From b7c03c7cac3d3b04dade4086f416f1305c946830 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:24:29 +0100 Subject: include site_mx --- puppet/modules/apache | 2 +- puppet/modules/apt | 2 +- puppet/modules/couchdb | 2 +- puppet/modules/stunnel | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/apache b/puppet/modules/apache index c3e92a9b..090e59ad 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c +Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e diff --git a/puppet/modules/apt b/puppet/modules/apt index 1a72a996..6bf7a6ab 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee +Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 20deb065..7b6c9a29 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 +Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index fc1589a5..75d387fc 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit fc1589a5f09d80f58d730d4e1f6a8058483f61fc +Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656 -- cgit v1.2.3 From 3da143db6a4369f09c513d95aeea6eb119f2c9f2 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:27:45 +0100 Subject: added submodule postfix from git://labs.riseup.net/shared-postfix --- puppet/modules/postfix | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/postfix (limited to 'puppet') diff --git a/puppet/modules/postfix b/puppet/modules/postfix new file mode 160000 index 00000000..881a59ac --- /dev/null +++ b/puppet/modules/postfix @@ -0,0 +1 @@ +Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9 -- cgit v1.2.3 From 1d1afa65b9072cbc59b45d2fcdc77707e31a97ae Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:42:17 +0100 Subject: added site_mx --- puppet/modules/site_mx/manifests/init.pp | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/init.pp (limited to 'puppet') diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp new file mode 100644 index 00000000..f7f358ce --- /dev/null +++ b/puppet/modules/site_mx/manifests/init.pp @@ -0,0 +1,3 @@ +class site_mx { + include site_postfix::mx +} -- cgit v1.2.3 From 4ceba14f444e41dc7dcc9f2176f4bf464f5286cd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 17:16:09 +0100 Subject: shorewall rules for site_mx --- puppet/modules/site_shorewall/manifests/mx.pp | 24 ++++++++++++++++++++++ .../site_shorewall/manifests/service/smtp.pp | 13 ++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/mx.pp create mode 100644 puppet/modules/site_shorewall/manifests/service/smtp.pp (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp new file mode 100644 index 00000000..5ec95fdd --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/mx.pp @@ -0,0 +1,24 @@ +class site_shorewall::mx { + + include site_shorewall::defaults + + $smtpd_ports = '25' + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_mx': + content => "PARAM - - tcp ${smtpd_ports} ", + notify => Service['shorewall'], + require => Package['shorewall'] + } + + + shorewall::rule { + 'net2fw-mx': + source => 'net', + destination => '$FW', + action => 'leap_mx(ACCEPT)', + order => 200; + } + + include site_shorewall::service::smtp +} diff --git a/puppet/modules/site_shorewall/manifests/service/smtp.pp b/puppet/modules/site_shorewall/manifests/service/smtp.pp new file mode 100644 index 00000000..7fbdf14e --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/service/smtp.pp @@ -0,0 +1,13 @@ +class site_shorewall::service::smtp { + + include site_shorewall::defaults + + shorewall::rule { + 'fw2net-http': + source => '$FW', + destination => 'net', + action => 'SMTP(ACCEPT)', + order => 200; + } + +} -- cgit v1.2.3 From c1e55fde49858c1bc9cf0da129a3b7df91cf9899 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 18:15:45 +0100 Subject: include shorewall rules for site_mx --- puppet/modules/site_mx/manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index f7f358ce..4b2db215 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -1,3 +1,7 @@ class site_mx { + tag 'leap_service' + include site_postfix::mx + include site_shorewall::mx + include site_shorewall::service::smtp } -- cgit v1.2.3 From db5fd91d32b215eb9827e36e2a51c98af993ab99 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 18:16:13 +0100 Subject: added basic site_postfix::mx config --- puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp new file mode 100644 index 00000000..9104c2cb --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -0,0 +1,16 @@ +class site_postfix::mx { + + $domain_hash = hiera ('domain') + $domain = $domain_hash['full_suffix'] + + # see https://leap.se/code/issues/1936 for contact email addr + #$root_mail_recipient = '' + $postfix_smtp_listen = 'all' + + postfix::config { + # just en example + 'delay_warning_time': value => '4h'; + } + + include ::postfix +} -- cgit v1.2.3 From 424dcefa2ab51a2185935b11d910bd2dbab8d1fb Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 17 Apr 2013 18:35:37 +0200 Subject: added site_mx::haproxy --- puppet/modules/site_mx/manifests/haproxy.pp | 14 ++++++++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 2 files changed, 15 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/haproxy.pp (limited to 'puppet') diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp new file mode 100644 index 00000000..988eeaf3 --- /dev/null +++ b/puppet/modules/site_mx/manifests/haproxy.pp @@ -0,0 +1,14 @@ +class site_mx::haproxy { + + include site_haproxy + + $haproxy = hiera('haproxy') + $local_ports = $haproxy['local_ports'] + + # Template uses $global_options, $defaults_options + concat::fragment { 'leap_haproxy_webapp_couchdb': + target => '/etc/haproxy/haproxy.cfg', + order => '20', + content => template('site_webapp/haproxy_couchdb.cfg.erb'), + } +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 4b2db215..8c8b8d7e 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,6 +2,7 @@ class site_mx { tag 'leap_service' include site_postfix::mx + include site_mx::haproxy include site_shorewall::mx include site_shorewall::service::smtp } -- cgit v1.2.3 From 67e98211f7414bfd8986ef2be1bcf9e5d5be406f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 17 Apr 2013 16:01:19 -0400 Subject: initial mx couchdb stunnel configuration --- puppet/modules/site_mx/manifests/couchdb.pp | 35 +++++++++++++++++++++++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 2 files changed, 36 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/couchdb.pp (limited to 'puppet') diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp new file mode 100644 index 00000000..f842ceab --- /dev/null +++ b/puppet/modules/site_mx/manifests/couchdb.pp @@ -0,0 +1,35 @@ +class site_mx::couchdb { + + $stunnel = hiera('stunnel') + $couch_client = $stunnel['couch_client'] + $couch_client_connect = $couch_client['connect'] + + include x509::variables + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + $cert_name = 'leap_couchdb' + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca_name => $ca_name, + ca => $ca + } + + $couchdb_stunnel_client_defaults = { + 'connect_port' => $couch_client_connect, + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 8c8b8d7e..86ae56e1 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -5,4 +5,5 @@ class site_mx { include site_mx::haproxy include site_shorewall::mx include site_shorewall::service::smtp + include site_mx::couchdb } -- cgit v1.2.3 From 886551dfd2e6eb7dc51d15ebbd6393198dfde78f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 22 Apr 2013 17:28:40 +0200 Subject: hiera variable mx.contact -> postfix $root_mail_recipient --- puppet/modules/site_postfix/manifests/mx.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 9104c2cb..15449001 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -1,10 +1,10 @@ class site_postfix::mx { - $domain_hash = hiera ('domain') - $domain = $domain_hash['full_suffix'] + $domain_hash = hiera ('domain') + $domain = $domain_hash['full_suffix'] + $mx_hash = hiera('mx') - # see https://leap.se/code/issues/1936 for contact email addr - #$root_mail_recipient = '' + $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' postfix::config { -- cgit v1.2.3 From d14758f02a6a7d2b8675ea538692bba44b72689d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 22 Apr 2013 22:15:51 +0200 Subject: Configure Postfix for incoming mails (Feature #2269) --- puppet/modules/site_postfix/manifests/mx.pp | 42 +++++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 15449001..4bab7722 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,8 +8,46 @@ class site_postfix::mx { $postfix_smtp_listen = 'all' postfix::config { - # just en example - 'delay_warning_time': value => '4h'; + 'mydestination': + value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; + 'smtpd_recipient_restrictions': + value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; + 'mailbox_size_limit': + value => '0'; + 'home_mailbox': + value => 'Maildir/'; + 'virtual_alias_maps': + value => 'hash:/etc/postfix/virtual'; + } + + postfix::hash { '/etc/postfix/virtual': } + postfix::hash { '/etc/postfix/recipient': } + + # for now, accept all mail + line {'deliver to vmail': + file => '/etc/postfix/recipient', + line => "@${domain} vmail", + notify => Exec['generate /etc/postfix/recipient.db'], + require => Package['postfix'], + } + + postfix::virtual { "@${domain}": destination => 'vmail'; } + #postfix::mailalias { 'vmail': recipient => 'vmail' } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, + } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, } include ::postfix -- cgit v1.2.3 From 997ab7fb2303da86ee27cb781ba6b74d4a2e89a6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Apr 2013 16:27:43 +0200 Subject: no need to import common anymore --- puppet/manifests/site.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 08cbbb9e..327b6a67 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -11,7 +11,6 @@ Package { require => Exec['apt_updated'] } include stdlib -import 'common' include site_config::default include site_config::slow -- cgit v1.2.3 From bb559881644c8207a7d2791655f535cf9bcd61be Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Apr 2013 15:59:44 -0400 Subject: update postfix module to new shared version for parameterized classes, and other 2.7 updates update site_postfix::mx to use parameterized classes --- puppet/modules/postfix | 2 +- puppet/modules/site_postfix/manifests/mx.pp | 11 +++-------- 2 files changed, 4 insertions(+), 9 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 881a59ac..8e43dc85 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9 +Subproject commit 8e43dc85da5a5e45e88aef5f7c32c9cc1c35201c diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 4bab7722..2bf844bf 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -42,13 +42,8 @@ class site_postfix::mx { managehome => true, } - user { 'vmail': - ensure => present, - comment => 'Leap Mailspool', - home => '/var/mail/vmail', - shell => '/bin/false', - managehome => true, + class { 'postfix': + root_mail_recipient => $root_mail_recipient, + smtp_listen => 'all' } - - include ::postfix } -- cgit v1.2.3 From adc12547c53639fe9cf97157d05e2b401dc7c9c3 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 10:09:21 +0200 Subject: using alias resolver --- puppet/modules/site_postfix/manifests/mx.pp | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2bf844bf..82536b80 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -11,28 +11,15 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; - 'mailbox_size_limit': - value => '0'; - 'home_mailbox': - value => 'Maildir/'; - 'virtual_alias_maps': - value => 'hash:/etc/postfix/virtual'; + value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination'; + 'mailbox_size_limit': value => '0'; + 'home_mailbox': value => 'Maildir/'; + 'virtual_alias_maps': value => 'tcp:localhost:4242'; + 'luser_relay': value => 'vmail'; + 'local_recipient_maps': value => ''; } - postfix::hash { '/etc/postfix/virtual': } - postfix::hash { '/etc/postfix/recipient': } - - # for now, accept all mail - line {'deliver to vmail': - file => '/etc/postfix/recipient', - line => "@${domain} vmail", - notify => Exec['generate /etc/postfix/recipient.db'], - require => Package['postfix'], - } - - postfix::virtual { "@${domain}": destination => 'vmail'; } - #postfix::mailalias { 'vmail': recipient => 'vmail' } + #include site_postfix::mx::smtp_checks user { 'vmail': ensure => present, -- cgit v1.2.3 From e6c4f16351be546985432bf865d123a82024b9ae Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 12:24:05 +0200 Subject: smtpd_checks: smtpd_data_restrictions --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 82536b80..72c38ab1 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -17,9 +17,10 @@ class site_postfix::mx { 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; + #'debug_peer_list': value => '127.0.0.1'; } - #include site_postfix::mx::smtp_checks + include site_postfix::mx::smtpd_checks user { 'vmail': ensure => present, diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp new file mode 100644 index 00000000..e46bc149 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -0,0 +1,8 @@ +class site_postfix::mx::smtpd_checks { + + postfix::config { + 'smtpd_data_restrictions': + value => 'permit_mynetworks, reject_unauth_pipelining, permit' + } + +} -- cgit v1.2.3 From a1dc911c792e963cd814154a24a60dfaf147ecdc Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Apr 2013 14:06:38 +0200 Subject: smtpd_checks: smtpd_delay_reject --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index e46bc149..b2f2d7c2 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,8 +1,9 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'smtpd_delay_reject': value => 'yes'; 'smtpd_data_restrictions': - value => 'permit_mynetworks, reject_unauth_pipelining, permit' + value => 'permit_mynetworks, reject_unauth_pipelining, permit'; } } -- cgit v1.2.3 From de4bdcddc33bd9aa2fc883ccef63f7c13543bb23 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 May 2013 19:39:37 +0200 Subject: smtpd_recipient_restrictions: +permit_tls_all_clientcerts --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 72c38ab1..a625cdcd 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -11,7 +11,7 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination'; + value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; -- cgit v1.2.3 From bcb165f6ed09dd51cc7b534a1fa5aafde21e3703 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 May 2013 19:40:13 +0200 Subject: beginning of smtp_auth config with client certs --- puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp new file mode 100644 index 00000000..ab75130e --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp @@ -0,0 +1,10 @@ +class site_postfix::mx::smtp_auth { + $x509 = hiera('x509') + + postfix::config { + 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; + 'smtpd_tls_key_file': value => $x509['client_ca_key']; + 'smtpd_tls_ask_ccert': value => 'yes'; + #'smtpd_tls_CAfile': value => + } +} -- cgit v1.2.3 From ff813f6da042e66b38a0c4c19df6956bdd5ca9c3 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:39:56 +0200 Subject: updated submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apt b/puppet/modules/apt index 6bf7a6ab..1a72a996 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 +Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee -- cgit v1.2.3 From 3f31c74e7365a7508377324a9e0b26b3e746c0c1 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:42:07 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 7b6c9a29..20deb065 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 +Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 -- cgit v1.2.3 From 9fae22550eb599baac912e88343a81d2517bba93 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:42:59 +0200 Subject: updated submodule apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apache b/puppet/modules/apache index 090e59ad..c3e92a9b 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e +Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c -- cgit v1.2.3 From 0f95eccb08b80c02db99d57da413025813766d5e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 17:26:06 +0200 Subject: re-add mx service --- puppet/manifests/site.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 327b6a67..a340ce66 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -36,3 +36,7 @@ if $services =~ /\bmonitor\b/ { if $services =~ /\btor\b/ { include site_tor } + +if $services =~ /\bmx\b/ { + include site_mx +} -- cgit v1.2.3 From c11047649e1ef630b48b007fb757fcc68b747e62 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 10 Jul 2013 14:10:22 +0200 Subject: added tls support, including smtp auth via client cert --- puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++----- .../modules/site_postfix/manifests/mx/smtp_auth.pp | 10 ------- puppet/modules/site_postfix/manifests/mx/tls.pp | 31 ++++++++++++++++++++++ 3 files changed, 41 insertions(+), 16 deletions(-) delete mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp create mode 100644 puppet/modules/site_postfix/manifests/mx/tls.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index a625cdcd..e9656072 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -3,6 +3,7 @@ class site_postfix::mx { $domain_hash = hiera ('domain') $domain = $domain_hash['full_suffix'] $mx_hash = hiera('mx') + $cert_name = hiera('name') $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' @@ -12,15 +13,16 @@ class site_postfix::mx { value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; - 'mailbox_size_limit': value => '0'; - 'home_mailbox': value => 'Maildir/'; - 'virtual_alias_maps': value => 'tcp:localhost:4242'; - 'luser_relay': value => 'vmail'; - 'local_recipient_maps': value => ''; + 'mailbox_size_limit': value => '0'; + 'home_mailbox': value => 'Maildir/'; + 'virtual_alias_maps': value => 'tcp:localhost:4242'; + 'luser_relay': value => 'vmail'; + 'local_recipient_maps': value => ''; #'debug_peer_list': value => '127.0.0.1'; } include site_postfix::mx::smtpd_checks + include site_postfix::mx::tls user { 'vmail': ensure => present, @@ -32,6 +34,8 @@ class site_postfix::mx { class { 'postfix': root_mail_recipient => $root_mail_recipient, - smtp_listen => 'all' + smtp_listen => 'all', + require => [ X509::Key[$cert_name], X509::Cert[$cert_name], + User['vmail'] ] } } diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp deleted file mode 100644 index ab75130e..00000000 --- a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp +++ /dev/null @@ -1,10 +0,0 @@ -class site_postfix::mx::smtp_auth { - $x509 = hiera('x509') - - postfix::config { - 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; - 'smtpd_tls_key_file': value => $x509['client_ca_key']; - 'smtpd_tls_ask_ccert': value => 'yes'; - #'smtpd_tls_CAfile': value => - } -} diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp new file mode 100644 index 00000000..7da38100 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -0,0 +1,31 @@ +class site_postfix::mx::tls { + + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $client_ca = $x509['client_ca_cert'] + + include x509::variables + $cert_name = hiera('name') + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + x509::key { $cert_name: + content => $key, + } + + x509::cert { $cert_name: + content => $cert, + } + + postfix::config { + 'smtpd_use_tls': value => 'yes'; + 'smtpd_tls_CAfile': value => $client_ca; + 'smtpd_tls_cert_file': value => $cert_path; + 'smtpd_tls_key_file': value => $key_path; + 'smtpd_tls_req_ccert': value => 'yes'; + 'smtpd_tls_security_level': + value => 'encrypt'; + } + +} -- cgit v1.2.3 From 0e7b47380edb2af6683a0cdc871eaa60a4101f5c Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 10 Jul 2013 21:45:51 -0700 Subject: ensure that /etc/hosts is output deterministically, so that content does not change each time you deploy. --- puppet/modules/site_config/templates/hosts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index 2c784b05..c0a2740f 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -4,7 +4,8 @@ 127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> <%- if @hosts then -%> -<% @hosts.each do |name, props| -%> +<% @hosts.keys.sort.each do |name| -%> +<%- props = @hosts[name] -%> <%= props["ip_address"] %> <%= props["domain_full"] %> <%= props["domain_internal"] %> <%= name %> <% end -%> <% end -%> -- cgit v1.2.3 From 8478e8613ded138b5d68b122cb82f5418a199764 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 11 Jul 2013 10:04:21 -0700 Subject: changes to support restrictive permissions for /etc/leap. this is required to work with the latest leap_cli. --- puppet/modules/site_config/manifests/default.pp | 3 ++ puppet/modules/site_config/manifests/files.pp | 10 +++++++ puppet/modules/site_webapp/manifests/init.pp | 29 +++++++++++++------ puppet/modules/try/manifests/file.pp | 38 ++++++++++++++++++++----- 4 files changed, 64 insertions(+), 16 deletions(-) create mode 100644 puppet/modules/site_config/manifests/files.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 00eee9d0..e299a0f4 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -41,4 +41,7 @@ class site_config::default { # include basic shell config include site_config::shell + + # set up core leap files and directories + include site_config::files } diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp new file mode 100644 index 00000000..03c9aff8 --- /dev/null +++ b/puppet/modules/site_config/manifests/files.pp @@ -0,0 +1,10 @@ +class site_config::files { + + file { '/srv/leap': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0711' + } + +} \ No newline at end of file diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index e743dc07..103a0faf 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -107,24 +107,35 @@ class site_webapp { try::file { '/srv/leap/webapp/public/favicon.ico': - ensure => 'link', + ensure => present, + owner => leap-webapp, + group => leap-webapp, require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['favicon']; + source => $webapp['favicon']; '/srv/leap/webapp/app/assets/stylesheets/tail.scss': - ensure => 'link', + ensure => present, + owner => leap-webapp, + group => leap-webapp, require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['tail_scss']; + source => $webapp['tail_scss']; '/srv/leap/webapp/app/assets/stylesheets/head.scss': - ensure => 'link', + ensure => present, + owner => leap-webapp, + group => leap-webapp, require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['head_scss']; + source => $webapp['head_scss']; '/srv/leap/webapp/public/img': - ensure => 'link', - require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['img_dir']; + ensure => directory, + recurse => true, + purge => true, + force => true, + owner => leap-webapp, + group => leap-webapp, + mode => '0644', + source => $webapp['img_dir']; } file { diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index 47a8c269..7063ded9 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp @@ -1,23 +1,47 @@ # -# like built-in type "file", but gets gracefully ignored if the target does not exist or is undefined. +# Works like the built-in type "file", but gets gracefully ignored if the target/source does not exist or is undefined. +# +# Also, if the source or target doesn't exist, and the destination is a git repo, then the file is restored from git. # # /bin/true and /usr/bin/test are hardcoded to their paths in debian. # - +# known limitations: +# * restore does not work for directories +# define try::file ( $ensure = undef, $target = undef, + $source = undef, + $owner = undef, + $group = undef, + $recurse = undef, + $purge = undef, + $force = undef, + $mode = undef, $restore = true) { - if $target != undef { + if $target { + $target_or_source = $target + } else { + $target_or_source = $source + } + + if $target_or_source != undef { exec { "check_${name}": command => "/bin/true", - onlyif => "/usr/bin/test -e '${target}'", + onlyif => "/usr/bin/test -e '${target_or_source}'", loglevel => info; } file { "$name": ensure => $ensure, target => $target, + source => $source, + owner => $owner, + group => $group, + recurse => $recurse, + purge => $purge, + force => $force, + mode => $mode, require => $require ? { undef => Exec["check_${name}"], default => [ $require, Exec["check_${name}"] ] @@ -27,10 +51,10 @@ define try::file ( } # - # if the target does not exist (or is undef), and the file happens to be in a git repo, + # if the target/source does not exist (or is undef), and the file happens to be in a git repo, # then restore the file to its original state. # - if $target == undef or $restore { + if ($target_or_source == undef) or $restore { $file_basename = basename($name) $file_dirname = dirname($name) $command = "git rev-parse && unlink '${name}'; git checkout -- '${file_basename}' && chown --reference='${file_dirname}' '${name}'; true" @@ -48,7 +72,7 @@ define try::file ( } } else { exec { "restore_${name}": - unless => "/usr/bin/test -e '${target}'", + unless => "/usr/bin/test -e '${target_or_source}'", command => $command, cwd => $file_dirname, require => $require ? { -- cgit v1.2.3 From f64791335e40b2b6e05305a6d8dda989fb755b9d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 15 Jul 2013 11:34:22 +0200 Subject: fix smtpd_recipient_restrictions, debug connections from localhost --- puppet/modules/site_postfix/manifests/mx.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e9656072..5ec8ab49 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -12,13 +12,13 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; + value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; - #'debug_peer_list': value => '127.0.0.1'; + 'debug_peer_list': value => '127.0.0.1'; } include site_postfix::mx::smtpd_checks -- cgit v1.2.3 From cdb7b1805ea20b89c2c9aa9a71700b1be02cd707 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 15 Jul 2013 10:26:54 +0100 Subject: lint nickserver class Change-Id: I03cdb5a6255d245cb1163a30b221b4c32dc4bef6 --- puppet/modules/site_nickserver/manifests/init.pp | 41 ++++++++++++++++-------- 1 file changed, 27 insertions(+), 14 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 7dfa2603..a3368771 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -1,10 +1,12 @@ # -# TODO: currently, this is dependent on some things that are set up in site_webapp +# TODO: currently, this is dependent on some things that are set up in +# site_webapp # # (1) HAProxy -> couchdb # (2) Apache # -# It would be good in the future to make nickserver installable independently of site_webapp. +# It would be good in the future to make nickserver installable independently of +# site_webapp. # class site_nickserver { @@ -16,14 +18,18 @@ class site_nickserver { # $nickserver = hiera('nickserver') - $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425) - $nickserver_local_port = '64250' # the port that nickserver is actually running on + # the port that public connects to (should be 6425) + $nickserver_port = $nickserver['port'] + # the port that nickserver is actually running on + $nickserver_local_port = '64250' $nickserver_domain = $nickserver['domain'] $couchdb_user = $nickserver['couchdb_user']['username'] $couchdb_password = $nickserver['couchdb_user']['password'] - $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096. - $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg + # couchdb is available on localhost via haproxy, which is bound to 4096. + $couchdb_host = 'localhost' + # See site_webapp/templates/haproxy_couchdb.cfg.erg + $couchdb_port = '4096' # temporarily for now: $domain = hiera('domain') @@ -41,6 +47,7 @@ class site_nickserver { ensure => present, allowdupe => false; } + user { 'nickserver': ensure => present, allowdupe => false, @@ -50,14 +57,14 @@ class site_nickserver { } # - # NICKSERVER CODE - # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem - # is built/installed. + # NICKSERVER CODE NOTE: in order to support TLS, libssl-dev must be installed + # before EventMachine gem is built/installed. # package { 'libssl-dev': ensure => installed; } + vcsrepo { '/srv/leap/nickserver': ensure => present, revision => 'origin/master', @@ -68,13 +75,15 @@ class site_nickserver { require => [ User['nickserver'], Group['nickserver'] ], notify => Exec['nickserver_bundler_update']; } + exec { 'nickserver_bundler_update': cwd => '/srv/leap/nickserver', command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"', unless => '/usr/bin/bundle check', user => 'nickserver', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ], + require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], + Package['libssl-dev'] ], notify => Service['nickserver']; } @@ -99,8 +108,11 @@ class site_nickserver { ensure => link, target => '/srv/leap/nickserver/bin/nickserver', require => Vcsrepo['/srv/leap/nickserver']; + '/etc/init.d/nickserver': - owner => root, group => 0, mode => '0755', + owner => root, + group => 0, + mode => '0755', source => '/srv/leap/nickserver/dist/debian-init-script', require => Vcsrepo['/srv/leap/nickserver']; } @@ -119,7 +131,7 @@ class site_nickserver { # file { '/etc/shorewall/macro.nickserver': - content => "PARAM - - tcp $nickserver_port", + content => "PARAM - - tcp ${nickserver_port}", notify => Service['shorewall'], require => Package['shorewall']; } @@ -142,7 +154,8 @@ class site_nickserver { } apache::vhost::file { - 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb') + 'nickserver': + content => template('site_nickserver/nickserver-proxy.conf.erb') } x509::key { 'nickserver': @@ -159,4 +172,4 @@ class site_nickserver { content => $x509_ca, notify => Service[apache]; } -} \ No newline at end of file +} -- cgit v1.2.3 From f35db765d82974d2b935036acbc57e7d1acd13a9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Jul 2013 10:54:54 +0100 Subject: lint site_openvpn manifests Change-Id: I314031d93aa9f4a0f217680870678e39c096d46a --- puppet/modules/site_openvpn/manifests/init.pp | 13 +++--- .../site_openvpn/manifests/server_config.pp | 48 +++++++++++----------- 2 files changed, 31 insertions(+), 30 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 4f900623..b2bb0d3a 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -5,8 +5,9 @@ # (2) unlimited only # (3) limited only # -# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix', -# and 'limited' gateways only allow certs that match the 'limited_prefix'. +# The difference is that 'unlimited' gateways only allow client certs that match +# the 'unlimited_prefix', and 'limited' gateways only allow certs that match the +# 'limited_prefix'. # # We potentially create four openvpn config files (thus four daemons): # @@ -89,8 +90,8 @@ class site_openvpn { management => '127.0.0.1 1001' } } else { - tidy { "/etc/openvpn/tcp_config.conf": } - tidy { "/etc/openvpn/udp_config.conf": } + tidy { '/etc/openvpn/tcp_config.conf': } + tidy { '/etc/openvpn/udp_config.conf': } } if $openvpn_allow_limited { @@ -113,8 +114,8 @@ class site_openvpn { management => '127.0.0.1 1003' } } else { - tidy { "/etc/openvpn/limited_tcp_config.conf": } - tidy { "/etc/openvpn/limited_udp_config.conf": } + tidy { '/etc/openvpn/limited_tcp_config.conf': } + tidy { '/etc/openvpn/limited_udp_config.conf': } } file { diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6106cfbb..a53019a8 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -70,7 +70,7 @@ define site_openvpn::server_config( if $tls_remote != undef { openvpn::option { - "tls-remote $openvpn_configname": + 'tls-remote $openvpn_configname': key => 'tls-remote', value => $tls_remote, server => $openvpn_configname; @@ -78,89 +78,89 @@ define site_openvpn::server_config( } openvpn::option { - "ca $openvpn_configname": + "ca ${openvpn_configname}": key => 'ca', value => '/etc/openvpn/ca_bundle.pem', server => $openvpn_configname; - "cert $openvpn_configname": + "cert ${openvpn_configname}": key => 'cert', value => '/etc/x509/certs/leap_openvpn.crt', server => $openvpn_configname; - "key $openvpn_configname": + "key ${openvpn_configname}": key => 'key', value => '/etc/x509/keys/leap_openvpn.key', server => $openvpn_configname; - "dh $openvpn_configname": + "dh ${openvpn_configname}": key => 'dh', value => '/etc/openvpn/keys/dh.pem', server => $openvpn_configname; - "tls-cipher $openvpn_configname": + "tls-cipher ${openvpn_configname}": key => 'tls-cipher', value => 'DHE-RSA-AES128-SHA', server => $openvpn_configname; - "auth $openvpn_configname": + "auth ${openvpn_configname}": key => 'auth', value => 'SHA1', server => $openvpn_configname; - "cipher $openvpn_configname": + "cipher ${openvpn_configname}": key => 'cipher', value => 'AES-128-CBC', server => $openvpn_configname; - "dev $openvpn_configname": + "dev ${openvpn_configname}": key => 'dev', value => 'tun', server => $openvpn_configname; - "duplicate-cn $openvpn_configname": + "duplicate-cn ${openvpn_configname}": key => 'duplicate-cn', server => $openvpn_configname; - "keepalive $openvpn_configname": + "keepalive ${openvpn_configname}": key => 'keepalive', value => '5 20', server => $openvpn_configname; - "local $openvpn_configname": + "local ${openvpn_configname}": key => 'local', value => $local, server => $openvpn_configname; - "mute $openvpn_configname": + "mute ${openvpn_configname}": key => 'mute', value => '5', server => $openvpn_configname; - "mute-replay-warnings $openvpn_configname": + "mute-replay-warnings ${openvpn_configname}": key => 'mute-replay-warnings', server => $openvpn_configname; - "management $openvpn_configname": + "management ${openvpn_configname}": key => 'management', value => $management, server => $openvpn_configname; - "proto $openvpn_configname": + "proto ${openvpn_configname}": key => 'proto', value => $proto, server => $openvpn_configname; - "push1 $openvpn_configname": + "push1 ${openvpn_configname}": key => 'push', value => $push, server => $openvpn_configname; - "push2 $openvpn_configname": + "push2 ${openvpn_configname}": key => 'push', value => '"redirect-gateway def1"', server => $openvpn_configname; - "script-security $openvpn_configname": + "script-security ${openvpn_configname}": key => 'script-security', value => '2', server => $openvpn_configname; - "server $openvpn_configname": + "server ${openvpn_configname}": key => 'server', value => $server, server => $openvpn_configname; - "status $openvpn_configname": + "status ${openvpn_configname}": key => 'status', value => '/var/run/openvpn-status 10', server => $openvpn_configname; - "status-version $openvpn_configname": + "status-version ${openvpn_configname}": key => 'status-version', value => '3', server => $openvpn_configname; - "topology $openvpn_configname": + "topology ${openvpn_configname}": key => 'topology', value => 'subnet', server => $openvpn_configname; @@ -169,7 +169,7 @@ define site_openvpn::server_config( # key => 'up', # value => '/etc/openvpn/server-up.sh', # server => $openvpn_configname; - "verb $openvpn_configname": + "verb ${openvpn_configname}": key => 'verb', value => '3', server => $openvpn_configname; -- cgit v1.2.3 From 3bfa6a7bd1cc9155155c50468a9bbe0769986920 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 17 Jul 2013 00:58:07 -0700 Subject: default to false for $hosts --- puppet/modules/site_config/manifests/hosts.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index ccedf036..a3ce0c1f 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -1,5 +1,5 @@ class site_config::hosts() { - $hosts = hiera('hosts','') + $hosts = hiera('hosts', false) $hostname = hiera('name') $domain_hash = hiera('domain') $domain_public = $domain_hash['full_suffix'] -- cgit v1.2.3 From e52f2191b616f77ffaf94152f3241ea017c296e3 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 15 Jul 2013 07:16:35 -0700 Subject: an entirely different implementation of try::file, using all execs. the built in file resource of puppet can't be used for what we want, because if you specify $source, it always bombs out if it doesn't exist, regardless of dependencies. --- puppet/modules/try/manifests/file.pp | 92 +++++++++++++++++++++++------------- 1 file changed, 58 insertions(+), 34 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index 7063ded9..d21925c0 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp @@ -6,7 +6,10 @@ # /bin/true and /usr/bin/test are hardcoded to their paths in debian. # # known limitations: -# * restore does not work for directories +# * this is far too noisy +# * $restore does not work for directories +# * only file:// $source is supported +# * $content is not supported, only $target or $source. # define try::file ( $ensure = undef, @@ -20,33 +23,55 @@ define try::file ( $mode = undef, $restore = true) { - if $target { - $target_or_source = $target - } else { - $target_or_source = $source + # dummy exec to propagate requires: + # metaparameter 'require' will get triggered by this dummy exec + # so then we just need to depend on this to capture all requires. + # exec { $name: command => "/bin/true" } + + exec { + "chmod_${name}": + command => "chmod -R ${mode} '${name}'", + onlyif => "/usr/bin/test $mode", + loglevel => debug; + "chown_${name}": + command => "chown -R ${owner} '${name}'", + onlyif => "/usr/bin/test $owner", + loglevel => debug; + "chgrp_${name}": + command => "chgrp -R ${group} '${name}'", + onlyif => "/usr/bin/test $group", + loglevel => debug; } - if $target_or_source != undef { - exec { "check_${name}": - command => "/bin/true", - onlyif => "/usr/bin/test -e '${target_or_source}'", - loglevel => info; + if $target { + exec { "symlink_${name}": + command => "ln -s ${target} ${name}", + onlyif => "/usr/bin/test -d '${target}'", } - file { "$name": - ensure => $ensure, - target => $target, - source => $source, - owner => $owner, - group => $group, - recurse => $recurse, - purge => $purge, - force => $force, - mode => $mode, - require => $require ? { - undef => Exec["check_${name}"], - default => [ $require, Exec["check_${name}"] ] - }, - loglevel => info; + } elsif $source { + if $ensure == "directory" { + if $purge { + exec { "rsync_${name}": + command => "rsync -r --delete '${source}/' '${name}'", + onlyif => "/usr/bin/test -d '${source}'", + unless => "/usr/bin/diff -q '${source}' '${name}'", + notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] + } + } else { + exec { "cp_r_${name}": + command => "cp -r '${source}' '${name}'", + onlyif => "/usr/bin/test -d '${source}'", + unless => "/usr/bin/diff -q '${source}' '${name}'", + notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] + } + } + } else { + exec { "cp_${name}": + command => "cp '${source}' '${name}'", + onlyif => "/usr/bin/test -e '${source}'", + unless => "/usr/bin/diff -q '${source}' '${name}'", + notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] + } } } @@ -54,20 +79,23 @@ define try::file ( # if the target/source does not exist (or is undef), and the file happens to be in a git repo, # then restore the file to its original state. # + + if $target { + $target_or_source = $target + } else { + $target_or_source = $source + } + if ($target_or_source == undef) or $restore { $file_basename = basename($name) $file_dirname = dirname($name) $command = "git rev-parse && unlink '${name}'; git checkout -- '${file_basename}' && chown --reference='${file_dirname}' '${name}'; true" debug($command) - if $target == undef { + if $target_or_source == undef { exec { "restore_${name}": command => $command, cwd => $file_dirname, - require => $require ? { - undef => undef, - default => [ $require ] - }, loglevel => info; } } else { @@ -75,10 +103,6 @@ define try::file ( unless => "/usr/bin/test -e '${target_or_source}'", command => $command, cwd => $file_dirname, - require => $require ? { - undef => undef, - default => [ $require ] - }, loglevel => info; } } -- cgit v1.2.3 From 3a12f829316b7ccaf353158ea58d27d6fd400065 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 19 Jul 2013 01:55:47 -0700 Subject: try::file - absolute exec paths. --- puppet/modules/try/manifests/file.pp | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index d21925c0..4cefef2f 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp @@ -3,7 +3,7 @@ # # Also, if the source or target doesn't exist, and the destination is a git repo, then the file is restored from git. # -# /bin/true and /usr/bin/test are hardcoded to their paths in debian. +# All executable paths are hardcoded to their paths in debian. # # known limitations: # * this is far too noisy @@ -30,36 +30,36 @@ define try::file ( exec { "chmod_${name}": - command => "chmod -R ${mode} '${name}'", + command => "/bin/chmod -R ${mode} '${name}'", onlyif => "/usr/bin/test $mode", loglevel => debug; "chown_${name}": - command => "chown -R ${owner} '${name}'", + command => "/bin/chown -R ${owner} '${name}'", onlyif => "/usr/bin/test $owner", loglevel => debug; "chgrp_${name}": - command => "chgrp -R ${group} '${name}'", + command => "/bin/chgrp -R ${group} '${name}'", onlyif => "/usr/bin/test $group", loglevel => debug; } if $target { exec { "symlink_${name}": - command => "ln -s ${target} ${name}", + command => "/bin/ln -s ${target} ${name}", onlyif => "/usr/bin/test -d '${target}'", } } elsif $source { - if $ensure == "directory" { + if $ensure == 'directory' { if $purge { exec { "rsync_${name}": - command => "rsync -r --delete '${source}/' '${name}'", + command => "/usr/bin/rsync -r --delete '${source}/' '${name}'", onlyif => "/usr/bin/test -d '${source}'", unless => "/usr/bin/diff -q '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] } } else { exec { "cp_r_${name}": - command => "cp -r '${source}' '${name}'", + command => "/bin/cp -r '${source}' '${name}'", onlyif => "/usr/bin/test -d '${source}'", unless => "/usr/bin/diff -q '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] @@ -67,7 +67,7 @@ define try::file ( } } else { exec { "cp_${name}": - command => "cp '${source}' '${name}'", + command => "/bin/cp '${source}' '${name}'", onlyif => "/usr/bin/test -e '${source}'", unless => "/usr/bin/diff -q '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] -- cgit v1.2.3 From 984a6d2e22ff3f11d9b772f9a86e6d75f5e14f4b Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Jul 2013 17:29:51 +0200 Subject: /srv/leap/webapp/public/img: require => Vcsrepo['/srv/leap/webapp'] --- puppet/modules/site_webapp/manifests/init.pp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 103a0faf..f3c28f49 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -128,14 +128,15 @@ class site_webapp { source => $webapp['head_scss']; '/srv/leap/webapp/public/img': - ensure => directory, + ensure => directory, recurse => true, - purge => true, - force => true, - owner => leap-webapp, - group => leap-webapp, - mode => '0644', - source => $webapp['img_dir']; + purge => true, + force => true, + owner => leap-webapp, + group => leap-webapp, + mode => '0644', + require => Vcsrepo['/srv/leap/webapp'], + source => $webapp['img_dir']; } file { -- cgit v1.2.3 From 87959aa1cda7e942fd0db89857c79e09876006c0 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Jul 2013 17:59:41 +0200 Subject: not need for file { '/srv/leap/webapp': }, we have vcsrepo { '/srv/leap/webapp': } --- puppet/modules/site_webapp/manifests/init.pp | 7 ------- 1 file changed, 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f3c28f49..1071ea1d 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -31,13 +31,6 @@ class site_webapp { require => [ Group['leap-webapp'] ]; } - file { '/srv/leap/webapp': - ensure => directory, - owner => 'leap-webapp', - group => 'leap-webapp', - require => User['leap-webapp']; - } - vcsrepo { '/srv/leap/webapp': ensure => present, force => true, -- cgit v1.2.3 From a1d8ec10bd7d7ac4a146222010cf5a6862e45869 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Jul 2013 12:45:31 -0400 Subject: fix linting error Change-Id: I975e1bd480d756a85e556b440a0e28e3899c9af8 --- puppet/modules/site_openvpn/manifests/server_config.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index a53019a8..5ba9812f 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -70,10 +70,10 @@ define site_openvpn::server_config( if $tls_remote != undef { openvpn::option { - 'tls-remote $openvpn_configname': - key => 'tls-remote', - value => $tls_remote, - server => $openvpn_configname; + "tls-remote ${openvpn_configname}": + key => 'tls-remote', + value => $tls_remote, + server => $openvpn_configname; } } -- cgit v1.2.3 From 56773db9cd0adab580e05e041b674a709a81a1db Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:24:29 +0100 Subject: include site_mx --- puppet/manifests/site.pp | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 08cbbb9e..2ceca4f1 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -37,3 +37,8 @@ if $services =~ /\bmonitor\b/ { if $services =~ /\btor\b/ { include site_tor } + +if 'webapp' in $services { + include site_webapp +} + -- cgit v1.2.3 From 96115ce90ea7f2daf9ce40e738348c9cc4e0da05 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:27:45 +0100 Subject: added submodule postfix from git://labs.riseup.net/shared-postfix --- puppet/modules/postfix | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/postfix (limited to 'puppet') diff --git a/puppet/modules/postfix b/puppet/modules/postfix new file mode 160000 index 00000000..881a59ac --- /dev/null +++ b/puppet/modules/postfix @@ -0,0 +1 @@ +Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9 -- cgit v1.2.3 From 1c7664e5efaed6da2a7dff9dd2c2930f147499e9 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:42:17 +0100 Subject: added site_mx --- puppet/modules/site_mx/manifests/init.pp | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/init.pp (limited to 'puppet') diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp new file mode 100644 index 00000000..f7f358ce --- /dev/null +++ b/puppet/modules/site_mx/manifests/init.pp @@ -0,0 +1,3 @@ +class site_mx { + include site_postfix::mx +} -- cgit v1.2.3 From ef50a37c6f3eda75d9d631ed8040252be912b365 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 17:16:09 +0100 Subject: shorewall rules for site_mx --- puppet/modules/site_shorewall/manifests/mx.pp | 24 ++++++++++++++++++++++ .../site_shorewall/manifests/service/smtp.pp | 13 ++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/mx.pp create mode 100644 puppet/modules/site_shorewall/manifests/service/smtp.pp (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp new file mode 100644 index 00000000..5ec95fdd --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/mx.pp @@ -0,0 +1,24 @@ +class site_shorewall::mx { + + include site_shorewall::defaults + + $smtpd_ports = '25' + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_mx': + content => "PARAM - - tcp ${smtpd_ports} ", + notify => Service['shorewall'], + require => Package['shorewall'] + } + + + shorewall::rule { + 'net2fw-mx': + source => 'net', + destination => '$FW', + action => 'leap_mx(ACCEPT)', + order => 200; + } + + include site_shorewall::service::smtp +} diff --git a/puppet/modules/site_shorewall/manifests/service/smtp.pp b/puppet/modules/site_shorewall/manifests/service/smtp.pp new file mode 100644 index 00000000..7fbdf14e --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/service/smtp.pp @@ -0,0 +1,13 @@ +class site_shorewall::service::smtp { + + include site_shorewall::defaults + + shorewall::rule { + 'fw2net-http': + source => '$FW', + destination => 'net', + action => 'SMTP(ACCEPT)', + order => 200; + } + +} -- cgit v1.2.3 From 07f1d18e20fb356a80e726e1555dbcc15db1cf45 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 18:15:45 +0100 Subject: include shorewall rules for site_mx --- puppet/modules/site_mx/manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index f7f358ce..4b2db215 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -1,3 +1,7 @@ class site_mx { + tag 'leap_service' + include site_postfix::mx + include site_shorewall::mx + include site_shorewall::service::smtp } -- cgit v1.2.3 From 4db33aa76139e26678d1b989873532bc50937917 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 18:16:13 +0100 Subject: added basic site_postfix::mx config --- puppet/modules/site_postfix/manifests/mx.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp new file mode 100644 index 00000000..9104c2cb --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -0,0 +1,16 @@ +class site_postfix::mx { + + $domain_hash = hiera ('domain') + $domain = $domain_hash['full_suffix'] + + # see https://leap.se/code/issues/1936 for contact email addr + #$root_mail_recipient = '' + $postfix_smtp_listen = 'all' + + postfix::config { + # just en example + 'delay_warning_time': value => '4h'; + } + + include ::postfix +} -- cgit v1.2.3 From 930885ac2be95698584e094fa23713a946d81dac Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 17 Apr 2013 18:35:37 +0200 Subject: added site_mx::haproxy --- puppet/modules/site_mx/manifests/haproxy.pp | 14 ++++++++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 2 files changed, 15 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/haproxy.pp (limited to 'puppet') diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp new file mode 100644 index 00000000..988eeaf3 --- /dev/null +++ b/puppet/modules/site_mx/manifests/haproxy.pp @@ -0,0 +1,14 @@ +class site_mx::haproxy { + + include site_haproxy + + $haproxy = hiera('haproxy') + $local_ports = $haproxy['local_ports'] + + # Template uses $global_options, $defaults_options + concat::fragment { 'leap_haproxy_webapp_couchdb': + target => '/etc/haproxy/haproxy.cfg', + order => '20', + content => template('site_webapp/haproxy_couchdb.cfg.erb'), + } +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 4b2db215..8c8b8d7e 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,6 +2,7 @@ class site_mx { tag 'leap_service' include site_postfix::mx + include site_mx::haproxy include site_shorewall::mx include site_shorewall::service::smtp } -- cgit v1.2.3 From 720717e177af576936a7e3e950aec1d208a21fae Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 17 Apr 2013 16:01:19 -0400 Subject: initial mx couchdb stunnel configuration --- puppet/modules/site_mx/manifests/couchdb.pp | 35 +++++++++++++++++++++++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 2 files changed, 36 insertions(+) create mode 100644 puppet/modules/site_mx/manifests/couchdb.pp (limited to 'puppet') diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp new file mode 100644 index 00000000..f842ceab --- /dev/null +++ b/puppet/modules/site_mx/manifests/couchdb.pp @@ -0,0 +1,35 @@ +class site_mx::couchdb { + + $stunnel = hiera('stunnel') + $couch_client = $stunnel['couch_client'] + $couch_client_connect = $couch_client['connect'] + + include x509::variables + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + $cert_name = 'leap_couchdb' + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca_name => $ca_name, + ca => $ca + } + + $couchdb_stunnel_client_defaults = { + 'connect_port' => $couch_client_connect, + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 8c8b8d7e..86ae56e1 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -5,4 +5,5 @@ class site_mx { include site_mx::haproxy include site_shorewall::mx include site_shorewall::service::smtp + include site_mx::couchdb } -- cgit v1.2.3 From 8d93b0f2fa3198cf4071cf93d8213fbfc3e0a9be Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 22 Apr 2013 17:28:40 +0200 Subject: hiera variable mx.contact -> postfix $root_mail_recipient --- puppet/modules/site_postfix/manifests/mx.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 9104c2cb..15449001 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -1,10 +1,10 @@ class site_postfix::mx { - $domain_hash = hiera ('domain') - $domain = $domain_hash['full_suffix'] + $domain_hash = hiera ('domain') + $domain = $domain_hash['full_suffix'] + $mx_hash = hiera('mx') - # see https://leap.se/code/issues/1936 for contact email addr - #$root_mail_recipient = '' + $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' postfix::config { -- cgit v1.2.3 From f45c144272915ef839edd0cb47a1085d01d4c36a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 22 Apr 2013 22:15:51 +0200 Subject: Configure Postfix for incoming mails (Feature #2269) --- puppet/modules/site_postfix/manifests/mx.pp | 42 +++++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 15449001..4bab7722 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,8 +8,46 @@ class site_postfix::mx { $postfix_smtp_listen = 'all' postfix::config { - # just en example - 'delay_warning_time': value => '4h'; + 'mydestination': + value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; + 'smtpd_recipient_restrictions': + value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; + 'mailbox_size_limit': + value => '0'; + 'home_mailbox': + value => 'Maildir/'; + 'virtual_alias_maps': + value => 'hash:/etc/postfix/virtual'; + } + + postfix::hash { '/etc/postfix/virtual': } + postfix::hash { '/etc/postfix/recipient': } + + # for now, accept all mail + line {'deliver to vmail': + file => '/etc/postfix/recipient', + line => "@${domain} vmail", + notify => Exec['generate /etc/postfix/recipient.db'], + require => Package['postfix'], + } + + postfix::virtual { "@${domain}": destination => 'vmail'; } + #postfix::mailalias { 'vmail': recipient => 'vmail' } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, + } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, } include ::postfix -- cgit v1.2.3 From b8fcdf50b284aa88ff3886243299ce76c9acd3eb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 23 Apr 2013 16:27:43 +0200 Subject: no need to import common anymore --- puppet/manifests/site.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 2ceca4f1..1603176c 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -11,7 +11,6 @@ Package { require => Exec['apt_updated'] } include stdlib -import 'common' include site_config::default include site_config::slow -- cgit v1.2.3 From 9c08bdad1cbb5c9c71ef42b99d7ec491ed084269 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Apr 2013 15:59:44 -0400 Subject: update postfix module to new shared version for parameterized classes, and other 2.7 updates update site_postfix::mx to use parameterized classes --- puppet/modules/postfix | 2 +- puppet/modules/site_postfix/manifests/mx.pp | 11 +++-------- 2 files changed, 4 insertions(+), 9 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 881a59ac..8e43dc85 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 881a59ac62684028a7f4cb358e3592efc3ae99a9 +Subproject commit 8e43dc85da5a5e45e88aef5f7c32c9cc1c35201c diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 4bab7722..2bf844bf 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -42,13 +42,8 @@ class site_postfix::mx { managehome => true, } - user { 'vmail': - ensure => present, - comment => 'Leap Mailspool', - home => '/var/mail/vmail', - shell => '/bin/false', - managehome => true, + class { 'postfix': + root_mail_recipient => $root_mail_recipient, + smtp_listen => 'all' } - - include ::postfix } -- cgit v1.2.3 From a7bcd40d22769ec61b3fdb8d04dd447f6167ed7e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 10:09:21 +0200 Subject: using alias resolver --- puppet/modules/site_postfix/manifests/mx.pp | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2bf844bf..82536b80 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -11,28 +11,15 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; - 'mailbox_size_limit': - value => '0'; - 'home_mailbox': - value => 'Maildir/'; - 'virtual_alias_maps': - value => 'hash:/etc/postfix/virtual'; + value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination'; + 'mailbox_size_limit': value => '0'; + 'home_mailbox': value => 'Maildir/'; + 'virtual_alias_maps': value => 'tcp:localhost:4242'; + 'luser_relay': value => 'vmail'; + 'local_recipient_maps': value => ''; } - postfix::hash { '/etc/postfix/virtual': } - postfix::hash { '/etc/postfix/recipient': } - - # for now, accept all mail - line {'deliver to vmail': - file => '/etc/postfix/recipient', - line => "@${domain} vmail", - notify => Exec['generate /etc/postfix/recipient.db'], - require => Package['postfix'], - } - - postfix::virtual { "@${domain}": destination => 'vmail'; } - #postfix::mailalias { 'vmail': recipient => 'vmail' } + #include site_postfix::mx::smtp_checks user { 'vmail': ensure => present, -- cgit v1.2.3 From b50b03d8a2bc1970df696938b382ada79397ba07 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 12:24:05 +0200 Subject: smtpd_checks: smtpd_data_restrictions --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 82536b80..72c38ab1 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -17,9 +17,10 @@ class site_postfix::mx { 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; + #'debug_peer_list': value => '127.0.0.1'; } - #include site_postfix::mx::smtp_checks + include site_postfix::mx::smtpd_checks user { 'vmail': ensure => present, diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp new file mode 100644 index 00000000..e46bc149 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -0,0 +1,8 @@ +class site_postfix::mx::smtpd_checks { + + postfix::config { + 'smtpd_data_restrictions': + value => 'permit_mynetworks, reject_unauth_pipelining, permit' + } + +} -- cgit v1.2.3 From 874cbdc087fde630ef7c44b51974aa702a151c7c Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 29 Apr 2013 14:06:38 +0200 Subject: smtpd_checks: smtpd_delay_reject --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index e46bc149..b2f2d7c2 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,8 +1,9 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'smtpd_delay_reject': value => 'yes'; 'smtpd_data_restrictions': - value => 'permit_mynetworks, reject_unauth_pipelining, permit' + value => 'permit_mynetworks, reject_unauth_pipelining, permit'; } } -- cgit v1.2.3 From 230ca974a555f0391a6d1d5455d5f779c7b79828 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 7 Mar 2013 15:24:29 +0100 Subject: include site_mx --- puppet/modules/apache | 2 +- puppet/modules/apt | 2 +- puppet/modules/couchdb | 2 +- puppet/modules/stunnel | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/apache b/puppet/modules/apache index c3e92a9b..090e59ad 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c +Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e diff --git a/puppet/modules/apt b/puppet/modules/apt index 1a72a996..6bf7a6ab 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee +Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 20deb065..7b6c9a29 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 +Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index fc1589a5..75d387fc 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit fc1589a5f09d80f58d730d4e1f6a8058483f61fc +Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656 -- cgit v1.2.3 From e5e64291b584340032655ff7c9398067691b06f6 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 22 Apr 2013 22:15:51 +0200 Subject: Configure Postfix for incoming mails (Feature #2269) --- puppet/modules/site_postfix/manifests/mx.pp | 31 ++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 72c38ab1..0d2a545a 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -18,9 +18,36 @@ class site_postfix::mx { 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; #'debug_peer_list': value => '127.0.0.1'; + value => 'check_recipient_access hash:/etc/postfix/recipient,reject_unauth_destination'; + 'mailbox_size_limit': + value => '0'; + 'home_mailbox': + value => 'Maildir/'; + 'virtual_alias_maps': + value => 'hash:/etc/postfix/virtual'; } - include site_postfix::mx::smtpd_checks + postfix::hash { '/etc/postfix/virtual': } + postfix::hash { '/etc/postfix/recipient': } + + # for now, accept all mail + line {'deliver to vmail': + file => '/etc/postfix/recipient', + line => "@${domain} vmail", + notify => Exec['generate /etc/postfix/recipient.db'], + require => Package['postfix'], + } + + postfix::virtual { "@${domain}": destination => 'vmail'; } + #postfix::mailalias { 'vmail': recipient => 'vmail' } + + user { 'vmail': + ensure => present, + comment => 'Leap Mailspool', + home => '/var/mail/vmail', + shell => '/bin/false', + managehome => true, + } user { 'vmail': ensure => present, @@ -30,6 +57,8 @@ class site_postfix::mx { managehome => true, } + include site_postfix::mx::smtpd_checks + class { 'postfix': root_mail_recipient => $root_mail_recipient, smtp_listen => 'all' -- cgit v1.2.3 From c601ad1021dabc0301097f7c32123c44fc06ca75 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 23 Apr 2013 15:59:44 -0400 Subject: update postfix module to new shared version for parameterized classes, and other 2.7 updates update site_postfix::mx to use parameterized classes --- puppet/modules/site_postfix/manifests/mx.pp | 8 -------- 1 file changed, 8 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 0d2a545a..932cdd75 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -49,14 +49,6 @@ class site_postfix::mx { managehome => true, } - user { 'vmail': - ensure => present, - comment => 'Leap Mailspool', - home => '/var/mail/vmail', - shell => '/bin/false', - managehome => true, - } - include site_postfix::mx::smtpd_checks class { 'postfix': -- cgit v1.2.3 From 6b4d0522e1578ea1a0683c6a8d6c4117dca67d2f Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 10:09:21 +0200 Subject: using alias resolver --- puppet/modules/site_postfix/manifests/mx.pp | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 932cdd75..ee9bce3e 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -27,19 +27,7 @@ class site_postfix::mx { value => 'hash:/etc/postfix/virtual'; } - postfix::hash { '/etc/postfix/virtual': } - postfix::hash { '/etc/postfix/recipient': } - - # for now, accept all mail - line {'deliver to vmail': - file => '/etc/postfix/recipient', - line => "@${domain} vmail", - notify => Exec['generate /etc/postfix/recipient.db'], - require => Package['postfix'], - } - - postfix::virtual { "@${domain}": destination => 'vmail'; } - #postfix::mailalias { 'vmail': recipient => 'vmail' } + #include site_postfix::mx::smtp_checks user { 'vmail': ensure => present, -- cgit v1.2.3 From 2a853087a0bec5f9ec166fff538bda9076bb8369 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 26 Apr 2013 12:24:05 +0200 Subject: smtpd_checks: smtpd_data_restrictions --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index ee9bce3e..24698878 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -27,7 +27,7 @@ class site_postfix::mx { value => 'hash:/etc/postfix/virtual'; } - #include site_postfix::mx::smtp_checks + include site_postfix::mx::smtpd_checks user { 'vmail': ensure => present, -- cgit v1.2.3 From 901a06d29c0c658b479f4c5a0828b263d7d6de0f Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 May 2013 19:39:37 +0200 Subject: smtpd_recipient_restrictions: +permit_tls_all_clientcerts --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 24698878..fa2765a4 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -11,7 +11,7 @@ class site_postfix::mx { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination'; + value => 'check_recipient_access tcp:localhost:2244,reject_unauth_destination,permit_tls_all_clientcerts'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; -- cgit v1.2.3 From aa5be3d639c5445d3a069c72eb5c20e209440721 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 May 2013 19:40:13 +0200 Subject: beginning of smtp_auth config with client certs --- puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_auth.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp new file mode 100644 index 00000000..ab75130e --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp @@ -0,0 +1,10 @@ +class site_postfix::mx::smtp_auth { + $x509 = hiera('x509') + + postfix::config { + 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; + 'smtpd_tls_key_file': value => $x509['client_ca_key']; + 'smtpd_tls_ask_ccert': value => 'yes'; + #'smtpd_tls_CAfile': value => + } +} -- cgit v1.2.3 From 34e316e64d0a733b9df48526896fb7c74f659ccb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:39:56 +0200 Subject: updated submodule apt --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apt b/puppet/modules/apt index 6bf7a6ab..1a72a996 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 6bf7a6ab5d6e63f75c94f49aa0f12959e954efa8 +Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee -- cgit v1.2.3 From f250e5bdd7481ced4285dfe8b2805098fa867474 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:42:07 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 7b6c9a29..20deb065 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 7b6c9a29b1333ce733dd5d7c0dadd7f90513b261 +Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 -- cgit v1.2.3 From 8a17f5ccb00eeccdce2c41370d4b49ded50aba2b Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 9 Jul 2013 15:42:59 +0200 Subject: updated submodule apache --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apache b/puppet/modules/apache index 090e59ad..c3e92a9b 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 090e59ad1fcba01e868237a83cadf9254cf09d3e +Subproject commit c3e92a9b3cb02f1546b6b1570f10a968d380005c -- cgit v1.2.3 From 1c9c5a5fec51919a8e9ec14f5fe9b16c538bb4fa Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 21 May 2013 17:35:20 -0400 Subject: initial soledad configuration Change-Id: I19e91887c3f8e90764b4baef8c5e29e25658e190 --- puppet/manifests/site.pp | 4 ++ puppet/modules/site_shorewall/manifests/soledad.pp | 20 +++++++ puppet/modules/soledad/manifests/init.pp | 34 ++++++++++++ puppet/modules/soledad/manifests/server.pp | 62 ++++++++++++++++++++++ .../soledad/templates/soledad-server.conf.erb | 3 ++ 5 files changed, 123 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/soledad.pp create mode 100644 puppet/modules/soledad/manifests/init.pp create mode 100644 puppet/modules/soledad/manifests/server.pp create mode 100644 puppet/modules/soledad/templates/soledad-server.conf.erb (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 08cbbb9e..bdb57c83 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -30,6 +30,10 @@ if $services =~ /\bwebapp\b/ { include site_nickserver } +if $services =~ /\bsoledad\b/ { + include soledad::server +} + if $services =~ /\bmonitor\b/ { include site_nagios } diff --git a/puppet/modules/site_shorewall/manifests/soledad.pp b/puppet/modules/site_shorewall/manifests/soledad.pp new file mode 100644 index 00000000..f3272c04 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/soledad.pp @@ -0,0 +1,20 @@ +class site_shorewall::soledad { + + include site_shorewall::defaults + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_soledad': + content => 'PARAM - - tcp 2424', + notify => Service['shorewall'], + require => Package['shorewall'] + } + + shorewall::rule { + 'net2fw-soledad': + source => 'net', + destination => '$FW', + action => 'leap_soledad(ACCEPT)', + order => 200; + } +} + diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp new file mode 100644 index 00000000..08ba88a7 --- /dev/null +++ b/puppet/modules/soledad/manifests/init.pp @@ -0,0 +1,34 @@ +class soledad { + + group { 'soledad': + ensure => present, + allowdupe => false; + } + + user { 'soledad': + ensure => present, + allowdupe => false, + gid => 'soledad', + home => '/srv/leap/soledad', + require => Group['soledad']; + } + + file { + '/srv/leap/soledad': + ensure => directory, + owner => 'soledad', + group => 'soledad', + require => User['soledad']; + + '/var/lib/soledad': + ensure => directory, + owner => 'soledad', + group => 'soledad', + require => User['soledad']; + } + + package { 'soledad-common': + ensure => installed, + require => User['soledad']; + } +} diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp new file mode 100644 index 00000000..06de8642 --- /dev/null +++ b/puppet/modules/soledad/manifests/server.pp @@ -0,0 +1,62 @@ +class soledad::server { + tag 'leap_service' + include soledad + + $couchdb = hiera('couch') + $couchdb_host = 'localhost' + $couchdb_port = '4096' + $couchdb_user = $couchdb['users']['soledad']['username'] + $couchdb_password = $couchdb['users']['soledad']['password'] + + $x509 = hiera('x509') + $x509_key = $x509['key'] + $x509_cert = $x509['cert'] + $x509_ca = $x509['ca_cert'] + + x509::key { 'soledad': + content => $x509_key, + notify => Service['soledad-server']; + } + + x509::cert { 'soledad': + content => $x509_cert, + notify => Service['soledad-server']; + } + + x509::ca { 'soledad': + content => $x509_ca, + notify => Service['soledad-server']; + } + + # + # SOLEDAD CONFIG + # + + file { '/etc/leap/soledad-server.conf': + content => template('soledad/soledad-server.conf.erb'), + owner => 'soledad', + group => 'soledad', + mode => '0600', + notify => Service['soledad-server'], + require => Class['soledad']; + } + + package { 'soledad-server': + ensure => installed + } + + file { '/etc/default/soledad': + content => "CERT_PATH=/etc/x509/certs/soledad.crt\nPRIVKEY_PATH=/etc/x509/keys/soledad.key\n", + require => Package['soledad-server'] + } + + service { 'soledad-server': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => [ Class['soledad'], Package['soledad-server'] ]; + } + + include site_shorewall::soledad +} diff --git a/puppet/modules/soledad/templates/soledad-server.conf.erb b/puppet/modules/soledad/templates/soledad-server.conf.erb new file mode 100644 index 00000000..47d1f6e4 --- /dev/null +++ b/puppet/modules/soledad/templates/soledad-server.conf.erb @@ -0,0 +1,3 @@ +[soledad-server] +couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %> + -- cgit v1.2.3 From d8a066a4307bea4c6dd6741daa250b67c92c1606 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 25 Jul 2013 14:40:53 -0400 Subject: initial leap_mx configuration Change-Id: Iddca4cf52706bf2f612d20ba19a53fbbe6b28479 --- puppet/modules/leap_mx/manifests/init.pp | 56 ++++++++++++++++++++++++++++ puppet/modules/leap_mx/templates/mx.conf.erb | 15 ++++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 3 files changed, 72 insertions(+) create mode 100644 puppet/modules/leap_mx/manifests/init.pp create mode 100644 puppet/modules/leap_mx/templates/mx.conf.erb (limited to 'puppet') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp new file mode 100644 index 00000000..652eb85b --- /dev/null +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -0,0 +1,56 @@ +class leap_mx { + + $couchdb_host = 'localhost' + $couchdb_port = '4096' + $couchdb_user = $soledad::couchdb::user + $couchdb_password = $soledad::couchdb::password + + # + # USER AND GROUP + # + + group { 'leap-mx': + ensure => present, + allowdupe => false; + } + + user { 'leap-mx': + ensure => present, + allowdupe => false, + gid => 'leap-mx', + home => '/etc/leap', + require => Group['leap-mx']; + } + + # + # LEAP-MX CONFIG + # + + file { '/etc/leap/mx.conf': + content => template('leap_mx/mx.conf.erb'), + owner => 'leap-mx', + group => 'leap-mx', + mode => '0600', + notify => Service['leap-mx']; + } + + # + # LEAP-MX CODE + # + + package { 'leap-mx': + ensure => installed; + } + + # + # LEAP-MX DAEMON + # + + service { 'leap_mx': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => [ Package['leap-mx'] ]; + } +} diff --git a/puppet/modules/leap_mx/templates/mx.conf.erb b/puppet/modules/leap_mx/templates/mx.conf.erb new file mode 100644 index 00000000..bf1e6421 --- /dev/null +++ b/puppet/modules/leap_mx/templates/mx.conf.erb @@ -0,0 +1,15 @@ +[mail1] +path=/var/mail/vmail +recursive=True + +[couchdb] +user=<%= @couchdb_user %> +password=<%= @couchdb_password %> +server=<%= @couchdb_host %> +port=<%= @couchdb_port %> + +[alias map] +port=4242 + +[check recipient] +port=2244 \ No newline at end of file diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 86ae56e1..4cf3f41a 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -6,4 +6,5 @@ class site_mx { include site_shorewall::mx include site_shorewall::service::smtp include site_mx::couchdb + include leap_mx } -- cgit v1.2.3 From 9ac4380bc1c6c4c88392c371cd3f4b306c3879d9 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 29 Jul 2013 17:12:28 -0700 Subject: try::file bugfixes -- add refreshonly to chmod/chown, ensure old file is replaced even if it is a link --- puppet/modules/try/manifests/file.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index 4cefef2f..56a7c997 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp @@ -10,6 +10,7 @@ # * $restore does not work for directories # * only file:// $source is supported # * $content is not supported, only $target or $source. +# * does not auto-require all the parent directories like 'file' does # define try::file ( $ensure = undef, @@ -32,14 +33,17 @@ define try::file ( "chmod_${name}": command => "/bin/chmod -R ${mode} '${name}'", onlyif => "/usr/bin/test $mode", + refreshonly => true, loglevel => debug; "chown_${name}": command => "/bin/chown -R ${owner} '${name}'", onlyif => "/usr/bin/test $owner", + refreshonly => true, loglevel => debug; "chgrp_${name}": command => "/bin/chgrp -R ${group} '${name}'", onlyif => "/usr/bin/test $group", + refreshonly => true, loglevel => debug; } @@ -67,9 +71,9 @@ define try::file ( } } else { exec { "cp_${name}": - command => "/bin/cp '${source}' '${name}'", + command => "/bin/cp --remove-destination '${source}' '${name}'", onlyif => "/usr/bin/test -e '${source}'", - unless => "/usr/bin/diff -q '${source}' '${name}'", + unless => "/usr/bin/test ! -h '${name}' && /usr/bin/diff -q '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] } } -- cgit v1.2.3 From 3368fe07aac81e1bef8701c106234a6d67ccad6d Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 29 Jul 2013 17:13:34 -0700 Subject: site_webapp bugfix - get compile_assets to run by ensuring .scss files are created beforehand and have the correct permissions. --- puppet/modules/site_webapp/manifests/init.pp | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 1071ea1d..4815bab4 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -55,8 +55,9 @@ class site_webapp { exec { 'compile_assets': cwd => '/srv/leap/webapp', - command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"', + command => '/usr/bin/bundle exec rake assets:precompile', user => 'leap-webapp', + logoutput => on_failure, require => Exec['bundler_update'], notify => Service['apache']; } @@ -103,6 +104,7 @@ class site_webapp { ensure => present, owner => leap-webapp, group => leap-webapp, + mode => '0644', require => Vcsrepo['/srv/leap/webapp'], source => $webapp['favicon']; @@ -110,15 +112,19 @@ class site_webapp { ensure => present, owner => leap-webapp, group => leap-webapp, + mode => '0644', require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['tail_scss']; + source => $webapp['tail_scss'], + before => Exec['bundler_update']; '/srv/leap/webapp/app/assets/stylesheets/head.scss': ensure => present, owner => leap-webapp, group => leap-webapp, + mode => '0644', require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['head_scss']; + source => $webapp['head_scss'], + before => Exec['bundler_update']; '/srv/leap/webapp/public/img': ensure => directory, -- cgit v1.2.3 From 7ac64237fcb09893ae36b1b2f278e1474df8c49b Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 30 Jul 2013 13:10:52 -0700 Subject: site_webapp - add support for haproxy weights and backup servers (resolves #3278) --- .../site_webapp/templates/haproxy_couchdb.cfg.erb | 25 ++++++++++++++-------- 1 file changed, 16 insertions(+), 9 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb index f08161ee..914a964e 100644 --- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb +++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb @@ -1,16 +1,23 @@ listen bigcouch-in - mode http + mode http balance roundrobin - option httplog - option dontlognull - option httpchk GET / - option http-server-close - + option httplog + option dontlognull + option httpchk GET / # health check using simple get to root + option http-server-close # use client keep-alive, but close server connection. + option allbackups # balance among all backups, not just one. + bind localhost:4096 -<% for port in @local_ports -%> - server couchdb_<%=port%> localhost:<%=port%> check inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 -<% end -%> + default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 + +<%- if @haproxy['servers'] -%> +<%- @haproxy['servers'].each do |name,server| -%> +<%- backup = server['backup'] ? 'backup' : '' -%> + # <%=name%> + server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check +<%- end -%> +<%- end -%> -- cgit v1.2.3 From b87bd57ad010ee6f091f77b8b1f653afafc0e4c7 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 28 Jul 2013 18:14:01 -0700 Subject: added webapp.secure flag (turns on secure cookies and HSTS) --- puppet/modules/site_webapp/templates/config.yml.erb | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index df562cd9..8b4b3bbe 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -2,6 +2,7 @@ production: admins: [admin] domain: <%= @provider_domain %> + force_ssl: <%= @webapp['secure'] %> client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> secret_token: "<%= @secret_token %>" -- cgit v1.2.3 From 95fc96fc7642e389172b02cb8ef7d4b7689cb7df Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 29 Jul 2013 01:10:33 -0700 Subject: webapp - use hiera config "webapp.admins" for the list of admin usernames, default to empty list. --- puppet/modules/site_webapp/templates/config.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 8b4b3bbe..05d62d41 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,6 +1,6 @@ <%- cert_options = @webapp['client_certificates'] -%> production: - admins: [admin] + admins: <%= @webapp['admins'].inspect %> domain: <%= @provider_domain %> force_ssl: <%= @webapp['secure'] %> client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> -- cgit v1.2.3 From 9e83de3497ec55f4910de099917387d500b8f4b4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 14:37:17 +0200 Subject: Site_webapp/Try::File: Could not find command 'git' (Bug #3202) --- puppet/modules/site_config/manifests/base_packages.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp index 3d40f7a2..98a138ee 100644 --- a/puppet/modules/site_config/manifests/base_packages.pp +++ b/puppet/modules/site_config/manifests/base_packages.pp @@ -1,7 +1,7 @@ class site_config::base_packages { # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less' ]: + package { [ 'etckeeper', 'git', 'less', 'screen' ]: ensure => installed, } -- cgit v1.2.3 From 3272876226dafc7256dbf2ed056cbac5e63a7380 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 14:47:36 +0200 Subject: Revert "Site_webapp/Try::File: Could not find command 'git' (Bug #3202)" This reverts commit 9e83de3497ec55f4910de099917387d500b8f4b4. --- puppet/modules/site_config/manifests/base_packages.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp index 98a138ee..3d40f7a2 100644 --- a/puppet/modules/site_config/manifests/base_packages.pp +++ b/puppet/modules/site_config/manifests/base_packages.pp @@ -1,7 +1,7 @@ class site_config::base_packages { # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'git', 'less', 'screen' ]: + package { [ 'etckeeper', 'screen', 'less' ]: ensure => installed, } -- cgit v1.2.3 From 04502b614692145141c606f9ed052da4b1e4572a Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 16:02:16 +0200 Subject: fix Could not find dependent Service[leap-mx] (Bug #3331) --- puppet/modules/leap_mx/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 652eb85b..23fd1054 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -46,7 +46,7 @@ class leap_mx { # LEAP-MX DAEMON # - service { 'leap_mx': + service { 'leap-mx': ensure => running, enable => true, hasstatus => true, -- cgit v1.2.3 From 80ae781667ab1d8803593e03fc9c928b86db5e97 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 17:40:26 +0200 Subject: fix /etc/leap/mx.conf doesn't contain any user credentials (Feature #3347) --- puppet/modules/leap_mx/manifests/init.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 23fd1054..1e186bbb 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -1,9 +1,10 @@ class leap_mx { + $couchdb_admin_user = hiera('couchdb_admin_user') $couchdb_host = 'localhost' $couchdb_port = '4096' - $couchdb_user = $soledad::couchdb::user - $couchdb_password = $soledad::couchdb::password + $couchdb_user = $couchdb_admin_user['username'] + $couchdb_password = $couchdb_admin_user['password'] # # USER AND GROUP -- cgit v1.2.3 From 80b196be84d96b92e83acc680130a01370298c13 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 31 Jul 2013 17:56:26 +0200 Subject: use smtpd_tls_security_level = may in postfix config (Bug #3348) --- puppet/modules/site_postfix/manifests/mx/tls.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 7da38100..4b7a2626 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -25,7 +25,7 @@ class site_postfix::mx::tls { 'smtpd_tls_key_file': value => $key_path; 'smtpd_tls_req_ccert': value => 'yes'; 'smtpd_tls_security_level': - value => 'encrypt'; + value => 'may'; } } -- cgit v1.2.3 From ab668294faeeb193ccb9c202fa48ed698696f931 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 29 Jul 2013 14:23:11 -0400 Subject: fix #3291: set the soledad port properly in the json and as a temporary work-around, use the couchdb admin/passwd Change-Id: Ibb1cd8416d00552f8ca1716e42a08137a4b461aa --- puppet/modules/soledad/manifests/server.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 06de8642..a75b4b8a 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -2,11 +2,11 @@ class soledad::server { tag 'leap_service' include soledad - $couchdb = hiera('couch') + $couchdb = hiera('soledad') $couchdb_host = 'localhost' $couchdb_port = '4096' - $couchdb_user = $couchdb['users']['soledad']['username'] - $couchdb_password = $couchdb['users']['soledad']['password'] + $couchdb_user = $couchdb['couchdb_admin_user']['username'] + $couchdb_password = $couchdb['couchdb_admin_user']['password'] $x509 = hiera('x509') $x509_key = $x509['key'] -- cgit v1.2.3 From 39285550424853bc4ba38e447361ab77dea505d5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 29 Jul 2013 14:55:37 -0400 Subject: For now, soledad will only exist on couchdb nodes (but not every couchdb has soledad), so fix the port to be the local couchdb port. In the future, we may want to separate them out. There is no need to do haproxy with soledad, because the client is supposed to try a different soledad node if it can't connect Change-Id: I87e2c5079ba361634336316721c4358a0917fb09 --- puppet/modules/soledad/manifests/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index a75b4b8a..00fee4ac 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -4,7 +4,7 @@ class soledad::server { $couchdb = hiera('soledad') $couchdb_host = 'localhost' - $couchdb_port = '4096' + $couchdb_port = '5984' $couchdb_user = $couchdb['couchdb_admin_user']['username'] $couchdb_password = $couchdb['couchdb_admin_user']['password'] -- cgit v1.2.3 From da191971398827f81ddb0dffd86d4a3c572f6386 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 29 Jul 2013 21:00:21 -0400 Subject: make site_shorewall::soledad use the hiera value for the soledad port Change-Id: I923f15de807f907d6246c3a83df1e59c39d4e920 --- puppet/modules/site_shorewall/manifests/soledad.