHal1488NvPMI32HDITm8H9IkCHAQQAQgABgUCU44YbwAKCRC9aMeq 
-mX+nf6J8D/sFps0R7GCzzEKgIdDCA4lAWj5XXa5PkGAoZAcPj0kbn3x+lrLtScjA -oDXRFjoJpP+bqh1tBHvLPn849mIcX+jKgTh/HvSWSc4ShSt/4ejKagDUdxHzKipv -H9A73FmVJI4DVTthjLl9d3EK2+de02jzQsHh8mzTjKJPnUUUI61BmdGyQCA+COaV -G66tjZBMb8LuQoXQqgxpzYfDW3EC0IT5MdDu3wDFxOVCVLja0wPsOfp4K4XRsfkA -Ok3AaXVt2DQv4LCEa02FfrKDrsJECRgWfiu4kxVzxR8A5O2ZgPreOh8sWRnDIt2e -Mmzj651hB+W+ym3A9o6WoileJ3yQHfOqK+4gvreTzaQERtR3Bj2YgphlnIi/Mwbu -ofjBhVbM+Zg55D6HS+g12xadxAsFJJ9Z1lhLINgOP+W6pZTU3zgktEc93IagU5Dy -QN2d0nl0Mc9yQHQhYzpDBF2Ub4Czk7uFmTmRVGf8xE9VThv4WeTA60zuonh3hZGr -dkgdgp6xrZ5jJs8SJLxXsIX1umrRSJxCxOJ4FfmsTRDtUlJdOFEg7qmXpjKYe5MH -Gx8PnS6tRiCy+0JnDUXnA2hDBESSrvXcTUQ4iPTpWGluq3vicle7OmKU3Gzxu9VF -ETOGZbZKEbdU9btswvSNaQ+Yat+mr9hJKEbXS1XS6srpT2FwBBhK9IkBHAQQAQgA -BgUCU44c8gAKCRBC6GoqEfSNNttyB/9jiQeAfppuZVfobn4mdMiolTJemB2umaXx -qmP6Pa+UTALhJ+OJFM1j3LBGXChVcU/kox84ndRmjByiP/PlN2yQAZuOMTr0JZis -1Ht+s8o+zE9nFBppFdZa8AsY1ke+4FDz3zqBhAIEL+MNfGlvaBzdWK4MowQzOa/h -r+q1Ysm6gT9RUOaNedUAroHCbGtbbQLCP7fF3muIMD3ItgdiFtqFZp58mlq1OQGG -6qA1EBSy2uinFwaniu87uI4/GIIbRnzjev5q0AfOuPP9996CAbiMvVhs+JjHuAOq -L5G0UY0lysqGJcuZxtYVS/ZfGUQlAzKmjCTKCZrAiqRrTxJMdcBgiQIiBBABCgAM -BQJTjh+mBYMDwmcAAAoJEMzS7ZTSFznprd4QAI/TP9vUqTEm/4Rdzh6oEu7M15f9 -4ErZJHQ5vSR5Z5gzXy4TEnNrMcKLRcYPGLsNJYHxG/H0mCwckPLLSOHwiBjCMuwG -458p8HjfCB49BgLwLjobuXuaOpOmIWIzgUU97ylSn46MI436HLRdcryghEaATXgo -XkTdNX+2WDapG7nbMb7IF4rsvNSNMmgLsbXV2pTMk+wDDZZz3R3Dj/b1XA1aKFhV -3aJU2G8Q1VBwmGESB55OP91IAWQ0LzQpD+K99GPNE9TdA42VLPruQ2Rw8gdP3CU4 -W4+KjgGyX/aFjJTsgid/XPnCWKBLSPto6t/vRePy5FqlzzwcT9rjVxXSFvLnIhMT -C8tp6gfe9Bzx2VXjKENKhLoaYZZLlUkS816b20ebVCcBscjja4CGK1kwyMn6F6FP -abTk/RcakO+M9+JlY/YwCaIeQ5nf15IpMJuBvV1e0Ex4STeIf9VGgL3+mVQpavqA -wl4ks+knJssVF/VYx+doUpVKrj+h4nLM+OAEnEoBKPaOPTnnLPZNQupklSMapdsd -rmkVYuzZFbMjJXa3kFyfynVejgeJxLOPOPbSpeOjOa39CjeE7l0MtN+tDzCeOqrt -tK7h3sy/5KOfNcFp27xxlwRUWipJjQyRzxHKUyL1sSChdNTJozWnLiU3fOb7PUWY -7YogPiVak9tkOiAjiQEcBBABAgAGBQJTjlvwAAoJEAwyonG9PMeAAgUH/i8DN3Fk -74sCBb/eQmUQBeYfNcNvItj4bR17om2R/nvxtNp/RYrJywWwT95rL1gmOwbNtGpT 
-h8P/34bH5JbagPQZCq2TVVgOgPOa78ljhsx4iTd3jK/oYnJapkCm6JypZ88XudMu -3bciGV6khpZ01KtzJCjV7hsF1HAogU815ivdKv8uBGa8H4og3ooEbE0Yc1byOCk6 -m210ru5Oe3OoK0MjV3F0b2q8Bs8Dzy0b+5kPdL6QCDgErx6TqaniKX7lqPI+GoCp -2IIdacWkhCVjCwKGsDIplruJ108BCV79FJ08ZmSzN/Qyt6VuvWghchPtPWwmCTG3 -MqAdjtyizNX75uOJAhwEEAECAAYFAlOOH/4ACgkQobTFvX+/A7P2Dw//Qp6r2e+K -oxjYQaHJX3Bp0aH90NKqVD//hwF1vLLSQhbFj6HreULbweyjkRVzQtNDVr3xzDKu -Cs05DiTls1NT4p5ujMQllInIZDcFMjkzN6f50RXvI19UE0iBigu72TE4IWerFHNG -vTFM+XtmXe44+G9iD8G76NCnmSxFvszZO+JX+YUrP7/juoMvUsK2ayCo05UQ0PS9 -OmsIZWg0Y47WLAv3TyixeQxe/auX0XcL5fk4Ehv5N1jW7NSukP7MaqX+KZeeC+7B -PWzK321Ofq1/6S/eipmr6cN0t5O3CvP9spJ/4DLUbhsHYrm1qFqD1xDLK/lR0EVP -5qp0s4iSCVjUYUv1VAFAQzu+LtQ90SubzAvjCShQlMB7j4XHqikG3qugnMYuQNzd -oMokATXLsXEhKDkN6tiqFzGmsF7JwyC8cWIDyCZ/X+4O3HmUtZM9Vh86wgtsCVi6 -LEM3ya/l4YS9SwOGXh5oWiBSAatJGOOitObiTpZWgqTd/T9/Am/Nqs2i1R9WQrNc -31N6uisx+jN8r18VZVOl/IXtPsnCut6QHkAal8RH6NtoFqrnUnIwR2tzrDA6dYoJ -Imb8COoFhW5EXErjJPeFq785tlhceApRgeQOuWk7fZyK+vIqSb5jqwAON23dM2aS -h8ULT95Sc53sKPE0Pcqa8njzMZYFmA/uhwGJAhwEEAEIAAYFAlOO1jwACgkQxzKx -0cKPTi9E2g/7BTEDp7obR4wWFSY0MQAWsLTbKe1bVD/fIYH3IXNohnl7uSA7t34K -Mn++vYgBaucdSutsj9YDqBG5NXwp+UbWU+KUNA2fsKSsRC6ZMFMHPEef2kjmmMcZ -ek8lQ03hILjEJFmIg4FQt0mgwk4ejsZh6yBETp4goSPdqAfVV70+mzdsHsNrBMGO -5O2wk7ro7MsFv2s7HPKI3N1r8HXwxJa4mwpfHhQh2BiEIPmFnESL9D0tk8CaBKqY -ypC0igDTXgx8AhV+kDcG3SSVU3y9AaBCjVMShvi3OmO+PIeQ6QOJ3z+9992enqAM -mjngkA0nACclVttNzkdpljb7Oz1ootvoL6/Npj3tbZ3EoawOoHZ/Mhn9W5ncjTqg -6Zzs9l6QyoIMu7ZSJQViD879oPO7Gkv4I3Q/89dQ1yXRvHdJSctrMCpFg7VGW59O -DMNksJGdsXkrn6ynyTfNZCxDP8wLXw9pAk79yopTZ44y0TTKzNOqm8K7scOxvcet -ZC6yyZQmUxul0Z6pp9NzomigAp3qUGOt8k2cp4V8LVj+FcR5sU6Lyk+00mDfr0qJ -lUYwL3nJvxFc+B+tDoM80QK1p08drZrJ7bc6Eh7JgNezu0wNiAQUqxdgWOPjoBL0 -kIlJXbHxAv6j8JUj9NemdaA99AweW1ezwZtFIXjpedQdkodRPzeANbKJAhwEEAEK -AAYFAlOQULEACgkQ1FUjZ27WELeQfg/8C9Tosw7E7+n8fo2z/P/w6XcjvfGGoGAg -MaF02yeVkC5E16VllTBzY4aPMsPR+XfR0BK9DZHcglhEHaKHGjh/qaN9PI3gIodL -o2y5hgtCYxTMeICmHRsqh/1biMMeKHT85ZpoHDA74wB+8p7oY21941aUZM/tKkpN 
-uE8mriFxpkDB1A+vXe6G3JJi8z0S7QWT/2UleVpo7eXihiC5o3AZmQHXuTyF0UXn -8zLYLHstJpC/AFMi20Pv7jUcroxr3BLaJ23ai2ks15UueczgHLzjPyIg/4zNawpD -fX2r4whbWA/+KC7VyAkR5lQ4i438bKhPPmYkbAP3g2WHqow34dXNaQm/eSLz/+fi -1l3UtgjpNVvxYHj5Sg7q5bz0ZkTjS+jWsc/sIb2lPlwL0u7i7+Jb7njlbJqaiNPZ -sIoM284SKTj9oWrz9KOqerRA3kc4xFH2oh8Acqc+h67MiNCOnHUmKNgtZobe10qT -GCYhCV7CDp7XYZikDGeUyhri2sxASRVruHGlv9qKGbmZyNmoBPhjhyHtY6HZg4lv -SOaZSJ47fCSfTN712sJE6pArsMK2o5hI9Nh/4LgmYiDQYwYGKhB5KeRE82jyATvf -/om1EaEcVD0QyrF4oNcHioNcznQNFhcP49DNjVWTdqrgxQ6vr4+6avwAW2wyOsW+ -cpShmueTf6SJAhwEEAEKAAYFAlOh6LIACgkQTQVh6fnb7hNfYhAAv6dqpWvHDuF4 -QtNxk9vUUgV3RFPIxeVKf5mI9RSU+9Kk/fxSxmqnAXhghqN1SAZyw4jh1A0emQNQ -xldoXAq9G8I539UcA0qQMfoH5YzD21CRNlgHJ/f4fexqZM9aRiMmVGJiAkr7Ih6u -HgLohH0Qjfa02GL/qoxNpGiBcpJ6y6KLuNMi/E572UYugxsYdnRct12jzfkErGdx -rRZlwNsZHdYszxnTCdS6zT1jp3IY5yO8gRcrcazJUo0HK0CEs85nHM7JesVbwkC9 -Qyg1Tn0katx+7NGm22Bytk4sMXnZ1OUcRC1zkGFAu5KXaSPqrLEsdM1sXQuxaXjh -G0GeIflEzuXTNsSPS0UwAirvu9/hjsh4yEvvYhdmwaSaB9rZqIlJxCtO8VPcNXYo -Dz8UEiHxQvzVmm2d2PS/LOXnyod3TdFnM6McDVmb4qiJPGgS0ZBIeHH2wla1cqli -zWK1nCSL+aBPDJHAl+7U1WmokCVJWC4TDarjOnZauEMr6VRKaYE9tAQsP1h/EWtO -J9NSkZRZN6eBCnO5PREw6pznR0IR5ciwQcrYAecYKadwyFl7KTKFXCWV/7v1023U -Q8QunMsATVISQH4VWPDl8ANqy1vqdSgYv9g0/ho84dBWbXmlMmFGuySEwg2KGeYY -1hWgmIfRLbsoqxWdrpkpD2+qAZDYSm+IXQQQEQgABgUCU6MneAAKCRCcAqxiqPWk -3xK8AQCwKzsh41vFnJJ7zTNf4DHzHdBVJNj3WkJKd9aTW9QRogD46xmr0lT1wDS+ -9aKssk6p8qRF0C9bKvxjLI0FLw7oH4kCHAQQAQIABgUCU6PKNgAKCRCEb/rGNK7q -P75REACeQFrfO0xSXZysAboGdzv6I7ZE8YYW3/rd5+RKY/m8F374MXf3YN7KiIdh -g71h/sN4/lzgJl48so9B86Z84pmUOGPVaIGmqzDJBGBY1Z2ULU+sagy8ti94kdES -LLVencI/dQXaL/dxoOerMgULGjNvuftZNFebwMdf0VjUCvWkV6T7pubEgyN8h4Mo -J+rclg/SWf3O4QxFzDyNSdwDkNgTzew7n9DiNDqrTBEvV6ahMI8ayhhs1lzlTOSj -tG8c1edsBa2tQSpkV6BuAv5Fqbp8hAkP79QO4aGATdKuoLIYHD8eULwDArnrR8VU -aeLZTPzfobzg6KfHYTZNw8SXAl640DNbgvMQk9IPtfUXDP1b8EnGf76CjpGRhDNS -VAnPhoFFd5OIzmJikocfYZkuuIw5EveQ+l5GAroO4TytdfGwYl0KhNAqExgbkWT4 -UVQwin24B+1MHN0Iwqg9zupQI0+IjZeWyzkmuHek6sphXC33HarRYeytte2HP35w 
-MmALHeADTVrngSCsckzbVL5GCV5voiLaplqS4vqE6liqW1pEXWOYwfoPipyVDZxZ -d9EsmErW4FPotht7rWKeizZqAdyQQft07dAckwKF92bG4cez3fFvW1hQKYHM61a6 -91qG8TRybZvnBh8aemrS5o8QChTk0UFQUjpRBbAOb+ayf/dgjIkCHAQQAQgABgUC -U6Mo0wAKCRCl5rymKbpBJy+OEADI3UuK8K8IdayCpC9UOwuA/LDF01RW2EoogmwL -ywSS0ipf+D0rEvH9EtqXbz2ibOBhZIxtYzXXEx0Kx3fnYQvInm8wdnc0650tGMCy -U8sBTaV9B0mdYakMmQZc8Hbwd88fLnwEFn+qHJ0ac31geIxDN7vfgKeqea+4VGKn -NbG1h0bRn2CK2pccnp8sm1eHJ/u25X05Z0Ofrx4It53OhO5RTSHGhHM62+48FcdE -Ytm6jPcS6RY/mXWBWPJsjmvvtQ+67PfJVHVJMDVFJV98PSqLbD69doz+golpESEd -O5uWrLJEXMj8O154HQg5xnOXWurzNG4FdL6eeXk7+1UfXSXLUzGkaMgB6HjNTTrj -JG19B/+9F4nbItN2EOJ4lVEvDCL5uE0CBxvG9y04dxzI8jCg1/hPjYyd4Qb7N6CD -Doo7M0lhm5QSlDa0NDfaIpxEPBtcb0wOKaJUHfDMertl0mWvYbPhP5Lftq+h4syv -Q9iu0gitGCGW6O/GXH3/ZhnyjVJRJnFkcYIeckKXVK7aCEtyS8adffjrwYvH681P -5d+EwDxY2B8UJE9sPx+Bz5mpsETSVbm+aA0KsCwc9jLnJcDB84/7ovuRXdP0C06Q -+YC8fY8QQZmIl/bkzwAWWyZVSw4O9/3pWnjXvqSu/6xOSVfF0455bMvyv+MOiTlx -8NqfgYkCHAQQAQIABgUCU6/1AAAKCRABogUB6BpLumA4D/4hW/M4AcQ+uZHnWmA+ -N+JC3WbWnjOcHcrLplpxSY5paom8nHGOfdSivqpDNaY+5yQLz1i6DFp0bj4c7zL+ -g7s7hRDz1Qf4S0e+dy96NleRkf2RVijhtkNxeyISaHEU7wImFdrrsycP7OImvvZv -Jk6bpWljk9FsXamLEySRKtq0WSa/UdcrLkR/93Wo2PLPpXoMRX8+jV8nLpL9RYkR -ThH05bgaYzGPPGySH4pIkR8RlIvzd170glzNbuuPhhAV8kJUtXsj6W71AWLypnMk -rUKseVL1t4iN+nf3ZFo6y/+s2MIzgiEHN3Ju+aJ+uSNpJdSwD2S89vhsHT22dQOq -DHWdUo1DRYcL9kEug3navGxVUKZ2etjaeT1PFfweLacwl+Uu45RCbmQD6pFzda7W -ng8GbDERndUQ7qA/DCSBfnmJBNhXIMWJd8lA0puzd1wP189ZUzbge7AVLXJfFFuj -5hVqkTKeWW8kodSzYKVfS1lq/jT2rtMDLK6k7vyf0Gjor5XJhfla68BtBNxn0+dU -q25FOTAPy5ETf8BFL0Au8CboxnOMju02WBFb5Q5oNs7fk17hvzR7Ou/f/wMVQDZ1 -6lGRROPsvN6wi6z1j04V4QNqOd60JnBVq+O2qmbtXjou7qxHR0ZBwI/qPaktwFJI -AXmeOFdKQyl+I7TI6FmdpUB6x4kCHAQQAQIABgUCU6h3iQAKCRCDgslcKQI9+WQg -D/9kFhcS5qu+l0RsHNmKfhk6RMlnPs0jY6E2BxdXbJaNBFN1NW3kIVNYPFflvazC -owBP2ek+gtiJW5/uH3C2FAW//Dt2pVcjRN8tIqqrvMRJxLQEP2zJ1YFKnbYl30+e -hHWlUUyleKzIBA/6GbiAig/TbaA1cOgZNVDdtfJUxLphzNZ7FGatfjkKEYP8+xd/ -3Oj/Wba8F4cNhMUbsV2qOs3nXlnVt2hKVB9kOpUJQdjlJp3DKbim6uj/sLs9KRLd 
-Bfhrezd2KoIpvvGDo/V4xqdhW/J/vwjrISOQ05YsrCMOL2O9/Sdron+gA1zm/xQf -C9k/Nv6lcCaOLywdcaYd3XJqXZBuZy5KEljm5Nyo4Hxhd9ZJiXw+pMzX75NLZr6X -nZz7/t/8FbRKhlHfAl/6hoPK3f31os8KHyj6YrqGDGg8dwvhxMsHpPlvsx4jpIsb -cE7kTwidvhJwe8qet4XicTxnF43irlAk0xIbmxnSgH6XX4G6vejPsqr89p9pCWLj -URTT+tr+U1XiNfehomdhDUYXZv1Sg5pK2HNEqkGKQTsjzb29t6kiGA1JsmBCPP5S -PGdHDagMfa+VFlT/+bmwWsad5R+f3vhTQJ4GBcpBgMpQwEX5wHSGs7dpKxUaL2ki -nRR7wBBtPLO0P0GLJ6vfkBhrtfA4gQCGqT+cOEdHlH8gC4kCHAQQAQIABgUCU6V1 -nAAKCRB4YIWsINNFfeXiEACXy45MLSpjTfAF6xuxtlN2zBuo7gP3VNboIq0MZcD1 -yxRIhSwKS1QAeWso2a7YJ6Kzp/HG2hi60Zi/Hd1vXSnNYwLD50GszInc8iNA2OEZ -UuDiw7c65lWxOdjc9jbnd4tbEBiupfqZ/15R+R7gmeOVElW5d3owC+ENgbPOhmZ3 -AH5cx4QdXtmPy5oWpHyU13izxvV934aY5OXcvsCYwIt7DCISEgiuPJ2azkzX7ak8 -C8U+diHF5M5Ps+6nBmNQ9bpHHwZ7hZOUQGs/1UW5cEeWwJEMcTEPLwvs3qjtK1L/ -k8DS6t95hr7xiNiyojCpC4L1XwT05MxGHKwY5qXMw4bqInyGsnf28NuoaUk+V+fq -IS6uC+p7/D2l9RU206R93vGTOwIxxEaehy8i7GadhiHOKGADm7yatlmOJfMx+9D/ -X7q2wWB+t0Hu5fr34NwEaMfJJgjOHhLqtBiuPsrr6D7+sNKIXkZcJNKE9nf+Nef1 -jygPjDF2O6AcHl2P6vPoKUwEAYYUyYB2ku/pm5wJ3V1bbXkTsYse8bWCUf6jSSWI -acIoHAXtZjOe3BhKGKxG84h/7i/054SYI0+IIuec3zwiy+te+V5cyGbutaVg4Wnd -nH/j27B7oEWmwstsu7i0EIO1dw3WwjhjiXsflaseWoB5LrOHaHpRccEeiRdllka4 -uYkCHAQQAQgABgUCU6f59gAKCRDfoyRRwJ6+uqx7EADLCOXDrUmHbHQzOn5B+uVf -DQJrtVz3jNFdHb3p4qRD01tJ67/GhcoZ7NUVo79ELuWJalQaIM9agmYZa5CsJIUL -RI8JtalcLRXCxFX4ls7L/XRRO0atwzpt/K9hao6Taewp+J0Vy+TVLVeh2jcajRL6 -DfrlawMDpD2OxDw16KGMZagmNoWcuMZqK6PRXBnFGy6lEL7+gCy+vHe30nl9R64q -MhTxnpCFvK1UCk2Khzz/7nUNwXw4McU2KYnU7AiSMNdfPWv/AW0m0MyWRBLmEy/n -en+hIEmoxIomifroX3PuyChjZ2FaNWs3Kb7HKhXGSeCl1UkLBPeZa+obfP0D57qO -DeXMUxny8yOGOXOrHlRhdJz01qZ9v0UCfwnBJo1ewLaacJ1l5Va26GwDbCh03mhw -SE+AWXZbVTuemzUS5QBBYzC+SBxSqF+sE1hFy9okReGFY+AjsjI+uu3A9ht3+vmv -cgLWPyvkxIVksnvcmPp/k2RLkyk/tQWA31pNRMyqaReResg4mFszKEtbC+tFVquc -pCxd/Rvvvz918lkEFjIPN0yQoRenb/bKB4i3jbKIKMnJzCsNeaobdpsNcAdl0DOp -LMfo+RFzheQnMkwBQgI0XNxz3ZNMPN+BkEFWs7u7mfpKk+ZnU/9fKOyrOC1z2KZw -NhjOF9oHv+wfa3ZQ7I/nkokCHAQQAQoABgUCU6xtjAAKCRCqaOzI6YAJU6erEACj 
-8z2iMep2PzgcnpHz8csKlAmTrBRmNgErJNWfSPG5Uw1wvf6RzcD5iZ9D9Xu6SCcZ -0DVtLdho9Z1/Zb22ocOxTBd40DkryDdO9ANSHj/bw4tYzTtWmftoU5qMdD7nQgp+ -2fMTuptASAx/WK/n1tWam9XyM/i9fdD4iu2pzbBdX0F2RgmMS197fQgAAVMfDDHj -gquiyGBefCaMxv4FEM/Omn5ipkhrmPpsqTmZJNxAusiOiPJS+pjl18Xjf+VKtRgL -tr4pu0y+NVVXmI9IvncFlR1viyaKDoudB0K9UXlVKUURP7ambdS/yginiVbgaZ9T -x5STFC1FYKk69JdouvzYQc9vWW3C0cv68GWivpdFQMHrDAjAy9rFpeqs9UBbHpxC -Q38ReoYDyxL4QJulEv3HpIRRt+UV7NE+3+Ln3a3/nTnUKJZ3m+kX6qKh875Td1OB -ZAmgfy8zlDdd50n0bQjSt8/DZsRdpFq5LG5vXA80Y+Tpn3i0jTJ37JGV+7+Yxb3q -XM8XY0DFnn/cf/BFbbqLwEUxalooKp8eOO1G8yW8kqBdxGe6I1gJEaht5hkbrh7L -Ozjs22Tyz+DN6uo3Lm+cIu2YmC1j38x9LzVxUJHIxFA0XTurwsMDMB4RvSs+jdWC -CdkQM+1StiYeYDC7+dG2FquqpbsFl6fsoICKCksvVIkCHAQTAQIABgUCU7GS8AAK -CRAjY4v3LFk7wWflD/oDgQNEhpD6EFFCQ/y3g5PtOVjeF349vuTIXcTcQI657s7K -5ftCYgWu1NNYUyLFiQJ1siRVZCqq39k7SIG3+4X9mUvGubqXog3+YZRy4FwnLGiz -r6PwEHsLeHoFiGAlbyaBrojgSgwVi5sir7JsH2PugxEFCZj9l6F3RbslBpDW0QwS -sdenw1GQJrejZC3HkuE+D0U2cQ/YMebUaKiIi535H1N1oimcVpowRSX1NoyYI69w -1JSyvc0fau7KfQua0+iGhyicL1BecGPKF+YIns6fuunnZuwsH+K35cUu2tpi58bO -42bbfirpn57LF/a7+o2pjUSMzez06aUqS4WZjw47bnpIm92gUarM41ExXuXLXZlE -ofeiUnWbVkJ5+MWeBKEfTBeqHToESEYoFSVgfszCR/0hQNy7E5ADOPorbvJaqUlN -L6/cDURnQKe85QFi8y+oOzEkf7D6XvouMGQyxsYVjHEpEZdN63evTe99Ir1nFc+F -UCgch0wLPTKlYDpQBsYiZRYrZMG/pvKvu9+ig2sqRjI6nlARN6HocMoAGViK23JG -ikC5B15lblCGTL8bmiDMtd0+JccCSLv7dAJI1FSJEFqyI2CAGm0Rj5Qh2/Zfu6Xl -sJdlnaCIXsqMB+5N50uXY4VuZ0L2+cokpYm+Pn9zJBFyxX3C2F7r1Vsuysds4okC -HAQSAQgABgUCVAJs5gAKCRAIlNrgSWRisWpGD/4lp2TRzpJkSpn/MKcMDPjxu3eJ -bZLISDHeerVhVU7BpyaxUpAHaFyv5eTi2SoTXIWPFUGzZXj0kREmWBQLk/OM2VcL -pN4oSt2b05TPWNXatIve6Zlg1AMJXz+i7iTTLCgjYUhL6uvfIczX3Khx0VwfOZ1x -T+VNJqyXXlL/eONc/+a/VB/ZikvY789VfgS/Xq3JTNQpUnGFf87YBrThd9xLsaVg -pTNhmOQpAEHLaZIRw778roAcQWyZ+/apIRuMUcOyishyT9p68DDu5N91TYfXayy2 -ckgmAt7Cf6j70YT9Xc2u374F/AvtXHHlnX3/hTI3cVKF+Wio8L95aM4BDmoHkk/7 -x2S6TUiHDiBQnLgSuwLdYr9eQKSZIjek94y5nz9KabKwj09vqW1b6jbt1eEsoeBd -FGfL1GgmrSMO/erz7a+KrLgn+4Ld6GB/dLLhPCbf1ILe6oyThzvt+9vGsUqSNw6R 
-3O1J1VYZBBHaDMZwvLRZcYOTfdpXOtmV5mNRCvDHyVR1OpsAY9m7EpF7npsgJa3U -D+kaf9krVvua+aAR1Cj462M+UAcFFTOBQ5PciWtxKm6R1tFI23K9zqIGl+7Vnrgi -OiwQdEByFtdOnAOcbXf+iCyYZY4iv3ZzDt5ybREdPxgf+6LUVoKBh+Yy70ut/HmE -I0P1exJc3k8ZoZtQUYkCHAQQAQoABgUCU7TR8wAKCRB3w9S09qPTPwxAD/9Yt9gF -oQptDzAEEzbTICYmA8zj2fyvPmSFCYfMQfAEOH0oJerU7ux/7zr3XnzekFd1NPom -HhJuGBLyftHYJvird9KafLznBW8NB54kCHARHqdyqQYoEs1qUIuBNn3TGW+7Ao1q -jXkUr59PzFqILJH1aCYelgy/NN81NNTESw2in0xZ/OliVGZuXtTbYiS4js0p2bkP -fzT/f8FeMGwzAX5RrvP7of6lW2U9pslpUf0g+3m77/G3nwQkV70e8NvL7j9Q+zkH -33IMlnrbDPiIhwgjnrtokUbGbs4XHyhFZxoSMddOy75lRs3YhS+vGIEvfLo/P3ai -MIDLEupdYR6ZbYZxCF2y/+h/KKgypirzK3Z3zePA3KQeEIvlq+vo0nxJCyfnj9wz -M7AJ3IJKzMkvmvYSVqaX1OCBaTLeTUkpFUh4Nq2fv62RRtlRqdIzish3bqlmHwFB -ApQwvm0/uH2k3lucl9Kz7S+unh1h9NR4BVY2l+f8Oi4T4Irut3qJnsrZXunPBMJr -KkPYU8iKEVmSM6E+M4T1yGoVse3JAIFpDVNHlZfckOYmqYG3NAvuralw3mis/eaG -lnBrBI9zp66FzZpoqaATzz6/EIbuZ2vs47xIIgVUoW9NZwGo5igYhW9ixUURznFD -PRrg5+UfoBoCcQ4i2wVvciqbTaetJ6+QuqCadYkCHAQQAQoABgUCU7u12wAKCRDn -vXCXmESXmUfAEACrMuez//VqyvynY5ADBUMytq2jrK8GUqfbxDOzeRe9++16xIYJ -Z5qNsdFBL2ezryvuafcPsIqMBvwucEJ88jU7/BaUClJo2QPD+WLUit99J/O68DTi -2m9Jxn+EUi/L2d0e+Kcb17zbEfbcg42+TZfxQhf1kUWLH71UsDwAiiSnfy6dkIDg -wPnlTpuerRmsgI5dkFeCt8boYFRXatVrjzJsX6rBp+CEasAXHuhAQvIoqepi3CTA -Uo5gPHSF+aldAD2SRw3xegmRnJkKNOYu4RfCUi3iRLV7Lm898pL82659jSUQMo7a -ZevwhaKQU/gm0LBbXHGizV7JuKyYE5vzEpAEA+ChOntE4dcsN2B5m81lD0ra8Hbb -qTO2AVlp/BJxNueGm/WdYHXdpGwLvWWBP5ZMqaPhqBdQ/5DMzkeyZnSBjykMNIFQ -Ii2jRLe6/poReh9ieIuzO8QIMA4X3QTsRv3qaF/TkjTzUpB0x13fXWuyp4mrSEbF -msgMEdsHqOLkBAa2w1RLgvPQ21FKewWyasv2T8NdvuZT0sARuirvxLMFrb8fMC4L -y8xBhXVbpWpFz6eo8leygqSSNSsMzzCtm6yJ0sO9ufQWrQZMmcqV5ERGecnjYJ6Q -CPWEC+xCKGS2W4PmnkO96alEfDjEKsA6uGi4z1FYvx9macKX35Hx1cXsUIkCHAQT -AQIABgUCU/Dt2QAKCRBtnoZL9ilTXmhID/9PzhdXfJKYQLzR9/NBX05SlWVrQU8K -OA4KtaOE9AVCVgD4bcIuH5Sf437xtaLUChw/x112y37kT6i8+NzyedmLjXvZ59bm -aUEzrLw3aZUZ9vNdkLeqQgmk2t0tIfQjVssv3qFqbHmdRT3pXqMRz4JzyA8Q1ogM -3C6Ng7qv1bpQS0JerfSchGrINGSRWIrbsguhmAIiJ/Vt0X8yALzqmg6kt0Lnz5Vn 
-G7dMpIfDqyef761o/wbAvVx9WphEmlCqiMd/r9kThQT2rQnqjvi2pFnUEwUj1zQf -7ArpErcB50OfBFh9o4OPt8BPYdOkXprsIl+MI7Ax3C+Nu08+jtyKZxTL4gQ6lBvz -jQyseX2tmw3LMd4nekrJhifF406zUY4uDEVINLyDCOyaelKzSsOk92vHD17s6h33 -PxyS5oUZl8ieM7E7s2ibJAa6BAKWXBsQ9JTpKDb7csFz+TOWvqsUMQZVGiINe/YA -fcGQWLOK6NHbEnIOZ5dRSPXKxmWyXKe7KvZBRNExZfE494/ZhKC+Z9/wRRfg7B72 -fkFghwuwuxsmjuEv3DXXqfLeyGgTRQgF2LnFAoShjrJDJUE+ZCtZ2cmdfLDy9wdL -Z0cRHbW26FzP26MUxiQmeOUiJnh2F6uKuF5XbFHipKVmSz0BcP0rNui1+Rq9Uc+j -JunKkuGZ8QRTDIkCHAQTAQgABgUCU8F/NwAKCRDYolbJslup1C3WD/4kJ9NqhgjB -BdW1Qk1VimzcDnMu2HRJOSYNqp/UVV8DRoet+f+507VCYaNgrczhKUra8wHQjiXg -5blBAa/Y4rXxSFP+Yhow4e9DM+0CW3SLWByxXkNfGFtAuflaOFYqbH6fn+1T2meu -ktXqVZroK2gXG1SDKHarg/XAK8QN1ism+tuGHSaO4ry1WLy8Ok94xPG2ca+2ViRh -Zm9FBqX+b4++3sIwycWIoo4MV7QzmFAJR1YxD2neSFp5hul9BgwUM0RLwW2DfbKB -6fBCwVsZBBYRNs3gyrBAguZHi1hb2KGnHZAEgY9XEqfFlUon2A9VGs3MEq0eO67M -pRNvcuVWr79i5stQL2FSj2+U44YlpOjY9zoqQE3ISerOQ/cj7ryqogQqDzbC8C9M -PHCKI+2k6CvX2Bzk5HJWk7KNOM9n94VAiRD8a6NrpBTWrql5DSF46cVyQhUU56AK -EL10tYBbtvm+QkhFvUudcomCxY1WJiNqOZQ0wO18Lw8gyNsymEaija3z/ANIbGUQ -OQN4zqKOJ2TrhrTrZ50JUO6umHRbmObMZ3Y+G/R8WhgKs5kpJjZsvGnCNmi6cVeC -KbLWtlevs0S5lfLafVX4/rGSkrD4TJk9mgzjLygYWiKqygmI2NaIKWslYua93V91 -SMSeSCz5w3Qzc1SRPjLJaeyNEX+cnO1aYIkCHAQTAQgABgUCU8kmlgAKCRBDYhta -0kTdB4ruD/wKAy1lg71RR5uVOsoeM40WKCkaqF/G+9RDRtYxXaj6LKSv7CQ3dVDu -NlAbJXZOt6j3BPFtUSvcZaeSRtvuF3oQDJF78Zhc3UpMEpgcs4k86OOaspNAwb8B -1clh9Yf5qCingQp3nr63a75d7d+5O8hDmqgREqsVHI4XPFz+/rlEQrwxkWaK2ht7 -fP2ARLCcfWccr9m2k4zPyacgjc6u7u3mdLcSiADsVcraoqBIaw/VLP3VBi+cv0B+ -Z99RBbvGgzdnkY1kOESEwmXJAMwv5pwxBXzI0ooVzMJM1pbGTmec9pB4z3FzShsI -wISHV+Z9HPsO+mkJ4W/LhGUZhrc9Fas+zk8loqCuI4u9hDooapkIwwBgeR1O/Gea -NwDU2qLYRmmv3PLATv+bi4qmYXsLbOMgvEEM59WqJxJMGx8QmavFprVCRaO4yTsq -Ih482wFHbOHSZLOXGpzxggaLvveIVTncUhpFVOumCxLblOV0dyqjdCY0xQQC4YiB -N4IH+3u4uwEG34htyZo6US57ilXxCW7nBDVFsKGUpgm5gs4QUSIfK4bpFOVOfKF9 -tyTzwF8NM10HB4HP3AnglgNCsxxoWhtY9H9rqwVxdxBfSmtxureQFSVNUy6JxyfJ -rq+Io3c3oAIlCAJ76IMal7p9XvF2uMsVDnfkvSvcgF3Ba8U2AiJMYokCHAQTAQoA 
-BgUCU/yTLAAKCRCL3If7chXhiap8EACdzs4+K8bjmXcStt6ONKhWG086FXNDCAre -5PuQ5k4NDqwYvQUBbJ6T1yrSuSa/FNmM+uKwfp3AEAqwNCWrZQHxVagsfSJLcNhP -hc6uON3twtJuC8eIKnXOIob1ITQEwMSGdW4dqR2w3jcwfCLEx2wvlxjFYN7yHYj+ -QdxaidWONjep5VSAt/noovt8WPZgBBoX126QV0gvKF1AQNpqOtiRFRLRceXFfrnN -UuWCchZ6SzGxyer40tphmposQ4Ikehh2NQxTMx9ivbnKpfEYOhffDcSRcUMtYe0q -/XqxcPcas/+Q0BhJ7LD7Tzw5huLRne80d5pX0SSkuPjsZJVS3ZzxQdI+1UYjJrvD -CL0xIFg95JpGsEmeaWc3WsZVnQwVUjhd+yzgE+7jmEFLzlk/j4x1Ofg9Gn1TH72k -XBZb1gqQZa/nI1daydUZu6JuoXLbGrBn3tdalEIagz23SWvMpz6L/yNU56quv0kV -lCv8tEzCojQP6a6TkBIuvtCgjjKEIROqCQQbmGGxZpNVukXC6P8+3Tva305iT+SO -YvQ8VYOh0zPMAt3xjN1fU1/MdaSlZ7n3utF64yp4OkvAzugn13AjHXlYvy09dC9T -RGOyAK8j/YYJ0YBdApBOrLdz3Rja1Xfc2x3WWtcTXigDiScpT9afUXrKSHHAi5xk -ia94q8dGAYkCHAQQAQoABgUCVHNXLgAKCRA1Dr6IHnUkHiwrEADJGKIoU5qyXiSi -kVtmBdYmZilF9T9fzfcrL4TNmL/V/VCZgd9zRANBN+saSXkgm0CG+3jLIBlFhg/+ -zBlxceGrnDMB3M7C5n9kvymh5pAGzOVlYwfR5QICvJ+nEmk/WcaxiEUzGj04i5VO -uRUr0aEVbVqubznnFtc+qEntQ1oWNW/fSvMmfBHBxSLRbqDBUGciDizh1R5XuJBM -S+6freS5NeBnZki4Tl4zYS5Xu4qW2Y8PEHmWeLluNK5EnXmDqK+cZ+xQWn76Or0s -T9xx7hZUvef8y1T9RGoS4lpo96PylZtAMnCJPT3NffaupN/P0XIu9cI90fmRFWvW -Rpj4bF0MWCoA/iGz47rQuIIBo1EAU3oV0I9v7TqEwhkNRFHuKxcqA7dETDvRbsqy -D6/Rkp0696cRCWMOuaokNSEKtjZEeRep07NWckGgBPbLppuS9HC5b1cwhZg9DWz6 -Shy3eZ/UcbCNdLoTt0nJ3/FIInLxCSzKjeKeeaA+OJL+cVz2XiGAqZ1UzBIb4NbN -uTn9jGxc2MfyrpF1lkrYTuXa19ZF6bD8TkH93RGI8FUid7Y58w23OLF77z++glVu -kpNB2BXCPppxhzaAyQIvrCuLVBBABf24JOP5kbSY6yZJL7NPMPW9E/RDRTcX0Yxz -jW5LWdzdRe7NKSQ2Djx8ixT8B6uoV4kCHAQSAQoABgUCU/DRxQAKCRD5gmtHlHEU -hhpDEACbY5HkQMYaXjjsjCzTMsl6oxEXrPlVAFCBk02k47Sb4xLyKYdvJ0w1Kfsc -eo1EzUviwRbQuO/VAKfIc8ZtbikHLhKGU4/e/DVZHF8RtHyTgp9yWACbM8fDP2mi -Grig2ESTxskGLfWIF/nx5fkkpMjEdTs0CQvgT2sV+RUTYRY7ZKy2tmnqctrdIeTJ -Bw1ao1xKgGyqYp2LD4YmHyTW7pQPKIn5XzJr7BUgvRdpeZiC36QbuOJlS0UETk+X -1ncL7VdpBhIGUoN0b22H4euEv1oRvK7wmZHDDI/wIW6F85jFMpEJXRAR3xgMrd45 -zYwM7q8UW3mYpR5qomfMAVtAFPckIt3ptkOuUIHVsUExzJS7AfeqZQxh5RDxphB5 -D+qaHHfqNNBCc2t8Aba89mDIk+789CY/Oxv11BxhVvrK2ZoOLhgprBO5q/edjwXY 
-Bjtql7TRWrmQuhuFnBbL7Iq5GXovlnp7YSqtxBvA+1uneM2Fp419krP0Wd6WxkXn -K91Nul9jkjN7afnAc4mAjUSmJfeZH8rkQ3Wv8iHEFkVUNd60ELICuIAtQSwlxsYR -y0vpJP5RAzFgVCGukPnAKlnB653vBPGYb7PgCmYFrQ2A/q2TDlIkP3VlCNmvlSdm -A9zIIl75Zi1qgDeOqTKuygQK95BfGbIUMeiJmI7zTnwdAzaPg4kCPQQTAQoAJwIb -AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUCVO8/PgUJB57jXQAKCRAeNKGCjiB5 -Aa3dD/9zk64GNdJbN4sxdXQ/Np48wXwnOxCY9AYTRP7rJDjqnGqeJo6+5koHbPVw -bUZCzU4ZcI71MUm3fvit+qedmwJskp+8B9WvGkK2mPCAdkCxXjp9UCx9XSV55Jyc -yXTp2O3oVrm9n9YWmhA0FWssE8qsVaoWAXYIuobDlk3t8Tb978Nug7FYFPmRHB8v -x3pOta8UMmFQ0sREbjwFgrbM+TH9gM4zL5pX4rzWQaIO/0gDaNJWETNNbVbTcXxC -m2r78D/IflRLKSxKAp8e/le5M+WyawJnCydoBrNysXxyI8YDFVsCjXEB0RQ2SC/3 -pFpUGISGdV+iWDrfjv4rKNCjJNC8CKRZG4txNojCJy1HsS3jcslzdHX4uyXTdRN7 -wmeFRwVIYsDw3saqF2F2ajivU7k+pGcl509cOuvFy7aSy4o1QkIvOpQ12ljPC99V -0443qF9DDlhfi9+gesUJyiQbq7x3TTNzZce7mkWjABKGt+u1t8V0KO81DYVjy3td -QfBp7xAjqQvqJnWXhxNjOKVhiha9E5n+1n8ZmScmT3Udy7n0qbQbZvkofaJa9wNi -S3BBl+Lr+ScMdLUhMIus5RGn/5x9a7XL7a+W2vtpBlx5r90CWI1XnOadauzP0m0Y -mervzkNDZq1r8Nh3fGVNv/MM3DGISAAhmx7xCtflGbDDwv0aMYkCPQQTAQoAJwIb -AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUCVMvC/gUJBZoznQAKCRAeNKGCjiB5 -AbOiD/9uuAChZPgW6Sn96awak3mpeaKLE6MsOCRI++ahc6RGUEz+8ny3frzQSruW -IutcRtLSRGKuNAaITku7CErjdyrWcAcL7YW1YU8+911U4tEI9rC/Qcy3/T4ULH7M -SqXskVoMcd8PLG9F1Si/tW7rHjVeFNRh64eg9frYCArEFrm/5786IqS67yHQp+mF -LfWqKws8rGg2fkpSE38gWEgn47/Qk6HQXEiNvItJ7XWvOg8xMbR0X83kP6Ctn3sr -tzMEaPsoABxVvu8BmYO1SFfEbR2MGiVbVb8dR1373E6dY1QcoNZVXfYPE0QaJff9 -vLORfXmjkqbeefZxgNj5BA2+yIE04td6jGmuVOl79kJz6VFm8osror68aMl/tP77 -70cA/mg632uMNQqhPdkA+iV+GDWbvscXGA9vCUztptX8F6V4eDy9sJKfyPg/Zz33 -ZSoWDe5C+lDLF2zg0Vrv5bXj0qtIpk704qSIcGnehXXeLaWndCnKb88p+W8/jcfP -QeLjCWnCPjGgeAHyAqEIO73puNltOn+aPXyxjtOi/KQRaS81aJZTxq4ffR44FB2z -I082Oa33gmnZbP3sYsVuH44QQAYUEkHBIIosiqklqEoa9G6+Dtm5zUZtmyP6Cx1a -xiN+5XQGoz1fh6sk9/TMW3fpqV0KS1Gu5JsgXTSxxXkarGueFrkCDQRREsLdARAA -3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFpOWvdhTW9056v+y22DoKbULjT8k+8 -GzuRQ0xp4VwCC1rX3UExwceczzGs+tSKuIGmg1ELygsaOZHdQBNLGPvn+TZNGlaY 
-XPlQo7m8YhXGHwgQrdKyjcFD5xnOHxe981LTq+IQ6jVYhho7/Qik9rVE1XHxoOfY -vnNZJD0cFdf9OcX47YoqmM4sZYPMoOmKoVQTsAAQ527wz742Bd6SpuhqBpdEw6Yi -CYxEoo5kBY3IhP3L5OTS4tzhOkdf1xlhWSnCFE7NkPcK6o+r6qCcUqRGV9jRwI97 -JlPKegEHYWvLD4Sk31pWi8NZ0toU/nqRvxbhhtHxuNf3jeAAzxQBhGVi0C/IBr4v -qyFqmEHr9JxIa3DTV8w/a0Y4hX2bczL9Y1cB6n8qOA68aAn+xerJcSOroTIJh83D -/7OguexGGYoZBDvX6dWguf8udFPeYpJvkT6TSYF9U0JpVTtlCNutjScUO2uaV9+u -DqACngwqbzBTjL8UucAleVcFfOi48yepnOd11YFYxbw+/BcqLNhi1eP2AaGxIgXb -R88tF9OC0SXaCH+1Z1bbalOmQNYstOv9BbsHvW7mPgX2xhyoDkVRWaNAQoDLbnJr -4gi9cD8/kQMzdlGOzt2ist/+xueblXJs5TOO80Rw+AEAEQEAAYkCUwQoAQoAPQUC -U4eKeDYdA1NpZ25pbmctb25seSBrZXksIHJldm9raW5nIGVuY3J5cHRpb24gY2Fw -YWJsZSBzdWJrZXkACgkQHjShgo4geQGeGw//fLw5CXRJ/aqz8qgEtI2+9O+Jxh6+ -Jiqyu7cYrRwcuTQLUXAjkE3ZrPRmWGHKL2xsshfO4D2R2KCU7eiy1J0WWvJrMQe6 -u/g8ryJX29tm4rt30L5Vn+iTOms6vHnaDzzK/KpZyrRNMlIhFaJhPYnx950uKVny -F7BSbKIqC3ngApZur4QN5oAv9W/09rMSJ2GIMXa9Mo+4fkDiZ8coHByyxBmbor8I -YsaLCz/ZKuT7RHBbh9mt3S2eIa79M7GV0+4lM2wi+hmPYoA8/Ngv+04hurNNrvgj -6vj1LH+qpEZ+zQdH4QcrQYXKO/1QCXFKKAk8CQw+lGGFcCcrwVgGfzm+ZTGS0OxJ -hXosHb+Bsdfh29fexCiAWMH9mSsNWmo554ZQSdmhOSe6CaYoDSDb+/+FDquzXwJW -ZjTYYez6lbHkJ7icPo5IGb3xxjsXB7vrDOWSIqNptsaRBSjQthsX8NUD8AC/qeSE -K7YL0J3tbuwBYUz3QN5Jk3nmZi+WLBHb9Gz6XruoUN5Cp0PZmYiLQjpU+ZNp2Nb2 -fVNZ/FurSHgu28VZN3fFdW7sQ5/moBLWP/8KK+yMWpJ6Aj5162dOL0+41y9w+u+c -xHuEZsOXFixgubFcljipTDNRfeHNZlsyuWubwYfiHMCFgArktdFRnmtDAnjDqTOk -8ENKxCfgWSoZzteJAiUEGAEKAA8CGwwFAlN2ZdEFCQRE1kEACgkQHjShgo4geQFc -nxAAmTf3BD3xxkU9l0j0uxkizVIWsh4jp+GNVhD80r1QZ6XUfQWlNZS0w8wQAymf -cD8u5EQEnkIegaBecEIVBTAcXxuSqWECaqD2L7S+A8J37gKK+wQ8TPQu+hQivGnR -5STjI/dWZ9iqyR5ZLrvK38obeoylsdRMOncIgJ1J5/ZOyH4IoAEbIwabrfJ/vZ/2 -R/lQXnoE9cu/095pECwHR5AUHl+FcG7B5KPYoY25cI8ZLMn2b9Nl3aK8/b4lVnJY -N9X6c7xcyKhcoUOW1KffVR9X7iiqWuLaZQVV4HX+flxsG6WrmQvGwzXcbcW0/AQA -4Rgd8Rz3X+5zvg2YbdjUMedC1C+nYJ4/nKQGm0uhA+p59jvQX95E2+Bsh4YTw5/v -GqHKRj2IOhROfXEPUtNLIoFbviR/uIEGaaXdhY/XIXn9AemJFXtwV4kBCmqbgou5 -DCKh5MVL8aq6cKfYUhDmlqk2fS7ONVUoMUdan4Ntz9COmCNT6Mdcv9jaZIjhkqzV 
-OW4cQnMGweTNFGnr9unHxztDA9pXrjyINcEZcqCEXNNEYoha0RQdZvEZzzed+65Y -IgwVvcx0n4doOiJmCI0WNPns1mhzKxDqLz8IfcpxWC1oCCFGP8is7Fgs0UPXoHem -1IsTue7PnRUH7PIWANg464yLlTCqr+hLhsLGjw7D0BR98zCZAg0EURLC3QEQALYJ -H5eBbTgNXBPjbu/ZPj6rP47/EY7BBxqVVpI5S6C5iB/b16cClvqZSpE45O4lY3Wf -DWW9eIDqIXGDoOMNSGynqPnhfsYAACNn1C5q8+Byytpy2wktHP1ZJaoOM4BixvgH -mnCZI8Api2ZEDEtXN3FSy4ezYfFE7hVado0lAQGPuPvO4ayC9IkFKr1WJyLpwYj1 -zV+xbIqyentHozniaZBFuwKDb4b83SGo7PQcTpmUkpUppmq5Os/EZYW5TeYBSnMU -trpaPwNJRiJZn/GuqIV1sHi3Ucze+UoH0sSD3cMS4b/xDRODYpLSURbF6q4FfITr -6OSUM2ol7IeZ+CS4B8WWQ1hrnzvRdPzszMYT+FLjSVuaFBUceXDEyQCIRExzRiz4 -5+BQkxsgNAE1EWDdD9uNqMWhUGAGgoWnsLbbOCgmRQ1P7sdi/+3rN4OUjM2GBiaz -l3SASIB4tq7CO7foGbBSxtAfB6NYo/ykANFkvVtOPQT6tFQzgUU2H0PZdMUUppo2 -5u5vy1Saj5lQgQQp8+E0cr3BL9uwXI+/3Lcct7Zvc1gYUrn4fOeqDw3Qf7b0jvMv -HtWk6HeJE3ctvG/10ya6RUm3DxGr9R2mt3dnmnygKKwWj6Sdj4n4iA2MLR6eI3yu -SSX/isg3l++85HxgK2znSEvV8DLd138woTHP5BNdABEBAAG0KUxFQVAgYXJjaGl2 -ZSBzaWduaW5nIGtleSA8c3lzZGV2QGxlYXAuc2U+iQI9BBMBCgAnBQJREsLdAhsD -BQkB4TOABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEB40oYKOIHkBkGIP/AnB -RVmN815Z2kqtjL0e1kTG1NxT/3jeWBFQ2KdS4s8VTiLaz6FHeHl/NdHXmdQP4gEm -VeXMtXYb8iNdg9OnhrSCoelZQtpvlK27sDMWI7jb9FZQDNYPUXKHpK5ncUMRG+F6 -J3yzhJeh7rLhwnkSt9KUlLqqqS7yyzyZLyUzUyn6Vz3BhNZD7yGZJSK8Blv1YsSW -MXGG8Se8Ao/APXyjv5L0YAEXBizF+VC8pkeC5o5WoESSyvL6+7yiRY2uDcuXd0NA -R5qGvuesusd7yCo40mA4T2OPFG9smYa0hRPIaqBZlnMF9Bcv/q5cvbdtaRhkORA2 -F+yb5yiUBXyCmP78Ter+4xfCrPVu/Tor8uwrc0fME0TnuQkcSGD0rdTDZbHmrAUx -TUYPGwHc/2n5PKoBugRkAHaKtNHL2Tyl4UHvDB/SxbcSDvxcWx/LiDJXrX1WcFH4 -9t86kqoUVcCh0XWYWIis9559pWkX1+JDk7C3SwmMNomdhPzeSwA7YCP5WxjdSOcO -sYVqJXw16K33L/xbwOqZncRkQX8zeJLTIOOqq30AIUP6OQaUpizIe/uBulOrTKLq -7+RFcdRMi9XAUv0zpnoBRwbyDOipsqFcZ9YoSrSU3kcCMn/9X2ujcN6QV3QD41A6 -UVXpe2ylnCmFV21bVZLTvweZWXAXl1sPylx9P9GNuQINBFESwt0BEADcWvD6Pof0 -xwQiL+COIbC/Gch0ZzwxxZyGcWk5a92FNb3Tnq/7LbYOgptQuNPyT7wbO5FDTGnh -XAILWtfdQTHBx5zPMaz61Iq4gaaDUQvKCxo5kd1AE0sY++f5Nk0aVphc+VCjubxi -FcYfCBCt0rKNwUPnGc4fF73zUtOr4hDqNViGGjv9CKT2tUTVcfGg59i+c1kkPRwV 
-1/05xfjtiiqYzixlg8yg6YqhVBOwABDnbvDPvjYF3pKm6GoGl0TDpiIJjESijmQF -jciE/cvk5NLi3OE6R1/XGWFZKcIUTs2Q9wrqj6vqoJxSpEZX2NHAj3smU8p6AQdh -a8sPhKTfWlaLw1nS2hT+epG/FuGG0fG41/eN4ADPFAGEZWLQL8gGvi+rIWqYQev0 -nEhrcNNXzD9rRjiFfZtzMv1jVwHqfyo4DrxoCf7F6slxI6uhMgmHzcP/s6C57EYZ -ihkEO9fp1aC5/y50U95ikm+RPpNJgX1TQmlVO2UI262NJxQ7a5pX364OoAKeDCpv -MFOMvxS5wCV5VwV86LjzJ6mc53XVgVjFvD78Fyos2GLV4/YBobEiBdtHzy0X04LR -JdoIf7VnVttqU6ZA1iy06/0Fuwe9buY+BfbGHKgORVFZo0BCgMtucmviCL1wPz+R -AzN2UY7O3aKy3/7G55uVcmzlM47zRHD4AQARAQABiQIlBBgBCgAPBQJREsLdAhsM -BQkB4TOAAAoJEB40oYKOIHkB0yoP/1Je6UmrpDhTto3qjtMsxTYyCp5aq0GrBM0i -KwGhImNer053iI3ZLkCTCj9lA7TWdE089z3KPCJ2BvvAJQUM2CVQO4ZLaddpDRcA -7zeocw6w5E3ZL3d07rFVFfYKGHOX1tSvVYhBwz6Uiz8tkJfau8qWwViZlAdf+JuF -CztPTVFdqPAmrDHJfJU8v6Q816jC9rhlR/qvN2opkt8WDInIZ0cjXxsXqVqGAd03 -Y45rAR5TYr4yWW5HdlqGjI3i7UyqKN/qyeZ93T74QioMfBg+fvQXgk90yHK5WlgF -XJW2yAfL1bl9L7NKP69f6qPowFd0UGz5r2evwZkk7gFQ/aa3I2CYR9RVB59Ieer7 -Q6UY9kbitrFMSol+nYpNEIYHiEjNhY7WDVw4F5fEV9cl2Rfwugps/mzYrOf2wAro -HGZrM69I2m6KYIM28qNHTSIo1LgPGLHYUFdBT/ilWkYeNdNA/pGp5OsB51e+mAId -Y/VQiWzAhB5waZBwn+FFmN37S+VyN8JiFkevs33oNroLLy/Z9mJkdpIC3tPaghn1 -feASH+Q6UsNy4h28wdR+iOfQys8J7UCo4fJBCqGRXKW9mlLQ90TRVbc+Yn3y4p9f -YVUA5NQPhHDef0TDtt8zbj0e4/gk5eL9KSniwEH/GCu1XW74T4FbRJL8E6LB+sjj -FTL4yta7 -=DRTl ------END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.3 From 93b0c3833f2f0a69b8d88df9aa2f4922e48e0143 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 9 Mar 2016 17:37:08 +0100 Subject: Update submoduls nagios --- puppet/modules/nagios | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/nagios b/puppet/modules/nagios index 6c3ca97f..4081c669 160000 --- a/puppet/modules/nagios +++ b/puppet/modules/nagios @@ -1 +1 @@ -Subproject commit 6c3ca97f1524e2b6242c27a2c97dbfb78105889f +Subproject commit 4081c66952614743b60b5031791cb43d23d48fa1 -- cgit v1.2.3 From 0810e24d7b063c613a482fa04f43be89c6b38fb9 Mon Sep 17 00:00:00 2001 
From: varac Date: Wed, 9 Mar 2016 17:39:34 +0100 Subject: Update submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index 205859d8..3df00e29 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit 205859d87884ac4ceee6d1365548e7dc55640bfa +Subproject commit 3df00e29388adbf1c0e058df09a7c3886edbaca1 -- cgit v1.2.3 From f8a54119d7b7b3a3e5042c4ed3bfd03ebb88a544 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 9 Mar 2016 18:04:55 +0100 Subject: [bug] Adopt new parameters from nagios and check_mk module --- puppet/modules/site_check_mk/manifests/agent.pp | 3 ++- puppet/modules/site_nagios/manifests/server.pp | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index 8d8ab814..b95d5d64 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -15,7 +15,8 @@ class site_check_mk::agent { agent_package_name => 'check-mk-agent', agent_logwatch_package_name => 'check-mk-agent-logwatch', method => 'ssh', - homedir => '/etc/nagios/check_mk', + authdir => '/root/.ssh', + authfile => 'authorized_keys', register_agent => false, require => Package['time'] } -> diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index bb3948c0..5939c82b 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -21,7 +21,7 @@ class site_nagios::server inherits nagios::base { # it in site_apache::common httpd => 'absent', allow_external_cmd => true, - stored_config => false, + storeconfigs => false, } # Delete nagios config files provided by packages -- cgit v1.2.3 
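Review bot: The new `authdir => '/root/.ssh'` / `authfile => 'authorized_keys'` pair puts the check_mk server's key straight into root's authorized_keys on every agent host, i.e. the monitoring server gets a root SSH login, and nothing in the hunk shows whether the module writes that entry with a forced command (`command="..."`, `no-port-forwarding`, `no-pty`) that confines the key to running the agent. Confirm that the check_mk module's `method => 'ssh'` path adds those options, and record the result in a comment above the resource so the next reader does not have to re-derive it. If the old `homedir => '/etc/nagios/check_mk'` left a key file under that directory on already-provisioned hosts, it is now unmanaged and a cleanup resource may be wanted. The class site_check_mk::agent starts outside the hunk.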
From 91251fd30a7b1e5baa17aeff932d8bd13c370d8a Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Mar 2016 13:52:06 +0100 Subject: Add Dependencies to site_nagios resources --- puppet/modules/site_nagios/manifests/server.pp | 8 +++++--- puppet/modules/site_nagios/manifests/server/add_contacts.pp | 4 +++- puppet/modules/site_nagios/manifests/server/contactgroup.pp | 4 +++- puppet/modules/site_nagios/manifests/server/hostgroup.pp | 3 ++- 4 files changed, 13 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 5939c82b..aa9b956e 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -46,11 +46,13 @@ class site_nagios::server inherits nagios::base { # is not fixed, we need to manually deploy the config file file { '/etc/apache2/conf-available/nagios3.conf': - ensure => present, - source => 'puppet:///modules/nagios/configs/apache2.conf'; + ensure => present, + source => 'puppet:///modules/nagios/configs/apache2.conf', + require => [ Package['nagios3'], Package['apache2'] ]; '/etc/apache2/conf-enabled/nagios3.conf': ensure => link, - target => '/etc/apache2/conf-available/nagios3.conf'; + target => '/etc/apache2/conf-available/nagios3.conf', + require => [ Package['nagios3'], Package['apache2'] ]; } include site_apache::common diff --git a/puppet/modules/site_nagios/manifests/server/add_contacts.pp b/puppet/modules/site_nagios/manifests/server/add_contacts.pp index db507abf..b5c6f0a5 100644 --- a/puppet/modules/site_nagios/manifests/server/add_contacts.pp +++ b/puppet/modules/site_nagios/manifests/server/add_contacts.pp @@ -1,3 +1,4 @@ +# configure a nagios_contact define site_nagios::server::add_contacts ($contact_emails) { $environment = $name 
@@ -11,6 +12,7 @@ define site_nagios::server::add_contacts ($contact_emails) { host_notification_options => 'd,r', service_notification_commands => 'notify-service-by-email', host_notification_commands => 'notify-host-by-email', - email => join($contact_emails, ', ') + email => join($contact_emails, ', '), + require => Package['nagios'] } } diff --git a/puppet/modules/site_nagios/manifests/server/contactgroup.pp b/puppet/modules/site_nagios/manifests/server/contactgroup.pp index 188c54f1..5e60dd06 100644 --- a/puppet/modules/site_nagios/manifests/server/contactgroup.pp +++ b/puppet/modules/site_nagios/manifests/server/contactgroup.pp @@ -1,6 +1,8 @@ +# configure a contactgroup define site_nagios::server::contactgroup ($contact_emails) { nagios_contactgroup { $name: - members => $name + members => $name, + require => Package['nagios'] } } diff --git a/puppet/modules/site_nagios/manifests/server/hostgroup.pp b/puppet/modules/site_nagios/manifests/server/hostgroup.pp index 25623924..0692fced 100644 --- a/puppet/modules/site_nagios/manifests/server/hostgroup.pp +++ b/puppet/modules/site_nagios/manifests/server/hostgroup.pp @@ -1,6 +1,7 @@ # create a nagios hostsgroup define site_nagios::server::hostgroup ($contact_emails) { nagios_hostgroup { $name: - ensure => present + ensure => present, + require => Package['nagios'] } } -- cgit v1.2.3 From 3c4b42c0658a432a3efef8e1b3f07b49ada1ddac Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Mar 2016 20:24:04 +0100 Subject: Update submodule nagios --- puppet/modules/nagios | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/nagios b/puppet/modules/nagios index 4081c669..dd744316 160000 --- a/puppet/modules/nagios +++ b/puppet/modules/nagios @@ -1 +1 @@ -Subproject commit 4081c66952614743b60b5031791cb43d23d48fa1 +Subproject commit dd7443163c1471b847549de1d6d2ee7606079ee7 -- cgit v1.2.3 From aa2c2590e7b976805402c4c0a2ebe4b554304a85 Mon Sep 17 00:00:00 2001 
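Review bot: The `require => Package['nagios']` added in add_contacts.pp, contactgroup.pp and hostgroup.pp refers to a package resource titled `nagios`, while the server.pp hunk of the preceding commit depends on `Package['nagios3']` for the same daemon; unless the nagios module declares both titles (its package declaration is not visible here), one of the two references is unresolved and the catalog fails to compile. Pick the title the module actually declares and use it in all four places, e.g. `require => Package['nagios3']` in the three defines. The pre-existing `# create a nagios hostsgroup` comment in hostgroup.pp could be corrected to `# create a nagios hostgroup` while the file is being touched.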
From: varac Date: Tue, 8 Mar 2016 13:51:32 +0100 Subject: [bug] Remove stunnel leftovers from bigcouch - Resolves: #7785
--- .../site_config/manifests/remove/bigcouch.pp | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'puppet/modules')
diff --git a/puppet/modules/site_config/manifests/remove/bigcouch.pp b/puppet/modules/site_config/manifests/remove/bigcouch.pp
index 26ba8d09..3535c3c1 100644
--- a/puppet/modules/site_config/manifests/remove/bigcouch.pp
+++ b/puppet/modules/site_config/manifests/remove/bigcouch.pp
@@ -18,4 +18,25 @@ class site_config::remove::bigcouch {
 cron { 'compact_all_shards': ensure => absent }
+
+
+ exec { 'kill_bigcouch_stunnel_procs':
+ refreshonly => true,
+ command => '/usr/bin/pkill -f "/usr/bin/stunnel4 /etc/stunnel/(ednp|epmd)_server.conf"'
+ }
+
+ # 'tidy' doesn't notify other resources, so we need to use file here instead
+ # see https://tickets.puppetlabs.com/browse/PUP-6021
+ file {
+ [ '/etc/stunnel/ednp_server.conf', '/etc/stunnel/epmd_server.conf']:
+ ensure => absent,
+ # notifying Service[stunnel] doesn't work here because the config
+ # files contain the pid of the procs to stop/start.
+ # If we remove the config, and restart stunnel then it will only
+ # stop/start the procs for which config files are found and the stale
+ # service will continue to run.
+ # So we simply kill them.
+ notify => Exec['kill_bigcouch_stunnel_procs']
+ }
+
 }
-- cgit v1.2.3 From 65335becbf8602b65ed385090400088f56293d9b Mon Sep 17 00:00:00 2001
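Review bot: `pkill` exits 1 when nothing matched, so `Exec['kill_bigcouch_stunnel_procs']` will be reported as failed whenever the config files are removed on a host whose stunnel4 processes are already gone (after a reboot, or where the files were left behind but the service never started); add `returns => [0, 1]` to the exec. `-f` also matches the pattern as an extended regex against the full command line, so the `.` in `/usr/bin/stunnel4` is a wildcard and a `\.` would state the intent, though the practical risk of a false match is low. The class site_config::remove::bigcouch starts outside the hunk.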
From: varac Date: Thu, 10 Mar 2016 21:12:11 +0100 Subject: [jessie] Remove obsolete backports pinning --- puppet/modules/leap_mx/manifests/init.pp | 2 -- puppet/modules/obfsproxy/manifests/init.pp | 3 +-- puppet/modules/site_apt/manifests/init.pp | 5 ----- puppet/modules/site_apt/manifests/preferences/obfsproxy.pp | 9 --------- puppet/modules/site_apt/manifests/preferences/twisted.pp | 9 --------- puppet/modules/site_apt/manifests/preferences/unbound.pp | 10 ---------- puppet/modules/site_config/manifests/caching_resolver.pp | 2 -- puppet/modules/site_config/manifests/remove/jessie.pp | 5 +++++ puppet/modules/site_obfsproxy/manifests/init.pp | 2 -- puppet/modules/soledad/manifests/client.pp | 4 +--- puppet/modules/soledad/manifests/common.pp | 2 -- puppet/modules/soledad/manifests/server.pp | 5 +---- 12 files changed, 8 insertions(+), 50 deletions(-) delete mode 100644 puppet/modules/site_apt/manifests/preferences/obfsproxy.pp delete mode 100644 puppet/modules/site_apt/manifests/preferences/twisted.pp delete mode 100644 puppet/modules/site_apt/manifests/preferences/unbound.pp (limited to 'puppet/modules') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 6bdcec42..6dfee44d 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -10,7 +10,6 @@ class leap_mx { $sources = hiera('sources') include soledad::common - include site_apt::preferences::twisted # # USER AND GROUP @@ -98,7 +97,6 @@ class leap_mx { $sources['leap-mx']['package']: ensure => $sources['leap-mx']['revision'], require => [ - Class['site_apt::preferences::twisted'], Class['site_apt::leap_repo'], User['leap-mx'] ]; diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 61714fdf..5c78560a 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp 
@@ -67,8 +67,7 @@ class obfsproxy ( } package { 'obfsproxy': - ensure => present, - require => Class['site_apt::preferences::obfsproxy'], + ensure => present } service { 'obfsproxy': diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index d6fe0e72..455425c1 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -42,11 +42,6 @@ class site_apt { # content => template('site_apt/secondary.list'); #} - apt::preferences_snippet { 'facter': - release => "${::lsbdistcodename}-backports", - priority => 999 - } - apt::preferences_snippet { 'leap': priority => 999, package => '*', diff --git a/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp b/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp deleted file mode 100644 index 75b01956..00000000 --- a/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp +++ /dev/null @@ -1,9 +0,0 @@ -class site_apt::preferences::obfsproxy { - - apt::preferences_snippet { 'obfsproxy': - package => 'obfsproxy', - release => 'wheezy-backports', - priority => 999; - } - -} diff --git a/puppet/modules/site_apt/manifests/preferences/twisted.pp b/puppet/modules/site_apt/manifests/preferences/twisted.pp deleted file mode 100644 index abff6838..00000000 --- a/puppet/modules/site_apt/manifests/preferences/twisted.pp +++ /dev/null @@ -1,9 +0,0 @@ -class site_apt::preferences::twisted { - - apt::preferences_snippet { 'python-twisted': - package => 'python-twisted*', - release => "${::lsbdistcodename}-backports", - priority => 999; - } - -} diff --git a/puppet/modules/site_apt/manifests/preferences/unbound.pp b/puppet/modules/site_apt/manifests/preferences/unbound.pp deleted file mode 100644 index 6da964f9..00000000 --- a/puppet/modules/site_apt/manifests/preferences/unbound.pp +++ /dev/null 
@@ -1,10 +0,0 @@ -class site_apt::preferences::unbound { - - apt::preferences_snippet { 'unbound': - package => 'libunbound* unbound*', - release => "${::lsbdistcodename}-backports", - priority => 999, - before => Class['unbound::package']; - } - -} diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index cdebbad0..50824fdd 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,8 +1,6 @@ class site_config::caching_resolver { tag 'leap_base' - include site_apt::preferences::unbound - class { 'unbound': root_hints => false, anchor => false, diff --git a/puppet/modules/site_config/manifests/remove/jessie.pp b/puppet/modules/site_config/manifests/remove/jessie.pp index c813e46d..e9497baf 100644 --- a/puppet/modules/site_config/manifests/remove/jessie.pp +++ b/puppet/modules/site_config/manifests/remove/jessie.pp @@ -6,4 +6,9 @@ class site_config::remove::jessie { notify => Exec['apt_updated']; } + apt::preferences_snippet { + [ 'facter', 'obfsproxy', 'python-twisted', 'unbound' ]: + ensure => absent; + } + } diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp index b622588b..2ed5ec9e 100644 --- a/puppet/modules/site_obfsproxy/manifests/init.pp +++ b/puppet/modules/site_obfsproxy/manifests/init.pp @@ -20,8 +20,6 @@ class site_obfsproxy { } include site_config::default - include site_apt::preferences::twisted - include site_apt::preferences::obfsproxy class { 'obfsproxy': transport => $transport, diff --git a/puppet/modules/soledad/manifests/client.pp b/puppet/modules/soledad/manifests/client.pp index 5700cb09..e470adeb 100644 --- a/puppet/modules/soledad/manifests/client.pp +++ b/puppet/modules/soledad/manifests/client.pp 
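Review bot: The absent `apt::preferences_snippet` resources added to remove/jessie.pp carry no ordering, so on the first run after this change the old pin files can still be present when the `Package` resources for obfsproxy, python-twisted, unbound or facter are evaluated, and those packages would be resolved against the stale backports pins one more time; the deleted unbound snippet had `before => Class['unbound::package']` precisely to avoid that. Ordering the four snippets before the affected package resources would make the first run deterministic; the right anchor depends on how site_apt is wired, which is not visible here. The class site_config::remove::jessie starts outside the hunk.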
@@ -8,9 +8,7 @@ class soledad::client { package { 'soledad-client': ensure => latest, - require => [ - Class['site_apt::preferences::twisted'], - Class['site_apt::leap_repo'] ]; + require => Class['site_apt::leap_repo']; 'python-u1db': ensure => latest; } diff --git a/puppet/modules/soledad/manifests/common.pp b/puppet/modules/soledad/manifests/common.pp index d66e943c..8d8339d4 100644 --- a/puppet/modules/soledad/manifests/common.pp +++ b/puppet/modules/soledad/manifests/common.pp @@ -1,8 +1,6 @@ # install soledad-common, both needed both soledad-client and soledad-server class soledad::common { - include site_apt::preferences::twisted - package { 'soledad-common': ensure => latest; } diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index f46c1eff..8674f421 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -4,7 +4,6 @@ class soledad::server { include site_config::default include soledad::common - include site_apt::preferences::twisted $soledad = hiera('soledad') $couchdb_user = $soledad['couchdb_soledad_user']['username'] @@ -53,9 +52,7 @@ class soledad::server { package { $sources['soledad']['package']: ensure => $sources['soledad']['revision'], - require => [ - Class['site_apt::preferences::twisted'], - Class['site_apt::leap_repo'] ]; + require => Class['site_apt::leap_repo']; } file { '/etc/default/soledad': -- cgit v1.2.3 From e3112d668a0c8bf334696a251bfc1b5af12ee844 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Mar 2016 21:28:46 +0100 Subject: [feat] add /etc/nagios3/conf.d/local as confdir - Related: #2327 --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 695f437b..62f26f2c 100644 
--- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -24,6 +24,7 @@ log_file=/var/log/nagios3/nagios.log # Check_mk configuration files cfg_dir=/etc/nagios3/conf.d/check_mk +cfg_dir=/etc/nagios3/local # Puppet-managed configuration files cfg_file=/etc/nagios3/nagios_templates.cfg -- cgit v1.2.3 From f69f7ca97791945d0bbe61eda84e69a8ed460e04 Mon Sep 17 00:00:00 2001 From: Micah Date: Sun, 6 Mar 2016 09:23:34 -0500 Subject: Set MUA required ciphers, tighten up the mandatory protocols (#4232) Change-Id: I328aa37b393817e1764ea7e635fcefc801adbbf4 --- puppet/modules/site_postfix/manifests/mx.pp | 1 + puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 10 ++++++++++ puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp | 11 +++++++++++ 3 files changed, 22 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 3230d4f0..7837f415 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -119,6 +119,7 @@ class site_postfix::mx { smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt + -o tls_preempt_cipherlist=yes ${smtpd_relay_restrictions} -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions -o smtpd_helo_restrictions=\$smtps_helo_restrictions -o smtpd_client_restrictions= diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp index 4eb80dd6..b27c0e3c 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp 
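Review bot: The added line is `cfg_dir=/etc/nagios3/local`, but the commit subject announces `/etc/nagios3/conf.d/local`; one of the two is wrong, and the subject suggests the directory was meant to live under conf.d. As far as I recall Nagios treats a cfg_dir that does not exist as a configuration error and refuses to start, so whichever path is chosen should also be created by site_nagios with a `file { ...: ensure => directory }` resource — nothing in this commit does that. The line also sits directly under the `# Check_mk configuration files` heading although it has nothing to do with check_mk; a blank line and its own heading such as `# Local, hand-maintained configuration files` would keep nagios.cfg readable.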
@@ -28,5 +28,15 @@ class site_postfix::mx::smtp_tls { # see issue #4011 'smtp_tls_protocols': value => '!SSLv2, !SSLv3'; + 'smtp_tls_mandatory_protocols': + value => '!SSLv2, !SSLv3'; + 'tls_ssl_options': + value => 'NO_COMPRESSION'; + # We can switch between the different postfix internal list of ciphers by + # using smtpd_tls_ciphers. For server-to-server connections we leave this + # at its default because of opportunistic encryption combined with many mail + # servers only support outdated protocols and ciphers and if we are too + # strict with required ciphers, then connections *will* fall-back to + # plain-text. Bad ciphers are still better than plain text transmission. } } diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp index 9fed3874..02a59942 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp 
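Review bot: The new comment says `smtpd_tls_ciphers`, but smtp_tls.pp configures Postfix's SMTP client side, where the corresponding knobs are `smtp_tls_ciphers` and `smtp_tls_mandatory_ciphers`; as written it points the next maintainer at the server-side parameter. The sentence starting 'because of opportunistic encryption combined with many mail servers only support' is also hard to parse; suggested wording: `# For server-to-server connections we leave smtp_tls_ciphers at its default: TLS there is opportunistic and many peers only support outdated protocols and ciphers, so a strict cipher list would make those deliveries fall back to plain text, which is worse than a weak cipher.` The class site_postfix::mx::smtp_tls starts outside the hunk.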
@@ -20,6 +20,17 @@ class site_postfix::mx::smtpd_tls { value => 'ultra'; 'smtpd_tls_session_cache_database': value => 'btree:${data_directory}/smtpd_scache'; + # see issue #4011 + 'smtpd_tls_mandatory_protocols': + value => '!SSLv2, !SSLv3'; + 'smtpd_tls_protocols': + value => '!SSLv2, !SSLv3'; + # For connections to MUAs, TLS is mandatory and the ciphersuite is modified. + # MX and SMTP client configuration + 'smtpd_tls_mandatory_ciphers': + value => 'high'; + 'tls_high_cipherlist': + value => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; } # Setup DH parameters -- cgit v1.2.3 From b3a40e6bf67c6d047253b2454ba824b6f5a7f2e8 Mon Sep 17 00:00:00 2001 From: Micah Date: Fri, 11 Mar 2016 11:53:53 -0500 Subject: update tor submodule to latest, to adapt to new jessie puppet requirements Change-Id: I0ed4827bc53da280d9ed62ea71382ca302ce6924 --- puppet/modules/tor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/tor b/puppet/modules/tor index dcb6e748..396e5d88 160000 --- a/puppet/modules/tor +++ b/puppet/modules/tor @@ -1 +1 @@ -Subproject commit dcb6e748864e7dfd3c14f4f2aba4c9120f12b78a +Subproject commit 396e5d888882a9511df673d51f0af78998ef9b26 -- cgit v1.2.3 From ee6cad0750e853b3ac210d17b79471772bfae2a5 Mon Sep 17 00:00:00 2001 
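Review bot: The `tls_high_cipherlist` value contains `!PSK!aECDH` — the colon between the two exclusions is missing — and it lists `DES-CBC3-SHA` positively while also excluding `!3DES`, so that positive entry is dead (a `!` removes the cipher permanently). OpenSSL's parser appears to tolerate the missing separator, but it should read `:!PSK:!aECDH:`, and the `DES-CBC3-SHA` and `:AES:CAMELLIA` catch-alls should be dropped or justified; verify the resulting list with `openssl ciphers -v '<list>'` before merging. Note also that overriding `tls_high_cipherlist` changes what `high` means for every context that selects it, not only the MUA-facing mandatory case the comment describes.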
From: Micah Date: Fri, 11 Mar 2016 12:16:42 -0500 Subject: fix tor-related jessie deprecation problems (#7962) Change-Id: If493b8a1f06a786df36a28aa1fc592e270eba639 --- .../modules/site_apache/templates/vhosts.d/hidden_service.conf.erb | 2 +- puppet/modules/site_webapp/files/server-status.conf | 4 +--- puppet/modules/site_webapp/manifests/hidden_service.pp | 6 ++++-- 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 653664ec..232b1577 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -1,5 +1,5 @@ - ServerName <%= tor_domain %> + ServerName <%= @tor_domain %> Header always unset X-Powered-By diff --git a/puppet/modules/site_webapp/files/server-status.conf b/puppet/modules/site_webapp/files/server-status.conf index 84cb9ae0..10b2d4ed 100644 --- a/puppet/modules/site_webapp/files/server-status.conf +++ b/puppet/modules/site_webapp/files/server-status.conf @@ -7,14 +7,12 @@ ExtendedStatus On #SeeRequestTail On Listen 127.0.0.1:8162 -NameVirtualHost 127.0.0.1:8162 SetHandler server-status - Order deny,allow - Deny from all + Require all granted Allow from 127.0.0.1 diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp index 12eb1793..72a2ce95 100644 --- a/puppet/modules/site_webapp/manifests/hidden_service.pp +++ b/puppet/modules/site_webapp/manifests/hidden_service.pp @@ -10,7 +10,7 @@ class site_webapp::hidden_service { include apache::module::removeip include tor::daemon - tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' } + tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'] } file { '/var/lib/tor/webapp/': 
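Review bot: `Require all granted` replaces `Deny from all`, but the `Allow from 127.0.0.1` below it survives, and with mod_access_compat and no `Order`/`Deny` that `Allow` restricts nothing — so the status handler is now granted to any client that can reach it, and the only thing keeping it local is the `Listen 127.0.0.1:8162` bind. The 2.4 form of the original intent is a single line, `Require ip 127.0.0.1` (or `Require local`), replacing both `Require all granted` and `Allow from 127.0.0.1`; that also removes the need for the access_compat module this commit enables. The enclosing Location container is not visible in this hunk.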
@@ -38,7 +38,9 @@ class site_webapp::hidden_service { # because we are configuring our own version that is unavailable # over the hidden service (see: #7456 and #7776) apache::module { 'status': ensure => present, conf_content => ' ' } - + # the access_compat module is required to enable Allow directives + apache::module { 'access_compat': ensure => present } + apache::vhost::file { 'hidden_service': content => template('site_apache/vhosts.d/hidden_service.conf.erb'); -- cgit v1.2.3 From 983856ad02b144be081a8857c6685e225b54f33f Mon Sep 17 00:00:00 2001 From: Micah Date: Fri, 11 Mar 2016 15:49:33 -0500 Subject: update backupninja to latest shared version Change-Id: I886b104b1caf561477361e382dae54d718ea88c2 --- puppet/modules/backupninja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/backupninja b/puppet/modules/backupninja index daeb1a1f..49751354 160000 --- a/puppet/modules/backupninja +++ b/puppet/modules/backupninja @@ -1 +1 @@ -Subproject commit daeb1a1f112a4dbf6b39565f0dea461e46a64681 +Subproject commit 497513547be79f9d3c8e96f1650ec43ee634b277 -- cgit v1.2.3 From 0065ffb8087d5d47445e95abb224d6941e74cf38 Mon Sep 17 00:00:00 2001 From: Micah Date: Fri, 11 Mar 2016 15:54:57 -0500 Subject: update tor module to fix deprecated variable references (see https://gitlab.com/shared-puppet-modules-group/tor/merge_requests/3) Change-Id: I7905bedc0256bc1c7b9d7316584c9622b92b7670 --- puppet/modules/tor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/tor b/puppet/modules/tor index 396e5d88..8c936c16 160000 --- a/puppet/modules/tor +++ b/puppet/modules/tor @@ -1 +1 @@ -Subproject commit 396e5d888882a9511df673d51f0af78998ef9b26 +Subproject commit 8c936c166b6da1ebd0e8d95e56ceee5167357d63 -- cgit v1.2.3 From 4183a10168c61366448e39cf4db45eebc741a27e Mon Sep 17 00:00:00 2001 
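Review bot: The comment on `apache::module { 'access_compat' ... }` says it is needed for `Allow` directives but not where they live, and the module is enabled server-wide rather than for this vhost, so it re-enables legacy `Order/Allow/Deny` semantics for every site on the host. If the only remaining consumer is the `Allow from 127.0.0.1` in site_webapp's server-status.conf, converting that to `Require ip 127.0.0.1` lets this resource go away; until then the comment should read `# access_compat is needed for the legacy Allow directive in files/server-status.conf; drop once that uses Require`.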
From: elijah Date: Sun, 13 Mar 2016 11:57:21 -0700 Subject: static site: don't call site_static::location unless locations are actually defined. --- puppet/modules/site_static/manifests/domain.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index b9177f25..5537d247 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -10,7 +10,9 @@ define site_static::domain ( $domain = $name $base_dir = '/srv/static' - create_resources(site_static::location, $locations) + if is_hash($locations) { + create_resources(site_static::location, $locations) + } x509::cert { $domain: content => $cert, -- cgit v1.2.3 From 7d5450b1e37ab59bd241ae7e3557c39ea9844030 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 17 Mar 2016 13:58:33 +0100 Subject: update nagios submodule --- puppet/modules/nagios | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/nagios b/puppet/modules/nagios index dd744316..2808a7bf 160000 --- a/puppet/modules/nagios +++ b/puppet/modules/nagios @@ -1 +1 @@ -Subproject commit dd7443163c1471b847549de1d6d2ee7606079ee7 +Subproject commit 2808a7bfd649ee30847c72ad131d6c000bac1a1f -- cgit v1.2.3 From 7699762d6f94764b1183856c66a2640261fb46dc Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 18 Mar 2016 11:36:26 +0100 Subject: update submodule nagios --- puppet/modules/nagios | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/nagios b/puppet/modules/nagios index 2808a7bf..98a6ba01 160000 --- a/puppet/modules/nagios +++ b/puppet/modules/nagios @@ -1 +1 @@ -Subproject commit 2808a7bfd649ee30847c72ad131d6c000bac1a1f +Subproject commit 98a6ba0164ba55a619d0db7e6b50616f382ab454 -- cgit v1.2.3 From b1311b89b3626fe4194801f1c8d954a6f0d9b70e Mon Sep 17 00:00:00 2001 
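Review bot: `if is_hash($locations)` silently does nothing when `$locations` is set but of the wrong type (a string or array from a mis-edited node config), so the domain would be deployed with no locations and no error. Keep the guard for the undef case but fail loudly otherwise: `} elsif $locations { fail("site_static::domain[${name}]: locations must be a hash") }`. The define's parameter list, including the default of `$locations`, is outside the hunk.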
From: varac Date: Mon, 21 Mar 2016 11:07:04 +0100 Subject: update submodule nagios --- puppet/modules/nagios | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/nagios b/puppet/modules/nagios index 98a6ba01..68dab01a 160000 --- a/puppet/modules/nagios +++ b/puppet/modules/nagios @@ -1 +1 @@ -Subproject commit 98a6ba0164ba55a619d0db7e6b50616f382ab454 +Subproject commit 68dab01a85996e14efcccf856b623a2caf257823 -- cgit v1.2.3 From b256733c944d65d0af339c472fcb28237f570ed1 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Mar 2016 21:30:03 +0200 Subject: [bug] Fix couch_stats script It failed to calculate the sessions and tokens db names. - Resolves: #7658 --- .../files/agent/local_checks/couchdb/leap_couch_stats.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh b/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh index 83b407e0..c7477b18 100755 --- a/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh +++ b/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh @@ -11,7 +11,7 @@ start_time=$(date +%s.%N) CURL='curl -s --netrc-file /etc/couchdb/couchdb.netrc' URL='http://127.0.0.1:5984' TMPFILE=$(mktemp) -DBLIST_EXCLUDE='(user-|sessions_|tokens_)' +DBLIST_EXCLUDE='(user-|sessions_|tokens_|_replicator|_users)' PREFIX='Couchdb_' @@ -104,7 +104,7 @@ do done # special handling for rotated dbs -suffix=$(($(date +'%s') / (60*60*24*30) + 1)) +suffix=$(($(date +'%s') / (60*60*24*30))) db_stats "sessions_${suffix}" "sessions" db_stats "tokens_${suffix}" "tokens" -- cgit v1.2.3 From 90e1d3ec113d2644b659fd6ed9af7d2b94393407 Mon Sep 17 00:00:00 2001 
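Review bot: The rotation bucket `$(date +'%s') / (60*60*24*30)` at the bottom of the hunk reproduces by hand whatever scheme names the `sessions_*`/`tokens_*` databases elsewhere, and the removed `+ 1` shows how easily the two drift; when they do, `db_stats` is pointed at a database that does not exist and the check presumably reports nothing useful rather than failing. Add a comment naming the source of truth, e.g. `# must match the 30-day rotation the webapp uses for sessions/tokens dbs (#7658)`, and consider having `db_stats` emit a CRITICAL when the named db returns 404. `db_stats` itself is defined outside this hunk.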
From: Azul Date: Sun, 3 Apr 2016 16:05:01 +0200 Subject: check_mk: monitor webapp log for response code 500 --- puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg index 008e9e09..337d9ec6 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/webapp.cfg @@ -1,5 +1,7 @@ /var/log/leap/webapp.log # check for webapp errors + C Completed 500 +# couch connection issues C webapp.*Could not connect to couch database messages due to 401 Unauthorized: {"error":"unauthorized","reason":"You are not a server admin."} # ignore RoutingErrors that rails throw when it can't handle a url # see https://leap.se/code/issues/5173 -- cgit v1.2.3 From eac3056c237d523f4786593922fe8f88eb65dff7 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 29 Mar 2016 13:27:01 -0700 Subject: testing: adds mx delivery tests --- puppet/modules/site_config/templates/hosts | 3 ++- puppet/modules/site_postfix/manifests/mx/static_aliases.pp | 2 +- puppet/modules/site_webapp/templates/config.yml.erb | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index d557f730..d62cbc3f 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -6,7 +6,8 @@ <%- if @hosts then -%> <% @hosts.keys.sort.each do |name| -%> <%- props = @hosts[name] -%> -<%= props["ip_address"] %> <%= props["domain_full"] %> <%= props["domain_internal"] %> <%= name %> +<%- aliases = props["aliases"] ? props["aliases"].join(' ') : nil -%> +<%= [props["ip_address"], props["domain_full"], props["domain_internal"], aliases, name].compact.uniq.join(' ') %> <% end -%> <% end -%> 
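Review bot: `aliases` is joined into one string before it enters the array, so the `.compact.uniq` on the next line cannot drop an alias that duplicates `domain_full`, `domain_internal` or `name`, and a `nil` alias inside the list is not compacted either. Splatting the list instead keeps each alias a separate element: `<%= [props["ip_address"], props["domain_full"], props["domain_internal"], *Array(props["aliases"]), name].compact.uniq.join(' ') %>`, which also lets the `aliases =` line go. Behaviour for an entry with no `ip_address` is unchanged by either form — it would still be emitted without an address.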
diff --git a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp index 71c0555a..9cd7ca02 100644 --- a/puppet/modules/site_postfix/manifests/mx/static_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/static_aliases.pp @@ -40,7 +40,7 @@ class site_postfix::mx::static_aliases { $local_aliases = [ 'admin', 'administrator', 'bin', 'cron', 'games', 'ftp', 'lp', 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postgresql', 'ssladmin', 'sys', - 'usenet', 'uucp', 'www', 'www-data' + 'usenet', 'uucp', 'www', 'www-data', 'leap-mx' ] postfix::mailalias { diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index c2e9f3df..dd55d3e9 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -22,7 +22,8 @@ production = { "service_levels" => @webapp['service_levels'], "allow_registration" => @webapp['allow_registration'], "handle_blacklist" => @webapp['forbidden_usernames'], - "invite_required" => @webapp['invite_required'] + "invite_required" => @webapp['invite_required'], + "api_tokens" => @webapp['api_tokens'] } if @webapp['engines'] && @webapp['engines'].any? -- cgit v1.2.3 From 15b83d88dcedab496a19cef57f11c5c8e091dd4a Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Apr 2016 09:30:44 -0400 Subject: Fix postfix connection to opendkim milter (#8020) In order for postfix to access the opendkim milter socket, we need to remove the chroot option for the cleanup service. See e97a9d3800b173375a630e18e4b1aa0894eb96e1 for opendkim implementation. Change-Id: I2742650965e61273fb804ebe9ce3f9bd38796582 --- puppet/modules/site_postfix/manifests/mx.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 7837f415..c269946b 100644 
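Review bot: `"api_tokens" => @webapp['api_tokens']` writes credentials into config.yml in the clear, and nothing in this hunk shows the file's owner or mode; if config.yml is rendered with a permissive mode, every local user on the webapp node can read the tokens. Confirm the `file` resource that deploys this template sets a restrictive mode (e.g. `0640`, owned by the webapp user) and record that next to the entry: `# api_tokens are secrets — config.yml must stay unreadable to other local users`. The `production` hash this entry belongs to continues outside the hunk.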
--- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -92,6 +92,15 @@ class site_postfix::mx { value => 'enforce'; } + # Make sure that the cleanup serivce is not chrooted, otherwise it cannot + # access the opendkim milter socket (#8020) + exec { 'unset_cleanup_chroot': + command => '/usr/sbin/postconf -F "cleanup/unix/chroot=n"', + onlyif => '/usr/sbin/postconf -h -F "cleanup/unix/chroot" | egrep -q ^n', + notify => Service['postfix'], + require => File['/etc/postfix/master.cf'] + } + include ::site_postfix::mx::smtpd_checks include ::site_postfix::mx::checks include ::site_postfix::mx::smtp_tls -- cgit v1.2.3 From fead715f94551eb3600e449659ad6df12fffe641 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Apr 2016 10:04:48 -0400 Subject: Remove duplicate mail logging (#8021) Add a site_rsyslog config that removes duplicate mail logging. Previously mail logs would be copied to /var/log/syslog, mail.log, mail.err, mail.info, maillog and to the console. This removes those and only puts them in /var/log/mail.log. It also removes other superfluous configurations, either because they are commented out already, or because they are uucp or nntp. Change-Id: Ib05036787d2c818bf8802c22a4b8050f945a6e6d --- puppet/modules/site_config/manifests/syslog.pp | 5 +- .../modules/site_rsyslog/templates/client.conf.rb | 134 +++++++++++++++++++++ 2 files changed, 137 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_rsyslog/templates/client.conf.rb (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index d1deefcd..591e0601 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp 
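Review bot: The `onlyif` on `unset_cleanup_chroot` is inverted: `postconf -h -F "cleanup/unix/chroot" | egrep -q ^n` succeeds only when chroot is already `n`, so the exec runs (and restarts postfix through `notify`) on every Puppet run once the fix is in place, and never runs while the field still reads `y` or `-` (the Debian default, meaning chrooted) — exactly the case #8020 is about. Change it to `unless => '/usr/sbin/postconf -h -F "cleanup/unix/chroot" | egrep -q ^n',` so the command executes only when the field is not yet `n`. `grep -E` is preferable to the deprecated `egrep`.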
@@ -23,8 +23,9 @@ class site_config::syslog { } class { '::rsyslog::client': - log_remote => false, - log_local => true + log_remote => false, + log_local => true, + custom_config => 'site_rsyslog/client.conf.erb' } rsyslog::snippet { '00-anonymize_logs': diff --git a/puppet/modules/site_rsyslog/templates/client.conf.rb b/puppet/modules/site_rsyslog/templates/client.conf.rb new file mode 100644 index 00000000..7f94759d --- /dev/null +++ b/puppet/modules/site_rsyslog/templates/client.conf.rb 
@@ -0,0 +1,134 @@ + +# An "In-Memory Queue" is created for remote logging. +$WorkDirectory <%= scope.lookupvar('rsyslog::spool_dir') -%> # where to place spool files +$ActionQueueFileName queue # unique name prefix for spool files +$ActionQueueMaxDiskSpace <%= scope.lookupvar('rsyslog::client::spool_size') -%> # spool space limit (use as much as possible) +$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +$ActionQueueType LinkedList # run asynchronously +$ActionResumeRetryCount -1 # infinety retries if host is down +<% if scope.lookupvar('rsyslog::client::log_templates') and ! scope.lookupvar('rsyslog::client::log_templates').empty?-%> + +# Define custom logging templates +<% scope.lookupvar('rsyslog::client::log_templates').flatten.compact.each do |log_template| -%> +$template <%= log_template['name'] %>,"<%= log_template['template'] %>" +<% end -%> +<% end -%> +<% if scope.lookupvar('rsyslog::client::actionfiletemplate') -%> + +# Using specified format for default logging format: +$ActionFileDefaultTemplate <%= scope.lookupvar('rsyslog::client::actionfiletemplate') %> +<% else -%> + +#Using default format for default logging format: +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat +<% end -%> +<% if scope.lookupvar('rsyslog::client::ssl') -%> + +# Setup SSL connection. +# CA/Cert +$DefaultNetStreamDriverCAFile <%= scope.lookupvar('rsyslog::client::ssl_ca') %> + +# Connection settings. 
+$DefaultNetstreamDriver gtls +$ActionSendStreamDriverMode 1 +$ActionSendStreamDriverAuthMode anon +<% end -%> +<% if scope.lookupvar('rsyslog::client::remote_servers') -%> + +<% scope.lookupvar('rsyslog::client::remote_servers').flatten.compact.each do |server| -%> +<% if server['pattern'] and server['pattern'] != ''-%> +<% pattern = server['pattern'] -%> +<% else -%> +<% pattern = '*.*' -%> +<% end -%> +<% if server['protocol'] == 'TCP' or server['protocol'] == 'tcp'-%> +<% protocol = '@@' -%> +<% protocol_type = 'TCP' -%> +<% else -%> +<% protocol = '@' -%> +<% protocol_type = 'UDP' -%> +<% end -%> +<% if server['host'] and server['host'] != ''-%> +<% host = server['host'] -%> +<% else -%> +<% host = 'localhost' -%> +<% end -%> +<% if server['port'] and server['port'] != ''-%> +<% port = server['port'] -%> +<% else -%> +<% port = '514' -%> +<% end -%> +<% if server['format'] -%> +<% format = ";#{server['format']}" -%> +<% format_type = server['format'] -%> +<% else -%> +<% format = '' -%> +<% format_type = 'the default' -%> +<% end -%> +# Sending logs that match <%= pattern %> to <%= host %> via <%= protocol_type %> on <%= port %> using <%=format_type %> format. +<%= pattern %> <%= protocol %><%= host %>:<%= port %><%= format %> +<% end -%> +<% elsif scope.lookupvar('rsyslog::client::log_remote') -%> + +# Log to remote syslog server using <%= scope.lookupvar('rsyslog::client::remote_type') %> +<% if scope.lookupvar('rsyslog::client::remote_type') == 'tcp' -%> +*.* @@<%= scope.lookupvar('rsyslog::client::server') -%>:<%= scope.lookupvar('rsyslog::client::port') -%>;<%= scope.lookupvar('remote_forward_format') -%> +<% else -%> +*.* @<%= scope.lookupvar('rsyslog::client::server') -%>:<%= scope.lookupvar('rsyslog::client::port') -%>;<%= scope.lookupvar('remote_forward_format') -%> +<% end -%> +<% end -%> +<% if scope.lookupvar('rsyslog::client::log_auth_local') or scope.lookupvar('rsyslog::client::log_local') -%> + +# Logging locally. 
+ +<% if scope.lookupvar('rsyslog::log_style') == 'debian' -%> +# Log auth messages locally +.*;auth,authpriv.none;mail.none -/var/log/syslog +<% elsif scope.lookupvar('rsyslog::log_style') == 'redhat' -%> +# Log auth messages locally +auth,authpriv.* /var/log/secure +<% end -%> +<% end -%> +<% if scope.lookupvar('rsyslog::client::log_local') -%> +<% if scope.lookupvar('rsyslog::log_style') == 'debian' -%> +# First some standard log files. Log by facility. +# +*.*;auth,authpriv.none -/var/log/syslog +cron.* /var/log/cron.log +daemon.* -/var/log/daemon.log +kern.* -/var/log/kern.log +mail.* -/var/log/mail.log +user.* -/var/log/user.log + +# +# Some "catch-all" log files. +# +*.=debug;\ + auth,authpriv.none;\ + news.none;mail.none -/var/log/debug +*.=info;*.=notice;*.=warn;\ + auth,authpriv.none;\ + cron,daemon.none;\ + mail,news.none -/var/log/messages + +# Log anything (except mail) of level info or higher. +# Don't log private authentication messages! +*.info;mail.none;authpriv.none;cron.none /var/log/messages + +# Log cron stuff +cron.* /var/log/cron + +# Everybody gets emergency messages +<% if @rsyslog_version and @rsyslog_version.split('.')[0].to_i >= 8 -%> +*.emerg :omusrmsg:* +<% else -%> +*.emerg * +<% end -%> + +# Save boot messages also to boot.log +local7.* -/var/log/boot.log +<% end -%> +<% end -%> + + + -- cgit v1.2.3 From 64635ed7ccf287ae0d6bab71837b5213b6790613 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Apr 2016 10:22:40 -0400 Subject: Log stunnel server logs same as client (#8021) stunnel server logs were not going to /var/log/stunnel4/*, but to /var/log/syslog instead. This was different from stunnel client logging, now its the same. Change-Id: I2dc2024b77dbb65554fc7865b0e46aedf930c6d8 --- puppet/modules/site_stunnel/manifests/servers.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet/modules') 
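Review bot: The Debian local-logging section undercuts the commit's goal of keeping mail out of /var/log/syslog: the selector `.*;auth,authpriv.none;mail.none -/var/log/syslog` has an empty facility (it should begin with `*.*`) and rsyslog will most likely reject that line, while the later `*.*;auth,authpriv.none -/var/log/syslog` still includes `mail.*`. Drop the malformed line and change the surviving one to `*.*;auth,authpriv.none;mail.none -/var/log/syslog`. Separately, the SSL block sets `$ActionSendStreamDriverAuthMode anon`, which encrypts transport to a remote collector but does not authenticate it despite `$DefaultNetStreamDriverCAFile` being configured; `x509/name` together with `$ActionSendStreamDriverPermittedPeer` is needed for that. `/var/log/messages` and the cron log are also each written by two rules, so they will carry duplicates.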
diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp index b6fac319..e76d1e9d 100644 --- a/puppet/modules/site_stunnel/manifests/servers.pp +++ b/puppet/modules/site_stunnel/manifests/servers.pp @@ -16,6 +16,8 @@ define site_stunnel::servers ( $rndfile = '/var/lib/stunnel4/.rnd', $debuglevel = '4' ) { + $logfile = "/var/log/stunnel4/${name}.log" + include site_config::x509::cert include site_config::x509::key include site_config::x509::ca @@ -35,7 +37,9 @@ define site_stunnel::servers ( pid => "/var/run/stunnel4/${pid}.pid", rndfile => '/var/lib/stunnel4/.rnd', debuglevel => $debuglevel, - sslversion => 'TLSv1'; + sslversion => 'TLSv1', + syslog => 'no', + output => $logfile; } # allow incoming connections on $accept_port -- cgit v1.2.3 From 0ca80b41060dd8046386f7e49d2ed5ad382948c4 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Apr 2016 10:37:56 -0400 Subject: Put openvpn logs into leap directory (#8021) Have openvpn logs go to /var/log/leap/openvpn_$protocol, instead of to /var/log/daemon.log. Change-Id: I1fc33de660648ab0dba1ce98de2864649c104719 --- puppet/modules/site_config/manifests/remove/files.pp | 2 ++ puppet/modules/site_openvpn/manifests/init.pp | 3 ++- puppet/modules/site_openvpn/manifests/server_config.pp | 6 +++++- 3 files changed, 9 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_config/manifests/remove/files.pp b/puppet/modules/site_config/manifests/remove/files.pp index 5aa07e53..41d6462e 100644 --- a/puppet/modules/site_config/manifests/remove/files.pp +++ b/puppet/modules/site_config/manifests/remove/files.pp @@ -40,6 +40,8 @@ class site_config::remove::files { recurse => true, rmdirs => true; '/etc/leap/soledad-server.conf':; + '/var/log/leap/openvpn.log':; + '/etc/rsyslog.d/50-openvpn.conf':; } # leax-mx logged to /var/log/leap_mx.log in the past 
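Review bot: Switching stunnel to `syslog => 'no'` with `output => $logfile` takes these logs out of rsyslog, so the `00-anonymize_logs` snippet installed by `site_config::syslog` (visible earlier on this page) no longer applies to them; I believe stunnel records peer addresses at notice level and in some error paths, so at `debuglevel` 4 they may now land in `/var/log/stunnel4/<name>.log` unscrubbed. Either keep syslog for the servers or note the trade-off next to `$logfile`: `# written directly, bypasses rsyslog anonymization — keep debuglevel <= 4`. Rotation of the new file is not visible in this hunk; confirm a logrotate entry covers `/var/log/stunnel4/*.log`.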
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index f5eb7fd0..f1ecefb9 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -224,7 +224,8 @@ class site_openvpn { order => 10; } - leap::logfile { 'openvpn': } + leap::logfile { 'openvpn_tcp': } + leap::logfile { 'openvpn_udp': } # Because we currently do not support ipv6 and instead block it (so no leaks # happen), we get a large number of these messages, so we ignore them (#6540) diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index ca9926cc..6decc665 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -109,7 +109,7 @@ define site_openvpn::server_config( "cert ${openvpn_configname}": key => 'cert', value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", - server => $openvpn_configname; + server => $openvpn_configname; "key ${openvpn_configname}": key => 'key', value => "${x509::variables::keys}/${site_config::params::cert_name}.key", @@ -203,6 +203,10 @@ define site_openvpn::server_config( key => 'verb', value => '3', server => $openvpn_configname; + "log-append /var/log/leap/openvpn_${proto}.log": + key => 'log-append', + value => "/var/log/leap/openvpn_${proto}.log", + server => $openvpn_configname; } # register openvpn services at systemd on nodes newer than wheezy -- cgit v1.2.3 From 70a9b8a77caf50bc2458c3153526a189c024dea7 Mon Sep 17 00:00:00 2001 
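Review bot: `log-append /var/log/leap/openvpn_${proto}.log` combined with the existing `verb 3` (visible just above it) writes each client's source address and certificate common name to a file rsyslog never sees, so the `00-anonymize_logs` snippet from `site_config::syslog` (earlier on this page) stops covering the VPN's most sensitive log, which according to the commit message previously went through syslog to daemon.log. If that scrubbing is relied on, keep syslog output (or an rsyslog snippet writing to the leap directory) instead of `log-append`; otherwise record the decision: `# NOTE: written directly by openvpn, not anonymized by rsyslog`. `leap::logfile` presumably sets up rotation for the new names; the define's parameter list is outside the hunk.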
From: Micah Date: Tue, 12 Apr 2016 14:50:09 -0400 Subject: fix incorrect template name Change-Id: I23d7fcea3755e9ecab561ecf69d8a6ecb8bdeca4 --- .../modules/site_rsyslog/templates/client.conf.erb | 134 +++++++++++++++++++++ .../modules/site_rsyslog/templates/client.conf.rb | 134 --------------------- 2 files changed, 134 insertions(+), 134 deletions(-) create mode 100644 puppet/modules/site_rsyslog/templates/client.conf.erb delete mode 100644 puppet/modules/site_rsyslog/templates/client.conf.rb (limited to 'puppet/modules') diff --git a/puppet/modules/site_rsyslog/templates/client.conf.erb b/puppet/modules/site_rsyslog/templates/client.conf.erb new file mode 100644 index 00000000..7f94759d --- /dev/null +++ b/puppet/modules/site_rsyslog/templates/client.conf.erb 
@@ -0,0 +1,134 @@ + +# An "In-Memory Queue" is created for remote logging. +$WorkDirectory <%= scope.lookupvar('rsyslog::spool_dir') -%> # where to place spool files +$ActionQueueFileName queue # unique name prefix for spool files +$ActionQueueMaxDiskSpace <%= scope.lookupvar('rsyslog::client::spool_size') -%> # spool space limit (use as much as possible) +$ActionQueueSaveOnShutdown on # save messages to disk on shutdown +$ActionQueueType LinkedList # run asynchronously +$ActionResumeRetryCount -1 # infinety retries if host is down +<% if scope.lookupvar('rsyslog::client::log_templates') and ! scope.lookupvar('rsyslog::client::log_templates').empty?-%> + +# Define custom logging templates +<% scope.lookupvar('rsyslog::client::log_templates').flatten.compact.each do |log_template| -%> +$template <%= log_template['name'] %>,"<%= log_template['template'] %>" +<% end -%> +<% end -%> +<% if scope.lookupvar('rsyslog::client::actionfiletemplate') -%> + +# Using specified format for default logging format: +$ActionFileDefaultTemplate <%= scope.lookupvar('rsyslog::client::actionfiletemplate') %> +<% else -%> + +#Using default format for default logging format: +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat +<% end -%> +<% if scope.lookupvar('rsyslog::client::ssl') -%> + +# Setup SSL connection. +# CA/Cert +$DefaultNetStreamDriverCAFile <%= scope.lookupvar('rsyslog::client::ssl_ca') %> + +# Connection settings. 
+$DefaultNetstreamDriver gtls +$ActionSendStreamDriverMode 1 +$ActionSendStreamDriverAuthMode anon +<% end -%> +<% if scope.lookupvar('rsyslog::client::remote_servers') -%> + +<% scope.lookupvar('rsyslog::client::remote_servers').flatten.compact.each do |server| -%> +<% if server['pattern'] and server['pattern'] != ''-%> +<% pattern = server['pattern'] -%> +<% else -%> +<% pattern = '*.*' -%> +<% end -%> +<% if server['protocol'] == 'TCP' or server['protocol'] == 'tcp'-%> +<% protocol = '@@' -%> +<% protocol_type = 'TCP' -%> +<% else -%> +<% protocol = '@' -%> +<% protocol_type = 'UDP' -%> +<% end -%> +<% if server['host'] and server['host'] != ''-%> +<% host = server['host'] -%> +<% else -%> +<% host = 'localhost' -%> +<% end -%> +<% if server['port'] and server['port'] != ''-%> +<% port = server['port'] -%> +<% else -%> +<% port = '514' -%> +<% end -%> +<% if server['format'] -%> +<% format = ";#{server['format']}" -%> +<% format_type = server['format'] -%> +<% else -%> +<% format = '' -%> +<% format_type = 'the default' -%> +<% end -%> +# Sending logs that match <%= pattern %> to <%= host %> via <%= protocol_type %> on <%= port %> using <%=format_type %> format. +<%= pattern %> <%= protocol %><%= host %>:<%= port %><%= format %> +<% end -%> +<% elsif scope.lookupvar('rsyslog::client::log_remote') -%> + +# Log to remote syslog server using <%= scope.lookupvar('rsyslog::client::remote_type') %> +<% if scope.lookupvar('rsyslog::client::remote_type') == 'tcp' -%> +*.* @@<%= scope.lookupvar('rsyslog::client::server') -%>:<%= scope.lookupvar('rsyslog::client::port') -%>;<%= scope.lookupvar('remote_forward_format') -%> +<% else -%> +*.* @<%= scope.lookupvar('rsyslog::client::server') -%>:<%= scope.lookupvar('rsyslog::client::port') -%>;<%= scope.lookupvar('remote_forward_format') -%> +<% end -%> +<% end -%> +<% if scope.lookupvar('rsyslog::client::log_auth_local') or scope.lookupvar('rsyslog::client::log_local') -%> + +# Logging locally. 
+ +<% if scope.lookupvar('rsyslog::log_style') == 'debian' -%> +# Log auth messages locally +.*;auth,authpriv.none;mail.none -/var/log/syslog +<% elsif scope.lookupvar('rsyslog::log_style') == 'redhat' -%> +# Log auth messages locally +auth,authpriv.* /var/log/secure +<% end -%> +<% end -%> +<% if scope.lookupvar('rsyslog::client::log_local') -%> +<% if scope.lookupvar('rsyslog::log_style') == 'debian' -%> +# First some standard log files. Log by facility. +# +*.*;auth,authpriv.none -/var/log/syslog +cron.* /var/log/cron.log +daemon.* -/var/log/daemon.log +kern.* -/var/log/kern.log +mail.* -/var/log/mail.log +user.* -/var/log/user.log + +# +# Some "catch-all" log files. +# +*.=debug;\ + auth,authpriv.none;\ + news.none;mail.none -/var/log/debug +*.=info;*.=notice;*.=warn;\ + auth,authpriv.none;\ + cron,daemon.none;\ + mail,news.none -/var/log/messages + +# Log anything (except mail) of level info or higher. +# Don't log private authentication messages! +*.info;mail.none;authpriv.none;cron.none /var/log/messages + +# Log cron stuff +cron.* /var/log/cron + +# Everybody gets emergency messages +<% if @rsyslog_version and @rsyslog_version.split('.')[0].to_i >= 8 -%> +*.emerg :omusrmsg:* +<% else -%> +*.emerg * +<% end -%> + +# Save boot messages also to boot.log +local7.* -/var/log/boot.log +<% end -%> +<% end -%> + + + diff --git a/puppet/modules/site_rsyslog/templates/client.conf.rb b/puppet/modules/site_rsyslog/templates/client.conf.rb deleted file mode 100644 index 7f94759d..00000000 --- a/puppet/modules/site_rsyslog/templates/client.conf.rb +++ /dev/null 
@@ -1,134 +0,0 @@ - -# An "In-Memory Queue" is created for remote logging. -$WorkDirectory <%= scope.lookupvar('rsyslog::spool_dir') -%> # where to place spool files -$ActionQueueFileName queue # unique name prefix for spool files -$ActionQueueMaxDiskSpace <%= scope.lookupvar('rsyslog::client::spool_size') -%> # spool space limit (use as much as possible) -$ActionQueueSaveOnShutdown on # save messages to disk on shutdown -$ActionQueueType LinkedList # run asynchronously -$ActionResumeRetryCount -1 # infinety retries if host is down -<% if scope.lookupvar('rsyslog::client::log_templates') and ! scope.lookupvar('rsyslog::client::log_templates').empty?-%> - -# Define custom logging templates -<% scope.lookupvar('rsyslog::client::log_templates').flatten.compact.each do |log_template| -%> -$template <%= log_template['name'] %>,"<%= log_template['template'] %>" -<% end -%> -<% end -%> -<% if scope.lookupvar('rsyslog::client::actionfiletemplate') -%> - -# Using specified format for default logging format: -$ActionFileDefaultTemplate <%= scope.lookupvar('rsyslog::client::actionfiletemplate') %> -<% else -%> - -#Using default format for default logging format: -$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat -<% end -%> -<% if scope.lookupvar('rsyslog::client::ssl') -%> - -# Setup SSL connection. -# CA/Cert -$DefaultNetStreamDriverCAFile <%= scope.lookupvar('rsyslog::client::ssl_ca') %> - -# Connection settings. 
-$DefaultNetstreamDriver gtls -$ActionSendStreamDriverMode 1 -$ActionSendStreamDriverAuthMode anon -<% end -%> -<% if scope.lookupvar('rsyslog::client::remote_servers') -%> - -<% scope.lookupvar('rsyslog::client::remote_servers').flatten.compact.each do |server| -%> -<% if server['pattern'] and server['pattern'] != ''-%> -<% pattern = server['pattern'] -%> -<% else -%> -<% pattern = '*.*' -%> -<% end -%> -<% if server['protocol'] == 'TCP' or server['protocol'] == 'tcp'-%> -<% protocol = '@@' -%> -<% protocol_type = 'TCP' -%> -<% else -%> -<% protocol = '@' -%> -<% protocol_type = 'UDP' -%> -<% end -%> -<% if server['host'] and server['host'] != ''-%> -<% host = server['host'] -%> -<% else -%> -<% host = 'localhost' -%> -<% end -%> -<% if server['port'] and server['port'] != ''-%> -<% port = server['port'] -%> -<% else -%> -<% port = '514' -%> -<% end -%> -<% if server['format'] -%> -<% format = ";#{server['format']}" -%> -<% format_type = server['format'] -%> -<% else -%> -<% format = '' -%> -<% format_type = 'the default' -%> -<% end -%> -# Sending logs that match <%= pattern %> to <%= host %> via <%= protocol_type %> on <%= port %> using <%=format_type %> format. -<%= pattern %> <%= protocol %><%= host %>:<%= port %><%= format %> -<% end -%> -<% elsif scope.lookupvar('rsyslog::client::log_remote') -%> - -# Log to remote syslog server using <%= scope.lookupvar('rsyslog::client::remote_type') %> -<% if scope.lookupvar('rsyslog::client::remote_type') == 'tcp' -%> -*.* @@<%= scope.lookupvar('rsyslog::client::server') -%>:<%= scope.lookupvar('rsyslog::client::port') -%>;<%= scope.lookupvar('remote_forward_format') -%> -<% else -%> -*.* @<%= scope.lookupvar('rsyslog::client::server') -%>:<%= scope.lookupvar('rsyslog::client::port') -%>;<%= scope.lookupvar('remote_forward_format') -%> -<% end -%> -<% end -%> -<% if scope.lookupvar('rsyslog::client::log_auth_local') or scope.lookupvar('rsyslog::client::log_local') -%> - -# Logging locally. 
- -<% if scope.lookupvar('rsyslog::log_style') == 'debian' -%> -# Log auth messages locally -.*;auth,authpriv.none;mail.none -/var/log/syslog -<% elsif scope.lookupvar('rsyslog::log_style') == 'redhat' -%> -# Log auth messages locally -auth,authpriv.* /var/log/secure -<% end -%> -<% end -%> -<% if scope.lookupvar('rsyslog::client::log_local') -%> -<% if scope.lookupvar('rsyslog::log_style') == 'debian' -%> -# First some standard log files. Log by facility. -# -*.*;auth,authpriv.none -/var/log/syslog -cron.* /var/log/cron.log -daemon.* -/var/log/daemon.log -kern.* -/var/log/kern.log -mail.* -/var/log/mail.log -user.* -/var/log/user.log - -# -# Some "catch-all" log files. -# -*.=debug;\ - auth,authpriv.none;\ - news.none;mail.none -/var/log/debug -*.=info;*.=notice;*.=warn;\ - auth,authpriv.none;\ - cron,daemon.none;\ - mail,news.none -/var/log/messages - -# Log anything (except mail) of level info or higher. -# Don't log private authentication messages! -*.info;mail.none;authpriv.none;cron.none /var/log/messages - -# Log cron stuff -cron.* /var/log/cron - -# Everybody gets emergency messages -<% if @rsyslog_version and @rsyslog_version.split('.')[0].to_i >= 8 -%> -*.emerg :omusrmsg:* -<% else -%> -*.emerg * -<% end -%> - -# Save boot messages also to boot.log -local7.* -/var/log/boot.log -<% end -%> -<% end -%> - - - -- cgit v1.2.3 From 22b788920defdd42b4abda144afd8ca69d0a9d37 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 18 Apr 2016 18:19:44 +0200 Subject: [style] lint some custom manifests I used `puppet-lint -f FILE` to fix most issues, while finishing with manual intervention. --- puppet/modules/leap_mx/manifests/init.pp | 2 +- puppet/modules/obfsproxy/manifests/init.pp | 14 ++++++------ .../site_config/manifests/caching_resolver.pp | 2 +- puppet/modules/site_config/manifests/dhclient.pp | 8 +++---- puppet/modules/site_couchdb/manifests/mirror.pp | 18 +++++++-------- .../modules/site_shorewall/manifests/obfsproxy.pp | 2 +- .../site_shorewall/manifests/service/webapp_api.pp | 2 +- puppet/modules/site_shorewall/manifests/sshd.pp | 2 +- puppet/modules/site_shorewall/manifests/tor.pp | 2 +- puppet/modules/site_static/manifests/domain.pp | 6 ++--- puppet/modules/site_static/manifests/location.pp | 8 +++---- puppet/modules/site_stunnel/manifests/init.pp | 4 ++-- puppet/modules/try/manifests/file.pp | 26 +++++++++++----------- 13 files changed, 48 insertions(+), 48 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 6dfee44d..e5d85b91 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -85,7 +85,7 @@ class leap_mx { } leap::logfile { 'leap-mx': - log => '/var/log/leap/mx.log', + log => '/var/log/leap/mx.log', process => 'leap-mx' } diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 5c78560a..728295f7 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp 
@@ -23,13 +23,13 @@ class obfsproxy ( } file { '/etc/init.d/obfsproxy': - path => '/etc/init.d/obfsproxy', - ensure => present, - source => 'puppet:///modules/obfsproxy/obfsproxy_init', - owner => 'root', - group => 'root', - mode => '0750', - require => File[$conf], + path => '/etc/init.d/obfsproxy', + ensure => present, + source => 'puppet:///modules/obfsproxy/obfsproxy_init', + owner => 'root', + group => 'root', + mode => '0750', + require => File[$conf], } file { $conf : diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 50824fdd..a016627d 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -6,7 +6,7 @@ class site_config::caching_resolver { anchor => false, ssl => false, settings => { - server => { + server => { verbosity => '1', interface => [ '127.0.0.1', '::1' ], port => '53', diff --git a/puppet/modules/site_config/manifests/dhclient.pp b/puppet/modules/site_config/manifests/dhclient.pp index 7755413b..eb09fda1 100644 --- a/puppet/modules/site_config/manifests/dhclient.pp +++ b/puppet/modules/site_config/manifests/dhclient.pp @@ -23,10 +23,10 @@ class site_config::dhclient { } file { '/etc/dhcp/dhclient-enter-hooks.d': - ensure => directory, - mode => '0755', - owner => 'root', - group => 'root', + ensure => directory, + mode => '0755', + owner => 'root', + group => 'root', } file { '/etc/dhcp/dhclient-enter-hooks.d/disable_resolvconf': diff --git a/puppet/modules/site_couchdb/manifests/mirror.pp b/puppet/modules/site_couchdb/manifests/mirror.pp index abe35c4c..a69f3964 100644 --- a/puppet/modules/site_couchdb/manifests/mirror.pp +++ b/puppet/modules/site_couchdb/manifests/mirror.pp 
@@ -22,55 +22,55 @@ class site_couchdb::mirror { ### customer database couchdb::mirror_db { 'customers': - from => $from, + from => $from, require => Couchdb::Query::Setup['localhost'] } ## identities database couchdb::mirror_db { 'identities': - from => $from, + from => $from, require => Couchdb::Query::Setup['localhost'] } ## keycache database couchdb::mirror_db { 'keycache': - from => $from, + from => $from, require => Couchdb::Query::Setup['localhost'] } ## sessions database couchdb::mirror_db { 'sessions': - from => $from, + from => $from, require => Couchdb::Query::Setup['localhost'] } ## shared database couchdb::mirror_db { 'shared': - from => $from, + from => $from, require => Couchdb::Query::Setup['localhost'] } ## tickets database couchdb::mirror_db { 'tickets': - from => $from, + from => $from, require => Couchdb::Query::Setup['localhost'] } ## tokens database couchdb::mirror_db { 'tokens': - from => $from, + from => $from, require => Couchdb::Query::Setup['localhost'] } ## users database couchdb::mirror_db { 'users': - from => $from, + from => $from, require => Couchdb::Query::Setup['localhost'] } ## messages db couchdb::mirror_db { 'messages': - from => $from, + from => $from, require => Couchdb::Query::Setup['localhost'] } diff --git a/puppet/modules/site_shorewall/manifests/obfsproxy.pp b/puppet/modules/site_shorewall/manifests/obfsproxy.pp index 68fb9b9f..fa8a8bd0 100644 --- a/puppet/modules/site_shorewall/manifests/obfsproxy.pp +++ b/puppet/modules/site_shorewall/manifests/obfsproxy.pp @@ -8,7 +8,7 @@ class site_shorewall::obfsproxy { # define macro for incoming services file { '/etc/shorewall/macro.leap_obfsproxy': - content => "PARAM - - tcp $scram_port ", + content => "PARAM - - tcp ${scram_port} ", notify => Service['shorewall'], require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp index 0c6c824d..ee021226 100644 
--- a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp +++ b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp @@ -5,7 +5,7 @@ class site_shorewall::service::webapp_api { # define macro for incoming services file { '/etc/shorewall/macro.leap_webapp_api': - content => "PARAM - - tcp $api_port ", + content => "PARAM - - tcp ${api_port} ", notify => Service['shorewall'], require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp index 88b4102c..91089c87 100644 --- a/puppet/modules/site_shorewall/manifests/sshd.pp +++ b/puppet/modules/site_shorewall/manifests/sshd.pp @@ -7,7 +7,7 @@ class site_shorewall::sshd { # define macro for incoming sshd file { '/etc/shorewall/macro.leap_sshd': - content => "PARAM - - tcp $ssh_port", + content => "PARAM - - tcp ${ssh_port}", notify => Service['shorewall'], require => Package['shorewall'] } diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp index f35af985..723f3210 100644 --- a/puppet/modules/site_shorewall/manifests/tor.pp +++ b/puppet/modules/site_shorewall/manifests/tor.pp @@ -7,7 +7,7 @@ class site_shorewall::tor { # define macro for incoming services file { '/etc/shorewall/macro.leap_tor': - content => "PARAM - - tcp $tor_port ", + content => "PARAM - - tcp ${tor_port} ", notify => Service['shorewall'], require => Package['shorewall'] } diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 5537d247..fd217b8f 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp 
@@ -16,15 +16,15 @@ define site_static::domain ( x509::cert { $domain: content => $cert, - notify => Service[apache] + notify => Service[apache] } x509::key { $domain: content => $key, - notify => Service[apache] + notify => Service[apache] } x509::ca { "${domain}_ca": content => $ca_cert, - notify => Service[apache] + notify => Service[apache] } apache::vhost::file { $domain: diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index ce2af9af..1adcce01 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp @@ -14,10 +14,10 @@ define site_static::location($path, $format, $source) { if ($format == 'amber') { exec {"amber_build_${name}": - cwd => $file_path, - command => 'amber rebuild', - user => 'www-data', - timeout => 600, + cwd => $file_path, + command => 'amber rebuild', + user => 'www-data', + timeout => 600, subscribe => Vcsrepo[$file_path] } } diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp index d919a072..a874721f 100644 --- a/puppet/modules/site_stunnel/manifests/init.pp +++ b/puppet/modules/site_stunnel/manifests/init.pp @@ -36,8 +36,8 @@ class site_stunnel { # the default is to keep 356 log files for each stunnel. # here we set a more reasonable number. augeas { - "logrotate_stunnel": - context => "/files/etc/logrotate.d/stunnel4/rule", + 'logrotate_stunnel': + context => '/files/etc/logrotate.d/stunnel4/rule', changes => [ 'set rotate 5', ] diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index cd1bb035..2493d343 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp 
@@ -32,17 +32,17 @@ define try::file ( exec { "chmod_${name}": command => "/bin/chmod -R ${mode} '${name}'", - onlyif => "/usr/bin/test $mode", + onlyif => "/usr/bin/test ${mode}", refreshonly => true, loglevel => debug; "chown_${name}": command => "/bin/chown -R ${owner} '${name}'", - onlyif => "/usr/bin/test $owner", + onlyif => "/usr/bin/test ${owner}", refreshonly => true, loglevel => debug; "chgrp_${name}": command => "/bin/chgrp -R ${group} '${name}'", - onlyif => "/usr/bin/test $group", + onlyif => "/usr/bin/test ${group}", refreshonly => true, loglevel => debug; } 
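Review bot: `onlyif => "/usr/bin/test ${mode}"` (and the `${owner}` and `${group}` twins below it) interpolates the value unquoted, so an empty value or one containing whitespace changes the argument list `test` receives instead of being checked as one string; `"/usr/bin/test -n '${mode}'"` checks the same non-emptiness with the value quoted, the way `'${name}'` already is on the `command` lines. The same unquoted interpolation is visible in `command => "/bin/ln -s ${target} ${name}"` in the next hunk of this file. The enclosing `define try::file` starts before this hunk.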
@@ -50,31 +50,31 @@ define try::file ( if $target { exec { "symlink_${name}": command => "/bin/ln -s ${target} ${name}", - onlyif => "/usr/bin/test -d '${target}'", + onlyif => "/usr/bin/test -d '${target}'", } } elsif $source { if $ensure == 'directory' { if $purge { exec { "rsync_${name}": command => "/usr/bin/rsync -r --delete '${source}/' '${name}'", - onlyif => "/usr/bin/test -d '${source}'", - unless => "/usr/bin/diff -rq '${source}' '${name}'", - notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] + onlyif => "/usr/bin/test -d '${source}'", + unless => "/usr/bin/diff -rq '${source}' '${name}'", + notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] } } else { exec { "cp_r_${name}": command => "/bin/cp -r '${source}' '${name}'", - onlyif => "/usr/bin/test -d '${source}'", - unless => "/usr/bin/diff -rq '${source}' '${name}'", - notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] + onlyif => "/usr/bin/test -d '${source}'", + unless => "/usr/bin/diff -rq '${source}' '${name}'", + notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] } } } else { exec { "cp_${name}": command => "/bin/cp --remove-destination '${source}' '${name}'", - onlyif => "/usr/bin/test -e '${source}'", - unless => "/usr/bin/test ! -h '${name}' && /usr/bin/diff -q '${source}' '${name}'", - notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] + onlyif => "/usr/bin/test -e '${source}'", + unless => "/usr/bin/test ! -h '${name}' && /usr/bin/diff -q '${source}' '${name}'", + notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] } } } -- cgit v1.2.3 From 8370875d608ebddae09fcd05741bb77e0e31c122 Mon Sep 17 00:00:00 2001 
From: varac Date: Mon, 18 Apr 2016 18:28:29 +0200 Subject: [style] more manual linting for custom manifests --- puppet/modules/clamav/manifests/daemon.pp | 3 ++- puppet/modules/leap_mx/manifests/init.pp | 1 + puppet/modules/obfsproxy/manifests/init.pp | 5 +++-- puppet/modules/site_config/manifests/caching_resolver.pp | 1 + puppet/modules/site_config/manifests/dhclient.pp | 10 +++++----- puppet/modules/site_couchdb/manifests/logrotate.pp | 10 ++++++---- puppet/modules/site_couchdb/manifests/mirror.pp | 1 + puppet/modules/site_couchdb/manifests/upload_design.pp | 3 ++- puppet/modules/site_shorewall/manifests/obfsproxy.pp | 1 + puppet/modules/site_shorewall/manifests/service/webapp_api.pp | 1 + puppet/modules/site_shorewall/manifests/sshd.pp | 1 + puppet/modules/site_shorewall/manifests/tor.pp | 1 + puppet/modules/site_static/manifests/domain.pp | 1 + puppet/modules/site_static/manifests/init.pp | 5 +++-- puppet/modules/site_static/manifests/location.pp | 1 + puppet/modules/site_webapp/manifests/cron.pp | 5 +++-- 16 files changed, 33 insertions(+), 17 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp index bf232e2c..2e13a8fb 100644 --- a/puppet/modules/clamav/manifests/daemon.pp +++ b/puppet/modules/clamav/manifests/daemon.pp @@ -1,3 +1,4 @@ +# deploy clamav daemon class clamav::daemon { $domain_hash = hiera('domain') @@ -55,7 +56,7 @@ class clamav::daemon { require => Package['clamav-daemon'], notify => Service['clamav-daemon']; - 'enable_phishscanurls': + 'enable_phishscanurls': path => '/etc/clamav/clamd.conf', match => 'PhishingScanURLs no', line => 'PhishingScanURLs yes', diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index e5d85b91..d758e3ab 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp 
@@ -1,3 +1,4 @@ +# deploy leap mx service class leap_mx { $leap_mx = hiera('couchdb_leap_mx_user') diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 728295f7..6a3d2c72 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -1,3 +1,4 @@ +# deploy obfsproxy service class obfsproxy ( $transport, $bind_address, @@ -23,8 +24,8 @@ class obfsproxy ( } file { '/etc/init.d/obfsproxy': - path => '/etc/init.d/obfsproxy', ensure => present, + path => '/etc/init.d/obfsproxy', source => 'puppet:///modules/obfsproxy/obfsproxy_init', owner => 'root', group => 'root', @@ -33,8 +34,8 @@ class obfsproxy ( } file { $conf : - path => $conf, ensure => present, + path => $conf, owner => 'root', group => 'root', mode => '0600', diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index a016627d..8bf465c1 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,3 +1,4 @@ +# deploy local caching resolver class site_config::caching_resolver { tag 'leap_base' diff --git a/puppet/modules/site_config/manifests/dhclient.pp b/puppet/modules/site_config/manifests/dhclient.pp index eb09fda1..a1f87d41 100644 --- a/puppet/modules/site_config/manifests/dhclient.pp +++ b/puppet/modules/site_config/manifests/dhclient.pp 
@@ -1,10 +1,10 @@ +# Unfortunately, there does not seem to be a way to reload the dhclient.conf +# config file, or a convenient way to disable the modifications to +# /etc/resolv.conf. So the following makes the functions involved noops and +# ships a script to kill and restart dhclient. See the debian bugs: +# #681698, #712796 class site_config::dhclient { - # Unfortunately, there does not seem to be a way to reload the dhclient.conf - # config file, or a convenient way to disable the modifications to - # /etc/resolv.conf. So the following makes the functions involved noops and - # ships a script to kill and restart dhclient. See the debian bugs: - # #681698, #712796 include site_config::params diff --git a/puppet/modules/site_couchdb/manifests/logrotate.pp b/puppet/modules/site_couchdb/manifests/logrotate.pp index e1039d49..bb8843bb 100644 --- a/puppet/modules/site_couchdb/manifests/logrotate.pp +++ b/puppet/modules/site_couchdb/manifests/logrotate.pp @@ -1,12 +1,14 @@ +# configure couchdb logrotation class site_couchdb::logrotate { augeas { 'logrotate_bigcouch': context => '/files/etc/logrotate.d/bigcouch/rule', - changes => [ 'set file /opt/bigcouch/var/log/*.log', 'set rotate 7', - 'set schedule daily', 'set compress compress', - 'set missingok missingok', 'set ifempty notifempty', - 'set copytruncate copytruncate' ] + changes => [ + 'set file /opt/bigcouch/var/log/*.log', 'set rotate 7', + 'set schedule daily', 'set compress compress', + 'set missingok missingok', 'set ifempty notifempty', + 'set copytruncate copytruncate' ] } } diff --git a/puppet/modules/site_couchdb/manifests/mirror.pp b/puppet/modules/site_couchdb/manifests/mirror.pp index a69f3964..fb82b897 100644 --- a/puppet/modules/site_couchdb/manifests/mirror.pp +++ b/puppet/modules/site_couchdb/manifests/mirror.pp @@ -1,3 +1,4 @@ +# configure mirroring of couch nodes class site_couchdb::mirror { Class['site_couchdb::add_users'] 
diff --git a/puppet/modules/site_couchdb/manifests/upload_design.pp b/puppet/modules/site_couchdb/manifests/upload_design.pp index 7b0cabd7..bd73ebf2 100644 --- a/puppet/modules/site_couchdb/manifests/upload_design.pp +++ b/puppet/modules/site_couchdb/manifests/upload_design.pp @@ -1,4 +1,5 @@ -define site_couchdb::upload_design($db = $title, $design) { +# upload a design doc to a db +define site_couchdb::upload_design($design, $db = $title) { $design_name = regsubst($design, '^.*\/(.*)\.json$', '\1') $id = "_design/${design_name}" $file = "/srv/leap/couchdb/designs/${design}" diff --git a/puppet/modules/site_shorewall/manifests/obfsproxy.pp b/puppet/modules/site_shorewall/manifests/obfsproxy.pp index fa8a8bd0..75846705 100644 --- a/puppet/modules/site_shorewall/manifests/obfsproxy.pp +++ b/puppet/modules/site_shorewall/manifests/obfsproxy.pp @@ -1,3 +1,4 @@ +# configure shorewell for obfsproxy class site_shorewall::obfsproxy { include site_shorewall::defaults diff --git a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp index ee021226..d3a1aeed 100644 --- a/puppet/modules/site_shorewall/manifests/service/webapp_api.pp +++ b/puppet/modules/site_shorewall/manifests/service/webapp_api.pp @@ -1,3 +1,4 @@ +# configure shorewall for webapp api class site_shorewall::service::webapp_api { $api = hiera('api') diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp index 91089c87..e2332592 100644 --- a/puppet/modules/site_shorewall/manifests/sshd.pp +++ b/puppet/modules/site_shorewall/manifests/sshd.pp @@ -1,3 +1,4 @@ +# configure shorewall for sshd class site_shorewall::sshd { $ssh_config = hiera('ssh') diff --git a/puppet/modules/site_shorewall/manifests/tor.pp b/puppet/modules/site_shorewall/manifests/tor.pp index 723f3210..324b4844 100644 --- a/puppet/modules/site_shorewall/manifests/tor.pp 
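Review bot: The new header comment in site_shorewall/manifests/obfsproxy.pp misspells the module name: `# configure shorewell for obfsproxy` should read `# configure shorewall for obfsproxy`, matching the sibling headers added to webapp_api.pp, sshd.pp and tor.pp in this commit. The class body is unchanged and continues outside the hunk.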
+++ b/puppet/modules/site_shorewall/manifests/tor.pp @@ -1,3 +1,4 @@ +# configure shorewall for tor class site_shorewall::tor { include site_shorewall::defaults diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index fd217b8f..8b9378f2 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -1,3 +1,4 @@ +# configure static service for domain define site_static::domain ( $ca_cert, $key, diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 76ee6e19..4a722d62 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -1,3 +1,4 @@ +# deploy static service class site_static { tag 'leap_service' @@ -48,8 +49,8 @@ class site_static { if (member($formats, 'amber')) { rubygems::gem{'amber-0.3.8': - require => Package['zlib1g-dev'] - } + require => Package['zlib1g-dev'] + } package { 'zlib1g-dev': ensure => installed diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index 1adcce01..d116de2f 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp @@ -1,3 +1,4 @@ +# configure static service for location define site_static::location($path, $format, $source) { $file_path = "/srv/static/${name}" diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp index 7147a0d2..70b9da04 100644 --- a/puppet/modules/site_webapp/manifests/cron.pp +++ b/puppet/modules/site_webapp/manifests/cron.pp @@ -1,3 +1,4 @@ +# setup webapp cronjobs class site_webapp::cron { # cron tasks that need to be performed to cleanup the database 
@@ -19,12 +20,12 @@ class site_webapp::cron { # there is no longer a need to remove expired sessions, since the database # will get destroyed. 'remove_expired_sessions': + ensure => absent, command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions', environment => 'RAILS_ENV=production', user => 'leap-webapp', hour => 2, - minute => 30, - ensure => absent; + minute => 30; 'remove_expired_tokens': command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens', -- cgit v1.2.3 From 2c5d27327bc1a90f5813e55a40d0acac644a13eb Mon Sep 17 00:00:00 2001 From: Micah Date: Mon, 18 Apr 2016 21:58:06 -0400 Subject: Fix clamd start configuration (#8048) If clamd is not running, the helpful cronjob tries to start it again, but the way it is being started can only be run as root, and the cronjob is run as the clamav user, so you get an error on each cron run. This fixes that problem Change-Id: I4cdb29dc651bee8a2eef1655ad4748d885afae0f --- puppet/modules/clamav/files/01-leap.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules') diff --git a/puppet/modules/clamav/files/01-leap.conf b/puppet/modules/clamav/files/01-leap.conf index abeeb302..a7e49d17 100644 --- a/puppet/modules/clamav/files/01-leap.conf +++ b/puppet/modules/clamav/files/01-leap.conf @@ -17,7 +17,7 @@ clamd_socket="/run/clamav/clamd.ctl" # shown above - if not enabled, then the following 2 variables will be # ignored, whether enabled or not. clamd_lock="/run/clamav/clamd.pid" -start_clamd="service clamav-daemon start" +start_clamd="clamdscan --reload" ss_dbs=" junk.ndb -- cgit v1.2.3 From f2f2c7391056c252523730cd76ab759db9117c9c Mon Sep 17 00:00:00 2001 
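Review bot: `start_clamd="clamdscan --reload"` replaces a command that starts the daemon with one that only asks an already running clamd to reload its signature database, so the situation the commit message describes (clamd not running) is presumably left unhandled, with the cron job now failing in a different way or silently doing nothing. If the aim is only to avoid the root-only `service` invocation from the clamav user, the value should probably remain something that can actually start the daemon (for example through a narrowly scoped privilege grant) or the job should run as a user that may start it. Either way the variable name no longer describes what the value does; a comment such as `# reload only: assumes clamd is already running` above the line would make the changed behaviour explicit to the next reader.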
From: varac Date: Mon, 25 Apr 2016 13:21:48 -0300 Subject: [style] lint further more - ignore puppet lint error about inheriting from different namespace --- .../modules/site_postfix/manifests/mx/smtp_tls.pp | 3 +- .../modules/site_postfix/manifests/mx/smtpd_tls.pp | 3 +- .../modules/site_sshd/manifests/authorized_keys.pp | 32 ++++++++++++---------- .../site_stunnel/manifests/override_service.pp | 5 ++++ 4 files changed, 26 insertions(+), 17 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp index b27c0e3c..c93c3ba2 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp @@ -1,3 +1,4 @@ +# configure smtp tls class site_postfix::mx::smtp_tls { include site_config::x509::ca @@ -24,7 +25,7 @@ class site_postfix::mx::smtp_tls { 'smtp_tls_fingerprint_digest': value => 'sha1'; 'smtp_tls_session_cache_database': - value => 'btree:${data_directory}/smtp_cache'; + value => "btree:\${data_directory}/smtp_cache"; # see issue #4011 'smtp_tls_protocols': value => '!SSLv2, !SSLv3'; diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp index 02a59942..66297f55 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp @@ -1,3 +1,4 @@ +# configure smtpd tls class site_postfix::mx::smtpd_tls { include x509::variables @@ -19,7 +20,7 @@ class site_postfix::mx::smtpd_tls { 'smtpd_tls_eecdh_grade': value => 'ultra'; 'smtpd_tls_session_cache_database': - value => 'btree:${data_directory}/smtpd_scache'; + value => "btree:\${data_directory}/smtpd_scache"; # see issue #4011 'smtpd_tls_mandatory_protocols': value => '!SSLv2, !SSLv3'; 
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index 90a33d8d..a1fde3f6 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -1,20 +1,22 @@ +# We want to purge unmanaged keys from the authorized_keys file so that only +# keys added in the provider are valid. Any manually added keys will be +# overridden. +# +# In order to do this, we have to use a custom define to deploy the +# authorized_keys file because puppet's internal resource doesn't allow +# purging before populating this file. +# +# See the following for more information: +# https://tickets.puppetlabs.com/browse/PUP-1174 +# https://leap.se/code/issues/2990 +# https://leap.se/code/issues/3010 +# define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { - # We want to purge unmanaged keys from the authorized_keys file so that only - # keys added in the provider are valid. Any manually added keys will be - # overridden. - # - # In order to do this, we have to use a custom define to deploy the - # authorized_keys file because puppet's internal resource doesn't allow - # purging before populating this file. - # - # See the following for more information: - # https://tickets.puppetlabs.com/browse/PUP-1174 - # https://leap.se/code/issues/2990 - # https://leap.se/code/issues/3010 - # # This line allows default homedir based on $title variable. # If $home is empty, the default is used. $homedir = $home ? {'' => "/home/${title}", default => $home} + $owner = $ensure ? {'present' => $title, default => undef } + $group = $ensure ? {'present' => $title, default => undef } file { "${homedir}/.ssh": ensure => 'directory', 
@@ -23,8 +25,8 @@ define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { mode => '0700'; "${homedir}/.ssh/authorized_keys": ensure => $ensure, - owner => $ensure ? {'present' => $title, default => undef }, - group => $ensure ? {'present' => $title, default => undef }, + owner => $owner, + group => $group, mode => '0600', require => File["${homedir}/.ssh"], content => template('site_sshd/authorized_keys.erb'); diff --git a/puppet/modules/site_stunnel/manifests/override_service.pp b/puppet/modules/site_stunnel/manifests/override_service.pp index 96187048..435b9aa0 100644 --- a/puppet/modules/site_stunnel/manifests/override_service.pp +++ b/puppet/modules/site_stunnel/manifests/override_service.pp @@ -1,4 +1,9 @@ +# override stunnel::debian defaults +# +# ignore puppet lint error about inheriting from different namespace +# lint:ignore:inherits_across_namespaces class site_stunnel::override_service inherits stunnel::debian { +# lint:endignore include site_config::x509::cert include site_config::x509::key -- cgit v1.2.3 From e0e3bc3478b3b7ca1afe24ff7e44dbdfa384ea44 Mon Sep 17 00:00:00 2001 From: Micah Date: Mon, 25 Apr 2016 16:52:54 -0300 Subject: Fix shorewall not starting with systemd (#8044) Shorewall in jessie doesn't come with a proper unit file, and as a result, it doesn't properly start with systemd. To solve this, we provide the systemd unit file that comes with stretch, add a systemd submodule that provides the exec resources needed for when systemd units or configuration files are changed Change-Id: I861fa951835928b4741abfbf969adcee4b8f147b --- .../site_shorewall/files/Debian/shorewall.service | 23 ++++++++++++++++++++++ .../modules/site_shorewall/manifests/defaults.pp | 16 +++++++++++++-- puppet/modules/systemd | 1 + 3 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_shorewall/files/Debian/shorewall.service create mode 160000 puppet/modules/systemd (limited to 'puppet/modules') 
diff --git a/puppet/modules/site_shorewall/files/Debian/shorewall.service b/puppet/modules/site_shorewall/files/Debian/shorewall.service new file mode 100644 index 00000000..ec250ef1 --- /dev/null +++ b/puppet/modules/site_shorewall/files/Debian/shorewall.service @@ -0,0 +1,23 @@ +# +# The Shoreline Firewall (Shorewall) Packet Filtering Firewall +# +# Copyright 2011 Jonathan Underwood +# Copyright 2015 Tom Eastep +# +[Unit] +Description=Shorewall IPv4 firewall +Wants=network-online.target +After=network-online.target +Conflicts=iptables.service firewalld.service + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=-/etc/default/shorewall +StandardOutput=syslog +ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS +ExecStop=/sbin/shorewall $OPTIONS stop +ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS + +[Install] +WantedBy=basic.target diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 8f56ac42..ceb17868 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -47,6 +47,18 @@ class site_shorewall::defaults { ensure => installed } + include ::systemd + file { '/etc/systemd/system/shorewall.service': + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + source => 'puppet:///modules/site_shorewall/Debian/shorewall.service', + require => Package['shorewall'], + notify => Service['shorewall'], + } ~> + Exec['systemctl-daemon-reload'] + augeas { # stop instead of clear firewall on shutdown 'shorewall_SAFESTOP': 
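Review bot: The new file resource notifies both Service['shorewall'] and Exec['systemctl-daemon-reload'], but nothing orders the daemon-reload before the service restart, so a changed unit file may restart shorewall before systemd has re-read the unit, unless the included systemd module already orders its exec ahead of every service. Adding `Exec['systemctl-daemon-reload'] -> Service['shorewall']` after the chain makes the dependency explicit. The class site_shorewall::defaults starts before and continues after this hunk.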
@@ -54,14 +66,14 @@ class site_shorewall::defaults { lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', require => Package['shorewall'], - notify => Service[shorewall]; + notify => Service['shorewall']; # require that the interface exist 'shorewall_REQUIRE_INTERFACE': changes => 'set /files/etc/shorewall/shorewall.conf/REQUIRE_INTERFACE Yes', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', require => Package['shorewall'], - notify => Service[shorewall]; + notify => Service['shorewall']; # configure shorewall-init 'shorewall-init': changes => 'set /files/etc/default/shorewall-init/PRODUCTS shorewall', diff --git a/puppet/modules/systemd b/puppet/modules/systemd new file mode 160000 index 00000000..6d47fd49 --- /dev/null +++ b/puppet/modules/systemd @@ -0,0 +1 @@ +Subproject commit 6d47fd4999fe03eba6fb11c4490dcbb90d937900 -- cgit v1.2.3 From 3b5ce74f81bb56af0b94a119a85649446a3d6e19 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 3 May 2016 13:21:17 -0400 Subject: migrate from obsolete SSLCertificateChainFile apache option (#8055) Change-Id: I20a28ae77c98071aefc1933e0ea73e5f3b895acb --- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 1 - puppet/modules/site_config/manifests/x509/commercial/cert.pp | 5 ++++- puppet/modules/site_static/manifests/domain.pp | 8 +++----- puppet/modules/site_static/templates/apache.conf.erb | 1 - 4 files changed, 7 insertions(+), 8 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index b24d1353..bf60e794 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb 
@@ -16,7 +16,6 @@ CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt diff --git a/puppet/modules/site_config/manifests/x509/commercial/cert.pp b/puppet/modules/site_config/manifests/x509/commercial/cert.pp index d71d9838..9dd6ffcd 100644 --- a/puppet/modules/site_config/manifests/x509/commercial/cert.pp +++ b/puppet/modules/site_config/manifests/x509/commercial/cert.pp @@ -4,9 +4,12 @@ class site_config::x509::commercial::cert { $x509 = hiera('x509') $cert = $x509['commercial_cert'] + $ca = $x509['commercial_ca_cert'] + + $cafile = "${cert}\n${ca}" x509::cert { $site_config::params::commercial_cert_name: - content => $cert + content => $cafile } } diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 8b9378f2..b26cc9e3 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -11,22 +11,20 @@ define site_static::domain ( $domain = $name $base_dir = '/srv/static' + $cafile = "${cert}\n${ca_cert}" + if is_hash($locations) { create_resources(site_static::location, $locations) } x509::cert { $domain: - content => $cert, + content => $cafile, notify => Service[apache] } x509::key { $domain: content => $key, notify => Service[apache] } - x509::ca { "${domain}_ca": - content => $ca_cert, - notify => Service[apache] - } apache::vhost::file { $domain: content => template('site_static/apache.conf.erb') 
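Review bot: `$cafile` in the added lines holds the leaf certificate followed by its CA chain, not a CA file, so the name misleads; `$cert_chain` reads better, and the same applies to the matching hunk in domain.pp. There is also no guard on `commercial_ca_cert` being unset or empty: an empty value still yields a file of the leaf plus a newline and Apache would serve the certificate without its chain silently, so a check such as `if empty($ca) { fail('x509.commercial_ca_cert is required') }` (stdlib is already in use on this page) would make that misconfiguration loud. A comment above the concatenation, `# leaf certificate first, then the intermediates; apache reads the chain from SSLCertificateFile`, would document why the order matters.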
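Review bot: Dropping the `x509::ca { "${domain}_ca": ... }` resource stops managing the file but does not remove it, so hosts configured by earlier runs keep a stale `/etc/ssl/certs/<domain>_ca.pem` (the path the apache.conf.erb hunk below stops referencing); a `file { ...: ensure => absent }` on that path, or the module's equivalent, would clean it up. Where that directory also serves as SSLCACertificatePath, as in the site_apache templates on this page, the leftover CA file stays in the trust path used for certificate verification. The define site_static::domain starts before and continues after this hunk.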
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 2853c5c7..6b969d1c 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -56,7 +56,6 @@ SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt - SSLCertificateChainFile /etc/ssl/certs/<%= @domain %>_ca.pem RequestHeader set X_FORWARDED_PROTO 'https' -- cgit v1.2.3 From 8b5541290fc985acd7364d48aaf357457c7622f7 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Tue, 3 May 2016 21:02:18 +0200 Subject: migrate from obsolete SSLCertificateChainFile apache option (#8055) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 - puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb | 1 - 2 files changed, 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index d566437a..bfa5d04d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -12,7 +12,6 @@ Listen 0.0.0.0:<%= @api_port %> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index d4e734c3..8f59fe38 100644 
--- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -9,7 +9,6 @@ Listen 0.0.0.0:<%= @nickserver_port -%> ServerAlias <%= @address_domain %> SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt -- cgit v1.2.3 From e9ebc834e7500dceefd0530ba6d0262e87855374 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 May 2016 21:50:03 +0200 Subject: [bug] run check_mk inventory on every puppetrun After upgrading the platform, there might be old check_mk checks registered on the monitor hosts. We now run a check_mk inventory on every run that also purged old non-existng checks. - Resolves: #6873 --- puppet/modules/check_mk | 2 +- puppet/modules/site_check_mk/manifests/server.pp | 21 +++++++++++---------- 2 files changed, 12 insertions(+), 11 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index 3df00e29..265ed218 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit 3df00e29388adbf1c0e058df09a7c3886edbaca1 +Subproject commit 265ed2182f790a723996fd84de4dfcb93f800ee0 diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 0159a050..090f0bae 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp 
@@ -32,18 +32,19 @@ class site_check_mk::server { # override paths to use the system check_mk rather than OMD class { 'check_mk::config': - site => '', - etc_dir => '/etc', - nagios_subdir => 'nagios3', - bin_dir => '/usr/bin', - host_groups => undef, - use_storedconfigs => false, - require => Package['check-mk-server'] + site => '', + etc_dir => '/etc', + nagios_subdir => 'nagios3', + bin_dir => '/usr/bin', + host_groups => undef, + use_storedconfigs => false, + inventory_only_on_changes => false, + require => Package['check-mk-server'] } - Exec['check_mk-reload'] -> - Exec['check_mk-refresh-inventory-daily'] -> - Service['nagios'] + Exec['check_mk-refresh'] -> + Exec['check_mk-reload'] -> + Service['nagios'] file { '/etc/check_mk/conf.d/use_ssh.mk': -- cgit v1.2.3 From 074c86322442ba73fe5ae07c9c07b1158c4d460d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 May 2016 22:59:21 +0200 Subject: [bug] Run check_mk-refresh-inventory-daily after check_mk-refresh Otherwise, the nagios config will get regenerated and nagios gets reloaded before all checks are registered by a check_mk inventory. - Related: #6873 --- puppet/modules/site_check_mk/manifests/server.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet/modules') diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 090f0bae..7ff9eb4a 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -43,8 +43,9 @@ class site_check_mk::server { } Exec['check_mk-refresh'] -> - Exec['check_mk-reload'] -> - Service['nagios'] + Exec['check_mk-refresh-inventory-daily'] -> + Exec['check_mk-reload'] -> + Service['nagios'] file { '/etc/check_mk/conf.d/use_ssh.mk': -- cgit v1.2.3 From e71c10af73be758e407ee352a3a7b12347177dce Mon Sep 17 00:00:00 2001 
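Review bot: `inventory_only_on_changes => false` carries no comment saying why a full inventory now runs on every puppet run, and the reason given in the commit message (purging checks left over from older platform versions, #6873) will not be visible in the manifest; suggest `# inventory on every run so checks removed by upgrades get purged (#6873)` above it. The class site_check_mk::server starts before and continues after this hunk.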
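Review bot: The three-step ordering chain ending at Service['nagios'] encodes the reason this commit exists, that nagios must not reload before the inventory has registered every check, but carries no comment, so the next tidy-up could reorder it again; suggest `# refresh, then inventory, then reload: nagios must only reload once all checks are registered (#6873)` above `Exec['check_mk-refresh'] ->`. Note that `->` orders only; if a changed inventory should also trigger the reload, `~>` would be needed, though that depends on how the check_mk module wires those execs. The class site_check_mk::server starts before and continues after this hunk.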
From: varac Date: Mon, 9 May 2016 17:10:57 +0200 Subject: update check_mk submodule --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules')
diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk
index 265ed218..aa025715 160000
--- a/puppet/modules/check_mk
+++ b/puppet/modules/check_mk
@@ -1 +1 @@
-Subproject commit 265ed2182f790a723996fd84de4dfcb93f800ee0
+Subproject commit aa02571537af90ac73309e6e216c9417802548c3
-- cgit v1.2.3