Merge branch 'master' of git+ssh://zobel@puppet.debian.org/srv/puppet.debian.org...
authorMartin Zobel-Helas <zobel@debian.org>
Sun, 19 Jul 2009 11:16:25 +0000 (13:16 +0200)
committerMartin Zobel-Helas <zobel@debian.org>
Sun, 19 Jul 2009 11:16:25 +0000 (13:16 +0200)
modules/apache2/manifests/init.pp
modules/clamav/files/clamav-unofficial-sigs.conf [new file with mode: 0644]
modules/clamav/files/clamav-unofficial-sigs.dsa.conf [new file with mode: 0644]
modules/clamav/manifests/init.pp
modules/debian-org/misc/local.yaml
modules/exim/files/per-host/spohr.debian.org/manualroute
modules/exim/templates/eximconf.erb
modules/exim/templates/virtualdomains.erb
modules/nagios/files/per-host/dijkstra/obsolete-packages-ignore.d-hostspecific [new file with mode: 0644]
modules/samhain/templates/samhainrc.erb
modules/sudo/files/common/sudoers

index 706d40e..5283098 100644 (file)
@@ -33,9 +33,10 @@ class apache2 {
                "/srv/www/default.debian.org/htdocs/index.html":
                        content => template("apache2/default-index.html");
 
-               "/var/log/apache2":
-                       mode    => 755,
-                       ensure  => directory;
+               # sometimes this is a symlink
+               #"/var/log/apache2":
+               #       mode    => 755,
+               #       ensure  => directory;
        }
 
        exec { "apache2 reload":
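Review bot: Commenting the `/var/log/apache2` resource out leaves dead code in the manifest and stops Puppet from enforcing anything on the log directory on every host, not only on those where it is a symlink. If the block is not coming back, delete it and keep a one-line comment such as `# /var/log/apache2 is not managed here: on some hosts it is a symlink`. If the directory should still be enforced where it is a real directory, that needs a per-host condition that is not visible in this hunk. The class body starts before the hunk and continues after it.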
diff --git a/modules/clamav/files/clamav-unofficial-sigs.conf b/modules/clamav/files/clamav-unofficial-sigs.conf
new file mode 100644 (file)
index 0000000..17f4919
--- /dev/null
@@ -0,0 +1,13 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+# Source all the configuration files from upstream, Debian and elsewhere
+for f in /usr/share/clamav-unofficial-sigs/conf.d/*.conf ; do
+        if [ -s "$f" ] ; then
+                . $f
+        fi
+done
+
+. /etc/clamav-unofficial-sigs.dsa.conf
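Review bot: Every file matched by the loop, and `/etc/clamav-unofficial-sigs.dsa.conf`, is executed as shell code by whatever runs the signature updater, so these paths should be root-owned and not group- or world-writable; the manifest in this commit that ships the two `/etc` files does not pin owner or mode. In the loop, `. $f` is unquoted and should be `. "$f"`. The final `.` is unconditional, and in a non-interactive POSIX shell a missing file there aborts the sourcing script. If the updater should keep running with the upstream defaults in that case, guard it the way the loop does: `[ -s /etc/clamav-unofficial-sigs.dsa.conf ] && . /etc/clamav-unofficial-sigs.dsa.conf`.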
diff --git a/modules/clamav/files/clamav-unofficial-sigs.dsa.conf b/modules/clamav/files/clamav-unofficial-sigs.dsa.conf
new file mode 100644 (file)
index 0000000..cacf200
--- /dev/null
@@ -0,0 +1,22 @@
+ss_dbs="
+   junk.ndb
+   jurlbl.ndb
+   lott.ndb
+   phish.ndb
+   rogue.hdb
+   sanesecurity.ftm
+   scam.ndb
+   spam.ldb
+   spamimg.hdb
+   spear.ndb
+   winnow_malware.hdb
+   winnow_malware_links.ndb
+   winnow_phish_complete_url.ndb
+"
+
+si_dbs="
+   honeynet.hdb
+   securiteinfo.hdb
+   vx.hdb
+"
+
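Review bot: This file lacks the `THIS FILE IS UNDER PUPPET CONTROL` banner that the other newly added Puppet-shipped files in this commit carry, so an admin editing it on a host gets no warning that the change will be overwritten. Add the same four `##` lines at the top. A short comment would also help, saying that `ss_dbs` and `si_dbs` select third-party signature sets (presumably Sanesecurity and SecuriteInfo, going by the names — confirm) and who reviews changes to the list, since these databases decide what the mail scanner flags.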
index 591bbf5..fa7e17e 100644 (file)
@@ -3,5 +3,15 @@ class clamav {
               "clamav-freshclam": ensure => installed;
               "clamav-unofficial-sigs": ensure => installed;
     }
+    file {
+        "/etc/clamav-unofficial-sigs.dsa.conf":
+          require => Package["clamav-unofficial-sigs"],
+          source  => [ "puppet:///clamav/clamav-unofficial-sigs.dsa.conf" ]
+          ;
+        "/etc/clamav-unofficial-sigs.conf":
+          require => Package["clamav-unofficial-sigs"],
+          source  => [ "puppet:///clamav/clamav-unofficial-sigs.conf" ]
+          ;
+    }
 }
 
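Review bot: Neither `file` resource sets `owner`, `group` or `mode`, although both files are sourced as shell configuration by the signature updater (see the `. /etc/clamav-unofficial-sigs.dsa.conf` line in the shipped conf). Pin them on both resources, for example `owner => root, group => root, mode => 444,`, so the permissions do not depend on the fileserver copy or on a resource default defined outside this hunk. The resources also notify nothing; that is fine if the updater re-reads its config on every run, which cannot be confirmed from here.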
index 716bb2e..5ea87ee 100644 (file)
@@ -77,22 +77,22 @@ footer:
   zelenka.debian.org: "Debian s390 porter system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]"
 services:
   bugsmaster: rietz.debian.org
-  qamaster: merkel.debian.org
   mailrelay: spohr.debian.org
-  rtmaster: spohr.debian.org
   packagesmaster: powell.debian.org
   packagesqamaster: master.debian.org
+  qamaster: merkel.debian.org
+  rtmaster: spohr.debian.org
 host_settings:
   heavy_exim:
-    - raff.debian.org
-    - merkel.debian.org
-    - spohr.debian.org
     - draghi.debian.org
+    - klecker.debian.org
     - master.debian.org
+    - merkel.debian.org
+    - powell.debian.org
+    - raff.debian.org
     - ries.debian.org
     - rietz.debian.org
-    - klecker.debian.org
-    - powell.debian.org
+    - spohr.debian.org
   apache2_defaultconfig:
     - bellini.debian.org
     - carver.debian.org
@@ -126,18 +126,18 @@ host_settings:
     - lafayette.debian.org
     - malo.debian.org
     - murphy.debian.org
+    - paer.debian.org
     - praetorius.debian.org
     - puccini.debian.org
-    - paer.debian.org
   smarthost:
-    ancina.debian.org: mailout.debian.org
     allegri.debian.org: mailout.debian.org
+    ancina.debian.org: mailout.debian.org
     piatti.debian.org: mailout.debian.org
   mail_port:
-    ancina.debian.org: 2025
     allegri.debian.org: 2025
-    piatti.debian.org: 2025
+    ancina.debian.org: 2025
     kassia.debian.org: 587
+    piatti.debian.org: 2025
   reservedaddrs:
     ball.debian.org: "0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : 172.16.0.0/12 : 192.0.0.0/17 : 192.168.0.0/16 : 224.0.0.0/4 : 240.0.0.0/5 : 248.0.0.0/5"
 ---
index cb67d7d..4fd6d62 100644 (file)
@@ -16,4 +16,3 @@ piatti.debian.org:          piatti.debian.org::2025
 # postfix:
 verdi.debian.org:           verdi.debian.org::2025
 volatile.debian.org:        verdi.debian.org::2025
-volatile-master.debian.org: verdi.debian.org::2025
index 59c37c8..b3c251c 100644 (file)
@@ -367,6 +367,30 @@ out
 
   accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
 
+  warn    domains        = +virtual_domains
+          condition      = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}}
+          condition      = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{markup}}
+          set acl_m_rprf = markup
+
+  accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+  warn    condition      = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{markup}}
+          set acl_m_rprf = markup
+
+  accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+  warn    condition      = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{blackhole}}
+          set acl_m_rprf = blackhole
+
+  accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+  warn    domains        = +virtual_domains
+          condition      = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}}
+          condition      = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{blackhole}}
+          set acl_m_rprf = blackhole
+
+  accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
   warn    set acl_m_rprf = normal
 
   accept
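Review bot: The four new stanzas consult the two sources in a different order for each action: `markup` checks the virtual-domain file first and then the cdb, while `blackhole` checks the cdb first and then the virtual-domain file. Nothing records which source is meant to win when they disagree. Add a comment above the block stating the intended precedence, e.g. `# contentinspectionaction: first match wins; order is vdomain markup, cdb markup, cdb blackhole, vdomain blackhole`, or reorder so each source is asked once for both actions. Any value other than `markup` or `blackhole` in either source falls through to `normal` without a log line, so a typo in a user's setting silently discards their choice. The later hunks test `$acl_m_prf` while this block sets `$acl_m_rprf`; presumably the message-level variable is derived from the per-recipient one outside the hunk, but that is worth confirming.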
@@ -857,6 +881,14 @@ if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
 out='
 acl_check_mime:
 
+  warn   condition     = ${if <{$message_size}{256000}}
+         condition     = ${if eq {$acl_m_prf}{markup}}
+         set acl_m_srb = ${perl{surblspamcheck}}
+         condition     = ${if eq{$acl_m_srb}{false}{no}{yes}}
+         message       = X-Surbl-Hit: $primary_hostname: $acl_m_srb
+
+  accept condition     = ${if eq {$acl_m_prf}{markup}}
+
   deny   condition     = ${if <{$message_size}{256000}}
          set acl_m_srb = ${perl{surblspamcheck}}
          condition     = ${if eq{$acl_m_srb}{false}{no}{yes}}
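Review bot: The `accept` for `markup` ends `acl_check_mime` at that point, so for those messages every check that follows the SURBL `deny` in this ACL is skipped as well, not only the rejection; what follows is outside the hunk. The malware stanza in this commit handles the same case by putting `condition = ${if eq {$acl_m_prf}{markup}{no}{yes}}` on the `deny` instead, which keeps later checks running, and doing the same here would be consistent. The identical stanza is added again in the hunk at `@@ -946,6 +984,14 @@`, where the same applies.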
@@ -934,10 +966,16 @@ out
 out = ""
 if has_variable?("clamd") && clamd == "true"
 out = '
-  deny    
+  # FIXME: make blackhole work
+  deny    condition       = ${if eq {$acl_m_prf}{markup}{no}{yes}}
          demime          = *
           malware         = */defer_ok
           message         = malware detected: $malware_name: message rejected
+
+  warn    condition       = ${if eq {$acl_m_prf}{markup}}
+         demime          = *
+          malware         = */defer_ok
+          message         = X-malware detected: $malware_name
 '
 end
 out
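Review bot: `X-malware detected` is not a valid header field name because it contains a space, so the `warn` verb's `message` will not add a header of that name; as far as I recall, Exim then prefixes the text with `X-ACL-Warn:`. Use a name in the style of the SURBL stanza, `message = X-Malware-Detected: $primary_hostname: $malware_name`. The `FIXME` should also say what currently happens to `blackhole` recipients: they are not `markup`, so with this condition infected mail for them is rejected rather than dropped. Both stanzas keep `*/defer_ok`, so mail passes unscanned whenever the scanner is unavailable; that deserves a comment if it is a deliberate availability choice.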
@@ -946,6 +984,14 @@ out
 out=''
 if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
 out='
+  warn   condition     = ${if <{$message_size}{256000}}
+         condition     = ${if eq {$acl_m_prf}{markup}}
+         set acl_m_srb = ${perl{surblspamcheck}}
+         condition     = ${if eq{$acl_m_srb}{false}{no}{yes}}
+         message       = X-Surbl-Hit: $primary_hostname: $acl_m_srb
+
+  accept condition     = ${if eq {$acl_m_prf}{markup}}
+
   deny   condition     = ${if <{$message_size}{256000}}
          set acl_m_srb = ${perl{surblspamcheck}}
          condition     = ${if eq{$acl_m_srb}{false}{no}{yes}}
index 9456942..f368ea4 100644 (file)
@@ -54,6 +54,8 @@ admin.debian.org: user=mail_admin group=mail_admin directory=/org/admin.debian.o
 
         when "tartini.debian.org" then "forums.debian.net: user=forums group=forums directory=/srv/forums.debian.net/mail"
 
+        when "valente.debian.org" then "volatile.debian.org: user=volatile group=volatile directory=/srv/volatile-master.debian.org/mail"
+
         when "widor.debian.org" then "wiki.debian.org: user=wiki group=wikiadm directory=/org/wiki.debian.org/mail"
 end
 vdoms
diff --git a/modules/nagios/files/per-host/dijkstra/obsolete-packages-ignore.d-hostspecific b/modules/nagios/files/per-host/dijkstra/obsolete-packages-ignore.d-hostspecific
new file mode 100644 (file)
index 0000000..4586eb0
--- /dev/null
@@ -0,0 +1,6 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+kvm
index 882646c..0b1377d 100644 (file)
@@ -260,6 +260,8 @@ if not nodeinfo['heavy_exim'].empty?
 file=/etc/exim4/surbl_whitelist.txt
 file=/etc/exim4/exim_surbl.pl
 file=/etc/exim4/ccTLD.txt
+file=/etc/clamav-unofficial-sigs.conf
+file=/etc/clamav-unofficial-sigs.dsa.conf
 '
 end
 out
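Review bot: The two new `file=` entries sit inside the `if not nodeinfo['heavy_exim'].empty?` branch (visible in the hunk header), while the files themselves are deployed by `class clamav`. If that class is ever applied to a host outside `heavy_exim`, the configs would be shipped there without integrity monitoring; confirm the two host sets are the same, or move the entries under a clamav-specific condition. The files under `/usr/share/clamav-unofficial-sigs/conf.d/` are sourced by the same config and should be covered by an existing rule. The section these lines belong to starts outside the hunk, so that cannot be checked from here.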
index 40a785e..595cfd5 100644 (file)
@@ -75,6 +75,7 @@ nagios                bellini,cimarosa=(ALL)  NOPASSWD: /usr/local/bin/arcconf GETCONFIG 1 LD,
 %secretary     ALL=(secretary) ALL
 %snapshot      ALL=(snapshot)  ALL
 %uddadm                ALL=(udd)       ALL
+%volatile      ALL=(volatile)  ALL
 %wbadm         ALL=(wbadm)     ALL
 %wikiadm       ALL=(wiki)      ALL
 QACORE         QAHOSTS=(qa)    ALL
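Review bot: `%volatile ALL=(volatile) ALL` grants the group the role account on every host that receives this sudoers file, while the only host this commit associates with the `volatile` user is valente.debian.org, in virtualdomains.erb. The entry matches the neighbouring role entries, so this is a least-privilege suggestion rather than a defect. If the role account exists only on a known set of hosts, name them in the host field, e.g. `%volatile valente=(volatile) ALL`. If the `ALL` host field is policy for role accounts, nothing needs to change.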