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/soledad.pp b/puppet/modules/site_shorewall/manifests/soledad.pp index f3272c04..518d8689 100644 --- a/puppet/modules/site_shorewall/manifests/soledad.pp +++ b/puppet/modules/site_shorewall/manifests/soledad.pp @@ -1,10 +1,13 @@ class site_shorewall::soledad { + $soledad = hiera('soledad') + $soledad_port = $soledad['port'] + include site_shorewall::defaults # define macro for incoming services file { '/etc/shorewall/macro.leap_soledad': - content => 'PARAM - - tcp 2424', + content => "PARAM - - tcp ${soledad_port}", notify => Service['shorewall'], require => Package['shorewall'] } -- cgit v1.2.3 From 7d6893194cf1b6b8f4b3afa407d70dc90fe25f6c Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 1 Aug 2013 12:31:57 -0700 Subject: run soledad daemon using the configured port. --- puppet/modules/soledad/manifests/server.pp | 11 +++++++++-- puppet/modules/soledad/templates/default-soledad.erb | 4 ++++ 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/soledad/templates/default-soledad.erb (limited to 'puppet') diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 00fee4ac..ba482f29 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -13,6 +13,9 @@ class soledad::server { $x509_cert = $x509['cert'] $x509_ca = $x509['ca_cert'] + $soledad = hiera('soledad') + $soledad_port = $soledad['port'] + x509::key { 'soledad': content => $x509_key, notify => Service['soledad-server']; @@ -46,8 +49,12 @@ class soledad::server { } file { '/etc/default/soledad': - content => "CERT_PATH=/etc/x509/certs/soledad.crt\nPRIVKEY_PATH=/etc/x509/keys/soledad.key\n", - require => Package['soledad-server'] + content => template('soledad/default-soledad.erb'), + owner => 'soledad', + group => 'soledad', + mode => '0600', + notify => Service['soledad-server'], + require => Class['soledad']; } service { 'soledad-server': diff --git a/puppet/modules/soledad/templates/default-soledad.erb b/puppet/modules/soledad/templates/default-soledad.erb new file mode 100644 index 00000000..da85338a --- /dev/null +++ b/puppet/modules/soledad/templates/default-soledad.erb @@ -0,0 +1,4 @@ +# this file is managed by puppet +CERT_PATH=/etc/x509/certs/soledad.crt +PRIVKEY_PATH=/etc/x509/keys/soledad.key +HTTPS_PORT=<%=@soledad_port%> -- cgit v1.2.3 From 85bdcb07c47e1c310241d31b3360f2b64723585d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 13 Aug 2013 17:23:07 -0400 Subject: update couchdb submodule to the latest version - fixes #3447 Change-Id: Ib6458b962c624fdb75f514dbd4c2129581fc2bb7 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 20deb065..f317163e 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 +Subproject commit f317163e8aa6abfc992df5ef65d99b0861488d41 -- cgit v1.2.3 From 9aa06a43fdc2a4eee50556e46b40d5003eb25925 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 13 Aug 2013 22:21:44 -0400 Subject: require that the couchdb::query::setup has been run before any attempts are made to create databases or add users as these would fail otherwise. Closes: #3466 Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0 --- .../modules/site_couchdb/manifests/bigcouch/add_nodes.pp | 5 ++++- puppet/modules/site_couchdb/manifests/init.pp | 16 ++++++++++------ 2 files changed, 14 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp index 241a4914..97e85785 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp @@ -1,5 +1,8 @@ class site_couchdb::bigcouch::add_nodes { # loop through neighbors array and add nodes $nodes = $::site_couchdb::bigcouch_config['neighbors'] - couchdb::bigcouch::add_node { $nodes: } + + couchdb::bigcouch::add_node { $nodes: + require => Couchdb::Query::Setup['localhost'] + } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 802f3224..75ed87a0 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -59,23 +59,27 @@ class site_couchdb { # Populate couchdb couchdb::add_user { $couchdb_webapp_user: - roles => '["auth"]', - pw => $couchdb_webapp_pw, - salt => $couchdb_webapp_salt + roles => '["auth"]', + pw => $couchdb_webapp_pw, + salt => $couchdb_webapp_salt, + require => Couchdb::Query::Setup['localhost'] } couchdb::add_user { $couchdb_soledad_user: roles => '["auth"]', pw => $couchdb_soledad_pw, - salt => $couchdb_soledad_salt + salt => $couchdb_soledad_salt, + require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'users': - readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }" + readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'tokens': - readers => "{ \"names\": [], \"roles\": [\"auth\"] }" + readers => "{ \"names\": [], \"roles\": [\"auth\"] }", + require => Couchdb::Query::Setup['localhost'] } include site_shorewall::couchdb -- cgit v1.2.3 From 2530cd5fa6dbf39dc964b158d79d6d5c60babc4e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 30 Jul 2013 22:48:22 +0200 Subject: vagrant: Install squid-deb-proxy on clients (optional) (Feature #3330) squashed commits: site_squid_deb_proxy::client: include shorewall::rules::mdns for avahi discovery added submodule squid_deb_proxy from git://code.leap.se/puppet_squid_deb_proxy updated submodule squid_deb_proxy use squid_deb_proxy::client --- puppet/manifests/setup.pp | 6 ++++++ puppet/modules/site_config/manifests/default.pp | 11 +++++++++++ puppet/modules/site_squid_deb_proxy/manifests/client.pp | 5 +++++ puppet/modules/squid_deb_proxy | 1 + 4 files changed, 23 insertions(+) create mode 100644 puppet/modules/site_squid_deb_proxy/manifests/client.pp create mode 160000 puppet/modules/squid_deb_proxy (limited to 'puppet') diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index 80e7ffc2..d9e5229e 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -5,6 +5,8 @@ $services = '' Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } +include concat::setup + include site_config::hosts include site_apt @@ -14,3 +16,7 @@ package { 'facter': require => Exec['refresh_apt'] } +if hiera('squid_deb_proxy_client', false) { + include site_squid_deb_proxy::client +} + diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index e299a0f4..0a4e75b6 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -44,4 +44,15 @@ class site_config::default { # set up core leap files and directories include site_config::files + + # redundant declarations, remove if + # "Move setup.pp to a subclass (site_config::setup) (Feature #2993)" + # is solved. + + # if squid_deb_proxy_client is set to true, install and configure + # squid_deb_proxy_client for apt caching + if hiera('squid_deb_proxy_client', false) { + include site_squid_deb_proxy::client + } + } diff --git a/puppet/modules/site_squid_deb_proxy/manifests/client.pp b/puppet/modules/site_squid_deb_proxy/manifests/client.pp new file mode 100644 index 00000000..27844270 --- /dev/null +++ b/puppet/modules/site_squid_deb_proxy/manifests/client.pp @@ -0,0 +1,5 @@ +class site_squid_deb_proxy::client { + include squid_deb_proxy::client + include site_shorewall::defaults + include shorewall::rules::mdns +} diff --git a/puppet/modules/squid_deb_proxy b/puppet/modules/squid_deb_proxy new file mode 160000 index 00000000..e796aac4 --- /dev/null +++ b/puppet/modules/squid_deb_proxy @@ -0,0 +1 @@ +Subproject commit e796aac43aa9781069e167459253d040504c2092 -- cgit v1.2.3 From 5b52d1ed6e77416412a293be025580261284aa37 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 14 Aug 2013 10:09:46 -0400 Subject: Fix problem where webapp production.log had the wrong permissions - #3471 Change-Id: I20a6ecc43e36fc1e8416c46f7e4d14726995d2f2 --- puppet/modules/site_webapp/manifests/couchdb.pp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index b4ef0980..ac01a5bc 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -39,7 +39,15 @@ class site_webapp::couchdb { mode => '0600', require => Vcsrepo['/srv/leap/webapp']; - '/srv/leap/webapp/logs/production.log': + '/srv/leap/webapp/log': + ensure => directory, + owner => leap-webapp, + group => leap-webapp, + mode => '0755', + require => Vcsrepo['/srv/leap/webapp']; + + '/srv/leap/webapp/log/production.log': + ensure => present, owner => leap-webapp, group => leap-webapp, mode => '0666', -- cgit v1.2.3 From abfea88ae96f9f4431a4e67866139258ef28a2b5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 13 Aug 2013 17:23:07 -0400 Subject: update couchdb submodule to the latest version - fixes #3447 Change-Id: Ib6458b962c624fdb75f514dbd4c2129581fc2bb7 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 20deb065..f317163e 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 20deb0652ccfe105eddec6ba2ad32b8d633705f6 +Subproject commit f317163e8aa6abfc992df5ef65d99b0861488d41 -- cgit v1.2.3 From 3544497599bfd7902b7b1be6661aaf1048af44e3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 13 Aug 2013 22:21:44 -0400 Subject: require that the couchdb::query::setup has been run before any attempts are made to create databases or add users as these would fail otherwise. Closes: #3466 Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0 --- .../modules/site_couchdb/manifests/bigcouch/add_nodes.pp | 5 ++++- puppet/modules/site_couchdb/manifests/init.pp | 16 ++++++++++------ 2 files changed, 14 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp index 241a4914..97e85785 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp @@ -1,5 +1,8 @@ class site_couchdb::bigcouch::add_nodes { # loop through neighbors array and add nodes $nodes = $::site_couchdb::bigcouch_config['neighbors'] - couchdb::bigcouch::add_node { $nodes: } + + couchdb::bigcouch::add_node { $nodes: + require => Couchdb::Query::Setup['localhost'] + } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 802f3224..75ed87a0 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -59,23 +59,27 @@ class site_couchdb { # Populate couchdb couchdb::add_user { $couchdb_webapp_user: - roles => '["auth"]', - pw => $couchdb_webapp_pw, - salt => $couchdb_webapp_salt + roles => '["auth"]', + pw => $couchdb_webapp_pw, + salt => $couchdb_webapp_salt, + require => Couchdb::Query::Setup['localhost'] } couchdb::add_user { $couchdb_soledad_user: roles => '["auth"]', pw => $couchdb_soledad_pw, - salt => $couchdb_soledad_salt + salt => $couchdb_soledad_salt, + require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'users': - readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }" + readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'tokens': - readers => "{ \"names\": [], \"roles\": [\"auth\"] }" + readers => "{ \"names\": [], \"roles\": [\"auth\"] }", + require => Couchdb::Query::Setup['localhost'] } include site_shorewall::couchdb -- cgit v1.2.3 From cd3be2c03f27a9ecf0b5f4159ae4d16dbeb1f046 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 14 Aug 2013 11:17:09 -0400 Subject: add START=yes to /etc/default/soledad to start the daemon, new package requires this to start. Closes: #3474 Change-Id: I921dcf0d6571cd60d2705ae4925d0a4318c84fa2 --- puppet/modules/soledad/templates/default-soledad.erb | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/soledad/templates/default-soledad.erb b/puppet/modules/soledad/templates/default-soledad.erb index da85338a..fd38903a 100644 --- a/puppet/modules/soledad/templates/default-soledad.erb +++ b/puppet/modules/soledad/templates/default-soledad.erb @@ -1,4 +1,5 @@ # this file is managed by puppet +START=yes CERT_PATH=/etc/x509/certs/soledad.crt PRIVKEY_PATH=/etc/x509/keys/soledad.key HTTPS_PORT=<%=@soledad_port%> -- cgit v1.2.3 From 2eec8200a35ea71e1ea5a1a56fe3a266603284fc Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 15 Aug 2013 14:48:38 -0400 Subject: Because both soledad and leap-mx do not function with twisted 12, we had to backport twisted 13. In order to install the backported dependencies we need an apt preferences_snippet installed for the backported twisted packages Change-Id: I886bb735eeb3abe7955c7cf054b749554ab84746 --- puppet/modules/leap_mx/manifests/init.pp | 2 ++ puppet/modules/site_apt/manifests/preferences/twisted.pp | 10 ++++++++++ puppet/modules/soledad/manifests/server.pp | 1 + 3 files changed, 13 insertions(+) create mode 100644 puppet/modules/site_apt/manifests/preferences/twisted.pp (limited to 'puppet') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 1e186bbb..ffa4519d 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -6,6 +6,8 @@ class leap_mx { $couchdb_user = $couchdb_admin_user['username'] $couchdb_password = $couchdb_admin_user['password'] + include site_apt::preferences::twisted + # # USER AND GROUP # diff --git a/puppet/modules/site_apt/manifests/preferences/twisted.pp b/puppet/modules/site_apt/manifests/preferences/twisted.pp new file mode 100644 index 00000000..2ba40e3d --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/twisted.pp @@ -0,0 +1,10 @@ +class site_apt::preferences::twisted { + + apt::preferences_snippet { 'python-twisted': + package => 'python-twisted*', + release => "${::lsbdistcodename}-backports", + priority => 999, + before => Package['soledad-server'] + } + +} diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index ba482f29..00d87a4d 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -1,6 +1,7 @@ class soledad::server { tag 'leap_service' include soledad + include site_apt::preferences::twisted $couchdb = hiera('soledad') $couchdb_host = 'localhost' -- cgit v1.2.3 From 5229fc7ffc3e804b788b3d25042514806f9a4e9b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 16 Aug 2013 09:55:34 -0400 Subject: update couchdb submodule to fix #3481 Change-Id: I474cc691fcfc892b7aff4a3a0e3954155bf5ee30 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index f317163e..1434b942 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit f317163e8aa6abfc992df5ef65d99b0861488d41 +Subproject commit 1434b9422bf37d1abcff53a076e9f07892c87022 -- cgit v1.2.3 From 377614a88317663847edb7ab692bef90f942a636 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 21 Aug 2013 10:05:09 -0400 Subject: update couchdb module to resolve #3459 Change-Id: Icad17de812392d7c587e5bcbf60cd5242c1241e9 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 1434b942..eb45c81b 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 1434b9422bf37d1abcff53a076e9f07892c87022 +Subproject commit eb45c81bec1328b5fed6bcfe78059037af190c05 -- cgit v1.2.3 From e3a1c5d0c8f644bc0956758a8832d2f586556cf6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Aug 2013 20:36:12 -0400 Subject: Disable verbose, identifying apache headers (#3462): . Disable ServerSignature . Set ServerTokens Prod . unset the X-Powered-By and X-Runtime apache headers Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a --- puppet/modules/site_apache/files/conf.d/security | 50 ++++++++++++++++++++++ .../site_apache/templates/vhosts.d/api.conf.erb | 5 +++ .../templates/vhosts.d/leap_webapp.conf.erb | 5 +++ 3 files changed, 60 insertions(+) create mode 100644 puppet/modules/site_apache/files/conf.d/security (limited to 'puppet') diff --git a/puppet/modules/site_apache/files/conf.d/security b/puppet/modules/site_apache/files/conf.d/security new file mode 100644 index 00000000..11159f48 --- /dev/null +++ b/puppet/modules/site_apache/files/conf.d/security @@ -0,0 +1,50 @@ +# +# Disable access to the entire file system except for the directories that +# are explicitly allowed later. +# +# This currently breaks the configurations that come with some web application +# Debian packages. It will be made the default for the release after lenny. +# +# +# AllowOverride None +# Order Deny,Allow +# Deny from all +# + + +# Changing the following options will not really affect the security of the +# server, but might make attacks slightly more difficult in some cases. + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minimal | Minor | Major | Prod +# where Full conveys the most information, and Prod the least. +# +#ServerTokens Minimal +ServerTokens Prod + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +# +#ServerSignature Off +ServerSignature Off + +# +# Allow TRACE method +# +# Set to "extended" to also reflect the request body (only for testing and +# diagnostic purposes). +# +# Set to one of: On | Off | extended +# +#TraceEnable Off +TraceEnable On + diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index ae894cd4..6a276e22 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -21,6 +21,11 @@ Listen 0.0.0.0:<%= api_port %> RequestHeader set X_FORWARDED_PROTO 'https' + + Header always unset X-Powered-By + Header always unset X-Runtime + + DocumentRoot /srv/leap/webapp/public # Check for maintenance file and redirect all requests diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 4b051699..9108caff 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -21,6 +21,11 @@ RequestHeader set X_FORWARDED_PROTO 'https' + + Header always unset X-Powered-By + Header always unset X-Runtime + + DocumentRoot /srv/leap/webapp/public RewriteEngine On -- cgit v1.2.3 From 538fe40239c59c186099fa7e1a026969fba4ae36 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Aug 2013 20:53:58 -0400 Subject: Set apache header X-Frame-Options: "DENY" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The LEAP web application can be displayed inside other pages using an HTML iframe. Therefore, an attacker can embed parts of the LEAP application inside of a webpage they control. They can then use special style properties to disguise the embedded page. By tricking a user in to clicking in the iframe, the attacker can coerce the user in to performing unintended actions within the LEAP web application. An attacker creates a website that embeds the LEAP web application in an iframe. They then create an HTML /JavaScript game on the same page that involves clicking and dragging sprites. When a user plays the game, they are in fact dragging new text values in to the ‘‘Change Password’’ form in the LEAP web app, which is hidden behind the game using As long as iframe embedding is not required in the normal usage of the application, the X-Frame-Options header should be added to prevent browsers from displaying the web application in frames on other origins. This has also been set in the webapp Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d --- puppet/modules/site_apache/files/conf.d/security | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_apache/files/conf.d/security b/puppet/modules/site_apache/files/conf.d/security index 11159f48..a5ae5bdc 100644 --- a/puppet/modules/site_apache/files/conf.d/security +++ b/puppet/modules/site_apache/files/conf.d/security @@ -48,3 +48,8 @@ ServerSignature Off #TraceEnable Off TraceEnable On +# Setting this header will prevent other sites from embedding pages from this +# site as frames. This defends against clickjacking attacks. +# Requires mod_headers to be enabled. +# +Header set X-Frame-Options: "DENY" -- cgit v1.2.3 From 613f7f12f4c907ea07e79e3e73da8f2b71d3436d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Aug 2013 20:44:21 -0400 Subject: add HSTS if hiera value for webapp['secure'] is set (#3514) Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 +++ puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 +++ 2 files changed, 6 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 6a276e22..bc5ff156 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -22,6 +22,9 @@ Listen 0.0.0.0:<%= api_port %> RequestHeader set X_FORWARDED_PROTO 'https' +<% if @webapp['secure'] -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> Header always unset X-Powered-By Header always unset X-Runtime diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 9108caff..5e3960c2 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -22,6 +22,9 @@ RequestHeader set X_FORWARDED_PROTO 'https' +<% if @webapp['secure'] -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> Header always unset X-Powered-By Header always unset X-Runtime -- cgit v1.2.3 From 3cdebf3ebe73cb2859dc852dcc73a8ee2d60e976 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Aug 2013 19:45:56 -0400 Subject: install a preliminary firewall that blocks everything, except ssh for the cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339) Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38 --- puppet/manifests/setup.pp | 2 + puppet/modules/site_config/manifests/firewall.pp | 62 ++++++++++++++++++++++ .../templates/ipv4firewall_up.rules.erb | 20 +++++++ .../templates/ipv6firewall_up.rules.erb | 7 +++ .../modules/site_shorewall/manifests/defaults.pp | 28 +++++++++- puppet/modules/site_shorewall/manifests/sshd.pp | 6 +++ 6 files changed, 123 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_config/manifests/firewall.pp create mode 100644 puppet/modules/site_config/templates/ipv4firewall_up.rules.erb create mode 100644 puppet/modules/site_config/templates/ipv6firewall_up.rules.erb (limited to 'puppet') diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index d9e5229e..84e4c056 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -9,6 +9,8 @@ include concat::setup include site_config::hosts +include site_config::initial_firewall + include site_apt package { 'facter': diff --git a/puppet/modules/site_config/manifests/firewall.pp b/puppet/modules/site_config/manifests/firewall.pp new file mode 100644 index 00000000..b9fc5ffe --- /dev/null +++ b/puppet/modules/site_config/manifests/firewall.pp @@ -0,0 +1,62 @@ +class site_config::initial_firewall { + + # This class is intended to setup an initial firewall, before shorewall is + # configured. The purpose of this is for the rare case where shorewall fails + # to start, we should not expose services to the public. + + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] + + package { 'iptables': + ensure => present + } + + file { + # This firewall enables ssh access, dns lookups and web lookups (for + # package installation) but otherwise restricts all outgoing and incoming + # ports + '/etc/network/ipv4firewall_up.rules': + content => template('site_config/ipv4firewall_up.rules.erb'), + owner => root, + group => 0, + mode => '0644'; + + # This firewall denys all ipv6 traffic - we will need to change this + # when we begin to support ipv6 + '/etc/network/ipv6firewall_up.rules': + content => template('site_config/ipv6firewall_up.rules.erb'), + owner => root, + group => 0, + mode => '0644'; + + # Run the iptables-restore in if-pre-up so that the network is locked down + # until the correct interfaces and ips are connected + '/etc/network/if-pre-up.d/ipv4tables': + content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n", + owner => root, + group => 0, + mode => '0744'; + + # Same as above for IPv6 + '/etc/network/if-pre-up.d/ipv6tables': + content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n", + owner => root, + group => 0, + mode => '0744'; + } + + # Immediately setup these firewall rules, but only if shorewall is not running + exec { + 'default_ipv4_firewall': + command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', + logoutput => true, + unless => '/sbin/shorewall status', + require => File['/etc/network/ipv4firewall_up.rules']; + + 'default_ipv6_firewall': + command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', + logoutput => true, + unless => '/sbin/shorewall status', + require => File['/etc/network/ipv6firewall_up.rules']; + } +} diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb new file mode 100644 index 00000000..c03716f3 --- /dev/null +++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb @@ -0,0 +1,20 @@ +# Generated by iptables-save v1.4.14 on Tue Aug 20 14:40:40 2013 +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +-A INPUT -i lo -j ACCEPT +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport <%= @ssh_port %> -j ACCEPT +-A INPUT -p udp -m udp --sport 53 -j ACCEPT +-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 +-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT +-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT +-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT +-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT +-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 +COMMIT diff --git a/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb new file mode 100644 index 00000000..e7fae52e --- /dev/null +++ b/puppet/modules/site_config/templates/ipv6firewall_up.rules.erb @@ -0,0 +1,7 @@ +# Generated by ip6tables-save v1.4.20 on Tue Aug 20 12:19:43 2013 +*filter +:INPUT DROP [24:1980] +:FORWARD DROP [0:0] +:OUTPUT DROP [14:8030] +COMMIT +# Completed on Tue Aug 20 12:19:43 2013 diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index c62c9307..35e47982 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -1,4 +1,5 @@ class site_shorewall::defaults { + include shorewall include site_config::params @@ -18,8 +19,6 @@ class site_shorewall::defaults { options => 'tcpflags,blacklist,nosmurfs'; } - shorewall::routestopped { $site_config::params::interface: } - shorewall::policy { 'fw-to-all': sourcezone => 'fw', @@ -42,5 +41,30 @@ class site_shorewall::defaults { order => 200; } + package { 'shorewall-init': + ensure => installed + } + + augeas { + # stop instead of clear firewall on shutdown + 'shorewall_SAFESTOP': + changes => 'set /files/etc/shorewall/shorewall.conf/SAFESTOP Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + # require that the interface exist + 'shorewall_REQUIRE_INTERFACE': + changes => 'set /files/etc/shorewall/shorewall.conf/REQUIRE_INTERFACE Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + # configure shorewall-init + 'shorewall-init': + changes => 'set /files/etc/default/shorewall-init/PRODUCTS shorewall', + lens => 'Shellvars.lns', + incl => '/etc/default/shorewall-init', + require => [ Package['shorewall-init'], Service['shorewall'] ] + } + include site_shorewall::sshd } diff --git a/puppet/modules/site_shorewall/manifests/sshd.pp b/puppet/modules/site_shorewall/manifests/sshd.pp index a8e09e42..88b4102c 100644 --- a/puppet/modules/site_shorewall/manifests/sshd.pp +++ b/puppet/modules/site_shorewall/manifests/sshd.pp @@ -21,4 +21,10 @@ class site_shorewall::sshd { action => 'leap_sshd(ACCEPT)', order => 200; } + + # setup a routestopped rule to allow ssh when shorewall is stopped + shorewall::routestopped { $site_config::params::interface: + options => "- tcp ${ssh_port}" + } + } -- cgit v1.2.3 From 62c12a6d3c0ef1ff5dfd68d29b56a9846543f81e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 27 Aug 2013 10:57:05 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index eb45c81b..4a55caf8 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit eb45c81bec1328b5fed6bcfe78059037af190c05 +Subproject commit 4a55caf8cb828020b1535a8b7cd8351224b89bf2 -- cgit v1.2.3 From 2341a46e5fed90c8987ff1460e6d4fddfc939a07 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 27 Aug 2013 11:04:10 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 4a55caf8..869ea732 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 4a55caf8cb828020b1535a8b7cd8351224b89bf2 +Subproject commit 869ea732363afa238055c59baad5d5ca83c38024 -- cgit v1.2.3 From c4024b72d5aeebbd814a78c741658ca50eb4dc71 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 27 Jun 2013 11:44:31 +0200 Subject: make git forget about the changes due to symlinking files Git normally tracks the dummy files we replace with symlinks. So we tell it to ignore these changes on deploy. --- puppet/modules/site_webapp/manifests/init.pp | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 4815bab4..ba7c7e0d 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -138,6 +138,12 @@ class site_webapp { source => $webapp['img_dir']; } + exec { 'git-assume-unchanged': + cwd => '/srv/leap/webapp', + command => '/bin/bash -c "/usr/bin/git update-index --assume-unchanged app/assets/stylesheets/head.scss app/assets/stylesheets/tail.scss public/favicon.ico"', + user => 'leap-webapp' + } + file { '/srv/leap/webapp/config/config.yml': content => template('site_webapp/config.yml.erb'), -- cgit v1.2.3 From b35146bf42bae91f1211b51dba568295f8d5b8f0 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 26 Aug 2013 12:04:14 +0200 Subject: git:changes expect changes to certain files You can either ensure assume-unchanged or ensure those changes are tracked. Used to keep the git status clean. --- puppet/modules/site_webapp/manifests/git.pp | 30 ++++++++++++++++++++++++++++ puppet/modules/site_webapp/manifests/init.pp | 13 ++++++++---- 2 files changed, 39 insertions(+), 4 deletions(-) create mode 100644 puppet/modules/site_webapp/manifests/git.pp (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/git.pp b/puppet/modules/site_webapp/manifests/git.pp new file mode 100644 index 00000000..25862707 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/git.pp @@ -0,0 +1,30 @@ +# Usage +# git::changes { name: +# user => "me", +# ensure => {*assume-unchanged*, tracked} +# } +# + +define git::changes ( $user, $ensure='assume-unchanged' ) { + + case $ensure { + default: { err ( "unknown ensure value '${ensure}'" ) } + + assume-unchanged: { + exec { "assume-unchanged ${name}": + command => "/usr/bin/git update-index --assume-unchanged ${name}", + user => $user, + unless => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", + } + } + + tracked: { + exec { "assume-unchanged ${name}": + command => "/usr/bin/git update-index --no-assume-unchanged ${name}", + user => $user, + onlyif => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", + } + } + } +} + diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ba7c7e0d..a8807a1a 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -138,10 +138,15 @@ class site_webapp { source => $webapp['img_dir']; } - exec { 'git-assume-unchanged': - cwd => '/srv/leap/webapp', - command => '/bin/bash -c "/usr/bin/git update-index --assume-unchanged app/assets/stylesheets/head.scss app/assets/stylesheets/tail.scss public/favicon.ico"', - user => 'leap-webapp' + git:changes { + '/srv/leap/webapp/app/assets/stylesheets/head.scss': + user => 'leap-webapp'; + + '/srv/leap/webapp/app/assets/stylesheets/tail.scss': + user => 'leap-webapp'; + + '/srv/leap/webapp/public/favicon.ico': + user => 'leap-webapp'; } file { -- cgit v1.2.3 From 3aa062ecb934731aa5876e60bb7c9086bcbb5742 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 26 Aug 2013 12:21:08 +0200 Subject: specify cwd when using git:changes --- puppet/modules/site_webapp/manifests/git.pp | 5 ++++- puppet/modules/site_webapp/manifests/init.pp | 11 +++++++---- 2 files changed, 11 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/git.pp b/puppet/modules/site_webapp/manifests/git.pp index 25862707..908bc1a4 100644 --- a/puppet/modules/site_webapp/manifests/git.pp +++ b/puppet/modules/site_webapp/manifests/git.pp @@ -1,11 +1,12 @@ # Usage # git::changes { name: +# cwd => "/path/to/git/" # user => "me", # ensure => {*assume-unchanged*, tracked} # } # -define git::changes ( $user, $ensure='assume-unchanged' ) { +define git::changes ( $cwd, $user, $ensure='assume-unchanged' ) { case $ensure { default: { err ( "unknown ensure value '${ensure}'" ) } @@ -13,6 +14,7 @@ define git::changes ( $user, $ensure='assume-unchanged' ) { assume-unchanged: { exec { "assume-unchanged ${name}": command => "/usr/bin/git update-index --assume-unchanged ${name}", + cwd => $cwd, user => $user, unless => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", } @@ -21,6 +23,7 @@ define git::changes ( $user, $ensure='assume-unchanged' ) { tracked: { exec { "assume-unchanged ${name}": command => "/usr/bin/git update-index --no-assume-unchanged ${name}", + cwd => $cwd, user => $user, onlyif => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index a8807a1a..4bae2088 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -138,14 +138,17 @@ class site_webapp { source => $webapp['img_dir']; } - git:changes { - '/srv/leap/webapp/app/assets/stylesheets/head.scss': + git::changes { + 'app/assets/stylesheets/head.scss': + cwd => '/srv/leap/webapp', user => 'leap-webapp'; - '/srv/leap/webapp/app/assets/stylesheets/tail.scss': + 'app/assets/stylesheets/tail.scss': + cwd => '/srv/leap/webapp', user => 'leap-webapp'; - '/srv/leap/webapp/public/favicon.ico': + 'public/favicon.ico': + cwd => '/srv/leap/webapp', user => 'leap-webapp'; } -- cgit v1.2.3 From b1a8cfe5f82f2d96514fbfacff930fdd58dec5b8 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 27 Aug 2013 14:16:00 +0200 Subject: move git::changes into git module, whitespace fix --- puppet/modules/git | 2 +- puppet/modules/site_webapp/manifests/git.pp | 33 ---------------------------- puppet/modules/site_webapp/manifests/init.pp | 2 +- 3 files changed, 2 insertions(+), 35 deletions(-) delete mode 100644 puppet/modules/site_webapp/manifests/git.pp (limited to 'puppet') diff --git a/puppet/modules/git b/puppet/modules/git index 497a1034..ba5dd8d5 160000 --- a/puppet/modules/git +++ b/puppet/modules/git @@ -1 +1 @@ -Subproject commit 497a1034489e0dc3cab5dab2fb0a857785769734 +Subproject commit ba5dd8d5c8e09d521ff49f1ebc753601e449f828 diff --git a/puppet/modules/site_webapp/manifests/git.pp b/puppet/modules/site_webapp/manifests/git.pp deleted file mode 100644 index 908bc1a4..00000000 --- a/puppet/modules/site_webapp/manifests/git.pp +++ /dev/null @@ -1,33 +0,0 @@ -# Usage -# git::changes { name: -# cwd => "/path/to/git/" -# user => "me", -# ensure => {*assume-unchanged*, tracked} -# } -# - -define git::changes ( $cwd, $user, $ensure='assume-unchanged' ) { - - case $ensure { - default: { err ( "unknown ensure value '${ensure}'" ) } - - assume-unchanged: { - exec { "assume-unchanged ${name}": - command => "/usr/bin/git update-index --assume-unchanged ${name}", - cwd => $cwd, - user => $user, - unless => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", - } - } - - tracked: { - exec { "assume-unchanged ${name}": - command => "/usr/bin/git update-index --no-assume-unchanged ${name}", - cwd => $cwd, - user => $user, - onlyif => "/usr/bin/git ls-files -v | grep '^[ch] ${name}'", - } - } - } -} - diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 4bae2088..1db52477 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -138,7 +138,7 @@ class site_webapp { source => $webapp['img_dir']; } - git::changes { + git::changes { 'app/assets/stylesheets/head.scss': cwd => '/srv/leap/webapp', user => 'leap-webapp'; -- cgit v1.2.3 From b9e3aeac876570e35f1e1c3a0f12dcd3758ebd5f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 27 Aug 2013 18:06:54 +0200 Subject: updated submodule stdlib to obtain 'obfuscate_email' function (#3479) --- puppet/modules/stdlib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib index 66e0fa8f..85470dfc 160000 --- a/puppet/modules/stdlib +++ b/puppet/modules/stdlib @@ -1 +1 @@ -Subproject commit 66e0fa8f1bc5062e9d753598ad17602c378a2994 +Subproject commit 85470dfc1e703611a84abf922634d129dd2f8f8d -- cgit v1.2.3 From 7810400fcd09ec4805632981c2034706ab07720f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 27 Aug 2013 18:19:24 +0200 Subject: tor service:obfuscate contact email addr (Feature #3479) --- puppet/modules/site_tor/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 50ab636b..ac830f0d 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -13,7 +13,7 @@ class site_tor { tor::daemon::relay { $nickname: port => 9001, address => $address, - contact_info => $contact_email, + contact_info => obfuscate_email($contact_email), bandwidth_rate => $bandwidth_rate, my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050', } -- cgit v1.2.3 From 14cee35e55c999663dbd8ac34197b6ce7382e35d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Aug 2013 14:55:33 -0400 Subject: fix name of initial_firewall.pp file (#3339) Change-Id: I341628d0f36225ce49ae301246e7c152553efcae --- puppet/modules/site_config/manifests/firewall.pp | 62 ---------------------- .../site_config/manifests/initial_firewall.pp | 62 ++++++++++++++++++++++ 2 files changed, 62 insertions(+), 62 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/firewall.pp create mode 100644 puppet/modules/site_config/manifests/initial_firewall.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/firewall.pp b/puppet/modules/site_config/manifests/firewall.pp deleted file mode 100644 index b9fc5ffe..00000000 --- a/puppet/modules/site_config/manifests/firewall.pp +++ /dev/null @@ -1,62 +0,0 @@ -class site_config::initial_firewall { - - # This class is intended to setup an initial firewall, before shorewall is - # configured. The purpose of this is for the rare case where shorewall fails - # to start, we should not expose services to the public. - - $ssh_config = hiera('ssh') - $ssh_port = $ssh_config['port'] - - package { 'iptables': - ensure => present - } - - file { - # This firewall enables ssh access, dns lookups and web lookups (for - # package installation) but otherwise restricts all outgoing and incoming - # ports - '/etc/network/ipv4firewall_up.rules': - content => template('site_config/ipv4firewall_up.rules.erb'), - owner => root, - group => 0, - mode => '0644'; - - # This firewall denys all ipv6 traffic - we will need to change this - # when we begin to support ipv6 - '/etc/network/ipv6firewall_up.rules': - content => template('site_config/ipv6firewall_up.rules.erb'), - owner => root, - group => 0, - mode => '0644'; - - # Run the iptables-restore in if-pre-up so that the network is locked down - # until the correct interfaces and ips are connected - '/etc/network/if-pre-up.d/ipv4tables': - content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n", - owner => root, - group => 0, - mode => '0744'; - - # Same as above for IPv6 - '/etc/network/if-pre-up.d/ipv6tables': - content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n", - owner => root, - group => 0, - mode => '0744'; - } - - # Immediately setup these firewall rules, but only if shorewall is not running - exec { - 'default_ipv4_firewall': - command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', - logoutput => true, - unless => '/sbin/shorewall status', - require => File['/etc/network/ipv4firewall_up.rules']; - - 'default_ipv6_firewall': - command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', - logoutput => true, - unless => '/sbin/shorewall status', - require => File['/etc/network/ipv6firewall_up.rules']; - } -} diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp new file mode 100644 index 00000000..b9fc5ffe --- /dev/null +++ b/puppet/modules/site_config/manifests/initial_firewall.pp @@ -0,0 +1,62 @@ +class site_config::initial_firewall { + + # This class is intended to setup an initial firewall, before shorewall is + # configured. The purpose of this is for the rare case where shorewall fails + # to start, we should not expose services to the public. + + $ssh_config = hiera('ssh') + $ssh_port = $ssh_config['port'] + + package { 'iptables': + ensure => present + } + + file { + # This firewall enables ssh access, dns lookups and web lookups (for + # package installation) but otherwise restricts all outgoing and incoming + # ports + '/etc/network/ipv4firewall_up.rules': + content => template('site_config/ipv4firewall_up.rules.erb'), + owner => root, + group => 0, + mode => '0644'; + + # This firewall denys all ipv6 traffic - we will need to change this + # when we begin to support ipv6 + '/etc/network/ipv6firewall_up.rules': + content => template('site_config/ipv6firewall_up.rules.erb'), + owner => root, + group => 0, + mode => '0644'; + + # Run the iptables-restore in if-pre-up so that the network is locked down + # until the correct interfaces and ips are connected + '/etc/network/if-pre-up.d/ipv4tables': + content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n", + owner => root, + group => 0, + mode => '0744'; + + # Same as above for IPv6 + '/etc/network/if-pre-up.d/ipv6tables': + content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n", + owner => root, + group => 0, + mode => '0744'; + } + + # Immediately setup these firewall rules, but only if shorewall is not running + exec { + 'default_ipv4_firewall': + command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', + logoutput => true, + unless => '/sbin/shorewall status', + require => File['/etc/network/ipv4firewall_up.rules']; + + 'default_ipv6_firewall': + command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', + logoutput => true, + unless => '/sbin/shorewall status', + require => File['/etc/network/ipv6firewall_up.rules']; + } +} -- cgit v1.2.3 From 92ad38f756f277866e6a3953dbc3e7f31b99898f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Aug 2013 15:07:02 -0400 Subject: now that soledad has been split we can better organize things (#3579) . create a soledad::common class . leap-mx now only needs to include soledad-common . move the site_apt::preferences::twisted to a preferences block inside the soledad server class . make sure that the packages are doing 'ensure => latest' instead of installed Change-Id: Ifa978e831cdc8835666b27322a6e068d67251f5d --- puppet/modules/leap_mx/manifests/init.pp | 6 ++++-- puppet/modules/site_apt/manifests/preferences/twisted.pp | 3 +-- puppet/modules/soledad/manifests/common.pp | 10 ++++++++++ puppet/modules/soledad/manifests/init.pp | 4 ---- puppet/modules/soledad/manifests/server.pp | 3 ++- 5 files changed, 17 insertions(+), 9 deletions(-) create mode 100644 puppet/modules/soledad/manifests/common.pp (limited to 'puppet') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index ffa4519d..25b2758f 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -6,8 +6,9 @@ class leap_mx { $couchdb_user = $couchdb_admin_user['username'] $couchdb_password = $couchdb_admin_user['password'] + include soledad::common include site_apt::preferences::twisted - + # # USER AND GROUP # @@ -42,7 +43,8 @@ class leap_mx { # package { 'leap-mx': - ensure => installed; + ensure => installed, + require => Class['site_apt::preferences::twisted'] } # diff --git a/puppet/modules/site_apt/manifests/preferences/twisted.pp b/puppet/modules/site_apt/manifests/preferences/twisted.pp index 2ba40e3d..abff6838 100644 --- a/puppet/modules/site_apt/manifests/preferences/twisted.pp +++ b/puppet/modules/site_apt/manifests/preferences/twisted.pp @@ -3,8 +3,7 @@ class site_apt::preferences::twisted { apt::preferences_snippet { 'python-twisted': package => 'python-twisted*', release => "${::lsbdistcodename}-backports", - priority => 999, - before => Package['soledad-server'] + priority => 999; } } diff --git a/puppet/modules/soledad/manifests/common.pp b/puppet/modules/soledad/manifests/common.pp new file mode 100644 index 00000000..8a1d664a --- /dev/null +++ b/puppet/modules/soledad/manifests/common.pp @@ -0,0 +1,10 @@ +class soledad::common { + + include soledad + + package { 'soledad-common': + ensure => latest, + require => User['soledad'] + } + +} diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp index 08ba88a7..7d44c8b4 100644 --- a/puppet/modules/soledad/manifests/init.pp +++ b/puppet/modules/soledad/manifests/init.pp @@ -27,8 +27,4 @@ class soledad { require => User['soledad']; } - package { 'soledad-common': - ensure => installed, - require => User['soledad']; - } } diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 00d87a4d..fcf9d461 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -46,7 +46,8 @@ class soledad::server { } package { 'soledad-server': - ensure => installed + ensure => latest, + require => Class['site_apt::preferences::twisted'] } file { '/etc/default/soledad': -- cgit v1.2.3 From 778e85c3a163b6343cd545073e4432b882dc888a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Aug 2013 19:42:15 -0400 Subject: setup bigcouch logrotation (#3491) Change-Id: Ia35cf7a9fc1d0fad6a57bbae73968ab6b8f0c847 --- puppet/modules/site_couchdb/manifests/init.pp | 2 ++ puppet/modules/site_couchdb/manifests/logrotate.pp | 12 ++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/logrotate.pp (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 75ed87a0..238b83d9 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -82,6 +82,8 @@ class site_couchdb { require => Couchdb::Query::Setup['localhost'] } + include site_couchdb::logrotate + include site_shorewall::couchdb include site_shorewall::couchdb::bigcouch } diff --git a/puppet/modules/site_couchdb/manifests/logrotate.pp b/puppet/modules/site_couchdb/manifests/logrotate.pp new file mode 100644 index 00000000..e1039d49 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/logrotate.pp @@ -0,0 +1,12 @@ +class site_couchdb::logrotate { + + augeas { + 'logrotate_bigcouch': + context => '/files/etc/logrotate.d/bigcouch/rule', + changes => [ 'set file /opt/bigcouch/var/log/*.log', 'set rotate 7', + 'set schedule daily', 'set compress compress', + 'set missingok missingok', 'set ifempty notifempty', + 'set copytruncate copytruncate' ] + } + +} -- cgit v1.2.3 From 231f6a03a93caa914bc04d40af2cb203ded676fb Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 28 Aug 2013 12:14:01 +0200 Subject: added site_postfix::debug for debugging (#3538) --- puppet/modules/site_postfix/manifests/debug.pp | 9 +++++++++ puppet/modules/site_postfix/manifests/mx.pp | 4 +++- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/debug.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/debug.pp b/puppet/modules/site_postfix/manifests/debug.pp new file mode 100644 index 00000000..f370d166 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/debug.pp @@ -0,0 +1,9 @@ +class site_postfix::debug { + + postfix::config { + 'debug_peer_list': value => '127.0.0.1'; + 'debug_peer_level': value => '1'; + 'smtpd_tls_loglevel': value => '1'; + } + +} diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 0581f147..d7637c70 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -18,12 +18,14 @@ class site_postfix::mx { 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; 'local_recipient_maps': value => ''; - 'debug_peer_list': value => '127.0.0.1'; } include site_postfix::mx::smtpd_checks include site_postfix::mx::tls + # greater verbosity for debugging, take out for production + include site_postfix::debug + user { 'vmail': ensure => present, comment => 'Leap Mailspool', -- cgit v1.2.3 From 4bcf6fbba365097286c9a411436d2d6b686336c0 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 28 Aug 2013 12:18:16 +0200 Subject: integrate manual postfix config changes in puppet (Feature #3538) --- puppet/modules/site_postfix/manifests/mx.pp | 1 - puppet/modules/site_postfix/manifests/mx/tls.pp | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index d7637c70..7e2082d9 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -17,7 +17,6 @@ class site_postfix::mx { 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; 'luser_relay': value => 'vmail'; - 'local_recipient_maps': value => ''; } include site_postfix::mx::smtpd_checks diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 4b7a2626..8c9da9db 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -23,7 +23,7 @@ class site_postfix::mx::tls { 'smtpd_tls_CAfile': value => $client_ca; 'smtpd_tls_cert_file': value => $cert_path; 'smtpd_tls_key_file': value => $key_path; - 'smtpd_tls_req_ccert': value => 'yes'; + 'smtpd_tls_ask_ccert': value => 'yes'; 'smtpd_tls_security_level': value => 'may'; } -- cgit v1.2.3 From 579a9d4d2f68d020c993d1c680eb9022d8c789e3 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 28 Aug 2013 13:00:27 +0200 Subject: require VCS repo before git assume-unchanged (feature #1608) --- puppet/modules/site_webapp/manifests/init.pp | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 1db52477..84ec8fab 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -54,12 +54,12 @@ class site_webapp { } exec { 'compile_assets': - cwd => '/srv/leap/webapp', - command => '/usr/bin/bundle exec rake assets:precompile', - user => 'leap-webapp', + cwd => '/srv/leap/webapp', + command => '/usr/bin/bundle exec rake assets:precompile', + user => 'leap-webapp', logoutput => on_failure, - require => Exec['bundler_update'], - notify => Service['apache']; + require => Exec['bundler_update'], + notify => Service['apache']; } file { @@ -74,14 +74,14 @@ class site_webapp { target => '/usr/local/share/ca-certificates/leap_api.crt'; "/srv/leap/webapp/public/${api_version}": - ensure => directory, + ensure => directory, require => Vcsrepo['/srv/leap/webapp'], - owner => leap-webapp, group => leap-webapp, mode => '0755'; + owner => leap-webapp, group => leap-webapp, mode => '0755'; "/srv/leap/webapp/public/${api_version}/config/": - ensure => directory, + ensure => directory, require => Vcsrepo['/srv/leap/webapp'], - owner => leap-webapp, group => leap-webapp, mode => '0755'; + owner => leap-webapp, group => leap-webapp, mode => '0755'; "/srv/leap/webapp/public/${api_version}/config/eip-service.json": content => $eip_service, @@ -141,14 +141,17 @@ class site_webapp { git::changes { 'app/assets/stylesheets/head.scss': cwd => '/srv/leap/webapp', + require => Vcsrepo['/srv/leap/webapp'], user => 'leap-webapp'; 'app/assets/stylesheets/tail.scss': cwd => '/srv/leap/webapp', + require => Vcsrepo['/srv/leap/webapp'], user => 'leap-webapp'; 'public/favicon.ico': cwd => '/srv/leap/webapp', + require => Vcsrepo['/srv/leap/webapp'], user => 'leap-webapp'; } -- cgit v1.2.3 From 979e2f5d21a0516aec79063eff0a63ecbfabe661 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 28 Aug 2013 14:42:58 +0200 Subject: updated submodule stdlib to obtain facts that show netmask in cidr notation --- puppet/modules/stdlib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib index 85470dfc..73b69e81 160000 --- a/puppet/modules/stdlib +++ b/puppet/modules/stdlib @@ -1 +1 @@ -Subproject commit 85470dfc1e703611a84abf922634d129dd2f8f8d +Subproject commit 73b69e8198f702f086ff6afd94a54dddc7935893 -- cgit v1.2.3 From 6a1ed392b4528f07d19c5cced68909db2a1825d9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Aug 2013 20:15:21 -0400 Subject: apache headers module needs to be enabled on the monitor server (#3462) Change-Id: Ia4e36e9cb2b37172a148c209c5c07b9eca59d89e --- puppet/modules/site_nagios/manifests/server.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index c114a39a..5ca04da2 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -18,6 +18,10 @@ class site_nagios::server inherits nagios::base { #before => Class ['nagios::defaults'] } + apache::module { + 'headers': ensure => present; + } + File ['nagios_htpasswd'] { source => undef, content => "nagiosadmin:$nagiosadmin_pw", -- cgit v1.2.3 From f52d2e77f3b3f0c478fcaa192e02683d7508a728 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 28 Aug 2013 16:37:49 +0200 Subject: SMTP checks (Feature #2304) --- puppet/modules/site_postfix/manifests/mx.pp | 2 -- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 11 ++++++++++- 2 files changed, 10 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 7e2082d9..53dd9be4 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -11,8 +11,6 @@ class site_postfix::mx { postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; - 'smtpd_recipient_restrictions': - value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination'; 'mailbox_size_limit': value => '0'; 'home_mailbox': value => 'Maildir/'; 'virtual_alias_maps': value => 'tcp:localhost:4242'; diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index b2f2d7c2..bda666f8 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,9 +1,18 @@ class site_postfix::mx::smtpd_checks { postfix::config { - 'smtpd_delay_reject': value => 'yes'; + 'smtpd_client_restrictions': + value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': value => 'permit_mynetworks, reject_unauth_pipelining, permit'; + 'smtpd_delay_reject': + value => 'yes'; + 'smtpd_helo_restrictions': + value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; + 'smtpd_recipient_restrictions': + value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'smtpd_sender_restrictions': + value => 'check_sender_access tcp:localhost:2244, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } } -- cgit v1.2.3 From fcfbbf21dcd61d668c4289ba97bf845d0b97ed93 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 18:48:30 +0200 Subject: removed submodule "puppet/modules/postfix" (url: git://labs.riseup.net/shared-postfix) --- puppet/modules/postfix | 1 - 1 file changed, 1 deletion(-) delete mode 160000 puppet/modules/postfix (limited to 'puppet') diff --git a/puppet/modules/postfix b/puppet/modules/postfix deleted file mode 160000 index 8e43dc85..00000000 --- a/puppet/modules/postfix +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 8e43dc85da5a5e45e88aef5f7c32c9cc1c35201c -- cgit v1.2.3 From fb10fcf5484417c5bfb9099c17f0edf4ccf3bc09 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 18:51:03 +0200 Subject: re-added submodule postfix from git://code.leap.se/puppet_postfix (#3584) --- puppet/modules/postfix | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/postfix (limited to 'puppet') diff --git a/puppet/modules/postfix b/puppet/modules/postfix new file mode 160000 index 00000000..25b1de20 --- /dev/null +++ b/puppet/modules/postfix @@ -0,0 +1 @@ +Subproject commit 25b1de206454c663539b748fb9f08276ad95b3e4 -- cgit v1.2.3 From 683a1dbe729d3979c9390e2d0aeb5e0e4c258370 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 16:02:07 +0200 Subject: Deploy postfix with an empty main.cf as beginning (Feature #3584) --- puppet/modules/site_apt/templates/wheezy/postfix.seeds | 1 + puppet/modules/site_postfix/manifests/mx.pp | 1 + 2 files changed, 2 insertions(+) create mode 100644 puppet/modules/site_apt/templates/wheezy/postfix.seeds (limited to 'puppet') diff --git a/puppet/modules/site_apt/templates/wheezy/postfix.seeds b/puppet/modules/site_apt/templates/wheezy/postfix.seeds new file mode 100644 index 00000000..1a878ccc --- /dev/null +++ b/puppet/modules/site_apt/templates/wheezy/postfix.seeds @@ -0,0 +1 @@ +postfix postfix/main_mailer_type select No configuration diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 53dd9be4..ed5b3832 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -32,6 +32,7 @@ class site_postfix::mx { } class { 'postfix': + preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', require => [ X509::Key[$cert_name], X509::Cert[$cert_name], -- cgit v1.2.3 From 6c508c1c938fa2933d633fa7896505e23128c997 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 19:00:33 +0200 Subject: fix smtpd mail restrictions (Feature #3166) --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index bda666f8..0973e625 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -4,15 +4,15 @@ class site_postfix::mx::smtpd_checks { 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': - value => 'permit_mynetworks, reject_unauth_pipelining, permit'; + value => 'permit_tls_all_clientcerts, permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': value => 'yes'; 'smtpd_helo_restrictions': value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; 'smtpd_recipient_restrictions': - value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + value => 'reject_unknown_recipient_domain, permit_tls_all_clientcerts, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtpd_sender_restrictions': - value => 'check_sender_access tcp:localhost:2244, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; + value => 'check_sender_access tcp:localhost:2244, permit_tls_all_clientcerts, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } } -- cgit v1.2.3 From 7240764c9f1f319a002eb63f7a2dc26a2d479d31 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 19:28:43 +0200 Subject: updated submodule couchdb, fix puppet couchdb module doesn't create necessary databases anymore (Bug #3594) --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 869ea732..32a0f9df 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 869ea732363afa238055c59baad5d5ca83c38024 +Subproject commit 32a0f9df6e80c15b3b49b8ad81b9a49ecc6f39dd -- cgit v1.2.3 From 7ec54bd92bc63e1d7a5213196c1b4fb1bbe1b0b4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 29 Aug 2013 19:42:56 +0200 Subject: updated submodule couchdb, fixed merge resolution error from last merge --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 32a0f9df..ca467f2c 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 32a0f9df6e80c15b3b49b8ad81b9a49ecc6f39dd +Subproject commit ca467f2c8ec25132133e058f446217828b932671 -- cgit v1.2.3 From 1f66ee794114d6a7096e15d0b044c17cb6d22a91 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Aug 2013 15:10:55 -0400 Subject: change the name of the couch_database in the nickserver.yaml to the new one Change-Id: I5fe6912f3774ae87c595ca1dcac60a61e24de9e5 --- puppet/modules/site_nickserver/templates/nickserver.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb index 7aab5605..e717cbaa 100644 --- a/puppet/modules/site_nickserver/templates/nickserver.yml.erb +++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb @@ -6,7 +6,7 @@ domain: "<%= @address_domain %>" couch_host: "<%= @couchdb_host %>" couch_port: <%= @couchdb_port %> -couch_database: "users" +couch_database: "identities" couch_user: "<%= @couchdb_user %>" couch_password: "<%= @couchdb_password %>" -- cgit v1.2.3 From 323ceff1ea60bd3463821fc2295ffb790d822165 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Aug 2013 15:05:15 -0400 Subject: create individual classes for the apache modules so they can be included more than once in different locations, depending on what services are configured on a node (#3612) Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770 --- puppet/modules/site_apache/manifests/module/alias.pp | 5 +++++ puppet/modules/site_apache/manifests/module/headers.pp | 5 +++++ puppet/modules/site_apache/manifests/module/rewrite.pp | 5 +++++ puppet/modules/site_nagios/manifests/server.pp | 4 +--- puppet/modules/site_webapp/manifests/apache.pp | 8 +++----- 5 files changed, 19 insertions(+), 8 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/module/alias.pp create mode 100644 puppet/modules/site_apache/manifests/module/headers.pp create mode 100644 puppet/modules/site_apache/manifests/module/rewrite.pp (limited to 'puppet') diff --git a/puppet/modules/site_apache/manifests/module/alias.pp b/puppet/modules/site_apache/manifests/module/alias.pp new file mode 100644 index 00000000..c1f5e185 --- /dev/null +++ b/puppet/modules/site_apache/manifests/module/alias.pp @@ -0,0 +1,5 @@ +class site_apache::module::alias ( $ensure = present ) +{ + + apache::module { 'alias': ensure => $ensure } +} diff --git a/puppet/modules/site_apache/manifests/module/headers.pp b/puppet/modules/site_apache/manifests/module/headers.pp new file mode 100644 index 00000000..f7caa28c --- /dev/null +++ b/puppet/modules/site_apache/manifests/module/headers.pp @@ -0,0 +1,5 @@ +class site_apache::module::headers ( $ensure = present ) +{ + + apache::module {'headers': ensure => $ensure } +} diff --git a/puppet/modules/site_apache/manifests/module/rewrite.pp b/puppet/modules/site_apache/manifests/module/rewrite.pp new file mode 100644 index 00000000..7ad00a0c --- /dev/null +++ b/puppet/modules/site_apache/manifests/module/rewrite.pp @@ -0,0 +1,5 @@ +class site_apache::module::rewrite ( $ensure = present ) +{ + + apache::module { 'rewrite': ensure => $ensure } +} diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 5ca04da2..a088921a 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -18,9 +18,7 @@ class site_nagios::server inherits nagios::base { #before => Class ['nagios::defaults'] } - apache::module { - 'headers': ensure => present; - } + include site_apache::module::headers File ['nagios_htpasswd'] { source => undef, diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 8b340160..4331afe4 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -14,11 +14,9 @@ class site_webapp::apache { class { '::apache': no_default_site => true, ssl => true } - apache::module { - 'alias': ensure => present; - 'rewrite': ensure => present; - 'headers': ensure => present; - } + include site_apache::module::headers + include site_apache::module::rewrite + include site_apache::module::alias class { 'passenger': use_munin => false } -- cgit v1.2.3 From ddcab83dda101ee335bbf37451f37e2bfe358c7f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 29 Aug 2013 16:14:53 -0400 Subject: Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604) . enable smtps (port 465) for client submission over TLS, and require that TLS is enabled . add 465 to the allowed open ports in the firewall . change the smtp-service.json to use 465 instead of 25 note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need. Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02 --- puppet/modules/site_postfix/manifests/mx.pp | 1 + puppet/modules/site_shorewall/manifests/mx.pp | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index ed5b3832..18815f70 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -35,6 +35,7 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', + mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n", require => [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp index 5ec95fdd..123ffec2 100644 --- a/puppet/modules/site_shorewall/manifests/mx.pp +++ b/puppet/modules/site_shorewall/manifests/mx.pp @@ -2,7 +2,7 @@ class site_shorewall::mx { include site_shorewall::defaults - $smtpd_ports = '25' + $smtpd_ports = '25,465' # define macro for incoming services file { '/etc/shorewall/macro.leap_mx': -- cgit v1.2.3 From f18a47cfcabcc126689b1166464b5f7c3d000b79 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 30 Aug 2013 08:54:18 +0200 Subject: create sessions db with puppet (Bug #3597) --- puppet/modules/site_couchdb/manifests/init.pp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 238b83d9..84f737d7 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -66,9 +66,9 @@ class site_couchdb { } couchdb::add_user { $couchdb_soledad_user: - roles => '["auth"]', - pw => $couchdb_soledad_pw, - salt => $couchdb_soledad_salt, + roles => '["auth"]', + pw => $couchdb_soledad_pw, + salt => $couchdb_soledad_salt, require => Couchdb::Query::Setup['localhost'] } @@ -82,6 +82,11 @@ class site_couchdb { require => Couchdb::Query::Setup['localhost'] } + couchdb::create_db { 'sessions': + readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + include site_couchdb::logrotate include site_shorewall::couchdb -- cgit v1.2.3 From 8b7e1d9afda6a0ae2a8ff5548d9c8ab78370693b Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 30 Aug 2013 14:57:21 +0200 Subject: updated submodule couchdb: couchdb: update_user_webapp fails (Bug #3611) --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index ca467f2c..f59e8b2e 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit ca467f2c8ec25132133e058f446217828b932671 +Subproject commit f59e8b2e4aad3023f46ae3a1aad655b06605ee84 -- cgit v1.2.3 From 27efd6072ecf13b4bbdb098ee70eb81eb5cdc81c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 30 Aug 2013 15:01:15 -0400 Subject: change the master.cf_tail to pull in -o smtpd_recipient_restrictions=$smtps_recipient_restrictions from main.cf, allowing us to setup specific restrictions for the smtps port move permit_tls_all_clientcerts from the smtpd_data_restrictions and smtpd_recipient_restrictions to only be in smtps_recipient_restrictions make a note about the permit_tls_all_clientcerts being something that we don't want in the future remove check_sender_access check which was doing an unnecessary lookup Change-Id: If9101512e42f7cd82c0e06543cef696d6063f8dc --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 18815f70..e9f662c3 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -35,7 +35,7 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', - mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n", + mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions", require => [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0973e625..640f2390 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -4,15 +4,22 @@ class site_postfix::mx::smtpd_checks { 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': - value => 'permit_tls_all_clientcerts, permit_mynetworks, reject_unauth_pipelining, permit'; + value => 'permit_mynetworks, reject_unauth_pipelining, permit'; 'smtpd_delay_reject': value => 'yes'; 'smtpd_helo_restrictions': value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; 'smtpd_recipient_restrictions': - value => 'reject_unknown_recipient_domain, permit_tls_all_clientcerts, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts + # with a lookup on $relay_clientcerts! Right now we are listing the only + # valid CA that client certificates can use in the $smtp_tls_CAfile parameter + # but we cannot cut off a certificate that should no longer be used unless + # we use permit_tls_clientcerts with the $relay_clientcerts lookup + 'smtps_recipient_restrictions': + value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtpd_sender_restrictions': - value => 'check_sender_access tcp:localhost:2244, permit_tls_all_clientcerts, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; + value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } } -- cgit v1.2.3 From ff26ca98604d9e3f3856cca2af678b21c096d1ee Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 30 Aug 2013 15:19:43 -0400 Subject: postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa --- puppet/modules/site_postfix/manifests/mx.pp | 8 +++++++- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 4 +++- puppet/modules/site_shorewall/manifests/mx.pp | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e9f662c3..eddf19f2 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -35,7 +35,13 @@ class site_postfix::mx { preseed => true, root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', - mastercf_tail => "smtps inet n - - - - smtpd\n -o smtpd_tls_wrappermode=yes\n -o smtpd_tls_security_level=encrypt\n -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions", + mastercf_tail => + "smtps inet n - - - - smtpd\n + -o smtpd_tls_wrappermode=yes\n + -o smtpd_tls_security_level=encrypt\n + submission inet n - n - - smtpd\n + -o smtpd_tls_security_level=encrypt\n + -o smtpd_recipient_restrictions=\$submission_recipient_restrictions", require => [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 640f2390..7ade8588 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -18,8 +18,10 @@ class site_postfix::mx::smtpd_checks { # we use permit_tls_clientcerts with the $relay_clientcerts lookup 'smtps_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'submission_recipient_restrictions': + value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; - } + } } diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp index 123ffec2..332f164e 100644 --- a/puppet/modules/site_shorewall/manifests/mx.pp +++ b/puppet/modules/site_shorewall/manifests/mx.pp @@ -2,7 +2,7 @@ class site_shorewall::mx { include site_shorewall::defaults - $smtpd_ports = '25,465' + $smtpd_ports = '25,465,587' # define macro for incoming services file { '/etc/shorewall/macro.leap_mx': -- cgit v1.2.3 From e2782d2153e176416224fb7ed8eb37ca6ca98ff3 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 2 Sep 2013 10:59:45 +0200 Subject: specify RAILS_ENV when calling bundle assets-precompile (fixes #3638) We currently disable the billing gem in production while it's on in development and test. Therefore bundler will not install its dependencies - in particular the braintree gem when deploying. Since the RAILS_ENV was not specified rake was called with the default of 'development'. It therefore tried to load the development gems and failed when looking for 'braintree'. Specifying the production RAILS_ENV fixes this. It looks like we'll always need to specify RAILS_ENV when calling rake or we might want to export it to the environment in a separate task or the user config files such as .bashrc --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 84ec8fab..b3a556a6 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -55,7 +55,7 @@ class site_webapp { exec { 'compile_assets': cwd => '/srv/leap/webapp', - command => '/usr/bin/bundle exec rake assets:precompile', + command => '/bin/bash -c "RAILS_ENV=production /usr/bin/bundle exec rake assets:precompile"', user => 'leap-webapp', logoutput => on_failure, require => Exec['bundler_update'], -- cgit v1.2.3 From c25c97adeb6c41d9af008ba918dfa6ee192f2fd9 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 2 Sep 2013 11:57:48 +0200 Subject: create all webapp databases so _security is set (fixes 3517) --- puppet/modules/site_couchdb/manifests/init.pp | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 84f737d7..43abd616 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -87,6 +87,19 @@ class site_couchdb { require => Couchdb::Query::Setup['localhost'] } + couchdb::create_db { 'tickets': + readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + + # leap_mx will want access to this. Granting access to the soledad user + # via the auth group for now. + # leap_mx could use that for a start. + couchdb::create_db { 'identities': + readers => "{ \"names\": [], \"roles\": [\"auth\"] }", + require => Couchdb::Query::Setup['localhost'] + } + include site_couchdb::logrotate include site_shorewall::couchdb -- cgit v1.2.3 From 822f92c3ff3fb8ef640b7e1c10819f367014f8d1 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 2 Sep 2013 17:02:55 +0200 Subject: disable postfix debugging by default --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index eddf19f2..2e68297d 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -21,7 +21,7 @@ class site_postfix::mx { include site_postfix::mx::tls # greater verbosity for debugging, take out for production - include site_postfix::debug + #include site_postfix::debug user { 'vmail': ensure => present, -- cgit v1.2.3 From 8d69a43fe97079f9595ed460bfa36c4bfd6cb0a8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 10:22:40 -0400 Subject: Without smtpd_helo_required, the helo restrictions are easily bypassed by not sending a HELO (#3693) Change-Id: I6a7338136a53e16962a070826493139fa3307df7 --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 7ade8588..34cffb0d 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,6 +1,8 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'smtpd_helo_required': + value => 'yes'; 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': -- cgit v1.2.3 From 9e66f8128274a8c82d3af50597b8a61061153186 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 10:54:28 -0400 Subject: require that shorewall has been installed before execs are run (#3339) Change-Id: Iae2b1cacd64565931cef77194a733aeae681efaf --- puppet/modules/site_config/manifests/initial_firewall.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index b9fc5ffe..9178a5f2 100644 --- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp @@ -51,12 +51,14 @@ class site_config::initial_firewall { command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, unless => '/sbin/shorewall status', - require => File['/etc/network/ipv4firewall_up.rules']; + require => [ Package['shorewall'], + File['/etc/network/ipv4firewall_up.rules'] ]; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, unless => '/sbin/shorewall status', - require => File['/etc/network/ipv6firewall_up.rules']; + require => [ Package['shorewall'], + File['/etc/network/ipv6firewall_up.rules'] ]; } } -- cgit v1.2.3 From cfdbad27fe0b1c5e98b127f2c3d22258e233ef11 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 10:37:21 -0400 Subject: add /etc/postfix/checks directory and setup a check_helo_access that allows admins to have some control over problem clients connecting that present helo patterns that they wish to block (#3694) Change-Id: I159c29b6fe17e3d75b607d1a6fa82856b976c9b4 --- puppet/modules/site_postfix/manifests/checks.pp | 23 ++++++++++++++++++++++ puppet/modules/site_postfix/manifests/mx.pp | 1 + .../site_postfix/manifests/mx/smtpd_checks.pp | 4 +++- .../site_postfix/templates/checks/helo_access.erb | 21 ++++++++++++++++++++ 4 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/checks.pp create mode 100644 puppet/modules/site_postfix/templates/checks/helo_access.erb (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp new file mode 100644 index 00000000..06f9a7a4 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/checks.pp @@ -0,0 +1,23 @@ +class site_postfix::checks { + + file { + '/etc/postfix/checks': + ensure => directory, + mode => '0755', + owner => root, + group => postfix, + require => Class['postfix']; + + '/etc/postfix/checks/helo_checks': + content => template('site_postfix/checks/helo_access.erb'), + mode => '0644', + owner => root, + group => root; + } + + exec { + '/usr/sbin/postmap /etc/postfix/checks/helo_checks': + refreshonly => true, + subscribe => File['/etc/postfix/checks/helo_checks']; + } +} diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2e68297d..e5dc1c7b 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -18,6 +18,7 @@ class site_postfix::mx { } include site_postfix::mx::smtpd_checks + include site_postfix::checks include site_postfix::mx::tls # greater verbosity for debugging, take out for production diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 7ade8588..795c1703 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -1,6 +1,8 @@ class site_postfix::mx::smtpd_checks { postfix::config { + 'checks_dir': + value => '$config_directory/checks'; 'smtpd_client_restrictions': value => 'permit_mynetworks,permit'; 'smtpd_data_restrictions': @@ -8,7 +10,7 @@ class site_postfix::mx::smtpd_checks { 'smtpd_delay_reject': value => 'yes'; 'smtpd_helo_restrictions': - value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit'; + value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_recipient_restrictions': value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; # We should change from permit_tls_all_clientcerts to permit_tls_clientcerts diff --git a/puppet/modules/site_postfix/templates/checks/helo_access.erb b/puppet/modules/site_postfix/templates/checks/helo_access.erb new file mode 100644 index 00000000..bef3c11d --- /dev/null +++ b/puppet/modules/site_postfix/templates/checks/helo_access.erb @@ -0,0 +1,21 @@ +# THIS FILE IS MANAGED BY PUPPET +# To make changes to this file, please edit your platform directory under +# puppet/modules/site_postfix/templates/checks/helo_access.erb and then deploy + +# The format of this file is the HELO/EHLO domain followed by an action. +# The action could be OK to allow it, REJECT to reject it, or a custom +# status code and message. Any lines that are prefixed by an octothorpe (#) +# will be considered comments. + +# Some examples: +# +# Reject anyone that HELO's with foobar: +# foobar REJECT +# +# Allow the switches to skip this check: +# switch1 OK +# switch2 OK + +# Reject anybody that HELO's as being in our own domain(s) +# anyone who identifies themselves as us is a virus/spammer +<%= domain %> 554 You are not in domain <%= domain %> -- cgit v1.2.3 From d901c602f61697f329e37bc92209c264755094c1 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Sep 2013 15:26:23 +0200 Subject: Sending mail fails when relaying using non-fully-qualified hostname (Feature #3667) --- puppet/modules/site_postfix/manifests/mx.pp | 7 ++++--- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 ++ 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e5dc1c7b..515b6825 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -42,8 +42,9 @@ class site_postfix::mx { -o smtpd_tls_security_level=encrypt\n submission inet n - n - - smtpd\n -o smtpd_tls_security_level=encrypt\n - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions", - require => [ X509::Key[$cert_name], X509::Cert[$cert_name], - User['vmail'] ] + -o smtpd_recipient_restrictions=\$submission_recipient_restrictions\n + -o smtpd_helo_restrictions=\$submission_helo_restrictions", + require => + [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } } diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index b1536d64..7aea71fb 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -24,6 +24,8 @@ class site_postfix::mx::smtpd_checks { value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'submission_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; + 'submission_helo_restrictions': + value => 'permit_mynetworks, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } -- cgit v1.2.3 From 1c0bde0eef6f693a3a67b88eed40173d9f4cf756 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Sep 2013 16:20:02 +0200 Subject: fix $master_cf_tail format --- puppet/modules/site_postfix/manifests/mx.pp | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 515b6825..2d8f3db5 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -37,14 +37,14 @@ class site_postfix::mx { root_mail_recipient => $root_mail_recipient, smtp_listen => 'all', mastercf_tail => - "smtps inet n - - - - smtpd\n - -o smtpd_tls_wrappermode=yes\n - -o smtpd_tls_security_level=encrypt\n - submission inet n - n - - smtpd\n - -o smtpd_tls_security_level=encrypt\n - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions\n - -o smtpd_helo_restrictions=\$submission_helo_restrictions", - require => - [ X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] + "smtps inet n - - - - smtpd + -o smtpd_tls_wrappermode=yes + -o smtpd_tls_security_level=encrypt +submission inet n - n - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_recipient_restrictions=\$submission_recipient_restrictions + -o smtpd_helo_restrictions=\$submission_helo_restrictions", + require => [ + X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] } } -- cgit v1.2.3 From ccdf90ea9c48efbaa34dda8f23d6a95db9970cd9 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Sep 2013 18:46:09 +0200 Subject: use check_helo_access hash:/helo_checks also for $submission_helo_restrictions --- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 7aea71fb..0f1500a4 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -25,7 +25,7 @@ class site_postfix::mx::smtpd_checks { 'submission_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; 'submission_helo_restrictions': - value => 'permit_mynetworks, permit'; + value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } -- cgit v1.2.3 From 94cdd54caa0cfabb80dab35ebfe9ae02d68ddfb3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 15:47:18 -0400 Subject: Work around for shorewall not being available at the site_config stage (#3339) Change-Id: Id3138cb967f76380b7f4e22ce862a099cb47669e --- puppet/modules/site_config/manifests/initial_firewall.pp | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index 9178a5f2..6bef0032 100644 --- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp @@ -50,15 +50,13 @@ class site_config::initial_firewall { 'default_ipv4_firewall': command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, - unless => '/sbin/shorewall status', - require => [ Package['shorewall'], - File['/etc/network/ipv4firewall_up.rules'] ]; + unless => '/etc/init.d/shorewall status', + require => File['/etc/network/ipv4firewall_up.rules']; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, - unless => '/sbin/shorewall status', - require => [ Package['shorewall'], - File['/etc/network/ipv6firewall_up.rules'] ]; + unless => '/etc/init.d/shorewall status', + require => File['/etc/network/ipv6firewall_up.rules']; } } -- cgit v1.2.3 From 042310874c13ee2901c73d36a5f743f69520c6f3 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 4 Sep 2013 10:10:15 +0200 Subject: updated submodule couchdb: don't use couchdb::document for creating _security, cause this special doc doesn't have and _id (#3706) --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index f59e8b2e..dacaeb4d 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit f59e8b2e4aad3023f46ae3a1aad655b06605ee84 +Subproject commit dacaeb4d98be9468336923f5501822d389bda768 -- cgit v1.2.3 From 9544d1a4c8e3dfa11ba611b296a3e47edde0e67f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 14:47:09 -0400 Subject: make sure that the shorewall package is installed before trying to change its configuration file (#3701) Change-Id: Ib2dad30d53e5bf7539762eb3683430b10eb875ed --- puppet/modules/site_shorewall/manifests/defaults.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 35e47982..6a40d501 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -51,12 +51,14 @@ class site_shorewall::defaults { changes => 'set /files/etc/shorewall/shorewall.conf/SAFESTOP Yes', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', + require => Package['shorewall'], notify => Service[shorewall]; # require that the interface exist 'shorewall_REQUIRE_INTERFACE': changes => 'set /files/etc/shorewall/shorewall.conf/REQUIRE_INTERFACE Yes', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', + require => Package['shorewall'], notify => Service[shorewall]; # configure shorewall-init 'shorewall-init': -- cgit v1.2.3 From ae225f1a9d478019cd22485795e7c6c916b2845c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Sep 2013 15:04:03 -0400 Subject: fix soledad-server not being available before the leap repository has been configured (#3702) Change-Id: I8a86a241c52d88b4b681a800647d7c9c7c574b8e --- puppet/modules/soledad/manifests/server.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index fcf9d461..393d416a 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -47,7 +47,8 @@ class soledad::server { package { 'soledad-server': ensure => latest, - require => Class['site_apt::preferences::twisted'] + require => [ Class['site_apt::preferences::twisted'], + Class['site_apt::leap_repo'] ]; } file { '/etc/default/soledad': -- cgit v1.2.3 From 64a190e046847a90d9148f4bf48441b0f2e05287 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 4 Sep 2013 20:46:35 +0200 Subject: updated couchdb submodule: bigcouch nodes doesn't get registered as cluster members (Bug #3703) --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index dacaeb4d..9250ca56 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit dacaeb4d98be9468336923f5501822d389bda768 +Subproject commit 9250ca56e0235e4b213af932c8952b97630cc076 -- cgit v1.2.3 From 99ffaf7ab6fb4ee39b1e2bb4977a9101cdfebec6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Sep 2013 14:56:27 -0400 Subject: need to test that /etc/init.d/shorewall exists before attempting to call it, otherwise puppet complains (#3339) Change-Id: I7c8cc235817fe3d898157de4c4fdd8f1fe74f05a --- puppet/modules/site_config/manifests/initial_firewall.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/initial_firewall.pp b/puppet/modules/site_config/manifests/initial_firewall.pp index 6bef0032..51cceb31 100644 --- a/puppet/modules/site_config/manifests/initial_firewall.pp +++ b/puppet/modules/site_config/manifests/initial_firewall.pp @@ -50,13 +50,13 @@ class site_config::initial_firewall { 'default_ipv4_firewall': command => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules', logoutput => true, - unless => '/etc/init.d/shorewall status', + unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status', require => File['/etc/network/ipv4firewall_up.rules']; 'default_ipv6_firewall': command => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules', logoutput => true, - unless => '/etc/init.d/shorewall status', + unless => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status', require => File['/etc/network/ipv6firewall_up.rules']; } } -- cgit v1.2.3 From c8488a381071aba3ebe88f8b84185d7b6ad8a625 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Sep 2013 20:14:26 -0400 Subject: change git repository clone URIs from git:// to https:// (#3732) Change-Id: Ic700fec9cfb8e8474fb65dbdd4a1a537bf586ec9 --- puppet/modules/site_nickserver/manifests/init.pp | 2 +- puppet/modules/site_webapp/manifests/init.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index a3368771..153355f1 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -69,7 +69,7 @@ class site_nickserver { ensure => present, revision => 'origin/master', provider => git, - source => 'git://code.leap.se/nickserver', + source => 'https://leap.se/git/nickserver', owner => 'nickserver', group => 'nickserver', require => [ User['nickserver'], Group['nickserver'] ], diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index b3a556a6..9c4c2693 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -36,7 +36,7 @@ class site_webapp { force => true, revision => 'origin/master', provider => git, - source => 'git://code.leap.se/leap_web', + source => 'https://leap.se/git/leap_web', owner => 'leap-webapp', group => 'leap-webapp', require => [ User['leap-webapp'], Group['leap-webapp'] ], -- cgit v1.2.3 From f9ee40f2fca2396c1ef7d85a9c44b97fe834671a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Sep 2013 22:46:56 -0400 Subject: fix initial firewall to allow outgoing lo traffic and outgoing port 443 (#3736) this allows nameserver queries to the local resolver to work and clones to the leap https repository to work Change-Id: I575d08405a0c28e12c8d201a8dbc79585a5a9a48 --- puppet/modules/site_config/templates/ipv4firewall_up.rules.erb | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb index c03716f3..524ae308 100644 --- a/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb +++ b/puppet/modules/site_config/templates/ipv4firewall_up.rules.erb @@ -10,10 +10,12 @@ -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 +-A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --sport <%= @ssh_port %> -j ACCEPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT +-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 -- cgit v1.2.3 From 3d56396278a160d03efd1ddeda65646fcf7ca1a4 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Sep 2013 17:57:15 +0200 Subject: puppet fails if no services are configured (Bug #3747) --- puppet/manifests/site.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index c7d00c61..bce3a08b 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -2,7 +2,7 @@ Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } # parse services for host -$services=join(hiera_array('services'), ' ') +$services=join(hiera_array('services', ['']), ' ') notice("Services for ${fqdn}: ${services}") # make sure apt is updated before any packages are installed -- cgit v1.2.3 From e328df2ba76628ae23f3fcdee476d6bb0ec8177f Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Sep 2013 18:09:25 +0200 Subject: Some packages are installed before refresh_apt is called (Bug #2988) --- puppet/modules/site_apt/manifests/init.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 8821c110..3fa9a2b7 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -37,6 +37,6 @@ class site_apt { # The creation of sources.list depends on the lsb package File['/etc/apt/preferences'] -> - Exec['refresh_apt'] - Package <| ( title != 'lsb' ) |> + Exec['refresh_apt'] -> + Package <| ( title != 'lsb' ) |> } -- cgit v1.2.3 From bda67fd78d64bcc152535d2d16bca9b31c1ecbf8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Sep 2013 18:32:03 +0200 Subject: updated submodule apt: unattended-upgrades package cannot be installed (Bug #3098) --- puppet/modules/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/apt b/puppet/modules/apt index 1a72a996..64fb988c 160000 --- a/puppet/modules/apt +++ b/puppet/modules/apt @@ -1 +1 @@ -Subproject commit 1a72a99693c1d77bfe891546408f88264fca98ee +Subproject commit 64fb988c0e37d64fb3e241dc95f156072e43bf2a -- cgit v1.2.3 From a6a001c4b2bb147a3ef25f9058c48658bf1ef573 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 5 Sep 2013 14:23:15 -0400 Subject: require that shorewall is up before running bundler commands, it needs to pull things from git (#3756) Change-Id: If404452c54dedb7a39a910994dc68309257d351d --- puppet/modules/site_webapp/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 9c4c2693..b4d5bb14 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -49,7 +49,7 @@ class site_webapp { unless => '/usr/bin/bundle check', user => 'leap-webapp', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'] ], + require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'], Service['shorewall'] ], notify => Service['apache']; } -- cgit v1.2.3 From fcbf7c0b4df14149269b646b5ac8e66acd63647e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 6 Sep 2013 17:37:03 +0200 Subject: use define instead of class for site_stunnel::setup (#3817) so it can be called multiple times --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- puppet/modules/site_mx/manifests/couchdb.pp | 2 +- puppet/modules/site_stunnel/manifests/setup.pp | 2 +- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index d982013e..481da279 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -27,7 +27,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { # basic setup: ensure cert, key, ca files are in place, and some generic # stunnel things are done - class { 'site_stunnel::setup': + site_stunnel::setup { 'couchdb_couchdb': cert_name => $cert_name, key => $key, cert => $cert, diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp index f842ceab..85db7327 100644 --- a/puppet/modules/site_mx/manifests/couchdb.pp +++ b/puppet/modules/site_mx/manifests/couchdb.pp @@ -15,7 +15,7 @@ class site_mx::couchdb { $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" - class { 'site_stunnel::setup': + site_stunnel::setup {'mx_couchdb': cert_name => $cert_name, key => $key, cert => $cert, diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp index 92eeb425..7fd18d47 100644 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -1,4 +1,4 @@ -class site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { +define site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { include site_stunnel diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ac01a5bc..4bafc7f3 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -60,7 +60,7 @@ class site_webapp::couchdb { mode => '0744'; } - class { 'site_stunnel::setup': + site_stunnel::setup { 'webapp_couchdb': cert_name => $cert_name, key => $key, cert => $cert, -- cgit v1.2.3 From 4d58a02c83baf0ce0a9ecb349d998aa3dad9493f Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 13 Sep 2013 14:17:20 +0200 Subject: deploy default x509::ca leap_ca in site_config::default (#3817) --- puppet/modules/site_config/manifests/default.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 0a4e75b6..dd0d37f7 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -55,4 +55,15 @@ class site_config::default { include site_squid_deb_proxy::client } + # Set up leap ca + $x509 = hiera('x509') + $ca = $x509['ca_cert'] + $ca_name = 'leap_ca' + + x509::ca { $ca_name: + content => $ca, + before => [ + Class['Site_openvpn::Keys'], + Class['Site_stunnel'] ] + } } -- cgit v1.2.3 From a6c19295e276da865f6c66963ed761d3ebc7dc99 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 13 Sep 2013 14:17:54 +0200 Subject: remove x509::ca for leap_ca in site_openvpn::keys and site_stunnel::stunnel (#3817) --- puppet/modules/site_openvpn/manifests/keys.pp | 6 ------ puppet/modules/site_stunnel/manifests/setup.pp | 6 ------ 2 files changed, 12 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index f3c5b423..864bbd9b 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -12,12 +12,6 @@ class site_openvpn::keys { notify => Service[openvpn]; } - x509::ca { - 'leap_ca': - content => $site_openvpn::x509_config['ca_cert'], - notify => Service[openvpn]; - } - file { '/etc/openvpn/keys/dh.pem': content => $site_openvpn::x509_config['dh'], mode => '0644', diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp index 7fd18d47..2309800b 100644 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -14,11 +14,5 @@ define site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { notify => Service['stunnel']; } - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; - } - } -- cgit v1.2.3 From 3a9569ca027dccef87509323f08407e60039d9a9 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 13 Sep 2013 15:55:09 +0200 Subject: Deploy default x509 cert + key that services can use (Feature #3836) --- puppet/modules/site_config/manifests/default.pp | 13 ++----------- puppet/modules/site_config/manifests/params.pp | 3 +++ puppet/modules/site_config/manifests/x509.pp | 19 +++++++++++++++++++ 3 files changed, 24 insertions(+), 11 deletions(-) create mode 100644 puppet/modules/site_config/manifests/x509.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index dd0d37f7..b315044a 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -55,15 +55,6 @@ class site_config::default { include site_squid_deb_proxy::client } - # Set up leap ca - $x509 = hiera('x509') - $ca = $x509['ca_cert'] - $ca_name = 'leap_ca' - - x509::ca { $ca_name: - content => $ca, - before => [ - Class['Site_openvpn::Keys'], - Class['Site_stunnel'] ] - } + include site_config::x509 + } diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 237ee454..20697042 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -22,4 +22,7 @@ class site_config::params { else { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") } + + $ca_name = 'leap_ca' + $cert_name = 'leap' } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp new file mode 100644 index 00000000..879285dd --- /dev/null +++ b/puppet/modules/site_config/manifests/x509.pp @@ -0,0 +1,19 @@ +class site_config::x509 { + + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + + x509::key { $site_config::params::cert_name: + content => $key + } + + x509::cert { $site_config::params::cert_name: + content => $cert + } + + x509::ca { $site_config::params::ca_name: + content => $ca + } +} -- cgit v1.2.3 From 3e5e685200e9b5c3ac8567100e552929ea55d8e8 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 13 Sep 2013 16:20:07 +0200 Subject: setup stunnel config to use default x509 cert,key+ca (#3837) * fix stunnel setups for couchdb, mx, webapp services --- puppet/modules/site_couchdb/manifests/init.pp | 11 +---------- puppet/modules/site_couchdb/manifests/stunnel.pp | 20 ++++---------------- puppet/modules/site_mx/manifests/couchdb.pp | 20 ++++---------------- puppet/modules/site_stunnel/manifests/setup.pp | 18 ------------------ puppet/modules/site_webapp/manifests/couchdb.pp | 8 +------- 5 files changed, 10 insertions(+), 67 deletions(-) delete mode 100644 puppet/modules/site_stunnel/manifests/setup.pp (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 43abd616..6bc4f6a3 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,11 +1,6 @@ class site_couchdb { tag 'leap_service' - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $couchdb_config = hiera('couch') $couchdb_users = $couchdb_config['users'] $couchdb_admin = $couchdb_users['admin'] @@ -44,11 +39,7 @@ class site_couchdb { -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_soledad_user] - class { 'site_couchdb::stunnel': - key => $key, - cert => $cert, - ca => $ca - } + class { 'site_couchdb::stunnel': } class { 'site_couchdb::bigcouch::add_nodes': } diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 481da279..993555cb 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,4 +1,4 @@ -class site_couchdb::stunnel ($key, $cert, $ca) { +class site_couchdb::stunnel { $stunnel = hiera('stunnel') @@ -19,21 +19,9 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $ednp_clients = $stunnel['ednp_clients'] include x509::variables - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - - # basic setup: ensure cert, key, ca files are in place, and some generic - # stunnel things are done - site_stunnel::setup { 'couchdb_couchdb': - cert_name => $cert_name, - key => $key, - cert => $cert, - ca_name => $ca_name, - ca => $ca - } + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" # setup a stunnel server for the webapp to connect to couchdb stunnel::service { 'couch_server': diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp index 85db7327..b1f3bd02 100644 --- a/puppet/modules/site_mx/manifests/couchdb.pp +++ b/puppet/modules/site_mx/manifests/couchdb.pp @@ -5,23 +5,11 @@ class site_mx::couchdb { $couch_client_connect = $couch_client['connect'] include x509::variables - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - site_stunnel::setup {'mx_couchdb': - cert_name => $cert_name, - key => $key, - cert => $cert, - ca_name => $ca_name, - ca => $ca - } + include site_stunnel $couchdb_stunnel_client_defaults = { 'connect_port' => $couch_client_connect, diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp deleted file mode 100644 index 2309800b..00000000 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ /dev/null @@ -1,18 +0,0 @@ -define site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { - - include site_stunnel - - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - -} - diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 4bafc7f3..f9a4eb6b 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -60,13 +60,7 @@ class site_webapp::couchdb { mode => '0744'; } - site_stunnel::setup { 'webapp_couchdb': - cert_name => $cert_name, - key => $key, - cert => $cert, - ca_name => $ca_name, - ca => $ca - } + include site_stunnel exec { 'migrate_design_documents': cwd => '/srv/leap/webapp', -- cgit v1.2.3 From a27a46af184331c2b6dab4a0ead4f7a77de713df Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Fri, 13 Sep 2013 22:06:46 +0200 Subject: change vcsrepo submodule url (bug #3139) --- puppet/modules/openvpn | 2 +- puppet/modules/tor | 2 +- puppet/modules/vcsrepo | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn index 25f1fe8d..26d4edc6 160000 --- a/puppet/modules/openvpn +++ b/puppet/modules/openvpn @@ -1 +1 @@ -Subproject commit 25f1fe8d813f6128068d890a40f5e24be78fb47c +Subproject commit 26d4edc669853a268a65d2cbbfb42c19f1333de7 diff --git a/puppet/modules/tor b/puppet/modules/tor index a780e840..dcb6e748 160000 --- a/puppet/modules/tor +++ b/puppet/modules/tor @@ -1 +1 @@ -Subproject commit a780e84001177f10a86a7bf824589c0553f513a0 +Subproject commit dcb6e748864e7dfd3c14f4f2aba4c9120f12b78a diff --git a/puppet/modules/vcsrepo b/puppet/modules/vcsrepo index 4db1120c..f92d0922 160000 --- a/puppet/modules/vcsrepo +++ b/puppet/modules/vcsrepo @@ -1 +1 @@ -Subproject commit 4db1120c78763f5244dc6c9d2e0d064a6ef363e0 +Subproject commit f92d09226cfddb0c7e5e342dd199d8ea05b497cb -- cgit v1.2.3 From 70284fd0e786ad838fbbd40c816f6c0d01cc1629 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Sat, 14 Sep 2013 11:41:16 +0200 Subject: moved openvpn submodule back to 25f1fe8d8, like it was before --- puppet/modules/openvpn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/openvpn b/puppet/modules/openvpn index 26d4edc6..25f1fe8d 160000 --- a/puppet/modules/openvpn +++ b/puppet/modules/openvpn @@ -1 +1 @@ -Subproject commit 26d4edc669853a268a65d2cbbfb42c19f1333de7 +Subproject commit 25f1fe8d813f6128068d890a40f5e24be78fb47c -- cgit v1.2.3 From f1ad11887a65b94f101e0d99363daeba93020d2a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 14 Sep 2013 13:00:15 -0400 Subject: ensure site_config::caching_resolver runs with tag leap_base (#3757) Change-Id: I593602ff9d3486dee39227673147e137045c55c5 --- puppet/modules/site_config/manifests/caching_resolver.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 922c394f..3d7b9206 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,4 +1,5 @@ class site_config::caching_resolver { + tag 'leap_base' # Setup a conf.d directory to place additional unbound configuration files. # There must be at least one file in the directory, or unbound will not start, -- cgit v1.2.3 From d9fc65006a65d7fe7e5799079ce3e1d0baeade8c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Sep 2013 17:24:45 +0200 Subject: updated submodule stunnel - include stunnel in stunnel::service (https://leap.se/code/issues/3861) --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 75d387fc..53d5864d 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 75d387fc8aff12232fdeae2efbbfccdd91f94656 +Subproject commit 53d5864d217fbbb265aba7887bb4900b40a0fcc8 -- cgit v1.2.3 From c5d4a716ffc8bad1a0a634438245eb02452ed43d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Sep 2013 12:07:45 -0400 Subject: update stunnel submodule commit id to correct one for new repository Change-Id: I33292b9eb2a5553ac296857c99fdaf350ed52542 --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index 53d5864d..b6fbb5f0 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit 53d5864d217fbbb265aba7887bb4900b40a0fcc8 +Subproject commit b6fbb5f013976f6ad1448ac744ae50b2b1aa0bd0 -- cgit v1.2.3 From ecb3727ad43ee55f07db067e80b9d74308296582 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Sep 2013 18:00:32 +0200 Subject: site_config::params::interface should contain eth1 for vagrant cause it's the main interface we use (#2399, #2401) --- puppet/modules/site_config/manifests/params.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 20697042..a4657457 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -5,7 +5,7 @@ class site_config::params { $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") if $::virtual == 'virtualbox' { - $interface = [ 'eth0', 'eth1' ] + $interface = 'eth1' } elsif hiera('interface','') != '' { $interface = hiera('interface') @@ -17,7 +17,7 @@ class site_config::params { $interface = $ec2_local_ipv4_interface } elsif $::interfaces =~ /eth0/ { - $interface = eth0 + $interface = 'eth0' } else { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") -- cgit v1.2.3 From 5ca8f6f9d26a2c2abfa9f1752aad6b8d91020074 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Sep 2013 18:37:00 +0200 Subject: shorewall: #2399 blocks uplink (Bug #2866) --- puppet/modules/site_config/manifests/default.pp | 7 +++++++ puppet/modules/site_config/manifests/vagrant.pp | 10 ++++++++++ 2 files changed, 17 insertions(+) create mode 100644 puppet/modules/site_config/manifests/vagrant.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index b315044a..83a344a2 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -15,11 +15,18 @@ class site_config::default { # configure ssh and include ssh-keys include site_config::sshd + # include classes for special environments + # i.e. openstack/aws nodes, vagrant nodes + # fix dhclient from changing resolver information if $::ec2_instance_id { include site_config::dhclient } + if ( $::virtual == 'virtualbox' ) { + include site_config::vagrant + } + # configure /etc/resolv.conf include site_config::resolvconf diff --git a/puppet/modules/site_config/manifests/vagrant.pp b/puppet/modules/site_config/manifests/vagrant.pp new file mode 100644 index 00000000..04266735 --- /dev/null +++ b/puppet/modules/site_config/manifests/vagrant.pp @@ -0,0 +1,10 @@ +class site_config::vagrant { + # class for vagrant nodes + + # eth0 on vagrant nodes is the uplink if + shorewall::interface { 'eth0': + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + +} -- cgit v1.2.3 From 5d253f32696851771f0d95c2de1fec081657f8a4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Sep 2013 16:05:46 -0400 Subject: fix stunnel module so that code was not removed accidentally Change-Id: Ia236eb5b7609d9f96970230fce4d0051d832e3cb --- puppet/modules/stunnel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel index b6fbb5f0..ec49fd93 160000 --- a/puppet/modules/stunnel +++ b/puppet/modules/stunnel @@ -1 +1 @@ -Subproject commit b6fbb5f013976f6ad1448ac744ae50b2b1aa0bd0 +Subproject commit ec49fd93c2469bc5c13f7e6a7d25468613e1b84f -- cgit v1.2.3 From ca3f34da520ff835d383aa82f528adf927d3364f Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 18 Sep 2013 12:20:43 +0200 Subject: include shorewall::interface{eth0} in setup.pp so packages can be installed during main puppetrun, even before shorewall is configured completly --- puppet/manifests/setup.pp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'puppet') diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index 84e4c056..ba58e728 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -22,3 +22,11 @@ if hiera('squid_deb_proxy_client', false) { include site_squid_deb_proxy::client } +# shorewall is installed/half-configured during setup.pp (Bug #3871) +# we need to include shorewall::interface{eth0} in setup.pp so +# packages can be installed during main puppetrun, even before shorewall +# is configured completly +if ( $::virtual == 'virtualbox' ) { + include site_config::vagrant +} + -- cgit v1.2.3 From bdfef97e49f17c74158084e10e7d0121cc70dd42 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Sep 2013 19:11:39 +0200 Subject: openvpn should use /usr/local/share/ca-certificates/leap_ca.crt (Feature #3831) --- puppet/modules/site_config/manifests/params.pp | 5 +++-- puppet/modules/site_config/manifests/x509.pp | 5 +++++ puppet/modules/site_openvpn/manifests/server_config.pp | 6 +++--- 3 files changed, 11 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index a4657457..b434af90 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -23,6 +23,7 @@ class site_config::params { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") } - $ca_name = 'leap_ca' - $cert_name = 'leap' + $ca_name = 'leap_ca' + $ca_bundle_name = 'leap_ca_bundle' + $cert_name = 'leap' } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp index 879285dd..2660c523 100644 --- a/puppet/modules/site_config/manifests/x509.pp +++ b/puppet/modules/site_config/manifests/x509.pp @@ -4,6 +4,7 @@ class site_config::x509 { $key = $x509['key'] $cert = $x509['cert'] $ca = $x509['ca_cert'] + $client_ca = $x509['client_ca_cert'] x509::key { $site_config::params::cert_name: content => $key @@ -16,4 +17,8 @@ class site_config::x509 { x509::ca { $site_config::params::ca_name: content => $ca } + + x509::ca { $site_config::params::ca_bundle_name: + content => "${ca}${client_ca}" + } } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 5ba9812f..befeaef7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -80,15 +80,15 @@ define site_openvpn::server_config( openvpn::option { "ca ${openvpn_configname}": key => 'ca', - value => '/etc/openvpn/ca_bundle.pem', + value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt", server => $openvpn_configname; "cert ${openvpn_configname}": key => 'cert', - value => '/etc/x509/certs/leap_openvpn.crt', + value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", server => $openvpn_configname; "key ${openvpn_configname}": key => 'key', - value => '/etc/x509/keys/leap_openvpn.key', + value => "${x509::variables::keys}/${site_config::params::cert_name}.key", server => $openvpn_configname; "dh ${openvpn_configname}": key => 'dh', -- cgit v1.2.3 From 869b9e26475180d41513d036a0600ee433da1b77 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 18 Sep 2013 16:50:15 +0200 Subject: deploy client_ca (#3833) --- puppet/modules/site_config/manifests/params.pp | 1 + puppet/modules/site_config/manifests/x509.pp | 4 ++++ 2 files changed, 5 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index b434af90..008a4e1f 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -24,6 +24,7 @@ class site_config::params { } $ca_name = 'leap_ca' + $client_ca_name = 'leap_client_ca' $ca_bundle_name = 'leap_ca_bundle' $cert_name = 'leap' } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp index 2660c523..8eca97e7 100644 --- a/puppet/modules/site_config/manifests/x509.pp +++ b/puppet/modules/site_config/manifests/x509.pp @@ -18,6 +18,10 @@ class site_config::x509 { content => $ca } + x509::ca { $site_config::params::client_ca_name: + content => $client_ca + } + x509::ca { $site_config::params::ca_bundle_name: content => "${ca}${client_ca}" } -- cgit v1.2.3 From 1f9003eb6ed90400279011d477e6143e2eb6e2db Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 18 Sep 2013 16:50:59 +0200 Subject: use x509 for postfix ca and fix names for cert+key (Feature #3833) --- puppet/modules/site_postfix/manifests/mx.pp | 3 +-- puppet/modules/site_postfix/manifests/mx/tls.pp | 20 ++++---------------- 2 files changed, 5 insertions(+), 18 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2d8f3db5..4a7d66ed 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -44,7 +44,6 @@ submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -o smtpd_helo_restrictions=\$submission_helo_restrictions", - require => [ - X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] + require => Class['Site_config::X509'] } } diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 8c9da9db..34df72bb 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -1,26 +1,14 @@ class site_postfix::mx::tls { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $client_ca = $x509['client_ca_cert'] - include x509::variables - $cert_name = hiera('name') - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - - x509::key { $cert_name: - content => $key, - } + $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - x509::cert { $cert_name: - content => $cert, - } postfix::config { 'smtpd_use_tls': value => 'yes'; - 'smtpd_tls_CAfile': value => $client_ca; + 'smtpd_tls_CAfile': value => $ca_path; 'smtpd_tls_cert_file': value => $cert_path; 'smtpd_tls_key_file': value => $key_path; 'smtpd_tls_ask_ccert': value => 'yes'; -- cgit v1.2.3 From 3388336b57cc59617b6dc8380beeeacfdb2fb5b3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 18 Sep 2013 12:05:10 -0400 Subject: Setup a class dependency for every tag 'leap_service' to make sure that shorewall is setup before the service is setup. This is necessary due to the strict initial firewall that stops various service setup operations from happening, but is relaxed once shorewall is setup properly (#3782) Change-Id: Ia9640c4118aa0053cdb99e7bc11860fed5527501 --- puppet/modules/site_couchdb/manifests/init.pp | 3 ++- puppet/modules/site_mx/manifests/init.pp | 1 + puppet/modules/site_nagios/manifests/init.pp | 2 ++ puppet/modules/site_nickserver/manifests/init.pp | 2 ++ puppet/modules/site_openvpn/manifests/init.pp | 2 ++ puppet/modules/site_tor/manifests/init.pp | 3 ++- puppet/modules/site_webapp/manifests/init.pp | 2 ++ 7 files changed, 13 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 6bc4f6a3..f4f93828 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -31,7 +31,8 @@ class site_couchdb { class { 'couchdb::bigcouch::package::cloudant': } - Class ['couchdb::bigcouch::package::cloudant'] + Class['site_config::default'] + -> Class ['couchdb::bigcouch::package::cloudant'] -> Service ['couchdb'] -> Class ['site_couchdb::bigcouch::add_nodes'] -> Couchdb::Create_db['users'] diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 4cf3f41a..3d8469fd 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -1,5 +1,6 @@ class site_mx { tag 'leap_service' + Class['site_config::default'] -> Class['site_mx'] include site_postfix::mx include site_mx::haproxy diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp index cab32905..c3cfa02e 100644 --- a/puppet/modules/site_nagios/manifests/init.pp +++ b/puppet/modules/site_nagios/manifests/init.pp @@ -1,4 +1,6 @@ class site_nagios { tag 'leap_service' + Class['site_config::default'] -> Class['site_nagios'] + include site_nagios::server } diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 153355f1..45503d8a 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -11,6 +11,8 @@ class site_nickserver { tag 'leap_service' + Class['site_config::default'] -> Class['site_nickserver'] + include site_config::ruby # diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index b2bb0d3a..fe5ef87f 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -20,6 +20,8 @@ class site_openvpn { tag 'leap_service' + Class['site_config::default'] -> Class['site_openvpn'] + $openvpn_config = hiera('openvpn') $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index ac830f0d..16ee4c30 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -1,6 +1,7 @@ class site_tor { tag 'leap_service' - + Class['site_config::default'] -> Class['site_tor'] + $tor = hiera('tor') $bandwidth_rate = $tor['bandwidth_rate'] $tor_type = $tor['type'] diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index b4d5bb14..97a75010 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -11,6 +11,8 @@ class site_webapp { $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] + Class['site_config::default'] -> Class['site_webapp'] + include site_config::ruby include site_webapp::apache include site_webapp::couchdb -- cgit v1.2.3 From 1ce6cb5a30c5ee73d6474ac9c1bbd4c7819d9a73 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:19:00 +0200 Subject: only deploy x509 stuff for nodes if it existes in hiera (Feature #3875) --- puppet/modules/site_config/manifests/default.pp | 2 -- puppet/modules/site_config/manifests/x509.pp | 28 ---------------------- puppet/modules/site_config/manifests/x509/ca.pp | 9 +++++++ .../site_config/manifests/x509/ca_bundle.pp | 10 ++++++++ .../modules/site_config/manifests/x509/cert_key.pp | 15 ++++++++++++ .../site_config/manifests/x509/client_ca.pp | 9 +++++++ puppet/modules/site_couchdb/manifests/stunnel.pp | 5 ++++ puppet/modules/site_mx/manifests/init.pp | 5 ++++ puppet/modules/site_nickserver/manifests/init.pp | 5 ++++ puppet/modules/site_openvpn/manifests/init.pp | 6 ++++- puppet/modules/site_postfix/manifests/mx.pp | 8 ++++++- puppet/modules/site_webapp/manifests/couchdb.pp | 2 ++ puppet/modules/soledad/manifests/server.pp | 3 +++ 13 files changed, 75 insertions(+), 32 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/x509.pp create mode 100644 puppet/modules/site_config/manifests/x509/ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/ca_bundle.pp create mode 100644 puppet/modules/site_config/manifests/x509/cert_key.pp create mode 100644 puppet/modules/site_config/manifests/x509/client_ca.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 83a344a2..b27e99af 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -62,6 +62,4 @@ class site_config::default { include site_squid_deb_proxy::client } - include site_config::x509 - } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp deleted file mode 100644 index 8eca97e7..00000000 --- a/puppet/modules/site_config/manifests/x509.pp +++ /dev/null @@ -1,28 +0,0 @@ -class site_config::x509 { - - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $client_ca = $x509['client_ca_cert'] - - x509::key { $site_config::params::cert_name: - content => $key - } - - x509::cert { $site_config::params::cert_name: - content => $cert - } - - x509::ca { $site_config::params::ca_name: - content => $ca - } - - x509::ca { $site_config::params::client_ca_name: - content => $client_ca - } - - x509::ca { $site_config::params::ca_bundle_name: - content => "${ca}${client_ca}" - } -} diff --git a/puppet/modules/site_config/manifests/x509/ca.pp b/puppet/modules/site_config/manifests/x509/ca.pp new file mode 100644 index 00000000..b16d0eeb --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/ca.pp @@ -0,0 +1,9 @@ +class site_config::x509::ca { + + $x509 = hiera('x509') + $ca = $x509['ca_cert'] + + x509::ca { $site_config::params::ca_name: + content => $ca + } +} diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp new file mode 100644 index 00000000..204f0a5e --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp @@ -0,0 +1,10 @@ +class site_config::x509::ca_bundle { + + $x509 = hiera('x509') + $ca = $x509['ca_cert'] + $client_ca = $x509['client_ca_cert'] + + x509::ca { $site_config::params::ca_bundle_name: + content => "${ca}${client_ca}" + } +} diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp new file mode 100644 index 00000000..d55c6cf2 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/cert_key.pp @@ -0,0 +1,15 @@ +class site_config::x509::cert_key { + + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + + x509::key { $site_config::params::cert_name: + content => $key + } + + x509::cert { $site_config::params::cert_name: + content => $cert + } + +} diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp new file mode 100644 index 00000000..f91ea970 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca.pp @@ -0,0 +1,9 @@ +class site_config::x509::client_ca { + + $x509 = hiera('x509') + $client_ca = $x509['client_ca_cert'] + + x509::ca { $site_config::params::client_ca_name: + content => $client_ca + } +} diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 993555cb..fbb75000 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -18,6 +18,11 @@ class site_couchdb::stunnel { $ednp_server_connect = $ednp_server['connect'] $ednp_clients = $stunnel['ednp_clients'] + + + include site_config::x509::cert_key + include site_config::x509::ca + include x509::variables $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 3d8469fd..527dc4a5 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,6 +2,11 @@ class site_mx { tag 'leap_service' Class['site_config::default'] -> Class['site_mx'] + include site_config::x509::cert_key + include site_config::x509::ca + include site_config::x509::client_ca + + include site_postfix::mx include site_mx::haproxy include site_shorewall::mx diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 45503d8a..84b07e77 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -36,6 +36,11 @@ class site_nickserver { # temporarily for now: $domain = hiera('domain') $address_domain = $domain['full_suffix'] + + + include site_config::x509::cert_key + include site_config::x509::ca + $x509 = hiera('x509') $x509_key = $x509['key'] $x509_cert = $x509['cert'] diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index fe5ef87f..41f4c6d4 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -20,8 +20,12 @@ class site_openvpn { tag 'leap_service' + include site_config::x509::cert_key + include site_config::x509::ca_bundle + + Class['site_config::default'] -> Class['site_openvpn'] - + $openvpn_config = hiera('openvpn') $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 4a7d66ed..32465e01 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,6 +8,9 @@ class site_postfix::mx { $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' + include site_config::x509::cert_key + include site_config::x509::client_ca + postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; @@ -44,6 +47,9 @@ submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -o smtpd_helo_restrictions=\$submission_helo_restrictions", - require => Class['Site_config::X509'] + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Client_ca'], + User['vmail'] ] } } diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index f9a4eb6b..24f9279d 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -13,6 +13,8 @@ class site_webapp::couchdb { $couch_client = $stunnel['couch_client'] $couch_client_connect = $couch_client['connect'] + include site_config::x509::cert_key + include site_config::x509::ca include x509::variables $x509 = hiera('x509') $key = $x509['key'] diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 393d416a..c0af238c 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -9,6 +9,9 @@ class soledad::server { $couchdb_user = $couchdb['couchdb_admin_user']['username'] $couchdb_password = $couchdb['couchdb_admin_user']['password'] + include site_config::x509::cert_key + include site_config::x509::ca + $x509 = hiera('x509') $x509_key = $x509['key'] $x509_cert = $x509['cert'] -- cgit v1.2.3 From c68399c019d09a4c8ba44f47936b4b3842802177 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:29:15 +0200 Subject: tidy openvpn x509 definitions (#3831) --- .../site_config/manifests/x509/ca_bundle.pp | 6 +++ puppet/modules/site_openvpn/manifests/dh_key.pp | 10 +++++ puppet/modules/site_openvpn/manifests/init.pp | 5 +-- puppet/modules/site_openvpn/manifests/keys.pp | 45 ---------------------- 4 files changed, 18 insertions(+), 48 deletions(-) create mode 100644 puppet/modules/site_openvpn/manifests/dh_key.pp delete mode 100644 puppet/modules/site_openvpn/manifests/keys.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp index 204f0a5e..4cbe574a 100644 --- a/puppet/modules/site_config/manifests/x509/ca_bundle.pp +++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp @@ -1,5 +1,11 @@ class site_config::x509::ca_bundle { + # CA bundle -- we want to have the possibility of allowing multiple CAs. + # For now, the reason is to transition to using client CA. In the future, + # we will want to be able to smoothly phase out one CA and phase in another. + # I tried "--capath" for this, but it did not work. + + $x509 = hiera('x509') $ca = $x509['ca_cert'] $client_ca = $x509['client_ca_cert'] diff --git a/puppet/modules/site_openvpn/manifests/dh_key.pp b/puppet/modules/site_openvpn/manifests/dh_key.pp new file mode 100644 index 00000000..13cc0f5b --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/dh_key.pp @@ -0,0 +1,10 @@ +class site_openvpn::dh_key { + + $x509_config = hiera('x509') + + file { '/etc/openvpn/keys/dh.pem': + content => $x509_config['dh'], + mode => '0644', + } + +} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 41f4c6d4..29b3f13f 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -27,7 +27,6 @@ class site_openvpn { Class['site_config::default'] -> Class['site_openvpn'] $openvpn_config = hiera('openvpn') - $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] if $::ec2_instance_id { @@ -62,8 +61,8 @@ class site_openvpn { $openvpn_limited_udp_cidr = '21' } - # deploy ca + server keys - include site_openvpn::keys + # deploy dh keys + include site_openvpn::dh_key if $openvpn_allow_unlimited and $openvpn_allow_limited { $unlimited_gateway_address = $openvpn_gateway_address diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp deleted file mode 100644 index 864bbd9b..00000000 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ /dev/null @@ -1,45 +0,0 @@ -class site_openvpn::keys { - - x509::key { - 'leap_openvpn': - content => $site_openvpn::x509_config['key'], - notify => Service[openvpn]; - } - - x509::cert { - 'leap_openvpn': - content => $site_openvpn::x509_config['cert'], - notify => Service[openvpn]; - } - - file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::x509_config['dh'], - mode => '0644', - } - - # - # CA bundle -- we want to have the possibility of allowing multiple CAs. - # For now, the reason is to transition to using client CA. In the future, - # we will want to be able to smoothly phase out one CA and phase in another. - # I tried "--capath" for this, but it did not work. - # - - concat { - '/etc/openvpn/ca_bundle.pem': - owner => root, - group => root, - mode => 644, - warn => true, - notify => Service['openvpn']; - } - - concat::fragment { - 'client_ca_cert': - content => $site_openvpn::x509_config['client_ca_cert'], - target => '/etc/openvpn/ca_bundle.pem'; - 'ca_cert': - content => $site_openvpn::x509_config['ca_cert'], - target => '/etc/openvpn/ca_bundle.pem'; - } - -} -- cgit v1.2.3 From 12d22a47ad529f02e0c6d27b25f7ddaa17a32727 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:32:35 +0200 Subject: soledad should use default key, cert and ca (Feature #3841) --- puppet/modules/soledad/manifests/server.pp | 31 ++++++++---------------------- 1 file changed, 8 insertions(+), 23 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index c0af238c..0c073443 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -12,29 +12,9 @@ class soledad::server { include site_config::x509::cert_key include site_config::x509::ca - $x509 = hiera('x509') - $x509_key = $x509['key'] - $x509_cert = $x509['cert'] - $x509_ca = $x509['ca_cert'] - $soledad = hiera('soledad') $soledad_port = $soledad['port'] - x509::key { 'soledad': - content => $x509_key, - notify => Service['soledad-server']; - } - - x509::cert { 'soledad': - content => $x509_cert, - notify => Service['soledad-server']; - } - - x509::ca { 'soledad': - content => $x509_ca, - notify => Service['soledad-server']; - } - # # SOLEDAD CONFIG # @@ -50,8 +30,9 @@ class soledad::server { package { 'soledad-server': ensure => latest, - require => [ Class['site_apt::preferences::twisted'], - Class['site_apt::leap_repo'] ]; + require => [ + Class['site_apt::preferences::twisted'], + Class['site_apt::leap_repo'] ]; } file { '/etc/default/soledad': @@ -68,7 +49,11 @@ class soledad::server { enable => true, hasstatus => true, hasrestart => true, - require => [ Class['soledad'], Package['soledad-server'] ]; + require => [ + Class['soledad'], + Package['soledad-server'], + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } include site_shorewall::soledad -- cgit v1.2.3 From d7aca479f254ce4cbe58ee2a2197ea5c6d02de53 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 12:44:30 +0200 Subject: Depend services on deployment of default key, cert and ca (Feature #3838) --- puppet/modules/site_couchdb/manifests/stunnel.pp | 15 ++++++++++++--- puppet/modules/site_openvpn/manifests/init.pp | 6 +++++- puppet/modules/site_stunnel/manifests/clients.pp | 6 +++++- 3 files changed, 22 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index fbb75000..7ba303fe 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -39,7 +39,10 @@ class site_couchdb::stunnel { verify => '2', pid => '/var/run/stunnel4/couchserver.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '4', + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } @@ -55,7 +58,10 @@ class site_couchdb::stunnel { verify => '2', pid => '/var/run/stunnel4/epmd_server.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '4', + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect @@ -81,7 +87,10 @@ class site_couchdb::stunnel { verify => '2', pid => '/var/run/stunnel4/ednp_server.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '4', + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 29b3f13f..6ab0d430 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -137,7 +137,11 @@ class site_openvpn { command => '/etc/init.d/openvpn restart', refreshonly => true, subscribe => File['/etc/openvpn'], - require => [ Package['openvpn'], File['/etc/openvpn'] ]; + require => [ + Package['openvpn'], + File['/etc/openvpn'], + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca_bundle'] ]; } cron { 'add_gateway_ips.sh': diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index ed766e1a..b2c8db1f 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -21,6 +21,10 @@ define site_stunnel::clients ( verify => $verify, pid => "/var/run/stunnel4/${pid}.pid", rndfile => $rndfile, - debuglevel => $debuglevel + debuglevel => $debuglevel, + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; + } } -- cgit v1.2.3 From b798d716e5219d00b5b94ce8b80566e4b3bf0899 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 13:11:24 +0200 Subject: webapp: Depend services on deployment of default key, cert and ca (Feature #3838) --- .../site_config/manifests/x509/client_ca.pp | 5 +++++ puppet/modules/site_webapp/manifests/apache.pp | 24 ++++++++------------- puppet/modules/site_webapp/manifests/client_ca.pp | 25 ---------------------- puppet/modules/site_webapp/manifests/couchdb.pp | 19 ++++------------ puppet/modules/site_webapp/manifests/init.pp | 3 ++- 5 files changed, 20 insertions(+), 56 deletions(-) delete mode 100644 puppet/modules/site_webapp/manifests/client_ca.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp index f91ea970..3e914cf5 100644 --- a/puppet/modules/site_config/manifests/x509/client_ca.pp +++ b/puppet/modules/site_config/manifests/x509/client_ca.pp @@ -1,5 +1,10 @@ class site_config::x509::client_ca { + ## + ## This is for the special CA that is used exclusively for generating + ## client certificates by the webapp. + ## + $x509 = hiera('x509') $client_ca = $x509['client_ca_cert'] diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 4331afe4..3dd1c4c7 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -8,9 +8,15 @@ class site_webapp::apache { $commercial_key = $x509['commercial_key'] $commercial_cert = $x509['commercial_cert'] $commercial_root = $x509['commercial_ca_cert'] - $api_key = $x509['key'] - $api_cert = $x509['cert'] - $api_root = $x509['ca_cert'] + + include site_config::x509::cert_key + include site_config::x509::ca + + include x509::variables + + X509::Cert[$site_config::params::cert_name] ~> Service[apache] + X509::Key[$site_config::params::cert_name] ~> Service[apache] + X509::Ca[$site_config::params::ca_name] ~> Service[apache] class { '::apache': no_default_site => true, ssl => true } @@ -34,29 +40,17 @@ class site_webapp::apache { 'leap_webapp': content => $commercial_key, notify => Service[apache]; - - 'leap_api': - content => $api_key, - notify => Service[apache]; } x509::cert { 'leap_webapp': content => $commercial_cert, notify => Service[apache]; - - 'leap_api': - content => $api_cert, - notify => Service[apache]; } x509::ca { 'leap_webapp': content => $commercial_root, notify => Service[apache]; - - 'leap_api': - content => $api_root, - notify => Service[apache]; } } diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp deleted file mode 100644 index 0d9b15d6..00000000 --- a/puppet/modules/site_webapp/manifests/client_ca.pp +++ /dev/null @@ -1,25 +0,0 @@ -## -## This is for the special CA that is used exclusively for generating -## client certificates by the webapp. -## - -class site_webapp::client_ca { - include x509::variables - - $x509 = hiera('x509') - $cert_path = "${x509::variables::certs}/leap_client_ca.crt" - $key_path = "${x509::variables::keys}/leap_client_ca.key" - - x509::key { - 'leap_client_ca': - source => $x509['client_ca_key'], - group => 'leap-webapp', - notify => Service[apache]; - } - - x509::cert { - 'leap_client_ca': - source => $x509['client_ca_cert'], - notify => Service[apache]; - } -} diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 24f9279d..5a5cccad 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -13,18 +13,7 @@ class site_webapp::couchdb { $couch_client = $stunnel['couch_client'] $couch_client_connect = $couch_client['connect'] - include site_config::x509::cert_key - include site_config::x509::ca include x509::variables - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" file { '/srv/leap/webapp/config/couchdb.yml.admin': @@ -73,10 +62,10 @@ class site_webapp::couchdb { $couchdb_stunnel_client_defaults = { 'connect_port' => $couch_client_connect, - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, + 'client' => true, + 'cafile' => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt", + 'key' => "${x509::variables::keys}/${site_config::params::cert_name}.key", + 'cert' => "${x509::variables::certs}/${site_config::params::cert_name}.crt", } create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 97a75010..4b06cea6 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -16,8 +16,9 @@ class site_webapp { include site_config::ruby include site_webapp::apache include site_webapp::couchdb - include site_webapp::client_ca include site_webapp::haproxy + include site_config::x509::cert_key + include site_config::x509::ca group { 'leap-webapp': ensure => present, -- cgit v1.2.3 From 43a5b322d99effa411c9fddf5f849da70a7768e8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 13:45:03 +0200 Subject: tidy nickserver x509 definitions (#3842) --- puppet/modules/site_nickserver/manifests/init.pp | 24 ++++------------------ .../templates/nickserver-proxy.conf.erb | 6 +++--- 2 files changed, 7 insertions(+), 23 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 84b07e77..a12ed3a2 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -41,11 +41,6 @@ class site_nickserver { include site_config::x509::cert_key include site_config::x509::ca - $x509 = hiera('x509') - $x509_key = $x509['key'] - $x509_cert = $x509['cert'] - $x509_ca = $x509['ca_cert'] - # # USER AND GROUP # @@ -129,7 +124,10 @@ class site_nickserver { enable => true, hasrestart => true, hasstatus => true, - require => File['/etc/init.d/nickserver']; + require => [ + File['/etc/init.d/nickserver'], + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } # @@ -165,18 +163,4 @@ class site_nickserver { content => template('site_nickserver/nickserver-proxy.conf.erb') } - x509::key { 'nickserver': - content => $x509_key, - notify => Service[apache]; - } - - x509::cert { 'nickserver': - content => $x509_cert, - notify => Service[apache]; - } - - x509::ca { 'nickserver': - content => $x509_ca, - notify => Service[apache]; - } } diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index 67896cd3..478ae7f1 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -14,9 +14,9 @@ Listen 0.0.0.0:<%= @nickserver_port -%> SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/nickserver.pem - SSLCertificateKeyFile /etc/x509/keys/nickserver.key - SSLCertificateFile /etc/x509/certs/nickserver.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt ProxyPass / http://localhost:<%= @nickserver_local_port %>/ ProxyPreserveHost On # preserve Host header in HTTP request -- cgit v1.2.3 From 55578fec453d6b090f623fd3368138f9e322c9f5 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 13:48:07 +0200 Subject: tidy webapp api x509 definitions (#3840) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index bc5ff156..4efbbc52 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -15,9 +15,9 @@ Listen 0.0.0.0:<%= api_port %> SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_api.pem - SSLCertificateKeyFile /etc/x509/keys/leap_api.key - SSLCertificateFile /etc/x509/certs/leap_api.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' -- cgit v1.2.3 From 77a2c7864953886e8861217bb4947bae6366acc8 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 13:50:27 +0200 Subject: tidy soledad x509 definitions (#3841) --- puppet/modules/soledad/templates/default-soledad.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/soledad/templates/default-soledad.erb b/puppet/modules/soledad/templates/default-soledad.erb index fd38903a..32504e38 100644 --- a/puppet/modules/soledad/templates/default-soledad.erb +++ b/puppet/modules/soledad/templates/default-soledad.erb @@ -1,5 +1,5 @@ # this file is managed by puppet START=yes -CERT_PATH=/etc/x509/certs/soledad.crt -PRIVKEY_PATH=/etc/x509/keys/soledad.key +CERT_PATH=<%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt +PRIVKEY_PATH=<%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key HTTPS_PORT=<%=@soledad_port%> -- cgit v1.2.3 From 0397643c8c10de21fb67e0de9cd86c323bbbc3da Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 16:49:53 +0200 Subject: fix x509 path in webapp config.yml.erb (#3894) --- puppet/modules/site_webapp/templates/config.yml.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 05d62d41..57e4ccb6 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -3,8 +3,8 @@ production: admins: <%= @webapp['admins'].inspect %> domain: <%= @provider_domain %> force_ssl: <%= @webapp['secure'] %> - client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> - client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> + client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt secret_token: "<%= @secret_token %>" client_cert_lifespan: <%= cert_options['life_span'].to_i %> client_cert_bit_size: <%= cert_options['bit_size'].to_i %> -- cgit v1.2.3 From 486a9cd3b7bd8d643a9623fd40db2286cdf52fc8 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 20 Sep 2013 18:58:13 +0200 Subject: fix whitespace issues from https://review.leap.se/r/82 --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 4 ++-- puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb | 4 ++-- puppet/modules/site_webapp/templates/config.yml.erb | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 4efbbc52..5f1f4c1d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -16,8 +16,8 @@ Listen 0.0.0.0:<%= api_port %> SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt - SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index 478ae7f1..ae06410e 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -15,8 +15,8 @@ Listen 0.0.0.0:<%= @nickserver_port -%> SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt - SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt ProxyPass / http://localhost:<%= @nickserver_local_port %>/ ProxyPreserveHost On # preserve Host header in HTTP request diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 57e4ccb6..0ce623fc 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -4,7 +4,7 @@ production: domain: <%= @provider_domain %> force_ssl: <%= @webapp['secure'] %> client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key - client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt secret_token: "<%= @secret_token %>" client_cert_lifespan: <%= cert_options['life_span'].to_i %> client_cert_bit_size: <%= cert_options['bit_size'].to_i %> -- cgit v1.2.3 From 98d8a337930d5afaf78d88c23adb985a7060f66b Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 18:31:51 +0200 Subject: move all resources that are applied on every node into site_config::default (#3782) in commit 338833, we established a relationship between all resources that have a leap_service tag, that are called in site.pp. But we had some resources as default on every node in site.pp (apt::update, Package { require => Exec['apt_updated'] }, site_config::slow and stdlib), that were still lacking any relationship to the leap_service tag. By moving them into default.pp they automatically are executed before resources with a leap_service tag. --- puppet/manifests/site.pp | 8 -------- puppet/modules/site_config/manifests/default.pp | 9 +++++++++ 2 files changed, 9 insertions(+), 8 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index bce3a08b..9f5d82d8 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -5,15 +5,7 @@ Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } $services=join(hiera_array('services', ['']), ' ') notice("Services for ${fqdn}: ${services}") -# make sure apt is updated before any packages are installed -include apt::update -Package { require => Exec['apt_updated'] } - -include stdlib - include site_config::default -include site_config::slow - # configure eip if $services =~ /\bopenvpn\b/ { diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 83a344a2..13de82af 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -3,6 +3,15 @@ class site_config::default { $domain_hash = hiera('domain') + # make sure apt is updated before any packages are installed + include apt::update + Package { require => Exec['apt_updated'] } + + include stdlib + + include site_config::slow + + include concat::setup # default class, used by all hosts -- cgit v1.2.3 From d7f5b368547f37cfa53cd606f3d72fab44b6bd7f Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 20 Sep 2013 12:15:36 -0700 Subject: use newer haproxy_servers macro in order to allow couchdb and webapp to be on the same node (requires latest leap_cli) --- puppet/modules/site_webapp/manifests/haproxy.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp index 4a7e3c25..b69c69da 100644 --- a/puppet/modules/site_webapp/manifests/haproxy.pp +++ b/puppet/modules/site_webapp/manifests/haproxy.pp @@ -3,7 +3,6 @@ class site_webapp::haproxy { include site_haproxy $haproxy = hiera('haproxy') - $local_ports = $haproxy['local_ports'] # Template uses $global_options, $defaults_options concat::fragment { 'leap_haproxy_webapp_couchdb': -- cgit v1.2.3 From a95e00f78e07d515b49de563ca5fbcd83be0d015 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Tue, 17 Sep 2013 20:09:10 +0200 Subject: adding fqdn as default servername and moving service.domain to ServerAlias (fixing #3384) node name and dns fqdn could be different Also note that on local deploys that warning from #3384 will continue to exist (because of dns) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 ++- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 ++- puppet/modules/site_webapp/manifests/apache.pp | 3 +++ 3 files changed, 7 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index bc5ff156..2cac297e 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -7,7 +7,8 @@ Listen 0.0.0.0:<%= api_port %> > - ServerName <%= api_domain %> + ServerName <%= domain_name %> + ServerAlias <%= api_domain %> SSLEngine on SSLProtocol -all +SSLv3 +TLSv1 diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 5e3960c2..3b376839 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -6,7 +6,8 @@ - ServerName <%= domain %> + ServerName <%= domain_name %> + ServerAlias <%= domain %> ServerAlias www.<%= domain %> SSLEngine on diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 4331afe4..3d28ec83 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -4,6 +4,9 @@ class site_webapp::apache { $api_domain = $web_api['domain'] $api_port = $web_api['port'] + $web_domain = hiera('domain') + $domain_name = $web_domain['name'] + $x509 = hiera('x509') $commercial_key = $x509['commercial_key'] $commercial_cert = $x509['commercial_cert'] -- cgit v1.2.3 From ffa4504f81c0abecc62b068951ec147741028128 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 09:09:30 +0200 Subject: seperate cert and key deployment (#3918) --- puppet/modules/site_config/manifests/x509/cert.pp | 10 ++++++++++ puppet/modules/site_config/manifests/x509/cert_key.pp | 15 --------------- puppet/modules/site_config/manifests/x509/key.pp | 9 +++++++++ puppet/modules/site_couchdb/manifests/stunnel.pp | 12 ++++++++---- puppet/modules/site_mx/manifests/init.pp | 3 ++- puppet/modules/site_nickserver/manifests/init.pp | 6 ++++-- puppet/modules/site_openvpn/manifests/init.pp | 6 ++++-- puppet/modules/site_postfix/manifests/mx.pp | 6 ++++-- puppet/modules/site_stunnel/manifests/clients.pp | 3 ++- puppet/modules/site_webapp/manifests/apache.pp | 3 ++- puppet/modules/site_webapp/manifests/init.pp | 3 ++- puppet/modules/soledad/manifests/server.pp | 6 ++++-- 12 files changed, 51 insertions(+), 31 deletions(-) create mode 100644 puppet/modules/site_config/manifests/x509/cert.pp delete mode 100644 puppet/modules/site_config/manifests/x509/cert_key.pp create mode 100644 puppet/modules/site_config/manifests/x509/key.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/x509/cert.pp b/puppet/modules/site_config/manifests/x509/cert.pp new file mode 100644 index 00000000..7ed42959 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/cert.pp @@ -0,0 +1,10 @@ +class site_config::x509::cert { + + $x509 = hiera('x509') + $cert = $x509['cert'] + + x509::cert { $site_config::params::cert_name: + content => $cert + } + +} diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp deleted file mode 100644 index d55c6cf2..00000000 --- a/puppet/modules/site_config/manifests/x509/cert_key.pp +++ /dev/null @@ -1,15 +0,0 @@ -class site_config::x509::cert_key { - - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - - x509::key { $site_config::params::cert_name: - content => $key - } - - x509::cert { $site_config::params::cert_name: - content => $cert - } - -} diff --git a/puppet/modules/site_config/manifests/x509/key.pp b/puppet/modules/site_config/manifests/x509/key.pp new file mode 100644 index 00000000..32b59726 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/key.pp @@ -0,0 +1,9 @@ +class site_config::x509::key { + + $x509 = hiera('x509') + $key = $x509['key'] + + x509::key { $site_config::params::cert_name: + content => $key + } +} diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 7ba303fe..87c35f05 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -20,7 +20,8 @@ class site_couchdb::stunnel { - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca include x509::variables @@ -41,7 +42,8 @@ class site_couchdb::stunnel { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4', require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } @@ -60,7 +62,8 @@ class site_couchdb::stunnel { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4', require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } @@ -89,7 +92,8 @@ class site_couchdb::stunnel { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4', require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 527dc4a5..52c5f1d6 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,7 +2,8 @@ class site_mx { tag 'leap_service' Class['site_config::default'] -> Class['site_mx'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca include site_config::x509::client_ca diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index a12ed3a2..bf0511d5 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -38,7 +38,8 @@ class site_nickserver { $address_domain = $domain['full_suffix'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca # @@ -126,7 +127,8 @@ class site_nickserver { hasstatus => true, require => [ File['/etc/init.d/nickserver'], - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 6ab0d430..bf72c8d6 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -20,7 +20,8 @@ class site_openvpn { tag 'leap_service' - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca_bundle @@ -140,7 +141,8 @@ class site_openvpn { require => [ Package['openvpn'], File['/etc/openvpn'], - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca_bundle'] ]; } diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 32465e01..d56b526f 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,7 +8,8 @@ class site_postfix::mx { $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::client_ca postfix::config { @@ -48,7 +49,8 @@ submission inet n - n - - smtpd -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -o smtpd_helo_restrictions=\$submission_helo_restrictions", require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Client_ca'], User['vmail'] ] } diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index b2c8db1f..791fdbc5 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -23,7 +23,8 @@ define site_stunnel::clients ( rndfile => $rndfile, debuglevel => $debuglevel, require => [ - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index d604b00f..062344d7 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -12,7 +12,8 @@ class site_webapp::apache { $commercial_cert = $x509['commercial_cert'] $commercial_root = $x509['commercial_ca_cert'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca include x509::variables diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 4b06cea6..ff230417 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -17,7 +17,8 @@ class site_webapp { include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca group { 'leap-webapp': diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 0c073443..6ccd934a 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -9,7 +9,8 @@ class soledad::server { $couchdb_user = $couchdb['couchdb_admin_user']['username'] $couchdb_password = $couchdb['couchdb_admin_user']['password'] - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca $soledad = hiera('soledad') @@ -52,7 +53,8 @@ class soledad::server { require => [ Class['soledad'], Package['soledad-server'], - Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Key'], + Class['Site_config::X509::Cert'], Class['Site_config::X509::Ca'] ]; } -- cgit v1.2.3 From 9fae612bd8d147321e0cb553610fcaf0140e84eb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 09:23:54 +0200 Subject: move commercial x509 deployment to site_x509 (Feature #3889) --- .../templates/vhosts.d/leap_webapp.conf.erb | 6 ++-- puppet/modules/site_config/manifests/params.pp | 10 ++++--- .../site_config/manifests/x509/commercial/ca.pp | 9 ++++++ .../site_config/manifests/x509/commercial/cert.pp | 10 +++++++ .../site_config/manifests/x509/commercial/key.pp | 9 ++++++ puppet/modules/site_webapp/manifests/apache.pp | 35 ++++------------------ 6 files changed, 43 insertions(+), 36 deletions(-) create mode 100644 puppet/modules/site_config/manifests/x509/commercial/ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/commercial/cert.pp create mode 100644 puppet/modules/site_config/manifests/x509/commercial/key.pp (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 3b376839..6059453b 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -16,9 +16,9 @@ SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem - SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key - SSLCertificateFile /etc/x509/certs/leap_webapp.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 008a4e1f..59a161e8 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -23,8 +23,10 @@ class site_config::params { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") } - $ca_name = 'leap_ca' - $client_ca_name = 'leap_client_ca' - $ca_bundle_name = 'leap_ca_bundle' - $cert_name = 'leap' + $ca_name = 'leap_ca' + $client_ca_name = 'leap_client_ca' + $ca_bundle_name = 'leap_ca_bundle' + $cert_name = 'leap' + $commercial_ca_name = 'leap_commercial_ca' + $commercial_cert_name = 'leap_commercial' } diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp new file mode 100644 index 00000000..8f35759f --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp @@ -0,0 +1,9 @@ +class site_config::x509::commercial::ca { + + $x509 = hiera('x509') + $ca = $x509['commercial_ca_cert'] + + x509::ca { $site_config::params::commercial_ca_name: + content => $ca + } +} diff --git a/puppet/modules/site_config/manifests/x509/commercial/cert.pp b/puppet/modules/site_config/manifests/x509/commercial/cert.pp new file mode 100644 index 00000000..0c71a705 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/cert.pp @@ -0,0 +1,10 @@ +class site_config::x509::commercial::cert { + + $x509 = hiera('x509') + $cert = $x509['commercial_cert'] + + x509::cert { $site_config::params::commercial_cert_name: + content => $cert + } + +} diff --git a/puppet/modules/site_config/manifests/x509/commercial/key.pp b/puppet/modules/site_config/manifests/x509/commercial/key.pp new file mode 100644 index 00000000..d32e85ef --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/commercial/key.pp @@ -0,0 +1,9 @@ +class site_config::x509::commercial::key { + + $x509 = hiera('x509') + $key = $x509['commercial_key'] + + x509::key { $site_config::params::commercial_cert_name: + content => $key + } +} diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 062344d7..6a199b9e 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -7,20 +7,14 @@ class site_webapp::apache { $web_domain = hiera('domain') $domain_name = $web_domain['name'] - $x509 = hiera('x509') - $commercial_key = $x509['commercial_key'] - $commercial_cert = $x509['commercial_cert'] - $commercial_root = $x509['commercial_ca_cert'] - - include site_config::x509::cert - include site_config::x509::key - include site_config::x509::ca - include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca - X509::Cert[$site_config::params::cert_name] ~> Service[apache] - X509::Key[$site_config::params::cert_name] ~> Service[apache] - X509::Ca[$site_config::params::ca_name] ~> Service[apache] + Class['Site_config::X509::Commercial::Key'] ~> Service[apache] + Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] + Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] class { '::apache': no_default_site => true, ssl => true } @@ -40,21 +34,4 @@ class site_webapp::apache { content => template('site_apache/vhosts.d/api.conf.erb') } - x509::key { - 'leap_webapp': - content => $commercial_key, - notify => Service[apache]; - } - - x509::cert { - 'leap_webapp': - content => $commercial_cert, - notify => Service[apache]; - } - - x509::ca { - 'leap_webapp': - content => $commercial_root, - notify => Service[apache]; - } } -- cgit v1.2.3 From 02f17c426e6288f898a66a1a687b413ffe9a9b95 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 11:01:19 +0200 Subject: Webapp doesn't serve commercial cert (Bug #3916) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 9e2dbcaf..5f1f4c1d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -7,8 +7,7 @@ Listen 0.0.0.0:<%= api_port %> > - ServerName <%= domain_name %> - ServerAlias <%= api_domain %> + ServerName <%= api_domain %> SSLEngine on SSLProtocol -all +SSLv3 +TLSv1 -- cgit v1.2.3 From abb03cd19389188c38ccaeb96e3136cac5397563 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 17:15:35 +0200 Subject: https://bitmask.net/ca.crt gives 403 Forbidden (Bug #3919) --- puppet/modules/site_webapp/manifests/init.pp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ff230417..e630875c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -17,8 +17,7 @@ class site_webapp { include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy - include site_config::x509::cert - include site_config::x509::key + include site_config::x509::cert_key include site_config::x509::ca group { 'leap-webapp': @@ -75,7 +74,7 @@ class site_webapp { '/srv/leap/webapp/public/ca.crt': ensure => link, require => Vcsrepo['/srv/leap/webapp'], - target => '/usr/local/share/ca-certificates/leap_api.crt'; + target => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"; "/srv/leap/webapp/public/${api_version}": ensure => directory, -- cgit v1.2.3 From 0447e92ab5dcc3d8a07613a765c60db23252f278 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 17:55:22 +0200 Subject: added site_config::x509::client_ca::cert and site_config::x509::client_ca::key for client_ca deployment (#3917) --- puppet/modules/site_config/manifests/x509/client_ca.pp | 14 -------------- puppet/modules/site_config/manifests/x509/client_ca/ca.pp | 14 ++++++++++++++ puppet/modules/site_config/manifests/x509/client_ca/key.pp | 14 ++++++++++++++ puppet/modules/site_webapp/templates/config.yml.erb | 4 ++-- 4 files changed, 30 insertions(+), 16 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/x509/client_ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/client_ca/ca.pp create mode 100644 puppet/modules/site_config/manifests/x509/client_ca/key.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp deleted file mode 100644 index 3e914cf5..00000000 --- a/puppet/modules/site_config/manifests/x509/client_ca.pp +++ /dev/null @@ -1,14 +0,0 @@ -class site_config::x509::client_ca { - - ## - ## This is for the special CA that is used exclusively for generating - ## client certificates by the webapp. - ## - - $x509 = hiera('x509') - $client_ca = $x509['client_ca_cert'] - - x509::ca { $site_config::params::client_ca_name: - content => $client_ca - } -} diff --git a/puppet/modules/site_config/manifests/x509/client_ca/ca.pp b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp new file mode 100644 index 00000000..0f313898 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp @@ -0,0 +1,14 @@ +class site_config::x509::client_ca::ca { + + ## + ## This is for the special CA that is used exclusively for generating + ## client certificates by the webapp. + ## + + $x509 = hiera('x509') + $cert = $x509['client_ca_cert'] + + x509::ca { $site_config::params::client_ca_name: + content => $cert + } +} diff --git a/puppet/modules/site_config/manifests/x509/client_ca/key.pp b/puppet/modules/site_config/manifests/x509/client_ca/key.pp new file mode 100644 index 00000000..f9ef3f52 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca/key.pp @@ -0,0 +1,14 @@ +class site_config::x509::client_ca::key { + + ## + ## This is for the special CA that is used exclusively for generating + ## client certificates by the webapp. + ## + + $x509 = hiera('x509') + $key = $x509['client_ca_key'] + + x509::key { $site_config::params::client_ca_name: + content => $key + } +} diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 0ce623fc..6b45abc2 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -3,8 +3,8 @@ production: admins: <%= @webapp['admins'].inspect %> domain: <%= @provider_domain %> force_ssl: <%= @webapp['secure'] %> - client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key - client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key + client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt secret_token: "<%= @secret_token %>" client_cert_lifespan: <%= cert_options['life_span'].to_i %> client_cert_bit_size: <%= cert_options['bit_size'].to_i %> -- cgit v1.2.3 From 1adbf7af76b10d44a53de28d23f4c7167dc4f941 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 18:02:05 +0200 Subject: fix client_ca cert+key for mx service (Feature #3921) --- puppet/modules/site_mx/manifests/init.pp | 3 ++- puppet/modules/site_postfix/manifests/mx.pp | 6 ++++-- puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 4 ---- 3 files changed, 6 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 52c5f1d6..cdb84b54 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -5,7 +5,8 @@ class site_mx { include site_config::x509::cert include site_config::x509::key include site_config::x509::ca - include site_config::x509::client_ca + include site_config::x509::client_ca::ca + include site_config::x509::client_ca::key include site_postfix::mx diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index d56b526f..abc0ab46 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -10,7 +10,8 @@ class site_postfix::mx { include site_config::x509::cert include site_config::x509::key - include site_config::x509::client_ca + include site_config::x509::client_ca::ca + include site_config::x509::client_ca::key postfix::config { 'mydestination': @@ -51,7 +52,8 @@ submission inet n - n - - smtpd require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], - Class['Site_config::X509::Client_ca'], + Class['Site_config::X509::Client_ca::Key'], + Class['Site_config::X509::Client_ca::Ca'], User['vmail'] ] } } diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp index ab75130e..afa70527 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp @@ -1,10 +1,6 @@ class site_postfix::mx::smtp_auth { - $x509 = hiera('x509') postfix::config { - 'smtpd_tls_cert_file': value => $x509['client_ca_cert']; - 'smtpd_tls_key_file': value => $x509['client_ca_key']; 'smtpd_tls_ask_ccert': value => 'yes'; - #'smtpd_tls_CAfile': value => } } -- cgit v1.2.3 From 2a60f275d2ee5c0b93b8737fa80396817853ae83 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 19:15:16 +0200 Subject: webapp leftover for seperate cert and key deployment (Feature #3918) --- puppet/modules/site_webapp/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index e630875c..07d2b942 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -17,7 +17,8 @@ class site_webapp { include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy - include site_config::x509::cert_key + include site_config::x509::cert + include site_config::x509::key include site_config::x509::ca group { 'leap-webapp': -- cgit v1.2.3 From 2aa2ab27860166b2846abbfd4ed2afc76576f714 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 19:20:34 +0200 Subject: deploy client_ca on webapp node --- puppet/modules/site_webapp/manifests/init.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 07d2b942..c85a5ddc 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -20,6 +20,8 @@ class site_webapp { include site_config::x509::cert include site_config::x509::key include site_config::x509::ca + include site_config::x509::client_ca::ca + include site_config::x509::client_ca::key group { 'leap-webapp': ensure => present, -- cgit v1.2.3 From e757dd2f52f3859c17f5015274299998dd9f6ba6 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 25 Sep 2013 10:53:37 +0200 Subject: recent couchdb puppet - requires git submodule update --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 9250ca56..e5bbb903 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 9250ca56e0235e4b213af932c8952b97630cc076 +Subproject commit e5bbb903159a94dc3357344d78060343ef47bac8 -- cgit v1.2.3 From 20a8032ae0580356c3399976f44c13825f87093a Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 25 Sep 2013 14:29:15 +0200 Subject: openvpn is restarted before package is installed (Bug #3904) --- puppet/modules/site_openvpn/manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index bf72c8d6..61fefd0a 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -167,7 +167,9 @@ class site_openvpn { ensure => running, hasrestart => true, hasstatus => true, - require => Exec['concat_/etc/default/openvpn']; + require => [ + Package['openvpn'], + Exec['concat_/etc/default/openvpn'] ]; } file { -- cgit v1.2.3 From af6e944090a3b54ca605b1b6145fbb7c008fb093 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 25 Sep 2013 14:22:07 -0400 Subject: add smtp_tls_received_header to include information about the protocol and cipher used as well as the client and issuer CommonName into the "Received:" header Also, clean up the parameters to standardize them Change-Id: Ib6be27f0f93e0a9e20fbdffa1d42220a25fc8ed4 --- puppet/modules/site_postfix/manifests/mx.pp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index abc0ab46..80b750d0 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -16,10 +16,16 @@ class site_postfix::mx { postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; - 'mailbox_size_limit': value => '0'; - 'home_mailbox': value => 'Maildir/'; - 'virtual_alias_maps': value => 'tcp:localhost:4242'; - 'luser_relay': value => 'vmail'; + 'mailbox_size_limit': + value => '0'; + 'home_mailbox': + value => 'Maildir/'; + 'virtual_alias_maps': + value => 'tcp:localhost:4242'; + 'luser_relay': + value => 'vmail'; + 'smtpd_tls_received_header': + value => 'yes'; } include site_postfix::mx::smtpd_checks -- cgit v1.2.3 From 8cbd46a5c62a4f6d91f03283ea9072e7fcc943d8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 25 Sep 2013 13:06:42 -0400 Subject: properly set the $smtps_recipient_restrictions variable in master.cf (#3935) Change-Id: Ia5f35977b3dad08c10256f0281ab36ffb230c9fd --- puppet/modules/site_postfix/manifests/mx.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index abc0ab46..88922c00 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -45,6 +45,7 @@ class site_postfix::mx { "smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt + -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -- cgit v1.2.3 From a457f610aca8544b4c9e3a3f4ddcc4d00a05baf6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 26 Sep 2013 14:53:37 -0400 Subject: Add client-side TLS configuration (#3868) Change-Id: I0b82930f6f6a453e57f1d57fd8b5df78d464e206 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 34df72bb..89b63ba1 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -17,3 +17,24 @@ class site_postfix::mx::tls { } } + # smtp TLS + postfix::config { + 'smtp_use_tls': value => 'yes'; + 'smtp_tls_CApath': value => '/etc/ssl/certs/'; + 'smtp_tls_CAfile': value => $ca_path; + 'smtp_tls_cert_file': value => $cert_path; + 'smtp_tls_key_file': value => $key_path; + 'smtp_tls_ask_ccert': value => 'yes'; + 'smtp_tls_loglevel': value => '1'; + 'smtp_tls_exclude_ciphers': + value => 'aNULL, MD5, DES'; + # upstream default is md5 (since 2.5 and older used it), we force sha1 + 'smtp_tls_fingerprint_digest': + value => 'sha1'; + 'smtp_tls_session_cache_database': + value => 'btree:${queue_directory}/smtp_cache'; + 'smtp_tls_security_level': + value => 'may'; + } + + -- cgit v1.2.3 From 62271e0e067daef064dba2860a92eb6351510d3c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 26 Sep 2013 15:47:03 -0400 Subject: create a site_config::packages directory, move site_config::base_packages to site_config::packages::base add site_config::packages::gnutls for inclusion (#3955) Change-Id: I9599eb26844503613c16f57ee17d6ea7bd0cf6fb --- .../modules/site_config/manifests/base_packages.pp | 28 ---------------------- puppet/modules/site_config/manifests/default.pp | 2 +- .../manifests/packages/base_packages.pp | 28 ++++++++++++++++++++++ .../site_config/manifests/packages/gnutls.pp | 5 ++++ 4 files changed, 34 insertions(+), 29 deletions(-) delete mode 100644 puppet/modules/site_config/manifests/base_packages.pp create mode 100644 puppet/modules/site_config/manifests/packages/base_packages.pp create mode 100644 puppet/modules/site_config/manifests/packages/gnutls.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp deleted file mode 100644 index 3d40f7a2..00000000 --- a/puppet/modules/site_config/manifests/base_packages.pp +++ /dev/null @@ -1,28 +0,0 @@ -class site_config::base_packages { - - # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less' ]: - ensure => installed, - } - - # base set of packages that we want to remove everywhere - package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', - 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', - 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', - 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', - 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', - 'x11-utils', 'xterm' ]: - ensure => absent; - } - - if $::virtual == 'virtualbox' { - $virtualbox_ensure = present - } else { - $virtualbox_ensure = absent - } - - package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $virtualbox_ensure - } -} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 16932ab2..d3bb241f 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -48,7 +48,7 @@ class site_config::default { } # install/remove base packages - include site_config::base_packages + include site_config::packages::base # include basic shorewall config include site_shorewall::defaults diff --git a/puppet/modules/site_config/manifests/packages/base_packages.pp b/puppet/modules/site_config/manifests/packages/base_packages.pp new file mode 100644 index 00000000..d93e194b --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/base_packages.pp @@ -0,0 +1,28 @@ +class site_config::packages::base { + + # base set of packages that we want to have installed everywhere + package { [ 'etckeeper', 'screen', 'less' ]: + ensure => installed, + } + + # base set of packages that we want to remove everywhere + package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', + 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', + 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', + 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', + 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', + 'x11-utils', 'xterm' ]: + ensure => absent; + } + + if $::virtual == 'virtualbox' { + $virtualbox_ensure = present + } else { + $virtualbox_ensure = absent + } + + package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', + 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: + ensure => $virtualbox_ensure + } +} diff --git a/puppet/modules/site_config/manifests/packages/gnutls.pp b/puppet/modules/site_config/manifests/packages/gnutls.pp new file mode 100644 index 00000000..b1f17480 --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/gnutls.pp @@ -0,0 +1,5 @@ +class site_config::packages::gnutls { + + package { 'gnutls-bin': ensure => installed } + +} -- cgit v1.2.3 From 407fad442822e04d311ecfbc7bc54de0b037d3a9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 26 Sep 2013 17:11:39 -0400 Subject: set myhostname in postfix the internet hostname of this mail system. The default would otherwise be set to be something like starfish.local instead of the fully qualified domain (#3869) Change-Id: I4a537402de08b41446d344d8c21973b8d09e7ad6 --- puppet/modules/site_postfix/manifests/mx.pp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 0eb7a7cd..e44b7a9a 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -2,6 +2,7 @@ class site_postfix::mx { $domain_hash = hiera ('domain') $domain = $domain_hash['full_suffix'] + $host_domain = $domain_hash['full'] $mx_hash = hiera('mx') $cert_name = hiera('name') @@ -16,6 +17,8 @@ class site_postfix::mx { postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; + 'myhostname': + value => $host_domain; 'mailbox_size_limit': value => '0'; 'home_mailbox': -- cgit v1.2.3 From 3b532da3871a5a655af4b0741348d9140b0ebf6a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 2 Oct 2013 10:37:05 -0400 Subject: only add vpn_(un)?limited_udp_resolver and vpn_(un)?limited_tcp_resolver lines to unbound.conf if the openvpn package is installed (#3868) Change-Id: I65852660a606ccea7569b2207bd535bd8aa3867c --- puppet/modules/site_openvpn/manifests/resolver.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c1bce858..c74fb509 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp @@ -60,25 +60,25 @@ class site_openvpn::resolver { path => '/etc/unbound/unbound.conf', line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', notify => Service['unbound'], - require => Package['unbound']; + require => [ Package['openvpn'], Package['unbound'] ]; 'add_unlimited_udp_resolver': ensure => $ensure_unlimited, path => '/etc/unbound/unbound.conf', line => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', notify => Service['unbound'], - require => Package['unbound']; + require => [ Package['openvpn'], Package['unbound'] ]; 'add_limited_tcp_resolver': ensure => $ensure_limited, path => '/etc/unbound/unbound.conf', line => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', notify => Service['unbound'], - require => Package['unbound']; - 'add_limited_udp_resolver': + require => [ Package['openvpn'], Package['unbound'] ]; + 'add_limited_udp_resolver': ensure => $ensure_limited, path => '/etc/unbound/unbound.conf', line => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', notify => Service['unbound'], - require => Package['unbound'] + require => [ Package['openvpn'], Package['unbound'] ]; } } -- cgit v1.2.3 From f531ec536a55d756262329f516f1b3bdccf4f0b4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 26 Sep 2013 17:20:19 -0400 Subject: setup smtpd_tls_eecdh_grade to 'ultra' and configure the smtpd_tls_dh1024_param file, after generating it (#3953) Change-Id: I8e88a4862cda052c2f0ca0149f1d0753c7c83cb5 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 31 +++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 34df72bb..9122a974 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -14,6 +14,37 @@ class site_postfix::mx::tls { 'smtpd_tls_ask_ccert': value => 'yes'; 'smtpd_tls_security_level': value => 'may'; + 'smtpd_tls_eecdh_grade': + value => 'ultra' + } + + # Setup DH parameters + # Instead of using the dh parameters that are created by leap cli, it is more + # secure to generate new parameter files that will only be used for postfix, + # for each machine + + include site_config::packages::gnutls + + exec { 'certtool-postfix-gendh-1024': + command => 'certtool --generate-dh-params --bits=1024 --outfile=/etc/postfix/dh_1024.pem', + user => root, + group => root, + creates => '/etc/postfix/dh_1024.pem', + require => Package['gnutls-bin'] + } + + # Make sure the dh params file has correct ownership and mode + file { + '/etc/postfix/dh_1024.pem': + owner => root, + group => root, + mode => '0600', + require => Exec['certtool-postfix-gendh-1024']; + } + + postfix::config { 'smtpd_tls_dh1024_param_file': + value => '/etc/postfix/dh_1024.pem', + require => File['/etc/postfix/dh_1024.pem'] } } -- cgit v1.2.3 From 56f7b18d03f5ea337a68d653b422834c9283cfab Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 13:16:43 -0400 Subject: It turns out postfix's variable for 1024bit DH parameters can actually take a file of arbitrary length (#4012) Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 9122a974..5e399f5c 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -25,17 +25,21 @@ class site_postfix::mx::tls { include site_config::packages::gnutls + # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh + # parameters Neither Postfix nor OpenSSL actually care about the size of the + # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits + exec { 'certtool-postfix-gendh-1024': - command => 'certtool --generate-dh-params --bits=1024 --outfile=/etc/postfix/dh_1024.pem', + command => 'certtool --generate-dh-params --bits=2048 --outfile=/etc/postfix/smtpd_tls_dh_param.pem', user => root, group => root, - creates => '/etc/postfix/dh_1024.pem', + creates => '/etc/postfix/smtpd_tls_dh_param.pem', require => Package['gnutls-bin'] } # Make sure the dh params file has correct ownership and mode file { - '/etc/postfix/dh_1024.pem': + '/etc/postfix/smtpd_tls_dh_param.pem': owner => root, group => root, mode => '0600', @@ -43,8 +47,8 @@ class site_postfix::mx::tls { } postfix::config { 'smtpd_tls_dh1024_param_file': - value => '/etc/postfix/dh_1024.pem', - require => File['/etc/postfix/dh_1024.pem'] + value => '/etc/postfix/smtpd_tls_dh_param.pem', + require => File['/etc/postfix/smtpd_tls_dh_param.pem'] } } -- cgit v1.2.3 From f7bb77c38d31021e810b1b55097fa3329bd73ce7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 15:27:33 -0400 Subject: fix name of base class file Change-Id: I844970f1c8f895d5a460d5082bfa1a2a88b32ecd --- .../modules/site_config/manifests/packages/base.pp | 28 ++++++++++++++++++++++ .../manifests/packages/base_packages.pp | 28 ---------------------- 2 files changed, 28 insertions(+), 28 deletions(-) create mode 100644 puppet/modules/site_config/manifests/packages/base.pp delete mode 100644 puppet/modules/site_config/manifests/packages/base_packages.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp new file mode 100644 index 00000000..d93e194b --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -0,0 +1,28 @@ +class site_config::packages::base { + + # base set of packages that we want to have installed everywhere + package { [ 'etckeeper', 'screen', 'less' ]: + ensure => installed, + } + + # base set of packages that we want to remove everywhere + package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', + 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', + 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', + 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', + 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', + 'x11-utils', 'xterm' ]: + ensure => absent; + } + + if $::virtual == 'virtualbox' { + $virtualbox_ensure = present + } else { + $virtualbox_ensure = absent + } + + package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', + 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: + ensure => $virtualbox_ensure + } +} diff --git a/puppet/modules/site_config/manifests/packages/base_packages.pp b/puppet/modules/site_config/manifests/packages/base_packages.pp deleted file mode 100644 index d93e194b..00000000 --- a/puppet/modules/site_config/manifests/packages/base_packages.pp +++ /dev/null @@ -1,28 +0,0 @@ -class site_config::packages::base { - - # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less' ]: - ensure => installed, - } - - # base set of packages that we want to remove everywhere - package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', - 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', - 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', - 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', - 'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', - 'x11-utils', 'xterm' ]: - ensure => absent; - } - - if $::virtual == 'virtualbox' { - $virtualbox_ensure = present - } else { - $virtualbox_ensure = absent - } - - package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $virtualbox_ensure - } -} -- cgit v1.2.3 From 9acb4a7c2a36f12a5ca71e5c4c74364d344e2c5f Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 13:45:57 -0400 Subject: only use TLSv1 or later for smtp (Feature #4011) Disable on the client-side with postfix (smtp) SSLv2/SSLv3 and only allow for TLSv1 or later SMTP servers almost universally support TLSv1. There are very few servers that don't (the few that are would result sending in the clear for these, but the alternative isn't much better). This is unlikely to cause any significant problems. Change-Id: I8f98ba32973537905b71f63b100f41a420b6aa3f --- puppet/modules/site_postfix/manifests/mx/tls.pp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 3bc7d85b..96cfa911 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -70,6 +70,9 @@ class site_postfix::mx::tls { value => 'btree:${queue_directory}/smtp_cache'; 'smtp_tls_security_level': value => 'may'; + # see issue #4011 + 'smtp_tls_protocols': + value => '!SSLv2, !SSLv3'; } -- cgit v1.2.3 From ed694ff4b412c36801e17c93c0ee587da1ebc981 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 17:57:48 -0400 Subject: implement stripping user's home IPs from Received headers (#3866) Change-Id: I6d78286f84144bba5fd3166cc0264570e4fd3ee0 --- .../modules/site_postfix/files/checks/received_anon | 2 ++ puppet/modules/site_postfix/manifests/checks.pp | 20 +++++++++++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/files/checks/received_anon (limited to 'puppet') diff --git a/puppet/modules/site_postfix/files/checks/received_anon b/puppet/modules/site_postfix/files/checks/received_anon new file mode 100644 index 00000000..2822973e --- /dev/null +++ b/puppet/modules/site_postfix/files/checks/received_anon @@ -0,0 +1,2 @@ +/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))([[:space:]]+).*(\(using [.[:alnum:]]+ with cipher [-A-Z0-9]+ \([0-9]+\/[0-9]+ bits\)\))[[:space:]]+\(Client CN "([[:alnum:]]+)", Issuer "[[:print:]]+" \(verified OK\)\)[[:space:]]+by ([.[:alnum:]]+) \(([^)]+)\) with (E?SMTPS?A?) id ([A-F[:digit:]]+).*/ + REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])${2}${3}${2}(Authenticated sender: $4)${2}with $7 id $8 diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp index 06f9a7a4..31399d32 100644 --- a/puppet/modules/site_postfix/manifests/checks.pp +++ b/puppet/modules/site_postfix/manifests/checks.pp @@ -6,7 +6,7 @@ class site_postfix::checks { mode => '0755', owner => root, group => postfix, - require => Class['postfix']; + require => Package['postfix']; '/etc/postfix/checks/helo_checks': content => template('site_postfix/checks/helo_access.erb'), @@ -20,4 +20,22 @@ class site_postfix::checks { refreshonly => true, subscribe => File['/etc/postfix/checks/helo_checks']; } + + # Anonymize the user's home IP from the email headers (Feature #3866) + package { 'postfix-pcre': ensure => installed } + + file { '/etc/postfix/checks/received_anon': + source => 'puppet:///modules/site_postfix/checks/received_anon', + mode => '0644', + owner => root, + group => root, + notify => Service['postfix'] + } + + postfix::config { + 'header_checks': + value => 'pcre:/etc/postfix/checks/received_anon', + require => File['/etc/postfix/checks/received_anon']; + } + } -- cgit v1.2.3 From 5d25466e8365577c48df98afdd22d2880b7ef5ce Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 3 Oct 2013 13:16:43 -0400 Subject: It turns out postfix's variable for 1024bit DH parameters can actually take a file of arbitrary length (#4012) Neither Postfix nor OpenSSL actually care about the size of the prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits Change-Id: Id60deec93547e7df6dfc414209afaf9d53c710b5 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 96cfa911..cff686e5 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -29,8 +29,8 @@ class site_postfix::mx::tls { # parameters Neither Postfix nor OpenSSL actually care about the size of the # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits - exec { 'certtool-postfix-gendh-1024': - command => 'certtool --generate-dh-params --bits=2048 --outfile=/etc/postfix/smtpd_tls_dh_param.pem', + exec { 'certtool-postfix-gendh': + command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem', user => root, group => root, creates => '/etc/postfix/smtpd_tls_dh_param.pem', @@ -43,7 +43,7 @@ class site_postfix::mx::tls { owner => root, group => root, mode => '0600', - require => Exec['certtool-postfix-gendh-1024']; + require => Exec['certtool-postfix-gendh']; } postfix::config { 'smtpd_tls_dh1024_param_file': -- cgit v1.2.3 From 9890125a57c3a06792e8d08ba15f1b636c764c61 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 8 Oct 2013 19:39:18 -0400 Subject: setup email account 'blacklist' by configuring reserved aliases, effectively implementing RFC2142 and more (#3602) Change-Id: Ic2765b25ff9e1560def4900a1bf38dc8023b0ffa --- puppet/modules/site_postfix/manifests/mx.pp | 1 + .../modules/site_postfix/manifests/mx/reserved_aliases.pp | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index e44b7a9a..a043c277 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -34,6 +34,7 @@ class site_postfix::mx { include site_postfix::mx::smtpd_checks include site_postfix::checks include site_postfix::mx::tls + include site_postfix::mx::reserved_aliases # greater verbosity for debugging, take out for production #include site_postfix::debug diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp new file mode 100644 index 00000000..6df53355 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp @@ -0,0 +1,13 @@ +class site_postfix::reserved_aliases { + + postfix::mailalias { + [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin', + 'arin-admin', 'administrator', 'webmaster', 'www-data', 'www', + 'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games', + 'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp', + 'ftp': + ensure => present, + recipient => 'root' + } + +} -- cgit v1.2.3 From b22a3524c99f9205c8078d5542718e3625e68244 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 18:14:24 +0200 Subject: fix site_postfix::mx::reserved_aliases class name and package array --- puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp index 6df53355..aea66f78 100644 --- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp @@ -1,11 +1,11 @@ -class site_postfix::reserved_aliases { +class site_postfix::mx::reserved_aliases { postfix::mailalias { [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin', 'arin-admin', 'administrator', 'webmaster', 'www-data', 'www', 'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games', 'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp', - 'ftp': + 'ftp' ]: ensure => present, recipient => 'root' } -- cgit v1.2.3 From 2a291df14f20a3e3ac1eeebbaf50c79feb2012ed Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 18:15:56 +0200 Subject: contacts is now a top-level hiera variable --- puppet/modules/site_postfix/manifests/mx.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index a043c277..08d57a24 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -3,10 +3,9 @@ class site_postfix::mx { $domain_hash = hiera ('domain') $domain = $domain_hash['full_suffix'] $host_domain = $domain_hash['full'] - $mx_hash = hiera('mx') $cert_name = hiera('name') - $root_mail_recipient = $mx_hash['contact'] + $root_mail_recipient = hiera ('contacts') $postfix_smtp_listen = 'all' include site_config::x509::cert -- cgit v1.2.3 From 04e270616db7d486eeacb298aed173731c9a2fe2 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 18:49:36 +0200 Subject: deploy postfix satellites on all nodes (Bug #1683) --- puppet/modules/site_config/manifests/default.pp | 4 ++++ puppet/modules/site_postfix/manifests/satellite.pp | 11 +++++++++++ 2 files changed, 15 insertions(+) create mode 100644 puppet/modules/site_postfix/manifests/satellite.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index d3bb241f..a645cb1a 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -71,4 +71,8 @@ class site_config::default { include site_squid_deb_proxy::client } + if $::services !~ /\bmx\b/ { + include site_postfix::satellite + } + } diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp new file mode 100644 index 00000000..de20b667 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/satellite.pp @@ -0,0 +1,11 @@ +class site_postfix::satellite { + + $root_mail_recipient = hiera ('contacts') + $mail = hiera ('mail') + $relayhost = $mail['smarthost'] + + class { '::postfix::satellite': + relayhost => $relayhost, + root_mail_recipient => $root_mail_recipient + } +} -- cgit v1.2.3 From 2a4ae58cc5e3f6e4a1e09ef6a9f15ade1e2c59fa Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 18:53:13 +0200 Subject: move site_config::checks to site_config::mx::checks --- puppet/modules/site_postfix/manifests/checks.pp | 41 ---------------------- puppet/modules/site_postfix/manifests/mx.pp | 2 +- puppet/modules/site_postfix/manifests/mx/checks.pp | 41 ++++++++++++++++++++++ 3 files changed, 42 insertions(+), 42 deletions(-) delete mode 100644 puppet/modules/site_postfix/manifests/checks.pp create mode 100644 puppet/modules/site_postfix/manifests/mx/checks.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/checks.pp b/puppet/modules/site_postfix/manifests/checks.pp deleted file mode 100644 index 31399d32..00000000 --- a/puppet/modules/site_postfix/manifests/checks.pp +++ /dev/null @@ -1,41 +0,0 @@ -class site_postfix::checks { - - file { - '/etc/postfix/checks': - ensure => directory, - mode => '0755', - owner => root, - group => postfix, - require => Package['postfix']; - - '/etc/postfix/checks/helo_checks': - content => template('site_postfix/checks/helo_access.erb'), - mode => '0644', - owner => root, - group => root; - } - - exec { - '/usr/sbin/postmap /etc/postfix/checks/helo_checks': - refreshonly => true, - subscribe => File['/etc/postfix/checks/helo_checks']; - } - - # Anonymize the user's home IP from the email headers (Feature #3866) - package { 'postfix-pcre': ensure => installed } - - file { '/etc/postfix/checks/received_anon': - source => 'puppet:///modules/site_postfix/checks/received_anon', - mode => '0644', - owner => root, - group => root, - notify => Service['postfix'] - } - - postfix::config { - 'header_checks': - value => 'pcre:/etc/postfix/checks/received_anon', - require => File['/etc/postfix/checks/received_anon']; - } - -} diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 08d57a24..474ed03d 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -31,7 +31,7 @@ class site_postfix::mx { } include site_postfix::mx::smtpd_checks - include site_postfix::checks + include site_postfix::mx::checks include site_postfix::mx::tls include site_postfix::mx::reserved_aliases diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp new file mode 100644 index 00000000..31399d32 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp @@ -0,0 +1,41 @@ +class site_postfix::checks { + + file { + '/etc/postfix/checks': + ensure => directory, + mode => '0755', + owner => root, + group => postfix, + require => Package['postfix']; + + '/etc/postfix/checks/helo_checks': + content => template('site_postfix/checks/helo_access.erb'), + mode => '0644', + owner => root, + group => root; + } + + exec { + '/usr/sbin/postmap /etc/postfix/checks/helo_checks': + refreshonly => true, + subscribe => File['/etc/postfix/checks/helo_checks']; + } + + # Anonymize the user's home IP from the email headers (Feature #3866) + package { 'postfix-pcre': ensure => installed } + + file { '/etc/postfix/checks/received_anon': + source => 'puppet:///modules/site_postfix/checks/received_anon', + mode => '0644', + owner => root, + group => root, + notify => Service['postfix'] + } + + postfix::config { + 'header_checks': + value => 'pcre:/etc/postfix/checks/received_anon', + require => File['/etc/postfix/checks/received_anon']; + } + +} -- cgit v1.2.3 From c655713c15263848b5af8fc8d8b6b41e69cb8d1c Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 9 Oct 2013 14:55:16 +0200 Subject: don't remove dev-packages on webapp node they are needed for building gems --- puppet/modules/site_config/manifests/packages/base.pp | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index d93e194b..94ff679b 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -6,7 +6,7 @@ class site_config::packages::base { } # base set of packages that we want to remove everywhere - package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', + package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', 'fontconfig-config', 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', @@ -15,14 +15,17 @@ class site_config::packages::base { ensure => absent; } - if $::virtual == 'virtualbox' { - $virtualbox_ensure = present + if $::virtual == 'virtualbox' or $::services =~ /\bwebapp\b/ { + $dev_packages_ensure = present } else { - $virtualbox_ensure = absent + $dev_packages_ensure = absent } - package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', + # g++ and ruby1.9.1-dev are needed for nickserver/eventmachine (#4079) + # dev_packages are needed for building gems on the webapp node + + package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $virtualbox_ensure + ensure => $dev_packages_ensure } } -- cgit v1.2.3 From 23304bbc281ef25b9ad2a607631aaa728e9c7b29 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 10 Oct 2013 15:32:26 +0200 Subject: install ruby-dev for nickserver/webapp (#4079 + #4080) --- puppet/modules/site_config/manifests/ruby.pp | 4 +++- puppet/modules/site_config/manifests/ruby/dev.pp | 6 ++++++ puppet/modules/site_nickserver/manifests/init.pp | 9 +++++---- puppet/modules/site_webapp/manifests/init.pp | 8 ++++++-- 4 files changed, 20 insertions(+), 7 deletions(-) create mode 100644 puppet/modules/site_config/manifests/ruby/dev.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp index 2a720114..9c005032 100644 --- a/puppet/modules/site_config/manifests/ruby.pp +++ b/puppet/modules/site_config/manifests/ruby.pp @@ -1,6 +1,8 @@ class site_config::ruby { Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - class { '::ruby': ruby_version => '1.9.3' } + class { '::ruby': + ruby_version => '1.9.3', + } class { 'bundler::install': install_method => 'package' } include rubygems } diff --git a/puppet/modules/site_config/manifests/ruby/dev.pp b/puppet/modules/site_config/manifests/ruby/dev.pp new file mode 100644 index 00000000..dbc77ae7 --- /dev/null +++ b/puppet/modules/site_config/manifests/ruby/dev.pp @@ -0,0 +1,6 @@ +class site_config::ruby::dev inherits site_config::ruby { + Class['::ruby'] { + ruby_version => '1.9.3', + install_dev => true + } +} diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index bf0511d5..59613f7b 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -13,7 +13,7 @@ class site_nickserver { tag 'leap_service' Class['site_config::default'] -> Class['site_nickserver'] - include site_config::ruby + include site_config::ruby::dev # # VARIABLES @@ -65,7 +65,7 @@ class site_nickserver { # package { - 'libssl-dev': ensure => installed; + [ 'libssl-dev' ]: ensure => installed; } vcsrepo { '/srv/leap/nickserver': @@ -85,8 +85,9 @@ class site_nickserver { unless => '/usr/bin/bundle check', user => 'nickserver', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], - Package['libssl-dev'] ], + require => [ + Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], + Package['libssl-dev'], Package['ruby-dev'] ], notify => Service['nickserver']; } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index c85a5ddc..f305f1a9 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -13,7 +13,7 @@ class site_webapp { Class['site_config::default'] -> Class['site_webapp'] - include site_config::ruby + include site_config::ruby::dev include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy @@ -55,7 +55,11 @@ class site_webapp { unless => '/usr/bin/bundle check', user => 'leap-webapp', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'], Service['shorewall'] ], + require => [ + Class['bundler::install'], + Vcsrepo['/srv/leap/webapp'], + Package['ruby-dev'], + Service['shorewall'] ], notify => Service['apache']; } -- cgit v1.2.3 From da6cb0546f91444d8c4e059eaa99f17fafe9c5a2 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 11 Oct 2013 18:02:59 +0200 Subject: fixed issues from https://review.leap.se/r/98/ --- puppet/modules/site_config/manifests/ruby.pp | 4 +--- puppet/modules/site_nickserver/manifests/init.pp | 7 +++---- puppet/modules/site_webapp/manifests/init.pp | 2 +- 3 files changed, 5 insertions(+), 8 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp index 9c005032..2a720114 100644 --- a/puppet/modules/site_config/manifests/ruby.pp +++ b/puppet/modules/site_config/manifests/ruby.pp @@ -1,8 +1,6 @@ class site_config::ruby { Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - class { '::ruby': - ruby_version => '1.9.3', - } + class { '::ruby': ruby_version => '1.9.3' } class { 'bundler::install': install_method => 'package' } include rubygems } diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 59613f7b..81482a55 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -64,9 +64,7 @@ class site_nickserver { # before EventMachine gem is built/installed. # - package { - [ 'libssl-dev' ]: ensure => installed; - } + package { 'libssl-dev': ensure => installed } vcsrepo { '/srv/leap/nickserver': ensure => present, @@ -87,7 +85,8 @@ class site_nickserver { timeout => 600, require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], - Package['libssl-dev'], Package['ruby-dev'] ], + Package['libssl-dev'], Class['site_config::ruby::dev'] ], + notify => Service['nickserver']; } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f305f1a9..6c5bda4c 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -58,7 +58,7 @@ class site_webapp { require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'], - Package['ruby-dev'], + Class['site_config::ruby::dev'], Service['shorewall'] ], notify => Service['apache']; } -- cgit v1.2.3 From f2cd05902a9dd64beb1417ddb1d9994c4dc29b14 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 11 Oct 2013 22:08:07 +0200 Subject: class moved but forgot to rename --- puppet/modules/site_postfix/manifests/mx/checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp index 31399d32..6b19891c 100644 --- a/puppet/modules/site_postfix/manifests/mx/checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp @@ -1,4 +1,4 @@ -class site_postfix::checks { +class site_postfix::mx::checks { file { '/etc/postfix/checks': -- cgit v1.2.3 From 4a75cd70b50969023c507b5c9ec2e8c36142f706 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 11 Oct 2013 22:32:01 +0200 Subject: /etc/haproxy/haproxy.cfg changed randomly (Feature #4111) --- puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb index 914a964e..1fa01b96 100644 --- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb +++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb @@ -13,7 +13,7 @@ listen bigcouch-in default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 <%- if @haproxy['servers'] -%> -<%- @haproxy['servers'].each do |name,server| -%> +<%- @haproxy['servers'].sort.each do |name,server| -%> <%- backup = server['backup'] ? 'backup' : '' -%> # <%=name%> server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check -- cgit v1.2.3 From 071bd544ed79a07bb2532b7e79318e76062ba49e Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 12 Oct 2013 01:02:38 +0200 Subject: puppet - openvpn gateway address is hard coded as a /24 network (Bug #1863) --- puppet/modules/site_openvpn/manifests/init.pp | 6 ++++++ puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 61fefd0a..42146741 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -62,6 +62,12 @@ class site_openvpn { $openvpn_limited_udp_cidr = '21' } + # find out the netmask in cidr format of the primary IF + # thx to https://blog.kumina.nl/tag/puppet-tips-and-tricks/ + # we can do this using an inline_template: + $factname_primary_netmask = "netmask_cidr_${::site_config::params::interface}" + $primary_netmask = inline_template('<%= scope.lookupvar(factname_primary_netmask) %>') + # deploy dh keys include site_openvpn::dh_key diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb index 05f3d16b..e76b756b 100644 --- a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb +++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb @@ -1,11 +1,11 @@ #!/bin/sh -ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/24 || - ip addr add <%= @openvpn_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/<%= @primary_netmask %> || + ip addr add <%= @openvpn_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %> <% if @openvpn_second_gateway_address %> -ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/24 || - ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> || + ip addr add <%= @openvpn_second_gateway_address %>/<%= @primary_netmask %> dev <%= scope.lookupvar('site_config::params::interface') %> <% end %> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward -- cgit v1.2.3 From befbc71fa2af217ff89facd8e10794b60f19f66e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 15 Oct 2013 22:43:49 +0200 Subject: new fallback nameservers (#4113) * the german privacy foundation has dissolved itself and shut down their public nameserver. we are now using the public nameserver by Digitalcourage, a german privacy organisation (https://en.wikipedia.org/wiki/Digitalcourage) * the IP for the server of the swiss privacy foundation has changed (http://www.privacyfoundation.ch/de/service/server.html) --- puppet/modules/site_config/manifests/resolvconf.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index 271c5043..b307f18b 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -2,12 +2,13 @@ class site_config::resolvconf { $domain_public = $site_config::default::domain_hash['full_suffix'] - # 127.0.0.1: caching-only local bind - # 87.118.100.175: http://server.privacyfoundation.de - # 62.141.58.13: http://www.privacyfoundation.ch/de/service/server.html class { '::resolvconf': domain => $domain_public, search => $domain_public, - nameservers => [ '127.0.0.1', '87.118.100.175', '62.141.58.13' ] + nameservers => [ + '127.0.0.1 # local caching-only, unbound', + '85.214.20.141 # Digitalcourage, a german privacy organisation: (https://en.wikipedia.org/wiki/Digitalcourage)', + '62.141.58.13 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)' + ] } } -- cgit v1.2.3 From 27f6e30c0096970c49efcf572227d39fe5612ed9 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 16 Oct 2013 00:02:27 +0200 Subject: vagrant: support other providers besides virtualbox (Bug #4158) --- puppet/modules/site_config/manifests/default.pp | 3 ++- puppet/modules/site_config/manifests/packages/base.pp | 4 +++- puppet/modules/site_config/manifests/params.pp | 4 +++- 3 files changed, 8 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index a645cb1a..c7243d5f 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -2,6 +2,7 @@ class site_config::default { tag 'leap_base' $domain_hash = hiera('domain') + include site_config::params # make sure apt is updated before any packages are installed include apt::update @@ -32,7 +33,7 @@ class site_config::default { include site_config::dhclient } - if ( $::virtual == 'virtualbox' ) { + if ( $::site_config::params::environment == 'local' ) { include site_config::vagrant } diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 94ff679b..3e1d4a67 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -1,5 +1,7 @@ class site_config::packages::base { + include site_config::params + # base set of packages that we want to have installed everywhere package { [ 'etckeeper', 'screen', 'less' ]: ensure => installed, @@ -15,7 +17,7 @@ class site_config::packages::base { ensure => absent; } - if $::virtual == 'virtualbox' or $::services =~ /\bwebapp\b/ { + if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ { $dev_packages_ensure = present } else { $dev_packages_ensure = absent diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 59a161e8..2ef391db 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -3,8 +3,10 @@ class site_config::params { $ip_address = hiera('ip_address') $ip_address_interface = getvar("interface_${ip_address}") $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") + $environment = hiera('environment') - if $::virtual == 'virtualbox' { + + if $environment == 'local' { $interface = 'eth1' } elsif hiera('interface','') != '' { -- cgit v1.2.3 From 57a1a16f6d6df7dfebf0d40c38af7fbc3af21a34 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Oct 2013 11:15:44 -0400 Subject: add rsyslog puppet submodule Change-Id: Ic9f521010af7b362490ee5b0048e41cf11bfc593 --- puppet/modules/rsyslog | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/rsyslog (limited to 'puppet') diff --git a/puppet/modules/rsyslog b/puppet/modules/rsyslog new file mode 160000 index 00000000..20fbda6b --- /dev/null +++ b/puppet/modules/rsyslog @@ -0,0 +1 @@ +Subproject commit 20fbda6b91472e656331a9c64630fb207e9f5789 -- cgit v1.2.3 From de8fe441e1c07b63f1c02aa231a8a56c9a9448ec Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Oct 2013 11:16:18 -0400 Subject: rsyslog: setup default local config that gets us the same config as default from debian Change-Id: If07ee200e2ae0d9cfaf8e405d6354c80d77330ca --- puppet/modules/site_config/manifests/default.pp | 3 +++ puppet/modules/site_config/manifests/syslog.pp | 6 ++++++ 2 files changed, 9 insertions(+) create mode 100644 puppet/modules/site_config/manifests/syslog.pp (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index c7243d5f..2380066a 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -48,6 +48,9 @@ class site_config::default { stage => setup, } + # install/configure syslog + include site_config::syslog + # install/remove base packages include site_config::packages::base diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp new file mode 100644 index 00000000..c7c55c34 --- /dev/null +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -0,0 +1,6 @@ +class site_config::syslog { + + class { 'rsyslog::client': log_remote => false, log_local => true } + +} + -- cgit v1.2.3 From aa86d15696245c6ded59ca51ceff8f6eaf3119c5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Oct 2013 12:18:15 -0400 Subject: syslog: add rsyslog::snippet to anonymize logs it is necessary to install the fixed package from the leap.se repository until it is available in wheezy-backports, so install the apt preferences to pull it from there, and add its necessary library dependency from wheezy-backports Change-Id: I379ff2ceaac1a978143715d3a7ced0011ca0d747 --- puppet/modules/site_config/manifests/syslog.pp | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index c7c55c34..6a9da460 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -1,6 +1,28 @@ class site_config::syslog { - class { 'rsyslog::client': log_remote => false, log_local => true } + # we need to pull in rsyslog from the leap repository until it is availbale in + # wheezy-backports + apt::preferences_snippet { 'fixed_rsyslog_anon_package': + package => 'rsyslog', + priority => '999', + pin => 'release o=leap.se', + before => Class['rsyslog::install'] + } -} + apt::preferences_snippet { 'rsyslog_anon_libestr0': + package => 'libestr0', + priority => '999', + pin => 'release a=wheezy-backports', + before => Class['rsyslog::install'] + } + + class { 'rsyslog::client': + log_remote => false, + log_local => true + } + rsyslog::snippet { '00-anonymize_logs': + content => '$ModLoad mmanon +action(type="mmanon" ipv4.bits="32" mode="rewrite")' + } +} -- cgit v1.2.3 From 6381342712085fc5c147f21b13872d0c49c42855 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 16 Oct 2013 20:48:21 +0200 Subject: /etc/apt/preferences is changed twice on every puppetrun on couch nodes (Feature #3962) this will fix the alteration of the preferences file. we now use the apt module default preferences, and pin the depending packages from squeeze that are dependencies for the bigcouch package in the couchdb module, class couchdb::bigcouch::package::cloudant. --- puppet/modules/site_apt/manifests/init.pp | 9 --------- 1 file changed, 9 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 3fa9a2b7..9facf4cc 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,15 +1,6 @@ class site_apt { - # on couchdb we need to include squeeze in apt preferences, - # so the cloudant package can pull some packages from squeeze - # template() must be unquoted ! - if 'couchdb' in $::services { - $custom_preferences = template("site_apt/preferences.include_squeeze") - } else { - $custom_preferences = '' - } class { 'apt': - custom_preferences => $custom_preferences, custom_key_dir => 'puppet:///modules/site_apt/keys' } -- cgit v1.2.3 From 99df31cdd58ca60b90c0098b126903e2d8251128 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 16 Oct 2013 21:30:16 +0200 Subject: vagrant: support other providers besides virtualbox (Bug #4158), Part 2 took out the last remaining virtualbox references --- puppet/manifests/setup.pp | 4 +++- puppet/modules/site_shorewall/manifests/defaults.pp | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index ba58e728..84124f5a 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -5,6 +5,8 @@ $services = '' Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } +include site_config::params + include concat::setup include site_config::hosts @@ -26,7 +28,7 @@ if hiera('squid_deb_proxy_client', false) { # we need to include shorewall::interface{eth0} in setup.pp so # packages can be installed during main puppetrun, even before shorewall # is configured completly -if ( $::virtual == 'virtualbox' ) { +if ( $::site_config::params::environment == 'local' ) { include site_config::vagrant } diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 6a40d501..8f56ac42 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -4,7 +4,9 @@ class site_shorewall::defaults { include site_config::params # be safe for development - #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } + # if ( $::site_config::params::environment == 'local' ) { + # $shorewall_startup='0' + # } # If you want logging: shorewall::params { -- cgit v1.2.3 From 62d76bb7454df2c4f0aebac3efed201f6aa0bdb4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 16 Oct 2013 22:36:08 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index e5bbb903..d84dfddb 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit e5bbb903159a94dc3357344d78060343ef47bac8 +Subproject commit d84dfddb0dfc2e5207c90380fb1f7fcf7bc7a72d -- cgit v1.2.3 From a44e598c29b66bd560dbe864b70f13aa324c1437 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Oct 2013 15:59:26 -0400 Subject: fix for rsyslog-relp being installed first, resulting in dependency errors (#4161) Change-Id: I2f0bcc5b4cb5effae57051f04251aeb8b09a4c6d --- puppet/modules/site_config/manifests/syslog.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index 6a9da460..73d4f58f 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -3,14 +3,14 @@ class site_config::syslog { # we need to pull in rsyslog from the leap repository until it is availbale in # wheezy-backports apt::preferences_snippet { 'fixed_rsyslog_anon_package': - package => 'rsyslog', + package => 'rsyslog-*', priority => '999', pin => 'release o=leap.se', before => Class['rsyslog::install'] } - apt::preferences_snippet { 'rsyslog_anon_libestr0': - package => 'libestr0', + apt::preferences_snippet { 'rsyslog_anon_depends': + package => 'libestr0 librelp0', priority => '999', pin => 'release a=wheezy-backports', before => Class['rsyslog::install'] -- cgit v1.2.3 From c884bc04e2eb29bdaacc5c6673ed7f212dc28e88 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Oct 2013 13:48:01 -0400 Subject: syslog: fix apt_preferences snippet to glob on both rsyslog and rsyslog-relp (#4161) Change-Id: I7eaa35897da3b24833be3b2c14db99cd66b547c0 --- puppet/modules/site_config/manifests/syslog.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/syslog.pp b/puppet/modules/site_config/manifests/syslog.pp index 73d4f58f..d3abeca1 100644 --- a/puppet/modules/site_config/manifests/syslog.pp +++ b/puppet/modules/site_config/manifests/syslog.pp @@ -3,7 +3,7 @@ class site_config::syslog { # we need to pull in rsyslog from the leap repository until it is availbale in # wheezy-backports apt::preferences_snippet { 'fixed_rsyslog_anon_package': - package => 'rsyslog-*', + package => 'rsyslog*', priority => '999', pin => 'release o=leap.se', before => Class['rsyslog::install'] -- cgit v1.2.3 From cf9b3a637b4e348cd7c055ccb361e28d737914fd Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 23 Sep 2013 14:15:46 +0200 Subject: nagios: use hash instead of array for hosts (Bug #3909) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Puppet 2.7.19 introduced a change that don't allow resource titles to be something else that a string. from the puppet 2.7.19 changelog: Don’t allow resource titles which aren’t strings It was possible to create resources whose titles weren't strings, by using a variable containing a hash, or the result of a function which doesn't return a string. This can cause problems resolving relationships when the stringified version of the title differs between master and agent. Now we will only accept primitives, and will stringify them. That is: string, symbol, number, boolean. Arrays or nested arrays will still be flattened and used to create multiple resources. Any other value (for instance: a hash) will cause a parse error. currently, it's much easier to iterate over a hash in puppet than over an array, cause every resource you call iterating over an array would need a unique name, and you don't have this in arrays. --- puppet/modules/site_nagios/manifests/add_host.pp | 51 ++++++++++++------------ puppet/modules/site_nagios/manifests/server.pp | 7 ++-- 2 files changed, 30 insertions(+), 28 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/add_host.pp b/puppet/modules/site_nagios/manifests/add_host.pp index 498552b5..94352de4 100644 --- a/puppet/modules/site_nagios/manifests/add_host.pp +++ b/puppet/modules/site_nagios/manifests/add_host.pp @@ -1,31 +1,32 @@ -define site_nagios::add_host { - $nagios_host = $name - $nagios_hostname = $name['domain_internal'] - $nagios_ip = $name['ip_address'] - $nagios_services = $name['services'] - $nagios_openvpn_gw = $name['openvpn_gateway_address'] +define site_nagios::add_host ( + $domain_internal, + $ip_address, + $services, + $openvpn_gateway_address='' ) { - # Add Nagios host - nagios_host { $nagios_hostname: - address => $nagios_ip, - use => 'generic-host', - } + $nagios_hostname = $domain_internal - # Add Nagios service + # Add Nagios host + nagios_host { $nagios_hostname: + address => $ip_address, + use => 'generic-host', + } - # First, we need to turn the serice array into hash, using a "hash template" - # see https://github.com/ashak/puppet-resource-looping - $nagios_service_hashpart = { - 'hostname' => $nagios_hostname, - 'ip_address' => $nagios_ip, - 'openvpn_gw' => $nagios_openvpn_gw, - } - $dynamic_parameters = { - 'service' => '%s' - } - $nagios_servicename = "${nagios_hostname}_%s" + # Add Nagios service - $nagios_service_hash = create_resources_hash_from($nagios_servicename, $nagios_services, $nagios_service_hashpart, $dynamic_parameters) + # First, we need to turn the serice array into hash, using a "hash template" + # see https://github.com/ashak/puppet-resource-looping + $nagios_service_hashpart = { + 'hostname' => $nagios_hostname, + 'ip_address' => $ip_address, + 'openvpn_gw' => $openvpn_gateway_address, + } + $dynamic_parameters = { + 'service' => '%s' + } + $nagios_servicename = "${nagios_hostname}_%s" - create_resources ( site_nagios::add_service, $nagios_service_hash ) + $nagios_service_hash = create_resources_hash_from($nagios_servicename, $services, $nagios_service_hashpart, $dynamic_parameters) + + create_resources ( site_nagios::add_service, $nagios_service_hash ) } diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index a088921a..3e1ef7e7 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -5,9 +5,9 @@ class site_nagios::server inherits nagios::base { stage => setup } - $nagios_hiera=hiera('nagios') + $nagios_hiera = hiera('nagios') $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) - $hosts = $nagios_hiera['hosts'] + $hosts = $nagios_hiera['hosts'] include nagios::defaults include nagios::base @@ -35,6 +35,7 @@ class site_nagios::server inherits nagios::base { group => 'nagios', } - site_nagios::add_host {$hosts:} + create_resources ( site_nagios::add_host, $hosts ) + include site_shorewall::monitor } -- cgit v1.2.3 From 9074a7bce264d64f467bc628f06e37a5802043bd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 17 Oct 2013 23:09:49 +0200 Subject: "Header set X-Frame-Options: Allow" only for nagios (Bug #4169) Nagios won't work with setting this option to "DENY", as set in conf.d/security (#4169). Therefor we allow it here, only for nagios. --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 6059453b..afc19782 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -18,7 +18,7 @@ SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' @@ -49,6 +49,10 @@ PassengerEnabled off AllowOverride all + # Nagios won't work with setting this option to "DENY", + # as set in conf.d/security (#4169). Therefor we allow + # it here, only for nagios. + Header set X-Frame-Options: "ALLOW" <% end -%> -- cgit v1.2.3 From d272b9a45b1099a17719fbe3c77b24f10b5de5cb Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 20 Oct 2013 20:59:22 +0200 Subject: Possibility to include local puppet recipes (Feature #3976) --- puppet/manifests/setup.pp | 5 +++++ puppet/modules/site_config/manifests/default.pp | 5 +++++ 2 files changed, 10 insertions(+) (limited to 'puppet') diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index 84124f5a..f89b7032 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -32,3 +32,8 @@ if ( $::site_config::params::environment == 'local' ) { include site_config::vagrant } +# if class site_custom::setup exists, include it. +# possibility for users to define custom puppet recipes +if defined( '::site_custom::setup') { + include ::site_custom::setup +} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 2380066a..33d3df05 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -79,4 +79,9 @@ class site_config::default { include site_postfix::satellite } + # if class site_custom exists, include it. + # possibility for users to define custom puppet recipes + if defined( '::site_custom') { + include ::site_custom + } } -- cgit v1.2.3 From bf42d6764421c182401f981b3463f261044e9878 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 21 Oct 2013 18:40:06 +0200 Subject: updated submodule postfix --- puppet/modules/postfix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/postfix b/puppet/modules/postfix index 25b1de20..1103a73a 160000 --- a/puppet/modules/postfix +++ b/puppet/modules/postfix @@ -1 +1 @@ -Subproject commit 25b1de206454c663539b748fb9f08276ad95b3e4 +Subproject commit 1103a73ab4253712c6446bba7a443619fe516717 -- cgit v1.2.3 From 367f1402ddb23f50c9b47d8f35bef31ac83fcd81 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 22 Oct 2013 13:38:02 +0200 Subject: site_tor: can't convert String into Integer (Bug #3974) tor.contacts has been a string, and is now an array of email addresses this change needed to be adopted also in stdlib/lib/puppet/parser/functions/obfuscate_email.rb (see #4193). --- puppet/modules/site_tor/manifests/init.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 16ee4c30..b6e73a23 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -1,12 +1,12 @@ class site_tor { tag 'leap_service' Class['site_config::default'] -> Class['site_tor'] - + $tor = hiera('tor') $bandwidth_rate = $tor['bandwidth_rate'] $tor_type = $tor['type'] $nickname = $tor['nickname'] - $contact_email = $tor['contacts'] + $contact_emails = join($tor['contacts'],', ') $address = hiera('ip_address') @@ -14,7 +14,7 @@ class site_tor { tor::daemon::relay { $nickname: port => 9001, address => $address, - contact_info => obfuscate_email($contact_email), + contact_info => obfuscate_email($contact_emails), bandwidth_rate => $bandwidth_rate, my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050', } -- cgit v1.2.3 From ce086618f0da8eab312c44c71117f3f95bf2a39a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Oct 2013 11:50:58 -0400 Subject: stop specifying the haproxy that we provided in our repository, it is available in wheezy-backports now (#4272) Change-Id: Ie0b8b69f1305f4ec8d11356acc308aad2a8c1e91 --- puppet/modules/site_haproxy/manifests/init.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index ace88a7b..602e26be 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -2,7 +2,6 @@ class site_haproxy { class { 'haproxy': enable => true, - version => '1.4.23-0.1~leap60+1', manage_service => true, global_options => { 'log' => '127.0.0.1 local0', -- cgit v1.2.3 From befa14796567d950f7afa066381070ca7246b1d4 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 25 Oct 2013 12:50:00 +0200 Subject: Users with access to a db are called members - not readers (#4219) ( they can read and write ). I think couch themselves changed the termology at some point but i might just have used the wrong term from the beginning on. Let's call them members either way because it's more clear that read only members require aditional design docs. --- puppet/modules/couchdb | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index d84dfddb..4597cf55 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit d84dfddb0dfc2e5207c90380fb1f7fcf7bc7a72d +Subproject commit 4597cf55613aa25e77ef9943c32918fd59ff65c2 diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index f4f93828..5d77c994 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -65,22 +65,22 @@ class site_couchdb { } couchdb::create_db { 'users': - readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'tokens': - readers => "{ \"names\": [], \"roles\": [\"auth\"] }", + members => "{ \"names\": [], \"roles\": [\"auth\"] }", require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'sessions': - readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } couchdb::create_db { 'tickets': - readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } @@ -88,7 +88,7 @@ class site_couchdb { # via the auth group for now. # leap_mx could use that for a start. couchdb::create_db { 'identities': - readers => "{ \"names\": [], \"roles\": [\"auth\"] }", + members => "{ \"names\": [], \"roles\": [\"auth\"] }", require => Couchdb::Query::Setup['localhost'] } -- cgit v1.2.3 From 6492bf38a0e092d9eaa4a56a80c441d9eb272da6 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Oct 2013 22:24:22 +0100 Subject: updated submodule stdlib --- puppet/modules/stdlib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib index 73b69e81..71cb0f4c 160000 --- a/puppet/modules/stdlib +++ b/puppet/modules/stdlib @@ -1 +1 @@ -Subproject commit 73b69e8198f702f086ff6afd94a54dddc7935893 +Subproject commit 71cb0f4c2c3bf95f62c9f189f5cef155b09a9682 -- cgit v1.2.3 From 39ad06e91c959a3503cde763121fe4b8cdf10c19 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 30 Oct 2013 23:08:11 +0100 Subject: added submodule backupninja from https://leap.se/git/puppet_backupninja --- puppet/modules/backupninja | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/backupninja (limited to 'puppet') diff --git a/puppet/modules/backupninja b/puppet/modules/backupninja new file mode 160000 index 00000000..daeb1a1f --- /dev/null +++ b/puppet/modules/backupninja @@ -0,0 +1 @@ +Subproject commit daeb1a1f112a4dbf6b39565f0dea461e46a64681 -- cgit v1.2.3 From 747bfed900f53461fa342d7fa2c44b9275d3a8d1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 30 Oct 2013 13:31:26 -0400 Subject: require postfix is installed before installing postfix-pcre (#4223) Change-Id: I547b99becb8b16fec0ac89f06fb6d833cbde3c2b --- puppet/modules/site_postfix/manifests/mx/checks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp index 6b19891c..5d75a5e5 100644 --- a/puppet/modules/site_postfix/manifests/mx/checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp @@ -22,7 +22,7 @@ class site_postfix::mx::checks { } # Anonymize the user's home IP from the email headers (Feature #3866) - package { 'postfix-pcre': ensure => installed } + package { 'postfix-pcre': ensure => installed, require => Package['postfix'] } file { '/etc/postfix/checks/received_anon': source => 'puppet:///modules/site_postfix/checks/received_anon', -- cgit v1.2.3 From 12f13e38f0776f801907841b8fe4ab65f67ad060 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 30 Oct 2013 14:34:27 -0400 Subject: certtool-postfix-gendh attempted before postfix is installed (Bug #4340) Change-Id: I4ffb5b9203741d1152dfd93ef9ecc45f6a6088d4 --- puppet/modules/site_postfix/manifests/mx/tls.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index cff686e5..08978efd 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -34,7 +34,7 @@ class site_postfix::mx::tls { user => root, group => root, creates => '/etc/postfix/smtpd_tls_dh_param.pem', - require => Package['gnutls-bin'] + require => [ Package['gnutls-bin'], Package['postfix'] ] } # Make sure the dh params file has correct ownership and mode -- cgit v1.2.3 From ce084fbbe5980497b8b3f3e643e6b618c4fa0b0a Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 31 Oct 2013 00:48:37 +0100 Subject: Automate local backup of couchdb data (Feature #4350) --- puppet/modules/site_couchdb/manifests/backup.pp | 12 ++++++++++++ puppet/modules/site_couchdb/manifests/init.pp | 25 +++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/backup.pp (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/backup.pp b/puppet/modules/site_couchdb/manifests/backup.pp new file mode 100644 index 00000000..ef505693 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/backup.pp @@ -0,0 +1,12 @@ +class site_couchdb::backup { + + # general backupninja config + backupninja::config { 'backupninja_config': + usecolors => false, + } + + # dump all DBs locally to /var/backups/couchdb once a day + backupninja::sh { 'couchdb_backup': + command_string => "cd /srv/leap/couchdb/scripts \n./couchdb_dumpall.sh" + } +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 5d77c994..684d3ab7 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -16,6 +16,8 @@ class site_couchdb { $couchdb_soledad_pw = $couchdb_soledad['password'] $couchdb_soledad_salt = $couchdb_soledad['salt'] + $couchdb_backup = $couchdb_config['backup'] + $bigcouch_config = $couchdb_config['bigcouch'] $bigcouch_cookie = $bigcouch_config['cookie'] @@ -96,4 +98,27 @@ class site_couchdb { include site_shorewall::couchdb include site_shorewall::couchdb::bigcouch + + # /etc/couchdb/couchdb.netrc is deployed by the couchdb module + # needed for couchdb_scripts (backup) and makes life easier + # for the admin (i.e. using curl/wget without passing credentials) + + file { '/root/.netrc': + ensure => link, + target => '/etc/couchdb/couchdb.netrc' + } + + file { '/srv/leap/couchdb': + ensure => directory + } + + vcsrepo { '/srv/leap/couchdb/scripts': + ensure => present, + provider => git, + source => 'https://leap.se/git/couchdb_scripts', + revision => 'origin/master', + require => File['/srv/leap/couchdb'] + } + + if $couchdb_backup { include site_couchdb::backup } } -- cgit v1.2.3 From 41c5506ef0adc0381bcae99ae1139d2de3a2a858 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Nov 2013 15:51:39 -0500 Subject: added website nagios check (#1629) Change-Id: Icebf9d8849b4440f4f6dbc00a1a8ac0873b62f6a --- .../modules/site_nagios/manifests/add_service.pp | 26 +++++++++++----------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/add_service.pp b/puppet/modules/site_nagios/manifests/add_service.pp index 6ef3cbf5..8d2a310b 100644 --- a/puppet/modules/site_nagios/manifests/add_service.pp +++ b/puppet/modules/site_nagios/manifests/add_service.pp @@ -3,19 +3,19 @@ define site_nagios::add_service ( case $service { 'webapp': { - $check_command = 'check_https_cert' - $service_description = 'Website Certificate' + nagios_service { + "${name}_cert": + use => 'generic-service', + check_command => 'check_https_cert', + service_description => 'Website Certificate', + host_name => $hostname; + "${name}_website": + use => 'generic-service', + check_command => 'check_https', + service_description => 'Website', + host_name => $hostname + } } - default: { - #notice ("No Nagios service check for service \"$service\"") - } - } - - if ( $check_command != '' ) { - nagios_service { $name: - use => 'generic-service', - check_command => $check_command, - service_description => $service_description, - host_name => $hostname } + default: {} } } -- cgit v1.2.3 From 1ada62ad64b9664783de875820242fc404f967f2 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 19 Nov 2013 15:15:59 +0100 Subject: initial design documents from the webapp (#3770) --- .../modules/site_couchdb/files/designs/Readme.md | 14 ++++++ .../files/designs/customers/Customer.json | 18 ++++++++ .../files/designs/identities/Identity.json | 28 ++++++++++++ .../files/designs/sessions/Session.json | 8 ++++ .../site_couchdb/files/designs/tickets/Ticket.json | 50 ++++++++++++++++++++++ .../site_couchdb/files/designs/tokens/Token.json | 14 ++++++ .../site_couchdb/files/designs/users/User.json | 26 +++++++++++ 7 files changed, 158 insertions(+) create mode 100644 puppet/modules/site_couchdb/files/designs/Readme.md create mode 100644 puppet/modules/site_couchdb/files/designs/customers/Customer.json create mode 100644 puppet/modules/site_couchdb/files/designs/identities/Identity.json create mode 100644 puppet/modules/site_couchdb/files/designs/sessions/Session.json create mode 100644 puppet/modules/site_couchdb/files/designs/tickets/Ticket.json create mode 100644 puppet/modules/site_couchdb/files/designs/tokens/Token.json create mode 100644 puppet/modules/site_couchdb/files/designs/users/User.json (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/designs/Readme.md b/puppet/modules/site_couchdb/files/designs/Readme.md new file mode 100644 index 00000000..983f629f --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/Readme.md @@ -0,0 +1,14 @@ +This directory contains design documents for the leap platform. + +They need to be uploaded to the couch database in order to query the +database in certain ways. + +Each subdirectory corresponds to a couch database and contains the design +documents that need to be added to that particular database. + +Here's an example of how to upload the users design document: +```bash +HOST="http://localhost:5984" +curl -X PUT $HOST/users/_design/User --data @users/User.json + +``` diff --git a/puppet/modules/site_couchdb/files/designs/customers/Customer.json b/puppet/modules/site_couchdb/files/designs/customers/Customer.json new file mode 100644 index 00000000..1b4bbddd --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/customers/Customer.json @@ -0,0 +1,18 @@ +{ + "_id": "_design/Customer", + "language": "javascript", + "views": { + "by_user_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_braintree_customer_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['braintree_customer_id'] != null)) {\n emit(doc['braintree_customer_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Customer') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "688c401ec0230b75625c176a88fc4a02" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/identities/Identity.json b/puppet/modules/site_couchdb/files/designs/identities/Identity.json new file mode 100644 index 00000000..8cf8c39b --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/identities/Identity.json @@ -0,0 +1,28 @@ +{ + "_id": "_design/Identity", + "language": "javascript", + "views": { + "by_user_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_address_and_destination": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null) && (doc['destination'] != null)) {\n emit([doc['address'], doc['destination']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_address": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null)) {\n emit(doc['address'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "pgp_key_by_email": { + "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n" + }, + "disabled": { + "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n }\n" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "5b0ece9d28b3025d18ea71fddf3a532f" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/sessions/Session.json b/puppet/modules/site_couchdb/files/designs/sessions/Session.json new file mode 100644 index 00000000..70202780 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/sessions/Session.json @@ -0,0 +1,8 @@ +{ + "views": { + "by_expires": { + "reduce": "_sum", + "map": "function(doc) {\n if(typeof doc.expires !== \"undefined\") {\n emit(doc.expires, 1);\n }\n}\n" + } + } +} diff --git a/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json b/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json new file mode 100644 index 00000000..2c9408b8 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/tickets/Ticket.json @@ -0,0 +1,50 @@ +{ + "_id": "_design/Ticket", + "language": "javascript", + "views": { + "by_updated_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['updated_at'] != null)) {\n emit(doc['updated_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_created_by": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_by'] != null)) {\n emit(doc['created_by'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_is_open_and_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['created_at'] != null)) {\n emit([doc['is_open'], doc['created_at']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_is_open_and_updated_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['updated_at'] != null)) {\n emit([doc['is_open'], doc['updated_at']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_includes_post_by_and_is_open_and_created_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.created_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by_and_is_open_and_updated_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.updated_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by_and_updated_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by": { + "map": "// TODO: This view is only used in tests--should we keep it?\nfunction(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit(comment.posted_by, 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by_and_created_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.created_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Ticket') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "9978e2cbeacbe8622c2a7f103bf8130f" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/tokens/Token.json b/puppet/modules/site_couchdb/files/designs/tokens/Token.json new file mode 100644 index 00000000..b9025f15 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/tokens/Token.json @@ -0,0 +1,14 @@ +{ + "_id": "_design/Token", + "language": "javascript", + "views": { + "by_last_seen_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Token') && (doc['last_seen_at'] != null)) {\n emit(doc['last_seen_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Token') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "541dd924551c42a2317b345effbe65cc" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/users/User.json b/puppet/modules/site_couchdb/files/designs/users/User.json new file mode 100644 index 00000000..c500822b --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/users/User.json @@ -0,0 +1,26 @@ +{ + "_id": "_design/User", + "language": "javascript", + "views": { + "by_login": { + "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['login'] != null)) {\n emit(doc['login'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'User') {\n emit(doc._id, null);\n }\n }\n" + }, + "by_alias": { + "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_login_or_alias": { + "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n emit(doc.login, 1);\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", + "reduce": "_sum" + } + }, + "couchrest-hash": "26adb5c9480663de3fe60d959b60a7b2" +} \ No newline at end of file -- cgit v1.2.3 From 481e945b3c8ea6bcb1de501b925d4332b1275c2d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 22 Nov 2013 11:08:31 -0500 Subject: update couchdb submodule to get debugging output #4225 Change-Id: Ie1b6d67f493ed6891a2df76b044d64d359edb420 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 4597cf55..d3153dd2 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 4597cf55613aa25e77ef9943c32918fd59ff65c2 +Subproject commit d3153dd2da619035c0504b02f478796d656bb11d -- cgit v1.2.3 From 970fcd5d3262735c8ae7979a462cd77bf270b108 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 13 Nov 2013 10:13:53 -0800 Subject: added custom index.html --- puppet/modules/site_webapp/manifests/init.pp | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 6c5bda4c..d5687804 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -146,6 +146,14 @@ class site_webapp { mode => '0644', require => Vcsrepo['/srv/leap/webapp'], source => $webapp['img_dir']; + + '/srv/leap/webapp/app/views/home/index.html.haml': + ensure => present, + owner => leap-webapp, + group => leap-webapp, + mode => '0644', + require => Vcsrepo['/srv/leap/webapp'], + source => $webapp['home_page']; } git::changes { @@ -163,6 +171,11 @@ class site_webapp { cwd => '/srv/leap/webapp', require => Vcsrepo['/srv/leap/webapp'], user => 'leap-webapp'; + + 'app/views/home/index.html.haml': + cwd => '/srv/leap/webapp', + require => Vcsrepo['/srv/leap/webapp'], + user => 'leap-webapp'; } file { -- cgit v1.2.3 From 289a00a149ac08d01b8ee638620d8c2928966fa3 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 15 Nov 2013 01:02:25 -0800 Subject: improvements to webapp deployment: allow for greater customization, allow for custom git source, improve apache config. --- .../site_apache/manifests/module/expires.pp | 4 ++ .../templates/vhosts.d/leap_webapp.conf.erb | 8 +++ puppet/modules/site_webapp/manifests/apache.pp | 1 + puppet/modules/site_webapp/manifests/init.pp | 64 ++++------------------ 4 files changed, 23 insertions(+), 54 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/module/expires.pp (limited to 'puppet') diff --git a/puppet/modules/site_apache/manifests/module/expires.pp b/puppet/modules/site_apache/manifests/module/expires.pp new file mode 100644 index 00000000..f73a5607 --- /dev/null +++ b/puppet/modules/site_apache/manifests/module/expires.pp @@ -0,0 +1,4 @@ +class site_apache::module::expires ( $ensure = present ) +{ + apache::module { 'expires': ensure => $ensure } +} diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index afc19782..a001552a 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -45,6 +45,14 @@ PassengerFriendlyErrorPages off SetEnv TMPDIR /var/tmp + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + + <% if (defined? @services) and (@services.include? 'monitor') -%> PassengerEnabled off diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 6a199b9e..581922cb 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -21,6 +21,7 @@ class site_webapp::apache { include site_apache::module::headers include site_apache::module::rewrite include site_apache::module::alias + include site_apache::module::expires class { 'passenger': use_munin => false } diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index d5687804..c090c6a0 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -40,9 +40,9 @@ class site_webapp { vcsrepo { '/srv/leap/webapp': ensure => present, force => true, - revision => 'origin/master', + revision => $webapp['git']['revision'], provider => git, - source => 'https://leap.se/git/leap_web', + source => $webapp['git']['source'], owner => 'leap-webapp', group => 'leap-webapp', require => [ User['leap-webapp'], Group['leap-webapp'] ], @@ -63,6 +63,10 @@ class site_webapp { notify => Service['apache']; } + # + # NOTE: in order to support a webapp that is running on a subpath and not the root of the domain + # assets:precompile needs to be run with RAILS_RELATIVE_URL_ROOT=/application-root + # exec { 'compile_assets': cwd => '/srv/leap/webapp', command => '/bin/bash -c "RAILS_ENV=production /usr/bin/bundle exec rake assets:precompile"', @@ -110,72 +114,24 @@ class site_webapp { } try::file { - '/srv/leap/webapp/public/favicon.ico': - ensure => present, - owner => leap-webapp, - group => leap-webapp, - mode => '0644', - require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['favicon']; - - '/srv/leap/webapp/app/assets/stylesheets/tail.scss': - ensure => present, - owner => leap-webapp, - group => leap-webapp, - mode => '0644', - require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['tail_scss'], - before => Exec['bundler_update']; - - '/srv/leap/webapp/app/assets/stylesheets/head.scss': - ensure => present, - owner => leap-webapp, - group => leap-webapp, - mode => '0644', - require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['head_scss'], - before => Exec['bundler_update']; - - '/srv/leap/webapp/public/img': + '/srv/leap/webapp/config/customization': ensure => directory, recurse => true, purge => true, force => true, owner => leap-webapp, group => leap-webapp, - mode => '0644', - require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['img_dir']; - - '/srv/leap/webapp/app/views/home/index.html.haml': - ensure => present, - owner => leap-webapp, - group => leap-webapp, - mode => '0644', + mode => 'u=rwX,go=rX', require => Vcsrepo['/srv/leap/webapp'], - source => $webapp['home_page']; + notify => Exec['compile_assets'], + source => $webapp['customization_dir']; } git::changes { - 'app/assets/stylesheets/head.scss': - cwd => '/srv/leap/webapp', - require => Vcsrepo['/srv/leap/webapp'], - user => 'leap-webapp'; - - 'app/assets/stylesheets/tail.scss': - cwd => '/srv/leap/webapp', - require => Vcsrepo['/srv/leap/webapp'], - user => 'leap-webapp'; - 'public/favicon.ico': cwd => '/srv/leap/webapp', require => Vcsrepo['/srv/leap/webapp'], user => 'leap-webapp'; - - 'app/views/home/index.html.haml': - cwd => '/srv/leap/webapp', - require => Vcsrepo['/srv/leap/webapp'], - user => 'leap-webapp'; } file { -- cgit v1.2.3 From 846728631f5247984dfa69b7e82f5014e10f4427 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 25 Nov 2013 00:43:51 -0800 Subject: fix bug when 'environment' is nil in hiera.yaml --- puppet/modules/site_config/manifests/params.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 2ef391db..5bdc0077 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -3,7 +3,7 @@ class site_config::params { $ip_address = hiera('ip_address') $ip_address_interface = getvar("interface_${ip_address}") $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") - $environment = hiera('environment') + $environment = hiera('environment', undef) if $environment == 'local' { -- cgit v1.2.3 From e86f20b2435ec251c6373baf4c2ee36d5f26b83e Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 25 Nov 2013 01:20:52 -0800 Subject: fixed `diff` bug with try::file and directories --- puppet/modules/try/manifests/file.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp index 56a7c997..cd1bb035 100644 --- a/puppet/modules/try/manifests/file.pp +++ b/puppet/modules/try/manifests/file.pp @@ -58,14 +58,14 @@ define try::file ( exec { "rsync_${name}": command => "/usr/bin/rsync -r --delete '${source}/' '${name}'", onlyif => "/usr/bin/test -d '${source}'", - unless => "/usr/bin/diff -q '${source}' '${name}'", + unless => "/usr/bin/diff -rq '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] } } else { exec { "cp_r_${name}": command => "/bin/cp -r '${source}' '${name}'", onlyif => "/usr/bin/test -d '${source}'", - unless => "/usr/bin/diff -q '${source}' '${name}'", + unless => "/usr/bin/diff -rq '${source}' '${name}'", notify => [Exec["chmod_${name}"], Exec["chown_${name}"], Exec["chgrp_${name}"]] } } -- cgit v1.2.3 From 82544d7ce6c1952fe9d1043facd64c4737b5f4f3 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 25 Nov 2013 22:49:25 +0100 Subject: add new version of couchdb submodule This one reverts a buggy fix. Trying to push it out asap --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index d3153dd2..4c7bc8b6 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit d3153dd2da619035c0504b02f478796d656bb11d +Subproject commit 4c7bc8b661250bb7fe1000ae1515507c5bf4beb1 -- cgit v1.2.3 From fee571ccc4cd0cf8c665cf7446a0bb99c6dd30cf Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 13:10:01 -0500 Subject: disable starttls over submission for client connections, we are using TLS wrapper mode on the smtps port 465 now (#4366) enable the missing smtpd_helo_restrictions for smtps Change-Id: Iac497369d65c5ad8fd7e93e6fcabb830b855b4f6 --- puppet/modules/site_postfix/manifests/mx.pp | 5 +---- puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 4 +--- 2 files changed, 2 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 474ed03d..59d3030d 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -55,10 +55,7 @@ class site_postfix::mx { -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions -submission inet n - n - - smtpd - -o smtpd_tls_security_level=encrypt - -o smtpd_recipient_restrictions=\$submission_recipient_restrictions - -o smtpd_helo_restrictions=\$submission_helo_restrictions", + -o smtpd_helo_restrictions=\$smtps_helo_restrictions", require => [ Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 0f1500a4..0ec40277 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -22,9 +22,7 @@ class site_postfix::mx::smtpd_checks { # we use permit_tls_clientcerts with the $relay_clientcerts lookup 'smtps_recipient_restrictions': value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; - 'submission_recipient_restrictions': - value => 'permit_tls_all_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit'; - 'submission_helo_restrictions': + 'smtps_helo_restrictions': value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; -- cgit v1.2.3 From ab278941346cc868aad7a3900a2cd5a1007986ea Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 25 Nov 2013 12:16:04 -0500 Subject: make some more dependency chains explicit Change-Id: Ib9525c3a933041fa9b378e1869c0a866375bb509 --- puppet/modules/site_couchdb/manifests/init.pp | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 684d3ab7..dcf7f48a 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -34,9 +34,11 @@ class site_couchdb { class { 'couchdb::bigcouch::package::cloudant': } Class['site_config::default'] - -> Class ['couchdb::bigcouch::package::cloudant'] - -> Service ['couchdb'] - -> Class ['site_couchdb::bigcouch::add_nodes'] + -> Class['couchdb::bigcouch::package::cloudant'] + -> Service['couchdb'] + -> Class['site_couchdb::stunnel'] + -> File['/root/.netrc'] + -> Class['site_couchdb::bigcouch::add_nodes'] -> Couchdb::Create_db['users'] -> Couchdb::Create_db['tokens'] -> Couchdb::Add_user[$couchdb_webapp_user] @@ -46,11 +48,21 @@ class site_couchdb { class { 'site_couchdb::bigcouch::add_nodes': } + # /etc/couchdb/couchdb.netrc is deployed by couchdb::query::setup + # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) + # and makes life easier for the admin (i.e. using curl/wget without + # passing credentials) couchdb::query::setup { 'localhost': user => $couchdb_admin_user, pw => $couchdb_admin_pw, } + file { '/root/.netrc': + ensure => link, + target => '/etc/couchdb/couchdb.netrc', + require => Couchdb::Query::Setup['localhost'] + } + # Populate couchdb couchdb::add_user { $couchdb_webapp_user: roles => '["auth"]', @@ -99,15 +111,6 @@ class site_couchdb { include site_shorewall::couchdb include site_shorewall::couchdb::bigcouch - # /etc/couchdb/couchdb.netrc is deployed by the couchdb module - # needed for couchdb_scripts (backup) and makes life easier - # for the admin (i.e. using curl/wget without passing credentials) - - file { '/root/.netrc': - ensure => link, - target => '/etc/couchdb/couchdb.netrc' - } - file { '/srv/leap/couchdb': ensure => directory } -- cgit v1.2.3 From dc6c48cbc25216417a02304ec2c23663688cd99d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Nov 2013 14:49:53 -0500 Subject: enable uploading a document to couch from a file (#4256) deploy design documents during couch deploy (#3771) Change-Id: I4679e066303ac9b02582214c48e2e7dcfe5bd651 --- puppet/modules/couchdb | 2 +- .../site_couchdb/files/designs/customers.json | 18 ++++++++ .../site_couchdb/files/designs/identities.json | 28 ++++++++++++ .../site_couchdb/files/designs/sessions.json | 8 ++++ .../site_couchdb/files/designs/tickets.json | 50 ++++++++++++++++++++++ .../modules/site_couchdb/files/designs/tokens.json | 14 ++++++ .../modules/site_couchdb/files/designs/users.json | 26 +++++++++++ puppet/modules/site_couchdb/manifests/designs.pp | 20 +++++++++ 8 files changed, 165 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_couchdb/files/designs/customers.json create mode 100644 puppet/modules/site_couchdb/files/designs/identities.json create mode 100644 puppet/modules/site_couchdb/files/designs/sessions.json create mode 100644 puppet/modules/site_couchdb/files/designs/tickets.json create mode 100644 puppet/modules/site_couchdb/files/designs/tokens.json create mode 100644 puppet/modules/site_couchdb/files/designs/users.json create mode 100644 puppet/modules/site_couchdb/manifests/designs.pp (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 4c7bc8b6..e4906614 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 4c7bc8b661250bb7fe1000ae1515507c5bf4beb1 +Subproject commit e49066146ffeb91ce7c8e2100cdc4eca0ceb3a9b diff --git a/puppet/modules/site_couchdb/files/designs/customers.json b/puppet/modules/site_couchdb/files/designs/customers.json new file mode 100644 index 00000000..1b4bbddd --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/customers.json @@ -0,0 +1,18 @@ +{ + "_id": "_design/Customer", + "language": "javascript", + "views": { + "by_user_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_braintree_customer_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['braintree_customer_id'] != null)) {\n emit(doc['braintree_customer_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Customer') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "688c401ec0230b75625c176a88fc4a02" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/identities.json b/puppet/modules/site_couchdb/files/designs/identities.json new file mode 100644 index 00000000..8cf8c39b --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/identities.json @@ -0,0 +1,28 @@ +{ + "_id": "_design/Identity", + "language": "javascript", + "views": { + "by_user_id": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_address_and_destination": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null) && (doc['destination'] != null)) {\n emit([doc['address'], doc['destination']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_address": { + "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null)) {\n emit(doc['address'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "pgp_key_by_email": { + "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n" + }, + "disabled": { + "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n }\n" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "5b0ece9d28b3025d18ea71fddf3a532f" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/sessions.json b/puppet/modules/site_couchdb/files/designs/sessions.json new file mode 100644 index 00000000..70202780 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/sessions.json @@ -0,0 +1,8 @@ +{ + "views": { + "by_expires": { + "reduce": "_sum", + "map": "function(doc) {\n if(typeof doc.expires !== \"undefined\") {\n emit(doc.expires, 1);\n }\n}\n" + } + } +} diff --git a/puppet/modules/site_couchdb/files/designs/tickets.json b/puppet/modules/site_couchdb/files/designs/tickets.json new file mode 100644 index 00000000..2c9408b8 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/tickets.json @@ -0,0 +1,50 @@ +{ + "_id": "_design/Ticket", + "language": "javascript", + "views": { + "by_updated_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['updated_at'] != null)) {\n emit(doc['updated_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_created_by": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_by'] != null)) {\n emit(doc['created_by'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_is_open_and_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['created_at'] != null)) {\n emit([doc['is_open'], doc['created_at']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_is_open_and_updated_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['updated_at'] != null)) {\n emit([doc['is_open'], doc['updated_at']], 1);\n }\n }\n", + "reduce": "_sum" + }, + "by_includes_post_by_and_is_open_and_created_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.created_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by_and_is_open_and_updated_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.updated_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by_and_updated_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by": { + "map": "// TODO: This view is only used in tests--should we keep it?\nfunction(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit(comment.posted_by, 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_includes_post_by_and_created_at": { + "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.created_at], 1);\n }\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Ticket') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "9978e2cbeacbe8622c2a7f103bf8130f" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/tokens.json b/puppet/modules/site_couchdb/files/designs/tokens.json new file mode 100644 index 00000000..b9025f15 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/tokens.json @@ -0,0 +1,14 @@ +{ + "_id": "_design/Token", + "language": "javascript", + "views": { + "by_last_seen_at": { + "map": " function(doc) {\n if ((doc['type'] == 'Token') && (doc['last_seen_at'] != null)) {\n emit(doc['last_seen_at'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Token') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "541dd924551c42a2317b345effbe65cc" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/users.json b/puppet/modules/site_couchdb/files/designs/users.json new file mode 100644 index 00000000..c500822b --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/users.json @@ -0,0 +1,26 @@ +{ + "_id": "_design/User", + "language": "javascript", + "views": { + "by_login": { + "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['login'] != null)) {\n emit(doc['login'], 1);\n }\n }\n", + "reduce": "_sum" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'User') {\n emit(doc._id, null);\n }\n }\n" + }, + "by_alias": { + "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_login_or_alias": { + "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n emit(doc.login, 1);\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_created_at": { + "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", + "reduce": "_sum" + } + }, + "couchrest-hash": "26adb5c9480663de3fe60d959b60a7b2" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp new file mode 100644 index 00000000..2d0a8326 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/designs.pp @@ -0,0 +1,20 @@ +class site_couchdb::designs { + + Class['site_couchdb::create_dbs'] + -> Class['site_couchdb::designs'] + + file { '/srv/leap/couchdb/designs': + ensure => directory, + source => 'puppet:///modules/site_couchdb/designs', + recurse => true, + mode => '0755' + } + + exec { '/srv/leap/couchdb/scripts/load_design_documents.sh': + subscribe => File['/srv/leap/couchdb/designs'], + refreshonly => true, + require => Vcsrepo['/srv/leap/couchdb/scripts'] + } + +} + -- cgit v1.2.3 From 92d68c912d0de44ec9e88f7327303cc0fce7114b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Nov 2013 16:25:14 -0500 Subject: break out the database creation, user creation and design document loading into different classes Change-Id: Idd126d69e1fbe9c9794ad50337307dcc5dd635f4 --- puppet/modules/site_couchdb/manifests/add_users.pp | 17 +++++++ .../modules/site_couchdb/manifests/create_dbs.pp | 31 ++++++++++++ puppet/modules/site_couchdb/manifests/init.pp | 56 ++++------------------ 3 files changed, 56 insertions(+), 48 deletions(-) create mode 100644 puppet/modules/site_couchdb/manifests/add_users.pp create mode 100644 puppet/modules/site_couchdb/manifests/create_dbs.pp (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp new file mode 100644 index 00000000..e9d3da78 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -0,0 +1,17 @@ +class site_couchdb::add_users { + + # Populate couchdb + couchdb::add_user { $site_couchdb::couchdb_webapp_user: + roles => '["auth"]', + pw => $site_couchdb::couchdb_webapp_pw, + salt => $site_couchdb::couchdb_webapp_salt, + require => Couchdb::Query::Setup['localhost'] + } + + couchdb::add_user { $site_couchdb::couchdb_soledad_user: + roles => '["auth"]', + pw => $site_couchdb::couchdb_soledad_pw, + salt => $site_couchdb::couchdb_soledad_salt, + require => Couchdb::Query::Setup['localhost'] + } +} diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp new file mode 100644 index 00000000..2dca51c1 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -0,0 +1,31 @@ +class site_couchdb::create_dbs { + + couchdb::create_db { 'users': + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + + couchdb::create_db { 'tokens': + members => "{ \"names\": [], \"roles\": [\"auth\"] }", + require => Couchdb::Query::Setup['localhost'] + } + + couchdb::create_db { 'sessions': + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + + couchdb::create_db { 'tickets': + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + + # leap_mx will want access to this. Granting access to the soledad user + # via the auth group for now. + # leap_mx could use that for a start. + couchdb::create_db { 'identities': + members => "{ \"names\": [], \"roles\": [\"auth\"] }", + require => Couchdb::Query::Setup['localhost'] + } + +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index dcf7f48a..0f839997 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -52,69 +52,29 @@ class site_couchdb { # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) # and makes life easier for the admin (i.e. using curl/wget without # passing credentials) - couchdb::query::setup { 'localhost': - user => $couchdb_admin_user, - pw => $couchdb_admin_pw, - } - file { '/root/.netrc': ensure => link, target => '/etc/couchdb/couchdb.netrc', require => Couchdb::Query::Setup['localhost'] } - # Populate couchdb - couchdb::add_user { $couchdb_webapp_user: - roles => '["auth"]', - pw => $couchdb_webapp_pw, - salt => $couchdb_webapp_salt, - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::add_user { $couchdb_soledad_user: - roles => '["auth"]', - pw => $couchdb_soledad_pw, - salt => $couchdb_soledad_salt, - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::create_db { 'users': - members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::create_db { 'tokens': - members => "{ \"names\": [], \"roles\": [\"auth\"] }", - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::create_db { 'sessions': - members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::create_db { 'tickets': - members => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }", - require => Couchdb::Query::Setup['localhost'] + file { '/srv/leap/couchdb': + ensure => directory } - # leap_mx will want access to this. Granting access to the soledad user - # via the auth group for now. - # leap_mx could use that for a start. - couchdb::create_db { 'identities': - members => "{ \"names\": [], \"roles\": [\"auth\"] }", - require => Couchdb::Query::Setup['localhost'] + couchdb::query::setup { 'localhost': + user => $couchdb_admin_user, + pw => $couchdb_admin_pw, } + include site_couchdb::create_dbs + include site_couchdb::add_users + include site_couchdb::designs include site_couchdb::logrotate include site_shorewall::couchdb include site_shorewall::couchdb::bigcouch - file { '/srv/leap/couchdb': - ensure => directory - } - vcsrepo { '/srv/leap/couchdb/scripts': ensure => present, provider => git, -- cgit v1.2.3 From 69e626d819317ce977007571714dd7a2f1235492 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 20 Nov 2013 13:13:36 -0500 Subject: initial tapicero configuration Change-Id: Ie53b09df0758ba01b30ed658bee04682bc180b01 --- puppet/manifests/site.pp | 1 + puppet/modules/tapicero/files/tapicero.init | 60 ++++++++++ puppet/modules/tapicero/manifests/init.pp | 126 +++++++++++++++++++++ .../modules/tapicero/templates/tapicero.yaml.erb | 36 ++++++ 4 files changed, 223 insertions(+) create mode 100755 puppet/modules/tapicero/files/tapicero.init create mode 100644 puppet/modules/tapicero/manifests/init.pp create mode 100644 puppet/modules/tapicero/templates/tapicero.yaml.erb (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 9f5d82d8..def0a642 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -14,6 +14,7 @@ if $services =~ /\bopenvpn\b/ { if $services =~ /\bcouchdb\b/ { include site_couchdb + include tapicero } if $services =~ /\bwebapp\b/ { diff --git a/puppet/modules/tapicero/files/tapicero.init b/puppet/modules/tapicero/files/tapicero.init new file mode 100755 index 00000000..7a9af45f --- /dev/null +++ b/puppet/modules/tapicero/files/tapicero.init @@ -0,0 +1,60 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: tapicero +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: tapicero initscript +# Description: Controls tapicero daemon +### END INIT INFO + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +BUNDLER=/usr/bin/bundle +NAME=tapicero +HOME="/srv/leap" +DAEMON="${HOME}/${NAME}/bin/${NAME}" +BUNDLE_GEMFILE="${HOME}/${NAME}/Gemfile" + +export BUNDLE_GEMFILE + +# exit if the daemon doesn't exist +[ -x "$DAEMON" ] || exit 0 + +. /lib/init/vars.sh +. /lib/lsb/init-functions + +if [ "$VERBOSE" != no ]; then + OPTIONS="--verbose" +else + OPTIONS="" +fi + +case "$1" in + start) + $BUNDLER exec $DAEMON start $OPTIONS + exit $? + ;; + stop) + $BUNDLER exec $DAEMON stop $OPTIONS + exit $? + ;; + restart) + $BUNDLER exec $DAEMON restart $OPTIONS + exit $? + ;; + reload) + $BUNDLER exec $DAEMON reload $OPTIONS + exit $? + ;; + status) + $BUNDLER exec $DAEMON status $OPTIONS + exit $? + ;; + *) + echo "Usage: /etc/init.d/$NAME {start|stop|reload|restart|status}" + exit 1 +esac + +exit 0 diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp new file mode 100644 index 00000000..fe33ac75 --- /dev/null +++ b/puppet/modules/tapicero/manifests/init.pp @@ -0,0 +1,126 @@ +class tapicero { + tag 'leap_service' + + $couchdb = hiera('couch') + $couchdb_port = $couchdb['port'] + + $couchdb_users = $couchdb['users'] + + $couchdb_admin_user = $couchdb_users['admin']['username'] + $couchdb_admin_password = $couchdb_users['admin']['password'] + + $couchdb_soledad_user = $couchdb_users['soledad']['username'] + $couchdb_soledad_password = $couchdb_users['soledad']['password'] + + $couchdb_leap_mx_user = $couchdb_users['leap_mx']['username'] + $couchdb_leap_mx_password = $couchdb_users['leap_mx']['password'] + + + Class['site_config::default'] -> Class['tapicero'] + + include site_config::ruby::dev + + # + # USER AND GROUP + # + + group { 'tapicero': + ensure => present, + allowdupe => false; + } + + user { 'tapicero': + ensure => present, + allowdupe => false, + gid => 'tapicero', + home => '/srv/leap/tapicero', + require => Group['tapicero']; + } + + # + # TAPICERO FILES + # + + file { + + ## + ## TAPICERO DIRECTORIES + ## + + '/srv/leap/tapicero': + ensure => directory, + owner => 'tapicero', + group => 'tapicero', + require => User['tapicero']; + + '/var/lib/leap/tapicero': + ensure => directory, + owner => 'tapicero', + group => 'tapicero', + require => User['tapicero']; + + ## + ## TAPICERO CONFIG + ## + + '/etc/leap/tapicero.yaml': + content => template('tapicero/tapicero.yaml.erb'), + owner => 'tapicero', + group => 'tapicero', + mode => '0600', + notify => Service['tapicero']; + + ## + ## TAPICERO INIT + ## + + '/etc/init.d/tapicero': + source => 'puppet:///modules/tapicero/tapicero.init', + owner => root, + group => 0, + mode => '0755', + require => Vcsrepo['/srv/leap/tapicero']; + } + + # + # TAPICERO CODE + # + + vcsrepo { '/srv/leap/tapicero': + ensure => present, + force => true, + revision => 'origin/master', + provider => git, + source => 'https://leap.se/git/tapicero', + owner => 'tapicero', + group => 'tapicero', + require => [ User['tapicero'], Group['tapicero'] ], + notify => Exec['tapicero_bundler_update'] + } + + exec { 'tapicero_bundler_update': + cwd => '/srv/leap/tapicero', + command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"', + unless => '/usr/bin/bundle check', + user => 'tapicero', + timeout => 600, + require => [ + Class['bundler::install'], + Vcsrepo['/srv/leap/tapicero'], + Class['site_config::ruby::dev'] ], + notify => Service['tapicero']; + } + + # + # TAPICERO DAEMON + # + + service { 'tapicero': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => File['/etc/init.d/tapicero']; + } + +} diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb new file mode 100644 index 00000000..75b8d5f6 --- /dev/null +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb @@ -0,0 +1,36 @@ +# +# Default configuration options for Tapicero +# + +# database to observe for changes: +users_db_name: "users" + +# prefix for per user databases: +db_prefix: "user-" + +# couch connection configuration +couch_connection: + protocol: "http" + host: "localhost" + port: <%= @couchdb_port %> + username: <%= @couchdb_admin_user %> + password: <%= @couchdb_admin_password %> + +# security settings to be used for the per user databases +security: + admins: + names: [] + roles: [] + readers: + names: + - <%= @couchdb_soledad_user %> + - <%= @couchdb_leap_mx_user %> + roles: [] + +# file to store the last processed user record in so we can resume after +# a restart: +seq_file: "/var/lib/leap/tapicero/tapicero.seq" + +# Configure log_file like this if you want to log to a file instead of syslog: +# log_file: "/var/leap/log/tapicero.log" +log_level: info -- cgit v1.2.3 From 52f64689a9db8b7300cadaa850e5d7914cef0b9d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 20 Nov 2013 13:13:47 -0500 Subject: setup some common leap system directories: /var/lib/leap and /var/log/leap Change-Id: I18aa0ee635d7166676e4bb4384e2b517784a68b0 --- puppet/modules/site_config/manifests/files.pp | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/files.pp b/puppet/modules/site_config/manifests/files.pp index 03c9aff8..684d3ad0 100644 --- a/puppet/modules/site_config/manifests/files.pp +++ b/puppet/modules/site_config/manifests/files.pp @@ -1,10 +1,23 @@ class site_config::files { - file { '/srv/leap': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0711' + file { + '/srv/leap': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0711'; + + '/var/lib/leap': + ensure => directory, + owner => root, + group => 'root', + mode => '0755'; + + '/var/log/leap': + ensure => directory, + owner => root, + group => 'adm', + mode => '0750'; } -} \ No newline at end of file +} -- cgit v1.2.3 From 3accc19120285c9f518c830100d97f5bba91d3ec Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 13:15:03 -0500 Subject: explicitly set the admin user as having access to the per-user databases, even though it is probably not needed Change-Id: I2f9e751570190f7358332404ae734ae850f92b9f --- puppet/modules/tapicero/templates/tapicero.yaml.erb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb index 75b8d5f6..098f95bd 100644 --- a/puppet/modules/tapicero/templates/tapicero.yaml.erb +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb @@ -19,7 +19,11 @@ couch_connection: # security settings to be used for the per user databases security: admins: - names: [] + names: + # We explicitly allow the admin user to access per user databases, even + # though admin access ignores per database security we just do this to be + # explicit about this + - <%= @couchdb_admin_user %> roles: [] readers: names: -- cgit v1.2.3 From 77528b228c6d7ba095a796df4c5cc4c95eb50d9d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:00:10 -0500 Subject: pretty reformat couchdb.json and site_couchdb/manifests/init.pp, alphabetizing couchdb users Change-Id: I88264d32e9381f826652d1631083ba371e2b1b54 --- puppet/modules/site_couchdb/manifests/add_users.pp | 14 ++++++++------ puppet/modules/site_couchdb/manifests/create_dbs.pp | 19 +++++++++---------- puppet/modules/site_couchdb/manifests/init.pp | 11 +++++++---- 3 files changed, 24 insertions(+), 20 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index e9d3da78..b9304a97 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -1,12 +1,6 @@ class site_couchdb::add_users { # Populate couchdb - couchdb::add_user { $site_couchdb::couchdb_webapp_user: - roles => '["auth"]', - pw => $site_couchdb::couchdb_webapp_pw, - salt => $site_couchdb::couchdb_webapp_salt, - require => Couchdb::Query::Setup['localhost'] - } couchdb::add_user { $site_couchdb::couchdb_soledad_user: roles => '["auth"]', @@ -14,4 +8,12 @@ class site_couchdb::add_users { salt => $site_couchdb::couchdb_soledad_salt, require => Couchdb::Query::Setup['localhost'] } + + couchdb::add_user { $site_couchdb::couchdb_webapp_user: + roles => '["auth"]', + pw => $site_couchdb::couchdb_webapp_pw, + salt => $site_couchdb::couchdb_webapp_salt, + require => Couchdb::Query::Setup['localhost'] + } + } diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index 2dca51c1..b5404231 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -1,11 +1,9 @@ class site_couchdb::create_dbs { - couchdb::create_db { 'users': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", - require => Couchdb::Query::Setup['localhost'] - } - - couchdb::create_db { 'tokens': + # leap_mx will want access to this. Granting access to the soledad user + # via the auth group for now. + # leap_mx could use that for a start. + couchdb::create_db { 'identities': members => "{ \"names\": [], \"roles\": [\"auth\"] }", require => Couchdb::Query::Setup['localhost'] } @@ -20,12 +18,13 @@ class site_couchdb::create_dbs { require => Couchdb::Query::Setup['localhost'] } - # leap_mx will want access to this. Granting access to the soledad user - # via the auth group for now. - # leap_mx could use that for a start. - couchdb::create_db { 'identities': + couchdb::create_db { 'tokens': members => "{ \"names\": [], \"roles\": [\"auth\"] }", require => Couchdb::Query::Setup['localhost'] } + couchdb::create_db { 'users': + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 0f839997..82f2befb 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -3,19 +3,22 @@ class site_couchdb { $couchdb_config = hiera('couch') $couchdb_users = $couchdb_config['users'] + $couchdb_admin = $couchdb_users['admin'] $couchdb_admin_user = $couchdb_admin['username'] $couchdb_admin_pw = $couchdb_admin['password'] $couchdb_admin_salt = $couchdb_admin['salt'] - $couchdb_webapp = $couchdb_users['webapp'] - $couchdb_webapp_user = $couchdb_webapp['username'] - $couchdb_webapp_pw = $couchdb_webapp['password'] - $couchdb_webapp_salt = $couchdb_webapp['salt'] + $couchdb_soledad = $couchdb_users['soledad'] $couchdb_soledad_user = $couchdb_soledad['username'] $couchdb_soledad_pw = $couchdb_soledad['password'] $couchdb_soledad_salt = $couchdb_soledad['salt'] + $couchdb_webapp = $couchdb_users['webapp'] + $couchdb_webapp_user = $couchdb_webapp['username'] + $couchdb_webapp_pw = $couchdb_webapp['password'] + $couchdb_webapp_salt = $couchdb_webapp['salt'] + $couchdb_backup = $couchdb_config['backup'] $bigcouch_config = $couchdb_config['bigcouch'] -- cgit v1.2.3 From fdf028e53cb1efa9d3d6c8ab76c89f98e2fb7498 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:03:03 -0500 Subject: add leap_mx couchdb user/password Change-Id: Ice83115e0feabddd40ad74c2a6e98e24da9b4c2f --- puppet/modules/site_couchdb/manifests/add_users.pp | 7 +++++++ puppet/modules/site_couchdb/manifests/init.pp | 5 +++++ 2 files changed, 12 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index b9304a97..c83b096d 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -2,6 +2,13 @@ class site_couchdb::add_users { # Populate couchdb + couchdb::add_user { $site_couchdb::couchdb_leap_mx_user: + roles => '["identities"]', + pw => $site_couchdb::couchdb_leap_mx_pw, + salt => $site_couchdb::couchdb_leap_mx_salt, + require => Couchdb::Query::Setup['localhost'] + } + couchdb::add_user { $site_couchdb::couchdb_soledad_user: roles => '["auth"]', pw => $site_couchdb::couchdb_soledad_pw, diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 82f2befb..b73c23c3 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -9,6 +9,11 @@ class site_couchdb { $couchdb_admin_pw = $couchdb_admin['password'] $couchdb_admin_salt = $couchdb_admin['salt'] + $couchdb_leap_mx = $couchdb_users['leap_mx'] + $couchdb_leap_mx_user = $couchdb_leap_mx['username'] + $couchdb_leap_mx_pw = $couchdb_leap_mx['password'] + $couchdb_leap_mx_salt = $couchdb_leap_mx['salt'] + $couchdb_soledad = $couchdb_users['soledad'] $couchdb_soledad_user = $couchdb_soledad['username'] $couchdb_soledad_pw = $couchdb_soledad['password'] -- cgit v1.2.3 From e25091395d49d7e10c6266528d4bdfc48c10c886 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:08:20 -0500 Subject: add identities roles Change-Id: I483509850bee448bb2ea39863c1e6a796e102c3c --- puppet/modules/site_couchdb/manifests/add_users.pp | 2 +- puppet/modules/site_couchdb/manifests/create_dbs.pp | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index c83b096d..e525d01a 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -17,7 +17,7 @@ class site_couchdb::add_users { } couchdb::add_user { $site_couchdb::couchdb_webapp_user: - roles => '["auth"]', + roles => '["auth","identities"]', pw => $site_couchdb::couchdb_webapp_pw, salt => $site_couchdb::couchdb_webapp_salt, require => Couchdb::Query::Setup['localhost'] diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index b5404231..a734c870 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -1,10 +1,10 @@ class site_couchdb::create_dbs { - # leap_mx will want access to this. Granting access to the soledad user - # via the auth group for now. - # leap_mx could use that for a start. + # identities database + # r/w: webapp + # r: nickserver, leap_mx - need to restrict with design document couchdb::create_db { 'identities': - members => "{ \"names\": [], \"roles\": [\"auth\"] }", + members => "{ \"names\": [], \"roles\": [\"identities\"] }", require => Couchdb::Query::Setup['localhost'] } -- cgit v1.2.3 From 6bff399fdcdab967a13a27d40dcef4bfb871e046 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:12:28 -0500 Subject: add nickserver couchdb user, set it to have 'identities' role Change-Id: I06723ccf2ba040204e9fc5256c99a1faad6abb5f --- puppet/modules/site_couchdb/manifests/add_users.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index e525d01a..e3b74865 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -9,6 +9,16 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } + # nickserver couchdb user + # read: identities, keycache + # write: keycache (a cache of discovered key, doesn’t exist yet) + couchdb::add_user { $site_couchdb::couchdb_nickserver_user: + roles => '["identities"]', + pw => $site_couchdb::couchdb_nickserver_pw, + salt => $site_couchdb::couchdb_nickserver_salt, + require => Couchdb::Query::Setup['localhost'] + } + couchdb::add_user { $site_couchdb::couchdb_soledad_user: roles => '["auth"]', pw => $site_couchdb::couchdb_soledad_pw, -- cgit v1.2.3 From a9d75259f96e64825ea97eca17cbe6e0c6005d0d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:19:36 -0500 Subject: add comments with access information Change-Id: I058ac1f061bca17736662f14826e99d32472739b --- puppet/modules/site_couchdb/manifests/add_users.pp | 16 ++++++++++++---- puppet/modules/site_couchdb/manifests/create_dbs.pp | 17 ++++++++++++++--- 2 files changed, 26 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index e3b74865..8af9ea66 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -1,7 +1,10 @@ class site_couchdb::add_users { - # Populate couchdb + # Couchdb users + ## leap_mx couchdb user + ## read: identities + ## write access to user- couchdb::add_user { $site_couchdb::couchdb_leap_mx_user: roles => '["identities"]', pw => $site_couchdb::couchdb_leap_mx_pw, @@ -9,9 +12,9 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } - # nickserver couchdb user - # read: identities, keycache - # write: keycache (a cache of discovered key, doesn’t exist yet) + ## nickserver couchdb user + ## r: identities + ## r/w: keycache couchdb::add_user { $site_couchdb::couchdb_nickserver_user: roles => '["identities"]', pw => $site_couchdb::couchdb_nickserver_pw, @@ -19,6 +22,9 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } + ## soledad couchdb user + ## read: tokens, user-, shared + ## write: user-, shared couchdb::add_user { $site_couchdb::couchdb_soledad_user: roles => '["auth"]', pw => $site_couchdb::couchdb_soledad_pw, @@ -26,6 +32,8 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } + ## webapp couchdb user + ## read/write: users, tokens, sessions, tickets, identities couchdb::add_user { $site_couchdb::couchdb_webapp_user: roles => '["auth","identities"]', pw => $site_couchdb::couchdb_webapp_pw, diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index a734c870..d3125448 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -1,28 +1,39 @@ class site_couchdb::create_dbs { - # identities database - # r/w: webapp - # r: nickserver, leap_mx - need to restrict with design document + # Couchdb databases + + ## identities database + ## r: nickserver, leap_mx - needs to be restrict with design document + ## r/w: webapp couchdb::create_db { 'identities': members => "{ \"names\": [], \"roles\": [\"identities\"] }", require => Couchdb::Query::Setup['localhost'] } + ## sessions database + ## r/w: webapp couchdb::create_db { 'sessions': members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } + ## tickets database + ## r/w: webapp couchdb::create_db { 'tickets': members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } + ## tokens database + ## r: soledad - needs to be restricted with a design document + ## r/w: webapp couchdb::create_db { 'tokens': members => "{ \"names\": [], \"roles\": [\"auth\"] }", require => Couchdb::Query::Setup['localhost'] } + ## users database + ## r/w: webapp couchdb::create_db { 'users': members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] -- cgit v1.2.3 From 25ff4895b47ffd937e9f9881747ee8ffb511dacf Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:20:51 -0500 Subject: add keycache couchdb database, and set appropriate roles Change-Id: I492a8dfb42e92ced80fb09c2095fa1328e24346b --- puppet/modules/site_couchdb/manifests/add_users.pp | 2 +- puppet/modules/site_couchdb/manifests/create_dbs.pp | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index 8af9ea66..f5c38cbb 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -16,7 +16,7 @@ class site_couchdb::add_users { ## r: identities ## r/w: keycache couchdb::add_user { $site_couchdb::couchdb_nickserver_user: - roles => '["identities"]', + roles => '["identities","keycache"]', pw => $site_couchdb::couchdb_nickserver_pw, salt => $site_couchdb::couchdb_nickserver_salt, require => Couchdb::Query::Setup['localhost'] diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index d3125448..f8c38987 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -10,6 +10,13 @@ class site_couchdb::create_dbs { require => Couchdb::Query::Setup['localhost'] } + ## keycache database + ## r/w: nickserver + couchdb::create_db { 'keycache': + members => "{ \"names\": [], \"roles\": [\"keycache\"] }", + require => Couchdb::Query::Setup['localhost'] + } + ## sessions database ## r/w: webapp couchdb::create_db { 'sessions': -- cgit v1.2.3 From d0911282e2e201b1f60cd3431018d57cd8321482 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:21:49 -0500 Subject: add shared couchdb database, giving soledad access Change-Id: I743538f66e35f0fffaa0d07fb4ee44b810635aa3 --- puppet/modules/site_couchdb/manifests/create_dbs.pp | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index f8c38987..9e21e33a 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -16,7 +16,7 @@ class site_couchdb::create_dbs { members => "{ \"names\": [], \"roles\": [\"keycache\"] }", require => Couchdb::Query::Setup['localhost'] } - + ## sessions database ## r/w: webapp couchdb::create_db { 'sessions': @@ -24,6 +24,13 @@ class site_couchdb::create_dbs { require => Couchdb::Query::Setup['localhost'] } + ## shared database + ## r/w: soledad + couchdb::create_db { 'shared': + members => "{ \"names\": [\"$site_couchdb::couchdb_soledad_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + ## tickets database ## r/w: webapp couchdb::create_db { 'tickets': -- cgit v1.2.3 From ef0eae6b9ed6294f5c921a73777090142861beba Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:22:57 -0500 Subject: setup tokens couchdb role for the tokens database and give soledad and the webapp access Change-Id: Ifc44d5775e37655240573ab01dd2ee2f794bd8f3 --- puppet/modules/site_couchdb/manifests/add_users.pp | 6 +++--- puppet/modules/site_couchdb/manifests/create_dbs.pp | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index f5c38cbb..03ce12f1 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -26,16 +26,16 @@ class site_couchdb::add_users { ## read: tokens, user-, shared ## write: user-, shared couchdb::add_user { $site_couchdb::couchdb_soledad_user: - roles => '["auth"]', + roles => '["tokens"]', pw => $site_couchdb::couchdb_soledad_pw, salt => $site_couchdb::couchdb_soledad_salt, require => Couchdb::Query::Setup['localhost'] } ## webapp couchdb user - ## read/write: users, tokens, sessions, tickets, identities + ## read/write: users, tokens, sessions, tickets, identities, customer couchdb::add_user { $site_couchdb::couchdb_webapp_user: - roles => '["auth","identities"]', + roles => '["tokens","identities"]', pw => $site_couchdb::couchdb_webapp_pw, salt => $site_couchdb::couchdb_webapp_salt, require => Couchdb::Query::Setup['localhost'] diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index 9e21e33a..a1db9d54 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -42,7 +42,7 @@ class site_couchdb::create_dbs { ## r: soledad - needs to be restricted with a design document ## r/w: webapp couchdb::create_db { 'tokens': - members => "{ \"names\": [], \"roles\": [\"auth\"] }", + members => "{ \"names\": [], \"roles\": [\"tokens\"] }", require => Couchdb::Query::Setup['localhost'] } -- cgit v1.2.3 From 0aed6d16a0303e05462f4c81cda0ced9872773bf Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 14:27:50 -0500 Subject: add the tapicero couchdb user, and appropriate roles Change-Id: I41e9a73c8d04d5a2d74b41c8e32aca9906f3a4cf --- puppet/modules/site_couchdb/manifests/add_users.pp | 16 +++++++++++++--- puppet/modules/site_couchdb/manifests/create_dbs.pp | 2 +- puppet/modules/site_couchdb/manifests/init.pp | 5 +++++ 3 files changed, 19 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp index 03ce12f1..f9ea7349 100644 --- a/puppet/modules/site_couchdb/manifests/add_users.pp +++ b/puppet/modules/site_couchdb/manifests/add_users.pp @@ -23,8 +23,8 @@ class site_couchdb::add_users { } ## soledad couchdb user - ## read: tokens, user-, shared - ## write: user-, shared + ## r/w: user-, shared + ## read: tokens couchdb::add_user { $site_couchdb::couchdb_soledad_user: roles => '["tokens"]', pw => $site_couchdb::couchdb_soledad_pw, @@ -32,10 +32,20 @@ class site_couchdb::add_users { require => Couchdb::Query::Setup['localhost'] } + ### tapicero couchdb user + ### admin: needs to be able to create user- databases + ### read: users + couchdb::add_user { $site_couchdb::couchdb_tapicero_user: + roles => '["users"]', + pw => $site_couchdb::couchdb_tapicero_pw, + salt => $site_couchdb::couchdb_tapicero_salt, + require => Couchdb::Query::Setup['localhost'] + } + ## webapp couchdb user ## read/write: users, tokens, sessions, tickets, identities, customer couchdb::add_user { $site_couchdb::couchdb_webapp_user: - roles => '["tokens","identities"]', + roles => '["tokens","identities","users"]', pw => $site_couchdb::couchdb_webapp_pw, salt => $site_couchdb::couchdb_webapp_salt, require => Couchdb::Query::Setup['localhost'] diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index a1db9d54..f53597e7 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -49,7 +49,7 @@ class site_couchdb::create_dbs { ## users database ## r/w: webapp couchdb::create_db { 'users': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + members => "{ \"names\": [], \"roles\": [\"users\"] }", require => Couchdb::Query::Setup['localhost'] } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index b73c23c3..bb3fa5d7 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -19,6 +19,11 @@ class site_couchdb { $couchdb_soledad_pw = $couchdb_soledad['password'] $couchdb_soledad_salt = $couchdb_soledad['salt'] + $couchdb_tapicero = $couchdb_users['tapicero'] + $couchdb_tapicero_user = $couchdb_tapicero['username'] + $couchdb_tapicero_pw = $couchdb_tapicero['password'] + $couchdb_tapicero_salt = $couchdb_tapicero['salt'] + $couchdb_webapp = $couchdb_users['webapp'] $couchdb_webapp_user = $couchdb_webapp['username'] $couchdb_webapp_pw = $couchdb_webapp['password'] -- cgit v1.2.3 From 4aedafa09dd40673ae654f685cbad1b01c72f84c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Nov 2013 20:37:55 -0500 Subject: add webapp cron entries to cleanup sessions and tokens (#4572) Change-Id: Ic1ef7e25f07cbbbcea9bcc90248479009904303e --- puppet/modules/site_webapp/manifests/cron.pp | 19 +++++++++++++++++++ puppet/modules/site_webapp/manifests/init.pp | 1 + 2 files changed, 20 insertions(+) create mode 100644 puppet/modules/site_webapp/manifests/cron.pp (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp new file mode 100644 index 00000000..be997103 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/cron.pp @@ -0,0 +1,19 @@ +class site_webapp::cron { + + # cron tasks that need to be performed to cleanup the database + cron { + 'remove_expired_sessions': + command => 'bundle exec rake cleanup:sessions', + cwd => '/srv/leap/webapp', + environment => 'RAILS_ENV=production', + hour => 2, + minute => 30; + + 'remove_expired_tokens': + command => 'bundle exec rake cleanup:tokens', + cwd => '/srv/leap/webapp', + environment => 'RAILS_ENV=production', + hour => 3, + minute => 0; + } +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index c090c6a0..cb94d328 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -17,6 +17,7 @@ class site_webapp { include site_webapp::apache include site_webapp::couchdb include site_webapp::haproxy + include site_webapp::cron include site_config::x509::cert include site_config::x509::key include site_config::x509::ca -- cgit v1.2.3 From 27b084fbb61ea036a45970f1b0c5a8f8175f96e8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 27 Nov 2013 15:00:10 -0500 Subject: add missing nickserver hiera value lookup Change-Id: I77061054f4768f0677ca9c498e6cd6d5df4ff806 --- puppet/modules/site_couchdb/manifests/init.pp | 49 +++++++++++++++------------ 1 file changed, 27 insertions(+), 22 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index bb3fa5d7..1933f01b 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,40 +1,45 @@ class site_couchdb { tag 'leap_service' - $couchdb_config = hiera('couch') - $couchdb_users = $couchdb_config['users'] + $couchdb_config = hiera('couch') + $couchdb_users = $couchdb_config['users'] - $couchdb_admin = $couchdb_users['admin'] - $couchdb_admin_user = $couchdb_admin['username'] - $couchdb_admin_pw = $couchdb_admin['password'] - $couchdb_admin_salt = $couchdb_admin['salt'] + $couchdb_admin = $couchdb_users['admin'] + $couchdb_admin_user = $couchdb_admin['username'] + $couchdb_admin_pw = $couchdb_admin['password'] + $couchdb_admin_salt = $couchdb_admin['salt'] - $couchdb_leap_mx = $couchdb_users['leap_mx'] - $couchdb_leap_mx_user = $couchdb_leap_mx['username'] - $couchdb_leap_mx_pw = $couchdb_leap_mx['password'] - $couchdb_leap_mx_salt = $couchdb_leap_mx['salt'] + $couchdb_leap_mx = $couchdb_users['leap_mx'] + $couchdb_leap_mx_user = $couchdb_leap_mx['username'] + $couchdb_leap_mx_pw = $couchdb_leap_mx['password'] + $couchdb_leap_mx_salt = $couchdb_leap_mx['salt'] - $couchdb_soledad = $couchdb_users['soledad'] - $couchdb_soledad_user = $couchdb_soledad['username'] - $couchdb_soledad_pw = $couchdb_soledad['password'] - $couchdb_soledad_salt = $couchdb_soledad['salt'] + $couchdb_nickserver = $couchdb_users['nickserver'] + $couchdb_nickserver_user = $couchdb_nickserver['username'] + $couchdb_nickserver_pw = $couchdb_nickserver['password'] + $couchdb_nickserver_salt = $couchdb_nickserver['salt'] + + $couchdb_soledad = $couchdb_users['soledad'] + $couchdb_soledad_user = $couchdb_soledad['username'] + $couchdb_soledad_pw = $couchdb_soledad['password'] + $couchdb_soledad_salt = $couchdb_soledad['salt'] $couchdb_tapicero = $couchdb_users['tapicero'] $couchdb_tapicero_user = $couchdb_tapicero['username'] $couchdb_tapicero_pw = $couchdb_tapicero['password'] $couchdb_tapicero_salt = $couchdb_tapicero['salt'] - $couchdb_webapp = $couchdb_users['webapp'] - $couchdb_webapp_user = $couchdb_webapp['username'] - $couchdb_webapp_pw = $couchdb_webapp['password'] - $couchdb_webapp_salt = $couchdb_webapp['salt'] + $couchdb_webapp = $couchdb_users['webapp'] + $couchdb_webapp_user = $couchdb_webapp['username'] + $couchdb_webapp_pw = $couchdb_webapp['password'] + $couchdb_webapp_salt = $couchdb_webapp['salt'] - $couchdb_backup = $couchdb_config['backup'] + $couchdb_backup = $couchdb_config['backup'] - $bigcouch_config = $couchdb_config['bigcouch'] - $bigcouch_cookie = $bigcouch_config['cookie'] + $bigcouch_config = $couchdb_config['bigcouch'] + $bigcouch_cookie = $bigcouch_config['cookie'] - $ednp_port = $bigcouch_config['ednp_port'] + $ednp_port = $bigcouch_config['ednp_port'] class { 'couchdb': bigcouch => true, -- cgit v1.2.3 From bf563b722126c0e6ae1d8f2f830be03e006664a1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 20 Nov 2013 12:10:52 -0500 Subject: setup customer couchdb database Change-Id: Ic0e9f5f6a1f28d865d7757a9de0d9399a6a9a5e3 Conflicts: puppet/modules/site_couchdb/manifests/init.pp --- puppet/modules/site_couchdb/manifests/create_dbs.pp | 7 +++++++ puppet/modules/site_couchdb/manifests/init.pp | 13 ++++++------- 2 files changed, 13 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index f53597e7..f206fddb 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -2,6 +2,13 @@ class site_couchdb::create_dbs { # Couchdb databases + ### customer database + ### r/w: webapp, + couchdb::create_db { 'customer': + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } + ## identities database ## r: nickserver, leap_mx - needs to be restrict with design document ## r/w: webapp diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 1933f01b..ad0c996a 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -70,14 +70,13 @@ class site_couchdb { # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) # and makes life easier for the admin (i.e. using curl/wget without # passing credentials) - file { '/root/.netrc': - ensure => link, - target => '/etc/couchdb/couchdb.netrc', - require => Couchdb::Query::Setup['localhost'] - } + file { + '/root/.netrc': + ensure => link, + target => '/etc/couchdb/couchdb.netrc'; - file { '/srv/leap/couchdb': - ensure => directory + '/srv/leap/couchdb': + ensure => directory } couchdb::query::setup { 'localhost': -- cgit v1.2.3 From 7f59d8c7f5a41125c17271b1cd55118dafa52151 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 09:54:37 -0500 Subject: remove admin access from webapp Change-Id: Ib2ce0d38a8e4dd30ae6842bfb5579d9c3dd10f18 --- .../site_webapp/files/migrate_design_documents | 16 ---------------- puppet/modules/site_webapp/manifests/couchdb.pp | 22 ---------------------- puppet/modules/site_webapp/manifests/init.pp | 6 ++++-- .../site_webapp/templates/couchdb.yml.admin.erb | 9 --------- 4 files changed, 4 insertions(+), 49 deletions(-) delete mode 100644 puppet/modules/site_webapp/files/migrate_design_documents delete mode 100644 puppet/modules/site_webapp/templates/couchdb.yml.admin.erb (limited to 'puppet') diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents deleted file mode 100644 index 6e24aa5b..00000000 --- a/puppet/modules/site_webapp/files/migrate_design_documents +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -cd /srv/leap/webapp - -# use admin credentials -cp config/couchdb.yml.admin config/couchdb.yml -chown leap-webapp:leap-webapp config/couchdb.yml - -# needs to be run twice -RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate -RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate - -# use user credentials and remove admin credentials -cp config/couchdb.yml.webapp config/couchdb.yml -chown leap-webapp:leap-webapp config/couchdb.yml - diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 5a5cccad..7f6ebbc6 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -4,8 +4,6 @@ class site_webapp::couchdb { # haproxy listener on port localhost:4096, see site_webapp::haproxy $couchdb_host = 'localhost' $couchdb_port = '4096' - $couchdb_admin_user = $webapp['couchdb_admin_user']['username'] - $couchdb_admin_password = $webapp['couchdb_admin_user']['password'] $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] @@ -16,13 +14,6 @@ class site_webapp::couchdb { include x509::variables file { - '/srv/leap/webapp/config/couchdb.yml.admin': - content => template('site_webapp/couchdb.yml.admin.erb'), - owner => leap-webapp, - group => leap-webapp, - mode => '0600', - require => Vcsrepo['/srv/leap/webapp']; - '/srv/leap/webapp/config/couchdb.yml.webapp': content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, @@ -43,23 +34,10 @@ class site_webapp::couchdb { group => leap-webapp, mode => '0666', require => Vcsrepo['/srv/leap/webapp']; - - '/usr/local/sbin/migrate_design_documents': - source => 'puppet:///modules/site_webapp/migrate_design_documents', - owner => root, - group => root, - mode => '0744'; } include site_stunnel - exec { 'migrate_design_documents': - cwd => '/srv/leap/webapp', - command => '/usr/local/sbin/migrate_design_documents', - require => Exec['bundler_update'], - notify => Service['apache']; - } - $couchdb_stunnel_client_defaults = { 'connect_port' => $couch_client_connect, 'client' => true, diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index cb94d328..ae644287 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -65,9 +65,11 @@ class site_webapp { } # - # NOTE: in order to support a webapp that is running on a subpath and not the root of the domain - # assets:precompile needs to be run with RAILS_RELATIVE_URL_ROOT=/application-root + # NOTE: in order to support a webapp that is running on a subpath and not the + # root of the domain assets:precompile needs to be run with + # RAILS_RELATIVE_URL_ROOT=/application-root # + exec { 'compile_assets': cwd => '/srv/leap/webapp', command => '/bin/bash -c "RAILS_ENV=production /usr/bin/bundle exec rake assets:precompile"', diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb deleted file mode 100644 index a0921add..00000000 --- a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb +++ /dev/null @@ -1,9 +0,0 @@ -production: - prefix: "" - protocol: 'http' - host: <%= @couchdb_host %> - port: <%= @couchdb_port %> - auto_update_design_doc: false - username: <%= @couchdb_admin_user %> - password: <%= @couchdb_admin_password %> - -- cgit v1.2.3 From 6d3f584bb2b1ff63cd3a1973585807d283fc9041 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 10:02:07 -0500 Subject: remove unnecessary soledad/leap_mx hiera password variables from tapicero Change-Id: I17827fb88db9de088f638899433f5df1be9c3615 --- puppet/modules/tapicero/manifests/init.pp | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/tapicero/manifests/init.pp b/puppet/modules/tapicero/manifests/init.pp index fe33ac75..743e8a84 100644 --- a/puppet/modules/tapicero/manifests/init.pp +++ b/puppet/modules/tapicero/manifests/init.pp @@ -9,11 +9,8 @@ class tapicero { $couchdb_admin_user = $couchdb_users['admin']['username'] $couchdb_admin_password = $couchdb_users['admin']['password'] - $couchdb_soledad_user = $couchdb_users['soledad']['username'] - $couchdb_soledad_password = $couchdb_users['soledad']['password'] - - $couchdb_leap_mx_user = $couchdb_users['leap_mx']['username'] - $couchdb_leap_mx_password = $couchdb_users['leap_mx']['password'] + $couchdb_soledad_user = $couchdb_users['soledad']['username'] + $couchdb_leap_mx_user = $couchdb_users['leap_mx']['username'] Class['site_config::default'] -> Class['tapicero'] -- cgit v1.2.3 From 82f0c979bb91912518db3111b714f61cbe21e7df Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 10:02:26 -0500 Subject: remove admin access from soledad Change-Id: I7c516c6a4ba26d2c5cebe19a9bff66eae3bd430f --- puppet/modules/soledad/manifests/server.pp | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 6ccd934a..339030fc 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -3,19 +3,21 @@ class soledad::server { include soledad include site_apt::preferences::twisted - $couchdb = hiera('soledad') - $couchdb_host = 'localhost' - $couchdb_port = '5984' - $couchdb_user = $couchdb['couchdb_admin_user']['username'] - $couchdb_password = $couchdb['couchdb_admin_user']['password'] + $couchdb = hiera('couch') + $couchdb_users = $couchdb['users'] + $couchdb_user = $couchdb_users['soledad']['username'] + $couchdb_password = $couchdb_users['soledad']['password'] - include site_config::x509::cert - include site_config::x509::key - include site_config::x509::ca + $couchdb_host = 'localhost' + $couchdb_port = '5984' $soledad = hiera('soledad') $soledad_port = $soledad['port'] + include site_config::x509::cert + include site_config::x509::key + include site_config::x509::ca + # # SOLEDAD CONFIG # -- cgit v1.2.3 From c42879b031a8363e0ad575550c0fd36b269e9e28 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 10:05:28 -0500 Subject: remove admin access from leap_mx Change-Id: I0bbe42677d7680c99bf205ed4f6080026b308d77 --- puppet/modules/leap_mx/manifests/init.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 25b2758f..0d05a834 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -1,10 +1,11 @@ class leap_mx { - $couchdb_admin_user = hiera('couchdb_admin_user') - $couchdb_host = 'localhost' + $couchdb = hiera('couch') + $couchdb_users = $couchdb['users'] + $couchdb_user = $couchdb_users['leap_mx']['username'] + $couchdb_password = $couchdb_users['leap_mx']['password'] + $couchdb_port = '4096' - $couchdb_user = $couchdb_admin_user['username'] - $couchdb_password = $couchdb_admin_user['password'] include soledad::common include site_apt::preferences::twisted -- cgit v1.2.3 From bba78a580f7c859d3d0d726e291ad628d7e835d3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 10:31:49 -0500 Subject: remove admin access from nickserver Change-Id: If7fff4c2b839cef5807ee8cee1355aea4dc719a8 --- puppet/modules/site_nickserver/manifests/init.pp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 81482a55..bedef74d 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -20,14 +20,18 @@ class site_nickserver { # $nickserver = hiera('nickserver') + $nickserver_domain = $nickserver['domain'] + + $couchdb = hiera('couch') + $couchdb_users = $couchdb['users'] + $couchdb_user = $couchdb_users['nickserver']['username'] + $couchdb_password = $couchdb_users['nickserver']['password'] + # the port that public connects to (should be 6425) $nickserver_port = $nickserver['port'] # the port that nickserver is actually running on $nickserver_local_port = '64250' - $nickserver_domain = $nickserver['domain'] - $couchdb_user = $nickserver['couchdb_user']['username'] - $couchdb_password = $nickserver['couchdb_user']['password'] # couchdb is available on localhost via haproxy, which is bound to 4096. $couchdb_host = 'localhost' # See site_webapp/templates/haproxy_couchdb.cfg.erg -- cgit v1.2.3 From 0ee2115516eb8b79ad6ff8711b860d9da60e0f2a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 11:03:20 -0500 Subject: remove duplicate couchdb design document json files Change-Id: I5b3d073aec0522cf464ff41905be1ee326f13197 --- .../site_couchdb/files/designs/customers.json | 18 -------- .../site_couchdb/files/designs/identities.json | 28 ------------ .../site_couchdb/files/designs/sessions.json | 8 ---- .../site_couchdb/files/designs/tickets.json | 50 ---------------------- .../modules/site_couchdb/files/designs/tokens.json | 14 ------ .../modules/site_couchdb/files/designs/users.json | 26 ----------- 6 files changed, 144 deletions(-) delete mode 100644 puppet/modules/site_couchdb/files/designs/customers.json delete mode 100644 puppet/modules/site_couchdb/files/designs/identities.json delete mode 100644 puppet/modules/site_couchdb/files/designs/sessions.json delete mode 100644 puppet/modules/site_couchdb/files/designs/tickets.json delete mode 100644 puppet/modules/site_couchdb/files/designs/tokens.json delete mode 100644 puppet/modules/site_couchdb/files/designs/users.json (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/designs/customers.json b/puppet/modules/site_couchdb/files/designs/customers.json deleted file mode 100644 index 1b4bbddd..00000000 --- a/puppet/modules/site_couchdb/files/designs/customers.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "_id": "_design/Customer", - "language": "javascript", - "views": { - "by_user_id": { - "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_braintree_customer_id": { - "map": " function(doc) {\n if ((doc['type'] == 'Customer') && (doc['braintree_customer_id'] != null)) {\n emit(doc['braintree_customer_id'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'Customer') {\n emit(doc._id, null);\n }\n }\n" - } - }, - "couchrest-hash": "688c401ec0230b75625c176a88fc4a02" -} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/identities.json b/puppet/modules/site_couchdb/files/designs/identities.json deleted file mode 100644 index 8cf8c39b..00000000 --- a/puppet/modules/site_couchdb/files/designs/identities.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "_id": "_design/Identity", - "language": "javascript", - "views": { - "by_user_id": { - "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['user_id'] != null)) {\n emit(doc['user_id'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_address_and_destination": { - "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null) && (doc['destination'] != null)) {\n emit([doc['address'], doc['destination']], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_address": { - "map": " function(doc) {\n if ((doc['type'] == 'Identity') && (doc['address'] != null)) {\n emit(doc['address'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "pgp_key_by_email": { - "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n" - }, - "disabled": { - "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n }\n" - }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n" - } - }, - "couchrest-hash": "5b0ece9d28b3025d18ea71fddf3a532f" -} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/sessions.json b/puppet/modules/site_couchdb/files/designs/sessions.json deleted file mode 100644 index 70202780..00000000 --- a/puppet/modules/site_couchdb/files/designs/sessions.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "views": { - "by_expires": { - "reduce": "_sum", - "map": "function(doc) {\n if(typeof doc.expires !== \"undefined\") {\n emit(doc.expires, 1);\n }\n}\n" - } - } -} diff --git a/puppet/modules/site_couchdb/files/designs/tickets.json b/puppet/modules/site_couchdb/files/designs/tickets.json deleted file mode 100644 index 2c9408b8..00000000 --- a/puppet/modules/site_couchdb/files/designs/tickets.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "_id": "_design/Ticket", - "language": "javascript", - "views": { - "by_updated_at": { - "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['updated_at'] != null)) {\n emit(doc['updated_at'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_created_at": { - "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_created_by": { - "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['created_by'] != null)) {\n emit(doc['created_by'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_is_open_and_created_at": { - "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['created_at'] != null)) {\n emit([doc['is_open'], doc['created_at']], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_is_open_and_updated_at": { - "map": " function(doc) {\n if ((doc['type'] == 'Ticket') && (doc['is_open'] != null) && (doc['updated_at'] != null)) {\n emit([doc['is_open'], doc['updated_at']], 1);\n }\n }\n", - "reduce": "_sum" - }, - "by_includes_post_by_and_is_open_and_created_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.created_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_includes_post_by_and_is_open_and_updated_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.is_open, doc.updated_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_includes_post_by_and_updated_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.updated_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_includes_post_by": { - "map": "// TODO: This view is only used in tests--should we keep it?\nfunction(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit(comment.posted_by, 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_includes_post_by_and_created_at": { - "map": "function(doc) {\n var arr = {}\n if (doc['type'] == 'Ticket' && doc.comments) {\n doc.comments.forEach(function(comment){\n if (comment.posted_by && !arr[comment.posted_by]) {\n //don't add duplicates\n arr[comment.posted_by] = true;\n emit([comment.posted_by, doc.created_at], 1);\n }\n });\n }\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'Ticket') {\n emit(doc._id, null);\n }\n }\n" - } - }, - "couchrest-hash": "9978e2cbeacbe8622c2a7f103bf8130f" -} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/tokens.json b/puppet/modules/site_couchdb/files/designs/tokens.json deleted file mode 100644 index b9025f15..00000000 --- a/puppet/modules/site_couchdb/files/designs/tokens.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "_id": "_design/Token", - "language": "javascript", - "views": { - "by_last_seen_at": { - "map": " function(doc) {\n if ((doc['type'] == 'Token') && (doc['last_seen_at'] != null)) {\n emit(doc['last_seen_at'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'Token') {\n emit(doc._id, null);\n }\n }\n" - } - }, - "couchrest-hash": "541dd924551c42a2317b345effbe65cc" -} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/users.json b/puppet/modules/site_couchdb/files/designs/users.json deleted file mode 100644 index c500822b..00000000 --- a/puppet/modules/site_couchdb/files/designs/users.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "_id": "_design/User", - "language": "javascript", - "views": { - "by_login": { - "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['login'] != null)) {\n emit(doc['login'], 1);\n }\n }\n", - "reduce": "_sum" - }, - "all": { - "map": " function(doc) {\n if (doc['type'] == 'User') {\n emit(doc._id, null);\n }\n }\n" - }, - "by_alias": { - "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_login_or_alias": { - "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n emit(doc.login, 1);\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_created_at": { - "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", - "reduce": "_sum" - } - }, - "couchrest-hash": "26adb5c9480663de3fe60d959b60a7b2" -} \ No newline at end of file -- cgit v1.2.3 From a241d230f01ac2c89405f4ef12f5d27bdedf1543 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 11:52:16 -0500 Subject: remove nickserver admin user, and fix nickserver couchdb hiera variables Change-Id: I5bdb6b946becdc95cadc92651c06e66b826e2698 --- puppet/modules/site_nickserver/manifests/init.pp | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index bedef74d..e1b911c1 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -21,11 +21,8 @@ class site_nickserver { $nickserver = hiera('nickserver') $nickserver_domain = $nickserver['domain'] - - $couchdb = hiera('couch') - $couchdb_users = $couchdb['users'] - $couchdb_user = $couchdb_users['nickserver']['username'] - $couchdb_password = $couchdb_users['nickserver']['password'] + $couchdb_user = $nickserver['couchdb_nickserver_user']['username'] + $couchdb_password = $nickserver['couchdb_nickserver_user']['password'] # the port that public connects to (should be 6425) $nickserver_port = $nickserver['port'] -- cgit v1.2.3 From 408621e4b57b9df1d67fa32eba8d15b83b8d1fd4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 11:52:31 -0500 Subject: remove leap_mx admin user and fix leap_mx couchdb hiera variables Change-Id: I052576279d8a47313cd99412fdd7b715daa73374 --- puppet/modules/leap_mx/manifests/init.pp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 0d05a834..d1625f5a 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -1,9 +1,8 @@ class leap_mx { - $couchdb = hiera('couch') - $couchdb_users = $couchdb['users'] - $couchdb_user = $couchdb_users['leap_mx']['username'] - $couchdb_password = $couchdb_users['leap_mx']['password'] + $mx = hiera('mx') + $couchdb_user = $mx['couchdb_leap_mx_user']['username'] + $couchdb_password = $mx['couchdb_leap_mx_password']['password'] $couchdb_port = '4096' -- cgit v1.2.3 From 76c3048a15719bc1dd15287fd3406e94d40684ab Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 12:00:50 -0500 Subject: fix soledad couchdb hiera variables Change-Id: I0882fc993b407eddc40c03838050d42c0443bd3d --- puppet/modules/leap_mx/manifests/init.pp | 6 +++--- puppet/modules/soledad/manifests/server.pp | 7 +++---- 2 files changed, 6 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index d1625f5a..e0c3660b 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -1,8 +1,8 @@ class leap_mx { - $mx = hiera('mx') - $couchdb_user = $mx['couchdb_leap_mx_user']['username'] - $couchdb_password = $mx['couchdb_leap_mx_password']['password'] + $leap_mx = hiera('couchdb_leap_mx_user') + $couchdb_user = $leap_mx['username'] + $couchdb_password = $leap_mx['password'] $couchdb_port = '4096' diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 339030fc..d4991fe6 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -3,10 +3,9 @@ class soledad::server { include soledad include site_apt::preferences::twisted - $couchdb = hiera('couch') - $couchdb_users = $couchdb['users'] - $couchdb_user = $couchdb_users['soledad']['username'] - $couchdb_password = $couchdb_users['soledad']['password'] + $soledad = hiera('soledad') + $couchdb_user = $soledad['couchdb_soledad_user']['username'] + $couchdb_password = $soledad['couchdb_soledad_password']['password'] $couchdb_host = 'localhost' $couchdb_port = '5984' -- cgit v1.2.3 From 81ff8e2b6aaebae35098357146958a8011af85fe Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 11:56:38 -0500 Subject: fix cwd in webapp cronjobs Change-Id: I2e189bf5e209c731077539a57f9b334ac66cd25b --- puppet/modules/site_webapp/manifests/cron.pp | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp index be997103..811ad11d 100644 --- a/puppet/modules/site_webapp/manifests/cron.pp +++ b/puppet/modules/site_webapp/manifests/cron.pp @@ -3,15 +3,13 @@ class site_webapp::cron { # cron tasks that need to be performed to cleanup the database cron { 'remove_expired_sessions': - command => 'bundle exec rake cleanup:sessions', - cwd => '/srv/leap/webapp', + command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions', environment => 'RAILS_ENV=production', hour => 2, minute => 30; 'remove_expired_tokens': - command => 'bundle exec rake cleanup:tokens', - cwd => '/srv/leap/webapp', + command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens', environment => 'RAILS_ENV=production', hour => 3, minute => 0; -- cgit v1.2.3 From b62056da276abb8eb6ef6d6c883c5d20da2017d8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 28 Nov 2013 12:25:36 -0500 Subject: fix soledad couchdb hiera variables, part ii Change-Id: Ie0028056767358c4fe6796edd5ba4435e86a0cb3 --- puppet/modules/soledad/manifests/server.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index d4991fe6..572cad44 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -5,12 +5,11 @@ class soledad::server { $soledad = hiera('soledad') $couchdb_user = $soledad['couchdb_soledad_user']['username'] - $couchdb_password = $soledad['couchdb_soledad_password']['password'] + $couchdb_password = $soledad['couchdb_soledad_user']['password'] $couchdb_host = 'localhost' $couchdb_port = '5984' - $soledad = hiera('soledad') $soledad_port = $soledad['port'] include site_config::x509::cert -- cgit v1.2.3 From 79c97caa49ca43585fa638f1aa32cacbd94d06f0 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Thu, 5 Dec 2013 09:19:28 +0100 Subject: updated sshd submodule, see #4423 --- puppet/modules/sshd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/sshd b/puppet/modules/sshd index bd2e283a..1eabfe1b 160000 --- a/puppet/modules/sshd +++ b/puppet/modules/sshd @@ -1 +1 @@ -Subproject commit bd2e283ab59430a7b3194804f1c8da7a9b58f8ff +Subproject commit 1eabfe1b590f6663c2558f949408a08fc5f58fa6 -- cgit v1.2.3 From 12d489e5fd3cfc8b7f9d9132ba015cfe2dc46cf8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Dec 2013 10:48:05 -0500 Subject: update couchdb::add_user to use couchdb::document (#4624) Change-Id: Ie7810d7e851f5023bc8970cccc888eccb8661856 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index e4906614..d38d80cc 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit e49066146ffeb91ce7c8e2100cdc4eca0ceb3a9b +Subproject commit d38d80ccb19947984ea9d4ecc8d826144c33dff4 -- cgit v1.2.3 From ea37ddb5b324686fe2e3489119e4000a50d9a138 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 3 Dec 2013 12:39:03 -0500 Subject: restore missing couchdb_host variable for leap_mx Change-Id: I5b21471ab5de55b627a200b256168122f49c1e28 --- puppet/modules/leap_mx/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index e0c3660b..b59eac01 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp @@ -4,6 +4,7 @@ class leap_mx { $couchdb_user = $leap_mx['username'] $couchdb_password = $leap_mx['password'] + $couchdb_host = 'localhost' $couchdb_port = '4096' include soledad::common -- cgit v1.2.3 From b947a35003613ebc03d1d3e880d1d5aeeb2d6dea Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 4 Dec 2013 11:02:30 -0500 Subject: replace couch-doc-update with one that uses MultiJson instead, this could prevent the outdated json errors (#4622) Change-Id: Ibd929045a28eef1e9262fad8953df8fd150c1966 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index d38d80cc..7ac2149c 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit d38d80ccb19947984ea9d4ecc8d826144c33dff4 +Subproject commit 7ac2149cdc9f9ca0ce00f70c4e7ac48c896889ec -- cgit v1.2.3 From 006a2fec91304f1814deb3c3887b72aa0872a600 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 11:44:50 -0500 Subject: fix name of customers couchdb database (#4787) Change-Id: I704a1d46069f975711323ff8e6a634d06c267157 --- puppet/modules/site_couchdb/manifests/create_dbs.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index f206fddb..b0ebca4d 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -4,7 +4,7 @@ class site_couchdb::create_dbs { ### customer database ### r/w: webapp, - couchdb::create_db { 'customer': + couchdb::create_db { 'customers': members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", require => Couchdb::Query::Setup['localhost'] } -- cgit v1.2.3 From 67eb795b40a3294f86b7ec6c4b1c3e2541635841 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 Dec 2013 18:05:01 +0100 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 7ac2149c..090f014c 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 7ac2149cdc9f9ca0ce00f70c4e7ac48c896889ec +Subproject commit 090f014c63ae3e36662cacf9a0bdd2d51cd0e6e6 -- cgit v1.2.3 From 51f17512d031e937ebbb8f6568c7cffc287b65d3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 12:57:20 -0500 Subject: rename the tls.pp to be smtpd_tls.pp, this allows us to have a separate class for smtp vs. smtpd tls configurations Change-Id: Ic1cc560c76924fcbbc15e245bec7b78ac2de83d3 --- .../modules/site_postfix/manifests/mx/smtpd_tls.pp | 53 +++++++++++++++ puppet/modules/site_postfix/manifests/mx/tls.pp | 78 ---------------------- 2 files changed, 53 insertions(+), 78 deletions(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp delete mode 100644 puppet/modules/site_postfix/manifests/mx/tls.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp new file mode 100644 index 00000000..5714218c --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp @@ -0,0 +1,53 @@ +class site_postfix::mx::smtpd_tls { + + include x509::variables + $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" + + + postfix::config { + 'smtpd_use_tls': value => 'yes'; + 'smtpd_tls_CAfile': value => $ca_path; + 'smtpd_tls_cert_file': value => $cert_path; + 'smtpd_tls_key_file': value => $key_path; + 'smtpd_tls_ask_ccert': value => 'yes'; + 'smtpd_tls_security_level': + value => 'may'; + 'smtpd_tls_eecdh_grade': + value => 'ultra' + } + + # Setup DH parameters + # Instead of using the dh parameters that are created by leap cli, it is more + # secure to generate new parameter files that will only be used for postfix, + # for each machine + + include site_config::packages::gnutls + + # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh + # parameters Neither Postfix nor OpenSSL actually care about the size of the + # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits + + exec { 'certtool-postfix-gendh': + command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem', + user => root, + group => root, + creates => '/etc/postfix/smtpd_tls_dh_param.pem', + require => [ Package['gnutls-bin'], Package['postfix'] ] + } + + # Make sure the dh params file has correct ownership and mode + file { + '/etc/postfix/smtpd_tls_dh_param.pem': + owner => root, + group => root, + mode => '0600', + require => Exec['certtool-postfix-gendh']; + } + + postfix::config { 'smtpd_tls_dh1024_param_file': + value => '/etc/postfix/smtpd_tls_dh_param.pem', + require => File['/etc/postfix/smtpd_tls_dh_param.pem'] + } +} diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp deleted file mode 100644 index 08978efd..00000000 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ /dev/null @@ -1,78 +0,0 @@ -class site_postfix::mx::tls { - - include x509::variables - $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" - $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" - $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - - - postfix::config { - 'smtpd_use_tls': value => 'yes'; - 'smtpd_tls_CAfile': value => $ca_path; - 'smtpd_tls_cert_file': value => $cert_path; - 'smtpd_tls_key_file': value => $key_path; - 'smtpd_tls_ask_ccert': value => 'yes'; - 'smtpd_tls_security_level': - value => 'may'; - 'smtpd_tls_eecdh_grade': - value => 'ultra' - } - - # Setup DH parameters - # Instead of using the dh parameters that are created by leap cli, it is more - # secure to generate new parameter files that will only be used for postfix, - # for each machine - - include site_config::packages::gnutls - - # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh - # parameters Neither Postfix nor OpenSSL actually care about the size of the - # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits - - exec { 'certtool-postfix-gendh': - command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem', - user => root, - group => root, - creates => '/etc/postfix/smtpd_tls_dh_param.pem', - require => [ Package['gnutls-bin'], Package['postfix'] ] - } - - # Make sure the dh params file has correct ownership and mode - file { - '/etc/postfix/smtpd_tls_dh_param.pem': - owner => root, - group => root, - mode => '0600', - require => Exec['certtool-postfix-gendh']; - } - - postfix::config { 'smtpd_tls_dh1024_param_file': - value => '/etc/postfix/smtpd_tls_dh_param.pem', - require => File['/etc/postfix/smtpd_tls_dh_param.pem'] - } - -} - # smtp TLS - postfix::config { - 'smtp_use_tls': value => 'yes'; - 'smtp_tls_CApath': value => '/etc/ssl/certs/'; - 'smtp_tls_CAfile': value => $ca_path; - 'smtp_tls_cert_file': value => $cert_path; - 'smtp_tls_key_file': value => $key_path; - 'smtp_tls_ask_ccert': value => 'yes'; - 'smtp_tls_loglevel': value => '1'; - 'smtp_tls_exclude_ciphers': - value => 'aNULL, MD5, DES'; - # upstream default is md5 (since 2.5 and older used it), we force sha1 - 'smtp_tls_fingerprint_digest': - value => 'sha1'; - 'smtp_tls_session_cache_database': - value => 'btree:${queue_directory}/smtp_cache'; - 'smtp_tls_security_level': - value => 'may'; - # see issue #4011 - 'smtp_tls_protocols': - value => '!SSLv2, !SSLv3'; - } - - -- cgit v1.2.3 From 86a2d30985cb118fdb158cc605237ae9445b6123 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 12:58:22 -0500 Subject: add a smtp_tls class and include that on both mx servers and satellites Change-Id: I779ea60e6d726d042203fa0756d73b4af079d728 --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- .../modules/site_postfix/manifests/mx/smtp_tls.pp | 29 ++++++++++++++++++++++ puppet/modules/site_postfix/manifests/satellite.pp | 3 +++ 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_tls.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 59d3030d..441252f2 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -32,7 +32,8 @@ class site_postfix::mx { include site_postfix::mx::smtpd_checks include site_postfix::mx::checks - include site_postfix::mx::tls + include site_postfix::mx::smtp_tls + include site_postfix::mx::smtpd_tls include site_postfix::mx::reserved_aliases # greater verbosity for debugging, take out for production diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp new file mode 100644 index 00000000..4b9c2fd9 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp @@ -0,0 +1,29 @@ +class site_postfix::mx::smtp_tls { + + include x509::variables + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" + + # smtp TLS + postfix::config { + 'smtp_use_tls': value => 'yes'; + 'smtp_tls_CApath': value => '/etc/ssl/certs/'; + 'smtp_tls_CAfile': value => $ca_path; + 'smtp_tls_cert_file': value => $cert_path; + 'smtp_tls_key_file': value => $key_path; + 'smtp_tls_loglevel': value => '1'; + 'smtp_tls_exclude_ciphers': + value => 'aNULL, MD5, DES'; + # upstream default is md5 (since 2.5 and older used it), we force sha1 + 'smtp_tls_fingerprint_digest': + value => 'sha1'; + 'smtp_tls_session_cache_database': + value => 'btree:${queue_directory}/smtp_cache'; + 'smtp_tls_security_level': + value => 'may'; + # see issue #4011 + 'smtp_tls_protocols': + value => '!SSLv2, !SSLv3'; + } +} diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp index de20b667..7be51b22 100644 --- a/puppet/modules/site_postfix/manifests/satellite.pp +++ b/puppet/modules/site_postfix/manifests/satellite.pp @@ -3,9 +3,12 @@ class site_postfix::satellite { $root_mail_recipient = hiera ('contacts') $mail = hiera ('mail') $relayhost = $mail['smarthost'] + $cert_name = hiera('name') class { '::postfix::satellite': relayhost => $relayhost, root_mail_recipient => $root_mail_recipient } + + include site_postfix::mx::smtp_tls } -- cgit v1.2.3 From 411b7ebb8bce00a81002d1abb9f7c488571ddb47 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 12:57:20 -0500 Subject: rename the tls.pp to be smtpd_tls.pp, this allows us to have a separate class for smtp vs. smtpd tls configurations Change-Id: Ic1cc560c76924fcbbc15e245bec7b78ac2de83d3 --- .../modules/site_postfix/manifests/mx/smtpd_tls.pp | 53 +++++++++++++++ puppet/modules/site_postfix/manifests/mx/tls.pp | 78 ---------------------- 2 files changed, 53 insertions(+), 78 deletions(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp delete mode 100644 puppet/modules/site_postfix/manifests/mx/tls.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp new file mode 100644 index 00000000..5714218c --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp @@ -0,0 +1,53 @@ +class site_postfix::mx::smtpd_tls { + + include x509::variables + $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" + + + postfix::config { + 'smtpd_use_tls': value => 'yes'; + 'smtpd_tls_CAfile': value => $ca_path; + 'smtpd_tls_cert_file': value => $cert_path; + 'smtpd_tls_key_file': value => $key_path; + 'smtpd_tls_ask_ccert': value => 'yes'; + 'smtpd_tls_security_level': + value => 'may'; + 'smtpd_tls_eecdh_grade': + value => 'ultra' + } + + # Setup DH parameters + # Instead of using the dh parameters that are created by leap cli, it is more + # secure to generate new parameter files that will only be used for postfix, + # for each machine + + include site_config::packages::gnutls + + # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh + # parameters Neither Postfix nor OpenSSL actually care about the size of the + # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits + + exec { 'certtool-postfix-gendh': + command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem', + user => root, + group => root, + creates => '/etc/postfix/smtpd_tls_dh_param.pem', + require => [ Package['gnutls-bin'], Package['postfix'] ] + } + + # Make sure the dh params file has correct ownership and mode + file { + '/etc/postfix/smtpd_tls_dh_param.pem': + owner => root, + group => root, + mode => '0600', + require => Exec['certtool-postfix-gendh']; + } + + postfix::config { 'smtpd_tls_dh1024_param_file': + value => '/etc/postfix/smtpd_tls_dh_param.pem', + require => File['/etc/postfix/smtpd_tls_dh_param.pem'] + } +} diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp deleted file mode 100644 index 08978efd..00000000 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ /dev/null @@ -1,78 +0,0 @@ -class site_postfix::mx::tls { - - include x509::variables - $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" - $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" - $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - - - postfix::config { - 'smtpd_use_tls': value => 'yes'; - 'smtpd_tls_CAfile': value => $ca_path; - 'smtpd_tls_cert_file': value => $cert_path; - 'smtpd_tls_key_file': value => $key_path; - 'smtpd_tls_ask_ccert': value => 'yes'; - 'smtpd_tls_security_level': - value => 'may'; - 'smtpd_tls_eecdh_grade': - value => 'ultra' - } - - # Setup DH parameters - # Instead of using the dh parameters that are created by leap cli, it is more - # secure to generate new parameter files that will only be used for postfix, - # for each machine - - include site_config::packages::gnutls - - # Note, the file name is called dh_1024.pem, but we are generating 2048bit dh - # parameters Neither Postfix nor OpenSSL actually care about the size of the - # prime in "smtpd_tls_dh1024_param_file". You can make it 2048 bits - - exec { 'certtool-postfix-gendh': - command => 'certtool --generate-dh-params --bits 2048 --outfile /etc/postfix/smtpd_tls_dh_param.pem', - user => root, - group => root, - creates => '/etc/postfix/smtpd_tls_dh_param.pem', - require => [ Package['gnutls-bin'], Package['postfix'] ] - } - - # Make sure the dh params file has correct ownership and mode - file { - '/etc/postfix/smtpd_tls_dh_param.pem': - owner => root, - group => root, - mode => '0600', - require => Exec['certtool-postfix-gendh']; - } - - postfix::config { 'smtpd_tls_dh1024_param_file': - value => '/etc/postfix/smtpd_tls_dh_param.pem', - require => File['/etc/postfix/smtpd_tls_dh_param.pem'] - } - -} - # smtp TLS - postfix::config { - 'smtp_use_tls': value => 'yes'; - 'smtp_tls_CApath': value => '/etc/ssl/certs/'; - 'smtp_tls_CAfile': value => $ca_path; - 'smtp_tls_cert_file': value => $cert_path; - 'smtp_tls_key_file': value => $key_path; - 'smtp_tls_ask_ccert': value => 'yes'; - 'smtp_tls_loglevel': value => '1'; - 'smtp_tls_exclude_ciphers': - value => 'aNULL, MD5, DES'; - # upstream default is md5 (since 2.5 and older used it), we force sha1 - 'smtp_tls_fingerprint_digest': - value => 'sha1'; - 'smtp_tls_session_cache_database': - value => 'btree:${queue_directory}/smtp_cache'; - 'smtp_tls_security_level': - value => 'may'; - # see issue #4011 - 'smtp_tls_protocols': - value => '!SSLv2, !SSLv3'; - } - - -- cgit v1.2.3 From 9531b13447ff204a00a138a137818054603fe1c9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 12:58:22 -0500 Subject: add a smtp_tls class and include that on both mx servers and satellites Change-Id: I779ea60e6d726d042203fa0756d73b4af079d728 --- puppet/modules/site_postfix/manifests/mx.pp | 3 ++- .../modules/site_postfix/manifests/mx/smtp_tls.pp | 29 ++++++++++++++++++++++ puppet/modules/site_postfix/manifests/satellite.pp | 3 +++ 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_postfix/manifests/mx/smtp_tls.pp (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 59d3030d..441252f2 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -32,7 +32,8 @@ class site_postfix::mx { include site_postfix::mx::smtpd_checks include site_postfix::mx::checks - include site_postfix::mx::tls + include site_postfix::mx::smtp_tls + include site_postfix::mx::smtpd_tls include site_postfix::mx::reserved_aliases # greater verbosity for debugging, take out for production diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp new file mode 100644 index 00000000..4b9c2fd9 --- /dev/null +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp @@ -0,0 +1,29 @@ +class site_postfix::mx::smtp_tls { + + include x509::variables + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" + + # smtp TLS + postfix::config { + 'smtp_use_tls': value => 'yes'; + 'smtp_tls_CApath': value => '/etc/ssl/certs/'; + 'smtp_tls_CAfile': value => $ca_path; + 'smtp_tls_cert_file': value => $cert_path; + 'smtp_tls_key_file': value => $key_path; + 'smtp_tls_loglevel': value => '1'; + 'smtp_tls_exclude_ciphers': + value => 'aNULL, MD5, DES'; + # upstream default is md5 (since 2.5 and older used it), we force sha1 + 'smtp_tls_fingerprint_digest': + value => 'sha1'; + 'smtp_tls_session_cache_database': + value => 'btree:${queue_directory}/smtp_cache'; + 'smtp_tls_security_level': + value => 'may'; + # see issue #4011 + 'smtp_tls_protocols': + value => '!SSLv2, !SSLv3'; + } +} diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp index de20b667..7be51b22 100644 --- a/puppet/modules/site_postfix/manifests/satellite.pp +++ b/puppet/modules/site_postfix/manifests/satellite.pp @@ -3,9 +3,12 @@ class site_postfix::satellite { $root_mail_recipient = hiera ('contacts') $mail = hiera ('mail') $relayhost = $mail['smarthost'] + $cert_name = hiera('name') class { '::postfix::satellite': relayhost => $relayhost, root_mail_recipient => $root_mail_recipient } + + include site_postfix::mx::smtp_tls } -- cgit v1.2.3 From 88af29f3aba662aab4ca5ac3122d43139fb97004 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 17 Dec 2013 15:43:58 -0500 Subject: Fix for openvpn/unbound not starting at boot (#4506) This change sets the sysctl net.ipv4.ip_nonlocal_bind to allow applications to bind to an address, even when the link is down. This is necessary because applications like unbound and openvpn fail to start on boot in some situations because interfaces are not fully up (due to a combination of non-deterministic booting because of the likely potential setting of allow-hotplug in the interfaces file and the LSB boot dependency on $network not being sufficient. The only down-side to setting this is a daemon could bind to an incorrect ip and we wouldn't get an error, but this would be a configuration mistake, rather than a fatal condition. Change-Id: I5c03083e8c20bb25afad85a1230f4555808d341c --- puppet/modules/site_config/manifests/default.pp | 4 +++- puppet/modules/site_config/manifests/sysctl.pp | 8 ++++++++ puppet/modules/sysctl | 1 + 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_config/manifests/sysctl.pp create mode 160000 puppet/modules/sysctl (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 33d3df05..d85d9c8f 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -12,7 +12,6 @@ class site_config::default { include site_config::slow - include concat::setup # default class, used by all hosts @@ -22,6 +21,9 @@ class site_config::default { # configure apt include site_apt + # configure sysctl parameters + include site_config::sysctl + # configure ssh and include ssh-keys include site_config::sshd diff --git a/puppet/modules/site_config/manifests/sysctl.pp b/puppet/modules/site_config/manifests/sysctl.pp new file mode 100644 index 00000000..99f75123 --- /dev/null +++ b/puppet/modules/site_config/manifests/sysctl.pp @@ -0,0 +1,8 @@ +class site_config::sysctl { + + sysctl::config { + 'net.ipv4.ip_nonlocal_bind': + value => 1, + comment => 'Allow applications to bind to an address when link is down (see https://leap.se/code/issues/4506)' + } +} diff --git a/puppet/modules/sysctl b/puppet/modules/sysctl new file mode 160000 index 00000000..975852b7 --- /dev/null +++ b/puppet/modules/sysctl @@ -0,0 +1 @@ +Subproject commit 975852b7acc1125b4cd9d4d490b9abd8d31217e6 -- cgit v1.2.3 From e0c07465d14d701da16e47b9c2e3938c80088c4d Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Dec 2013 12:50:17 +0100 Subject: Deploy /etc/leap/couchdb_scripts_defaults.conf so we can exclude some DBs, i.e. sessions + tokens (#4794) --- .../modules/site_couchdb/files/couchdb_scripts_defaults.conf | 4 ++++ puppet/modules/site_couchdb/manifests/backup.pp | 11 +++++++++++ 2 files changed, 15 insertions(+) create mode 100644 puppet/modules/site_couchdb/files/couchdb_scripts_defaults.conf (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/couchdb_scripts_defaults.conf b/puppet/modules/site_couchdb/files/couchdb_scripts_defaults.conf new file mode 100644 index 00000000..1565e1a1 --- /dev/null +++ b/puppet/modules/site_couchdb/files/couchdb_scripts_defaults.conf @@ -0,0 +1,4 @@ +# space separated list of excluded DBs for dumping +# sourced by couchdb_dumpall.sh +EXCLUDE_DBS='sessions tokens' + diff --git a/puppet/modules/site_couchdb/manifests/backup.pp b/puppet/modules/site_couchdb/manifests/backup.pp index ef505693..8b5aa6ea 100644 --- a/puppet/modules/site_couchdb/manifests/backup.pp +++ b/puppet/modules/site_couchdb/manifests/backup.pp @@ -9,4 +9,15 @@ class site_couchdb::backup { backupninja::sh { 'couchdb_backup': command_string => "cd /srv/leap/couchdb/scripts \n./couchdb_dumpall.sh" } + + # Deploy /etc/leap/couchdb_scripts_defaults.conf so we can exclude + # some databases + + file { '/etc/leap/couchdb_scripts_defaults.conf': + source => 'puppet:///modules/site_couchdb/couchdb_scripts_defaults.conf', + mode => '0644', + owner => 'root', + group => 'root', + } + } -- cgit v1.2.3 From 66ad58f2bc3b285bd17d5e61a21afece11d2c293 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 19 Dec 2013 14:22:43 -0500 Subject: Fix the location of the smtp/smtpd_tls_session_cache_database (#4813) Change-Id: I959fa40ff508bbeaf7baa0b6ba90c10c9e6b0ef7 --- puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 2 +- puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp index 4b9c2fd9..3cc7ea72 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp @@ -19,7 +19,7 @@ class site_postfix::mx::smtp_tls { 'smtp_tls_fingerprint_digest': value => 'sha1'; 'smtp_tls_session_cache_database': - value => 'btree:${queue_directory}/smtp_cache'; + value => 'btree:${data_directory}/smtp_cache'; 'smtp_tls_security_level': value => 'may'; # see issue #4011 diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp index 5714218c..0809c75f 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp @@ -15,7 +15,9 @@ class site_postfix::mx::smtpd_tls { 'smtpd_tls_security_level': value => 'may'; 'smtpd_tls_eecdh_grade': - value => 'ultra' + value => 'ultra'; + 'smtpd_tls_session_cache_database': + value => 'btree:${data_directory}/smtpd_scache'; } # Setup DH parameters -- cgit v1.2.3 From 5f7f2cd3a61aafb1afc81b74b3ef03afe3a64221 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 19 Dec 2013 16:03:45 -0500 Subject: Set mynetworks to include any mx server in the provider to allow them to Helo as the domain (#4495) Change-Id: I6c8ac28faceb8b0c6129a606ede04837efd3d261 --- puppet/modules/site_postfix/manifests/mx.pp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 441252f2..de89c26e 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -4,6 +4,7 @@ class site_postfix::mx { $domain = $domain_hash['full_suffix'] $host_domain = $domain_hash['full'] $cert_name = hiera('name') + $mynetworks = join(hiera('mx_nodes'), ' ') $root_mail_recipient = hiera ('contacts') $postfix_smtp_listen = 'all' @@ -14,6 +15,8 @@ class site_postfix::mx { include site_config::x509::client_ca::key postfix::config { + 'mynetworks': + value => "127.0.0.0/8 [::1]/128 [fe80::]/64 ${mynetworks}"; 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 'myhostname': -- cgit v1.2.3 From ecb537042e73934d508377280254dc18f8180a41 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 20 Dec 2013 15:48:21 +0100 Subject: Adopt tapicero config file to tapicero > 0.2.0 In order to reuse the couch changes observer for key uploads I extracted it from tapicero and made the configuration more generic. This results in some changes to the config file format. When deploying tapicero >= 0.2.0 this config file format should be used instead. Also set log_level to debug by default. We can reduce this later but it might be useful for now. --- .../modules/tapicero/templates/tapicero.yaml.erb | 48 +++++++++++----------- 1 file changed, 25 insertions(+), 23 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb index 098f95bd..cfc02c5c 100644 --- a/puppet/modules/tapicero/templates/tapicero.yaml.erb +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb @@ -2,34 +2,15 @@ # Default configuration options for Tapicero # -# database to observe for changes: -users_db_name: "users" - -# prefix for per user databases: -db_prefix: "user-" - # couch connection configuration -couch_connection: +connection: protocol: "http" host: "localhost" port: <%= @couchdb_port %> username: <%= @couchdb_admin_user %> password: <%= @couchdb_admin_password %> - -# security settings to be used for the per user databases -security: - admins: - names: - # We explicitly allow the admin user to access per user databases, even - # though admin access ignores per database security we just do this to be - # explicit about this - - <%= @couchdb_admin_user %> - roles: [] - readers: - names: - - <%= @couchdb_soledad_user %> - - <%= @couchdb_leap_mx_user %> - roles: [] + prefix : "" + suffix : "" # file to store the last processed user record in so we can resume after # a restart: @@ -37,4 +18,25 @@ seq_file: "/var/lib/leap/tapicero/tapicero.seq" # Configure log_file like this if you want to log to a file instead of syslog: # log_file: "/var/leap/log/tapicero.log" -log_level: info +log_level: debug + +# tapicero specific options +options: + # prefix for per user databases: + db_prefix: "user-" + + # security settings to be used for the per user databases + security: + admins: + names: + # We explicitly allow the admin user to access per user databases, even + # though admin access ignores per database security we just do this to be + # explicit about this + - <%= @couchdb_admin_user %> + roles: [] + readers: + names: + - <%= @couchdb_soledad_user %> + - <%= @couchdb_leap_mx_user %> + roles: [] + -- cgit v1.2.3 From bf385beb22b7a17899604c21b764d84de55b23a8 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 24 Dec 2013 00:53:14 -0800 Subject: move nickserver config to /etc/nickserver.yml (fixes #4843) --- puppet/modules/site_nickserver/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index e1b911c1..eaf90d55 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -95,7 +95,7 @@ class site_nickserver { # NICKSERVER CONFIG # - file { '/etc/leap/nickserver.yml': + file { '/etc/nickserver.yml': content => template('site_nickserver/nickserver.yml.erb'), owner => nickserver, group => nickserver, -- cgit v1.2.3 From c07e0f2f5ddd17c7d7bdb6a1afc4748b401f14ae Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 31 Dec 2013 17:09:22 +0100 Subject: add design docs for new soledad version to shared db --- puppet/modules/site_couchdb/files/designs/shared/docs.json | 12 ++++++++++++ puppet/modules/site_couchdb/files/designs/shared/syncs.json | 11 +++++++++++ .../site_couchdb/files/designs/shared/transactions.json | 12 ++++++++++++ 3 files changed, 35 insertions(+) create mode 100644 puppet/modules/site_couchdb/files/designs/shared/docs.json create mode 100644 puppet/modules/site_couchdb/files/designs/shared/syncs.json create mode 100644 puppet/modules/site_couchdb/files/designs/shared/transactions.json (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/designs/shared/docs.json b/puppet/modules/site_couchdb/files/designs/shared/docs.json new file mode 100644 index 00000000..4aad02aa --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/shared/docs.json @@ -0,0 +1,12 @@ +{ + "views" : { + "get" : { + "map" : "function(doc) {\n if (doc.u1db_rev) {\n var is_tombstone = true;\n var has_conflicts = false;\n if (doc._attachments) {\n if (doc._attachments.u1db_content)\n is_tombstone = false;\n if (doc._attachments.u1db_conflicts)\n has_conflicts = true;\n }\n emit(doc._id,\n {\n \"couch_rev\": doc._rev,\n \"u1db_rev\": doc.u1db_rev,\n \"is_tombstone\": is_tombstone,\n \"has_conflicts\": has_conflicts,\n }\n );\n }\n}\n" + } + }, + "_id" : "_design/docs", + "updates" : { + "resolve_doc" : "function(doc, req){\n /* we expect to receive the following in `req.body`:\n * {\n * 'couch_rev': '',\n * 'conflicts': '',\n * }\n */\n var body = JSON.parse(req.body);\n\n // fail if no document was given\n if (!doc) {\n return [null, 'document does not exist']\n } \n\n // fail if couch revisions do not match\n if (body['couch_rev'] != null\n && doc['_rev'] != body['couch_rev']) {\n return [null, 'revision conflict']\n }\n\n // fail if conflicts were not sent\n if (body['conflicts'] == null)\n return [null, 'missing conflicts']\n\n // save conflicts as attachment if they were sent\n if (body['conflicts'] != null) {\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_conflicts = {\n content_type: \"application/octet-stream\",\n data: body['conflicts'] // should be base64 encoded\n }\n }\n // or delete attachment if there are no conflicts\n else if (doc._attachments && doc._attachments.u1db_conflicts)\n delete doc._attachments.u1db_conflicts;\n\n return [doc, 'ok'];\n}\n", + "put" : "function(doc, req){\n /* we expect to receive the following in `req.body`:\n * {\n * 'couch_rev': '',\n * 'u1db_rev': '',\n * 'content': '',\n * 'trans_id': ''\n * 'conflicts': '',\n * 'update_conflicts': \n * }\n */\n var body = JSON.parse(req.body);\n\n // create a new document document\n if (!doc) {\n doc = {}\n doc['_id'] = req['id'];\n }\n // or fail if couch revisions do not match\n else if (doc['_rev'] != body['couch_rev']) {\n // of fail if revisions do not match\n return [null, 'revision conflict']\n }\n\n // store u1db rev\n doc.u1db_rev = body['u1db_rev'];\n\n // save content as attachment\n if (body['content'] != null) {\n // save u1db content as attachment\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_content = {\n content_type: \"application/octet-stream\",\n data: body['content'] // should be base64 encoded\n };\n }\n // or delete the attachment if document is tombstone\n else if (doc._attachments &&\n doc._attachments.u1db_content)\n delete doc._attachments.u1db_content;\n\n // store the transaction id\n if (!doc.u1db_transactions)\n doc.u1db_transactions = [];\n var d = new Date();\n doc.u1db_transactions.push([d.getTime(), body['trans_id']]);\n\n // save conflicts as attachment if they were sent\n if (body['update_conflicts'])\n if (body['conflicts'] != null) {\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_conflicts = {\n content_type: \"application/octet-stream\",\n data: body['conflicts'] // should be base64 encoded\n }\n } else {\n if(doc._attachments && doc._attachments.u1db_conflicts)\n delete doc._attachments.u1db_conflicts\n }\n\n return [doc, 'ok'];\n}\n" + } +} diff --git a/puppet/modules/site_couchdb/files/designs/shared/syncs.json b/puppet/modules/site_couchdb/files/designs/shared/syncs.json new file mode 100644 index 00000000..0df5ff74 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/shared/syncs.json @@ -0,0 +1,11 @@ +{ + "views" : { + "log" : { + "map" : "function(doc) {\n if (doc._id == 'u1db_sync_log') {\n if (doc.syncs)\n doc.syncs.forEach(function (entry) {\n emit(entry[0],\n {\n 'known_generation': entry[1],\n 'known_transaction_id': entry[2]\n });\n });\n }\n}\n" + } + }, + "_id" : "_design/syncs", + "updates" : { + "put" : "function(doc, req){\n if (!doc) {\n doc = {}\n doc['_id'] = 'u1db_sync_log';\n doc['syncs'] = [];\n }\n body = JSON.parse(req.body);\n // remove outdated info\n doc['syncs'] = doc['syncs'].filter(\n function (entry) {\n return entry[0] != body['other_replica_uid'];\n }\n );\n // store u1db rev\n doc['syncs'].push([\n body['other_replica_uid'],\n body['other_generation'],\n body['other_transaction_id']\n ]);\n return [doc, 'ok'];\n}\n\n" + } +} diff --git a/puppet/modules/site_couchdb/files/designs/shared/transactions.json b/puppet/modules/site_couchdb/files/designs/shared/transactions.json new file mode 100644 index 00000000..8fcb84d1 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/shared/transactions.json @@ -0,0 +1,12 @@ +{ + "lists" : { + "generation" : "function(head, req) {\n var row;\n var rows=[];\n // fetch all rows\n while(row = getRow()) {\n rows.push(row);\n }\n if (rows.length > 0)\n send(JSON.stringify({\n \"generation\": rows.length,\n \"doc_id\": rows[rows.length-1]['id'],\n \"transaction_id\": rows[rows.length-1]['value']\n }));\n else\n send(JSON.stringify({\n \"generation\": 0,\n \"doc_id\": \"\",\n \"transaction_id\": \"\",\n }));\n}\n", + "whats_changed" : "function(head, req) {\n var row;\n var gen = 1;\n var old_gen = 0;\n if (req.query.old_gen)\n old_gen = parseInt(req.query['old_gen']);\n send('{\"transactions\":[\\n');\n // fetch all rows\n while(row = getRow()) {\n if (gen > old_gen) {\n if (gen > old_gen+1)\n send(',\\n');\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": row[\"id\"],\n \"transaction_id\": row[\"value\"]\n }));\n }\n gen++;\n }\n send('\\n]}');\n}\n", + "trans_id_for_gen" : "function(head, req) {\n var row;\n var rows=[];\n var i = 1;\n var gen = 1;\n if (req.query.gen)\n gen = parseInt(req.query['gen']);\n // fetch all rows\n while(row = getRow())\n rows.push(row);\n if (gen <= rows.length)\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": rows[gen-1]['id'],\n \"transaction_id\": rows[gen-1]['value'],\n }));\n else\n send('{}');\n}\n" + }, + "views" : { + "log" : { + "map" : "function(doc) {\n if (doc.u1db_transactions)\n doc.u1db_transactions.forEach(function(t) {\n emit(t[0], // use timestamp as key so the results are ordered\n t[1]); // value is the transaction_id\n });\n}\n" + } + } +} -- cgit v1.2.3 From fefab2386f0fbd9f218dc0b361eb833875c27f56 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 29 Dec 2013 22:16:03 -0800 Subject: added support for minimum client version checking --- puppet/modules/site_webapp/manifests/init.pp | 11 ++++++++++- puppet/modules/site_webapp/templates/config.yml.erb | 1 + 2 files changed, 11 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index ae644287..f8216aa4 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -80,11 +80,20 @@ class site_webapp { } file { - '/srv/leap/webapp/public/provider.json': + '/srv/leap/webapp/config/provider': + ensure => directory, + require => Vcsrepo['/srv/leap/webapp'], + owner => leap-webapp, group => leap-webapp, mode => '0755'; + + '/srv/leap/webapp/config/provider/provider.json': content => $provider, require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; + # old provider.json location. this can be removed after everyone upgrades. + '/srv/leap/webapp/public/provider.json': + ensure => absent; + '/srv/leap/webapp/public/ca.crt': ensure => link, require => Vcsrepo['/srv/leap/webapp'], diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 6b45abc2..98f8564e 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -14,3 +14,4 @@ production: allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %> limited_cert_prefix: "<%= cert_options['limited_prefix'] %>" unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" + minimum_client_version: "<%= @webapp['client_version']['min'] %>" -- cgit v1.2.3 From 43c7680458664c12b788e490ce4f194a3313265c Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 3 Jan 2014 14:52:50 +0100 Subject: reduce tapicero log level. Debug is becoming quite verbose with the backtraces. Info should suffice as a default. --- puppet/modules/tapicero/templates/tapicero.yaml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb index cfc02c5c..8e19b22f 100644 --- a/puppet/modules/tapicero/templates/tapicero.yaml.erb +++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb @@ -18,7 +18,7 @@ seq_file: "/var/lib/leap/tapicero/tapicero.seq" # Configure log_file like this if you want to log to a file instead of syslog: # log_file: "/var/leap/log/tapicero.log" -log_level: debug +log_level: info # tapicero specific options options: -- cgit v1.2.3 From 73e987b58646ba3fbedc2d4242ba904037c12d98 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 4 Jan 2014 17:59:53 +0100 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 090f014c..bab9edcb 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 090f014c63ae3e36662cacf9a0bdd2d51cd0e6e6 +Subproject commit bab9edcb8a081fc32570c3462c8ec7b3c6ce029d -- cgit v1.2.3 From ec080f77f5f4d12d4a67b604a20113a79d22c28a Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 6 Jan 2014 17:25:15 +0100 Subject: install ntp on all platform nodes (Feature #4913) --- puppet/modules/site_config/manifests/packages/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 3e1d4a67..9d416043 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -3,7 +3,7 @@ class site_config::packages::base { include site_config::params # base set of packages that we want to have installed everywhere - package { [ 'etckeeper', 'screen', 'less' ]: + package { [ 'etckeeper', 'screen', 'less', 'ntp' ]: ensure => installed, } -- cgit v1.2.3 From f4eca7fba63c5e0cfe695812c11fae10778fd349 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 7 Jan 2014 18:06:34 +0100 Subject: restrict bigcouch chttp proc to localhost --- puppet/modules/site_couchdb/manifests/init.pp | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index ad0c996a..fd7e67a1 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -42,11 +42,12 @@ class site_couchdb { $ednp_port = $bigcouch_config['ednp_port'] class { 'couchdb': - bigcouch => true, - admin_pw => $couchdb_admin_pw, - admin_salt => $couchdb_admin_salt, - bigcouch_cookie => $bigcouch_cookie, - ednp_port => $ednp_port + bigcouch => true, + admin_pw => $couchdb_admin_pw, + admin_salt => $couchdb_admin_salt, + bigcouch_cookie => $bigcouch_cookie, + ednp_port => $ednp_port, + chttpd_bind_address => '127.0.0.1' } class { 'couchdb::bigcouch::package::cloudant': } -- cgit v1.2.3 From fe1561855cd7be38190d54913f84bae5ab3c9a4a Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 8 Jan 2014 14:21:38 -0800 Subject: fix webapp couchdb.yml to be couchdb.yml not couchdb.yml.webapp --- puppet/modules/site_webapp/manifests/couchdb.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 7f6ebbc6..ff743fba 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -14,7 +14,7 @@ class site_webapp::couchdb { include x509::variables file { - '/srv/leap/webapp/config/couchdb.yml.webapp': + '/srv/leap/webapp/config/couchdb.yml': content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, group => leap-webapp, -- cgit v1.2.3 From 7fbad48e98cb49367041b22f7c94a8d0e001db33 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 7 Jan 2014 12:02:05 +0100 Subject: fix function issues in webapp design documents This change is a result of https://github.com/leapcode/leap_web/pull/133. Both should be deployed at the same time to prevent conflicts. --- .../site_couchdb/files/designs/identities/Identity.json | 4 ++-- puppet/modules/site_couchdb/files/designs/users/User.json | 10 +--------- 2 files changed, 3 insertions(+), 11 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/designs/identities/Identity.json b/puppet/modules/site_couchdb/files/designs/identities/Identity.json index 8cf8c39b..2ac092ab 100644 --- a/puppet/modules/site_couchdb/files/designs/identities/Identity.json +++ b/puppet/modules/site_couchdb/files/designs/identities/Identity.json @@ -15,7 +15,7 @@ "reduce": "_sum" }, "pgp_key_by_email": { - "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n" + "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.keys === \"object\") {\n emit(doc.address, doc.keys[\"pgp\"]);\n }\n }\n" }, "disabled": { "map": " function(doc) {\n if (doc.type != 'Identity') {\n return;\n }\n if (typeof doc.user_id === \"undefined\") {\n emit(doc._id, 1);\n }\n }\n" @@ -24,5 +24,5 @@ "map": " function(doc) {\n if (doc['type'] == 'Identity') {\n emit(doc._id, null);\n }\n }\n" } }, - "couchrest-hash": "5b0ece9d28b3025d18ea71fddf3a532f" + "couchrest-hash": "e9004d70e26770c621a9667536429a68" } \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/users/User.json b/puppet/modules/site_couchdb/files/designs/users/User.json index c500822b..c99666cb 100644 --- a/puppet/modules/site_couchdb/files/designs/users/User.json +++ b/puppet/modules/site_couchdb/files/designs/users/User.json @@ -9,18 +9,10 @@ "all": { "map": " function(doc) {\n if (doc['type'] == 'User') {\n emit(doc._id, null);\n }\n }\n" }, - "by_alias": { - "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, - "by_login_or_alias": { - "map": "function(doc) {\n if (doc.type != 'User') {\n return;\n }\n emit(doc.login, 1);\n doc.email_aliases.forEach(function(alias){\n emit(alias.username, 1);\n });\n}\n", - "reduce": "function(key, values, rereduce) { return sum(values); }" - }, "by_created_at": { "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", "reduce": "_sum" } }, - "couchrest-hash": "26adb5c9480663de3fe60d959b60a7b2" + "couchrest-hash": "3bdbcd85b928ad911e0c89a8924e015c" } \ No newline at end of file -- cgit v1.2.3 From dfc1368452a6474cb4582aff0f3505a2b8b4842c Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 13 Jan 2014 12:42:06 +0100 Subject: load_design_documents.sh fails (Bug #4945) --- puppet/modules/site_couchdb/manifests/designs.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp index 2d0a8326..83d6c8cd 100644 --- a/puppet/modules/site_couchdb/manifests/designs.pp +++ b/puppet/modules/site_couchdb/manifests/designs.pp @@ -7,6 +7,7 @@ class site_couchdb::designs { ensure => directory, source => 'puppet:///modules/site_couchdb/designs', recurse => true, + purge => true, mode => '0755' } -- cgit v1.2.3 From 0e07e1b20acb844a6c610166c9918a92a093df73 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 20 Jan 2014 15:05:19 +0100 Subject: configure leap_platform to install our leap bigcouch package (Feature #4971) --- puppet/modules/site_couchdb/manifests/init.pp | 2 -- 1 file changed, 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index ad0c996a..e1414b34 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -49,10 +49,8 @@ class site_couchdb { ednp_port => $ednp_port } - class { 'couchdb::bigcouch::package::cloudant': } Class['site_config::default'] - -> Class['couchdb::bigcouch::package::cloudant'] -> Service['couchdb'] -> Class['site_couchdb::stunnel'] -> File['/root/.netrc'] -- cgit v1.2.3 From e91d7e016244da48be0a9ea23d3bb43bb3b8e93d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 21 Jan 2014 14:41:04 +0100 Subject: properly purge cloudant repository leftovers (#4971) --- .../modules/site_apt/files/keys/cloudant-key.asc | 52 ---------------------- puppet/modules/site_couchdb/manifests/init.pp | 7 +++ 2 files changed, 7 insertions(+), 52 deletions(-) delete mode 100644 puppet/modules/site_apt/files/keys/cloudant-key.asc (limited to 'puppet') diff --git a/puppet/modules/site_apt/files/keys/cloudant-key.asc b/puppet/modules/site_apt/files/keys/cloudant-key.asc deleted file mode 100644 index 99716a3c..00000000 --- a/puppet/modules/site_apt/files/keys/cloudant-key.asc +++ /dev/null @@ -1,52 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.11 (GNU/Linux) - -mQINBFE7fhIBEACrDREcODnhdugNozMeBawOm2irpNCP54yMljST/DOXx1uo3gQw -HnVcQ4lL7lXhbfL6Tp0WhrNYTWbbWHO0DaQbW0GQMHa2BGG0Xm0HPrjr3j55tAcM -NPr0ArDuplq4Py2pwviZiEtQkkn+biH9oV+N3jNO+8+zVHLVU7pHaX6Yd7HAxFM8 -XX+7SeVtplZ7nvSxUREiMNxQb9o0kYNRPS+b0UjiIXHrFO9afl7lTdg/I8AhKWa0 -3jJoY/IRvVopJblISQNGFipR11Lpu5sOHghgz4V8mk/in7JLMmoqSl5DP5VhRII8 -OyADBjaUJD2mkv5cGaevqpB4AId78X9+Y62gFJrGkIHY9uBxIUkRe+leYI4Zz4Bm -D9qBIbEY/kKkblTlC1G7u3qbGQcsbCRVIOnhruCih7vifcP40YwGUk5NmDA5AE78 -OovCGYGp4zMepDTSJxGT3sJOTEbzN09so6C7fQWBeQiiG5Uepp1q+VnaGpT1L4rc -Y6yRbu9dOFj6WzY4W5HtnbalzTIEYy+SIGZqRkJt6jREYLiFfyrpSFIgGoJAs0yx -9M0McXfeOod69TPufB1PeppnBwFcTmYNYxakusQxAebRDPEBZqoEgl0gMmxWbAdI -nxGMWWnSsN/Dj0dXRf1MG/5akOhX2zQcUzBOE2m/Xr5kjDPYFtFxVJDGzQARAQAB -tDNDbG91ZGFudCBQYWNrYWdlIFNpZ25pbmcgS2V5IDxzdXBwb3J0QGNsb3VkYW50 -LmNvbT6JAj4EEwECACgFAlE7fhICGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMB -Ah4BAheAAAoJEFngH70Vvo4mciIP/AlqHA/LDtSYfrFwdXifY2ImCMyzYvH40Ko2 -DHCw2qDjvK5UXn1iWuzXidT7DrxOfYoZpzySRP7VGyHxa3VPhOtzLDZSvTpk9ELo -2x2IczUwLC17M0Iis4CpqlxSFIBYGX78pMzvsEyC4TFqUDfXRlye3apjD0iwK0hE -kdP1+TPdJjhWImJm+3TLu45zTw3Ph5dnf5pLQPNhKfBSdku+vRrd35N5hHso9S1y -Z3NrxcQlWnXuqkLIA14gM7qbBFD+el9Y+tZ7ERGYg3s5uNDQRTb0QC8zg/um2+zW -4hHmuRcWY3n8IgHcYUruC1VyrrsFIWWMyLv7SZkAAoSY+jKyESDfYpJQ8jtZ4EF9 -2/gYm4FgZR8j4gWkzHSLGVt/4EIykJZb0yIg/QEovmmHqpy8xYri3goMSl4h7tfF -TOCZLTzTyQ7xONdyEsrvQPhmdtXEgvSo5S7ZU9kkx32OjCoshLLjhtqAipBgEXqb -hElFo1oSyOVoGc7UNh7KNBjWfeP8dNdCbIbIYPMeM0/CVjD60kW5ZEVDuYglT+Rz -enJJvS4Hs+fq8cFNxMB+l64qE7iS+I6RP2bPeQM2aBa2UZNWxUIbXF7bb3zLrCGn -GT8GF1AFRoW3GiDzB7QnLVp8BhIaqFUzbDim+5mFFG8wguxHTiz4snDdQXq2Es6V -UETFsNsluQINBFE7fhIBEADIyLHyBh8AKJKQHksFAPHOyA48ocxgQDpQnqYlQcAK -D8eUbRXciIz4ePBmvjaQmz8wJgWULc04u4i9jK8Jd/Ks+VhEz3AjRBfjvkBaVMog -FMPKaoDn9LVMBSZJ3fcC1DVck1oO8LnFIdktt0zhvzG+pV5b/UTRsVZmwNh1p2dM -4cJswxlksJXYnI9tFA74qiomDCPYM0zpv7TEjX23PZTLqTSHP5aWctx+MIEtdoqp -EsEDL6npvYBRz/tuL41cUWs7CItH131Hyuizo4vGrxgWPnoXIxLmLOOZCMk/kbx0 -XCSvengqYwNgAOlIjewtTw+WJm1gtNQQeKmaXBX7njf2Wz7LI/0KVxttEpKT5/5y -embOGn7My9i7zOc1frMCDivIOTQDBZTzR9o7/6wUJ69DIoFLMlO8UcCK3R7o5VUI -ezx+XYsOAD7D2vKoiD8Se65Vnax2rfFlLP7OQqdem5l2lkHpJzP3lA8qmA2MfJ7V -jsk7eDSyJQjG5c6KBoaFlYGhp/E2kR82cAKVaFIbW3euMM4XK6Mgzy3+DVKfk8mu -AEuHub7plfxM+65yjLNAK6l6IKtY1HfM7F4GFyNSd3mNNcWN7ceIHh8Ur4DeD2Tp -7r3XcWd6/czLYNsw2BAHeVUxnMTCeGN99UZTtHgVq9IJMOCDOPwMSzHFfZ6sNaYL -qQARAQABiQIlBBgBAgAPBQJRO34SAhsMBQkB4TOAAAoJEFngH70Vvo4mpokP/jJJ -2mXdhMVqZCtZhwphJfdxg8nBERzrd6ebXxKbTq1MmSN/fDwLknPabFHUpzk1ADCf -6mh2o0HB+67yMzo1UVtyfPOaHgCE/pWer5ultJM8gOdpBfSWL8jRwU8ZQ4fDu3z8 -AC6zTNq7znOVLEzZPy8U7q5Rt5/6QdQYoTLe6DwlLmkflzWP5VWi/mTGvtu/t5OV -tGZkzBYQ5QAXRXXkKswqkJpQFuW6d1vlYm9+x/+Q1+2kGT+CKbRAkqkf77qVcyJR -1M2JQSs4ko+rLMZzr01sYA+EBD17nxqV8vUdYebNc9Qnk8Aphid1zarUbySgAdnJ -5SLAjLe/6N6IEE9F3uKsPEs87gJrnwrYHRrmu0wAPwA0cMmtgD4Bz7Iiz4CLYPFW -rHpQCA313K+rS/LLfLBL66wIRKcPuYIFR9N03jX9eGR6qtk0b5Zb3YjWOo4V9Q1r -o+g6IB0Us5vH6ISuokq7Bv+8cXhEMVoctL9A8xWN1KDkweZ+7dNWCGV8lUWKy3Hw -ig6hENH6H7J57U8H2v2aZTeUo6e7VDP9gddNKPSEEeoBKfVnWYGoG8mVPQ2PzTgZ -ZO2vwp4c3Ix/kIV3xe+/Opcq1lxYhD7HSre1MB7HOeFmis6tBBjMJPaatZVfzj1v -6Uhz5oUCwcPol8rsp69DvGVUPSHfDwBxurDX71oG -=lEm7 ------END PGP PUBLIC KEY BLOCK----- diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index e1414b34..4cd7ce03 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -49,8 +49,15 @@ class site_couchdb { ednp_port => $ednp_port } + # ensure that we don't have leftovers from previous installations + # where we installed the cloudant bigcouch package + # https://leap.se/code/issues/4971 + class { 'couchdb::bigcouch::package::cloudant': + ensure => absent + } Class['site_config::default'] + -> Class['couchdb::bigcouch::package::cloudant'] -> Service['couchdb'] -> Class['site_couchdb::stunnel'] -> File['/root/.netrc'] -- cgit v1.2.3 From 77c5574d77267b3a92cfe35cb285c3b9eb47de32 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 21 Jan 2014 16:28:44 +0100 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index bab9edcb..32dba50b 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit bab9edcb8a081fc32570c3462c8ec7b3c6ce029d +Subproject commit 32dba50beb0c24b9b883e495149b353aa70506c6 -- cgit v1.2.3 From e7fe6d504565b7e0234681ed500059a54739f2e3 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 22 Jan 2014 16:47:59 +0100 Subject: anonymize webapp ips (Bug #4896) --- puppet/modules/site_apache/manifests/module/removeip.pp | 5 +++++ puppet/modules/site_webapp/manifests/apache.pp | 1 + 2 files changed, 6 insertions(+) create mode 100644 puppet/modules/site_apache/manifests/module/removeip.pp (limited to 'puppet') diff --git a/puppet/modules/site_apache/manifests/module/removeip.pp b/puppet/modules/site_apache/manifests/module/removeip.pp new file mode 100644 index 00000000..f106167a --- /dev/null +++ b/puppet/modules/site_apache/manifests/module/removeip.pp @@ -0,0 +1,5 @@ +class site_apache::module::removeip ( $ensure = present ) +{ + package { 'libapache2-mod-removeip': ensure => $ensure } + apache::module { 'removeip': ensure => $ensure } +} diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 581922cb..d327877a 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -22,6 +22,7 @@ class site_webapp::apache { include site_apache::module::rewrite include site_apache::module::alias include site_apache::module::expires + include site_apache::module::removeip class { 'passenger': use_munin => false } -- cgit v1.2.3 From c356125d06b8c19146f8bd6f34e31da38bfd7cc2 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 24 Jan 2014 17:36:04 +0100 Subject: swiss privacy foundation changed their nameserver IPs: http://www.privacyfoundation.ch/de/service/server.html --- puppet/modules/site_config/manifests/resolvconf.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index b307f18b..05990c67 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -8,7 +8,7 @@ class site_config::resolvconf { nameservers => [ '127.0.0.1 # local caching-only, unbound', '85.214.20.141 # Digitalcourage, a german privacy organisation: (https://en.wikipedia.org/wiki/Digitalcourage)', - '62.141.58.13 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)' + '77.109.138.45 # Swiss privacy Foundation (http://www.privacyfoundation.ch/de/service/server.html)' ] } } -- cgit v1.2.3 From d8112f6c897579cbb8bbe1230ca5d0eff6746def Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 30 Jan 2014 17:19:50 +0100 Subject: updated submodule rubygems, change gem source to use https instead of http (Feature #3827) --- puppet/modules/rubygems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems index 1e5ed3db..7e0240ac 160000 --- a/puppet/modules/rubygems +++ b/puppet/modules/rubygems @@ -1 +1 @@ -Subproject commit 1e5ed3dbef9381bb9d5e2a7b4957bb3f5288d6a8 +Subproject commit 7e0240acce5a338e7cc2b55f1f8ba749634c5da4 -- cgit v1.2.3 From d91494c57bc5929853c5ad0bb99212c98b7c3c95 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Feb 2014 16:19:54 +0100 Subject: added submodule check_mk from https://git.codecoop.org/varacanero/puppet_check_mk.git --- puppet/modules/check_mk | 1 + 1 file changed, 1 insertion(+) create mode 160000 puppet/modules/check_mk (limited to 'puppet') diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk new file mode 160000 index 00000000..4cd47d03 --- /dev/null +++ b/puppet/modules/check_mk @@ -0,0 +1 @@ +Subproject commit 4cd47d03c68d8530dcbff37c5bc1cf6a8006d767 -- cgit v1.2.3 From dde7b18cc0ad265aa7f7b8ccf4fedd9f0542fc74 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 16:44:23 +0100 Subject: site_nagios::client: install check_mk agent --- puppet/modules/site_nagios/manifests/client.pp | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 puppet/modules/site_nagios/manifests/client.pp (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp new file mode 100644 index 00000000..ea6062a0 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/client.pp @@ -0,0 +1,5 @@ +class site_nagios::client { + package { [ 'check-mk-agent', 'check-mk-agent-logwatch' ]: + ensure => installed, + } +} -- cgit v1.2.3 From 6156db5b5b817d35cfba185923ce2f5e65a0108a Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 17:00:58 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index 4cd47d03..b449ad81 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit 4cd47d03c68d8530dcbff37c5bc1cf6a8006d767 +Subproject commit b449ad813d8c9672d23393ca30bbfd3dc1dd7fe3 -- cgit v1.2.3 From e93ca6ae1ebb794fb72ade75ef2e5b27b86619c8 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 17:14:44 +0100 Subject: include site_nagios::client by default --- puppet/modules/site_config/manifests/default.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index d85d9c8f..a09a30d2 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -86,4 +86,6 @@ class site_config::default { if defined( '::site_custom') { include ::site_custom } + + include site_nagios::client } -- cgit v1.2.3 From db04294845924edb70a6f181f67a49a80cf3a09e Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 17:17:00 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index b449ad81..e291b2c0 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit b449ad813d8c9672d23393ca30bbfd3dc1dd7fe3 +Subproject commit e291b2c07667ebfd73058cd2cab618d497f25f69 -- cgit v1.2.3 From dbca8237f915e2a4d3802d90dcb10aece50a4cc4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 17:24:49 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index e291b2c0..cd99b5b9 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit e291b2c07667ebfd73058cd2cab618d497f25f69 +Subproject commit cd99b5b90f8096e0c444aa923692342881346998 -- cgit v1.2.3 From 3d22399b2da5fe010ab15de5c641b67f45dc1982 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Feb 2014 17:29:01 +0100 Subject: use check_mk::agent to install check-mk-agent --- puppet/modules/site_nagios/manifests/client.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp index ea6062a0..82063dc3 100644 --- a/puppet/modules/site_nagios/manifests/client.pp +++ b/puppet/modules/site_nagios/manifests/client.pp @@ -1,5 +1,9 @@ class site_nagios::client { - package { [ 'check-mk-agent', 'check-mk-agent-logwatch' ]: - ensure => installed, + class { 'check_mk::agent': + agent_package_name => 'check-mk-agent', + agent_logwatch_package_name => 'check-mk-agent-logwatch', + method => 'ssh', + homedir => '/etc/nagios/check_mk', + register_agent => false } } -- cgit v1.2.3 From 166bf4a33123afe5b17db68c22712408ebfb26ad Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 14:00:42 +0100 Subject: added site_nagios::server::check_mk --- .../site_nagios/manifests/server/check_mk.pp | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 puppet/modules/site_nagios/manifests/server/check_mk.pp (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp new file mode 100644 index 00000000..c6676d76 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp @@ -0,0 +1,24 @@ +class site_nagios::server::check_mk { + + # override paths to use the system check_mk rather than OMD + class { 'check_mk::config': + site => '', + etc_dir => '/etc', + bin_dir => '/usr/bin', + host_groups => undef + } + + file { + '/etc/nagios/check_mk': + ensure => directory, + owner => root, + group => root, + mode => '0755'; + + '/etc/nagios/check_mk/.ssh': + ensure => directory, + owner => root, + group => root, + mode => '0755'; + } +} -- cgit v1.2.3 From f7d12c8b3c31891635f188a37844e33288429a9f Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 14:05:38 +0100 Subject: added site_nagios::server::apache --- puppet/modules/site_nagios/manifests/server.pp | 1 + puppet/modules/site_nagios/manifests/server/apache.pp | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 puppet/modules/site_nagios/manifests/server/apache.pp (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 3e1ef7e7..3cb58f9a 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -37,5 +37,6 @@ class site_nagios::server inherits nagios::base { create_resources ( site_nagios::add_host, $hosts ) + include site_nagios::apache include site_shorewall::monitor } diff --git a/puppet/modules/site_nagios/manifests/server/apache.pp b/puppet/modules/site_nagios/manifests/server/apache.pp new file mode 100644 index 00000000..8dbc7e9b --- /dev/null +++ b/puppet/modules/site_nagios/manifests/server/apache.pp @@ -0,0 +1,7 @@ +class site_nagios::server::apache { + include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca + +} -- cgit v1.2.3 From 36e5202181452c385b52e183e50166dec6c456d9 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 15:36:12 +0100 Subject: move leap_webapp.conf template to common.conf which is included by the nagios and webapp node (#5096) --- puppet/modules/site_apache/manifests/common.pp | 26 ++++++++ .../site_apache/templates/vhosts.d/common.conf.erb | 72 ++++++++++++++++++++++ .../templates/vhosts.d/leap_webapp.conf.erb | 67 -------------------- puppet/modules/site_nagios/manifests/server.pp | 22 +++++-- puppet/modules/site_webapp/manifests/apache.pp | 18 +----- 5 files changed, 117 insertions(+), 88 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/common.pp create mode 100644 puppet/modules/site_apache/templates/vhosts.d/common.conf.erb delete mode 100644 puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb (limited to 'puppet') diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp new file mode 100644 index 00000000..72f24838 --- /dev/null +++ b/puppet/modules/site_apache/manifests/common.pp @@ -0,0 +1,26 @@ +class site_apache::common { + # installs x509 cert + key and common config + # that both nagios + leap webapp use + + $web_domain = hiera('domain') + $domain_name = $web_domain['name'] + + include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca + + Class['Site_config::X509::Commercial::Key'] ~> Service[apache] + Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] + Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] + + include site_apache::module::rewrite + + class { '::apache': no_default_site => true, ssl => true } + + apache::vhost::file { + 'common': + content => template('site_apache/vhosts.d/common.conf.erb') + } + +} diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb new file mode 100644 index 00000000..30f0a6b1 --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -0,0 +1,72 @@ + + ServerName <%= domain %> + ServerAlias www.<%= domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= domain_name %> + ServerAlias <%= domain %> + ServerAlias www.<%= domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt + + RequestHeader set X_FORWARDED_PROTO 'https' + + +<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> + Header always unset X-Powered-By + Header always unset X-Runtime + + +<% if (defined? @services) and (@services.include? 'webapp') -%> + DocumentRoot /srv/leap/webapp/public + + RewriteEngine On + # Check for maintenance file and redirect all requests + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + +<% end -%> + + +<% if (defined? @services) and (@services.include? 'monitor') -%> + + <% if (defined? @services) and (@services.include? 'webapp') -%> + PassengerEnabled off + <% end -%> + AllowOverride all + # Nagios won't work with setting this option to "DENY", + # as set in conf.d/security (#4169). Therefor we allow + # it here, only for nagios. + Header set X-Frame-Options: "ALLOW" + +<% end -%> + + diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb deleted file mode 100644 index a001552a..00000000 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ /dev/null @@ -1,67 +0,0 @@ - - ServerName <%= domain %> - ServerAlias www.<%= domain %> - RewriteEngine On - RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] - - - - ServerName <%= domain_name %> - ServerAlias <%= domain %> - ServerAlias www.<%= domain %> - - SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH - SSLHonorCipherOrder on - - SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt - SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt - - RequestHeader set X_FORWARDED_PROTO 'https' - - -<% if @webapp['secure'] -%> - Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" -<% end -%> - Header always unset X-Powered-By - Header always unset X-Runtime - - - DocumentRoot /srv/leap/webapp/public - - RewriteEngine On - # Check for maintenance file and redirect all requests - RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f - RewriteCond %{SCRIPT_FILENAME} !maintenance.html - RewriteCond %{REQUEST_URI} !/images/maintenance.jpg - RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] - - # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt - AllowEncodedSlashes on - PassengerAllowEncodedSlashes on - PassengerFriendlyErrorPages off - SetEnv TMPDIR /var/tmp - - # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) - - Header unset ETag - FileETag None - ExpiresActive On - ExpiresDefault "access plus 1 year" - - - <% if (defined? @services) and (@services.include? 'monitor') -%> - - PassengerEnabled off - AllowOverride all - # Nagios won't work with setting this option to "DENY", - # as set in conf.d/security (#4169). Therefor we allow - # it here, only for nagios. - Header set X-Frame-Options: "ALLOW" - - <% end -%> - - diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 3e1ef7e7..9f66c8ea 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -11,18 +11,32 @@ class site_nagios::server inherits nagios::base { include nagios::defaults include nagios::base - #Class ['nagios'] -> Class ['nagios::defaults'] - class {'nagios::apache': + class {'nagios': + # don't manage apache class from nagios, cause we already include + # it in site_apache::common + httpd => 'absent', allow_external_cmd => true, stored_config => false, - #before => Class ['nagios::defaults'] } + # - [monitor2] err: /Stage[main]/Site_nagios::Server/Apache::Config::Global[nagios3.conf]/Apache::Config::File[nagios3.conf]/File[apache_nagios3.conf]/ensure: change from absent to link failed: Cannot create a symlink without a target at /srv/leap/puppet/modules/apache/manifests/config/file.pp:32 + #apache::config::global { 'nagios3.conf': + # ensure => link, + # target => '/usr/share/doc/nagios3-common/examples/apache2.conf', + #} + + file { '/etc/apache2/conf.d/nagios3.conf': + ensure => link, + target => '/usr/share/doc/nagios3-common/examples/apache2.conf', + notify => Service['apache'] + } + + include site_apache::common include site_apache::module::headers File ['nagios_htpasswd'] { source => undef, - content => "nagiosadmin:$nagiosadmin_pw", + content => "nagiosadmin:${nagiosadmin_pw}", mode => '0640', } diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index d327877a..21243d34 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -7,30 +7,14 @@ class site_webapp::apache { $web_domain = hiera('domain') $domain_name = $web_domain['name'] - include x509::variables - include site_config::x509::commercial::cert - include site_config::x509::commercial::key - include site_config::x509::commercial::ca - - Class['Site_config::X509::Commercial::Key'] ~> Service[apache] - Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] - Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] - - class { '::apache': no_default_site => true, ssl => true } - + include site_apache::common include site_apache::module::headers - include site_apache::module::rewrite include site_apache::module::alias include site_apache::module::expires include site_apache::module::removeip class { 'passenger': use_munin => false } - apache::vhost::file { - 'leap_webapp': - content => template('site_apache/vhosts.d/leap_webapp.conf.erb') - } - apache::vhost::file { 'api': content => template('site_apache/vhosts.d/api.conf.erb') -- cgit v1.2.3 From f2580e5f504aaa2b763e838fc50705355990e98e Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 18:58:35 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index cd99b5b9..382cb6d2 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit cd99b5b90f8096e0c444aa923692342881346998 +Subproject commit 382cb6d2ab5fe05b9db7e4178cd16b71685bef59 -- cgit v1.2.3 From 102a22ff35c8cf844a3eabeb213a508e658e47c2 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 23:46:04 +0100 Subject: add a comment why we use a custom way to populate authorized_keys --- puppet/modules/site_sshd/manifests/authorized_keys.pp | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index c18f691c..f36fe20f 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -1,4 +1,7 @@ define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { + # We use a custom define here to deploy the authorized_keys file + # cause puppet doesn't allow purgin before populating this file + # (see https://tickets.puppetlabs.com/browse/PUP-1174) # This line allows default homedir based on $title variable. # If $home is empty, the default is used. $homedir = $home ? {'' => "/home/${title}", default => $home} -- cgit v1.2.3 From f544b5d5fa6d7ad941332bbc787fc97e78a658b6 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 15:41:09 +0100 Subject: added custom $datasource_programs check_mk variable to call the agent via ssh --- puppet/modules/site_check_mk/files/use_ssh.mk | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/use_ssh.mk (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/use_ssh.mk b/puppet/modules/site_check_mk/files/use_ssh.mk new file mode 100644 index 00000000..dbdcd4b5 --- /dev/null +++ b/puppet/modules/site_check_mk/files/use_ssh.mk @@ -0,0 +1,5 @@ +# http://mathias-kettner.de/checkmk_datasource_programs.html +datasource_programs = [ + ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa check_mk_agent", ALL_HOSTS ), +] + -- cgit v1.2.3 From d400d271e616f669cc6383a5893dd992a0efada2 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 15:42:12 +0100 Subject: deploy check_mk pubkey on clients --- puppet/modules/site_nagios/manifests/client.pp | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp index 82063dc3..cb72db54 100644 --- a/puppet/modules/site_nagios/manifests/client.pp +++ b/puppet/modules/site_nagios/manifests/client.pp @@ -1,4 +1,9 @@ class site_nagios::client { + + $ssh_hash = hiera('ssh') + $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] + $type = $ssh_hash['authorized_keys']['monitor']['type'] + class { 'check_mk::agent': agent_package_name => 'check-mk-agent', agent_logwatch_package_name => 'check-mk-agent-logwatch', @@ -6,4 +11,12 @@ class site_nagios::client { homedir => '/etc/nagios/check_mk', register_agent => false } + + file { '/root/.ssh/authorized_keys2': + owner => 'root', + group => 'root', + mode => '0600', + content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ${type} ${pubkey} monitor" + } + } -- cgit v1.2.3 From 65281c7d46a0ebbb7c70eddaef9802ddb1885c65 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 15:42:46 +0100 Subject: deploy check_mk on monitoring server --- puppet/modules/site_nagios/manifests/server.pp | 3 +- .../site_nagios/manifests/server/check_mk.pp | 48 +++++++++++++++------- 2 files changed, 35 insertions(+), 16 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 6ade7d06..59a3bbb0 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -51,6 +51,7 @@ class site_nagios::server inherits nagios::base { create_resources ( site_nagios::add_host, $hosts ) - include site_nagios::apache + include site_nagios::server::apache + include site_nagios::server::check_mk include site_shorewall::monitor } diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp index c6676d76..75bd4538 100644 --- a/puppet/modules/site_nagios/manifests/server/check_mk.pp +++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp @@ -1,24 +1,42 @@ class site_nagios::server::check_mk { + $ssh_hash = hiera('ssh') + $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] + $type = $ssh_hash['authorized_keys']['monitor']['type'] + $seckey = $ssh_hash['monitor']['private_key'] + $all_hosts = '"localhost", "plain1"' + + package { 'check-mk-server': + ensure => installed, + } + # override paths to use the system check_mk rather than OMD class { 'check_mk::config': - site => '', - etc_dir => '/etc', - bin_dir => '/usr/bin', - host_groups => undef + site => '', + etc_dir => '/etc', + nagios_subdir => 'nagios3', + bin_dir => '/usr/bin', + host_groups => undef, + require => Package['check-mk-server'] } file { - '/etc/nagios/check_mk': - ensure => directory, - owner => root, - group => root, - mode => '0755'; - - '/etc/nagios/check_mk/.ssh': - ensure => directory, - owner => root, - group => root, - mode => '0755'; + '/etc/check_mk/conf.d/use_ssh.mk': + source => 'puppet:///modules/site_check_mk/use_ssh.mk', + notify => Exec['check_mk-refresh']; + '/etc/check_mk/all_hosts_static': + content => $all_hosts, + notify => Exec['check_mk-refresh']; + '/etc/check_mk/.ssh': + ensure => directory; + '/etc/check_mk/.ssh/id_rsa': + content => $seckey, + owner => 'nagios', + mode => '0600'; + '/etc/check_mk/.ssh/id_rsa.pub': + content => "${type} ${pubkey} monitor", + owner => 'nagios', + mode => '0644'; } + } -- cgit v1.2.3 From b733f9b49b48f700673d4a4a98832a6c00a39dbf Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 21:29:46 +0100 Subject: updated LEAP archive signing key 0x1E34A1828E207901 --- puppet/modules/site_apt/files/keys/leap_key.asc | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc index b69251f0..b6b5077b 100644 --- a/puppet/modules/site_apt/files/keys/leap_key.asc +++ b/puppet/modules/site_apt/files/keys/leap_key.asc @@ -1,5 +1,5 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.11 (GNU/Linux) +Version: GnuPG v1.4.14 (GNU/Linux) mQINBFESwt0BEAC2CR+XgW04DVwT427v2T4+qz+O/xGOwQcalVaSOUuguYgf29en Apb6mUqROOTuJWN1nw1lvXiA6iFxg6DjDUhsp6j54X7GAAAjZ9QuavPgcsractsJ @@ -36,7 +36,19 @@ y9k8peFB7wwf0sW3Eg78XFsfy4gyV619VnBR+PbfOpKqFFXAodF1mFiIrPeefaVp F9fiQ5Owt0sJjDaJnYT83ksAO2Aj+VsY3UjnDrGFaiV8Neit9y/8W8DqmZ3EZEF/ M3iS0yDjqqt9ACFD+jkGlKYsyHv7gbpTq0yi6u/kRXHUTIvVwFL9M6Z6AUcG8gzo qbKhXGfWKEq0lN5HAjJ//V9ro3DekFd0A+NQOlFV6XtspZwphVdtW1WS078HmVlw -F5dbD8pcfT/RjbkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp +F5dbD8pcfT/RjYkCPQQTAQoAJwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUC +UvT9ZgUJA8NuBQAKCRAeNKGCjiB5AXB+D/9k/BzZdAczQ3/v7hKrN9y3/D8kOEYK +rF8HdcBOH522sN6mqvm7wGkf3RmNSi731m6vzlbBSonrAT5KDMpj+THOmUcY29V5 +a1YOgFCCkToOfl+LmlLiuqfrGCJyE28MKMrsi2zMBKhsSxhvcI0EhJkQpPBu8gUs +XW1GSHuh5CYzwf/i8eNDpVrhHjRF0AVCOWIq52LTR62QchR+6ci/wVDHWd9Ase5X +8rxNnt2/pCbgATklQbmRcQS6efTVk3oXk1DZ8M46vayJ1g2BFuIi7pohiekLAAAt +MCwRKHTHvtPkGAUAEXExPGS78qHxLHIau2VCtSBxm+bQX+ZyCMANDpI+ZTFp1APJ +9SpbtGozuQOpWFjWY1rERunrbyWHIb2DuVVNKGiHlkMJB76zzysvbIPYWx1RqD6s +KFJBkjrM0xn8H+D6qzwzGfmX1Yaw12oYA6pcai4aK5sO7KHt+THAxYAcVF7qxGU7 +lnDifM56hrH/DbE5InlDC8OUqDysj0cHacRee+ZYtj7TiEykWfP5RrZCLQ7L6Jd/ +HtgQti/9TVUaFkIlQCfvF+l4BYZQYvnhx3MVK7ChKLmy6AVQLWnDrBrDvl07HLvW +6pslRzVHfWyIYng0pZ0HvK+MpQztCoUcDK470mjlpAtjNHuyKh6r6TtaiVK8MgbR +Sx/NMHb1/PXQJrkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp OWvdhTW9056v+y22DoKbULjT8k+8GzuRQ0xp4VwCC1rX3UExwceczzGs+tSKuIGm g1ELygsaOZHdQBNLGPvn+TZNGlaYXPlQo7m8YhXGHwgQrdKyjcFD5xnOHxe981LT q+IQ6jVYhho7/Qik9rVE1XHxoOfYvnNZJD0cFdf9OcX47YoqmM4sZYPMoOmKoVQT @@ -59,5 +71,5 @@ Dxix2FBXQU/4pVpGHjXTQP6RqeTrAedXvpgCHWP1UIlswIQecGmQcJ/hRZjd+0vl cjfCYhZHr7N96Da6Cy8v2fZiZHaSAt7T2oIZ9X3gEh/kOlLDcuIdvMHUfojn0MrP Ce1AqOHyQQqhkVylvZpS0PdE0VW3PmJ98uKfX2FVAOTUD4Rw3n9Ew7bfM249HuP4 JOXi/Skp4sBB/xgrtV1u+E+BW0SS/BOiwfrI4xUy+MrWuw== -=4STg +=Om8x -----END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.3 From cac0061fe20ab42c9efee4dd80ec6a940c03c54e Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 21:32:19 +0100 Subject: added local check_mk dir /etc/nagios3/local to nagios.cfg --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 753d1610..61d9f2da 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -25,6 +25,9 @@ log_file=/var/log/nagios3/nagios.log # Puppet-managed configuration files cfg_dir=/etc/nagios3/conf.d +# check-mk managed configuration files +cfg_dir=/etc/nagios3/local + # Debian also defaults to using the check commands defined by the debian # nagios-plugins package cfg_dir=/etc/nagios-plugins/config -- cgit v1.2.3 From 313b91b77cf4496d7cc31c46ef1e8e69ed53610c Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 8 Feb 2014 00:04:23 +0100 Subject: restricted check_mk ssh login a bit more --- puppet/modules/site_nagios/manifests/client.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp index cb72db54..ff569142 100644 --- a/puppet/modules/site_nagios/manifests/client.pp +++ b/puppet/modules/site_nagios/manifests/client.pp @@ -16,7 +16,7 @@ class site_nagios::client { owner => 'root', group => 'root', mode => '0600', - content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ${type} ${pubkey} monitor" + content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" } } -- cgit v1.2.3 From f2f019d402345d6133cdfb6274d4b78d44e08ec9 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 8 Feb 2014 13:59:37 +0100 Subject: reload nagios after check_mk --- puppet/modules/site_nagios/manifests/server/check_mk.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp index 75bd4538..02cb8407 100644 --- a/puppet/modules/site_nagios/manifests/server/check_mk.pp +++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp @@ -20,6 +20,8 @@ class site_nagios::server::check_mk { require => Package['check-mk-server'] } + Exec['check_mk-reload'] -> Service['nagios'] + file { '/etc/check_mk/conf.d/use_ssh.mk': source => 'puppet:///modules/site_check_mk/use_ssh.mk', -- cgit v1.2.3 From 6720bdba0c67893de713eee7f753fb582d06aa61 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 8 Feb 2014 14:00:10 +0100 Subject: disable purging of /etc/nagios3 and /etc/nagios3/conf.d --- puppet/modules/site_nagios/manifests/server/purge.pp | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp index 39735cd3..18993586 100644 --- a/puppet/modules/site_nagios/manifests/server/purge.pp +++ b/puppet/modules/site_nagios/manifests/server/purge.pp @@ -1,7 +1,17 @@ -class site_nagios::server::purge { - exec {'purge_conf.d': - command => '/bin/rm -rf /etc/nagios3/conf.d/*', - onlyif => 'test -e /etc/nagios3/conf.d' +class site_nagios::server::purge inherits nagios::base { + # we don't want to get /etc/nagios3 and /etc/nagios3/conf.d + # purged, cause the check-mk-config-nagios3 package + # places its templates in /etc/nagios3/conf.d/check_mk, + # and check_mk -O updated it's nagios config in /etc/nagios3/conf.d/check_mk + File['nagios_cfgdir'] { + purge => false + } + File['nagios_confd'] { + purge => false } + exec {'purge_conf.d': + command => '/bin/rm -f /etc/nagios3/conf.d/nagios_*', + onlyif => 'find /etc/nagios3/conf.d/ | grep -q "/etc/nagios3/conf.d/nagios_"' + } } -- cgit v1.2.3 From 665db30f37838bcebbfdc368f65ed369282c31b8 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 9 Feb 2014 17:04:58 -0800 Subject: deploy a valid /etc/ssh/ssh_known_hosts for all nodes (requires new leap_cli) --- puppet/modules/site_sshd/manifests/init.pp | 9 +++++++++ puppet/modules/site_sshd/manifests/known_hosts.pp | 11 +++++++++++ puppet/modules/site_sshd/templates/ssh_known_hosts.erb | 5 +++++ 3 files changed, 25 insertions(+) create mode 100644 puppet/modules/site_sshd/manifests/known_hosts.pp create mode 100644 puppet/modules/site_sshd/templates/ssh_known_hosts.erb (limited to 'puppet') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 90dd2d0e..d2b13822 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,5 +1,6 @@ class site_sshd { $ssh = hiera_hash('ssh') + $hosts = hiera_hash('hosts') ## ## SETUP AUTHORIZED KEYS @@ -11,6 +12,14 @@ class site_sshd { keys => $authorized_keys } + ## + ## SETUP KNOWN HOSTS + ## + + class { 'site_sshd::known_hosts': + hosts => $hosts + } + ## ## OPTIONAL MOSH SUPPORT ## diff --git a/puppet/modules/site_sshd/manifests/known_hosts.pp b/puppet/modules/site_sshd/manifests/known_hosts.pp new file mode 100644 index 00000000..290ffd0b --- /dev/null +++ b/puppet/modules/site_sshd/manifests/known_hosts.pp @@ -0,0 +1,11 @@ +class site_sshd::known_hosts ($hosts) { + # these owner and permissions seem odd to me, but it is what is defined + # in modules/sshd/manifests/client/base.pp, so we are going to stick with it. + file { '/etc/ssh/ssh_known_hosts': + ensure => present, + owner => root, + group => 0, + mode => '0644', + content => template('site_sshd/ssh_known_hosts.erb'); + } +} diff --git a/puppet/modules/site_sshd/templates/ssh_known_hosts.erb b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb new file mode 100644 index 00000000..c5a71378 --- /dev/null +++ b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb @@ -0,0 +1,5 @@ +# This file is generated by Puppet + +<% hosts.sort.each do |name, hash| -%> +<%=name%>,<%=hash['domain_full']%>,<%=hash['domain_internal']%>,<%=hash['ip_address']%> <%=hash['host_pub_key']%> +<% end -%> -- cgit v1.2.3 From 8054778e83fbc1f5a34dcaee4b364b8ded44dbab Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Feb 2014 14:44:01 +0100 Subject: use default value for hiera lookup (#5118) --- puppet/modules/site_sshd/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index d2b13822..d2de41c8 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,6 +1,6 @@ class site_sshd { $ssh = hiera_hash('ssh') - $hosts = hiera_hash('hosts') + $hosts = hiera('hosts', '') ## ## SETUP AUTHORIZED KEYS -- cgit v1.2.3 From df342b1d4a12ea14aaaede6d876cca16028ba9a2 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Feb 2014 18:33:05 +0100 Subject: add all nodes to check_mk main.mk config --- puppet/modules/site_nagios/manifests/server/check_mk.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp index 02cb8407..5e0795c1 100644 --- a/puppet/modules/site_nagios/manifests/server/check_mk.pp +++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp @@ -4,7 +4,10 @@ class site_nagios::server::check_mk { $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] $type = $ssh_hash['authorized_keys']['monitor']['type'] $seckey = $ssh_hash['monitor']['private_key'] - $all_hosts = '"localhost", "plain1"' + + $nagios_hiera = hiera_hash('nagios') + $hosts = $nagios_hiera['hosts'] + $all_hosts = inline_template("<% @hosts.keys.sort.each do |key| -%>\"<%= key %>\", <% end -%>") package { 'check-mk-server': ensure => installed, -- cgit v1.2.3 From 6255e58bf9ff3489bf2707bc2be9759ec5c7db68 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 15:36:12 +0100 Subject: move leap_webapp.conf template to common.conf which is included by the nagios and webapp node (#5096) --- puppet/modules/site_apache/manifests/common.pp | 26 ++++++++ .../site_apache/templates/vhosts.d/common.conf.erb | 72 ++++++++++++++++++++++ .../templates/vhosts.d/leap_webapp.conf.erb | 67 -------------------- puppet/modules/site_nagios/manifests/server.pp | 16 +++-- puppet/modules/site_webapp/manifests/apache.pp | 18 +----- 5 files changed, 111 insertions(+), 88 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/common.pp create mode 100644 puppet/modules/site_apache/templates/vhosts.d/common.conf.erb delete mode 100644 puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb (limited to 'puppet') diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp new file mode 100644 index 00000000..72f24838 --- /dev/null +++ b/puppet/modules/site_apache/manifests/common.pp @@ -0,0 +1,26 @@ +class site_apache::common { + # installs x509 cert + key and common config + # that both nagios + leap webapp use + + $web_domain = hiera('domain') + $domain_name = $web_domain['name'] + + include x509::variables + include site_config::x509::commercial::cert + include site_config::x509::commercial::key + include site_config::x509::commercial::ca + + Class['Site_config::X509::Commercial::Key'] ~> Service[apache] + Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] + Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] + + include site_apache::module::rewrite + + class { '::apache': no_default_site => true, ssl => true } + + apache::vhost::file { + 'common': + content => template('site_apache/vhosts.d/common.conf.erb') + } + +} diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb new file mode 100644 index 00000000..30f0a6b1 --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -0,0 +1,72 @@ + + ServerName <%= domain %> + ServerAlias www.<%= domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= domain_name %> + ServerAlias <%= domain %> + ServerAlias www.<%= domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt + + RequestHeader set X_FORWARDED_PROTO 'https' + + +<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> + Header always unset X-Powered-By + Header always unset X-Runtime + + +<% if (defined? @services) and (@services.include? 'webapp') -%> + DocumentRoot /srv/leap/webapp/public + + RewriteEngine On + # Check for maintenance file and redirect all requests + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + +<% end -%> + + +<% if (defined? @services) and (@services.include? 'monitor') -%> + + <% if (defined? @services) and (@services.include? 'webapp') -%> + PassengerEnabled off + <% end -%> + AllowOverride all + # Nagios won't work with setting this option to "DENY", + # as set in conf.d/security (#4169). Therefor we allow + # it here, only for nagios. + Header set X-Frame-Options: "ALLOW" + +<% end -%> + + diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb deleted file mode 100644 index a001552a..00000000 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ /dev/null @@ -1,67 +0,0 @@ - - ServerName <%= domain %> - ServerAlias www.<%= domain %> - RewriteEngine On - RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] - - - - ServerName <%= domain_name %> - ServerAlias <%= domain %> - ServerAlias www.<%= domain %> - - SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH - SSLHonorCipherOrder on - - SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt - SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt - - RequestHeader set X_FORWARDED_PROTO 'https' - - -<% if @webapp['secure'] -%> - Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" -<% end -%> - Header always unset X-Powered-By - Header always unset X-Runtime - - - DocumentRoot /srv/leap/webapp/public - - RewriteEngine On - # Check for maintenance file and redirect all requests - RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f - RewriteCond %{SCRIPT_FILENAME} !maintenance.html - RewriteCond %{REQUEST_URI} !/images/maintenance.jpg - RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] - - # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt - AllowEncodedSlashes on - PassengerAllowEncodedSlashes on - PassengerFriendlyErrorPages off - SetEnv TMPDIR /var/tmp - - # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) - - Header unset ETag - FileETag None - ExpiresActive On - ExpiresDefault "access plus 1 year" - - - <% if (defined? @services) and (@services.include? 'monitor') -%> - - PassengerEnabled off - AllowOverride all - # Nagios won't work with setting this option to "DENY", - # as set in conf.d/security (#4169). Therefor we allow - # it here, only for nagios. - Header set X-Frame-Options: "ALLOW" - - <% end -%> - - diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 3e1ef7e7..b1e8a8cb 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -11,18 +11,26 @@ class site_nagios::server inherits nagios::base { include nagios::defaults include nagios::base - #Class ['nagios'] -> Class ['nagios::defaults'] - class {'nagios::apache': + class {'nagios': + # don't manage apache class from nagios, cause we already include + # it in site_apache::common + httpd => 'absent', allow_external_cmd => true, stored_config => false, - #before => Class ['nagios::defaults'] } + file { '/etc/apache2/conf.d/nagios3.conf': + ensure => link, + target => '/usr/share/doc/nagios3-common/examples/apache2.conf', + notify => Service['apache'] + } + + include site_apache::common include site_apache::module::headers File ['nagios_htpasswd'] { source => undef, - content => "nagiosadmin:$nagiosadmin_pw", + content => "nagiosadmin:${nagiosadmin_pw}", mode => '0640', } diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index d327877a..21243d34 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -7,30 +7,14 @@ class site_webapp::apache { $web_domain = hiera('domain') $domain_name = $web_domain['name'] - include x509::variables - include site_config::x509::commercial::cert - include site_config::x509::commercial::key - include site_config::x509::commercial::ca - - Class['Site_config::X509::Commercial::Key'] ~> Service[apache] - Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] - Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] - - class { '::apache': no_default_site => true, ssl => true } - + include site_apache::common include site_apache::module::headers - include site_apache::module::rewrite include site_apache::module::alias include site_apache::module::expires include site_apache::module::removeip class { 'passenger': use_munin => false } - apache::vhost::file { - 'leap_webapp': - content => template('site_apache/vhosts.d/leap_webapp.conf.erb') - } - apache::vhost::file { 'api': content => template('site_apache/vhosts.d/api.conf.erb') -- cgit v1.2.3 From 0b3e87cd6916d4ca4404fd2b375d21468d17f343 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 10 Feb 2014 15:43:39 -0800 Subject: turn off StrictHostKeyChecking for vagrant ssh clients --- puppet/modules/site_sshd/manifests/init.pp | 15 +++++++++++--- puppet/modules/site_sshd/manifests/known_hosts.pp | 11 ----------- puppet/modules/site_sshd/templates/ssh_config.erb | 23 ++++++++++++++++++++++ .../site_sshd/templates/ssh_known_hosts.erb | 6 ++++-- 4 files changed, 39 insertions(+), 16 deletions(-) delete mode 100644 puppet/modules/site_sshd/manifests/known_hosts.pp create mode 100644 puppet/modules/site_sshd/templates/ssh_config.erb (limited to 'puppet') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index d2b13822..2bcde603 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -13,11 +13,20 @@ class site_sshd { } ## - ## SETUP KNOWN HOSTS + ## SETUP KNOWN HOSTS and SSH_CONFIG ## - class { 'site_sshd::known_hosts': - hosts => $hosts + file { + '/etc/ssh/ssh_known_hosts': + owner => root, + group => root, + mode => '0644', + content => template('site_sshd/ssh_known_hosts.erb'); + '/etc/ssh/ssh_config': + owner => root, + group => root, + mode => '0644', + content => template('site_sshd/ssh_config.erb'); } ## diff --git a/puppet/modules/site_sshd/manifests/known_hosts.pp b/puppet/modules/site_sshd/manifests/known_hosts.pp deleted file mode 100644 index 290ffd0b..00000000 --- a/puppet/modules/site_sshd/manifests/known_hosts.pp +++ /dev/null @@ -1,11 +0,0 @@ -class site_sshd::known_hosts ($hosts) { - # these owner and permissions seem odd to me, but it is what is defined - # in modules/sshd/manifests/client/base.pp, so we are going to stick with it. - file { '/etc/ssh/ssh_known_hosts': - ensure => present, - owner => root, - group => 0, - mode => '0644', - content => template('site_sshd/ssh_known_hosts.erb'); - } -} diff --git a/puppet/modules/site_sshd/templates/ssh_config.erb b/puppet/modules/site_sshd/templates/ssh_config.erb new file mode 100644 index 00000000..7e967413 --- /dev/null +++ b/puppet/modules/site_sshd/templates/ssh_config.erb @@ -0,0 +1,23 @@ +# This file is generated by Puppet +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +Host * + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes + GSSAPIDelegateCredentials no +<% if scope.lookupvar('::site_config::params::environment') == 'local' -%> + # + # Vagrant nodes should have strict host key checking + # turned off. The problem is that the host key for a vagrant + # node is specific to the particular instance of the vagrant + # node you have running locally. For this reason, we can't + # track the host keys, or your host key for vpn1 would conflict + # with my host key for vpn1. + # + StrictHostKeyChecking no +<% end -%> + diff --git a/puppet/modules/site_sshd/templates/ssh_known_hosts.erb b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb index c5a71378..002ab732 100644 --- a/puppet/modules/site_sshd/templates/ssh_known_hosts.erb +++ b/puppet/modules/site_sshd/templates/ssh_known_hosts.erb @@ -1,5 +1,7 @@ # This file is generated by Puppet -<% hosts.sort.each do |name, hash| -%> -<%=name%>,<%=hash['domain_full']%>,<%=hash['domain_internal']%>,<%=hash['ip_address']%> <%=hash['host_pub_key']%> +<% @hosts.sort.each do |name, hash| -%> +<% if hash['host_pub_key'] -%> +<%= name%>,<%=hash['domain_full']%>,<%=hash['domain_internal']%>,<%=hash['ip_address']%> <%=hash['host_pub_key']%> +<% end -%> <% end -%> -- cgit v1.2.3 From 27cd293b4ed3f3632044e914375a45a5345e8cee Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 11 Feb 2014 14:00:45 +0100 Subject: use instead of , because we cannot use public ips in DC --- puppet/modules/site_check_mk/files/use_ssh.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/use_ssh.mk b/puppet/modules/site_check_mk/files/use_ssh.mk index dbdcd4b5..a10e67a3 100644 --- a/puppet/modules/site_check_mk/files/use_ssh.mk +++ b/puppet/modules/site_check_mk/files/use_ssh.mk @@ -1,5 +1,5 @@ # http://mathias-kettner.de/checkmk_datasource_programs.html datasource_programs = [ - ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa check_mk_agent", ALL_HOSTS ), + ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa check_mk_agent", ALL_HOSTS ), ] -- cgit v1.2.3 From 9a13819dbe7c8e8a51f802356e6fbebe32a7a11f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 11 Feb 2014 17:39:12 +0100 Subject: use use_ssh.mk as template, include ssh port --- puppet/modules/site_check_mk/files/use_ssh.mk | 5 ----- puppet/modules/site_check_mk/templates/use_ssh.mk | 5 +++++ puppet/modules/site_nagios/manifests/server/check_mk.pp | 5 +++-- 3 files changed, 8 insertions(+), 7 deletions(-) delete mode 100644 puppet/modules/site_check_mk/files/use_ssh.mk create mode 100644 puppet/modules/site_check_mk/templates/use_ssh.mk (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/use_ssh.mk b/puppet/modules/site_check_mk/files/use_ssh.mk deleted file mode 100644 index a10e67a3..00000000 --- a/puppet/modules/site_check_mk/files/use_ssh.mk +++ /dev/null @@ -1,5 +0,0 @@ -# http://mathias-kettner.de/checkmk_datasource_programs.html -datasource_programs = [ - ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa check_mk_agent", ALL_HOSTS ), -] - diff --git a/puppet/modules/site_check_mk/templates/use_ssh.mk b/puppet/modules/site_check_mk/templates/use_ssh.mk new file mode 100644 index 00000000..4c5523db --- /dev/null +++ b/puppet/modules/site_check_mk/templates/use_ssh.mk @@ -0,0 +1,5 @@ +# http://mathias-kettner.de/checkmk_datasource_programs.html +datasource_programs = [ + ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa -p <%= @ssh_port %> check_mk_agent", ALL_HOSTS ), +] + diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp index 5e0795c1..f0fd3a76 100644 --- a/puppet/modules/site_nagios/manifests/server/check_mk.pp +++ b/puppet/modules/site_nagios/manifests/server/check_mk.pp @@ -4,6 +4,7 @@ class site_nagios::server::check_mk { $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] $type = $ssh_hash['authorized_keys']['monitor']['type'] $seckey = $ssh_hash['monitor']['private_key'] + $ssh_port = $ssh_hash['port'] $nagios_hiera = hiera_hash('nagios') $hosts = $nagios_hiera['hosts'] @@ -27,8 +28,8 @@ class site_nagios::server::check_mk { file { '/etc/check_mk/conf.d/use_ssh.mk': - source => 'puppet:///modules/site_check_mk/use_ssh.mk', - notify => Exec['check_mk-refresh']; + content => template('site_check_mk/use_ssh.mk'), + notify => Exec['check_mk-refresh']; '/etc/check_mk/all_hosts_static': content => $all_hosts, notify => Exec['check_mk-refresh']; -- cgit v1.2.3 From 142eee6d9162c762c35fb79312ec572ce274b6d0 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 11 Feb 2014 17:39:37 +0100 Subject: properly purge nagios3/conf.d dir --- puppet/modules/site_nagios/manifests/server/purge.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp index 18993586..1c12cfb0 100644 --- a/puppet/modules/site_nagios/manifests/server/purge.pp +++ b/puppet/modules/site_nagios/manifests/server/purge.pp @@ -10,8 +10,9 @@ class site_nagios::server::purge inherits nagios::base { purge => false } + # only purge find in the /etc/nagios3/conf.d/ dir, not in any subdir exec {'purge_conf.d': - command => '/bin/rm -f /etc/nagios3/conf.d/nagios_*', - onlyif => 'find /etc/nagios3/conf.d/ | grep -q "/etc/nagios3/conf.d/nagios_"' + command => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f -exec rm {} \;', + onlyif => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f | grep -q "/etc/nagios3/conf.d"' } } -- cgit v1.2.3 From 902d1dbcbd0761f0dea9c2af1b04d69673d65a9e Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 12:38:36 +0100 Subject: added puppet/bin/apply_on_node.sh to debug puppet on node this is useful for debugging puppet with higher verbosit or debug output. i put it into puppet/bin/ because puppet/ will get synced to a node. --- puppet/bin/apply_on_node.sh | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100755 puppet/bin/apply_on_node.sh (limited to 'puppet') diff --git a/puppet/bin/apply_on_node.sh b/puppet/bin/apply_on_node.sh new file mode 100755 index 00000000..09e5b035 --- /dev/null +++ b/puppet/bin/apply_on_node.sh @@ -0,0 +1,30 @@ +#!/bin/sh + +# Script to use on a node for debugging +# Usage: ./apply_on_node.sh +# +# Example: ./apply_on_node.sh --debug --verbose + +ROOTDIR='/srv/leap' +PLATFORM="$ROOTDIR" +MODULEPATH="$PLATFORM/puppet/modules" +LOG=/var/log/leap.log + +# example tags to use +#TAGS='--tags=leap_base,leap_service,leap_slow' +#TAGS='--tags=leap_base,leap_slow' +#TAGS='--tags=leap_base,leap_service' + +####### +# Setup +####### + +puppet apply -v --confdir $PLATFORM/puppet --libdir $PLATFORM/puppet/lib --modulepath=$MODULEPATH $PLATFORM/puppet/manifests/setup.pp $TAGS $@ |tee $LOG 2>&1 + +######### +# site.pp +######### + +puppet apply -v --confdir $PLATFORM/puppet --libdir $PLATFORM/puppet/lib --modulepath=$MODULEPATH $PLATFORM/puppet/manifests/site.pp $TAGS $@ |tee $LOG 2>&1 + + -- cgit v1.2.3 From 15ddd997572a4845f5a16f1af16c5ce5b7ac4c11 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 21:29:46 +0100 Subject: updated LEAP archive signing key 0x1E34A1828E207901 --- puppet/modules/site_apt/files/keys/leap_key.asc | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc index b69251f0..b6b5077b 100644 --- a/puppet/modules/site_apt/files/keys/leap_key.asc +++ b/puppet/modules/site_apt/files/keys/leap_key.asc @@ -1,5 +1,5 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.11 (GNU/Linux) +Version: GnuPG v1.4.14 (GNU/Linux) mQINBFESwt0BEAC2CR+XgW04DVwT427v2T4+qz+O/xGOwQcalVaSOUuguYgf29en Apb6mUqROOTuJWN1nw1lvXiA6iFxg6DjDUhsp6j54X7GAAAjZ9QuavPgcsractsJ @@ -36,7 +36,19 @@ y9k8peFB7wwf0sW3Eg78XFsfy4gyV619VnBR+PbfOpKqFFXAodF1mFiIrPeefaVp F9fiQ5Owt0sJjDaJnYT83ksAO2Aj+VsY3UjnDrGFaiV8Neit9y/8W8DqmZ3EZEF/ M3iS0yDjqqt9ACFD+jkGlKYsyHv7gbpTq0yi6u/kRXHUTIvVwFL9M6Z6AUcG8gzo qbKhXGfWKEq0lN5HAjJ//V9ro3DekFd0A+NQOlFV6XtspZwphVdtW1WS078HmVlw -F5dbD8pcfT/RjbkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp +F5dbD8pcfT/RjYkCPQQTAQoAJwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUC +UvT9ZgUJA8NuBQAKCRAeNKGCjiB5AXB+D/9k/BzZdAczQ3/v7hKrN9y3/D8kOEYK +rF8HdcBOH522sN6mqvm7wGkf3RmNSi731m6vzlbBSonrAT5KDMpj+THOmUcY29V5 +a1YOgFCCkToOfl+LmlLiuqfrGCJyE28MKMrsi2zMBKhsSxhvcI0EhJkQpPBu8gUs +XW1GSHuh5CYzwf/i8eNDpVrhHjRF0AVCOWIq52LTR62QchR+6ci/wVDHWd9Ase5X +8rxNnt2/pCbgATklQbmRcQS6efTVk3oXk1DZ8M46vayJ1g2BFuIi7pohiekLAAAt +MCwRKHTHvtPkGAUAEXExPGS78qHxLHIau2VCtSBxm+bQX+ZyCMANDpI+ZTFp1APJ +9SpbtGozuQOpWFjWY1rERunrbyWHIb2DuVVNKGiHlkMJB76zzysvbIPYWx1RqD6s +KFJBkjrM0xn8H+D6qzwzGfmX1Yaw12oYA6pcai4aK5sO7KHt+THAxYAcVF7qxGU7 +lnDifM56hrH/DbE5InlDC8OUqDysj0cHacRee+ZYtj7TiEykWfP5RrZCLQ7L6Jd/ +HtgQti/9TVUaFkIlQCfvF+l4BYZQYvnhx3MVK7ChKLmy6AVQLWnDrBrDvl07HLvW +6pslRzVHfWyIYng0pZ0HvK+MpQztCoUcDK470mjlpAtjNHuyKh6r6TtaiVK8MgbR +Sx/NMHb1/PXQJrkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp OWvdhTW9056v+y22DoKbULjT8k+8GzuRQ0xp4VwCC1rX3UExwceczzGs+tSKuIGm g1ELygsaOZHdQBNLGPvn+TZNGlaYXPlQo7m8YhXGHwgQrdKyjcFD5xnOHxe981LT q+IQ6jVYhho7/Qik9rVE1XHxoOfYvnNZJD0cFdf9OcX47YoqmM4sZYPMoOmKoVQT @@ -59,5 +71,5 @@ Dxix2FBXQU/4pVpGHjXTQP6RqeTrAedXvpgCHWP1UIlswIQecGmQcJ/hRZjd+0vl cjfCYhZHr7N96Da6Cy8v2fZiZHaSAt7T2oIZ9X3gEh/kOlLDcuIdvMHUfojn0MrP Ce1AqOHyQQqhkVylvZpS0PdE0VW3PmJ98uKfX2FVAOTUD4Rw3n9Ew7bfM249HuP4 JOXi/Skp4sBB/xgrtV1u+E+BW0SS/BOiwfrI4xUy+MrWuw== -=4STg +=Om8x -----END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.3 From 251c250fe5cf44c99a74d4359cb29b0bf165f3af Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 7 Feb 2014 21:29:46 +0100 Subject: updated LEAP archive signing key 0x1E34A1828E207901 --- puppet/modules/site_apt/files/keys/leap_key.asc | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc index b69251f0..b6b5077b 100644 --- a/puppet/modules/site_apt/files/keys/leap_key.asc +++ b/puppet/modules/site_apt/files/keys/leap_key.asc @@ -1,5 +1,5 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.11 (GNU/Linux) +Version: GnuPG v1.4.14 (GNU/Linux) mQINBFESwt0BEAC2CR+XgW04DVwT427v2T4+qz+O/xGOwQcalVaSOUuguYgf29en Apb6mUqROOTuJWN1nw1lvXiA6iFxg6DjDUhsp6j54X7GAAAjZ9QuavPgcsractsJ @@ -36,7 +36,19 @@ y9k8peFB7wwf0sW3Eg78XFsfy4gyV619VnBR+PbfOpKqFFXAodF1mFiIrPeefaVp F9fiQ5Owt0sJjDaJnYT83ksAO2Aj+VsY3UjnDrGFaiV8Neit9y/8W8DqmZ3EZEF/ M3iS0yDjqqt9ACFD+jkGlKYsyHv7gbpTq0yi6u/kRXHUTIvVwFL9M6Z6AUcG8gzo qbKhXGfWKEq0lN5HAjJ//V9ro3DekFd0A+NQOlFV6XtspZwphVdtW1WS078HmVlw -F5dbD8pcfT/RjbkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp +F5dbD8pcfT/RjYkCPQQTAQoAJwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAUC +UvT9ZgUJA8NuBQAKCRAeNKGCjiB5AXB+D/9k/BzZdAczQ3/v7hKrN9y3/D8kOEYK +rF8HdcBOH522sN6mqvm7wGkf3RmNSi731m6vzlbBSonrAT5KDMpj+THOmUcY29V5 +a1YOgFCCkToOfl+LmlLiuqfrGCJyE28MKMrsi2zMBKhsSxhvcI0EhJkQpPBu8gUs +XW1GSHuh5CYzwf/i8eNDpVrhHjRF0AVCOWIq52LTR62QchR+6ci/wVDHWd9Ase5X +8rxNnt2/pCbgATklQbmRcQS6efTVk3oXk1DZ8M46vayJ1g2BFuIi7pohiekLAAAt +MCwRKHTHvtPkGAUAEXExPGS78qHxLHIau2VCtSBxm+bQX+ZyCMANDpI+ZTFp1APJ +9SpbtGozuQOpWFjWY1rERunrbyWHIb2DuVVNKGiHlkMJB76zzysvbIPYWx1RqD6s +KFJBkjrM0xn8H+D6qzwzGfmX1Yaw12oYA6pcai4aK5sO7KHt+THAxYAcVF7qxGU7 +lnDifM56hrH/DbE5InlDC8OUqDysj0cHacRee+ZYtj7TiEykWfP5RrZCLQ7L6Jd/ +HtgQti/9TVUaFkIlQCfvF+l4BYZQYvnhx3MVK7ChKLmy6AVQLWnDrBrDvl07HLvW +6pslRzVHfWyIYng0pZ0HvK+MpQztCoUcDK470mjlpAtjNHuyKh6r6TtaiVK8MgbR +Sx/NMHb1/PXQJrkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp OWvdhTW9056v+y22DoKbULjT8k+8GzuRQ0xp4VwCC1rX3UExwceczzGs+tSKuIGm g1ELygsaOZHdQBNLGPvn+TZNGlaYXPlQo7m8YhXGHwgQrdKyjcFD5xnOHxe981LT q+IQ6jVYhho7/Qik9rVE1XHxoOfYvnNZJD0cFdf9OcX47YoqmM4sZYPMoOmKoVQT @@ -59,5 +71,5 @@ Dxix2FBXQU/4pVpGHjXTQP6RqeTrAedXvpgCHWP1UIlswIQecGmQcJ/hRZjd+0vl cjfCYhZHr7N96Da6Cy8v2fZiZHaSAt7T2oIZ9X3gEh/kOlLDcuIdvMHUfojn0MrP Ce1AqOHyQQqhkVylvZpS0PdE0VW3PmJ98uKfX2FVAOTUD4Rw3n9Ew7bfM249HuP4 JOXi/Skp4sBB/xgrtV1u+E+BW0SS/BOiwfrI4xUy+MrWuw== -=4STg +=Om8x -----END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.3 From efc3e3eaa0788271cf61155d7e9be4d46e6e9d47 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 16:26:59 +0100 Subject: moved check_mk server and client class to site_check_mk module --- puppet/modules/site_check_mk/manifests/client.pp | 24 +++++++++++ puppet/modules/site_check_mk/manifests/server.pp | 48 ++++++++++++++++++++++ puppet/modules/site_config/manifests/default.pp | 2 +- puppet/modules/site_nagios/manifests/client.pp | 22 ---------- puppet/modules/site_nagios/manifests/init.pp | 2 +- puppet/modules/site_nagios/manifests/server.pp | 2 +- .../site_nagios/manifests/server/check_mk.pp | 48 ---------------------- 7 files changed, 75 insertions(+), 73 deletions(-) create mode 100644 puppet/modules/site_check_mk/manifests/client.pp create mode 100644 puppet/modules/site_check_mk/manifests/server.pp delete mode 100644 puppet/modules/site_nagios/manifests/client.pp delete mode 100644 puppet/modules/site_nagios/manifests/server/check_mk.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/client.pp b/puppet/modules/site_check_mk/manifests/client.pp new file mode 100644 index 00000000..ae269168 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/client.pp @@ -0,0 +1,24 @@ +class site_check_mk::client { + + $ssh_hash = hiera('ssh') + $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] + $type = $ssh_hash['authorized_keys']['monitor']['type'] + + include site_apt::preferences::check_mk + + class { 'check_mk::agent': + agent_package_name => 'check-mk-agent', + agent_logwatch_package_name => 'check-mk-agent-logwatch', + method => 'ssh', + homedir => '/etc/nagios/check_mk', + register_agent => false + } + + file { '/root/.ssh/authorized_keys2': + owner => 'root', + group => 'root', + mode => '0600', + content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" + } + +} diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp new file mode 100644 index 00000000..625fc688 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -0,0 +1,48 @@ +class site_check_mk::server { + + $ssh_hash = hiera('ssh') + $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] + $type = $ssh_hash['authorized_keys']['monitor']['type'] + $seckey = $ssh_hash['monitor']['private_key'] + $ssh_port = $ssh_hash['port'] + + $nagios_hiera = hiera_hash('nagios') + $hosts = $nagios_hiera['hosts'] + $all_hosts = inline_template("<% @hosts.keys.sort.each do |key| -%>\"<%= key %>\", <% end -%>") + + package { 'check-mk-server': + ensure => installed, + } + + # override paths to use the system check_mk rather than OMD + class { 'check_mk::config': + site => '', + etc_dir => '/etc', + nagios_subdir => 'nagios3', + bin_dir => '/usr/bin', + host_groups => undef, + require => Package['check-mk-server'] + } + + Exec['check_mk-reload'] -> Service['nagios'] + + file { + '/etc/check_mk/conf.d/use_ssh.mk': + content => template('site_check_mk/use_ssh.mk'), + notify => Exec['check_mk-refresh']; + '/etc/check_mk/all_hosts_static': + content => $all_hosts, + notify => Exec['check_mk-refresh']; + '/etc/check_mk/.ssh': + ensure => directory; + '/etc/check_mk/.ssh/id_rsa': + content => $seckey, + owner => 'nagios', + mode => '0600'; + '/etc/check_mk/.ssh/id_rsa.pub': + content => "${type} ${pubkey} monitor", + owner => 'nagios', + mode => '0644'; + } + include check_mk::agent::local_checks +} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index a09a30d2..25f9b3f8 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -87,5 +87,5 @@ class site_config::default { include ::site_custom } - include site_nagios::client + include site_check_mk::client } diff --git a/puppet/modules/site_nagios/manifests/client.pp b/puppet/modules/site_nagios/manifests/client.pp deleted file mode 100644 index ff569142..00000000 --- a/puppet/modules/site_nagios/manifests/client.pp +++ /dev/null @@ -1,22 +0,0 @@ -class site_nagios::client { - - $ssh_hash = hiera('ssh') - $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] - $type = $ssh_hash['authorized_keys']['monitor']['type'] - - class { 'check_mk::agent': - agent_package_name => 'check-mk-agent', - agent_logwatch_package_name => 'check-mk-agent-logwatch', - method => 'ssh', - homedir => '/etc/nagios/check_mk', - register_agent => false - } - - file { '/root/.ssh/authorized_keys2': - owner => 'root', - group => 'root', - mode => '0600', - content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" - } - -} diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp index c3cfa02e..eb08cdcb 100644 --- a/puppet/modules/site_nagios/manifests/init.pp +++ b/puppet/modules/site_nagios/manifests/init.pp @@ -1,6 +1,6 @@ class site_nagios { tag 'leap_service' Class['site_config::default'] -> Class['site_nagios'] - + include site_nagios::server } diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index d740d8b7..b1795826 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -46,6 +46,6 @@ class site_nagios::server inherits nagios::base { create_resources ( site_nagios::add_host, $hosts ) include site_nagios::server::apache - include site_nagios::server::check_mk + include site_check_mk::server include site_shorewall::monitor } diff --git a/puppet/modules/site_nagios/manifests/server/check_mk.pp b/puppet/modules/site_nagios/manifests/server/check_mk.pp deleted file mode 100644 index f0fd3a76..00000000 --- a/puppet/modules/site_nagios/manifests/server/check_mk.pp +++ /dev/null @@ -1,48 +0,0 @@ -class site_nagios::server::check_mk { - - $ssh_hash = hiera('ssh') - $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] - $type = $ssh_hash['authorized_keys']['monitor']['type'] - $seckey = $ssh_hash['monitor']['private_key'] - $ssh_port = $ssh_hash['port'] - - $nagios_hiera = hiera_hash('nagios') - $hosts = $nagios_hiera['hosts'] - $all_hosts = inline_template("<% @hosts.keys.sort.each do |key| -%>\"<%= key %>\", <% end -%>") - - package { 'check-mk-server': - ensure => installed, - } - - # override paths to use the system check_mk rather than OMD - class { 'check_mk::config': - site => '', - etc_dir => '/etc', - nagios_subdir => 'nagios3', - bin_dir => '/usr/bin', - host_groups => undef, - require => Package['check-mk-server'] - } - - Exec['check_mk-reload'] -> Service['nagios'] - - file { - '/etc/check_mk/conf.d/use_ssh.mk': - content => template('site_check_mk/use_ssh.mk'), - notify => Exec['check_mk-refresh']; - '/etc/check_mk/all_hosts_static': - content => $all_hosts, - notify => Exec['check_mk-refresh']; - '/etc/check_mk/.ssh': - ensure => directory; - '/etc/check_mk/.ssh/id_rsa': - content => $seckey, - owner => 'nagios', - mode => '0600'; - '/etc/check_mk/.ssh/id_rsa.pub': - content => "${type} ${pubkey} monitor", - owner => 'nagios', - mode => '0644'; - } - -} -- cgit v1.2.3 From cafa3fc37229ad9fa8e78c1a06ef6e5444ba3ebb Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 16:36:57 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index 382cb6d2..f9e49426 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit 382cb6d2ab5fe05b9db7e4178cd16b71685bef59 +Subproject commit f9e494265f6c7b83ab9ef418e40cc7aac5589563 -- cgit v1.2.3 From 6d1a379f59612b79ddfbc10cac79cb5dfdafae58 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 16:51:46 +0100 Subject: added apt::preferences file for check-mk-\* to install from backports --- puppet/modules/site_apt/manifests/preferences/check_mk.pp | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 puppet/modules/site_apt/manifests/preferences/check_mk.pp (limited to 'puppet') diff --git a/puppet/modules/site_apt/manifests/preferences/check_mk.pp b/puppet/modules/site_apt/manifests/preferences/check_mk.pp new file mode 100644 index 00000000..580e0d3f --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/check_mk.pp @@ -0,0 +1,9 @@ +class site_apt::preferences::check_mk { + + apt::preferences_snippet { 'check-mk': + package => 'check-mk-*', + release => "${::lsbdistcodename}-backports", + priority => 999; + } + +} -- cgit v1.2.3 From 060124b047ac44f9f54573a389fea6c5b6ab18ea Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 18:14:19 +0100 Subject: renamed site_check_mk::client to site_check_mk::agent --- puppet/modules/site_check_mk/manifests/agent.pp | 24 ++++++++++++++++++++++++ puppet/modules/site_check_mk/manifests/client.pp | 24 ------------------------ puppet/modules/site_config/manifests/default.pp | 2 +- 3 files changed, 25 insertions(+), 25 deletions(-) create mode 100644 puppet/modules/site_check_mk/manifests/agent.pp delete mode 100644 puppet/modules/site_check_mk/manifests/client.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp new file mode 100644 index 00000000..bb0cb167 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -0,0 +1,24 @@ +class site_check_mk::agent { + + $ssh_hash = hiera('ssh') + $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] + $type = $ssh_hash['authorized_keys']['monitor']['type'] + + include site_apt::preferences::check_mk + + class { 'check_mk::agent': + agent_package_name => 'check-mk-agent', + agent_logwatch_package_name => 'check-mk-agent-logwatch', + method => 'ssh', + homedir => '/etc/nagios/check_mk', + register_agent => false + } + + file { '/root/.ssh/authorized_keys2': + owner => 'root', + group => 'root', + mode => '0600', + content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" + } + +} diff --git a/puppet/modules/site_check_mk/manifests/client.pp b/puppet/modules/site_check_mk/manifests/client.pp deleted file mode 100644 index ae269168..00000000 --- a/puppet/modules/site_check_mk/manifests/client.pp +++ /dev/null @@ -1,24 +0,0 @@ -class site_check_mk::client { - - $ssh_hash = hiera('ssh') - $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] - $type = $ssh_hash['authorized_keys']['monitor']['type'] - - include site_apt::preferences::check_mk - - class { 'check_mk::agent': - agent_package_name => 'check-mk-agent', - agent_logwatch_package_name => 'check-mk-agent-logwatch', - method => 'ssh', - homedir => '/etc/nagios/check_mk', - register_agent => false - } - - file { '/root/.ssh/authorized_keys2': - owner => 'root', - group => 'root', - mode => '0600', - content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" - } - -} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 25f9b3f8..53cc60f6 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -87,5 +87,5 @@ class site_config::default { include ::site_custom } - include site_check_mk::client + include site_check_mk::agent } -- cgit v1.2.3 From 1c8c4f6f3b68ba1da13e6b6374c6c55fe8214789 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Feb 2014 18:45:17 +0100 Subject: execute nagios plugins locally with mrpe --- puppet/modules/site_check_mk/manifests/agent.pp | 1 + puppet/modules/site_check_mk/manifests/agent/mrpe.pp | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 puppet/modules/site_check_mk/manifests/agent/mrpe.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index bb0cb167..ac5a7ebd 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -21,4 +21,5 @@ class site_check_mk::agent { content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" } + include site_check_mk::agent::mrpe } diff --git a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp new file mode 100644 index 00000000..37df7f74 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp @@ -0,0 +1,17 @@ +class site_check_mk::agent::mrpe { + # check_mk can use standard nagios plugins using + # a wrapper called mrpe + # see http://mathias-kettner.de/checkmk_mrpe.html + + package { 'nagios-plugins-basic': + ensure => latest, + } + + file { '/etc/check_mk/mrpe.cfg': + ensure => present + } -> + file_line { 'Apt': + line => 'APT /usr/lib/nagios/plugins/check_apt', + path => '/etc/check_mk/mrpe.cfg', + } +} -- cgit v1.2.3 From 12cea40d5dffe5aa6e269c05773ed49d9f00a9ea Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Feb 2014 00:10:09 +0100 Subject: added site_check_mk::agent::couchdb and site_check_mk::agent::soledad for local checks --- puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 17 +++++++++++++++++ puppet/modules/site_check_mk/manifests/agent/soledad.pp | 10 ++++++++++ puppet/modules/site_couchdb/manifests/init.pp | 2 ++ puppet/modules/soledad/manifests/init.pp | 2 ++ 4 files changed, 31 insertions(+) create mode 100644 puppet/modules/site_check_mk/manifests/agent/couchdb.pp create mode 100644 puppet/modules/site_check_mk/manifests/agent/soledad.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp new file mode 100644 index 00000000..5b50e5a9 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -0,0 +1,17 @@ +class site_check_mk::agent::couchdb { + + # local custom checks + file { '/usr/lib/check_mk_agent/local/check_bigcouch_errors.sh': + ensure => link, + target => '/srv/leap/couchdb/scripts/tests/check_bigcouch_errors.sh', + require => Vcsrepo['/srv/leap/couchdb/scripts'] + } + + # local nagios plugin checks via mrpe + file_line { + 'Tapicero_Procs': + line => 'Tapicero_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero', + path => '/etc/check_mk/mrpe.cfg'; + } + +} diff --git a/puppet/modules/site_check_mk/manifests/agent/soledad.pp b/puppet/modules/site_check_mk/manifests/agent/soledad.pp new file mode 100644 index 00000000..d75ae732 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/soledad.pp @@ -0,0 +1,10 @@ +class site_check_mk::agent::soledad { + + # local nagios plugin checks via mrpe + file_line { + 'Soledad_Procs': + line => 'Soledad_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a soledad', + path => '/etc/check_mk/mrpe.cfg'; + } + +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 137b661f..a9512577 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -107,4 +107,6 @@ class site_couchdb { } if $couchdb_backup { include site_couchdb::backup } + + include site_check_mk::agent::couchdb } diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp index 7d44c8b4..35adc28e 100644 --- a/puppet/modules/soledad/manifests/init.pp +++ b/puppet/modules/soledad/manifests/init.pp @@ -27,4 +27,6 @@ class soledad { require => User['soledad']; } + include site_check_mk::agent::soledad + } -- cgit v1.2.3 From c1d1d9d7cf6fefd1203cc09a66c2e0230b930b5e Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Feb 2014 14:44:01 +0100 Subject: use default value for hiera lookup (#5118) --- puppet/modules/site_sshd/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 2bcde603..d9bc1d51 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,6 +1,6 @@ class site_sshd { $ssh = hiera_hash('ssh') - $hosts = hiera_hash('hosts') + $hosts = hiera('hosts', '') ## ## SETUP AUTHORIZED KEYS -- cgit v1.2.3 From d0eea33d88a6ffcbe01544678372d80e8c8de51f Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 14 Feb 2014 17:38:02 +0100 Subject: Include check_mk monitor pubkey in /root/.ssh/authorized_keys instead of creating a /root/.ssh/authorized_keys2 see https://review.leap.se/r/148/#comment153 --- puppet/modules/site_check_mk/manifests/agent.pp | 7 ------- puppet/modules/site_sshd/templates/authorized_keys.erb | 4 ++++ 2 files changed, 4 insertions(+), 7 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index ac5a7ebd..75188c7b 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -14,12 +14,5 @@ class site_check_mk::agent { register_agent => false } - file { '/root/.ssh/authorized_keys2': - owner => 'root', - group => 'root', - mode => '0600', - content => "command=\"/usr/bin/check_mk_agent\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, ${type} ${pubkey} monitor" - } - include site_check_mk::agent::mrpe } diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb index 3c65e8ab..69f4d8e6 100644 --- a/puppet/modules/site_sshd/templates/authorized_keys.erb +++ b/puppet/modules/site_sshd/templates/authorized_keys.erb @@ -2,5 +2,9 @@ # all manually added keys will be overridden <% keys.sort.each do |user, hash| -%> +<% if user == 'monitor' -%> +command="/usr/bin/check_mk_agent",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,no-user-rc, <%=hash['type']-%> <%=hash['key']%> <%=user%> +<% else -%> <%=hash['type']-%> <%=hash['key']%> <%=user%> +<% end -%> <% end -%> -- cgit v1.2.3 From 2436fddb4a63075f74f295bacd23128c766beb4c Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 17 Feb 2014 13:50:42 +0100 Subject: Remove adding of hosts from site_nagios::server (Feature #5132) because now, check_mk will add the hosts --- puppet/modules/site_check_mk/manifests/server.pp | 2 +- puppet/modules/site_nagios/manifests/add_host.pp | 32 ---------------------- .../site_nagios/manifests/add_host_services.pp | 26 ++++++++++++++++++ puppet/modules/site_nagios/manifests/server.pp | 2 +- 4 files changed, 28 insertions(+), 34 deletions(-) delete mode 100644 puppet/modules/site_nagios/manifests/add_host.pp create mode 100644 puppet/modules/site_nagios/manifests/add_host_services.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 625fc688..e77862e5 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -8,7 +8,7 @@ class site_check_mk::server { $nagios_hiera = hiera_hash('nagios') $hosts = $nagios_hiera['hosts'] - $all_hosts = inline_template("<% @hosts.keys.sort.each do |key| -%>\"<%= key %>\", <% end -%>") + $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') package { 'check-mk-server': ensure => installed, diff --git a/puppet/modules/site_nagios/manifests/add_host.pp b/puppet/modules/site_nagios/manifests/add_host.pp deleted file mode 100644 index 94352de4..00000000 --- a/puppet/modules/site_nagios/manifests/add_host.pp +++ /dev/null @@ -1,32 +0,0 @@ -define site_nagios::add_host ( - $domain_internal, - $ip_address, - $services, - $openvpn_gateway_address='' ) { - - $nagios_hostname = $domain_internal - - # Add Nagios host - nagios_host { $nagios_hostname: - address => $ip_address, - use => 'generic-host', - } - - # Add Nagios service - - # First, we need to turn the serice array into hash, using a "hash template" - # see https://github.com/ashak/puppet-resource-looping - $nagios_service_hashpart = { - 'hostname' => $nagios_hostname, - 'ip_address' => $ip_address, - 'openvpn_gw' => $openvpn_gateway_address, - } - $dynamic_parameters = { - 'service' => '%s' - } - $nagios_servicename = "${nagios_hostname}_%s" - - $nagios_service_hash = create_resources_hash_from($nagios_servicename, $services, $nagios_service_hashpart, $dynamic_parameters) - - create_resources ( site_nagios::add_service, $nagios_service_hash ) -} diff --git a/puppet/modules/site_nagios/manifests/add_host_services.pp b/puppet/modules/site_nagios/manifests/add_host_services.pp new file mode 100644 index 00000000..2d615ff1 --- /dev/null +++ b/puppet/modules/site_nagios/manifests/add_host_services.pp @@ -0,0 +1,26 @@ +define site_nagios::add_host_services ( + $domain_internal, + $ip_address, + $services, + $openvpn_gateway_address='' ) { + + $nagios_hostname = $domain_internal + + # Add Nagios service + + # First, we need to turn the serice array into hash, using a "hash template" + # see https://github.com/ashak/puppet-resource-looping + $nagios_service_hashpart = { + 'hostname' => $nagios_hostname, + 'ip_address' => $ip_address, + 'openvpn_gw' => $openvpn_gateway_address, + } + $dynamic_parameters = { + 'service' => '%s' + } + $nagios_servicename = "${nagios_hostname}_%s" + + $nagios_service_hash = create_resources_hash_from($nagios_servicename, $services, $nagios_service_hashpart, $dynamic_parameters) + + create_resources ( site_nagios::add_service, $nagios_service_hash ) +} diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index b1795826..ca38d7fc 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -43,7 +43,7 @@ class site_nagios::server inherits nagios::base { group => 'nagios', } - create_resources ( site_nagios::add_host, $hosts ) + create_resources ( site_nagios::add_host_services, $hosts ) include site_nagios::server::apache include site_check_mk::server -- cgit v1.2.3 From 91bee3e81439cca0536856094edc7ceee7da60ff Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Feb 2014 08:32:14 +0100 Subject: set up logwatch.d directory, added for soledad logwatch config --- puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg | 4 ++++ puppet/modules/site_check_mk/manifests/agent/soledad.pp | 4 ++++ 2 files changed, 8 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg new file mode 100644 index 00000000..54b782d3 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg @@ -0,0 +1,4 @@ +/var/log/soledad.log + C WSGI application error + C error + diff --git a/puppet/modules/site_check_mk/manifests/agent/soledad.pp b/puppet/modules/site_check_mk/manifests/agent/soledad.pp index d75ae732..cbae81fe 100644 --- a/puppet/modules/site_check_mk/manifests/agent/soledad.pp +++ b/puppet/modules/site_check_mk/manifests/agent/soledad.pp @@ -1,5 +1,9 @@ class site_check_mk::agent::soledad { + file { '/etc/check_mk/logwatch.d/soledad.cfg': + source => 'puppet:///modules/site_check_mk/agent/logwatch/soledad.cfg', + } + # local nagios plugin checks via mrpe file_line { 'Soledad_Procs': -- cgit v1.2.3 From 6007c2e5b8556460471d4cae9206a950dd184fec Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Feb 2014 15:14:04 +0100 Subject: added mk_logwatch.1.2.4 (#5135) --- .../files/agent/plugins/mk_logwatch.1.2.4 | 374 +++++++++++++++++++++ puppet/modules/site_check_mk/manifests/agent.pp | 1 + .../site_check_mk/manifests/agent/logwatch.pp | 11 + 3 files changed, 386 insertions(+) create mode 100755 puppet/modules/site_check_mk/files/agent/plugins/mk_logwatch.1.2.4 create mode 100644 puppet/modules/site_check_mk/manifests/agent/logwatch.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/plugins/mk_logwatch.1.2.4 b/puppet/modules/site_check_mk/files/agent/plugins/mk_logwatch.1.2.4 new file mode 100755 index 00000000..3dbca322 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/plugins/mk_logwatch.1.2.4 @@ -0,0 +1,374 @@ +#!/usr/bin/python +# -*- encoding: utf-8; py-indent-offset: 4 -*- +# +------------------------------------------------------------------+ +# | ____ _ _ __ __ _ __ | +# | / ___| |__ ___ ___| | __ | \/ | |/ / | +# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / | +# | | |___| | | | __/ (__| < | | | | . \ | +# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ | +# | | +# | Copyright Mathias Kettner 2010 mk@mathias-kettner.de | +# +------------------------------------------------------------------+ +# +# This file is part of Check_MK. +# The official homepage is at http://mathias-kettner.de/check_mk. +# +# check_mk is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation in version 2. check_mk is distributed +# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with- +# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. See the GNU General Public License for more de- +# ails. You should have received a copy of the GNU General Public +# License along with GNU Make; see the file COPYING. If not, write +# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, +# Boston, MA 02110-1301 USA. + +# Call with -d for debug mode: colored output, no saving of status + +import sys, os, re, time +import glob + +if '-d' in sys.argv[1:] or '--debug' in sys.argv[1:]: + tty_red = '\033[1;31m' + tty_green = '\033[1;32m' + tty_yellow = '\033[1;33m' + tty_blue = '\033[1;34m' + tty_normal = '\033[0m' + debug = True +else: + tty_red = '' + tty_green = '' + tty_yellow = '' + tty_blue = '' + tty_normal = '' + debug = False + +# The configuration file and status file are searched +# in the directory named by the environment variable +# LOGWATCH_DIR. If that is not set, MK_CONFDIR is used. +# If that is not set either, the current directory ist +# used. +logwatch_dir = os.getenv("LOGWATCH_DIR") +if not logwatch_dir: + logwatch_dir = os.getenv("MK_CONFDIR") + if not logwatch_dir: + logwatch_dir = "." + +print "<<>>" + +config_filename = logwatch_dir + "/logwatch.cfg" +status_filename = logwatch_dir + "/logwatch.state" +config_dir = logwatch_dir + "/logwatch.d/*.cfg" + +def is_not_comment(line): + if line.lstrip().startswith('#') or \ + line.strip() == '': + return False + return True + +def parse_filenames(line): + return line.split() + +def parse_pattern(level, pattern): + if level not in [ 'C', 'W', 'I', 'O' ]: + raise(Exception("Invalid pattern line '%s'" % line)) + try: + compiled = re.compile(pattern) + except: + raise(Exception("Invalid regular expression in line '%s'" % line)) + return (level, compiled) + +def read_config(): + config_lines = [ line.rstrip() for line in filter(is_not_comment, file(config_filename).readlines()) ] + # Add config from a logwatch.d folder + for config_file in glob.glob(config_dir): + config_lines += [ line.rstrip() for line in filter(is_not_comment, file(config_file).readlines()) ] + + have_filenames = False + config = [] + + for line in config_lines: + rewrite = False + if line[0].isspace(): # pattern line + if not have_filenames: + raise Exception("Missing logfile names") + level, pattern = line.split(None, 1) + if level == 'A': + cont_list.append(parse_cont_pattern(pattern)) + elif level == 'R': + rewrite_list.append(pattern) + else: + level, compiled = parse_pattern(level, pattern) + cont_list = [] # List of continuation patterns + rewrite_list = [] # List of rewrite patterns + patterns.append((level, compiled, cont_list, rewrite_list)) + else: # filename line + patterns = [] + config.append((parse_filenames(line), patterns)) + have_filenames = True + return config + +def parse_cont_pattern(pattern): + try: + return int(pattern) + except: + try: + return re.compile(pattern) + except: + if debug: + raise + raise Exception("Invalid regular expression in line '%s'" % pattern) + +# structure of statusfile +# # LOGFILE OFFSET INODE +# /var/log/messages|7767698|32455445 +# /var/test/x12134.log|12345|32444355 +def read_status(): + if debug: + return {} + + status = {} + for line in file(status_filename): + # TODO: Remove variants with spaces. rsplit is + # not portable. split fails if logfilename contains + # spaces + inode = -1 + try: + parts = line.split('|') + filename = parts[0] + offset = parts[1] + if len(parts) >= 3: + inode = parts[2] + + except: + try: + filename, offset = line.rsplit(None, 1) + except: + filename, offset = line.split(None, 1) + status[filename] = int(offset), int(inode) + return status + +def save_status(status): + f = file(status_filename, "w") + for filename, (offset, inode) in status.items(): + f.write("%s|%d|%d\n" % (filename, offset, inode)) + +pushed_back_line = None +def next_line(f): + global pushed_back_line + if pushed_back_line != None: + line = pushed_back_line + pushed_back_line = None + return line + else: + try: + line = f.next() + return line + except: + return None + + +def process_logfile(logfile, patterns): + global pushed_back_line + + # Look at which file offset we have finished scanning + # the logfile last time. If we have never seen this file + # before, we set the offset to -1 + offset, prev_inode = status.get(logfile, (-1, -1)) + try: + fl = os.open(logfile, os.O_RDONLY) + inode = os.fstat(fl)[1] # 1 = st_ino + except: + if debug: + raise + print "[[[%s:cannotopen]]]" % logfile + return + + print "[[[%s]]]" % logfile + + # Seek to the current end in order to determine file size + current_end = os.lseek(fl, 0, 2) # os.SEEK_END not available in Python 2.4 + status[logfile] = current_end, inode + + # If we have never seen this file before, we just set the + # current pointer to the file end. We do not want to make + # a fuss about ancient log messages... + if offset == -1: + if not debug: + return + else: + offset = 0 + + + # If the inode of the logfile has changed it has appearently + # been started from new (logfile rotation). At least we must + # assume that. In some rare cases (restore of a backup, etc) + # we are wrong and resend old log messages + if prev_inode >= 0 and inode != prev_inode: + offset = 0 + + # Our previously stored offset is the current end -> + # no new lines in this file + if offset == current_end: + return # nothing new + + # If our offset is beyond the current end, the logfile has been + # truncated or wrapped while keeping the same inode. We assume + # that it contains all new data in that case and restart from + # offset 0. + if offset > current_end: + offset = 0 + + # now seek to offset where interesting data begins + os.lseek(fl, offset, 0) # os.SEEK_SET not available in Python 2.4 + f = os.fdopen(fl) + worst = -1 + outputtxt = "" + lines_parsed = 0 + start_time = time.time() + + while True: + line = next_line(f) + if line == None: + break # End of file + + lines_parsed += 1 + # Check if maximum number of new log messages is exceeded + if opt_maxlines != None and lines_parsed > opt_maxlines: + outputtxt += "%s Maximum number (%d) of new log messages exceeded.\n" % ( + opt_overflow, opt_maxlines) + worst = max(worst, opt_overflow_level) + os.lseek(fl, 0, 2) # Seek to end of file, skip all other messages + break + + # Check if maximum processing time (per file) is exceeded. Check only + # every 100'th line in order to save system calls + if opt_maxtime != None and lines_parsed % 100 == 10 \ + and time.time() - start_time > opt_maxtime: + outputtxt += "%s Maximum parsing time (%.1f sec) of this log file exceeded.\n" % ( + opt_overflow, opt_maxtime) + worst = max(worst, opt_overflow_level) + os.lseek(fl, 0, 2) # Seek to end of file, skip all other messages + break + + level = "." + for lev, pattern, cont_patterns, replacements in patterns: + matches = pattern.search(line[:-1]) + if matches: + level = lev + levelint = {'C': 2, 'W': 1, 'O': 0, 'I': -1, '.': -1}[lev] + worst = max(levelint, worst) + + # Check for continuation lines + for cont_pattern in cont_patterns: + if type(cont_pattern) == int: # add that many lines + for x in range(cont_pattern): + cont_line = next_line(f) + if cont_line == None: # end of file + break + line = line[:-1] + "\1" + cont_line + + else: # pattern is regex + while True: + cont_line = next_line(f) + if cont_line == None: # end of file + break + elif cont_pattern.search(cont_line[:-1]): + line = line[:-1] + "\1" + cont_line + else: + pushed_back_line = cont_line # sorry for stealing this line + break + + # Replacement + for replace in replacements: + line = replace.replace('\\0', line) + "\n" + for nr, group in enumerate(matches.groups()): + line = line.replace('\\%d' % (nr+1), group) + + break # matching rule found and executed + + color = {'C': tty_red, 'W': tty_yellow, 'O': tty_green, 'I': tty_blue, '.': ''}[level] + if debug: + line = line.replace("\1", "\nCONT:") + if level == "I": + level = "." + if opt_nocontext and level == '.': + continue + outputtxt += "%s%s %s%s\n" % (color, level, line[:-1], tty_normal) + + new_offset = os.lseek(fl, 0, 1) # os.SEEK_CUR not available in Python 2.4 + status[logfile] = new_offset, inode + + # output all lines if at least one warning, error or ok has been found + if worst > -1: + sys.stdout.write(outputtxt) + sys.stdout.flush() + +try: + config = read_config() +except Exception, e: + if debug: + raise + print "CANNOT READ CONFIG FILE: %s" % e + sys.exit(1) + +# Simply ignore errors in the status file. In case of a corrupted status file we simply begin +# with an empty status. That keeps the monitoring up and running - even if we might loose a +# message in the extreme case of a corrupted status file. +try: + status = read_status() +except Exception, e: + status = {} + + +# The filename line may contain options like 'maxlines=100' or 'maxtime=10' +for filenames, patterns in config: + # Initialize options with default values + opt_maxlines = None + opt_maxtime = None + opt_regex = None + opt_overflow = 'C' + opt_overflow_level = 2 + opt_nocontext = False + try: + options = [ o.split('=', 1) for o in filenames if '=' in o ] + for key, value in options: + if key == 'maxlines': + opt_maxlines = int(value) + elif key == 'maxtime': + opt_maxtime = float(value) + elif key == 'overflow': + if value not in [ 'C', 'I', 'W', 'O' ]: + raise Exception("Invalid value %s for overflow. Allowed are C, I, O and W" % value) + opt_overflow = value + opt_overflow_level = {'C':2, 'W':1, 'O':0, 'I':0}[value] + elif key == 'regex': + opt_regex = re.compile(value) + elif key == 'iregex': + opt_regex = re.compile(value, re.I) + elif key == 'nocontext': + opt_nocontext = True + else: + raise Exception("Invalid option %s" % key) + except Exception, e: + if debug: + raise + print "INVALID CONFIGURATION: %s" % e + sys.exit(1) + + + for glob in filenames: + if '=' in glob: + continue + logfiles = [ l.strip() for l in os.popen("ls %s 2>/dev/null" % glob).readlines() ] + if opt_regex: + logfiles = [ f for f in logfiles if opt_regex.search(f) ] + if len(logfiles) == 0: + print '[[[%s:missing]]]' % glob + else: + for logfile in logfiles: + process_logfile(logfile, patterns) + +if not debug: + save_status(status) diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index 75188c7b..a29923c1 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -15,4 +15,5 @@ class site_check_mk::agent { } include site_check_mk::agent::mrpe + include site_check_mk::agent::logwatch } diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp new file mode 100644 index 00000000..763b01a7 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp @@ -0,0 +1,11 @@ +class site_check_mk::agent::logwatch { + # Deploy mk_logwatch 1.2.4 so we can split the config + # into multiple config files in /etc/check_mk/logwatch.d + # see https://leap.se/code/issues/5135 + + file { '/usr/lib/check_mk_agent/plugins/mk_logwatch': + source => 'puppet:///modules/site_check_mk/agent/plugins/mk_logwatch.1.2.4', + mode => '0755' + } + +} -- cgit v1.2.3 From 20e1830ab70c2f63d240f909ab5622476b095ec9 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Feb 2014 15:39:51 +0100 Subject: add site_check_mk::agent::tapicero, site_check_mk::agent::couchdb --- .../modules/site_check_mk/files/agent/logwatch/couchdb.cfg | 9 +++++++++ puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 12 +++++------- puppet/modules/site_check_mk/manifests/agent/tapicero.pp | 10 ++++++++++ puppet/modules/site_couchdb/manifests/init.pp | 1 + 4 files changed, 25 insertions(+), 7 deletions(-) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg create mode 100644 puppet/modules/site_check_mk/manifests/agent/tapicero.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg new file mode 100644 index 00000000..0911d09a --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg @@ -0,0 +1,9 @@ +/opt/bigcouch/var/log/bigcouch.log + C Uncaught error in HTTP request: {exit, + C Uncaught error in HTTP request: {exit,normal} + C Uncaught error in HTTP request: {error, + C Response abnormally terminated: {nodedown, + C rexi_DOWN,noproc + C rexi_DOWN,noconnection + C error + W Shutting down group server diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index 5b50e5a9..c954292a 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -1,5 +1,10 @@ class site_check_mk::agent::couchdb { + file { '/etc/check_mk/logwatch.d/couchdb.cfg': + source => 'puppet:///modules/site_check_mk/agent/logwatch/couchdb.cfg', + } + + # local custom checks file { '/usr/lib/check_mk_agent/local/check_bigcouch_errors.sh': ensure => link, @@ -7,11 +12,4 @@ class site_check_mk::agent::couchdb { require => Vcsrepo['/srv/leap/couchdb/scripts'] } - # local nagios plugin checks via mrpe - file_line { - 'Tapicero_Procs': - line => 'Tapicero_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero', - path => '/etc/check_mk/mrpe.cfg'; - } - } diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp new file mode 100644 index 00000000..2379881c --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp @@ -0,0 +1,10 @@ +class site_check_mk::agent::tapicero { + + # local nagios plugin checks via mrpe + file_line { + 'Tapicero_Procs': + line => 'Tapicero_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero', + path => '/etc/check_mk/mrpe.cfg'; + } + +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index a9512577..e4c0211b 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -109,4 +109,5 @@ class site_couchdb { if $couchdb_backup { include site_couchdb::backup } include site_check_mk::agent::couchdb + include site_check_mk::agent::tapicero } -- cgit v1.2.3 From 9d19be450d84e1fd281cbfc0f795ca411a2f5879 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 19 Feb 2014 15:51:09 +0100 Subject: set up logwatch.d directory --- puppet/modules/site_check_mk/manifests/agent/logwatch.pp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp index 763b01a7..67db5a12 100644 --- a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp +++ b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp @@ -8,4 +8,8 @@ class site_check_mk::agent::logwatch { mode => '0755' } + file { '/etc/check_mk/logwatch.d': + ensure => directory + } + } -- cgit v1.2.3 From 867fce7a855ceef8891b5f9bea1f71c6663cd403 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Feb 2014 00:05:17 +0100 Subject: include site_check_mk::agent::soledad from soledad::server and not from soledad class (Feature #5149) cause leap_mk includes the soledad class --- puppet/modules/soledad/manifests/init.pp | 3 --- puppet/modules/soledad/manifests/server.pp | 1 + 2 files changed, 1 insertion(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp index 35adc28e..7cf0b729 100644 --- a/puppet/modules/soledad/manifests/init.pp +++ b/puppet/modules/soledad/manifests/init.pp @@ -26,7 +26,4 @@ class soledad { group => 'soledad', require => User['soledad']; } - - include site_check_mk::agent::soledad - } diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 572cad44..1137080f 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -59,4 +59,5 @@ class soledad::server { } include site_shorewall::soledad + include site_check_mk::agent::soledad } -- cgit v1.2.3 From 6bb879a46c754958d07b530cf62d69a01537ccba Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Feb 2014 00:31:39 +0100 Subject: added tapicero logwatch check --- puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg | 5 +++++ puppet/modules/site_check_mk/manifests/agent/tapicero.pp | 4 ++++ 2 files changed, 9 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg new file mode 100644 index 00000000..9402de9b --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg @@ -0,0 +1,5 @@ +/var/log/syslog + C tapicero.*RestClient::InternalServerError: + C tapicero.*RestClient::PreconditionFailed: + C tapicero.*failed + W tapicero.*Couch stream ended unexpectedly. diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp index 2379881c..088900f4 100644 --- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp +++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp @@ -1,5 +1,9 @@ class site_check_mk::agent::tapicero { + file { '/etc/check_mk/logwatch.d/tapicero.cfg': + source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg', + } + # local nagios plugin checks via mrpe file_line { 'Tapicero_Procs': -- cgit v1.2.3 From c0d0a5a0af891c360dded0c508591cf50899bc66 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 20 Feb 2014 17:07:48 +0100 Subject: now using concanated check_mk logwatch files where needed (#5155) --- .../files/agent/logwatch/logwatch.cfg | 31 ++++++++++++++++++++++ .../site_check_mk/files/agent/logwatch/syslog.cfg | 5 ++++ .../files/agent/logwatch/tapicero.cfg | 1 - .../site_check_mk/manifests/agent/logwatch.pp | 21 ++++++++++++++- .../manifests/agent/logwatch/syslog.pp | 13 +++++++++ .../site_check_mk/manifests/agent/tapicero.pp | 6 +++-- 6 files changed, 73 insertions(+), 4 deletions(-) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg create mode 100644 puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg new file mode 100644 index 00000000..c4acae40 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg @@ -0,0 +1,31 @@ +# This file is managed by Puppet. DO NOT EDIT. + +# logwatch.cfg +# This file configures mk_logwatch. Define your logfiles +# and patterns to be looked for here. + +# Name one or more logfiles +/var/log/messages +# Patterns are indented with one space are prefixed with: +# C: Critical messages +# W: Warning messages +# I: ignore these lines (OK) +# The first match decided. Lines that do not match any pattern +# are ignored + C Fail event detected on md device + I mdadm.*: Rebuild.*event detected + W mdadm\[ + W ata.*hard resetting link + W ata.*soft reset failed (.*FIS failed) + W device-mapper: thin:.*reached low water mark + C device-mapper: thin:.*no free space + +/var/log/auth.log + W sshd.*Corrupted MAC on input + +/var/log/kern.log + C panic + C Oops + W generic protection rip + W .*Unrecovered read error - auto reallocate failed + diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg new file mode 100644 index 00000000..3703b5e1 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg @@ -0,0 +1,5 @@ +/var/log/syslog + C panic + C Oops + W generic protection rip + W .*Unrecovered read error - auto reallocate failed diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg index 9402de9b..4e3808eb 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg @@ -1,4 +1,3 @@ -/var/log/syslog C tapicero.*RestClient::InternalServerError: C tapicero.*RestClient::PreconditionFailed: C tapicero.*failed diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp index 67db5a12..38514af2 100644 --- a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp +++ b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp @@ -8,8 +8,27 @@ class site_check_mk::agent::logwatch { mode => '0755' } + # only config files that watch a distinct logfile should go in logwatch.d/ file { '/etc/check_mk/logwatch.d': - ensure => directory + ensure => directory, + recurse => true, + purge => true, } + # service that share a common logfile (i.e. /var/log/syslog) need to get + # concanated in one file, otherwise the last file sourced will override + # the config before + # see mk_logwatch: "logwatch.cfg overwrites config files in logwatch.d", + # https://leap.se/code/issues/5155 + + # first, we need to deploy a custom logwatch.cfg that doesn't include + # a section about /var/log/syslog + + file { '/etc/check_mk/logwatch.cfg': + source => 'puppet:///modules/site_check_mk/agent/logwatch/logwatch.cfg', + require => Package['check_mk-agent-logwatch'] + } + + include concat::setup + include site_check_mk::agent::logwatch::syslog } diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp new file mode 100644 index 00000000..ac3dda64 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp @@ -0,0 +1,13 @@ +class site_check_mk::agent::logwatch::syslog { + + concat { '/etc/check_mk/logwatch.d/syslog.cfg': + warn => true + } + + concat::fragment { 'syslog_header': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '01'; + } + +} diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp index 088900f4..dc785e52 100644 --- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp +++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp @@ -1,7 +1,9 @@ class site_check_mk::agent::tapicero { - file { '/etc/check_mk/logwatch.d/tapicero.cfg': - source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg', + concat::fragment { 'syslog_tapicero': + source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '02'; } # local nagios plugin checks via mrpe -- cgit v1.2.3 From 2c2091cbfbe7a65234e985b3d004b4c3ec73c560 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 15:00:17 +0100 Subject: create 'messages' db to store messages to the clients such as payment reminders reviewed by azul --- puppet/modules/site_couchdb/manifests/create_dbs.pp | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index b0ebca4d..41500d3a 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -59,4 +59,12 @@ class site_couchdb::create_dbs { members => "{ \"names\": [], \"roles\": [\"users\"] }", require => Couchdb::Query::Setup['localhost'] } + + ## messages db + ## store messages to the clients such as payment reminders + ## r/w: webapp + couchdb::create_db { 'messages': + members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [] }", + require => Couchdb::Query::Setup['localhost'] + } } -- cgit v1.2.3 From face1d929175b94e26ca11858e3b055873fdde92 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 26 Feb 2014 14:55:47 +0100 Subject: update design docs, include messages (#5188) --- .../site_couchdb/files/designs/messages/Message.json | 18 ++++++++++++++++++ .../modules/site_couchdb/files/designs/users/User.json | 6 +++++- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_couchdb/files/designs/messages/Message.json (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/designs/messages/Message.json b/puppet/modules/site_couchdb/files/designs/messages/Message.json new file mode 100644 index 00000000..7bcd74c7 --- /dev/null +++ b/puppet/modules/site_couchdb/files/designs/messages/Message.json @@ -0,0 +1,18 @@ +{ + "_id": "_design/Message", + "language": "javascript", + "views": { + "by_user_ids_to_show_and_created_at": { + "map": "// not using at moment\n// call with something like Message.by_user_ids_to_show_and_created_at.startkey([user_id, start_date]).endkey([user_id,end_date])\nfunction (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit([userId, doc.created_at], 1);\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "by_user_ids_to_show": { + "map": "function (doc) {\n if (doc.type === 'Message' && doc.user_ids_to_show && Array.isArray(doc.user_ids_to_show)) {\n doc.user_ids_to_show.forEach(function (userId) {\n emit(userId, 1);\n });\n }\n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, + "all": { + "map": " function(doc) {\n if (doc['type'] == 'Message') {\n emit(doc._id, null);\n }\n }\n" + } + }, + "couchrest-hash": "0967e7cc5bb1e61edc1c085f6f0cecbf" +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/users/User.json b/puppet/modules/site_couchdb/files/designs/users/User.json index c99666cb..4089ad97 100644 --- a/puppet/modules/site_couchdb/files/designs/users/User.json +++ b/puppet/modules/site_couchdb/files/designs/users/User.json @@ -9,10 +9,14 @@ "all": { "map": " function(doc) {\n if (doc['type'] == 'User') {\n emit(doc._id, null);\n }\n }\n" }, + "by_created_at_and_one_month_warning_not_sent": { + "map": "function (doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null) && (doc['one_month_warning_sent'] == null)) {\n emit(doc['created_at'], 1);\n } \n}\n", + "reduce": "function(key, values, rereduce) { return sum(values); }" + }, "by_created_at": { "map": " function(doc) {\n if ((doc['type'] == 'User') && (doc['created_at'] != null)) {\n emit(doc['created_at'], 1);\n }\n }\n", "reduce": "_sum" } }, - "couchrest-hash": "3bdbcd85b928ad911e0c89a8924e015c" + "couchrest-hash": "61840ab3ec0f94ef8bbd6dd208db3b70" } \ No newline at end of file -- cgit v1.2.3 From 2b875d23a3d2a53c9276dfee1a71085967dec4c0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 24 Feb 2014 13:45:50 +0100 Subject: One monitor node for non-local environments and one for local environment (Feature #2981), wip also, use the configured ssh port for every node --- puppet/modules/site_check_mk/manifests/server.pp | 5 +++-- puppet/modules/site_check_mk/templates/use_ssh.mk | 5 +++-- puppet/modules/site_nagios/manifests/add_host_services.pp | 2 ++ puppet/modules/site_nagios/manifests/server.pp | 4 ++-- 4 files changed, 10 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index e77862e5..4bbeb850 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -4,10 +4,11 @@ class site_check_mk::server { $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] $type = $ssh_hash['authorized_keys']['monitor']['type'] $seckey = $ssh_hash['monitor']['private_key'] - $ssh_port = $ssh_hash['port'] $nagios_hiera = hiera_hash('nagios') - $hosts = $nagios_hiera['hosts'] + $nagios_hosts = $nagios_hiera['hosts'] + + $hosts = hiera_hash('hosts') $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') package { 'check-mk-server': diff --git a/puppet/modules/site_check_mk/templates/use_ssh.mk b/puppet/modules/site_check_mk/templates/use_ssh.mk index 4c5523db..0bebebcf 100644 --- a/puppet/modules/site_check_mk/templates/use_ssh.mk +++ b/puppet/modules/site_check_mk/templates/use_ssh.mk @@ -1,5 +1,6 @@ # http://mathias-kettner.de/checkmk_datasource_programs.html datasource_programs = [ - ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa -p <%= @ssh_port %> check_mk_agent", ALL_HOSTS ), -] +<% nagios_hosts.sort.each do |name,config| %> + ( "ssh -l root -i /etc/check_mk/.ssh/id_rsa -p <%=config['ssh_port']%> <%=config['domain_internal']%> check_mk_agent", [ "<%=config['domain_internal']%>" ], ),<%- end -%> +] diff --git a/puppet/modules/site_nagios/manifests/add_host_services.pp b/puppet/modules/site_nagios/manifests/add_host_services.pp index 2d615ff1..279809d1 100644 --- a/puppet/modules/site_nagios/manifests/add_host_services.pp +++ b/puppet/modules/site_nagios/manifests/add_host_services.pp @@ -1,7 +1,9 @@ define site_nagios::add_host_services ( + $domain_full_suffix, $domain_internal, $ip_address, $services, + $ssh_port, $openvpn_gateway_address='' ) { $nagios_hostname = $domain_internal diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index ca38d7fc..9aae8ae8 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -7,7 +7,7 @@ class site_nagios::server inherits nagios::base { $nagios_hiera = hiera('nagios') $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) - $hosts = $nagios_hiera['hosts'] + $nagios_hosts = $nagios_hiera['hosts'] include nagios::defaults include nagios::base @@ -43,7 +43,7 @@ class site_nagios::server inherits nagios::base { group => 'nagios', } - create_resources ( site_nagios::add_host_services, $hosts ) + create_resources ( site_nagios::add_host_services, $nagios_hosts ) include site_nagios::server::apache include site_check_mk::server -- cgit v1.2.3 From 5372bba5dd503cb4fe9620bc342992c94863c8e6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 12:35:51 +0100 Subject: monitor connection attempts from disallowed bigcouch node --- puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg index 0911d09a..ee64b3c0 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg @@ -6,4 +6,5 @@ C rexi_DOWN,noproc C rexi_DOWN,noconnection C error + C Connection attempt from disallowed node W Shutting down group server -- cgit v1.2.3 From a81ce0750dbd5b000739e28279639e382ce347a2 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 12:36:36 +0100 Subject: don't use syslog for nagios log, cause it will clutter logwatch with false-positive warnings --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 61d9f2da..9bd3da28 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -251,7 +251,7 @@ log_archive_path=/var/log/nagios3/archives # If you want messages logged to the syslog facility, as well as the # Nagios log file set this option to 1. If not, set it to 0. -use_syslog=1 +use_syslog=0 -- cgit v1.2.3 From 59b09ce45333778619baca2bd4e34e5beba63584 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 13:55:15 +0100 Subject: we use logwatch now to check for bigcouch errors --- puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 9 --------- 1 file changed, 9 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index c954292a..cc166d42 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -3,13 +3,4 @@ class site_check_mk::agent::couchdb { file { '/etc/check_mk/logwatch.d/couchdb.cfg': source => 'puppet:///modules/site_check_mk/agent/logwatch/couchdb.cfg', } - - - # local custom checks - file { '/usr/lib/check_mk_agent/local/check_bigcouch_errors.sh': - ensure => link, - target => '/srv/leap/couchdb/scripts/tests/check_bigcouch_errors.sh', - require => Vcsrepo['/srv/leap/couchdb/scripts'] - } - } -- cgit v1.2.3 From 299c059c239936901c4b234f78e89d99ce94e19c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 13:58:52 +0100 Subject: renamed logwatch/couchdb.cfg to logwatch/bigcouch.cfg --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 10 ++++++++++ puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg | 10 ---------- puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 5 +++-- 3 files changed, 13 insertions(+), 12 deletions(-) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg delete mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg new file mode 100644 index 00000000..ee64b3c0 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -0,0 +1,10 @@ +/opt/bigcouch/var/log/bigcouch.log + C Uncaught error in HTTP request: {exit, + C Uncaught error in HTTP request: {exit,normal} + C Uncaught error in HTTP request: {error, + C Response abnormally terminated: {nodedown, + C rexi_DOWN,noproc + C rexi_DOWN,noconnection + C error + C Connection attempt from disallowed node + W Shutting down group server diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg deleted file mode 100644 index ee64b3c0..00000000 --- a/puppet/modules/site_check_mk/files/agent/logwatch/couchdb.cfg +++ /dev/null @@ -1,10 +0,0 @@ -/opt/bigcouch/var/log/bigcouch.log - C Uncaught error in HTTP request: {exit, - C Uncaught error in HTTP request: {exit,normal} - C Uncaught error in HTTP request: {error, - C Response abnormally terminated: {nodedown, - C rexi_DOWN,noproc - C rexi_DOWN,noconnection - C error - C Connection attempt from disallowed node - W Shutting down group server diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index cc166d42..f2d286ca 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -1,6 +1,7 @@ class site_check_mk::agent::couchdb { - file { '/etc/check_mk/logwatch.d/couchdb.cfg': - source => 'puppet:///modules/site_check_mk/agent/logwatch/couchdb.cfg', + file { '/etc/check_mk/logwatch.d/bigcouch.cfg': + source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg', } + } -- cgit v1.2.3 From 3df2e8761ce6c54f6914d24e7acd24634d43c44d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 14:00:47 +0100 Subject: added some error checking to logwatch/syslog.cfg --- puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg index 3703b5e1..52c479ef 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg @@ -1,5 +1,8 @@ /var/log/syslog C panic C Oops + I Error: Driver 'pcspkr' is already registered, aborting... + C Error + C error W generic protection rip W .*Unrecovered read error - auto reallocate failed -- cgit v1.2.3 From ee83c7227f64bab9a36ecbfd86049bc3153b3760 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 14:03:28 +0100 Subject: moved logwatch/tapicero.cfg to logwatch/syslog/tapicero.cfg --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 4 ++++ puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg | 4 ---- puppet/modules/site_check_mk/manifests/agent/tapicero.pp | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg delete mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg new file mode 100644 index 00000000..4e3808eb --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg @@ -0,0 +1,4 @@ + C tapicero.*RestClient::InternalServerError: + C tapicero.*RestClient::PreconditionFailed: + C tapicero.*failed + W tapicero.*Couch stream ended unexpectedly. diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg deleted file mode 100644 index 4e3808eb..00000000 --- a/puppet/modules/site_check_mk/files/agent/logwatch/tapicero.cfg +++ /dev/null @@ -1,4 +0,0 @@ - C tapicero.*RestClient::InternalServerError: - C tapicero.*RestClient::PreconditionFailed: - C tapicero.*failed - W tapicero.*Couch stream ended unexpectedly. diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp index dc785e52..369ed00b 100644 --- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp +++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp @@ -1,7 +1,7 @@ class site_check_mk::agent::tapicero { concat::fragment { 'syslog_tapicero': - source => 'puppet:///modules/site_check_mk/agent/logwatch/tapicero.cfg', + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/tapicero.cfg', target => '/etc/check_mk/logwatch.d/syslog.cfg', order => '02'; } -- cgit v1.2.3 From 91365fb3b9b455253484fca6ffbc3dac8361e5b9 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 15:11:56 +0100 Subject: check syslog for /usr/local/bin/couch-doc-update failures --- .../modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg | 2 ++ puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 6 ++++++ 2 files changed, 8 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg new file mode 100644 index 00000000..5f8d5b95 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg @@ -0,0 +1,2 @@ + C /usr/local/bin/couch-doc-update.*failed + C /usr/local/bin/couch-doc-update.*ERROR diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index f2d286ca..9456efcc 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -4,4 +4,10 @@ class site_check_mk::agent::couchdb { source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg', } + concat::fragment { 'syslog_couchdb': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/couchdb.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '02'; + } + } -- cgit v1.2.3 From 42512cc9428afcd7d949e373e75da4f0d9fc8086 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 16:02:53 +0100 Subject: check syslog for stunnel failures --- .../site_check_mk/files/agent/logwatch/syslog/stunnel.cfg | 3 +++ puppet/modules/site_check_mk/manifests/agent/stunnel.pp | 9 +++++++++ puppet/modules/site_stunnel/manifests/clients.pp | 2 ++ 3 files changed, 14 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg create mode 100644 puppet/modules/site_check_mk/manifests/agent/stunnel.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg new file mode 100644 index 00000000..31c229b7 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg @@ -0,0 +1,3 @@ +# check for stunnel failures + C stunnel:.*Connection refused + C stunnel:.*Connection reset by peer diff --git a/puppet/modules/site_check_mk/manifests/agent/stunnel.pp b/puppet/modules/site_check_mk/manifests/agent/stunnel.pp new file mode 100644 index 00000000..64022824 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/stunnel.pp @@ -0,0 +1,9 @@ +class site_check_mk::agent::stunnel { + + concat::fragment { 'syslog_stunnel': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/stunnel.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '02'; + } + +} diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index 791fdbc5..837665a3 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -28,4 +28,6 @@ define site_stunnel::clients ( Class['Site_config::X509::Ca'] ]; } + + include site_check_mk::agent::stunnel } -- cgit v1.2.3 From 40b13221967368060773af008f791ca7a053d18d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 16:27:57 +0100 Subject: set /usr/lib/nagios/plugins/check_icmp to setuid root (Feature #5171) --- puppet/modules/site_check_mk/manifests/server.pp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 4bbeb850..0c98cd5a 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -44,6 +44,13 @@ class site_check_mk::server { content => "${type} ${pubkey} monitor", owner => 'nagios', mode => '0644'; + # check_icmp must be suid root or called by sudo + # see https://leap.se/code/issues/5171 + '/usr/lib/nagios/plugins/check_icmp': + mode => '4755', + require => Package['nagios-plugins-basic']; } + + include check_mk::agent::local_checks } -- cgit v1.2.3 From 0a6fbced6f2177464c000fc79a90c03171a3bcf6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 16:45:33 +0100 Subject: complete nagios monitoring for couchdb (Feature #2175) --- puppet/modules/site_check_mk/manifests/agent/couchdb.pp | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index 9456efcc..97e4a777 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -1,13 +1,25 @@ class site_check_mk::agent::couchdb { + # watch logs file { '/etc/check_mk/logwatch.d/bigcouch.cfg': source => 'puppet:///modules/site_check_mk/agent/logwatch/bigcouch.cfg', } - concat::fragment { 'syslog_couchdb': source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/couchdb.cfg', target => '/etc/check_mk/logwatch.d/syslog.cfg', order => '02'; } + + # check bigcouch processes + file_line { + 'Bigcouch_epmd_procs': + line => 'Bigcouch_epmd_procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/epmd', + path => '/etc/check_mk/mrpe.cfg'; + 'Bigcouch_beam_procs': + line => 'Bigcouch_beam_procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a /opt/bigcouch/erts-5.9.1/bin/beam', + path => '/etc/check_mk/mrpe.cfg'; + } + + } -- cgit v1.2.3 From 5cc2e0d7a10c088d024bf0e5e4538b31a7d2844c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 17:19:36 +0100 Subject: nagios monitoring of haproxy nodes (Feature #2657) --- puppet/modules/site_check_mk/manifests/agent/haproxy.pp | 12 ++++++++++++ .../manifests/agent/package/nagios_plugins_contrib.pp | 5 +++++ puppet/modules/site_haproxy/files/haproxy-stats.cfg | 6 ++++++ puppet/modules/site_haproxy/manifests/init.pp | 7 +++++++ 4 files changed, 30 insertions(+) create mode 100644 puppet/modules/site_check_mk/manifests/agent/haproxy.pp create mode 100644 puppet/modules/site_check_mk/manifests/agent/package/nagios_plugins_contrib.pp create mode 100644 puppet/modules/site_haproxy/files/haproxy-stats.cfg (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent/haproxy.pp b/puppet/modules/site_check_mk/manifests/agent/haproxy.pp new file mode 100644 index 00000000..e7986db1 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/haproxy.pp @@ -0,0 +1,12 @@ +class site_check_mk::agent::haproxy { + + include site_check_mk::agent::package::nagios_plugins_contrib + + # local nagios plugin checks via mrpe + file_line { + 'haproxy': + line => 'Haproxy /usr/lib/nagios/plugins/check_haproxy -u "http://localhost:8000/haproxy;csv"', + path => '/etc/check_mk/mrpe.cfg'; + } + +} diff --git a/puppet/modules/site_check_mk/manifests/agent/package/nagios_plugins_contrib.pp b/puppet/modules/site_check_mk/manifests/agent/package/nagios_plugins_contrib.pp new file mode 100644 index 00000000..95a60d17 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/package/nagios_plugins_contrib.pp @@ -0,0 +1,5 @@ +class site_check_mk::agent::package::nagios_plugins_contrib { + package { 'nagios-plugins-contrib': + ensure => installed, + } +} diff --git a/puppet/modules/site_haproxy/files/haproxy-stats.cfg b/puppet/modules/site_haproxy/files/haproxy-stats.cfg new file mode 100644 index 00000000..e6335ba2 --- /dev/null +++ b/puppet/modules/site_haproxy/files/haproxy-stats.cfg @@ -0,0 +1,6 @@ +# provide access to stats for the nagios plugin +listen stats 127.0.0.1:8000 + mode http + stats enable + stats uri /haproxy + diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index 602e26be..1a681373 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -22,4 +22,11 @@ class site_haproxy { } } + # monitor haproxy + concat::fragment { 'stats': + target => '/etc/haproxy/haproxy.cfg', + order => '90', + source => 'puppet:///modules/site_haproxy/haproxy-stats.cfg'; + } + include site_check_mk::agent::haproxy } -- cgit v1.2.3 From 835d1f9699507e9e40cae32ffc90940e26bed3ee Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Feb 2014 17:58:48 +0100 Subject: nagios: check open files for bigcouch process (Feature #4965) --- .../agent/nagios_plugins/check_unix_open_fds.pl | 322 +++++++++++++++++++++ puppet/modules/site_check_mk/manifests/agent.pp | 4 + .../site_check_mk/manifests/agent/couchdb.pp | 11 + .../manifests/agent/package/perl_plugin.pp | 5 + 4 files changed, 342 insertions(+) create mode 100755 puppet/modules/site_check_mk/files/agent/nagios_plugins/check_unix_open_fds.pl create mode 100644 puppet/modules/site_check_mk/manifests/agent/package/perl_plugin.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/nagios_plugins/check_unix_open_fds.pl b/puppet/modules/site_check_mk/files/agent/nagios_plugins/check_unix_open_fds.pl new file mode 100755 index 00000000..06163d49 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/nagios_plugins/check_unix_open_fds.pl @@ -0,0 +1,322 @@ +#!/usr/bin/perl -w + +# check_unix_open_fds Nagios Plugin +# +# TComm - Carlos Peris Pla +# +# This nagios plugin is free software, and comes with ABSOLUTELY +# NO WARRANTY. It may be used, redistributed and/or modified under +# the terms of the GNU General Public Licence (see +# http://www.fsf.org/licensing/licenses/gpl.txt). + + +# MODULE DECLARATION + +use strict; +use Nagios::Plugin; + + +# FUNCTION DECLARATION + +sub CreateNagiosManager (); +sub CheckArguments (); +sub PerformCheck (); + + +# CONSTANT DEFINITION + +use constant NAME => 'check_unix_open_fds'; +use constant VERSION => '0.1b'; +use constant USAGE => "Usage:\ncheck_unix_open_fds -w -c \n". + "\t\t[-V ]\n"; +use constant BLURB => "This plugin checks, in UNIX systems with the command lsof installed and with its SUID bit activated, the number\n". + "of file descriptors opened by an application and its processes.\n"; +use constant LICENSE => "This nagios plugin is free software, and comes with ABSOLUTELY\n". + "no WARRANTY. It may be used, redistributed and/or modified under\n". + "the terms of the GNU General Public Licence\n". + "(see http://www.fsf.org/licensing/licenses/gpl.txt).\n"; +use constant EXAMPLE => "\n\n". + "Example:\n". + "\n". + "check_unix_open_fds -a /usr/local/nagios/bin/ndo2db -w 20,75 -c 25,85\n". + "\n". + "It returns CRITICAL if number of file descriptors opened by ndo2db is higher than 85,\n". + "if not it returns WARNING if number of file descriptors opened by ndo2db is higher \n". + "than 75, if not it returns CRITICAL if number of file descriptors opened by any process\n". + "of ndo2db is higher than 25, if not it returns WARNING if number of file descriptors \n". + "opened by any process of ndo2db is higher than 20.\n". + "In other cases it returns OK if check has been performed succesfully.\n\n"; + + +# VARIABLE DEFINITION + +my $Nagios; +my $Error; +my $PluginResult; +my $PluginOutput; +my @WVRange; +my @CVRange; + + +# MAIN FUNCTION + +# Get command line arguments +$Nagios = &CreateNagiosManager(USAGE, VERSION, BLURB, LICENSE, NAME, EXAMPLE); +eval {$Nagios->getopts}; + +if (!$@) { + # Command line parsed + if (&CheckArguments($Nagios, \$Error, \@WVRange, \@CVRange)) { + # Argument checking passed + $PluginResult = &PerformCheck($Nagios, \$PluginOutput, \@WVRange, \@CVRange) + } + else { + # Error checking arguments + $PluginOutput = $Error; + $PluginResult = UNKNOWN; + } + $Nagios->nagios_exit($PluginResult,$PluginOutput); +} +else { + # Error parsing command line + $Nagios->nagios_exit(UNKNOWN,$@); +} + + + +# FUNCTION DEFINITIONS + +# Creates and configures a Nagios plugin object +# Input: strings (usage, version, blurb, license, name and example) to configure argument parsing functionality +# Return value: reference to a Nagios plugin object + +sub CreateNagiosManager() { + # Create GetOpt object + my $Nagios = Nagios::Plugin->new(usage => $_[0], version => $_[1], blurb => $_[2], license => $_[3], plugin => $_[4], extra => $_[5]); + + # Add argument units + $Nagios->add_arg(spec => 'application|a=s', + help => 'Application path for which you want to check the number of open file descriptors', + required => 1); + + # Add argument warning + $Nagios->add_arg(spec => 'warning|w=s', + help => "Warning thresholds. Format: ", + required => 1); + # Add argument critical + $Nagios->add_arg(spec => 'critical|c=s', + help => "Critical thresholds. Format: ", + required => 1); + + # Return value + return $Nagios; +} + + +# Checks argument values and sets some default values +# Input: Nagios Plugin object +# Output: reference to Error description string, Memory Unit, Swap Unit, reference to WVRange ($_[4]), reference to CVRange ($_[5]) +# Return value: True if arguments ok, false if not + +sub CheckArguments() { + my ($Nagios, $Error, $WVRange, $CVRange) = @_; + my $commas; + my $units; + my $i; + my $firstpos; + my $secondpos; + + # Check Warning thresholds list + $commas = $Nagios->opts->warning =~ tr/,//; + if ($commas !=1){ + ${$Error} = "Invalid Warning list format. One comma is expected."; + return 0; + } + else{ + $i=0; + $firstpos=0; + my $warning=$Nagios->opts->warning; + while ($warning =~ /[,]/g) { + $secondpos=pos $warning; + if ($secondpos - $firstpos==1){ + @{$WVRange}[$i] = "~:"; + } + else{ + @{$WVRange}[$i] = substr $Nagios->opts->warning, $firstpos, ($secondpos-$firstpos-1); + } + $firstpos=$secondpos; + $i++ + } + if (length($Nagios->opts->warning) - $firstpos==0){#La coma es el ultimo elemento del string + @{$WVRange}[$i] = "~:"; + } + else{ + @{$WVRange}[$i] = substr $Nagios->opts->warning, $firstpos, (length($Nagios->opts->warning)-$firstpos); + } + + if (@{$WVRange}[0] !~/^(@?(\d+|(\d+|~):(\d+)?))?$/){ + ${$Error} = "Invalid Process Warning threshold in ${$WVRange[0]}"; + return 0; + }if (@{$WVRange}[1] !~/^(@?(\d+|(\d+|~):(\d+)?))?$/){ + ${$Error} = "Invalid Application Warning threshold in ${$WVRange[1]}"; + return 0; + } + } + + # Check Critical thresholds list + $commas = $Nagios->opts->critical =~ tr/,//; + if ($commas !=1){ + ${$Error} = "Invalid Critical list format. One comma is expected."; + return 0; + } + else{ + $i=0; + $firstpos=0; + my $critical=$Nagios->opts->critical; + while ($critical =~ /[,]/g) { + $secondpos=pos $critical ; + if ($secondpos - $firstpos==1){ + @{$CVRange}[$i] = "~:"; + } + else{ + @{$CVRange}[$i] =substr $Nagios->opts->critical, $firstpos, ($secondpos-$firstpos-1); + } + $firstpos=$secondpos; + $i++ + } + if (length($Nagios->opts->critical) - $firstpos==0){#La coma es el ultimo elemento del string + @{$CVRange}[$i] = "~:"; + } + else{ + @{$CVRange}[$i] = substr $Nagios->opts->critical, $firstpos, (length($Nagios->opts->critical)-$firstpos); + } + + if (@{$CVRange}[0] !~/^(@?(\d+|(\d+|~):(\d+)?))?$/) { + ${$Error} = "Invalid Process Critical threshold in @{$CVRange}[0]"; + return 0; + } + if (@{$CVRange}[1] !~/^(@?(\d+|(\d+|~):(\d+)?))?$/) { + ${$Error} = "Invalid Application Critical threshold in @{$CVRange}[1]"; + return 0; + } + } + + return 1; +} + + +# Performs whole check: +# Input: Nagios Plugin object, reference to Plugin output string, Application, referece to WVRange, reference to CVRange +# Output: Plugin output string +# Return value: Plugin return value + +sub PerformCheck() { + my ($Nagios, $PluginOutput, $WVRange, $CVRange) = @_; + my $Application; + my @AppNameSplitted; + my $ApplicationName; + my $PsCommand; + my $PsResult; + my @PsResultLines; + my $ProcLine; + my $ProcPid; + my $LsofCommand; + my $LsofResult; + my $ProcCount = 0; + my $FDCount = 0; + my $ProcFDAvg = 0; + my $PerProcMaxFD = 0; + my $ProcOKFlag = 0; + my $ProcWarningFlag = 0; + my $ProcCriticalFlag = 0; + my $OKFlag = 0; + my $WarningFlag = 0; + my $CriticalFlag = 0; + my $LastWarningProcFDs = 0; + my $LastWarningProc = -1; + my $LastCriticalProcFDs = 0; + my $LastCriticalProc = -1; + my $ProcPluginReturnValue = UNKNOWN; + my $AppPluginReturnValue = UNKNOWN; + my $PluginReturnValue = UNKNOWN; + my $PerformanceData = ""; + my $PerfdataUnit = "FDs"; + + $Application = $Nagios->opts->application; + $PsCommand = "ps -eaf | grep $Application"; + $PsResult = `$PsCommand`; + @AppNameSplitted = split(/\//, $Application); + $ApplicationName = $AppNameSplitted[$#AppNameSplitted]; + @PsResultLines = split(/\n/, $PsResult); + if ( $#PsResultLines > 1 ) { + foreach my $Proc (split(/\n/, $PsResult)) { + if ($Proc !~ /check_unix_open_fds/ && $Proc !~ / grep /) { + $ProcCount += 1; + $ProcPid = (split(/\s+/, $Proc))[1]; + $LsofCommand = "lsof -p $ProcPid | wc -l"; + $LsofResult = `$LsofCommand`; + $LsofResult = ($LsofResult > 0 ) ? ($LsofResult - 1) : 0; + $FDCount += $LsofResult; + if ($LsofResult >= $PerProcMaxFD) { $PerProcMaxFD = $LsofResult; } + $ProcPluginReturnValue = $Nagios->check_threshold(check => $LsofResult,warning => @{$WVRange}[0],critical => @{$CVRange}[0]); + if ($ProcPluginReturnValue eq OK) { + $ProcOKFlag = 1; + } + elsif ($ProcPluginReturnValue eq WARNING) { + $ProcWarningFlag = 1; + if ($LsofResult >= $LastWarningProcFDs) { + $LastWarningProcFDs = $LsofResult; + $LastWarningProc = $ProcPid; + } + } + #if ($LsofResult >= $PCT) { + elsif ($ProcPluginReturnValue eq CRITICAL) { + $ProcCriticalFlag = 1; + if ($LsofResult >= $LastCriticalProcFDs) { + $LastCriticalProcFDs = $LsofResult; + $LastCriticalProc = $ProcPid; + } + } + } + } + if ($ProcCount) { $ProcFDAvg = int($FDCount / $ProcCount); } + $AppPluginReturnValue = $Nagios->check_threshold(check => $FDCount,warning => @{$WVRange}[1],critical => @{$CVRange}[1]); + #if ($FDCount >= $TWT) { + if ($AppPluginReturnValue eq OK) { $OKFlag = 1; } + elsif ($AppPluginReturnValue eq WARNING) { $WarningFlag = 1; } + elsif ($AppPluginReturnValue eq CRITICAL) { $CriticalFlag = 1; } + + # PluginReturnValue and PluginOutput + if ($CriticalFlag) { + $PluginReturnValue = CRITICAL; + ${$PluginOutput} .= "$ApplicationName handling $FDCount files (critical threshold set to @{$CVRange}[1])"; + } + elsif ($WarningFlag) { + $PluginReturnValue = WARNING; + ${$PluginOutput} .= "$ApplicationName handling $FDCount files (warning threshold set to @{$WVRange}[1])"; + } + elsif ($ProcCriticalFlag) { + $PluginReturnValue = CRITICAL; + ${$PluginOutput} .= "Process ID $LastCriticalProc handling $LastCriticalProcFDs files (critical threshold set to @{$CVRange}[0])"; + } + elsif ($ProcWarningFlag) { + $PluginReturnValue = WARNING; + ${$PluginOutput} .= "Process ID $LastWarningProc handling $LastWarningProcFDs files (warning threshold set to @{$WVRange}[0])"; + } + elsif ($OKFlag && $ProcOKFlag) { + $PluginReturnValue = OK; + ${$PluginOutput} .= "$ApplicationName handling $FDCount files"; + } + } + else { + ${$PluginOutput} .= "No existe la aplicacion $ApplicationName"; + } + + + $PerformanceData .= "ProcCount=$ProcCount$PerfdataUnit FDCount=$FDCount$PerfdataUnit ProcFDAvg=$ProcFDAvg$PerfdataUnit PerProcMaxFD=$PerProcMaxFD$PerfdataUnit"; + + # Output with performance data: + ${$PluginOutput} .= " | $PerformanceData"; + + return $PluginReturnValue; +} diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index a29923c1..efb05b37 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -14,6 +14,10 @@ class site_check_mk::agent { register_agent => false } + file { [ '/srv/leap/nagios', '/srv/leap/nagios/plugins' ]: + ensure => directory, + } + include site_check_mk::agent::mrpe include site_check_mk::agent::logwatch } diff --git a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp index 97e4a777..01e2b886 100644 --- a/puppet/modules/site_check_mk/manifests/agent/couchdb.pp +++ b/puppet/modules/site_check_mk/manifests/agent/couchdb.pp @@ -21,5 +21,16 @@ class site_check_mk::agent::couchdb { path => '/etc/check_mk/mrpe.cfg'; } + # check open files for bigcouch proc + include site_check_mk::agent::package::perl_plugin + file { '/srv/leap/nagios/plugins/check_unix_open_fds.pl': + source => 'puppet:///modules/site_check_mk/agent/nagios_plugins/check_unix_open_fds.pl', + mode => '0755' + } + file_line { + 'Bigcouch_open_files': + line => 'Bigcouch_open_files /srv/leap/nagios/plugins/check_unix_open_fds.pl -a beam -w 750,750 -c 1000,1000', + path => '/etc/check_mk/mrpe.cfg'; + } } diff --git a/puppet/modules/site_check_mk/manifests/agent/package/perl_plugin.pp b/puppet/modules/site_check_mk/manifests/agent/package/perl_plugin.pp new file mode 100644 index 00000000..4feda375 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/package/perl_plugin.pp @@ -0,0 +1,5 @@ +class site_check_mk::agent::package::perl_plugin { + package { 'libnagios-plugin-perl': + ensure => installed, + } +} -- cgit v1.2.3 From 0daa46300cddc6c56e07b42c131852e839235a7f Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 14:02:39 +0100 Subject: ignore logwatch pattern for tapicero: 412 Precondition Failed while creating user db (Bug #5168) --- .../modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg index 4e3808eb..9983d27c 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg @@ -1,4 +1,7 @@ C tapicero.*RestClient::InternalServerError: - C tapicero.*RestClient::PreconditionFailed: +# possible race condition between multiple tapicero +# instances, so we ignore it +# see https://leap.se/code/issues/5168 + I tapicero.*RestClient::PreconditionFailed: C tapicero.*failed W tapicero.*Couch stream ended unexpectedly. -- cgit v1.2.3 From 877e6daa7e281c27114759482879e6f8c6903283 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 14:08:48 +0100 Subject: ignore logwatch pattern 'sunnel: SSL_shutdown: Connection reset by peer' --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg index 31c229b7..cf7ebca8 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg @@ -1,3 +1,5 @@ # check for stunnel failures C stunnel:.*Connection refused - C stunnel:.*Connection reset by peer +# this is a temporary failure and happens very often, so we +# ignore it + I stunnel:.*Connection reset by peer -- cgit v1.2.3 From 5b15447055de66f30bc7f036a588dec4638b9a7d Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 14:52:04 +0100 Subject: check syslog for webapp errors --- .../modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg | 2 ++ puppet/modules/site_check_mk/manifests/agent/webapp.pp | 9 +++++++++ puppet/modules/site_webapp/manifests/init.pp | 2 +- 3 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg create mode 100644 puppet/modules/site_check_mk/manifests/agent/webapp.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg new file mode 100644 index 00000000..14fcf34a --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg @@ -0,0 +1,2 @@ +# check for webapp errors + C webapp.*Could not connect to couch database messages due to 401 Unauthorized: {"error":"unauthorized","reason":"You are not a server admin."} diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp new file mode 100644 index 00000000..dc2baf19 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp @@ -0,0 +1,9 @@ +class site_check_mk::agent::webapp { + + concat::fragment { 'syslog_webapp': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/webapp.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '02'; + } + +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f8216aa4..d02a7261 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -157,5 +157,5 @@ class site_webapp { } include site_shorewall::webapp - + include site_check_mk::agent::webapp } -- cgit v1.2.3 From fa75c9406b1c4cfeccca046ba01d108b681e53fe Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 15:20:34 +0100 Subject: ignore RoutingErrors that rails throw when it can't handle a url (#5173) --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg index 14fcf34a..00f9c7fd 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/webapp.cfg @@ -1,2 +1,5 @@ # check for webapp errors C webapp.*Could not connect to couch database messages due to 401 Unauthorized: {"error":"unauthorized","reason":"You are not a server admin."} +# ignore RoutingErrors that rails throw when it can't handle a url +# see https://leap.se/code/issues/5173 + I webapp.*ActionController::RoutingError -- cgit v1.2.3 From fdb0e27d6df35b511e4883becf3bc2afb945550b Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 15:30:54 +0100 Subject: check syslog for 'Undefined' logpattern --- puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg index 52c479ef..f3505c1c 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg @@ -1,4 +1,5 @@ /var/log/syslog +# some general patterns C panic C Oops I Error: Driver 'pcspkr' is already registered, aborting... @@ -6,3 +7,6 @@ C error W generic protection rip W .*Unrecovered read error - auto reallocate failed +# 401 Unauthorized error logged by webapp and possible other +# applications + C Unauthorized -- cgit v1.2.3 From 66cc1345c3af4e814d98c8e4b90d90158ac9d399 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 26 Feb 2014 15:53:12 +0100 Subject: ignore valid log patterns from bigcouch.log --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index ee64b3c0..a1eb1312 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -8,3 +8,8 @@ C error C Connection attempt from disallowed node W Shutting down group server +# ignore requests that are fine + I undefined - -.*200$ + I undefined - -.*201$ + I 127.0.0.1 undefined.* ok + I 127.0.0.1 localhost:5984 .* ok -- cgit v1.2.3 From 2887bbbac9f350c0912e3b2bf8fd643994eaee84 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Feb 2014 16:41:05 +0100 Subject: include "127.0.1.1 @domain_public @api['domain']" in /etc/hosts for nagios webapp log check --- puppet/modules/site_config/manifests/hosts.pp | 1 + puppet/modules/site_config/templates/hosts | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index a3ce0c1f..e5d4dd70 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -3,6 +3,7 @@ class site_config::hosts() { $hostname = hiera('name') $domain_hash = hiera('domain') $domain_public = $domain_hash['full_suffix'] + $api = hiera('api', '') file { '/etc/hostname': ensure => present, diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index c0a2740f..bfcabaa5 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -1,7 +1,8 @@ # This file is managed by puppet, any changes will be overwritten! 127.0.0.1 localhost -127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> +127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> <% if (defined? @services) and (@services.include? 'webapp') -%><%= @domain_public %> <%= @api['domain'] %><% end -%> + <%- if @hosts then -%> <% @hosts.keys.sort.each do |name| -%> -- cgit v1.2.3 From 2209afd630a75335e26516c6d9fa1c796bca8a49 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 27 Feb 2014 18:01:34 +0100 Subject: check webapp login (Feature #5172) --- puppet/modules/site_check_mk/manifests/agent/webapp.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp index dc2baf19..48fa0828 100644 --- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp @@ -1,5 +1,14 @@ class site_check_mk::agent::webapp { + # check webapp login + package { 'python-srp': ensure => installed } + file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py': + ensure => link, + target => '/srv/leap/webapp/test/nagios/webapp_login.py' + } + + + # check syslog concat::fragment { 'syslog_webapp': source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/webapp.cfg', target => '/etc/check_mk/logwatch.d/syslog.cfg', -- cgit v1.2.3 From 2630c998af6e4d03c3bcc3f4566093aed533dd0c Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 22:57:23 +0100 Subject: leap_mx: watch /var/mail/vmail/Maildir instead of /var/mail/vmai (Feature #5223) --- puppet/modules/leap_mx/templates/mx.conf.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/leap_mx/templates/mx.conf.erb b/puppet/modules/leap_mx/templates/mx.conf.erb index bf1e6421..e05bc150 100644 --- a/puppet/modules/leap_mx/templates/mx.conf.erb +++ b/puppet/modules/leap_mx/templates/mx.conf.erb @@ -1,5 +1,5 @@ [mail1] -path=/var/mail/vmail +path=/var/mail/vmail/Maildir recursive=True [couchdb] @@ -12,4 +12,4 @@ port=<%= @couchdb_port %> port=4242 [check recipient] -port=2244 \ No newline at end of file +port=2244 -- cgit v1.2.3 From 89c5fd126f73dff0bd4258ec51ad03f523d64ade Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 00:40:07 +0100 Subject: install more needed packages for webapp login check --- puppet/modules/site_check_mk/manifests/agent/webapp.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp index 48fa0828..932d6bb9 100644 --- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp @@ -1,7 +1,9 @@ class site_check_mk::agent::webapp { # check webapp login - package { 'python-srp': ensure => installed } + package { [ 'python-srp', 'python-requests', 'python-yaml' ]: + ensure => installed + } file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py': ensure => link, target => '/srv/leap/webapp/test/nagios/webapp_login.py' -- cgit v1.2.3 From 08f0fa4c8b1853db04835f407350c052ccfdb3d8 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 00:41:44 +0100 Subject: don't displa ycontext for errors in bigcouch.log (reported too many context lines), ignore patterns first --- .../modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index a1eb1312..92c5eb5a 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -1,4 +1,9 @@ -/opt/bigcouch/var/log/bigcouch.log +/opt/bigcouch/var/log/bigcouch.log nocontext=1 +# ignore requests that are fine + I undefined - -.*200$ + I undefined - -.*201$ + I 127.0.0.1 undefined.* ok + I 127.0.0.1 localhost:5984 .* ok C Uncaught error in HTTP request: {exit, C Uncaught error in HTTP request: {exit,normal} C Uncaught error in HTTP request: {error, @@ -8,8 +13,3 @@ C error C Connection attempt from disallowed node W Shutting down group server -# ignore requests that are fine - I undefined - -.*200$ - I undefined - -.*201$ - I 127.0.0.1 undefined.* ok - I 127.0.0.1 localhost:5984 .* ok -- cgit v1.2.3 From f802fcdc7396d8a3b804be6480adb8611638f2c0 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 01:18:33 +0100 Subject: Make leap_cli tests accessible for check_mk (Feature #5148) --- .../files/agent/local_checks/all_hosts/run_node_tests.sh | 5 +++++ puppet/modules/site_check_mk/manifests/agent.pp | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/local_checks/all_hosts/run_node_tests.sh (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/all_hosts/run_node_tests.sh b/puppet/modules/site_check_mk/files/agent/local_checks/all_hosts/run_node_tests.sh new file mode 100644 index 00000000..1dd0afc9 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/local_checks/all_hosts/run_node_tests.sh @@ -0,0 +1,5 @@ +#!/bin/sh +# +# runs node tests + +/srv/leap/bin/run_tests --checkmk diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index efb05b37..b752182e 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -18,6 +18,11 @@ class site_check_mk::agent { ensure => directory, } + file { '/usr/lib/check_mk_agent/local/run_node_tests.sh': + source => 'puppet:///modules/site_check_mk/agent/local_checks/all_hosts/run_node_tests.sh', + mode => '0755' + } + include site_check_mk::agent::mrpe include site_check_mk::agent::logwatch } -- cgit v1.2.3 From c7af5055fd9f255357a8dcd6e318c7a15a3b709c Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 21:53:12 +0100 Subject: check leap_mx queue --- .../files/agent/local_checks/mx/check_leap_mx.sh | 33 ++++++++++++++++++++++ puppet/modules/site_check_mk/manifests/agent/mx.pp | 8 ++++++ puppet/modules/site_mx/manifests/init.pp | 1 + 3 files changed, 42 insertions(+) create mode 100755 puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh create mode 100644 puppet/modules/site_check_mk/manifests/agent/mx.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh b/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh new file mode 100755 index 00000000..2958d2ed --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh @@ -0,0 +1,33 @@ +#!/bin/bash + + +WARN=1 +CRIT=5 + +# in minutes +MAXAGE=10 + +STATUS[0]='OK' +STATUS[1]='Warning' +STATUS[2]='Critical' +CHECKNAME='Leap_MX_Queue' + +WATCHDIR='/var/mail/vmail/Maildir/new/' + + +total=`find $WATCHDIR -type f -mmin +$MAXAGE | wc -l` + +if [ $total -lt $WARN ] +then + exitcode=0 +else + if [ $total -le $CRIT ] + then + exitcode=1 + else + exitcode=2 + fi +fi + +echo "$exitcode $CHECKNAME stale_files=$total ${STATUS[exitcode]}: $total stale files (>=$MAXAGE min) in $WATCHDIR." + diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp new file mode 100644 index 00000000..c4d3ea13 --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp @@ -0,0 +1,8 @@ +class site_check_mk::agent::mx { + + file { '/usr/lib/check_mk_agent/local/check_leap_mx.sh': + source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh', + mode => '0755' + } + +} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index cdb84b54..3949c787 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -15,4 +15,5 @@ class site_mx { include site_shorewall::service::smtp include site_mx::couchdb include leap_mx + include site_check_mk::agent::mx } -- cgit v1.2.3 From 34b7c8ebb3462fea880c848d960261cabd4a6a9f Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 22:56:16 +0100 Subject: check soledad.log for 'Timing out client:' --- puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg index 54b782d3..0f4c9469 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg @@ -1,4 +1,4 @@ /var/log/soledad.log C WSGI application error C error - + W Timing out client: -- cgit v1.2.3 From efb262a0337493b7a7954ccdd72119d8519370af Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 28 Feb 2014 23:05:52 +0100 Subject: check leap_mx (Feature #5175) --- .../modules/site_check_mk/files/agent/logwatch/leap_mx.cfg | 4 ++++ puppet/modules/site_check_mk/manifests/agent/mx.pp | 14 ++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg new file mode 100644 index 00000000..c71c5392 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/leap_mx.cfg @@ -0,0 +1,4 @@ +/var/log/leap_mx.log + W Don't know how to deliver mail + W No public key, stopping the processing chain + diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp index c4d3ea13..2dd50400 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mx.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp @@ -1,5 +1,19 @@ class site_check_mk::agent::mx { + # watch logs + file { '/etc/check_mk/logwatch.d/leap_mx.cfg': + source => 'puppet:///modules/site_check_mk/agent/logwatch/leap_mx.cfg', + } + + # local nagios plugin checks via mrpe + file_line { + 'Leap_MX_Procs': + line => 'Leap_MX_Procs /usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a leap_mx', + path => '/etc/check_mk/mrpe.cfg'; + } + + + # check stale files in queue dir file { '/usr/lib/check_mk_agent/local/check_leap_mx.sh': source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh', mode => '0755' -- cgit v1.2.3 From 5dd248238cdf5ab27232ecf426aada05503d2b10 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 3 Mar 2014 17:17:02 +0100 Subject: check syslog for bigcouch restarts --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index 92c5eb5a..3f6cc413 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -13,3 +13,4 @@ C error C Connection attempt from disallowed node W Shutting down group server + W Apache CouchDB has started -- cgit v1.2.3 From 8811b41222a98037eaae9bb0de1835c3c0282178 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 3 Mar 2014 17:18:41 +0100 Subject: check soledad.log also for Upper case pattern 'Error' --- puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg index 0f4c9469..623d1e46 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg @@ -1,4 +1,5 @@ /var/log/soledad.log C WSGI application error + C Error C error W Timing out client: -- cgit v1.2.3 From ba6edc92bc27f219401b5610d2f99d679fbc865f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 3 Mar 2014 17:19:32 +0100 Subject: check syslog for bigcouch error "epmd: got partial packet only on file descriptor" --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg index 5f8d5b95..c92b5af7 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg @@ -1,2 +1,4 @@ C /usr/local/bin/couch-doc-update.*failed C /usr/local/bin/couch-doc-update.*ERROR + W epmd: got partial packet only on file descriptor + -- cgit v1.2.3 From 0152667c246e1f835021ad13f3df00a6c08eb5c0 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 3 Mar 2014 17:20:56 +0100 Subject: ignore stunnel pattern "Peer suddenly disconnected" (#5218) --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg index cf7ebca8..a4e428b4 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg @@ -3,3 +3,4 @@ # this is a temporary failure and happens very often, so we # ignore it I stunnel:.*Connection reset by peer + I stunnel:.*Peer suddenly disconnected -- cgit v1.2.3 From 984939c4a74b71ce67db27a035ca5017f82c416f Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 3 Mar 2014 17:32:42 +0100 Subject: move generic syslog patterns to the end of syslog.cfg so we can ignore patterns first --- puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg | 12 ------------ .../site_check_mk/files/agent/logwatch/syslog_header.cfg | 1 + .../site_check_mk/files/agent/logwatch/syslog_tail.cfg | 11 +++++++++++ .../modules/site_check_mk/manifests/agent/logwatch/syslog.pp | 7 ++++++- 4 files changed, 18 insertions(+), 13 deletions(-) delete mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog_header.cfg create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg deleted file mode 100644 index f3505c1c..00000000 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog.cfg +++ /dev/null @@ -1,12 +0,0 @@ -/var/log/syslog -# some general patterns - C panic - C Oops - I Error: Driver 'pcspkr' is already registered, aborting... - C Error - C error - W generic protection rip - W .*Unrecovered read error - auto reallocate failed -# 401 Unauthorized error logged by webapp and possible other -# applications - C Unauthorized diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_header.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_header.cfg new file mode 100644 index 00000000..f60d752b --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_header.cfg @@ -0,0 +1 @@ +/var/log/syslog diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg new file mode 100644 index 00000000..450b9e90 --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog_tail.cfg @@ -0,0 +1,11 @@ +# some general patterns + C panic + C Oops + I Error: Driver 'pcspkr' is already registered, aborting... + C Error + C error + W generic protection rip + W .*Unrecovered read error - auto reallocate failed +# 401 Unauthorized error logged by webapp and possible other +# applications + C Unauthorized diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp index ac3dda64..c927780d 100644 --- a/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp +++ b/puppet/modules/site_check_mk/manifests/agent/logwatch/syslog.pp @@ -5,9 +5,14 @@ class site_check_mk::agent::logwatch::syslog { } concat::fragment { 'syslog_header': - source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog.cfg', + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog_header.cfg', target => '/etc/check_mk/logwatch.d/syslog.cfg', order => '01'; } + concat::fragment { 'syslog_tail': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog_tail.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '99'; + } } -- cgit v1.2.3 From 851aaacb3ba3e746dd966e9477b7a3a289b0bf61 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 3 Mar 2014 23:17:56 +0100 Subject: ignore "Uncaught error in HTTP request: {exit, normal}" error (#5226) --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index 3f6cc413..96bf190c 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -4,8 +4,11 @@ I undefined - -.*201$ I 127.0.0.1 undefined.* ok I 127.0.0.1 localhost:5984 .* ok - C Uncaught error in HTTP request: {exit, - C Uncaught error in HTTP request: {exit,normal} + # ignore "Uncaught error in HTTP request: {exit, normal}" error + # it's suppressed in later versions of bigcouch anhow + # see https://leap.se/code/issues/5226 + I Uncaught error in HTTP request: {exit,normal} + I Uncaught error in HTTP request: {exit, C Uncaught error in HTTP request: {error, C Response abnormally terminated: {nodedown, C rexi_DOWN,noproc -- cgit v1.2.3 From 236d996a76b42fdf1adbc519813e2318571cbf08 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 00:37:46 +0100 Subject: ignore 'epmd: got partial packet only on file descriptor' (#5244) --- puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg index c92b5af7..a5438e61 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg @@ -1,4 +1,7 @@ C /usr/local/bin/couch-doc-update.*failed C /usr/local/bin/couch-doc-update.*ERROR - W epmd: got partial packet only on file descriptor +# on one-node bigcouch setups, we'll get this msg +# a lot, so we ignore it here until we fix +# https://leap.se/code/issues/5244 + I epmd: got partial packet only on file descriptor -- cgit v1.2.3 From 3ffaf0bc613228f9639f50c6ace966778af52111 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 01:02:34 +0100 Subject: ignore stunnel 'Connection refused' errors that happen too often until we fix #5218 --- .../site_check_mk/files/agent/logwatch/syslog/stunnel.cfg | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg index a4e428b4..865c9b9b 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg @@ -1,6 +1,9 @@ # check for stunnel failures - C stunnel:.*Connection refused -# this is a temporary failure and happens very often, so we -# ignore it +# +# those are temporary failure and happen very often, so we +# ignore them until we tuned stunnel timeouts/logging, +# see https://leap.se/code/issues/5218 I stunnel:.*Connection reset by peer I stunnel:.*Peer suddenly disconnected + I stunnel:.*Connection refused + -- cgit v1.2.3 From f6c633699adbce362b3101ea3b140083e8698f3a Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 13:43:47 +0100 Subject: watch syslog for stunnel issues on couch nodes --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 87c35f05..91f1e3aa 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -107,4 +107,6 @@ class site_couchdb::stunnel { } create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults) + + include site_check_mk::agent::stunnel } -- cgit v1.2.3 From 02a2a74058de9e541822a88e7b5872cdb5cbe45f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 13:48:06 +0100 Subject: ignore failing creation of user-dbs by tapicero, see #5168 --- .../modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg index 9983d27c..a39cb504 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg @@ -3,5 +3,11 @@ # instances, so we ignore it # see https://leap.se/code/issues/5168 I tapicero.*RestClient::PreconditionFailed: +# until we can analyze multiline patterns with +# check_mk logwatch, we unfortunatly need ignore this +# line too, which shows up in combination with the +# above PreconditionFailed error. +# see https://leap.se/code/issues/4821#note-5 + I tapicero.*Creating database.*failed due to: C tapicero.*failed W tapicero.*Couch stream ended unexpectedly. -- cgit v1.2.3 From e85bc5c99fc2d1d09a86aa7a5c8ad4038dd2de47 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 14:57:01 +0100 Subject: ignore bigcouch 'Shutting down group server' error (#5246) --- puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg index 96bf190c..28f333b0 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/bigcouch.cfg @@ -4,6 +4,8 @@ I undefined - -.*201$ I 127.0.0.1 undefined.* ok I 127.0.0.1 localhost:5984 .* ok + # https://leap.se/code/issues/5246 + I Shutting down group server # ignore "Uncaught error in HTTP request: {exit, normal}" error # it's suppressed in later versions of bigcouch anhow # see https://leap.se/code/issues/5226 @@ -15,5 +17,4 @@ C rexi_DOWN,noconnection C error C Connection attempt from disallowed node - W Shutting down group server W Apache CouchDB has started -- cgit v1.2.3 From 32217e18179687cd4adde350379c57c7f96ca59f Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 15:16:39 +0100 Subject: fix check_mk resource dependencies (Bug #5145) --- .../modules/site_check_mk/manifests/agent/logwatch.pp | 6 ++++-- puppet/modules/site_check_mk/manifests/agent/mrpe.pp | 3 ++- puppet/modules/site_check_mk/manifests/server.pp | 19 +++++++++++++------ 3 files changed, 19 insertions(+), 9 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp index 38514af2..4c249e6f 100644 --- a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp +++ b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp @@ -4,8 +4,9 @@ class site_check_mk::agent::logwatch { # see https://leap.se/code/issues/5135 file { '/usr/lib/check_mk_agent/plugins/mk_logwatch': - source => 'puppet:///modules/site_check_mk/agent/plugins/mk_logwatch.1.2.4', - mode => '0755' + source => 'puppet:///modules/site_check_mk/agent/plugins/mk_logwatch.1.2.4', + mode => '0755', + require => Package['check-mk-agent'] } # only config files that watch a distinct logfile should go in logwatch.d/ @@ -13,6 +14,7 @@ class site_check_mk::agent::logwatch { ensure => directory, recurse => true, purge => true, + require => Package['check-mk-server'] } # service that share a common logfile (i.e. /var/log/syslog) need to get diff --git a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp index 37df7f74..7222e4e1 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp @@ -8,7 +8,8 @@ class site_check_mk::agent::mrpe { } file { '/etc/check_mk/mrpe.cfg': - ensure => present + ensure => present, + require => Package['check-mk-server'] } -> file_line { 'Apt': line => 'APT /usr/lib/nagios/plugins/check_apt', diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 0c98cd5a..d1bc5930 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -25,25 +25,32 @@ class site_check_mk::server { require => Package['check-mk-server'] } - Exec['check_mk-reload'] -> Service['nagios'] + Exec['check_mk-reload'] -> + Exec['check_mk-refresh-inventory-daily'] -> + Service['nagios'] file { '/etc/check_mk/conf.d/use_ssh.mk': content => template('site_check_mk/use_ssh.mk'), - notify => Exec['check_mk-refresh']; + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; '/etc/check_mk/all_hosts_static': content => $all_hosts, - notify => Exec['check_mk-refresh']; + notify => Exec['check_mk-refresh'], + require => Package['check-mk-server']; '/etc/check_mk/.ssh': - ensure => directory; + ensure => directory, + require => Package['check-mk-server']; '/etc/check_mk/.ssh/id_rsa': content => $seckey, owner => 'nagios', - mode => '0600'; + mode => '0600', + require => Package['check-mk-server']; '/etc/check_mk/.ssh/id_rsa.pub': content => "${type} ${pubkey} monitor", owner => 'nagios', - mode => '0644'; + mode => '0644', + require => Package['check-mk-server']; # check_icmp must be suid root or called by sudo # see https://leap.se/code/issues/5171 '/usr/lib/nagios/plugins/check_icmp': -- cgit v1.2.3 From e603adab7cd31177e133487ba817300ce68a1e5c Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 15:49:58 +0100 Subject: fix duplicate declarations in /etc/nagios3/conf.d/ on first deploy (Bug #5129) --- puppet/modules/site_nagios/manifests/server.pp | 4 +--- puppet/modules/site_nagios/manifests/server/purge.pp | 5 +++-- 2 files changed, 4 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 9aae8ae8..7106c36a 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -1,9 +1,7 @@ class site_nagios::server inherits nagios::base { # First, purge old nagios config (see #1467) - class { 'site_nagios::server::purge': - stage => setup - } + class { 'site_nagios::server::purge': } $nagios_hiera = hiera('nagios') $nagiosadmin_pw = htpasswd_sha1($nagios_hiera['nagiosadmin_pw']) diff --git a/puppet/modules/site_nagios/manifests/server/purge.pp b/puppet/modules/site_nagios/manifests/server/purge.pp index 1c12cfb0..6815a703 100644 --- a/puppet/modules/site_nagios/manifests/server/purge.pp +++ b/puppet/modules/site_nagios/manifests/server/purge.pp @@ -10,9 +10,10 @@ class site_nagios::server::purge inherits nagios::base { purge => false } - # only purge find in the /etc/nagios3/conf.d/ dir, not in any subdir + # only purge files in the /etc/nagios3/conf.d/ dir, not in any subdir exec {'purge_conf.d': command => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f -exec rm {} \;', - onlyif => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f | grep -q "/etc/nagios3/conf.d"' + onlyif => '/usr/bin/find /etc/nagios3/conf.d/ -maxdepth 1 -type f | grep -q "/etc/nagios3/conf.d"', + require => Package['nagios'] } } -- cgit v1.2.3 From 8c43ea97e565cc7a76ea15964249a9fb6edccbfb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 16:37:24 +0100 Subject: don't use storedconfigs for check_mk, requires current check_mk module (#5253) --- puppet/modules/site_check_mk/manifests/server.pp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index d1bc5930..e544ef0d 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -17,12 +17,13 @@ class site_check_mk::server { # override paths to use the system check_mk rather than OMD class { 'check_mk::config': - site => '', - etc_dir => '/etc', - nagios_subdir => 'nagios3', - bin_dir => '/usr/bin', - host_groups => undef, - require => Package['check-mk-server'] + site => '', + etc_dir => '/etc', + nagios_subdir => 'nagios3', + bin_dir => '/usr/bin', + host_groups => undef, + use_storedconfigs => false, + require => Package['check-mk-server'] } Exec['check_mk-reload'] -> -- cgit v1.2.3 From c1dca55e9a9a6827ffcce120523e7a27e113f3c7 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 16:45:18 +0100 Subject: use curly brackets for variables in check_leap_mx.sh output, see https://review.leap.se/r/160/#comment156 --- .../modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh b/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh index 2958d2ed..b8687c9a 100755 --- a/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh +++ b/puppet/modules/site_check_mk/files/agent/local_checks/mx/check_leap_mx.sh @@ -29,5 +29,5 @@ else fi fi -echo "$exitcode $CHECKNAME stale_files=$total ${STATUS[exitcode]}: $total stale files (>=$MAXAGE min) in $WATCHDIR." +echo "${exitcode} ${CHECKNAME} stale_files=${total} ${STATUS[exitcode]}: ${total} stale files (>=${MAXAGE} min) in ${WATCHDIR}." -- cgit v1.2.3 From 313d4c2d3b2cccf6894d7cf5c01f6c63ac4e5f65 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 18:21:29 +0100 Subject: updated submodule check_mk --- puppet/modules/check_mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/check_mk b/puppet/modules/check_mk index f9e49426..5c11597a 160000 --- a/puppet/modules/check_mk +++ b/puppet/modules/check_mk @@ -1 +1 @@ -Subproject commit f9e494265f6c7b83ab9ef418e40cc7aac5589563 +Subproject commit 5c11597a055858b5ddc1ce8f7f8db249f5f1b336 -- cgit v1.2.3 From 3b7c8e273a0e75e58c736b2eacf89b4c7b9d81e5 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 4 Mar 2014 18:56:10 +0100 Subject: remove trailing whitespaces from logwatch config files --- puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg | 2 +- puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg | 2 +- puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg | 4 ++-- puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg index c4acae40..4f16d1bd 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/logwatch.cfg @@ -8,7 +8,7 @@ /var/log/messages # Patterns are indented with one space are prefixed with: # C: Critical messages -# W: Warning messages +# W: Warning messages # I: ignore these lines (OK) # The first match decided. Lines that do not match any pattern # are ignored diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg index a5438e61..f546135a 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/couchdb.cfg @@ -1,7 +1,7 @@ C /usr/local/bin/couch-doc-update.*failed C /usr/local/bin/couch-doc-update.*ERROR # on one-node bigcouch setups, we'll get this msg -# a lot, so we ignore it here until we fix +# a lot, so we ignore it here until we fix # https://leap.se/code/issues/5244 I epmd: got partial packet only on file descriptor diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg index 865c9b9b..eb3131f2 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/stunnel.cfg @@ -1,7 +1,7 @@ # check for stunnel failures # -# those are temporary failure and happen very often, so we -# ignore them until we tuned stunnel timeouts/logging, +# these are temporary failures and happen very often, so we +# ignore them until we tuned stunnel timeouts/logging, # see https://leap.se/code/issues/5218 I stunnel:.*Connection reset by peer I stunnel:.*Peer suddenly disconnected diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg index a39cb504..7f43a18c 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg @@ -3,7 +3,7 @@ # instances, so we ignore it # see https://leap.se/code/issues/5168 I tapicero.*RestClient::PreconditionFailed: -# until we can analyze multiline patterns with +# until we can analyze multiline patterns with # check_mk logwatch, we unfortunatly need ignore this # line too, which shows up in combination with the # above PreconditionFailed error. -- cgit v1.2.3 From 8bf1fa304a047fd74538345d1ffa5c2c4312dd55 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Mar 2014 16:08:41 +0100 Subject: use the right package dependencies for site_check_mk::agent class and subclasses --- puppet/modules/site_check_mk/manifests/agent/logwatch.pp | 4 ++-- puppet/modules/site_check_mk/manifests/agent/mrpe.pp | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp index 4c249e6f..423cace2 100644 --- a/puppet/modules/site_check_mk/manifests/agent/logwatch.pp +++ b/puppet/modules/site_check_mk/manifests/agent/logwatch.pp @@ -6,7 +6,7 @@ class site_check_mk::agent::logwatch { file { '/usr/lib/check_mk_agent/plugins/mk_logwatch': source => 'puppet:///modules/site_check_mk/agent/plugins/mk_logwatch.1.2.4', mode => '0755', - require => Package['check-mk-agent'] + require => Package['check-mk-agent-logwatch'] } # only config files that watch a distinct logfile should go in logwatch.d/ @@ -14,7 +14,7 @@ class site_check_mk::agent::logwatch { ensure => directory, recurse => true, purge => true, - require => Package['check-mk-server'] + require => Package['check-mk-agent-logwatch'] } # service that share a common logfile (i.e. /var/log/syslog) need to get diff --git a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp index 7222e4e1..6921574f 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mrpe.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mrpe.pp @@ -9,7 +9,7 @@ class site_check_mk::agent::mrpe { file { '/etc/check_mk/mrpe.cfg': ensure => present, - require => Package['check-mk-server'] + require => Package['check-mk-agent'] } -> file_line { 'Apt': line => 'APT /usr/lib/nagios/plugins/check_apt', -- cgit v1.2.3 From a9f757f169611ce9ab65a6e0053e88fd744bfb7b Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Mar 2014 16:27:54 +0100 Subject: updated submodule rubygems (#3827) --- puppet/modules/rubygems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems index 1e5ed3db..ef820cfe 160000 --- a/puppet/modules/rubygems +++ b/puppet/modules/rubygems @@ -1 +1 @@ -Subproject commit 1e5ed3dbef9381bb9d5e2a7b4957bb3f5288d6a8 +Subproject commit ef820cfec3321d17be99ef814318adb4e3cc1e91 -- cgit v1.2.3 From c209a38a687f57cc9728492928fc9ae1ea53a723 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 5 Mar 2014 16:27:54 +0100 Subject: updated submodule rubygems (#3827) --- puppet/modules/rubygems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems index 7e0240ac..ef820cfe 160000 --- a/puppet/modules/rubygems +++ b/puppet/modules/rubygems @@ -1 +1 @@ -Subproject commit 7e0240acce5a338e7cc2b55f1f8ba749634c5da4 +Subproject commit ef820cfec3321d17be99ef814318adb4e3cc1e91 -- cgit v1.2.3 From 8d6b36eff5fcdd39bf1065eb481a0f98a6135696 Mon Sep 17 00:00:00 2001 From: irregulator Date: Wed, 12 Mar 2014 03:20:54 +0200 Subject: DirPortFrontPage serves a static webpage only when Tor node is exit. See leap.se/code/issues/5241 --- puppet/modules/site_tor/manifests/init.pp | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index b6e73a23..28bc5240 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -19,12 +19,17 @@ class site_tor { my_family => '$2A431444756B0E7228A7918C85A8DACFF7E3B050', } - tor::daemon::directory { $::hostname: port => 80 } - - include site_shorewall::tor - - if ( $tor_type != 'exit' ) { + if ( $tor_type == 'exit'){ + tor::daemon::directory { $::hostname: port => 80 } + } + else { + tor::daemon::directory { $::hostname: + port => 80, + port_front_page => ''; + } include site_tor::disable_exit } + include site_shorewall::tor + } -- cgit v1.2.3 From 507391adf853ea39daac4772143fc5aa4abef47b Mon Sep 17 00:00:00 2001 From: irregulator Date: Wed, 12 Mar 2014 04:16:17 +0200 Subject: Indentation fix. --- puppet/modules/site_tor/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index 28bc5240..02368a0e 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -24,7 +24,7 @@ class site_tor { } else { tor::daemon::directory { $::hostname: - port => 80, + port => 80, port_front_page => ''; } include site_tor::disable_exit -- cgit v1.2.3 From 0b3cba122d0393540ca1625e56047ac67f457314 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 12 Mar 2014 23:49:32 +0100 Subject: check if soledad is working (Feature #5239) --- puppet/modules/site_check_mk/manifests/agent/webapp.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp index 932d6bb9..cb160d83 100644 --- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp @@ -1,13 +1,17 @@ class site_check_mk::agent::webapp { - # check webapp login - package { [ 'python-srp', 'python-requests', 'python-yaml' ]: + # check webapp login + soledad sync + package { [ 'python-srp', 'python-requests', 'python-yaml', 'python-u1db' ]: ensure => installed } file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py': ensure => link, target => '/srv/leap/webapp/test/nagios/webapp_login.py' } + file { '/usr/lib/check_mk_agent/local/soledad_sync.py': + ensure => link, + target => '/srv/leap/webapp/test/nagios/soledad_sync.py' + } # check syslog -- cgit v1.2.3 From 42cd675108ab480787ad821625fa6cccf599d2ce Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Mar 2014 20:14:26 +0100 Subject: removed trailing whitespaces in nagios.cfg --- .../site_nagios/files/configs/Debian/nagios.cfg | 84 +++++++++++----------- 1 file changed, 42 insertions(+), 42 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 9bd3da28..0bc69bc1 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -1,6 +1,6 @@ ############################################################################## # -# NAGIOS.CFG - Sample Main Config File for Nagios +# NAGIOS.CFG - Sample Main Config File for Nagios # # ############################################################################## @@ -8,7 +8,7 @@ # LOG FILE # This is the main log file where service and host events are logged -# for historical purposes. This should be the first option specified +# for historical purposes. This should be the first option specified # in the config file!!! log_file=/var/log/nagios3/nagios.log @@ -36,7 +36,7 @@ cfg_dir=/etc/nagios-plugins/config # OBJECT CACHE FILE # This option determines where object definitions are cached when -# Nagios starts/restarts. The CGIs read object definitions from +# Nagios starts/restarts. The CGIs read object definitions from # this cache file (rather than looking at the object config files # directly) in order to prevent inconsistencies that can occur # when the config files are modified after Nagios starts. @@ -52,7 +52,7 @@ object_cache_file=/var/cache/nagios3/objects.cache # file. You can then start Nagios with the -u option to have it read # object definitions from this precached file, rather than the standard # object configuration files (see the cfg_file and cfg_dir options above). -# Using a precached object file can speed up the time needed to (re)start +# Using a precached object file can speed up the time needed to (re)start # the Nagios process if you've got a large and/or complex configuration. # Read the documentation section on optimizing Nagios to find our more # about how this feature works. @@ -86,7 +86,7 @@ status_file=/var/cache/nagios3/status.dat # STATUS FILE UPDATE INTERVAL # This option determines the frequency (in seconds) that -# Nagios will periodically dump program, host, and +# Nagios will periodically dump program, host, and # service status data. status_update_interval=10 @@ -94,7 +94,7 @@ status_update_interval=10 # NAGIOS USER -# This determines the effective user that Nagios should run as. +# This determines the effective user that Nagios should run as. # You can either supply a username or a UID. nagios_user=nagios @@ -102,7 +102,7 @@ nagios_user=nagios # NAGIOS GROUP -# This determines the effective group that Nagios should run as. +# This determines the effective group that Nagios should run as. # You can either supply a group name or a GID. nagios_group=nagios @@ -128,7 +128,7 @@ check_external_commands=1 # Nagios to check for external commands every minute. If you specify a # number followed by an "s" (i.e. 15s), this will be interpreted to mean # actual seconds rather than a multiple of the interval_length variable. -# Note: In addition to reading the external command file at regularly +# Note: In addition to reading the external command file at regularly # scheduled intervals, Nagios will also check for external commands after # event handlers are executed. # NOTE: Setting this value to -1 causes Nagios to check the external @@ -143,7 +143,7 @@ command_check_interval=-1 # This is the file that Nagios checks for external command requests. # It is also where the command CGI will write commands that are submitted # by users, so it must be writeable by the user that the web server -# is running as (usually 'nobody'). Permissions should be set at the +# is running as (usually 'nobody'). Permissions should be set at the # directory level instead of on the file, as the file is deleted every # time its contents are processed. # Debian Users: In case you didn't read README.Debian yet, _NOW_ is the @@ -155,9 +155,9 @@ command_file=/var/lib/nagios3/rw/nagios.cmd # EXTERNAL COMMAND BUFFER SLOTS # This settings is used to tweak the number of items or "slots" that -# the Nagios daemon should allocate to the buffer that holds incoming -# external commands before they are processed. As external commands -# are processed by the daemon, they are removed from the buffer. +# the Nagios daemon should allocate to the buffer that holds incoming +# external commands before they are processed. As external commands +# are processed by the daemon, they are removed from the buffer. external_command_buffer_slots=4096 @@ -240,7 +240,7 @@ log_rotation_method=d # LOG ARCHIVE PATH -# This is the directory where archived (rotated) log files should be +# This is the directory where archived (rotated) log files should be # placed (assuming you've chosen to do log rotation). log_archive_path=/var/log/nagios3/archives @@ -403,7 +403,7 @@ max_host_check_spread=30 # MAXIMUM CONCURRENT SERVICE CHECKS -# This option allows you to specify the maximum number of +# This option allows you to specify the maximum number of # service checks that can be run in parallel at any given time. # Specifying a value of 1 for this variable essentially prevents # any service checks from being parallelized. A value of 0 @@ -425,7 +425,7 @@ check_result_reaper_frequency=10 # MAX CHECK RESULT REAPER TIME # This is the max amount of time (in seconds) that a single -# check result reaper event will be allowed to run before +# check result reaper event will be allowed to run before # returning control back to Nagios so it can perform other # duties. @@ -439,7 +439,7 @@ max_check_result_reaper_time=30 # service checks that have not yet been processed. # # Note: Make sure that only one instance of Nagios has access -# to this directory! +# to this directory! check_result_path=/var/lib/nagios3/spool/checkresults @@ -448,7 +448,7 @@ check_result_path=/var/lib/nagios3/spool/checkresults # MAX CHECK RESULT FILE AGE # This option determines the maximum age (in seconds) which check -# result files are considered to be valid. Files older than this +# result files are considered to be valid. Files older than this # threshold will be mercilessly deleted without further processing. max_check_result_file_age=3600 @@ -510,14 +510,14 @@ enable_predictive_service_dependency_checks=1 # SOFT STATE DEPENDENCIES -# This option determines whether or not Nagios will use soft state -# information when checking host and service dependencies. Normally -# Nagios will only use the latest hard host or service state when +# This option determines whether or not Nagios will use soft state +# information when checking host and service dependencies. Normally +# Nagios will only use the latest hard host or service state when # checking dependencies. If you want it to use the latest state (regardless -# of whether its a soft or hard state type), enable this option. +# of whether its a soft or hard state type), enable this option. # Values: -# 0 = Don't use soft state dependencies (default) -# 1 = Use soft state dependencies +# 0 = Don't use soft state dependencies (default) +# 1 = Use soft state dependencies soft_state_dependencies=0 @@ -535,7 +535,7 @@ soft_state_dependencies=0 # This option determines whether or not Nagios will attempt to # automatically reschedule active host and service checks to # "smooth" them out over time. This can help balance the load on -# the monitoring server. +# the monitoring server. # WARNING: THIS IS AN EXPERIMENTAL FEATURE - IT CAN DEGRADE # PERFORMANCE, RATHER THAN INCREASE IT, IF USED IMPROPERLY @@ -598,7 +598,7 @@ perfdata_timeout=5 # This setting determines whether or not Nagios will save state # information for services and hosts before it shuts down. Upon # startup Nagios will reload all saved service and host state -# information before starting to monitor. This is useful for +# information before starting to monitor. This is useful for # maintaining long-term data on state statistics, etc, but will # slow Nagios down a bit when it (re)starts. Since its only # a one-time penalty, I think its well worth the additional @@ -610,7 +610,7 @@ retain_state_information=1 # STATE RETENTION FILE # This is the file that Nagios should use to store host and -# service state information before it shuts down. The state +# service state information before it shuts down. The state # information in this file is also read immediately prior to # starting to monitor the network when Nagios is restarted. # This file is used only if the preserve_state_information @@ -633,7 +633,7 @@ retention_update_interval=60 # USE RETAINED PROGRAM STATE -# This setting determines whether or not Nagios will set +# This setting determines whether or not Nagios will set # program status variables based on the values saved in the # retention file. If you want to use retained program status # information, set this value to 1. If not, set this value @@ -660,7 +660,7 @@ use_retained_scheduling_info=1 # program restarts. # # The values of the masks are bitwise ANDs of values specified -# by the "MODATTR_" definitions found in include/common.h. +# by the "MODATTR_" definitions found in include/common.h. # For example, if you do not want the current enabled/disabled state # of flap detection and event handlers for hosts to be retained, you # would use a value of 24 for the host attribute mask... @@ -711,7 +711,7 @@ use_aggressive_host_checking=0 # SERVICE CHECK EXECUTION OPTION # This determines whether or not Nagios will actively execute -# service checks when it initially starts. If this option is +# service checks when it initially starts. If this option is # disabled, checks are not actively made, but Nagios can still # receive and process passive check results that come in. Unless # you're implementing redundant hosts or have a special need for @@ -733,7 +733,7 @@ accept_passive_service_checks=1 # HOST CHECK EXECUTION OPTION # This determines whether or not Nagios will actively execute -# host checks when it initially starts. If this option is +# host checks when it initially starts. If this option is # disabled, checks are not actively made, but Nagios can still # receive and process passive check results that come in. Unless # you're implementing redundant hosts or have a special need for @@ -790,7 +790,7 @@ process_performance_data=0 # These commands are run after every host and service check is # performed. These commands are executed only if the # enable_performance_data option (above) is set to 1. The command -# argument is the short name of a command definition that you +# argument is the short name of a command definition that you # define in your host configuration file. Read the HTML docs for # more information on performance data. @@ -870,7 +870,7 @@ obsess_over_services=0 # OBSESSIVE COMPULSIVE SERVICE PROCESSOR COMMAND # This is the command that is run for every service check that is # processed by Nagios. This command is executed only if the -# obsess_over_services option (above) is set to 1. The command +# obsess_over_services option (above) is set to 1. The command # argument is the short name of a command definition that you # define in your host configuration file. Read the HTML docs for # more information on implementing distributed monitoring. @@ -894,7 +894,7 @@ obsess_over_hosts=0 # OBSESSIVE COMPULSIVE HOST PROCESSOR COMMAND # This is the command that is run for every host check that is # processed by Nagios. This command is executed only if the -# obsess_over_hosts option (above) is set to 1. The command +# obsess_over_hosts option (above) is set to 1. The command # argument is the short name of a command definition that you # define in your host configuration file. Read the HTML docs for # more information on implementing distributed monitoring. @@ -933,9 +933,9 @@ passive_host_checks_are_soft=0 # ORPHANED HOST/SERVICE CHECK OPTIONS -# These options determine whether or not Nagios will periodically +# These options determine whether or not Nagios will periodically # check for orphaned host service checks. Since service checks are -# not rescheduled until the results of their previous execution +# not rescheduled until the results of their previous execution # instance are processed, there exists a possibility that some # checks may never get rescheduled. A similar situation exists for # host checks, although the exact scheduling details differ a bit @@ -1003,9 +1003,9 @@ additional_freshness_latency=15 # FLAP DETECTION OPTION # This option determines whether or not Nagios will try -# and detect hosts and services that are "flapping". +# and detect hosts and services that are "flapping". # Flapping occurs when a host or service changes between -# states too frequently. When Nagios detects that a +# states too frequently. When Nagios detects that a # host or service is flapping, it will temporarily suppress # notifications for that host/service until it stops # flapping. Flap detection is very experimental, so read @@ -1049,7 +1049,7 @@ date_format=iso8601 # the system configured timezone. # # NOTE: In order to display the correct timezone in the CGIs, you -# will also need to alter the Apache directives for the CGI path +# will also need to alter the Apache directives for the CGI path # to include your timezone. Example: # # @@ -1086,7 +1086,7 @@ enable_embedded_perl=1 # This option determines whether or not Nagios will process Perl plugins # and scripts with the embedded Perl interpreter if the plugins/scripts # do not explicitly indicate whether or not it is okay to do so. Read -# the HTML documentation on the embedded Perl interpreter for more +# the HTML documentation on the embedded Perl interpreter for more # information on how this option works. use_embedded_perl_implicitly=1 @@ -1133,7 +1133,7 @@ use_regexp_matching=0 # "TRUE" REGULAR EXPRESSION MATCHING -# This option controls whether or not "true" regular expression +# This option controls whether or not "true" regular expression # matching takes place in the object config files. This option # only has an effect if regular expression matching is enabled # (see above). If this option is DISABLED, regular expression @@ -1186,7 +1186,7 @@ use_large_installation_tweaks=0 # This option determines whether or not Nagios will make all standard # macros available as environment variables when host/service checks # and system commands (event handlers, notifications, etc.) are -# executed. Enabling this option can cause performance issues in +# executed. Enabling this option can cause performance issues in # large installations, as it will consume a bit more memory and (more # importantly) consume more CPU. # Values: 1 - Enable environment variable macros (default) @@ -1227,7 +1227,7 @@ enable_environment_macros=1 # This option determines how much (if any) debugging information will # be written to the debug file. OR values together to log multiple # types of information. -# Values: +# Values: # -1 = Everything # 0 = Nothing # 1 = Functions -- cgit v1.2.3 From 75d169a2e709c891613cd9ca759469a8b951e580 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Mar 2014 20:19:07 +0100 Subject: Dont't archive nagios logs (#5324) --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 0bc69bc1..e46ebf62 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -235,7 +235,7 @@ event_broker_options=-1 # w = Weekly rotation (midnight on Saturday evening) # m = Monthly rotation (midnight last day of month) -log_rotation_method=d +log_rotation_method=n -- cgit v1.2.3 From a7ff480b5946f30445add762839118d878a775de Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Mar 2014 20:32:45 +0100 Subject: Dont't archive nagios logs, use logrotate for it (Feature #5324) --- puppet/modules/site_nagios/manifests/server.pp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index 7106c36a..85443917 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -46,4 +46,13 @@ class site_nagios::server inherits nagios::base { include site_nagios::server::apache include site_check_mk::server include site_shorewall::monitor + + augeas { + 'logrotate_nagios': + context => '/files/etc/logrotate.d/nagios/rule', + changes => [ 'set file /var/log/nagios3/nagios.log', 'set rotate 7', + 'set schedule daily', 'set compress compress', + 'set missingok missingok', 'set ifempty notifempty', + 'set copytruncate copytruncate' ] + } } -- cgit v1.2.3 From cb003cfff3002e111eced280b5a664c327a4ab11 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Mar 2014 21:23:57 +0100 Subject: deploy automatic compaction via platform (Feature #4798) --- puppet/modules/site_couchdb/manifests/bigcouch/compaction.pp | 8 ++++++++ puppet/modules/site_couchdb/manifests/init.pp | 6 ++++++ 2 files changed, 14 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/bigcouch/compaction.pp (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/compaction.pp b/puppet/modules/site_couchdb/manifests/bigcouch/compaction.pp new file mode 100644 index 00000000..84aab4ef --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/bigcouch/compaction.pp @@ -0,0 +1,8 @@ +class site_couchdb::bigcouch::compaction { + cron { + 'compact_all_shards': + command => '/srv/leap/couchdb/scripts/bigcouch_compact_all_shards.sh >> /var/log/bigcouch/compaction.log', + hour => 3, + minute => 17; + } +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index e4c0211b..c67ce8c8 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -94,6 +94,7 @@ class site_couchdb { include site_couchdb::add_users include site_couchdb::designs include site_couchdb::logrotate + include site_couchdb::bigcouch::compaction include site_shorewall::couchdb include site_shorewall::couchdb::bigcouch @@ -110,4 +111,9 @@ class site_couchdb { include site_check_mk::agent::couchdb include site_check_mk::agent::tapicero + + file { '/var/log/bigcouch': + ensure => directory + } + } -- cgit v1.2.3 From 8b207aba9c12d1e4b6320ee800de60578b9521cd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 13 Mar 2014 22:02:01 +0100 Subject: catch errors when tapicero fails to create a userdb (Feature #5306) --- .../modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg index 7f43a18c..93ce0311 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/tapicero.cfg @@ -3,11 +3,6 @@ # instances, so we ignore it # see https://leap.se/code/issues/5168 I tapicero.*RestClient::PreconditionFailed: -# until we can analyze multiline patterns with -# check_mk logwatch, we unfortunatly need ignore this -# line too, which shows up in combination with the -# above PreconditionFailed error. -# see https://leap.se/code/issues/4821#note-5 - I tapicero.*Creating database.*failed due to: + C tapicero.*Creating database.*failed due to: C tapicero.*failed W tapicero.*Couch stream ended unexpectedly. -- cgit v1.2.3 From 222fd1568d7af9ea953a4d6179578da5994ea1fd Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 20 Mar 2014 13:10:44 -0700 Subject: allow ability to customize openvpn security stuff: tls-cipher, auth, and cipher config options. --- puppet/modules/site_openvpn/manifests/init.pp | 33 +++++++++++++--------- .../site_openvpn/manifests/server_config.pp | 8 +++--- 2 files changed, 23 insertions(+), 18 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 42146741..abcac41c 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -27,22 +27,23 @@ class site_openvpn { Class['site_config::default'] -> Class['site_openvpn'] - $openvpn_config = hiera('openvpn') - $openvpn_ports = $openvpn_config['ports'] + $openvpn = hiera('openvpn') + $openvpn_ports = $openvpn['ports'] + $openvpn_config = $openvpn['configuration'] if $::ec2_instance_id { $openvpn_gateway_address = $::ipaddress } else { - $openvpn_gateway_address = $openvpn_config['gateway_address'] - if $openvpn_config['second_gateway_address'] { - $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] + $openvpn_gateway_address = $openvpn['gateway_address'] + if $openvpn['second_gateway_address'] { + $openvpn_second_gateway_address = $openvpn['second_gateway_address'] } else { $openvpn_second_gateway_address = undef } } - $openvpn_allow_unlimited = $openvpn_config['allow_unlimited'] - $openvpn_unlimited_prefix = $openvpn_config['unlimited_prefix'] + $openvpn_allow_unlimited = $openvpn['allow_unlimited'] + $openvpn_unlimited_prefix = $openvpn['unlimited_prefix'] $openvpn_unlimited_tcp_network_prefix = '10.41.0' $openvpn_unlimited_tcp_netmask = '255.255.248.0' $openvpn_unlimited_tcp_cidr = '21' @@ -51,9 +52,9 @@ class site_openvpn { $openvpn_unlimited_udp_cidr = '21' if !$::ec2_instance_id { - $openvpn_allow_limited = $openvpn_config['allow_limited'] - $openvpn_limited_prefix = $openvpn_config['limited_prefix'] - $openvpn_rate_limit = $openvpn_config['rate_limit'] + $openvpn_allow_limited = $openvpn['allow_limited'] + $openvpn_limited_prefix = $openvpn['limited_prefix'] + $openvpn_rate_limit = $openvpn['rate_limit'] $openvpn_limited_tcp_network_prefix = '10.43.0' $openvpn_limited_tcp_netmask = '255.255.248.0' $openvpn_limited_tcp_cidr = '21' @@ -90,7 +91,8 @@ class site_openvpn { tls_remote => "\"${openvpn_unlimited_prefix}\"", server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", - management => '127.0.0.1 1000' + management => '127.0.0.1 1000', + config => $openvpn_config } site_openvpn::server_config { 'udp_config': port => '1194', @@ -99,7 +101,8 @@ class site_openvpn { tls_remote => "\"${openvpn_unlimited_prefix}\"", server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", - management => '127.0.0.1 1001' + management => '127.0.0.1 1001', + config => $openvpn_config } } else { tidy { '/etc/openvpn/tcp_config.conf': } @@ -114,7 +117,8 @@ class site_openvpn { tls_remote => "\"${openvpn_limited_prefix}\"", server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", - management => '127.0.0.1 1002' + management => '127.0.0.1 1002', + config => $openvpn_config } site_openvpn::server_config { 'limited_udp_config': port => '1194', @@ -123,7 +127,8 @@ class site_openvpn { tls_remote => "\"${openvpn_limited_prefix}\"", server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"", - management => '127.0.0.1 1003' + management => '127.0.0.1 1003', + config => $openvpn_config } } else { tidy { '/etc/openvpn/limited_tcp_config.conf': } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index befeaef7..6246a836 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -54,7 +54,7 @@ define site_openvpn::server_config( $port, $proto, $local, $server, $push, - $management, $tls_remote = undef) { + $management, $config, $tls_remote = undef) { $openvpn_configname = $name @@ -96,15 +96,15 @@ define site_openvpn::server_config( server => $openvpn_configname; "tls-cipher ${openvpn_configname}": key => 'tls-cipher', - value => 'DHE-RSA-AES128-SHA', + value => $config['tls-cipher'], server => $openvpn_configname; "auth ${openvpn_configname}": key => 'auth', - value => 'SHA1', + value => $config['auth'], server => $openvpn_configname; "cipher ${openvpn_configname}": key => 'cipher', - value => 'AES-128-CBC', + value => $config['cipher'], server => $openvpn_configname; "dev ${openvpn_configname}": key => 'dev', -- cgit v1.2.3 From 482c3d5a77d05043f5276d4f19168d2b777d3ef0 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 23 Mar 2014 16:11:32 -0700 Subject: modules/site_static: part 1 - amber --- puppet/manifests/site.pp | 5 +++++ .../modules/site_config/manifests/packages/base.pp | 16 -------------- .../manifests/packages/build_essential.pp | 8 +++++++ .../site_config/manifests/packages/uninstall.pp | 20 +++++++++++++++++ puppet/modules/site_config/manifests/params.pp | 1 + puppet/modules/site_config/manifests/ruby/dev.pp | 2 ++ puppet/modules/site_static/README | 3 +++ puppet/modules/site_static/manifests/domain.pp | 9 ++++++++ puppet/modules/site_static/manifests/init.pp | 13 +++++++++++ puppet/modules/site_static/manifests/location.pp | 25 ++++++++++++++++++++++ 10 files changed, 86 insertions(+), 16 deletions(-) create mode 100644 puppet/modules/site_config/manifests/packages/build_essential.pp create mode 100644 puppet/modules/site_config/manifests/packages/uninstall.pp create mode 100644 puppet/modules/site_static/README create mode 100644 puppet/modules/site_static/manifests/domain.pp create mode 100644 puppet/modules/site_static/manifests/init.pp create mode 100644 puppet/modules/site_static/manifests/location.pp (limited to 'puppet') diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index def0a642..ff8f8c6c 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -38,3 +38,8 @@ if $services =~ /\bmx\b/ { include site_mx } +if $services =~ /\bstatic\b/ { + include site_static +} + +include site_config::packages::uninstall \ No newline at end of file diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 9d416043..28aa4dbb 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -1,7 +1,5 @@ class site_config::packages::base { - include site_config::params - # base set of packages that we want to have installed everywhere package { [ 'etckeeper', 'screen', 'less', 'ntp' ]: ensure => installed, @@ -16,18 +14,4 @@ class site_config::packages::base { 'x11-utils', 'xterm' ]: ensure => absent; } - - if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ { - $dev_packages_ensure = present - } else { - $dev_packages_ensure = absent - } - - # g++ and ruby1.9.1-dev are needed for nickserver/eventmachine (#4079) - # dev_packages are needed for building gems on the webapp node - - package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $dev_packages_ensure - } } diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp new file mode 100644 index 00000000..c9efaafb --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/build_essential.pp @@ -0,0 +1,8 @@ +# +# include this whenever you want to ensure build-essential package and related compilers are installed. +# +class site_config::packages::build_essential { + if $install_build_essential == undef { + $install_build_essential = true + } +} \ No newline at end of file diff --git a/puppet/modules/site_config/manifests/packages/uninstall.pp b/puppet/modules/site_config/manifests/packages/uninstall.pp new file mode 100644 index 00000000..2919cc96 --- /dev/null +++ b/puppet/modules/site_config/manifests/packages/uninstall.pp @@ -0,0 +1,20 @@ +# +# this should be included last to allow other modules to set $::install_build_packages +# +class site_config::packages::uninstall { + + if $site_config::packages::build_essential::install_essential == true { + $dev_packages_ensure = present + } else { + $dev_packages_ensure = absent + } + + # generally, dev packages are needed for installing ruby gems with native extensions. + # (nickserver, webapp, etc) + + package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', + 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: + ensure => $dev_packages_ensure + } + +} \ No newline at end of file diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 5bdc0077..012b3ce0 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -8,6 +8,7 @@ class site_config::params { if $environment == 'local' { $interface = 'eth1' + include site_config::packages::build_essential } elsif hiera('interface','') != '' { $interface = hiera('interface') diff --git a/puppet/modules/site_config/manifests/ruby/dev.pp b/puppet/modules/site_config/manifests/ruby/dev.pp index dbc77ae7..3ea6ca96 100644 --- a/puppet/modules/site_config/manifests/ruby/dev.pp +++ b/puppet/modules/site_config/manifests/ruby/dev.pp @@ -3,4 +3,6 @@ class site_config::ruby::dev inherits site_config::ruby { ruby_version => '1.9.3', install_dev => true } + # building gems locally probably requires build-essential and gcc: + include site_config::packages::build_essential } diff --git a/puppet/modules/site_static/README b/puppet/modules/site_static/README new file mode 100644 index 00000000..bc719782 --- /dev/null +++ b/puppet/modules/site_static/README @@ -0,0 +1,3 @@ +Deploy one or more static websites to a node. + +For now, it only supports `amber` based static sites. Should support plain html and jekyll in the future. diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp new file mode 100644 index 00000000..48284106 --- /dev/null +++ b/puppet/modules/site_static/manifests/domain.pp @@ -0,0 +1,9 @@ +define site_static::domain ( + $locations, + $ca_cert, + $key, + $cert, + $tls_only) { + + create_resources(site_static::location, $locations) +} diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp new file mode 100644 index 00000000..cc447cf7 --- /dev/null +++ b/puppet/modules/site_static/manifests/init.pp @@ -0,0 +1,13 @@ +class site_static { + tag 'leap_service' + $static = hiera('static') + $domains = $static['domains'] + $formats = $static['formats'] + + if (member($formats, 'amber')) { + include site_config::ruby::dev + rubygems::gem{'amber': } + } + + create_resources(site_static::domain, $domains) +} \ No newline at end of file diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp new file mode 100644 index 00000000..1ba6807e --- /dev/null +++ b/puppet/modules/site_static/manifests/location.pp @@ -0,0 +1,25 @@ +define site_static::location($path, $format, $source) { + + $file_path = "/srv/static/${name}" + + if ($format == 'amber') { + exec {"amber_build_${name}": + cwd => $file_path, + command => 'amber rebuild', + user => 'www-data', + timeout => 600, + subscribe => Vcsrepo[$file_path] + } + } + + vcsrepo { $file_path: + ensure => present, + force => true, + revision => $source['revision'], + provider => $source['type'], + source => $source['repo'], + owner => 'www-data', + group => 'www-data' + } + +} -- cgit v1.2.3 From b45d265a08884a65e7100e34067a0d8c390da8f0 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Mon, 24 Mar 2014 08:07:18 +0100 Subject: fixes #5360 adds admin@ as reserved address + linting --- puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp index aea66f78..83e27376 100644 --- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp +++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp @@ -1,11 +1,13 @@ +# Defines which mail addresses shouldn't be available and where they should fwd class site_postfix::mx::reserved_aliases { postfix::mailalias { - [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin', - 'arin-admin', 'administrator', 'webmaster', 'www-data', 'www', - 'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games', - 'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp', - 'ftp' ]: + [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron', + 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp', + 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql', + 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www', + 'www-data', + ]: ensure => present, recipient => 'root' } -- cgit v1.2.3 From 51f320178a58d7a05860cfd8d6129a16cd4ca9d8 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 24 Mar 2014 01:47:46 -0700 Subject: modules/site_static: part 2 - apache --- puppet/modules/site_static/manifests/domain.pp | 19 ++++ puppet/modules/site_static/manifests/init.pp | 4 + .../modules/site_static/templates/apache.conf.erb | 109 +++++++++++++++++++++ 3 files changed, 132 insertions(+) create mode 100644 puppet/modules/site_static/templates/apache.conf.erb (limited to 'puppet') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 48284106..8af2230f 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -5,5 +5,24 @@ define site_static::domain ( $cert, $tls_only) { + $domain = $name + $base_dir = '/srv/static' + create_resources(site_static::location, $locations) + + x509::cert { $domain: content => $cert } + x509::key { $domain: content => $key } + x509::ca { "${domain}_ca": content => $ca_cert } + + class { '::apache': no_default_site => true, ssl => true } + include site_apache::module::headers + include site_apache::module::alias + include site_apache::module::expires + include site_apache::module::removeip + include site_apache::module::rewrite + + apache::vhost::file { $domain: + content => template('site_static/apache.conf.erb') + } + } diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index cc447cf7..91a4a7a9 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -10,4 +10,8 @@ class site_static { } create_resources(site_static::domain, $domains) + + include site_shorewall::defaults + include site_shorewall::service::http + include site_shorewall::service::https } \ No newline at end of file diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb new file mode 100644 index 00000000..76534911 --- /dev/null +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -0,0 +1,109 @@ +<%- + ## + ## An apache config for static websites. + ## + def location_directory(name, location) + if location['format'] == 'amber' + File.join(@base_dir, name, 'public') + else + File.join(@base_dir, name) + end + end + document_root = '/var/www' + @locations.each do |name, location| + if location['path'] == '/' + document_root = location_directory(name, location) + end + end +-%> + + + ServerName <%= @domain %> + ServerAlias www.<%= @domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= @domain %> + ServerAlias www.<%= @domain %> + + #RewriteLog "/var/log/apache2/rewrite.log" + #RewriteLogLevel 3 + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" + Header set X-Frame-Options "deny" + + SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key + SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt + SSLCertificateChainFile /etc/ssl/certs/<%= @domain %>_ca.pem + + RequestHeader set X_FORWARDED_PROTO 'https' + + DocumentRoot <%= document_root %> + +<%- @locations.each do |name, location| -%> + ## + ## <%= name %> + ## + <%- if location['path'] == '/' -%> + # Location / + <%- else -%> + Alias <%= location['path'] %> <%= location_directory(name, location) %> + > + <%- end -%> + # remove trailing slashes + RewriteEngine On + RewriteRule ^(.+)/$ /$1 [R=301,L] + + # e.g. /de/blah => /blah/index.de.html + RewriteCond %{DOCUMENT_ROOT}/$2/index.$1.html -f + RewriteRule ^/([a-z]{2})/(.*) /$2/index.$1.html [L] + + # e.g. /de/foo/bar => /foo/bar.de.html + RewriteCond %{DOCUMENT_ROOT}/$2.$1.html -f + RewriteRule ^/([a-z]{2})/(.*) /$2.$1.html [L] + + # e.g. /de => /index.de.html + RewriteCond %{DOCUMENT_ROOT}/index.$1.html -f + RewriteRule ^/([a-z]{2})$ /index.$1.html [L] + + # e.g. /de/img.png => /img.png + RewriteCond %{DOCUMENT_ROOT}/$2 -f + RewriteRule ^/([a-z]{2})/(.*) /$2 [L] + + # Simulate "DirectorySlash On" + # e.g. /foo/bar => /foo/bar/ (so that MultiViews will negotiate correct locale file) + RewriteCond %{DOCUMENT_ROOT}/$1 -d + RewriteRule ^/(.*[^/])$ /$1/ [PT] + <%- if location['path'] == '/' -%> + # end Location / + <%- else -%> + + <%- end -%> + > + ## + ## PERMISSIONS + ## + AllowOverride None + Order deny,allow + Allow from all + + ## + ## LOCALE SUPPORT (e.g. index.en.html) + ## + LanguagePriority en + ForceLanguagePriority Prefer Fallback + DirectoryIndex index + DirectorySlash Off + Options +MultiViews + + +<%- end -%> + + -- cgit v1.2.3 From 1ebece7b07ee721eb888873e47fa512a6a42f807 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Mar 2014 08:31:20 +0100 Subject: ignore openvpn TLS initialization errors (Feature #5374) --- .../site_check_mk/files/agent/logwatch/syslog/openvpn.cfg | 7 +++++++ puppet/modules/site_check_mk/manifests/agent/openvpn.pp | 10 ++++++++++ puppet/modules/site_openvpn/manifests/init.pp | 3 +++ 3 files changed, 20 insertions(+) create mode 100644 puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg create mode 100644 puppet/modules/site_check_mk/manifests/agent/openvpn.pp (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg new file mode 100644 index 00000000..d58e876d --- /dev/null +++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg @@ -0,0 +1,7 @@ +# ignore openvpn TLS initialization errors when clients +# suddenly hangup before properly establishing +# a tls connection + I ovpn-.*TLS Error: Unroutable control packet received from + I ovpn-.*TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) + I ovpn-.*TLS Error: TLS handshake failed + diff --git a/puppet/modules/site_check_mk/manifests/agent/openvpn.pp b/puppet/modules/site_check_mk/manifests/agent/openvpn.pp new file mode 100644 index 00000000..919a408d --- /dev/null +++ b/puppet/modules/site_check_mk/manifests/agent/openvpn.pp @@ -0,0 +1,10 @@ +class site_check_mk::agent::openvpn { + + # check syslog + concat::fragment { 'syslog_openpvn': + source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/openvpn.cfg', + target => '/etc/check_mk/logwatch.d/syslog.cfg', + order => '02'; + } + +} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index 42146741..4c2a3967 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -213,4 +213,7 @@ class site_openvpn { target => '/etc/default/openvpn', order => 10; } + + include site_check_mk::agent::openvpn + } -- cgit v1.2.3 From c946f47448e0b902d227492c33c5f56998a82875 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Mar 2014 22:25:08 +0100 Subject: couch node: same packages removed on every (second ?) puppetrun (Feature #5018) --- puppet/modules/site_config/manifests/packages/base.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index 9d416043..9f802771 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -17,10 +17,12 @@ class site_config::packages::base { ensure => absent; } - if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ { - $dev_packages_ensure = present + if $::site_config::params::environment == 'local' + or $::services =~ /\bwebapp\b/ + or $::services =~ /\bcouchdb\b/ { + $dev_packages_ensure = present } else { - $dev_packages_ensure = absent + $dev_packages_ensure = absent } # g++ and ruby1.9.1-dev are needed for nickserver/eventmachine (#4079) -- cgit v1.2.3 From 1457c4a85ad3e7f2fbdc6f969b801542b3396581 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 25 Mar 2014 23:42:19 +0100 Subject: Move setup.pp to a subclass (site_config::setup) (Feature #2993) --- puppet/manifests/setup.pp | 36 +----------------- puppet/manifests/site.pp | 1 + puppet/modules/site_config/manifests/default.pp | 26 ------------- puppet/modules/site_config/manifests/setup.pp | 49 +++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 61 deletions(-) create mode 100644 puppet/modules/site_config/manifests/setup.pp (limited to 'puppet') diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index f89b7032..4dd03203 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -1,39 +1,5 @@ # # this is applied before each run of site.pp # -$services = '' -Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } - -include site_config::params - -include concat::setup - -include site_config::hosts - -include site_config::initial_firewall - -include site_apt - -package { 'facter': - ensure => latest, - require => Exec['refresh_apt'] -} - -if hiera('squid_deb_proxy_client', false) { - include site_squid_deb_proxy::client -} - -# shorewall is installed/half-configured during setup.pp (Bug #3871) -# we need to include shorewall::interface{eth0} in setup.pp so -# packages can be installed during main puppetrun, even before shorewall -# is configured completly -if ( $::site_config::params::environment == 'local' ) { - include site_config::vagrant -} - -# if class site_custom::setup exists, include it. -# possibility for users to define custom puppet recipes -if defined( '::site_custom::setup') { - include ::site_custom::setup -} +include ::site_config::setup diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index def0a642..d83a189d 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -5,6 +5,7 @@ Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } $services=join(hiera_array('services', ['']), ' ') notice("Services for ${fqdn}: ${services}") +include site_config::setup include site_config::default # configure eip diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 53cc60f6..7e421a21 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -8,19 +8,12 @@ class site_config::default { include apt::update Package { require => Exec['apt_updated'] } - include stdlib - include site_config::slow - include concat::setup - # default class, used by all hosts include lsb, git - # configure apt - include site_apt - # configure sysctl parameters include site_config::sysctl @@ -35,21 +28,12 @@ class site_config::default { include site_config::dhclient } - if ( $::site_config::params::environment == 'local' ) { - include site_config::vagrant - } - # configure /etc/resolv.conf include site_config::resolvconf # configure caching, local resolver include site_config::caching_resolver - # configure /etc/hosts - class { 'site_config::hosts': - stage => setup, - } - # install/configure syslog include site_config::syslog @@ -67,16 +51,6 @@ class site_config::default { # set up core leap files and directories include site_config::files - # redundant declarations, remove if - # "Move setup.pp to a subclass (site_config::setup) (Feature #2993)" - # is solved. - - # if squid_deb_proxy_client is set to true, install and configure - # squid_deb_proxy_client for apt caching - if hiera('squid_deb_proxy_client', false) { - include site_squid_deb_proxy::client - } - if $::services !~ /\bmx\b/ { include site_postfix::satellite } diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp new file mode 100644 index 00000000..ffe01f53 --- /dev/null +++ b/puppet/modules/site_config/manifests/setup.pp @@ -0,0 +1,49 @@ +class site_config::setup { + + # + # this is applied before each run of site.pp + # + #$services = '' + + Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } + + include site_config::params + + include concat::setup + include stdlib + + # configure /etc/hosts + class { 'site_config::hosts': + stage => setup, + } + + include site_config::initial_firewall + + include site_apt + + package { 'facter': + ensure => latest, + require => Exec['refresh_apt'] + } + + # if squid_deb_proxy_client is set to true, install and configure + # squid_deb_proxy_client for apt caching + if hiera('squid_deb_proxy_client', false) { + include site_squid_deb_proxy::client + } + + # shorewall is installed/half-configured during setup.pp (Bug #3871) + # we need to include shorewall::interface{eth0} in setup.pp so + # packages can be installed during main puppetrun, even before shorewall + # is configured completly + if ( $::site_config::params::environment == 'local' ) { + include site_config::vagrant + } + + # if class site_custom::setup exists, include it. + # possibility for users to define custom puppet recipes + if defined( '::site_custom::setup') { + include ::site_custom::setup + } + +} -- cgit v1.2.3 From 1906f13a7df02522bcd83a3c25101555870b5279 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 1 Apr 2014 15:28:54 -0400 Subject: Include all the ips that are allowed to send mail through the relay in the mynetworks parameter. Previously we only allowed other mx servers to relay to each other, but this prevents system mail from non-mx nodes from getting out. Fixes "Helo command rejected: You are not in domain bitmask.net (in reply to RCPT TO command))" (#5343) Change-Id: I5e204958cb235808eedc3a1724fb2dc6c7a5b73b --- puppet/modules/site_postfix/manifests/mx.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index de89c26e..a37c7af9 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -4,7 +4,7 @@ class site_postfix::mx { $domain = $domain_hash['full_suffix'] $host_domain = $domain_hash['full'] $cert_name = hiera('name') - $mynetworks = join(hiera('mx_nodes'), ' ') + $mynetworks = join(hiera('mynetworks'), ' ') $root_mail_recipient = hiera ('contacts') $postfix_smtp_listen = 'all' -- cgit v1.2.3 From 905a5260ec476acd7d49ac47433aeaddb382527f Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 2 Apr 2014 13:29:29 +0200 Subject: couch design docs should be always deployed, not only on update of the design docs json files (Feature #5359) --- puppet/modules/site_couchdb/manifests/designs.pp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp index 83d6c8cd..9e88de64 100644 --- a/puppet/modules/site_couchdb/manifests/designs.pp +++ b/puppet/modules/site_couchdb/manifests/designs.pp @@ -12,9 +12,8 @@ class site_couchdb::designs { } exec { '/srv/leap/couchdb/scripts/load_design_documents.sh': - subscribe => File['/srv/leap/couchdb/designs'], - refreshonly => true, - require => Vcsrepo['/srv/leap/couchdb/scripts'] + require => Vcsrepo['/srv/leap/couchdb/scripts'], + refreshonly => false } } -- cgit v1.2.3 From b12c315edef56515321306a692d0f2098f4e8ee0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 2 Apr 2014 12:38:28 -0400 Subject: Fix for satellite hosts that are unable to contact their relayhost because the DNS lookup is either impossible (.local domain), or incorrect (certain openstack/amazon/piston cloud configurations create this setup when the relayhost is in the same cluster as the satellite). Fixes #5225 Change-Id: Ifbc201678f2c0e97ee0e12bbf1c7f71d035d45c1 --- puppet/modules/site_postfix/manifests/satellite.pp | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp index 7be51b22..f5d5c7b7 100644 --- a/puppet/modules/site_postfix/manifests/satellite.pp +++ b/puppet/modules/site_postfix/manifests/satellite.pp @@ -10,5 +10,29 @@ class site_postfix::satellite { root_mail_recipient => $root_mail_recipient } + # There are special conditions for satellite hosts that will make them not be + # able to contact their relayhost: + # + # 1. they are on openstack/amazon/PC and are on the same cluster as the relay + # host, the MX lookup for the relay host will use the public IP, which cannot + # be contacted + # + # 2. When a domain is used that is not in DNS, because it is internal, + # a testing domain, etc. eg. a .local domain cannot be looked up in DNS + # + # to resolve this, so the satellite can contact the relayhost, we need to set + # the http://www.postfix.org/postconf.5.html#smtp_host_lookup to be 'native' + # which will cause the lookup to use the native naming service + # (nsswitch.conf), which typically defaults to 'files, dns' allowing the + # /etc/hosts to be consulted first, then DNS if the entry doesn't exist. + # + # NOTE: this will make it not possible to enable DANE support through DNSSEC + # with http://www.postfix.org/postconf.5.html#smtp_dns_support_level - but + # this parameter is not available until 2.11. If this ends up being important + # we could also make this an optional parameter for providers without + # dns / local domains + + postfix::config { 'smtp_host_lookup': value => 'native'; } + include site_postfix::mx::smtp_tls } -- cgit v1.2.3 From 5cca6d100ffd991e6f943d916361bf0497728d70 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 2 Apr 2014 13:17:20 -0400 Subject: Update TLS apache vhost TLS configuration (#5137): . We want to allow for TLS1.2 to be enabled (supported in wheezy) . Explicitly disable SSLCompression. This aids in protecting against the BREACH attack: see http://breachattack.com), and SPDY version 3 is vulnerable to the CRIME attack when compression is on . Switch the cipher suites to match https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for these reasons: . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many implementations support this, and there are no known attacks). . Prefer AES128 to AES256 because the key schedule in AES256 is considered weaker, and maybe AES128 is more resistant to timing attacks . Prefer AES to RC4. BEAST attacks on AES are mitigated in >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and likely to become more dangerous . RC4 is on the path to removal, but still present for backward compatibility Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043 --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 5 +++-- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 5f1f4c1d..3360ac59 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -10,9 +10,10 @@ Listen 0.0.0.0:<%= api_port %> ServerName <%= api_domain %> SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 30f0a6b1..ed430510 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -11,9 +11,10 @@ ServerAlias www.<%= domain %> SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt -- cgit v1.2.3 From 1551f785c5c7c515781995928eec7659365d8988 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 2 Apr 2014 15:35:01 -0400 Subject: Force satellite hosts that only speak to relayhost to have a smtp_tls_security_level of 'encrypt', so it is not optional (#1902) Change-Id: I61ad0823e3eb8df6c224767d63f0911dcba42a16 --- puppet/modules/site_postfix/manifests/mx.pp | 4 ++++ puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 2 -- puppet/modules/site_postfix/manifests/satellite.pp | 11 ++++++++++- 3 files changed, 14 insertions(+), 3 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index a37c7af9..bdfee665 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -31,6 +31,10 @@ class site_postfix::mx { value => 'vmail'; 'smtpd_tls_received_header': value => 'yes'; + # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls + # because the satellites need to have a different value + 'smtp_tls_security_level': + value => 'may'; } include site_postfix::mx::smtpd_checks diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp index 3cc7ea72..d9b59f40 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp @@ -20,8 +20,6 @@ class site_postfix::mx::smtp_tls { value => 'sha1'; 'smtp_tls_session_cache_database': value => 'btree:${data_directory}/smtp_cache'; - 'smtp_tls_security_level': - value => 'may'; # see issue #4011 'smtp_tls_protocols': value => '!SSLv2, !SSLv3'; diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp index f5d5c7b7..5725e6b8 100644 --- a/puppet/modules/site_postfix/manifests/satellite.pp +++ b/puppet/modules/site_postfix/manifests/satellite.pp @@ -32,7 +32,16 @@ class site_postfix::satellite { # we could also make this an optional parameter for providers without # dns / local domains - postfix::config { 'smtp_host_lookup': value => 'native'; } + postfix::config { + 'smtp_host_lookup': + value => 'native'; + + # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls + # because the mx server has to have a different value + 'smtp_tls_security_level': + value => 'encrypt'; + } include site_postfix::mx::smtp_tls + } -- cgit v1.2.3 From c07e3d075149af0bbcd840ad0743df46d3baca5f Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 5 Apr 2014 11:39:03 -0700 Subject: update site_static to work with new amber and have better tls ciphers --- .../modules/site_static/templates/apache.conf.erb | 70 ++++++---------------- 1 file changed, 19 insertions(+), 51 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 76534911..2abe1a98 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -15,6 +15,7 @@ document_root = location_directory(name, location) end end + document_root = document_root.gsub(%r{^/|/$}, '') -%> @@ -32,9 +33,10 @@ #RewriteLogLevel 3 SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" Header set X-Frame-Options "deny" @@ -45,64 +47,30 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot <%= document_root %> + DocumentRoot "/<%= document_root %>/" + AccessFileName .htaccess <%- @locations.each do |name, location| -%> + <%- path = location['path'].gsub(%r{^/|/$}, '') -%> + <%- directory = location_directory(name, location) -%> ## ## <%= name %> ## - <%- if location['path'] == '/' -%> - # Location / - <%- else -%> - Alias <%= location['path'] %> <%= location_directory(name, location) %> - > - <%- end -%> - # remove trailing slashes - RewriteEngine On - RewriteRule ^(.+)/$ /$1 [R=301,L] - - # e.g. /de/blah => /blah/index.de.html - RewriteCond %{DOCUMENT_ROOT}/$2/index.$1.html -f - RewriteRule ^/([a-z]{2})/(.*) /$2/index.$1.html [L] - - # e.g. /de/foo/bar => /foo/bar.de.html - RewriteCond %{DOCUMENT_ROOT}/$2.$1.html -f - RewriteRule ^/([a-z]{2})/(.*) /$2.$1.html [L] - - # e.g. /de => /index.de.html - RewriteCond %{DOCUMENT_ROOT}/index.$1.html -f - RewriteRule ^/([a-z]{2})$ /index.$1.html [L] - - # e.g. /de/img.png => /img.png - RewriteCond %{DOCUMENT_ROOT}/$2 -f - RewriteRule ^/([a-z]{2})/(.*) /$2 [L] - - # Simulate "DirectorySlash On" - # e.g. /foo/bar => /foo/bar/ (so that MultiViews will negotiate correct locale file) - RewriteCond %{DOCUMENT_ROOT}/$1 -d - RewriteRule ^/(.*[^/])$ /$1/ [PT] - <%- if location['path'] == '/' -%> - # end Location / + <%- if path == '' -%> + /"> + AllowOverride FileInfo Indexes Options=All,MultiViews + Order deny,allow + Allow from all + <%- else -%> - - <%- end -%> - > - ## - ## PERMISSIONS - ## - AllowOverride None + AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1" + Alias /<%=path%> "/<%=directory%>/" + /"> + AllowOverride FileInfo Indexes Options=All,MultiViews Order deny,allow Allow from all - - ## - ## LOCALE SUPPORT (e.g. index.en.html) - ## - LanguagePriority en - ForceLanguagePriority Prefer Fallback - DirectoryIndex index - DirectorySlash Off - Options +MultiViews + <%- end -%> <%- end -%> -- cgit v1.2.3 From bafcfdf7643bcfa5715b5517578e0d9ca2eb399e Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 5 Apr 2014 11:49:53 -0700 Subject: better system for optionally uninstalling build-essential package. closes https://leap.se/code/issues/5426 --- .../site_config/manifests/packages/build_essential.pp | 7 +++++-- .../site_config/manifests/packages/uninstall.pp | 18 +++++++----------- 2 files changed, 12 insertions(+), 13 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp index c9efaafb..7dfb8b03 100644 --- a/puppet/modules/site_config/manifests/packages/build_essential.pp +++ b/puppet/modules/site_config/manifests/packages/build_essential.pp @@ -2,7 +2,10 @@ # include this whenever you want to ensure build-essential package and related compilers are installed. # class site_config::packages::build_essential { - if $install_build_essential == undef { - $install_build_essential = true + if !defined(Package['build-essential']) { + package { + ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']: + ensure => present + } } } \ No newline at end of file diff --git a/puppet/modules/site_config/manifests/packages/uninstall.pp b/puppet/modules/site_config/manifests/packages/uninstall.pp index 2919cc96..12f527d9 100644 --- a/puppet/modules/site_config/manifests/packages/uninstall.pp +++ b/puppet/modules/site_config/manifests/packages/uninstall.pp @@ -1,20 +1,16 @@ # -# this should be included last to allow other modules to set $::install_build_packages +# Uninstall build-essential and compilers, unless they have been explicitly installed elsewhere. # class site_config::packages::uninstall { - - if $site_config::packages::build_essential::install_essential == true { - $dev_packages_ensure = present - } else { - $dev_packages_ensure = absent - } + tag 'leap_base' # generally, dev packages are needed for installing ruby gems with native extensions. # (nickserver, webapp, etc) - package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc', - 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: - ensure => $dev_packages_ensure + if !defined(Package['build-essential']) { + package { + ['build-essential', 'g++', 'g++-4.7', 'gcc', 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev']: + ensure => purged + } } - } \ No newline at end of file -- cgit v1.2.3 From 4a0feb8fa663c1c73c47f3298c1f303dffd942cc Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 5 Apr 2014 12:39:01 -0700 Subject: openvpn: allow for configurable keepalive (aka ping & ping-restart) closes https://leap.se/code/issues/4127 --- puppet/modules/site_openvpn/manifests/server_config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6246a836..b1f4997c 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -115,7 +115,7 @@ define site_openvpn::server_config( server => $openvpn_configname; "keepalive ${openvpn_configname}": key => 'keepalive', - value => '5 20', + value => $config['keepalive'], server => $openvpn_configname; "local ${openvpn_configname}": key => 'local', -- cgit v1.2.3 From e3d4c14648ff4e108cec28112c119ee7115a44cb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 8 Apr 2014 16:39:40 +0200 Subject: fix check_mk resource dependency deploy errors (Bug #5272) --- puppet/modules/site_check_mk/manifests/agent.pp | 20 ++++++++++---------- puppet/modules/site_check_mk/manifests/agent/mx.pp | 5 +++-- .../modules/site_check_mk/manifests/agent/webapp.pp | 10 ++++++---- 3 files changed, 19 insertions(+), 16 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_check_mk/manifests/agent.pp b/puppet/modules/site_check_mk/manifests/agent.pp index b752182e..589041eb 100644 --- a/puppet/modules/site_check_mk/manifests/agent.pp +++ b/puppet/modules/site_check_mk/manifests/agent.pp @@ -4,7 +4,7 @@ class site_check_mk::agent { $pubkey = $ssh_hash['authorized_keys']['monitor']['key'] $type = $ssh_hash['authorized_keys']['monitor']['type'] - include site_apt::preferences::check_mk + class { 'site_apt::preferences::check_mk': } -> class { 'check_mk::agent': agent_package_name => 'check-mk-agent', @@ -12,17 +12,17 @@ class site_check_mk::agent { method => 'ssh', homedir => '/etc/nagios/check_mk', register_agent => false - } + } -> - file { [ '/srv/leap/nagios', '/srv/leap/nagios/plugins' ]: - ensure => directory, - } + class { 'site_check_mk::agent::mrpe': } -> + class { 'site_check_mk::agent::logwatch': } -> - file { '/usr/lib/check_mk_agent/local/run_node_tests.sh': - source => 'puppet:///modules/site_check_mk/agent/local_checks/all_hosts/run_node_tests.sh', - mode => '0755' + file { + [ '/srv/leap/nagios', '/srv/leap/nagios/plugins' ]: + ensure => directory; + '/usr/lib/check_mk_agent/local/run_node_tests.sh': + source => 'puppet:///modules/site_check_mk/agent/local_checks/all_hosts/run_node_tests.sh', + mode => '0755'; } - include site_check_mk::agent::mrpe - include site_check_mk::agent::logwatch } diff --git a/puppet/modules/site_check_mk/manifests/agent/mx.pp b/puppet/modules/site_check_mk/manifests/agent/mx.pp index 2dd50400..35a4e9a5 100644 --- a/puppet/modules/site_check_mk/manifests/agent/mx.pp +++ b/puppet/modules/site_check_mk/manifests/agent/mx.pp @@ -15,8 +15,9 @@ class site_check_mk::agent::mx { # check stale files in queue dir file { '/usr/lib/check_mk_agent/local/check_leap_mx.sh': - source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh', - mode => '0755' + source => 'puppet:///modules/site_check_mk/agent/local_checks/mx/check_leap_mx.sh', + mode => '0755', + require => Package['check_mk-agent'] } } diff --git a/puppet/modules/site_check_mk/manifests/agent/webapp.pp b/puppet/modules/site_check_mk/manifests/agent/webapp.pp index cb160d83..64f5ea6d 100644 --- a/puppet/modules/site_check_mk/manifests/agent/webapp.pp +++ b/puppet/modules/site_check_mk/manifests/agent/webapp.pp @@ -5,12 +5,14 @@ class site_check_mk::agent::webapp { ensure => installed } file { '/usr/lib/check_mk_agent/local/nagios-webapp_login.py': - ensure => link, - target => '/srv/leap/webapp/test/nagios/webapp_login.py' + ensure => link, + target => '/srv/leap/webapp/test/nagios/webapp_login.py', + require => Package['check_mk-agent'] } file { '/usr/lib/check_mk_agent/local/soledad_sync.py': - ensure => link, - target => '/srv/leap/webapp/test/nagios/soledad_sync.py' + ensure => link, + target => '/srv/leap/webapp/test/nagios/soledad_sync.py', + require => Package['check_mk-agent'] } -- cgit v1.2.3 From 740cb615eae69235a649583359e23d834df0d7b5 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 9 Apr 2014 11:53:26 +0200 Subject: #5315 update soledad design docs --- .../site_couchdb/files/designs/shared/docs.json | 14 +++++--------- .../site_couchdb/files/designs/shared/syncs.json | 16 ++++++++-------- .../files/designs/shared/transactions.json | 19 ++++++++++--------- 3 files changed, 23 insertions(+), 26 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/files/designs/shared/docs.json b/puppet/modules/site_couchdb/files/designs/shared/docs.json index 4aad02aa..004180cd 100644 --- a/puppet/modules/site_couchdb/files/designs/shared/docs.json +++ b/puppet/modules/site_couchdb/files/designs/shared/docs.json @@ -1,12 +1,8 @@ { - "views" : { - "get" : { - "map" : "function(doc) {\n if (doc.u1db_rev) {\n var is_tombstone = true;\n var has_conflicts = false;\n if (doc._attachments) {\n if (doc._attachments.u1db_content)\n is_tombstone = false;\n if (doc._attachments.u1db_conflicts)\n has_conflicts = true;\n }\n emit(doc._id,\n {\n \"couch_rev\": doc._rev,\n \"u1db_rev\": doc.u1db_rev,\n \"is_tombstone\": is_tombstone,\n \"has_conflicts\": has_conflicts,\n }\n );\n }\n}\n" + "_id": "_design/docs", + "views": { + "get": { + "map": "function(doc) {\n if (doc.u1db_rev) {\n var is_tombstone = true;\n var has_conflicts = false;\n if (doc._attachments) {\n if (doc._attachments.u1db_content)\n is_tombstone = false;\n if (doc._attachments.u1db_conflicts)\n has_conflicts = true;\n }\n emit(doc._id,\n {\n \"couch_rev\": doc._rev,\n \"u1db_rev\": doc.u1db_rev,\n \"is_tombstone\": is_tombstone,\n \"has_conflicts\": has_conflicts,\n }\n );\n }\n}\n" } - }, - "_id" : "_design/docs", - "updates" : { - "resolve_doc" : "function(doc, req){\n /* we expect to receive the following in `req.body`:\n * {\n * 'couch_rev': '',\n * 'conflicts': '',\n * }\n */\n var body = JSON.parse(req.body);\n\n // fail if no document was given\n if (!doc) {\n return [null, 'document does not exist']\n } \n\n // fail if couch revisions do not match\n if (body['couch_rev'] != null\n && doc['_rev'] != body['couch_rev']) {\n return [null, 'revision conflict']\n }\n\n // fail if conflicts were not sent\n if (body['conflicts'] == null)\n return [null, 'missing conflicts']\n\n // save conflicts as attachment if they were sent\n if (body['conflicts'] != null) {\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_conflicts = {\n content_type: \"application/octet-stream\",\n data: body['conflicts'] // should be base64 encoded\n }\n }\n // or delete attachment if there are no conflicts\n else if (doc._attachments && doc._attachments.u1db_conflicts)\n delete doc._attachments.u1db_conflicts;\n\n return [doc, 'ok'];\n}\n", - "put" : "function(doc, req){\n /* we expect to receive the following in `req.body`:\n * {\n * 'couch_rev': '',\n * 'u1db_rev': '',\n * 'content': '',\n * 'trans_id': ''\n * 'conflicts': '',\n * 'update_conflicts': \n * }\n */\n var body = JSON.parse(req.body);\n\n // create a new document document\n if (!doc) {\n doc = {}\n doc['_id'] = req['id'];\n }\n // or fail if couch revisions do not match\n else if (doc['_rev'] != body['couch_rev']) {\n // of fail if revisions do not match\n return [null, 'revision conflict']\n }\n\n // store u1db rev\n doc.u1db_rev = body['u1db_rev'];\n\n // save content as attachment\n if (body['content'] != null) {\n // save u1db content as attachment\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_content = {\n content_type: \"application/octet-stream\",\n data: body['content'] // should be base64 encoded\n };\n }\n // or delete the attachment if document is tombstone\n else if (doc._attachments &&\n doc._attachments.u1db_content)\n delete doc._attachments.u1db_content;\n\n // store the transaction id\n if (!doc.u1db_transactions)\n doc.u1db_transactions = [];\n var d = new Date();\n doc.u1db_transactions.push([d.getTime(), body['trans_id']]);\n\n // save conflicts as attachment if they were sent\n if (body['update_conflicts'])\n if (body['conflicts'] != null) {\n if (!doc._attachments)\n doc._attachments = {};\n doc._attachments.u1db_conflicts = {\n content_type: \"application/octet-stream\",\n data: body['conflicts'] // should be base64 encoded\n }\n } else {\n if(doc._attachments && doc._attachments.u1db_conflicts)\n delete doc._attachments.u1db_conflicts\n }\n\n return [doc, 'ok'];\n}\n" } -} +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/shared/syncs.json b/puppet/modules/site_couchdb/files/designs/shared/syncs.json index 0df5ff74..bab5622f 100644 --- a/puppet/modules/site_couchdb/files/designs/shared/syncs.json +++ b/puppet/modules/site_couchdb/files/designs/shared/syncs.json @@ -1,11 +1,11 @@ { - "views" : { - "log" : { - "map" : "function(doc) {\n if (doc._id == 'u1db_sync_log') {\n if (doc.syncs)\n doc.syncs.forEach(function (entry) {\n emit(entry[0],\n {\n 'known_generation': entry[1],\n 'known_transaction_id': entry[2]\n });\n });\n }\n}\n" + "_id": "_design/syncs", + "updates": { + "put": "function(doc, req){\n if (!doc) {\n doc = {}\n doc['_id'] = 'u1db_sync_log';\n doc['syncs'] = [];\n }\n body = JSON.parse(req.body);\n // remove outdated info\n doc['syncs'] = doc['syncs'].filter(\n function (entry) {\n return entry[0] != body['other_replica_uid'];\n }\n );\n // store u1db rev\n doc['syncs'].push([\n body['other_replica_uid'],\n body['other_generation'],\n body['other_transaction_id']\n ]);\n return [doc, 'ok'];\n}\n\n" + }, + "views": { + "log": { + "map": "function(doc) {\n if (doc._id == 'u1db_sync_log') {\n if (doc.syncs)\n doc.syncs.forEach(function (entry) {\n emit(entry[0],\n {\n 'known_generation': entry[1],\n 'known_transaction_id': entry[2]\n });\n });\n }\n}\n" } - }, - "_id" : "_design/syncs", - "updates" : { - "put" : "function(doc, req){\n if (!doc) {\n doc = {}\n doc['_id'] = 'u1db_sync_log';\n doc['syncs'] = [];\n }\n body = JSON.parse(req.body);\n // remove outdated info\n doc['syncs'] = doc['syncs'].filter(\n function (entry) {\n return entry[0] != body['other_replica_uid'];\n }\n );\n // store u1db rev\n doc['syncs'].push([\n body['other_replica_uid'],\n body['other_generation'],\n body['other_transaction_id']\n ]);\n return [doc, 'ok'];\n}\n\n" } -} +} \ No newline at end of file diff --git a/puppet/modules/site_couchdb/files/designs/shared/transactions.json b/puppet/modules/site_couchdb/files/designs/shared/transactions.json index 8fcb84d1..106ad46c 100644 --- a/puppet/modules/site_couchdb/files/designs/shared/transactions.json +++ b/puppet/modules/site_couchdb/files/designs/shared/transactions.json @@ -1,12 +1,13 @@ { - "lists" : { - "generation" : "function(head, req) {\n var row;\n var rows=[];\n // fetch all rows\n while(row = getRow()) {\n rows.push(row);\n }\n if (rows.length > 0)\n send(JSON.stringify({\n \"generation\": rows.length,\n \"doc_id\": rows[rows.length-1]['id'],\n \"transaction_id\": rows[rows.length-1]['value']\n }));\n else\n send(JSON.stringify({\n \"generation\": 0,\n \"doc_id\": \"\",\n \"transaction_id\": \"\",\n }));\n}\n", - "whats_changed" : "function(head, req) {\n var row;\n var gen = 1;\n var old_gen = 0;\n if (req.query.old_gen)\n old_gen = parseInt(req.query['old_gen']);\n send('{\"transactions\":[\\n');\n // fetch all rows\n while(row = getRow()) {\n if (gen > old_gen) {\n if (gen > old_gen+1)\n send(',\\n');\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": row[\"id\"],\n \"transaction_id\": row[\"value\"]\n }));\n }\n gen++;\n }\n send('\\n]}');\n}\n", - "trans_id_for_gen" : "function(head, req) {\n var row;\n var rows=[];\n var i = 1;\n var gen = 1;\n if (req.query.gen)\n gen = parseInt(req.query['gen']);\n // fetch all rows\n while(row = getRow())\n rows.push(row);\n if (gen <= rows.length)\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": rows[gen-1]['id'],\n \"transaction_id\": rows[gen-1]['value'],\n }));\n else\n send('{}');\n}\n" - }, - "views" : { - "log" : { - "map" : "function(doc) {\n if (doc.u1db_transactions)\n doc.u1db_transactions.forEach(function(t) {\n emit(t[0], // use timestamp as key so the results are ordered\n t[1]); // value is the transaction_id\n });\n}\n" + "_id": "_design/transactions", + "lists": { + "generation": "function(head, req) {\n var row;\n var rows=[];\n // fetch all rows\n while(row = getRow()) {\n rows.push(row);\n }\n if (rows.length > 0)\n send(JSON.stringify({\n \"generation\": rows.length,\n \"doc_id\": rows[rows.length-1]['id'],\n \"transaction_id\": rows[rows.length-1]['value']\n }));\n else\n send(JSON.stringify({\n \"generation\": 0,\n \"doc_id\": \"\",\n \"transaction_id\": \"\",\n }));\n}\n", + "trans_id_for_gen": "function(head, req) {\n var row;\n var rows=[];\n var i = 1;\n var gen = 1;\n if (req.query.gen)\n gen = parseInt(req.query['gen']);\n // fetch all rows\n while(row = getRow())\n rows.push(row);\n if (gen <= rows.length)\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": rows[gen-1]['id'],\n \"transaction_id\": rows[gen-1]['value'],\n }));\n else\n send('{}');\n}\n", + "whats_changed": "function(head, req) {\n var row;\n var gen = 1;\n var old_gen = 0;\n if (req.query.old_gen)\n old_gen = parseInt(req.query['old_gen']);\n send('{\"transactions\":[\\n');\n // fetch all rows\n while(row = getRow()) {\n if (gen > old_gen) {\n if (gen > old_gen+1)\n send(',\\n');\n send(JSON.stringify({\n \"generation\": gen,\n \"doc_id\": row[\"id\"],\n \"transaction_id\": row[\"value\"]\n }));\n }\n gen++;\n }\n send('\\n]}');\n}\n" + }, + "views": { + "log": { + "map": "function(doc) {\n if (doc.u1db_transactions)\n doc.u1db_transactions.forEach(function(t) {\n emit(t[0], // use timestamp as key so the results are ordered\n t[1]); // value is the transaction_id\n });\n}\n" } } -} +} \ No newline at end of file -- cgit v1.2.3 From f7d82cba6684f5c7939e0ad2e4c615bbd3660f30 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 12 Apr 2014 11:51:48 -0400 Subject: make the soledad service subscribe to package changes, cert and key changes (#5499) Change-Id: Ia0efb4c129a71504a717c20e2e260a1ed83f2223 --- puppet/modules/soledad/manifests/server.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 1137080f..394e6032 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -50,8 +50,8 @@ class soledad::server { enable => true, hasstatus => true, hasrestart => true, - require => [ - Class['soledad'], + require => Class['soledad'], + subscribe => [ Package['soledad-server'], Class['Site_config::X509::Key'], Class['Site_config::X509::Cert'], -- cgit v1.2.3 From dae324f316666f65907c02877ffd566df45641f6 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 15 Apr 2014 16:54:57 +0200 Subject: fix concat::setup (#5503) --- puppet/modules/site_config/manifests/setup.pp | 1 + puppet/modules/site_config/manifests/vagrant.pp | 1 + 2 files changed, 2 insertions(+) (limited to 'puppet') diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index ffe01f53..6d89be86 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp @@ -1,4 +1,5 @@ class site_config::setup { + tag 'leap_base' # # this is applied before each run of site.pp diff --git a/puppet/modules/site_config/manifests/vagrant.pp b/puppet/modules/site_config/manifests/vagrant.pp index 04266735..8f50b305 100644 --- a/puppet/modules/site_config/manifests/vagrant.pp +++ b/puppet/modules/site_config/manifests/vagrant.pp @@ -1,6 +1,7 @@ class site_config::vagrant { # class for vagrant nodes + include site_shorewall::defaults # eth0 on vagrant nodes is the uplink if shorewall::interface { 'eth0': zone => 'net', -- cgit v1.2.3 From 5d3ece0ac0d02eb501f474bb37a59bb740c57c5d Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 8 Apr 2014 13:03:40 +0200 Subject: configure couchdb after starting shorewall (#53) --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index c67ce8c8..2bcd25dc 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -59,6 +59,7 @@ class site_couchdb { Class['site_config::default'] -> Class['couchdb::bigcouch::package::cloudant'] + -> Service['shorewall'] -> Service['couchdb'] -> Class['site_couchdb::stunnel'] -> File['/root/.netrc'] -- cgit v1.2.3 From 42d93c7a939902ace20ed5602317530473ece364 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 16 Apr 2014 16:58:32 -0400 Subject: add exec resources to run the couchdb tests to wait for nodes and cluster membership to settle, before attempting any operations (#5269, #4590, #3712) Change-Id: Ic9826dda1c242e705ce85ae218766496bdd8ecbd --- .../modules/site_couchdb/manifests/bigcouch/settle_cluster.pp | 11 +++++++++++ puppet/modules/site_couchdb/manifests/init.pp | 3 +++ 2 files changed, 14 insertions(+) create mode 100644 puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp b/puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp new file mode 100644 index 00000000..aa843e2e --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/bigcouch/settle_cluster.pp @@ -0,0 +1,11 @@ +class site_couchdb::bigcouch::settle_cluster { + + exec { 'wait_for_couch_nodes': + command => '/srv/leap/bin/run_tests --test CouchDB/Are_configured_nodes_online? --retry 6 --wait 10' + } + + exec { 'settle_cluster_membership': + command => '/srv/leap/bin/run_tests --test CouchDB/Is_cluster_membership_ok? --retry 6 --wait 10', + require => Exec['wait_for_couch_nodes'] + } +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 2bcd25dc..8c790bd2 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -64,6 +64,7 @@ class site_couchdb { -> Class['site_couchdb::stunnel'] -> File['/root/.netrc'] -> Class['site_couchdb::bigcouch::add_nodes'] + -> Class['site_couchdb::bigcouch::settle_cluster'] -> Couchdb::Create_db['users'] -> Couchdb::Create_db['tokens'] -> Couchdb::Add_user[$couchdb_webapp_user] @@ -73,6 +74,8 @@ class site_couchdb { class { 'site_couchdb::bigcouch::add_nodes': } + class { 'site_couchdb::bigcouch::settle_cluster': } + # /etc/couchdb/couchdb.netrc is deployed by couchdb::query::setup # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) # and makes life easier for the admin (i.e. using curl/wget without -- cgit v1.2.3 From af1f6d6fc248b02ef51ceedb3257579f09c8febf Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Apr 2014 09:35:17 -0400 Subject: Change couchdb ordering hints (#5269, #4590, #3712): . make the couchdb service start after the stunnels have been setup. This may improve the cluster membership coming online faster . replace the two Couchdb::Create_db ordering hints (for the 'users' and 'tokens' databases) with a generic Class['site_config::create_dbs'] hint. This makes it so we get the ordering hint for all databases, which we were not before, without having to individually list them . replace the two Couchdb::Add_user ordering hints (for the $couchdb_webapp_user and the $couchdb_soledad_user) with a generic ordering hint for Class['site_couchdb::add_users'] ordering hint. This makes it so we get the ordering hint for all the users, which we were not before, without having to individually list them Change-Id: Ia63e62d68d24e77a49d4ef928a2a8130ab7bccb9 --- puppet/modules/site_couchdb/manifests/init.pp | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 8c790bd2..d8e03e41 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -60,15 +60,13 @@ class site_couchdb { Class['site_config::default'] -> Class['couchdb::bigcouch::package::cloudant'] -> Service['shorewall'] - -> Service['couchdb'] -> Class['site_couchdb::stunnel'] + -> Service['couchdb'] -> File['/root/.netrc'] -> Class['site_couchdb::bigcouch::add_nodes'] -> Class['site_couchdb::bigcouch::settle_cluster'] - -> Couchdb::Create_db['users'] - -> Couchdb::Create_db['tokens'] - -> Couchdb::Add_user[$couchdb_webapp_user] - -> Couchdb::Add_user[$couchdb_soledad_user] + -> Class['site_couchdb::create_dbs'] + -> Class['site_couchdb::add_users'] class { 'site_couchdb::stunnel': } -- cgit v1.2.3 From ca34d880f65f62bf78623c80f6e76d1726f2068c Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Apr 2014 11:56:36 -0400 Subject: change class instantiating to be includes and organizing things in the class to be more visually logical (#5269, #4590, #3712) Change-Id: I58c28c3bc62e67b25f33da3378e8146110471613 --- puppet/modules/site_couchdb/manifests/init.pp | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) (limited to 'puppet') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index d8e03e41..3614661d 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -68,12 +68,6 @@ class site_couchdb { -> Class['site_couchdb::create_dbs'] -> Class['site_couchdb::add_users'] - class { 'site_couchdb::stunnel': } - - class { 'site_couchdb::bigcouch::add_nodes': } - - class { 'site_couchdb::bigcouch::settle_cluster': } - # /etc/couchdb/couchdb.netrc is deployed by couchdb::query::setup # we symlink this to /root/.netrc for couchdb_scripts (eg. backup) # and makes life easier for the admin (i.e. using curl/wget without @@ -92,15 +86,6 @@ class site_couchdb { pw => $couchdb_admin_pw, } - include site_couchdb::create_dbs - include site_couchdb::add_users - include site_couchdb::designs - include site_couchdb::logrotate - include site_couchdb::bigcouch::compaction - - include site_shorewall::couchdb - include site_shorewall::couchdb::bigcouch - vcsrepo { '/srv/leap/couchdb/scripts': ensure => present, provider => git, @@ -109,8 +94,20 @@ class site_couchdb { require => File['/srv/leap/couchdb'] } + include site_couchdb::stunnel + include site_couchdb::bigcouch::add_nodes + include site_couchdb::bigcouch::settle_cluster + include site_couchdb::create_dbs + include site_couchdb::add_users + include site_couchdb::designs + include site_couchdb::logrotate + include site_couchdb::bigcouch::compaction + if $couchdb_backup { include site_couchdb::backup } + include site_shorewall::couchdb + include site_shorewall::couchdb::bigcouch + include site_check_mk::agent::couchdb include site_check_mk::agent::tapicero -- cgit v1.2.3 From 4295f334ea4f92d7fb47f7121a42633630c368d1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 17 Apr 2014 15:47:38 -0400 Subject: update couchdb submodule to get fix for timing issue that caused 409 Conflicts in certain situations (#5523) Change-Id: I1ca67e317a7eb84f64cb7b79daa2e500f0561707 --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet') diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 32dba50b..c8f5443e 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 32dba50beb0c24b9b883e495149b353aa70506c6 +Subproject commit c8f5443e0998d3d3d43505ff5a6fdf8c438d6c24 -- cgit v1.2.3