node default {
include site
include munin
- include syslog-ng
+ include syslog_ng
include sudo
include ssh
- include debian-org
+ include debian_org
include monit
include time
include ssl
include bacula::storage
}
- if $::kernel == Linux {
+ if $::kernel == 'Linux' {
include linux
include acpi
} elsif $::kernel == 'GNU/kFreeBSD' {
}
if $::hostname in [geo3,wieck] {
- include debian-org::radvd
+ include debian_org::radvd
}
if ($::postgres) {
class acpi {
if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
- if ($::lsbmajdistrelease >= 8) {
+ if ($::lsbmajdistrelease >= '8') {
package { 'acpid':
ensure => purged
}
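Review bot: Quoting the right-hand side in `if ($::lsbmajdistrelease >= '8') {` makes this a string-to-string comparison, which the Puppet 4 language (which the other changes here appear to target) evaluates lexically, so a release of '10' would compare as lower than '8'. The same pattern is in the apache2 hunks (`> '7'`, `<= '7'`) and the bacula::client hunk (`>= '9' and $systemd`), where a wrong branch could leave out the mpm_worker config, the `.conf` symlink suffix or the bacula-fd systemd drop-in on later releases. Assuming the fact arrives as a string, `if (versioncmp($::lsbmajdistrelease, '8') >= 0) {` keeps numeric ordering under both the old and the new parser. The class body continues outside this hunk.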
apache2::module { 'mpm_prefork': ensure => absent }
apache2::module { 'mpm_worker': }
}
- if $::lsbmajdistrelease > 7 {
+ if $::lsbmajdistrelease > '7' {
file { '/etc/apache2/mods-available/mpm_worker.conf':
content => template('apache2/mpm_worker.erb'),
}
}
}
- if $::lsbmajdistrelease <= 7 {
+ if $::lsbmajdistrelease <= '7' {
$symlink = "/etc/apache2/sites-enabled/${name}"
} else {
$symlink = "/etc/apache2/sites-enabled/${name}.conf"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
- <TITLE>Welcome to <%= hostname %>!</TITLE>
+ <TITLE>Welcome to <%= @hostname %>!</TITLE>
</HEAD>
<BODY>
-<H1>Welcome to <%= hostname %>!</H1>
+<H1>Welcome to <%= @hostname %>!</H1>
-This is <%= hostname %>, a system run by and for the <a href="https://www.debian.org/">Debian Project</a>.
+This is <%= @hostname %>, a system run by and for the <a href="https://www.debian.org/">Debian Project</a>.
She does stuff.
What kind of stuff and who our kind sponsors are you might learn on
-<a href="https://db.debian.org/machines.cgi?host=<%= hostname %>">db.debian.org</a>.
+<a href="https://db.debian.org/machines.cgi?host=<%= @hostname %>">db.debian.org</a>.
<P>
<HR NOSHADE />
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
- <TITLE>Welcome to <%= hostname %>!</TITLE>
+ <TITLE>Welcome to <%= @hostname %>!</TITLE>
</HEAD>
<BODY>
-<H1>Welcome to <%= hostname %>!</H1>
+<H1>Welcome to <%= @hostname %>!</H1>
-This is <%= hostname %>, a system run by and for the <a href="https://www.debian.org/">Debian Project</a>.
+This is <%= @hostname %>, a system run by and for the <a href="https://www.debian.org/">Debian Project</a>.
<P>
The service you have requested is currently disabled.
<P>
The reason for that and who our kind sponsors are you might learn on
-<a href="https://db.debian.org/machines.cgi?host=<%= hostname %>">db.debian.org</a>.
+<a href="https://db.debian.org/machines.cgi?host=<%= @hostname %>">db.debian.org</a>.
<P>
<HR NOSHADE />
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!SEED:!DSS
<% end -%>
- <%- if has_variable?("apache2deb9") && apache2deb9 == "true" -%>
+ <%- if has_variable?("apache2deb9") && @apache2deb9 == "true" -%>
SSLUseStapling On
# the default size is 32k, but we make it 1M.
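Review bot: The test `@apache2deb9 == "true"` only matches when the fact reaches the template as the string "true". The apache2deb9 fact shown further down this page returns a Ruby `true` or `''`, so if facts are ever passed unstringified the condition would be false and `SSLUseStapling On` would silently drop out of the rendered config. Comparing the string form, `<%- if @apache2deb9.to_s == "true" -%>`, does not depend on that setting and also covers an unset variable, since `nil.to_s` is empty. The enclosing template block starts and ends outside this hunk.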
class bacula::client inherits bacula {
- @@bacula::storage-per-node { $::fqdn: }
+ @@bacula::storage_per_node { $::fqdn: }
if ! getfromhash($site::nodeinfo, 'not-bacula-client') {
@@bacula::node { $::fqdn:
require => Package['bacula-fd'],
notify => Service['bacula-fd'],
}
- if ($::lsbmajdistrelease >= 9 and $systemd) {
+ if ($::lsbmajdistrelease >= '9' and $systemd) {
file { '/etc/systemd/system/bacula-fd.service.d':
ensure => directory,
mode => '0755',
+++ /dev/null
-define bacula::storage-per-node() {
-
- include bacula
-
- $bacula_filestor_device = $bacula::bacula_filestor_device
- $bacula_filestor_name = $bacula::bacula_filestor_name
- $bacula_backup_path = $bacula::bacula_backup_path
-
- $bacula_client_name = "${name}-fd"
- $client = $name
-
- file {
- "/etc/bacula/storage-conf.d/${name}.conf":
- content => template('bacula/storage-per-client.conf.erb'),
- mode => '0440',
- group => bacula,
- notify => Exec['bacula-sd restart-when-idle'],
- ;
- "${bacula_backup_path}/${name}":
- ensure => directory,
- mode => '0755',
- owner => bacula,
- group => bacula,
- ;
- }
-}
-
--- /dev/null
+define bacula::storage_per_node() {
+
+ include bacula
+
+ $bacula_filestor_device = $bacula::bacula_filestor_device
+ $bacula_filestor_name = $bacula::bacula_filestor_name
+ $bacula_backup_path = $bacula::bacula_backup_path
+
+ $bacula_client_name = "${name}-fd"
+ $client = $name
+
+ file {
+ "/etc/bacula/storage-conf.d/${name}.conf":
+ content => template('bacula/storage-per-client.conf.erb'),
+ mode => '0440',
+ group => bacula,
+ notify => Exec['bacula-sd restart-when-idle'],
+ ;
+ "${bacula_backup_path}/${name}":
+ ensure => directory,
+ mode => '0755',
+ owner => bacula,
+ group => bacula,
+ ;
+ }
+}
+
# List Directors who are permitted to contact this File daemon
Director {
- Name = <%= bacula_director_name %>
- Password = "<%= bacula_client_secret %>"
+ Name = <%= @bacula_director_name %>
+ Password = "<%= @bacula_client_secret %>"
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
- TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"
- TLS CA Certificate File = "<%= bacula_ca_path %>"
+ TLS Allowed CN = "clientcerts/<%= @bacula_director_address %>"
+ TLS CA Certificate File = "<%= @bacula_ca_path %>"
# This is a server certificate, used for incoming director connections.
- TLS Certificate = "<%= bacula_ssl_server_cert %>"
- TLS Key = "<%= bacula_ssl_server_key %>"
+ TLS Certificate = "<%= @bacula_ssl_server_cert %>"
+ TLS Key = "<%= @bacula_ssl_server_key %>"
}
# "Global" File daemon configuration specifications
FileDaemon {
- Name = <%= bacula_client_name %>
- FDport = <%= bacula_client_port %>
+ Name = <%= @bacula_client_name %>
+ FDport = <%= @bacula_client_port %>
WorkingDirectory = /var/lib/bacula
Pid Directory = /var/run/bacula
Maximum Concurrent Jobs = 20
- FDAddress = <%= fqdn %>
+ FDAddress = <%= @fqdn %>
#Maximum Network Buffer Size = 524288
TLS Enable = yes
TLS Require = yes
- TLS CA Certificate File = "<%= bacula_ca_path %>"
+ TLS CA Certificate File = "<%= @bacula_ca_path %>"
# This is a client certificate, used by the client to connect to the storage daemon
- TLS Certificate = "<%= bacula_ssl_client_cert %>"
- TLS Key = "<%= bacula_ssl_client_key %>"
+ TLS Certificate = "<%= @bacula_ssl_client_cert %>"
+ TLS Key = "<%= @bacula_ssl_client_key %>"
<%- if scope.lookupvar('site::nodeinfo')['hoster']['name'] == "brown" -%>
# broken firewall
# Send all messages except skipped files back to Director
Messages {
Name = Standard
- director = <%=bacula_director_name%> = all, !skipped, !restored
+ director = <%= @bacula_director_name %> = all, !skipped, !restored
}
set -e
if [ "$1" = "fd" ];then
- PORT=<%= bacula_client_port %>
+ PORT=<%= @bacula_client_port %>
DIR="bacula-fd"
elif [ "$1" = "sd" ]; then
- PORT=<%= bacula_storage_port %>
+ PORT=<%= @bacula_storage_port %>
DIR="bacula-sd"
else
# Usage
+++ /dev/null
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-Acquire {
- CompressionTypes
- {
- bz2 "bzip2";
- lzma "lzma";
- gz "gzip";
-
- Order { "gz"; "lzma"; "bz2"; };
- };
-};
+++ /dev/null
-Acquire::Languages { "en"; "none"; };
+++ /dev/null
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-Acquire::PDiffs "false";
+++ /dev/null
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-APT::Install-Recommends 0;
+++ /dev/null
-Explanation:
-Explanation: THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-Explanation: USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-Explanation:
-Package: *
-Pin: release o=Debian Backports
-Pin-Priority: 200
-
-Package: sbuild
-Pin: release o=buildd.debian.org
-Pin-Priority: 500
-
-Package: buildd
-Pin: release o=buildd.debian.org
-Pin-Priority: 500
-
-Package: libsbuild-perl
-Pin: release o=buildd.debian.org
-Pin-Priority: 500
-
-Package: *
-Pin: release o=buildd.debian.org
-Pin-Priority: -1
+++ /dev/null
-draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106,2001:41b8:202:deb:1a1a:0:52c3:4b6a ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi
+++ /dev/null
-#!/bin/bash
-
-parse_dates () {
- while read url file junk; do
- url=$(echo $url | sed -e "s/'//g")
- url_time=$(date -d "$(curl -sqI ${url} | grep Last-Modified: | sed -e 's/Last-Modified: //')" +%s)
- if [ ! -f "/var/lib/apt/lists/${file}" ]; then
- return 0
- fi
- file_time=$(stat -c %Y /var/lib/apt/lists/${file})
- if [ $url_time -gt $file_time ]; then
- return 0
- fi
- done
- return 1
-}
-
-su nobody -c 'apt-get update -s --print-uris' | grep 'Release ' | parse_dates
-exit $?
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-# this is a list of patterns, one per line, of things that puppet's
-# cron output shouldn't mail to us.
-
-^v6: error fetching interface information: Device not found$
-^pcilib: Cannot open /proc/bus/pci$
-^lspci: Cannot find any working access method\.$
-^can't open /proc/dma at /usr/bin/lsdev line 32\.$
-^/usr/lib/ruby/1.9.1/rubygems/custom_require\.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead\.$
-^/usr/lib/ruby/vendor_ruby/puppet/provider/service/freebsd\.rb:[8910]*: warning: class variable access from toplevel$
-^/usr/lib/ruby/vendor_ruby/puppet/provider/service/bsd\.rb:12: warning: class variable access from toplevel$
-^/usr/lib/ruby/vendor_ruby/puppet/type/tidy\.rb:1[0-9][0-9]: warning: class variable access from toplevel$
+++ /dev/null
-TMOUT=129600 # a day and a half (36 hrs)
-export TMOUT
+++ /dev/null
-#
-# THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-# USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-#
-
-# /etc/zsh/zprofile: system-wide .zprofile file for zsh(1).
-#
-# This file is sourced only for login shells (i.e. shells
-# invoked with "-" as the first character of argv[0], and
-# shells invoked with the -l flag.)
-#
-# Global Order: zshenv, zprofile, zshrc, zlogin
-
-if [ -e /etc/profile.d/timeout.sh ]; then
- . /etc/profile.d/timeout.sh
-fi
+++ /dev/null
-#!/bin/sh
-
-KVMCOUNT=`pgrep -cx '^(qemu-)?kvm$'`
-if [ $KVMCOUNT != 0 ]; then
- echo "Found $KVMCOUNT qemu-kvm instances running, aborting $MOLLYGUARD_CMD!"
- exit 1
-fi
+++ /dev/null
-#!/bin/bash
-
-# Copyright 2012 Peter Palfrader
-
-l=/var/run/reboot-lock
-exec 3> $l
-
-if ! flock --exclusive -w 0 3; then
- echo >&2 "Cannot acquire reboot lock."
- exit 1
-fi
-echo "Reboot lock acquired."
-
-ppid="$PPID"
-(
- while kill -0 "$ppid" 2>/dev/null; do
- sleep 1
- done
-) &
-disown
-exit 0
+++ /dev/null
-# /etc/nsswitch.conf
-#
-# Example configuration of GNU Name Service Switch functionality.
-# If you have the `glibc-doc-reference' and `info' packages installed, try:
-# `info libc "Name Service Switch"' for information about this file.
-
-passwd: compat db
-group: db compat
-shadow: compat db
-
-hosts: files dns
-networks: files
-
-protocols: db files
-services: db files
-ethers: db files
-rpc: db files
-
-netgroup: nis
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# Defaults for puppet - sourced by /etc/init.d/puppet
-
-# Start puppet on boot?
-START=no
-exit 0
-
-# Startup options
-DAEMON_OPTS="-w 5 --factsync"
+++ /dev/null
-# ~/.bashrc: executed by bash(1) for non-login shells.
-
-## THIS FILE IS UNDER PUPPET CONTROL.
-## LOCAL CHANGES WILL BE OVERWRITTEN.
-
-if [ "$PS1" ]; then
- typeset HISTCONTROL=ignoreboth
- typeset HISTSIZE=50000
-
- export LS_OPTIONS='--color=auto'
- eval "`dircolors`"
- alias ls='ls $LS_OPTIONS'
- alias ll='ls $LS_OPTIONS -l'
- alias l='ls $LS_OPTIONS -lA'
-
- if [ -f /usr/share/bash-completion/bash_completion ]; then
- . /usr/share/bash-completion/bash_completion
- fi
-
- PATH="$PATH:/usr/lib/nagios/plugins"
-fi
-
-# vim: set ft=sh ts=2 sw=2 et ai si:
+++ /dev/null
-# ~/.profile: executed by Bourne-compatible login shells.
-
-## THIS FILE IS UNDER PUPPET CONTROL.
-## LOCAL CHANGES WILL BE OVERWRITTEN.
-
-if [ "$BASH" ]; then
- if [ -f ~/.bashrc ]; then
- . ~/.bashrc
- fi
- if [ "$PS1" ]; then
- PS1='${debian_chroot:+[$debian_chroot] }\h:\w\$ '
- fi
-fi
-
-mesg n
-
-# vim: set ft=sh ts=2 sw=2 et ai si:
+++ /dev/null
-
-## THIS FILE IS UNDER PUPPET CONTROL.
-## LOCAL CHANGES WILL BE OVERWRITTEN.
-
-
-startup_message off
-deflogin on
-#vbell off
-defscrollback 10000
-defnonblock 5
-
-## set these terminals up to be 'optimal' instead of vt100
-#termcapinfo xterm*|linux*|rxvt*|Eterm* OP
-
-caption always " %?%F%{r}%?%H%{r}%?%F*%: %? %{rd}| %{r}$LOGNAME%{d} | %{b}%-Lw%{b}%50>%{kw}%n%f* %t %{-}%+Lw%<"
-
-# fix screens copy&paste (background-color-erase to on)
-defbce on
-
-# xterm, and urxvt on weasel's jessie systems
-bindkey "^[[1;5D" prev
-bindkey "^[[1;5C" next
-bindkey "^[[1;5A" focus up
-bindkey "^[[1;5B" focus down
-
-# urxvt default Ctrl+left/right/up/down on weasel's stretch systems
-bindkey "^[Od" prev
-bindkey "^[Oc" next
-bindkey "^[Oa" focus up
-bindkey "^[Ob" focus down
-
-# gnome terminal (in screen:
-#bindkey "^[n" screen
-#bindkey "^[O5D" prev
-#bindkey "^[O5C" next
-#bindkey "^[O5A" focus up
-#bindkey "^[O5B" focus down
-
-# urxvt shift+left/right
-#bindkey "^[[d" prev
-#bindkey "^[[c" next
-#bindkey "^[[a" focus up
-#bindkey "^[[b" focus down
+++ /dev/null
-SELECTED_EDITOR="/usr/bin/vim"
+++ /dev/null
-# mess with the status window
-set -g status-bg colour109
-set -g status-right "[#T]"
-setw -g window-status-current-bg white
-
-bind -n C-Right next-window
-bind -n C-Left previous-window
-
-bind -n C-Up select-pane -U
-bind -n C-Down select-pane -D
-bind | split-window -h
-bind - split-window -v
-
-#set -g default-terminal "screen-it"
-set -g xterm-keys on
-set -sg escape-time 0
+++ /dev/null
-" ~/.vimrc - ViM configuration file
-
-" THIS FILE IS UNDER PUPPET CONTROL.
-" LOCAL CHANGES WILL BE OVERWRITTEN.
-
-runtime! debian.vim
-filetype plugin on
-set ai
-:set nocompatible
-:syn on
-:set title
-:set pastetoggle=<F10>
-:set listchars=tab:»·,trail:·
-:set list
-:nmap <F11> :set invlist<return>
-:imap <F11> <C-O>:set invlist<return>
-:set clipboard^=autoselectml guioptions+=A
-let g:Imap_UsePlaceHolders = 1
-let g:Imap_FreezeImap = 1
-:hi MatchParen ctermbg=black
-colorscheme peachpuff
-
-map <F3> :n<return>
-map <F2> :N<return>
-map <F5> :wn<return>
-map <F4> :wN<return>
-map fd ggV/^-- <CR><up>gq
-
-nnoremap <silent> <C-M> :make<return>
-
-nnoremap <silent> <S-left> :bprevious<return>
-nnoremap <silent> <S-right> :bnext<return>
-inoremap <silent> <S-left> <C-O>:bprevious<return>
-inoremap <silent> <S-right> <C-O>:bnext<return>
-
-nnoremap <silent> <C-left> :bprevious<return>
-nnoremap <silent> <C-right> :bnext<return>
-inoremap <silent> <C-left> <C-O>:bprevious<return>
-inoremap <silent> <C-right> <C-O>:bnext<return>
-
-nnoremap <silent> <Esc>[1;2D :bprevious<return>
-nnoremap <silent> <Esc>[1;2C :bnext<return>
-inoremap <silent> <Esc>[1;2D <C-O>:bprevious<return>
-inoremap <silent> <Esc>[1;2C <C-O>:bnext<return>
-
-nnoremap <silent> <Esc>[D :bprevious<return>
-nnoremap <silent> <Esc>[C :bnext<return>
-inoremap <silent> <Esc>[D <C-O>:bprevious<return>
-inoremap <silent> <Esc>[C <C-O>:bnext<return>
-
-nnoremap <silent> <Esc>[d :bprevious<return>
-nnoremap <silent> <Esc>[c :bnext<return>
-inoremap <silent> <Esc>[d <C-O>:bprevious<return>
-inoremap <silent> <Esc>[c <C-O>:bnext<return>
-
-" nnoremap <space><space> :bnew<return>
-nnoremap <silent> <space><left> :bprevious<return>
-nnoremap <silent> <space><right> :bnext<return>
-
-if &term =~ '^screen'
- " tmux will send xterm-style keys when xterm-keys is on
- execute "set <xUp>=\e[1;*A"
- execute "set <xDown>=\e[1;*B"
- execute "set <xRight>=\e[1;*C"
- execute "set <xLeft>=\e[1;*D"
-endif
-
-
-
-" wild/tab behavior
-" =================
-set wildmode=longest,list:longest,list:full
-
-" spelling stuff
-" ==============
-set spellfile=~/.vim.spell.en.add
-:nmap <F8> :set invspell<return>
-:imap <F8> <C-O>:set invspell<return>
-
-" Searching and highlighting
-" ==========================
-hi Search cterm=NONE ctermfg=yellow ctermbg=19
-set hlsearch
-nnoremap <CR> :noh<CR><CR>
-
-set tabpagemax=50
-" Do not close buffers we don't see
-set hidden
+++ /dev/null
-[Unit]
-Description=Userdir-Ldap Replication Daemon
-Wants=syslog.service
-
-[Service]
-ExecStart=/usr/bin/ud-replicated -d
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
+++ /dev/null
-Facter.add(:architecture) do
- confine :kernel => 'GNU/kFreeBSD'
- setcode do
- model = Facter.value(:hardwaremodel)
- case model
- when 'x86_64' then "amd64"
- when /(i[3456]86|pentium)/ then "i386"
- else
- model
- end
- end
-end
-
-Facter.add(:debarchitecture) do
- setcode do
- %x{/usr/bin/dpkg --print-architecture}.chomp
- end
-end
-
+++ /dev/null
-if FileTest.exist?('/usr/sbin/gnt-cluster') and FileTest.exist?('/var/lib/ganeti/ssconf_cluster_name')
- begin
- if system('/usr/sbin/gnt-cluster getmaster >/dev/null')
- Facter.add('cluster') do
- setcode do
- open('/var/lib/ganeti/ssconf_cluster_name').read().chomp()
- end
- end
- Facter.add('cluster_nodes') do
- setcode do
- open('/var/lib/ganeti/ssconf_node_list').read().split().join(" ")
- end
- end
- end
- rescue Exception => e
- end
-end
+++ /dev/null
-begin
- require 'etc'
-
- Facter.add("debsso_skac_crl") do
- setcode do
- crl = nil
- crlfile = '/srv/sso.debian.org/debsso/data/spkac_ca/ca.crl'
- if FileTest.exist?(crlfile)
- crl = File.open(crlfile).read
- end
- crl
- end
- end
-
-rescue Exception => e
-end
-# vim:set et:
-# vim:set ts=4:
-# vim:set shiftwidth=4:
+++ /dev/null
-Facter.add("brokenhosts") do
- brokenhosts = true
- if FileTest.exist?("/etc/hosts")
- IO.foreach("/etc/hosts") do |x|
- x.split.each do |y|
- if y == Facter.value("fqdn")
- brokenhosts = false
- break
- end
- end
- end
- end
- setcode do
- if brokenhosts
- true
- else
- ''
- end
- end
-end
-
-
+++ /dev/null
-Facter.add("v4ips") do
- confine :kernel => :linux
- addrs = []
- if FileTest.exist?("/bin/ip")
- %x{ip addr list}.each_line do |line|
- next unless line =~ /\s+inet/
- next if line =~ /scope (link|host)/
- if line =~ /\s+inet\s+(\S+)\/\d{1,2} .*/
- addrs << $1
- end
- end
- end
- ret = addrs.join(",")
- if ret.empty?
- ret = ''
- end
- setcode do
- ret
- end
-end
-
-Facter.add("v4ips") do
- confine :kernel => 'GNU/kFreeBSD'
- setcode do
- addrs = []
- output = %x{/sbin/ifconfig}
-
- output.split(/^\S/).each { |str|
- if str =~ /inet ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/
- tmp = $1
- unless tmp =~ /127\./
- addrs << tmp
- break
- end
- end
- }
-
- ret = addrs.join(",")
- if ret.empty?
- ret = ''
- end
- ret
- end
-end
-
-Facter.add("v6ips") do
- confine :kernel => :linux
- addrs = []
- if FileTest.exist?("/bin/ip")
- %x{ip addr list}.each_line do |line|
- next unless line =~ /\s+inet/
- next if line =~ /scope (link|host)/
- if line =~ /\s+inet6\s+(\S+)\/\d{1,3} .*/
- addrs << $1
- end
- end
- end
- ret = addrs.join(",")
- if ret.empty?
- ret = ''
- end
- setcode do
- ret
- end
-end
-
+++ /dev/null
-{ "LSBRelease" => %r{^LSB Version:\t(.*)$},
- "LSBDistId" => %r{^Distributor ID:\t(.*)$},
- "LSBDistRelease" => %r{^Release:\t(.*)$},
- "LSBDistDescription" => %r{^Description:\t(.*)$},
- "LSBDistCodeName" => %r{^Codename:\t(.*)$}
-}.each do |fact, pattern|
- Facter.add(fact) do
- confine :kernel => 'GNU/kFreeBSD'
- setcode do
- unless defined?(lsbdata) and defined?(lsbtime) and (Time.now.to_i - lsbtime.to_i < 5)
- type = nil
- lsbtime = Time.now
- lsbdata = Facter::Util::Resolution.exec('lsb_release -a 2>/dev/null')
- end
-
- if pattern.match(lsbdata)
- $1
- else
- nil
- end
- end
- end
-end
-
+++ /dev/null
-begin
- require 'filesystem'
-
- Facter.add("mounts") do
- ignorefs = ["NFS", "nfs", "nfs4", "nfsd", "afs", "binfmt_misc", "proc", "smbfs",
- "autofs", "iso9660", "ncpfs", "coda", "devpts", "ftpfs", "devfs",
- "mfs", "shfs", "sysfs", "cifs", "lustre_lite", "tmpfs", "usbfs", "udf",
- "fusectl", "fuse.snapshotfs", "rpc_pipefs", "devtmpfs"]
- mountpoints = []
- FileSystem.mounts.each do |m|
- if ((not ignorefs.include?(m.fstype)) && (m.options !~ /bind/))
- mountpoints << m.mount
- end
- end
- setcode do
- mountpoints.uniq.sort.join(',')
- end
- end
-
-rescue Exception => e
-end
+++ /dev/null
-Facter.add("mta") do
- setcode do
- mta = "exim4"
- if FileTest.exist?("/usr/sbin/postfix")
- mta = "postfix"
- end
- mta
- end
-end
+++ /dev/null
-begin
- require 'json'
-
- Facter.add("onion_tor_service_hostname") do
- services = {}
-
- Dir['/var/lib/tor/onion/*/hostname'].each do |p|
- dir = File.dirname(p)
- service = File.basename(dir)
- hostname = IO.read(p).chomp
- services[service] = hostname
- end
- setcode do
- services.to_json
- end
- end
-
- Facter.add("onion_balance_service_hostname") do
- services = {}
-
- Dir['/etc/onionbalance/private_keys/*.key'].each do |p|
- service = File.basename(p, '.key')
- begin
- services[service] = IO.popen(['/usr/local/bin/tor-onion-name', p]).read.chomp
- rescue Errno::ENOENT
- end
- end
- setcode do
- services.to_json
- end
- end
-
-
-rescue Exception => e
-end
+++ /dev/null
-Facter.add(:operatingsystem) do
- confine :kernel => 'GNU/kFreeBSD'
- setcode do
- if FileTest.exists?("/etc/debian_version")
- "Debian"
- end
- end
-end
+++ /dev/null
-
-%w{/srv/build-trees
- /srv/buildd
- /etc/ssh/ssh_host_ed25519_key
- /srv/mirrors/debian
- /srv/mirrors/debian-debug
- /srv/mirrors/debian-ports
- /srv/mirrors/debian-security
- /dev/hwrng
-}.each do |path|
- Facter.add("has" + path.gsub(/[\/-]/,'_')) do
- setcode do
- if FileTest.exist?(path)
- true
- else
- ''
- end
- end
- end
-end
+++ /dev/null
-Facter.add("smartarraycontroller") do
- confine :kernel => :linux
- setcode do
- if FileTest.exist?("/dev/cciss/")
- true
- elsif FileTest.exist?("/sys/module/hpsa/")
- true
- else
- ''
- end
- end
-end
-
-Facter.add("ThreeWarecontroller") do
- confine :kernel => :linux
- setcode do
- is3w = ''
- if FileTest.exist?("/proc/scsi/scsi")
- IO.foreach("/proc/scsi/scsi") { |x|
- is3w = true if x =~ /Vendor: 3ware/
- }
- end
- is3w
- end
-end
-
-Facter.add("megaraid") do
- confine :kernel => :linux
- setcode do
- if FileTest.exist?("/dev/megadev0")
- true
- else
- ''
- end
- end
-end
-
-Facter.add("mptraid") do
- confine :kernel => :linux
- setcode do
- if FileTest.exist?("/dev/mptctl") or FileTest.exist?("/dev/mpt0") or FileTest.exist?("/proc/mpt/summary")
- true
- else
- ''
- end
- end
-end
-
-Facter.add("aacraid") do
- confine :kernel => :linux
- setcode do
- if FileTest.exist?("/dev/aac0")
- true
- else
- ''
- end
- end
-end
-
-Facter.add("swraid") do
- confine :kernel => :linux
- setcode do
- swraid = ''
- if FileTest.exist?("/proc/mdstat") && FileTest.exist?("/sbin/mdadm")
- IO.foreach("/proc/mdstat") { |x|
- swraid = true if x =~ /md[0-9]+ : active/
- }
- end
- swraid
- end
-end
-
+++ /dev/null
-begin
- require 'etc'
-
- Facter.add("postgresql_key") do
- setcode do
- key = nil
- keyfile = '/var/lib/postgresql/.ssh/id_rsa.pub'
- if FileTest.exist?(keyfile)
- key = File.open(keyfile).read.chomp
- end
- key
- end
- end
-
- Facter.add("staticsync_key") do
- setcode do
- key = nil
- keyfile = '/home/staticsync/.ssh/id_rsa.pub'
- if FileTest.exist?(keyfile)
- key = File.open(keyfile).read.chomp
- end
- key
- end
- end
-
- Facter.add("staticsync_user_exists") do
- setcode do
- result = ''
- begin
- if Etc.getpwnam('staticsync')
- result = true
- end
- rescue ArgumentError
- end
- result
- end
- end
-
-
- Facter.add("weblogsync_key") do
- setcode do
- key = nil
- keyfile = '/home/weblogsync/.ssh/id_rsa.pub'
- if FileTest.exist?(keyfile)
- key = File.open(keyfile).read.chomp
- end
- key
- end
- end
-
- Facter.add("weblogsync_user_exists") do
- setcode do
- result = ''
- begin
- if Etc.getpwnam('weblogsync')
- result = true
- end
- rescue ArgumentError
- end
- result
- end
- end
-
-
- Facter.add("buildd_key") do
- setcode do
- key = nil
- keyfile = '/home/buildd/.ssh/id_rsa.pub'
- if FileTest.exist?(keyfile)
- key = File.open(keyfile).read.chomp
- end
- key
- end
- end
-
- Facter.add("buildd_user_exists") do
- setcode do
- result = ''
- begin
- if Etc.getpwnam('buildd')
- result = true
- end
- rescue ArgumentError
- end
- result
- end
- end
-
- Facter.add("portforwarder_key") do
- setcode do
- key = nil
- keyfile = '/home/portforwarder/.ssh/id_rsa.pub'
- if FileTest.exist?(keyfile)
- key = File.open(keyfile).read.chomp
- end
- key
- end
- end
-
- Facter.add("portforwarder_user_exists") do
- setcode do
- result = ''
- begin
- if Etc.getpwnam('portforwarder')
- result = true
- end
- rescue ArgumentError
- end
- result
- end
- end
-
-
-
-rescue Exception => e
-end
-# vim:set et:
-# vim:set ts=4:
-# vim:set shiftwidth=4:
+++ /dev/null
-Facter.add("kvmdomain") do
- setcode do
- result = ''
- if File.new('/proc/cpuinfo').read().index('QEMU Virtual CPU')
- result = true
- end
- result
- end
-end
+++ /dev/null
-Facter.add("apache2") do
- setcode do
- if FileTest.exist?("/usr/sbin/apache2")
- true
- else
- ''
- end
- end
-end
-Facter.add("apache2deb9") do
- setcode do
- # jessie (deb8) has 2.4.10-.., stretch (deb9) will have 2.4.23 or later.
- if FileTest.exist?("/usr/sbin/apache2") and system("dpkg --compare-versions $(dpkg-query -W -f='${Version}\n' apache2-bin) gt 2.4.15")
- true
- else
- ''
- end
- end
-end
-Facter.add("clamd") do
- setcode do
- if FileTest.exist?("/usr/sbin/clamd")
- true
- else
- ''
- end
- end
-end
-Facter.add("exim4") do
- setcode do
- if FileTest.exist?("/usr/sbin/exim4")
- true
- else
- ''
- end
- end
-end
-Facter.add("postfix") do
- setcode do
- if FileTest.exist?("/usr/sbin/postfix")
- true
- else
- ''
- end
- end
-end
-Facter.add("postgres") do
- setcode do
- pg = (FileTest.exist?("/usr/lib/postgresql/8.1/bin/postgres") or
- FileTest.exist?("/usr/lib/postgresql/8.3/bin/postgres") or
- FileTest.exist?("/usr/lib/postgresql/8.4/bin/postgres") or
- FileTest.exist?("/usr/lib/postgresql/9.0/bin/postgres") or
- FileTest.exist?("/usr/lib/postgresql/9.1/bin/postgres") or
- FileTest.exist?("/usr/lib/postgresql/9.2/bin/postgres"))
- if pg
- true
- else
- ''
- end
- end
-end
-Facter.add("postgrey") do
- setcode do
- if FileTest.exist?("/usr/sbin/postgrey")
- true
- else
- ''
- end
- end
-end
-Facter.add("greylistd") do
- setcode do
- FileTest.exist?("/usr/sbin/greylistd")
- end
-end
-Facter.add("policydweight") do
- setcode do
- if FileTest.exist?("/usr/sbin/policyd-weight")
- true
- else
- ''
- end
- end
-end
-Facter.add("spamd") do
- setcode do
- if FileTest.exist?("/usr/sbin/spamd")
- true
- else
- ''
- end
- end
-end
-Facter.add("php5") do
- php = (FileTest.exist?("/usr/lib/apache2/modules/libphp5.so") or
- FileTest.exist?("/usr/bin/php5") or
- FileTest.exist?("/usr/bin/php5-cgi") or
- FileTest.exist?("/usr/lib/cgi-bin/php5"))
- setcode do
- if php
- true
- else
- ''
- end
- end
-end
-Facter.add("php5suhosin") do
- suhosin=(FileTest.exist?("/usr/lib/php5/20060613/suhosin.so") or
- FileTest.exist?("/usr/lib/php5/20060613+lfs/suhosin.so"))
- setcode do
- if suhosin
- true
- else
- ''
- end
- end
-end
-Facter.add("syslogversion") do
- setcode do
- %x{dpkg-query -W -f='${Version}\n' syslog-ng | cut -b1-3}.chomp
- end
-end
-Facter.add("unbound") do
- unbound=(FileTest.exist?("/usr/sbin/unbound") and
- FileTest.exist?("/var/lib/unbound/root.key"))
- setcode do
- if unbound
- true
- else
- ''
- end
- end
-end
-Facter.add("munin_async") do
- setcode do
- FileTest.exist?("/usr/share/munin/munin-async")
- end
-end
-Facter.add("samhain") do
- setcode do
- if FileTest.exist?("/usr/sbin/samhain")
- true
- else
- ''
- end
- end
-end
-Facter.add("systemd") do
- setcode do
- init = '/sbin/init'
- if File.symlink?(init) and File.readlink(init) == "/lib/systemd/systemd"
- true
- else
- ''
- end
- end
-end
-Facter.add("tor_ge_0_2_9") do
- setcode do
- system(%{dpkg -l tor >/dev/null 2>&1 && dpkg --compare-versions $(dpkg-query -W -f='${Version}' tor) ge 0.2.9})
- end
-end
+++ /dev/null
-Facter.add("systemproductname") do
- confine :kernel => :linux
- setcode do
- if FileTest.exist?("/usr/sbin/dmidecode")
- %x{/usr/sbin/dmidecode -s system-product-name}.chomp.strip
- else
- ''
- end
- end
-end
-
-Facter.add("hw_can_temp_sensors") do
- confine :kernel => :linux
- setcode do
- if FileTest.exist?("/sys/devices/virtual/thermal/thermal_zone0/temp")
- true
- else
- ''
- end
- end
-end
+++ /dev/null
-# == Class: debian-org
-#
-# Stuff common to all debian.org servers
-#
-class debian-org::apt {
- if $::lsbmajdistrelease <= 7 {
- $mungedcodename = $::lsbdistcodename
- } elsif ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
- $mungedcodename = "${::lsbdistcodename}-kfreebsd"
- } else {
- $mungedcodename = $::lsbdistcodename
- }
-
- if $::lsbmajdistrelease <= 8 {
- $fallbackmirror = 'http://cdn-fastly.deb.debian.org/debian/'
- } else {
- $fallbackmirror = 'http://deb.debian.org/debian/'
- }
-
- if getfromhash($site::nodeinfo, 'hoster', 'mirror-debian') {
- $mirror = [ getfromhash($site::nodeinfo, 'hoster', 'mirror-debian'), $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
- } else {
- $mirror = [ $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
- }
-
- site::aptrepo { 'debian':
- url => $mirror,
- suite => [ $mungedcodename, "${::lsbdistcodename}-backports", "${::lsbdistcodename}-updates" ],
- components => ['main','contrib','non-free']
- }
- site::aptrepo { 'security':
- url => [ 'http://security-cdn.debian.org/', 'http://security.anycast-test.mirrors.debian.org/debian-security/', 'http://security.debian.org/' ],
- suite => "${mungedcodename}/updates",
- components => ['main','contrib','non-free']
- }
-
- if has_role('experimental_apache') {
- $dbdosuites = [ 'debian-all', $::lsbdistcodename, 'jessie-apache2' ]
- } else {
- $dbdosuites = [ 'debian-all', $::lsbdistcodename ]
- }
- site::aptrepo { 'db.debian.org':
- url => 'http://db.debian.org/debian-admin',
- suite => $dbdosuites,
- components => 'main',
- key => 'puppet:///modules/debian-org/db.debian.org.gpg',
- }
-
- if ($::hostname in [] or $::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
- site::aptrepo { 'proposed-updates':
- url => $mirror,
- suite => "${mungedcodename}-proposed-updates",
- components => ['main','contrib','non-free']
- }
- } else {
- site::aptrepo { 'proposed-updates':
- ensure => absent,
- }
- }
-
- site::aptrepo { 'debian-cdn':
- ensure => absent,
- }
- site::aptrepo { 'debian.org':
- ensure => absent,
- }
- site::aptrepo { 'debian2':
- ensure => absent,
- }
- site::aptrepo { 'backports2.debian.org':
- ensure => absent,
- }
- site::aptrepo { 'backports.debian.org':
- ensure => absent,
- }
- site::aptrepo { 'volatile':
- ensure => absent,
- }
- site::aptrepo { 'db.debian.org-suite':
- ensure => absent,
- }
- site::aptrepo { 'debian-lts':
- ensure => absent,
- }
-
-
-
-
- file { '/etc/apt/trusted-keys.d':
- ensure => absent,
- force => true,
- }
-
- file { '/etc/apt/trusted.gpg':
- mode => '0600',
- content => "",
- }
-
- file { '/etc/apt/preferences':
- source => 'puppet:///modules/debian-org/apt.preferences',
- }
- file { '/etc/apt/apt.conf.d/local-compression':
- source => 'puppet:///modules/debian-org/apt.conf.d/local-compression',
- }
- file { '/etc/apt/apt.conf.d/local-recommends':
- source => 'puppet:///modules/debian-org/apt.conf.d/local-recommends',
- }
- file { '/etc/apt/apt.conf.d/local-pdiffs':
- source => 'puppet:///modules/debian-org/apt.conf.d/local-pdiffs',
- }
- file { '/etc/apt/apt.conf.d/local-langs':
- source => 'puppet:///modules/debian-org/apt.conf.d/local-langs',
- }
-
- exec { 'apt-get update':
- path => '/usr/bin:/usr/sbin:/bin:/sbin',
- onlyif => '/usr/local/bin/check_for_updates',
- require => File['/usr/local/bin/check_for_updates']
- }
- Exec['apt-get update']->Package<| tag == extra_repo |>
-}
+++ /dev/null
-# == Class: debian-org
-#
-# Stuff common to all debian.org servers
-#
-class debian-org {
- include debian-org::apt
-
- if $systemd {
- include systemd
- $servicefiles = 'present'
- } else {
- $servicefiles = 'absent'
- }
-
- $debianadmin = [
- 'debian-archive-debian-samhain-reports@master.debian.org',
- 'debian-admin@ftbfs.de',
- 'weasel@debian.org',
- 'steve@lobefin.net',
- 'zumbi@oron.es'
- ]
-
- package { [
- 'klogd',
- 'sysklogd',
- 'rsyslog',
- 'os-prober',
- 'apt-listchanges',
- ]:
- ensure => purged,
- }
- package { [
- 'debian.org',
- 'dsa-munin-plugins',
- ]:
- ensure => installed,
- tag => extra_repo,
- }
- file { '/etc/ssh/ssh_known_hosts':
- ensure => present,
- replace => false,
- mode => '0644',
- source => 'puppet:///modules/debian-org/basic-ssh_known_hosts'
- }
-
- if ($::lsbmajdistrelease >= 8) {
- $rubyfs_package = 'ruby-filesystem'
- } else {
- $rubyfs_package = 'libfilesystem-ruby1.9'
- }
- package { [
- 'apt-utils',
- 'bash-completion',
- 'dnsutils',
- 'less',
- 'lsb-release',
- $rubyfs_package,
- 'mtr-tiny',
- 'nload',
- 'pciutils',
- 'lldpd',
- ]:
- ensure => installed,
- }
-
- munin::check { [
- 'cpu',
- 'entropy',
- 'forks',
- 'interrupts',
- 'iostat',
- 'irqstats',
- 'load',
- 'memory',
- 'open_files',
- 'open_inodes',
- 'processes',
- 'swap',
- 'uptime',
- 'vmstat',
- ]:
- }
-
- if getfromhash($site::nodeinfo, 'broken-rtc') {
- package { 'fake-hwclock':
- ensure => installed,
- tag => extra_repo,
- }
- }
-
- package { 'molly-guard':
- ensure => installed,
- }
- file { '/etc/molly-guard/run.d/10-check-kvm':
- mode => '0755',
- source => 'puppet:///modules/debian-org/molly-guard/10-check-kvm',
- require => Package['molly-guard'],
- }
- file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
- mode => '0755',
- source => 'puppet:///modules/debian-org/molly-guard/15-acquire-reboot-lock',
- require => Package['molly-guard'],
- }
-
- augeas { 'inittab_replicate':
- context => '/files/etc/inittab',
- changes => [
- 'set ud/runlevels 2345',
- 'set ud/action respawn',
- 'set ud/process "/usr/bin/ud-replicated -d"',
- ],
- notify => Exec['init q'],
- }
-
-
- file { '/etc/facter':
- ensure => directory,
- purge => true,
- force => true,
- recurse => true,
- source => 'puppet:///files/empty/',
- }
- file { '/etc/facter/facts.d':
- ensure => directory,
- }
- file { '/etc/facter/facts.d/debian_facts.yaml':
- content => template('debian-org/debian_facts.yaml.erb')
- }
- file { '/etc/timezone':
- source => 'puppet:///modules/debian-org/timezone',
- notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
- }
- if $::hostname == handel {
- include puppetmaster::db
- $dbpassword = $puppetmaster::db::password
- }
- file { '/etc/puppet/puppet.conf':
- content => template('debian-org/puppet.conf.erb'),
- mode => 0440,
- group => 'puppet',
- }
- file { '/etc/default/puppet':
- source => 'puppet:///modules/debian-org/puppet.default',
- }
- file { '/etc/systemd':
- ensure => directory,
- mode => 0755,
- }
- file { '/etc/systemd/system':
- ensure => directory,
- mode => 0755,
- }
- file { '/etc/systemd/system/ud-replicated.service':
- ensure => $servicefiles,
- source => 'puppet:///modules/debian-org/ud-replicated.service',
- notify => Exec['systemctl daemon-reload'],
- }
- if $systemd {
- file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service':
- ensure => 'link',
- target => '../ud-replicated.service',
- notify => Exec['systemctl daemon-reload'],
- }
- }
- file { '/etc/systemd/system/puppet.service':
- ensure => 'link',
- target => '/dev/null',
- notify => Exec['systemctl daemon-reload'],
- }
- file { '/etc/systemd/system/proc-sys-fs-binfmt_misc.automount':
- ensure => 'link',
- target => '/dev/null',
- notify => Exec['systemctl daemon-reload'],
- }
-
- file { '/etc/cron.d/dsa-puppet-stuff':
- content => template('debian-org/dsa-puppet-stuff.cron.erb'),
- require => Package['debian.org'],
- }
- file { '/etc/ldap/ldap.conf':
- require => Package['debian.org'],
- content => template('debian-org/ldap.conf.erb'),
- }
- file { '/etc/pam.d/common-session':
- require => Package['debian.org'],
- content => template('debian-org/pam.common-session.erb'),
- }
- file { '/etc/pam.d/common-session-noninteractive':
- require => Package['debian.org'],
- content => template('debian-org/pam.common-session-noninteractive.erb'),
- }
- file { '/etc/rc.local':
- mode => '0755',
- content => template('debian-org/rc.local.erb'),
- notify => Exec['service rc.local restart'],
- }
- file { '/etc/dsa':
- ensure => directory,
- mode => '0755',
- }
- file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
- source => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore',
- require => Package['debian.org']
- }
- file { '/etc/nsswitch.conf':
- mode => '0755',
- source => 'puppet:///modules/debian-org/nsswitch.conf',
- }
-
- file { '/etc/profile.d/timeout.sh':
- mode => '0555',
- source => 'puppet:///modules/debian-org/etc.profile.d/timeout.sh',
- }
- file { '/etc/zsh':
- ensure => directory,
- }
- file { '/etc/zsh/zprofile':
- mode => '0444',
- source => 'puppet:///modules/debian-org/etc.zsh/zprofile',
- }
-
- # set mmap_min_addr to 4096 to mitigate
- # Linux NULL-pointer dereference exploits
- site::sysctl { 'mmap_min_addr':
- ensure => absent
- }
- site::sysctl { 'perf_event_paranoid':
- key => 'kernel.perf_event_paranoid',
- value => '2',
- }
- site::sysctl { 'puppet-vfs_cache_pressure':
- key => 'vm.vfs_cache_pressure',
- value => '10',
- }
- site::alternative { 'editor':
- linkto => '/usr/bin/vim.basic',
- }
- site::alternative { 'view':
- linkto => '/usr/bin/vim.basic',
- }
- mailalias { 'samhain-reports':
- ensure => present,
- recipient => $debianadmin,
- require => Package['debian.org']
- }
-
- file { '/usr/local/bin/check_for_updates':
- source => 'puppet:///modules/debian-org/check_for_updates',
- mode => '0755',
- owner => root,
- group => root,
- }
-
- exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
- path => '/usr/bin:/usr/sbin:/bin:/sbin',
- refreshonly => true
- }
- exec { 'service puppetmaster restart':
- refreshonly => true
- }
- exec { 'service rc.local restart':
- refreshonly => true
- }
- exec { 'init q':
- refreshonly => true
- }
-
- exec { 'systemctl daemon-reload':
- refreshonly => true,
- onlyif => "test -x /bin/systemctl"
- }
-
- exec { 'systemd-tmpfiles --create --exclude-prefix=/dev':
- refreshonly => true,
- onlyif => "test -x /bin/systemd-tmpfiles"
- }
-
- tidy { '/var/lib/puppet/clientbucket/':
- age => '2w',
- recurse => 9,
- type => ctime,
- matches => [ 'paths', 'contents' ],
- schedule => weekly
- }
-
- file { '/root/.bashrc':
- source => 'puppet:///modules/debian-org/root-dotfiles/bashrc',
- }
- file { '/root/.profile':
- source => 'puppet:///modules/debian-org/root-dotfiles/profile',
- }
- file { '/root/.selected_editor':
- source => 'puppet:///modules/debian-org/root-dotfiles/selected_editor',
- }
- file { '/root/.screenrc':
- source => 'puppet:///modules/debian-org/root-dotfiles/screenrc',
- }
- file { '/root/.tmux.conf':
- source => 'puppet:///modules/debian-org/root-dotfiles/tmux.conf',
- }
- file { '/root/.vimrc':
- source => 'puppet:///modules/debian-org/root-dotfiles/vimrc',
- }
-}
+++ /dev/null
-class debian-org::radvd {
- site::sysctl { 'dsa-accept-ra-default':
- key => 'net.ipv6.conf.default.accept_ra',
- value => 0,
- }
- site::sysctl { 'dsa-accept-ra-all':
- key => 'net.ipv6.conf.all.accept_ra',
- value => 0,
- }
-}
+++ /dev/null
----
-1und1-sec:
- netrange:
- - 195.20.242.64/26
- - 212.227.126.32/27
- - 2001:8d8:2:1::/64
-accumu:
- netrange:
- - 130.236.0.0/14
- - 2001:06B0:000E::/48
-aql:
- netrange:
- - 141.170.6.144/28
- mirror-debian: http://ftp.uk.debian.org/debian/
-arm:
- netrange:
- - 217.140.96.0/22
- entropy_provider_hoster: sil
- mirror-debian: http://mirror.bytemark.co.uk/debian/
-brown:
- netrange:
- - 138.16.160.0/24
- # all hosts have their own recursor
- #mirror-debian: file:///srv/ftp-master.debian.org/mirror/ftp-master/
- mirror-debian: http://ftp.us.debian.org/debian
-br:
- # rename to c3sl
- # University Federal do Parana (.br)
- netrange:
- - 200.17.192.0/19
-bytemark:
- netrange:
- - 5.153.231.0/24
- - 89.16.160.112/29
- - 2001:41c8:1000::/48
- - 2001:41c8:61::/125
- mirror-debian: http://mirror.bm.debian.org/debian
-carnet:
- netrange:
- - 193.198.0.0/16
-anu:
- netrange:
- - 150.203.164.0/24
- - 2001:388:1034:2900::/64
- #mirror-debian: http://mirror.linux.org.au/debian
- #mirror-debian: http://ftp.au.debian.org/debian
-conova:
- netrange:
- - 217.196.149.224/28
- mirror-debian: http://mirror.netcologne.de/debian/
-csail:
- netrange:
- - 128.31.0.0/24
- mirror-debian: http://debian.csail.mit.edu/debian/
-dgi:
- netrange:
- - 93.94.130.128/26
-freenet:
- netrange:
- - 62.104.0.0/16
-gatech:
- netrange:
- - 128.61.240.0/23
- mirror-debian: http://debian.gtisc.gatech.edu/debian/
-grnet:
- netrange:
- - 194.177.211.192/27
- - 2001:648:2ffc:deb::/64
- mirror-debian: http://ftp.gr.debian.org/debian/
-helsinki:
- netrange:
- - 193.167.160.0/23
- # all hosts have their own recursor
-isc:
- netrange:
- - 149.20.0.0/16
- - 2001:4F8::/32
-uni-karlsruhe:
- # rename to karlsruhe
- netrange:
- - 129.143.160.0/29
- - 2001:7c0:400:1337::/64
- mirror-debian: http://ftp-stud.hs-esslingen.de/debian/
-linaro:
- netrange:
- - 64.28.108.83/32
- - 64.28.108.84/32
- - 64.28.108.85/32
- mirror-debian: http://ftp.us.debian.org/debian/
-'man-da':
- netrange:
- - 82.195.75.64/26
- - 2001:41b8:202:deb::/64
- #mirror-debian: http://debian.netcologne.de/debian/ [currently unstable]
- mirror-debian: http://ftp.de.debian.org/debian/
-leaseweb:
- netrange:
- - 185.17.185.176/28
- #mirror-debian: http://mirror.nl.leaseweb.net/debian/
-marist:
- netrange:
- - 148.100.0.0/16
- mirror-debian: http://ftp.us.debian.org/debian/
-osuosl:
- netrange:
- - 140.211.0.0/16
- mirror-debian: http://debian.osuosl.org/debian
-sakura:
- netrange:
- - 133.242.99.74/32
-sanger:
- netrange:
- - 193.62.202.24/29
- #resolvoptions: [single-request]
- mirror-debian: http://mirror.bytemark.co.uk/debian/
-scanplus:
- netrange:
- - 212.211.132.0/26
- - 212.211.132.248/29
- - 2001:a78::/64
-sil:
- netrange:
- - 86.59.118.144/28
- - 2001:858:2:2::/64
- mirror-debian: http://ftp.at.debian.org/debian/
-ubc:
- netrange:
- - 209.87.16.0/24
- - 2607:F8F0:614:1::/64
- # old range:
- - 206.12.19.0/24
- - 2607:f8f0:610:4000::/64
- mirror-debian: http://mirror-ubc.debian.org/debian/
-ugent:
- netrange:
- - 157.193.0.0/16
-umn:
- netrange:
- - 128.101.240.212
-unicamp:
- netrange:
- - 177.220.0.0/17
- mirror-debian: http://ftp.br.debian.org/debian/
-utwente:
- netrange:
- - 130.89.0.0/16
- - 2001:0610:1908::/48
- # broken with dnssec
-xs4all:
- # should be deleted
- netrange:
- - 194.109.137.216/29
- - 2001:888:2000:12::/64
-ynic:
- netrange:
- - 144.32.168.64/28
- mirror-debian: http://ftp.uk.debian.org/debian
-zivit:
- netrange:
- - 80.245.144.0/22
- mirror-debian: http://debian.netcologne.de/debian/
-
-# vim:set et sts=2 ts=2 sw=2:
+++ /dev/null
----
-nameinfo:
- aagaard.debian.org: Thorvald Aagaard (June 8th, 1877 - March 22nd, 1937)
- abel.debian.org: Carl Friedrich Abel (1723 - 1787)
- acker.debian.org: Dieter Acker (November 3rd, 1940 - May 27th, 2006)
- adayevskaya.debian.org: Ella Georgiyevna Adayevskaya (February, 22nd 1846 [O.S. February 10th] - July 26th, 1926)
- antheil.debian.org: George Antheil (1900 - 1959)
- arnold.debian.org: Malcolm Henry Arnold (1921 - 2006)
- asachi.debian.org: Elena Asachi (1789 - 1877)
- barriere.debian.org: Jean-Baptiste Barrière (May 2nd, 1707 - June 6th, 1747)
- beach.debian.org: Amy Marcy Cheney Beach (September 5th, 1867 - December 27th, 1944)
- beethoven.debian.org: Ludwig van Beethoven (December 16th, 1770 - March 26th, 1827)
- bendel.debian.org: Franz Bendel (March 23rd, 1833 - July 3rd, 1874)
- binet.debian.org: Jocelyne Binet (September 27th, 1923 - January 13th, 1968)
- boott.debian.org: Francis Boott (June 24th, 1813 - March 1st, 1904)
- busoni.debian.org: Ferruccio Dante Michelangiolo Benvenuto Busoni (April 1st, 1866 - July 27th, 1924)
- buxtehude.debian.org: Dieterich Buxtehude (c. 1637 to 1639 - May 9th, 1707)
- byrd.debian.org: William Byrd (1543 - July 4th, 1623)
- casulana.debian.org: Maddalena Casulana (c. 1544 - c. 1590)
- clementi.debian.org: Muzio Clementi (January 23rd, 1752 - March 10th, 1832)
- coccia.debian.org: Maria Rosa Coccia (January 4th, 1759 - November 1833)
- czerny.debian.org: Carl Czerny (February 21st, 1791 - July 15th, 1857)
- danzi.debian.org: Franz Ignaz Danzi (June 15th, 1763 - April 13th, 1826)
- delfin.debian.org: Carmelina Delfin (c. 1900 - after 1948)
- diabelli.debian.org: Anton Diabelli (September 5th, 1781 - April 7th, 1858)
- dinis.debian.org: Dinis of Portugal (October 9th, 1261 - January 7th, 1325)
- dillon.debian.org: Fannie Charles Dillon (March 16th, 1881 - February 21st, 1947)
- donizetti.debian.org: Gaetano Donizetti (November 29th, 1797 - April 8th, 1848)
- draghi.debian.org: Antonio Draghi (1635 - January 16th, 1700)
- eberlin.debian.org: Johann Ernst Eberlin (March 1702 27th - June 19th, 1762)
- eller.debian.org: Heino Eller (March 7th, 1887 - June 16th, 1970)
- elgar.debian.org: Edward Elgar (1857 - 1934)
- falla.debian.org: Manuel de Falla y Matheu (November 23rd, 1876 - November 14th, 1946)
- fano.debian.org: Guido Alberto Fano (March 18th, 1875 - August 14th, 1961)
- fasolo.debian.org: Giovanni Battista Fasolo, O.F.M. (ca. 1598 - after 1664)
- fayrfax.debian.org: Robert Fayrfax (April 23rd, 1464 - October 24th, 1521)
- fils.debian.org: Anton Fils (September 22nd, 1733 (baptized) - March 14th, 1760 (buried))
- finzi.debian.org: Gerald Raphael Finzi (July 14th, 1901 - September 27th, 1956)
- fischer.debian.org: Johann Caspar Ferdinand Fischer (September 9th, 1656 - August 27th, 1746)
- gideon.debian.org: Miriam Gideon (October 23rd, 1906 - June 18th, 1996)
- gigault.debian.org: Nicolas Gigault (ca. 1627 - August 20th, 1707)
- gombert.debian.org: Nicolas Gombert (c. 1495 - c. 1560)
- gretchaninov: Alexander Tikhonovich Gretchaninov (October 25th, 1864 - January 3rd, 1956)
- handel.debian.org: Georg Friedrich Händel (February 23rd, 1685 - April 14th, 1759)
- harris.debian.org: Sir William Henry Harris (March 28th, 1883 - September 6th, 1973)
- hartmann.debian.org: Karl Amadeus Hartmann (August 2nd, 1905 - December 5th, 1963)
- hasse.debian.org: Johann Adolph Hasse (March 25th, 1699 - December 16th, 1783)
- henze.debian.org: Hans Werner Henze (July 1st, 1926 - October 27th, 2012)
- hoiby.debian.org: Lee Henry Hoiby (February 17th, 1926 - March 28th, 2011)
- jerea.debian.org: Hilda Jerea (March 17th, 1916 - May 14th, 1980)
- kaufmann.debian.org: Georg Friedrich Kauffmann (February 14th, 1679 - February 27th, 1735)
- klecker.debian.org: Dedicated to Joel 'Espy' Klecker (1979 - July 11th, 2000)
- lindsay.debian.org: Maria Lindsay Bliss (May 15th, 1827 - April 3rd, 1898)
- lotti.debian.org: Antonio Lotti (ca. 1667 - January 5th, 1740)
- lully.debian.org: Jean-Baptiste de Lully (November 28th, 1632 - March 22nd, 1687)
- mailly.debian.org: Alphonse Jean Ernest Mailly (November 27th, 1833 - January 10th, 1918)
- melartin.debian.org: Erkki Melartin (February 7th, 1875 - February 14th, 1937)
- menotti.debian.org: Gian Carlo Menotti (July 7th, 1911 - February 1st, 2007)
- manziarly.debian.org: Marcelle de Manziarly (October 1st/13th, 1899 - May 12th, 1989)
- mekeel.debian.org: Joyce Mekeel (July 6th, 1931 - Dec 29th, 1997)
- milanollo.debian.org: Teresa Milanollo (August 28th, 1827 - October 25th, 1904)
- minkus.debian.org: Ludwig Minkus (March 23rd 1826 - December 7th, 1917)
- muffat.debian.org: George Muffat (June 1st, 1653 - February 23rd, 1704)
- nono.debian.org: Luigi Nono (January 29th, 1924 - May 8th, 1990)
- olin.debian.org: Elisabeth Olin (December 1740 - March 26th, 1828)
- paradis.debian.org: Maria Theresia Paradis (May 15th, 1759 - February 1st, 1824)
- partch.debian.org: Harry Partch (June 24th, 1901 - September 3rd, 1974)
- pejacevic: Dora Pejačević (September 10th, 1885 - March 5th, 1923)
- petrova.debian.org: Mara Petrova (May 15th, 1921 - June 7th. 1997)
- pettersson.debian.org: Gustav Allan Pettersson (September 19th, 1911 - June 20th, 1980)
- philp.debian.org: Elizabeth Philp (1827 - November 26th, 1885)
- picconi.debian.org: Maria Antonietta Picconi (September 23rd, 1869 - 1926)
- pieta.debian.org: Michielina della Pietà (fl. ca. 1700 - 1744)
- pinel.debian.org: Julie Pinel (fl. 1710 - 1737)
- pizzetti.debian.org: Ildebrando Pizzetti (20 September 1880 - 13 February 1968)
- plummer.debian.org: John Plummer (c. 1410 - c. 1483)
- porpora.debian.org: Niccolò (Antonio) Porpora (17 August 1686 - 3 March 1768)
- porta.debian.org: Giovanni Porta (c. 1675 - 21 June 1755)
- praetorius.debian.org: Hieronymus Praetorius (August 10th, 1560 - January 27th, 1629)
- prokofiev.debian.org: Sergei Sergeyevich Prokofiev (April 27th, 1891 - March 5th, 1953)
- quantz.debian.org: Johann Joachim Quantz (January 30th, 1697 - July 12th, 1773)
- rachmaninoff: Sergei Vasilievich Rachmaninoff (1 April 1873 - 28 March 1943)
- rainier.debian.org: Ivy Priaulx Rainier (February 3rd, 1903 - October 10th, 1986)
- rapoport.debian.org: Eda Rothstein Rapoport (December 25th, 1890 - May 9th, 1968)
- reger.debian.org: Johann Baptist Joseph Maximilian Reger (March 19th, 1873 - May 11th, 1916)
- respighi.debian.org: Elsa Respighi (née Olivieri-Sangiacomo) (March 24th, 1894 - March 17th, 1996)
- sallinen.debian.org: Aulis Sallinen (born April 9, 1935)
- santoro.debian.org: Cláudio Santoro (November 23rd, 1919 - March 27th, 1989)
- schumann.debian.org: Robert Alexander Schumann (June 8th, 1810 - July 29th, 1856)
- sechter.debian.org: Simon Sechter (October 11th, 1788 - September 10th, 1867)
- seger.debian.org: Josef Seger (March 21st, 1716 - April 22nd, 1782)
- senfter.debian.org: Johanna Senfter (November, 27th, 1879 - August 11th, 1961)
- setoguchi.debian.org: 瀬戸口藤吉, Tokichi Setoguchi (June 28th, 1868 - November 8th, 1941)
- sibelius.debian.org: Jean Sibelius (December 8th, 1865 - September 20th, 1957)
- smetana.debian.org: Bedřich Smetana (March 2nd, 1824 - May 12th, 1884)
- sonntag.debian.org: Brunhilde Sonntag (September 27th, 1936 - December 18th, 2002)
- sor.debian.org: Fernando Sor (February 14th, 1778 - July 10th, 1839)
- soriano.debian.org: Francesco Soriano (1548 or 1549 - July 19th, 1621)
- stockhausen.debian.org: Karlheinz Stockhausen (August 22nd, 1928 - December 5th, 2007)
- storace.debian.org: Stephen Storace (April 4th, 1762 - March 19th, 1796)
- spontini.debian.org: Gaspare Luigi Pacifico Spontini (November 14th, 1774 - January 24th, 1851)
- tate.debian.org: Phyllis Tate (April 6th, 1911 - May 29th, 1987)
- tchaikovsky.debian.org: Pyotr Ilyich Tchaikovsky (Пётр Ильич Чайковский) (May 7th, 1840 - November 6th, 1893)
- ticharich.debian.org: Zdenka Ticharich (September 26th, 1900 - February 15th, 1979)
- tye.debian.org: Christopher Tye (c.1505 - 1573)
- ullmann.debian.org: Viktor Ullmann (January 1st, 1898 - October 17th, 1944)
- usper.debian.org: Francesco Usper (November 1st, 1561 - February 24th, 1641)
- vento.debian.org: Ivo de Vento (1543/1545 - 1575)
- vittoria.debian.org: Tomás Luis da Vittoria (ca. 1548 - August 27th, 1611)
- vogler.debian.org: Georg Joseph Vogler (June 15th, 1749 - May 6th, 1814)
- wieck.debian.org: Clara Josephine Wieck (September 13th, 1819 - May 20th, 1896)
- wilder.debian.org: Alec Wilder (February 16th, 1907 - December 24th, 1980)
- wolkenstein.debian.org: Oswald von Wolkenstein (1377 - August 2nd, 1445)
- wuiet.debian.org: Caroline Wuiet (1766 - 1835)
- zandonai.debian.org: Riccardo Zandonai (May 30th, 1883 - June 5th, 1944)
- zani.debian.org: Andrea Teodoro Zani (November 11th, 1696 - September 28th, 1757)
- zelenka.debian.org: Jan Dismas Zelenka (October 16th, 1679 - December 23rd, 1745)
- zemlinsky.debian.org: Alexander von Zemlinsky (October 14th, 1871 - March 15th 1942)
-footer:
- dummy: foo
- #zandonai.debian.org: "Debian s390 buildd system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]"
- #zelenka.debian.org: "Debian s390 porter system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]"
-host_settings:
- heavy_exim:
- # mail front-ends
- - mailly.debian.org
- - muffat.debian.org
- # other mail receivers
- - buxtehude.debian.org
- - draghi.debian.org
- - master.debian.org
- - nono.debian.org
- - picconi.debian.org
- - pinel.debian.org
- - quantz.debian.org
- - reger.debian.org
- - tye.debian.org
- - vento.debian.org
- - wuiet.debian.org
- not-bacula-client:
- # porterbox
- - abel.debian.org
- - asachi.debian.org
- - barriere.debian.org
- - binet.debian.org
- - eller.debian.org
- - falla.debian.org
- - fischer.debian.org
- - harris.debian.org
- - minkus.debian.org
- - partch.debian.org
- - pizzetti.debian.org
- - plummer.debian.org
- - smetana.debian.org
- - zelenka.debian.org
- # buildd
- - antheil.debian.org
- - arm-arm-01.debian.org
- - arm-arm-02.debian.org
- - arm-arm-03.debian.org
- - arm-arm-04.debian.org
- - arm-conova-01.debian.org
- - arm-conova-02.debian.org
- - arm-conova-03.debian.org
- - arm-conova-04.debian.org
- - arm-linaro-01.debian.org
- - arm-linaro-03.debian.org
- - arnold.debian.org
- - eberlin.debian.org
- - fano.debian.org
- - fayrfax.debian.org
- - fils.debian.org
- - finzi.debian.org
- - hartmann.debian.org
- - hasse.debian.org
- - henze.debian.org
- - hoiby.debian.org
- - mips-aql-01.debian.org
- - mips-aql-02.debian.org
- - mips-aql-04.debian.org
- - mips-aql-05.debian.org
- - mips-aql-06.debian.org
- - mips-sil-01.debian.org
- - mips-manda-01.debian.org
- - mipsel-aql-01.debian.org
- - mipsel-aql-02.debian.org
- - mipsel-aql-03.debian.org
- - mipsel-manda-01.debian.org
- - mipsel-manda-02.debian.org
- - mipsel-manda-03.debian.org
- - mipsel-sil-01.debian.org
- - porpora.debian.org
- - powerpc-osuosl-01.debian.org
- - powerpc-unicamp-01.debian.org
- - ppc64el-osuosl-01.debian.org
- - ppc64el-unicamp-01.debian.org
- - praetorius.debian.org
- - spontini.debian.org
- - x86-grnet-01.debian.org
- - zandonai.debian.org
- - zani.debian.org
- - zemlinsky.debian.org
- - x86-bm-01.debian.org
- - x86-csail-01.debian.org
- - x86-csail-02.debian.org
- - x86-ubc-01.debian.org
- broken-rtc:
- - abel.debian.org
- - antheil.debian.org
- - arm-arm-01.debian.org
- - arm-arm-02.debian.org
- - arm-arm-03.debian.org
- - arnold.debian.org
- - eller.debian.org
- - harris.debian.org
- - hasse.debian.org
- - henze.debian.org
- - hoiby.debian.org
- - mips-aql-01.debian.org
- - mips-aql-02.debian.org
- - mips-aql-04.debian.org
- - mips-aql-05.debian.org
- - mips-aql-06.debian.org
- - mips-manda-01.debian.org
- - mips-sil-01.debian.org
- - mipsel-aql-03.debian.org
- - mipsel-manda-03.debian.org
- - mipsel-sil-01.debian.org
- mail_port:
- klecker.debian.org: 2025
- zani.debian.org: 587
- no_munin:
- - fano.debian.org
- entropy_key:
- - czerny.debian.org
- - grnet-node01.debian.org
- # - ubc-bl2.debian.org
- - storace.debian.org
- buildd_master:
- - wuiet.debian.org
+++ /dev/null
----
-hoster: <%= scope.lookupvar('site::nodeinfo')['hoster']['name'] %>
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-SHELL=/bin/bash
-@hourly root [ ! -d /var/cache/dsa ] || touch /var/cache/dsa/cron.alive
-<% if @lsbmajdistrelease <= '7' -%>
-34 */4 * * * root if [ -x /usr/sbin/puppetd ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/sbin/puppetd -o --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
-<% else -%>
-34 */4 * * * root if [ -x /usr/bin/puppet ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/bin/puppet agent --onetime --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
-<% end -%>
-
-@hourly root sleep $(( $RANDOM \% 300 )); if [ -x /usr/lib/nagios/plugins/dsa-check-stunnel-sanity ] && [ -e /etc/stunnel/puppet-ekeyd.conf ] && ! /usr/lib/nagios/plugins/dsa-check-stunnel-sanity > /dev/null && grep -q '^client = yes' /etc/stunnel/puppet-ekeyd.conf; then /usr/sbin/service stunnel4 restart > /dev/null; fi
-
-@daily munin-async [ -d /var/lib/munin-async ] && find /var/lib/munin-async -maxdepth 1 -type f -mtime +30 -delete
-
-@daily root [ -d /var/lib/puppet/clientbucket ] && find /var/lib/puppet/clientbucket -type f -mtime +60 -delete && find /var/lib/puppet/clientbucket -type d -empty -delete
-
-@hourly root ! [ -x /usr/local/sbin/ntp-restart-if-required ] || /usr/local/sbin/ntp-restart-if-required
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#
-# LDAP Defaults
-#
-
-# See ldap.conf(5) for details
-# This file should be world readable but not world writable.
-
-#BASE dc=example,dc=com
-#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
-
-#SIZELIMIT 12
-#TIMELIMIT 15
-#DEREF never
-
-URI ldap://db.debian.org
-BASE dc=debian,dc=org
-
-TLS_CACERT /etc/ssl/ca-debian/ca-certificates.crt
-TLS_REQCERT hard
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#
-# /etc/pam.d/common-session-noninteractive - session-related modules
-# common to all non-interactive services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of all non-interactive sessions.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session [default=1] pam_permit.so
-# here's the fallback if no module succeeds
-session requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session required pam_unix.so
-# end of pam-auth-update config
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#
-# /etc/pam.d/common-session - session-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session [default=1] pam_permit.so
-# here's the fallback if no module succeeds
-session requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session required pam_unix.so
-# end of pam-auth-update config
-session [success=1 default=ignore] pam_succeed_if.so quiet_fail quiet_success home = /nonexistent
-session optional pam_mkhomedir.so skel=/etc/skel umask=0022
-session optional pam_systemd.so
-session optional pam_permit.so
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-[main]
-logdir=/var/log/puppet
-vardir=/var/lib/puppet
-ssldir=/var/lib/puppet/ssl
-rundir=/var/run/puppet
-factpath=$vardir/lib/facter
-pluginsync=true
-# This is the default environment for all clients
-environment=production
-
-<%- if scope.lookupvar('::hostname') == 'handel' -%>
-modulepath=/etc/puppet/modules:/etc/puppet/3rdparty/modules:/usr/share/puppet/modules
-
-[master]
-environments = production,staging
-reports = store
-config_version = cat /etc/puppet/.config-version
-storeconfigs = true
-thin_storeconfigs = true
-dbadapter=mysql
-dbuser=puppet
-dbpassword=<%= scope.lookupvar('dbpassword') %>
-dbserver=localhost
-
-[production]
-manifestdir=/srv/puppet.debian.org/stages/production/manifests
-fileserverconfig=/srv/puppet.debian.org/stages/production/fileserver.conf
-modulepath=/srv/puppet.debian.org/stages/production/modules:/srv/puppet.debian.org/stages/production/3rdparty/modules
-
-[staging]
-manifestdir=/srv/puppet.debian.org/stages/staging/manifests
-fileserverconfig=/srv/puppet.debian.org/stages/staging/fileserver.conf
-modulepath=/srv/puppet.debian.org/stages/staging/modules:/srv/puppet.debian.org/stages/staging/3rdparty/modules
-<%- end -%>
-
-[agent]
-environments = development,testing,production,staging
-report = true
-configtimeout = 240
+++ /dev/null
-#!/bin/bash
-
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-<%- if hostname == "zani" then -%>
- if [ -n "$(awk '$4 == "dasdb1" && $3 == "249999" {print}' /proc/partitions)" ]; then
- mkswap /dev/dasdb1 && swapon -p 30 /dev/dasdb1
- fi
- if [ -n "$(awk '$4 == "dasdc1" && $3 == "249999" {print}' /proc/partitions)" ]; then
- mkswap /dev/dasdc1 && swapon -p 30 /dev/dasdc1
- fi
-<%- end -%>
-<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
- ( sleep 120;
- service syslog-ng restart;
- sleep 5;
- init q
- ) & disown
-<%- end -%>
-
-if [ -e /proc/sys/kernel/modules_disabled ]; then
- ( sleep 60;
- echo 1 > /proc/sys/kernel/modules_disabled || true
- ) & disown
-fi
-
-touch /var/run/reboot-lock
--- /dev/null
+//
+// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+//
+
+Acquire {
+ CompressionTypes
+ {
+ bz2 "bzip2";
+ lzma "lzma";
+ gz "gzip";
+
+ Order { "gz"; "lzma"; "bz2"; };
+ };
+};
--- /dev/null
+Acquire::Languages { "en"; "none"; };
--- /dev/null
+//
+// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+//
+
+Acquire::PDiffs "false";
--- /dev/null
+//
+// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+//
+
+APT::Install-Recommends 0;
--- /dev/null
+Explanation:
+Explanation: THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+Explanation: USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+Explanation:
+Package: *
+Pin: release o=Debian Backports
+Pin-Priority: 200
+
+Package: sbuild
+Pin: release o=buildd.debian.org
+Pin-Priority: 500
+
+Package: buildd
+Pin: release o=buildd.debian.org
+Pin-Priority: 500
+
+Package: libsbuild-perl
+Pin: release o=buildd.debian.org
+Pin-Priority: 500
+
+Package: *
+Pin: release o=buildd.debian.org
+Pin-Priority: -1
--- /dev/null
+draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106,2001:41b8:202:deb:1a1a:0:52c3:4b6a ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi
--- /dev/null
+#!/bin/bash
+
+parse_dates () {
+ while read url file junk; do
+ url=$(echo $url | sed -e "s/'//g")
+ url_time=$(date -d "$(curl -sqI ${url} | grep Last-Modified: | sed -e 's/Last-Modified: //')" +%s)
+ if [ ! -f "/var/lib/apt/lists/${file}" ]; then
+ return 0
+ fi
+ file_time=$(stat -c %Y /var/lib/apt/lists/${file})
+ if [ $url_time -gt $file_time ]; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+su nobody -c 'apt-get update -s --print-uris' | grep 'Release ' | parse_dates
+exit $?
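Review bot: In parse_dates the `curl`, `stat` and `[ ... -gt ... ]` lines all use unquoted expansions, and the header match `grep Last-Modified:` is case-sensitive, so a response with a lower-cased or missing header leaves the comparison depending on what `date -d` makes of an empty string. Puppet runs this script from an `onlyif`, presumably as root, so the failure mode should be explicit. I would quote the expansions (`curl -sqI "${url}"`, `stat -c %Y "/var/lib/apt/lists/${file}"`) and use `grep -i '^Last-Modified:'`. When no timestamp is obtained, `return 0` should be taken deliberately rather than through a `test` error.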
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+# this is a list of patterns, one per line, of things that puppet's
+# cron output shouldn't mail to us.
+
+^v6: error fetching interface information: Device not found$
+^pcilib: Cannot open /proc/bus/pci$
+^lspci: Cannot find any working access method\.$
+^can't open /proc/dma at /usr/bin/lsdev line 32\.$
+^/usr/lib/ruby/1.9.1/rubygems/custom_require\.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead\.$
+^/usr/lib/ruby/vendor_ruby/puppet/provider/service/freebsd\.rb:[8910]*: warning: class variable access from toplevel$
+^/usr/lib/ruby/vendor_ruby/puppet/provider/service/bsd\.rb:12: warning: class variable access from toplevel$
+^/usr/lib/ruby/vendor_ruby/puppet/type/tidy\.rb:1[0-9][0-9]: warning: class variable access from toplevel$
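Review bot: In the freebsd.rb pattern, `[8910]*` is a character class, so it matches any run of the digits 0, 1, 8 and 9, including an empty one, rather than the line numbers 8, 9 or 10 it appears to be aiming at. Since every pattern here suppresses cron mail, I would keep each one as narrow as possible, e.g. `freebsd\.rb:(8|9|10): warning:` if the matcher supports alternation (the regex dialect is not visible on this page). A one-line comment naming the tool that consumes this file would settle that.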
--- /dev/null
+TMOUT=129600 # a day and a half (36 hrs)
+export TMOUT
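Review bot: `TMOUT` is assigned and exported but not made read-only, so any session can `unset TMOUT` or raise it, and the 36-hour idle limit is only a default. If it is meant as an enforced control, add `readonly TMOUT` after the assignment, guarded so that a nested login shell re-sourcing the file does not error on the second assignment. If a default is all that is intended, a comment such as `# default idle timeout; users may override` would stop it being read as a hard limit.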
--- /dev/null
+#
+# THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+# USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+#
+
+# /etc/zsh/zprofile: system-wide .zprofile file for zsh(1).
+#
+# This file is sourced only for login shells (i.e. shells
+# invoked with "-" as the first character of argv[0], and
+# shells invoked with the -l flag.)
+#
+# Global Order: zshenv, zprofile, zshrc, zlogin
+
+if [ -e /etc/profile.d/timeout.sh ]; then
+ . /etc/profile.d/timeout.sh
+fi
--- /dev/null
+#!/bin/sh
+
+KVMCOUNT=`pgrep -cx '^(qemu-)?kvm$'`
+if [ $KVMCOUNT != 0 ]; then
+ echo "Found $KVMCOUNT qemu-kvm instances running, aborting $MOLLYGUARD_CMD!"
+ exit 1
+fi
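Review bot: `[ $KVMCOUNT != 0 ]` is an unquoted string comparison, so if `pgrep` prints nothing (missing binary, unexpected error) the test itself errors and the script ends with status 0. The guard then fails open and the reboot proceeds. Quote the variable, compare numerically and choose the default on purpose, e.g. `if [ "${KVMCOUNT:-1}" -ne 0 ]; then` to refuse when the count is unknown. A short header comment saying that molly-guard runs this hook and that a non-zero exit aborts `$MOLLYGUARD_CMD` would also help, since the script has none.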
--- /dev/null
+#!/bin/bash
+
+# Copyright 2012 Peter Palfrader
+
+l=/var/run/reboot-lock
+exec 3> $l
+
+if ! flock --exclusive -w 0 3; then
+ echo >&2 "Cannot acquire reboot lock."
+ exit 1
+fi
+echo "Reboot lock acquired."
+
+ppid="$PPID"
+(
+ while kill -0 "$ppid" 2>/dev/null; do
+ sleep 1
+ done
+) &
+disown
+exit 0
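Review bot: The script has no comment explaining the backgrounded loop that waits on `$PPID`, which is the part that makes the lock work. From the visible code, the subshell inherits fd 3 and so keeps the `flock` on /var/run/reboot-lock after this script exits, for as long as the parent process is alive. I would add above `ppid="$PPID"` something like `# the subshell inherits fd 3 and holds the lock until our parent (presumably the molly-guard wrapper) exits`. `exec 3> $l` is also better written `exec 3> "$l"`.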
--- /dev/null
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: compat db
+group: db compat
+shadow: compat db
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+# Defaults for puppet - sourced by /etc/init.d/puppet
+
+# Start puppet on boot?
+START=no
+exit 0
+
+# Startup options
+DAEMON_OPTS="-w 5 --factsync"
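Review bot: The `exit 0` after `START=no` ends whatever script sources this file, so the `DAEMON_OPTS` assignment below it is never reached. The file's own comment says it is sourced by /etc/init.d/puppet, so this looks like a deliberate way to neutralise the init script, but nothing says so. I would add `# exit here so the init script that sources us does nothing at all` above the `exit 0`, and either drop the unreachable `DAEMON_OPTS` line or mark it as kept for reference.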
--- /dev/null
+# ~/.bashrc: executed by bash(1) for non-login shells.
+
+## THIS FILE IS UNDER PUPPET CONTROL.
+## LOCAL CHANGES WILL BE OVERWRITTEN.
+
+if [ "$PS1" ]; then
+ typeset HISTCONTROL=ignoreboth
+ typeset HISTSIZE=50000
+
+ export LS_OPTIONS='--color=auto'
+ eval "`dircolors`"
+ alias ls='ls $LS_OPTIONS'
+ alias ll='ls $LS_OPTIONS -l'
+ alias l='ls $LS_OPTIONS -lA'
+
+ if [ -f /usr/share/bash-completion/bash_completion ]; then
+ . /usr/share/bash-completion/bash_completion
+ fi
+
+ PATH="$PATH:/usr/lib/nagios/plugins"
+fi
+
+# vim: set ft=sh ts=2 sw=2 et ai si:
--- /dev/null
+# ~/.profile: executed by Bourne-compatible login shells.
+
+## THIS FILE IS UNDER PUPPET CONTROL.
+## LOCAL CHANGES WILL BE OVERWRITTEN.
+
+if [ "$BASH" ]; then
+ if [ -f ~/.bashrc ]; then
+ . ~/.bashrc
+ fi
+ if [ "$PS1" ]; then
+ PS1='${debian_chroot:+[$debian_chroot] }\h:\w\$ '
+ fi
+fi
+
+mesg n
+
+# vim: set ft=sh ts=2 sw=2 et ai si:
--- /dev/null
+
+## THIS FILE IS UNDER PUPPET CONTROL.
+## LOCAL CHANGES WILL BE OVERWRITTEN.
+
+
+startup_message off
+deflogin on
+#vbell off
+defscrollback 10000
+defnonblock 5
+
+## set these terminals up to be 'optimal' instead of vt100
+#termcapinfo xterm*|linux*|rxvt*|Eterm* OP
+
+caption always " %?%F%{r}%?%H%{r}%?%F*%: %? %{rd}| %{r}$LOGNAME%{d} | %{b}%-Lw%{b}%50>%{kw}%n%f* %t %{-}%+Lw%<"
+
+# fix screens copy&paste (background-color-erase to on)
+defbce on
+
+# xterm, and urxvt on weasel's jessie systems
+bindkey "^[[1;5D" prev
+bindkey "^[[1;5C" next
+bindkey "^[[1;5A" focus up
+bindkey "^[[1;5B" focus down
+
+# urxvt default Ctrl+left/right/up/down on weasel's stretch systems
+bindkey "^[Od" prev
+bindkey "^[Oc" next
+bindkey "^[Oa" focus up
+bindkey "^[Ob" focus down
+
+# gnome terminal (in screen:
+#bindkey "^[n" screen
+#bindkey "^[O5D" prev
+#bindkey "^[O5C" next
+#bindkey "^[O5A" focus up
+#bindkey "^[O5B" focus down
+
+# urxvt shift+left/right
+#bindkey "^[[d" prev
+#bindkey "^[[c" next
+#bindkey "^[[a" focus up
+#bindkey "^[[b" focus down
--- /dev/null
+SELECTED_EDITOR="/usr/bin/vim"
--- /dev/null
+# mess with the status window
+set -g status-bg colour109
+set -g status-right "[#T]"
+setw -g window-status-current-bg white
+
+bind -n C-Right next-window
+bind -n C-Left previous-window
+
+bind -n C-Up select-pane -U
+bind -n C-Down select-pane -D
+bind | split-window -h
+bind - split-window -v
+
+#set -g default-terminal "screen-it"
+set -g xterm-keys on
+set -sg escape-time 0
--- /dev/null
+" ~/.vimrc - ViM configuration file
+
+" THIS FILE IS UNDER PUPPET CONTROL.
+" LOCAL CHANGES WILL BE OVERWRITTEN.
+
+runtime! debian.vim
+filetype plugin on
+set ai
+:set nocompatible
+:syn on
+:set title
+:set pastetoggle=<F10>
+:set listchars=tab:»·,trail:·
+:set list
+:nmap <F11> :set invlist<return>
+:imap <F11> <C-O>:set invlist<return>
+:set clipboard^=autoselectml guioptions+=A
+let g:Imap_UsePlaceHolders = 1
+let g:Imap_FreezeImap = 1
+:hi MatchParen ctermbg=black
+colorscheme peachpuff
+
+map <F3> :n<return>
+map <F2> :N<return>
+map <F5> :wn<return>
+map <F4> :wN<return>
+map fd ggV/^-- <CR><up>gq
+
+nnoremap <silent> <C-M> :make<return>
+
+nnoremap <silent> <S-left> :bprevious<return>
+nnoremap <silent> <S-right> :bnext<return>
+inoremap <silent> <S-left> <C-O>:bprevious<return>
+inoremap <silent> <S-right> <C-O>:bnext<return>
+
+nnoremap <silent> <C-left> :bprevious<return>
+nnoremap <silent> <C-right> :bnext<return>
+inoremap <silent> <C-left> <C-O>:bprevious<return>
+inoremap <silent> <C-right> <C-O>:bnext<return>
+
+nnoremap <silent> <Esc>[1;2D :bprevious<return>
+nnoremap <silent> <Esc>[1;2C :bnext<return>
+inoremap <silent> <Esc>[1;2D <C-O>:bprevious<return>
+inoremap <silent> <Esc>[1;2C <C-O>:bnext<return>
+
+nnoremap <silent> <Esc>[D :bprevious<return>
+nnoremap <silent> <Esc>[C :bnext<return>
+inoremap <silent> <Esc>[D <C-O>:bprevious<return>
+inoremap <silent> <Esc>[C <C-O>:bnext<return>
+
+nnoremap <silent> <Esc>[d :bprevious<return>
+nnoremap <silent> <Esc>[c :bnext<return>
+inoremap <silent> <Esc>[d <C-O>:bprevious<return>
+inoremap <silent> <Esc>[c <C-O>:bnext<return>
+
+" nnoremap <space><space> :bnew<return>
+nnoremap <silent> <space><left> :bprevious<return>
+nnoremap <silent> <space><right> :bnext<return>
+
+if &term =~ '^screen'
+ " tmux will send xterm-style keys when xterm-keys is on
+ execute "set <xUp>=\e[1;*A"
+ execute "set <xDown>=\e[1;*B"
+ execute "set <xRight>=\e[1;*C"
+ execute "set <xLeft>=\e[1;*D"
+endif
+
+
+
+" wild/tab behavior
+" =================
+set wildmode=longest,list:longest,list:full
+
+" spelling stuff
+" ==============
+set spellfile=~/.vim.spell.en.add
+:nmap <F8> :set invspell<return>
+:imap <F8> <C-O>:set invspell<return>
+
+" Searching and highlighting
+" ==========================
+hi Search cterm=NONE ctermfg=yellow ctermbg=19
+set hlsearch
+nnoremap <CR> :noh<CR><CR>
+
+set tabpagemax=50
+" Do not close buffers we don't see
+set hidden
--- /dev/null
+[Unit]
+Description=Userdir-Ldap Replication Daemon
+Wants=syslog.service
+
+[Service]
+ExecStart=/usr/bin/ud-replicated -d
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+Facter.add(:architecture) do
+ confine :kernel => 'GNU/kFreeBSD'
+ setcode do
+ model = Facter.value(:hardwaremodel)
+ case model
+ when 'x86_64' then "amd64"
+ when /(i[3456]86|pentium)/ then "i386"
+ else
+ model
+ end
+ end
+end
+
+Facter.add(:debarchitecture) do
+ setcode do
+ %x{/usr/bin/dpkg --print-architecture}.chomp
+ end
+end
+
--- /dev/null
+if FileTest.exist?('/usr/sbin/gnt-cluster') and FileTest.exist?('/var/lib/ganeti/ssconf_cluster_name')
+ begin
+ if system('/usr/sbin/gnt-cluster getmaster >/dev/null')
+ Facter.add('cluster') do
+ setcode do
+ open('/var/lib/ganeti/ssconf_cluster_name').read().chomp()
+ end
+ end
+ Facter.add('cluster_nodes') do
+ setcode do
+ open('/var/lib/ganeti/ssconf_node_list').read().split().join(" ")
+ end
+ end
+ end
+ rescue Exception => e
+ end
+end
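Review bot: The empty `rescue Exception => e` around the fact definitions swallows every failure, including interrupts and load errors, so a broken fact silently disappears and any manifest logic keyed on it takes the "absent" branch with no trace. The same construct closes the debsso_skac_crl, mounts, onion and ssh-key fact files later in this commit. I would narrow it and leave a trace, e.g. `rescue StandardError => e` followed by `Facter.debug("cluster fact: #{e}")`, adding `LoadError` in the files that `require` an optional library. The two `open(...).read()` calls also leave the file handle for the garbage collector; `File.read(path)` does the same job and closes it.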
--- /dev/null
+begin
+ require 'etc'
+
+ Facter.add("debsso_skac_crl") do
+ setcode do
+ crl = nil
+ crlfile = '/srv/sso.debian.org/debsso/data/spkac_ca/ca.crl'
+ if FileTest.exist?(crlfile)
+ crl = File.open(crlfile).read
+ end
+ crl
+ end
+ end
+
+rescue Exception => e
+end
+# vim:set et:
+# vim:set ts=4:
+# vim:set shiftwidth=4:
--- /dev/null
+Facter.add("brokenhosts") do
+ brokenhosts = true
+ if FileTest.exist?("/etc/hosts")
+ IO.foreach("/etc/hosts") do |x|
+ x.split.each do |y|
+ if y == Facter.value("fqdn")
+ brokenhosts = false
+ break
+ end
+ end
+ end
+ end
+ setcode do
+ if brokenhosts
+ true
+ else
+ false
+ end
+ end
+end
+
+
--- /dev/null
+Facter.add("v4ips") do
+ confine :kernel => :linux
+ addrs = []
+ if FileTest.exist?("/bin/ip")
+ %x{ip addr list}.each_line do |line|
+ next unless line =~ /\s+inet/
+ next if line =~ /scope (link|host)/
+ if line =~ /\s+inet\s+(\S+)\/\d{1,2} .*/
+ addrs << $1
+ end
+ end
+ end
+ ret = addrs.join(",")
+ if ret.empty?
+ ret = ''
+ end
+ setcode do
+ ret
+ end
+end
+
+Facter.add("v4ips") do
+ confine :kernel => 'GNU/kFreeBSD'
+ setcode do
+ addrs = []
+ output = %x{/sbin/ifconfig}
+
+ output.split(/^\S/).each { |str|
+ if str =~ /inet ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/
+ tmp = $1
+ unless tmp =~ /127\./
+ addrs << tmp
+ break
+ end
+ end
+ }
+
+ ret = addrs.join(",")
+ if ret.empty?
+ ret = ''
+ end
+ ret
+ end
+end
+
+Facter.add("v6ips") do
+ confine :kernel => :linux
+ addrs = []
+ if FileTest.exist?("/bin/ip")
+ %x{ip addr list}.each_line do |line|
+ next unless line =~ /\s+inet/
+ next if line =~ /scope (link|host)/
+ if line =~ /\s+inet6\s+(\S+)\/\d{1,3} .*/
+ addrs << $1
+ end
+ end
+ end
+ ret = addrs.join(",")
+ if ret.empty?
+ ret = ''
+ end
+ setcode do
+ ret
+ end
+end
+
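Review bot: Both Linux blocks (v4ips and v6ips) test for `/bin/ip` but then run `%x{ip addr list}`, which resolves `ip` through PATH, so the binary that was checked is not necessarily the one executed by the agent. Use the absolute path, `%x{/bin/ip addr list}`, as the kFreeBSD block already does with `/sbin/ifconfig`. In the same two blocks the command runs in the body of `Facter.add` rather than inside `setcode`, unlike the kFreeBSD block, so moving it into `setcode` would make the three resolutions consistent.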
--- /dev/null
+{ "LSBRelease" => %r{^LSB Version:\t(.*)$},
+ "LSBDistId" => %r{^Distributor ID:\t(.*)$},
+ "LSBDistRelease" => %r{^Release:\t(.*)$},
+ "LSBDistDescription" => %r{^Description:\t(.*)$},
+ "LSBDistCodeName" => %r{^Codename:\t(.*)$}
+}.each do |fact, pattern|
+ Facter.add(fact) do
+ confine :kernel => 'GNU/kFreeBSD'
+ setcode do
+ unless defined?(lsbdata) and defined?(lsbtime) and (Time.now.to_i - lsbtime.to_i < 5)
+ type = nil
+ lsbtime = Time.now
+ lsbdata = Facter::Util::Resolution.exec('lsb_release -a 2>/dev/null')
+ end
+
+ if pattern.match(lsbdata)
+ $1
+ else
+ nil
+ end
+ end
+ end
+end
+
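Review bot: The five-second cache in the `setcode` block can never hit, because `lsbdata` and `lsbtime` are block locals first assigned inside the `unless`. `defined?(lsbdata)` is therefore false on every call, and `lsb_release -a` runs once per fact. Either drop the guard and the unused `type = nil`, or hoist the cache out of the block, e.g. `lsbdata = nil` before the `.each` and `lsbdata ||= Facter::Util::Resolution.exec('lsb_release -a 2>/dev/null')` inside `setcode`. `pattern.match(lsbdata)` is also reached when the exec returned nothing, so a `return nil if lsbdata.nil?`-style guard would make that case explicit.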
--- /dev/null
+begin
+ require 'filesystem'
+
+ Facter.add("mounts") do
+ ignorefs = ["NFS", "nfs", "nfs4", "nfsd", "afs", "binfmt_misc", "proc", "smbfs",
+ "autofs", "iso9660", "ncpfs", "coda", "devpts", "ftpfs", "devfs",
+ "mfs", "shfs", "sysfs", "cifs", "lustre_lite", "tmpfs", "usbfs", "udf",
+ "fusectl", "fuse.snapshotfs", "rpc_pipefs", "devtmpfs"]
+ mountpoints = []
+ FileSystem.mounts.each do |m|
+ if ((not ignorefs.include?(m.fstype)) && (m.options !~ /bind/))
+ mountpoints << m.mount
+ end
+ end
+ setcode do
+ mountpoints.uniq.sort.join(',')
+ end
+ end
+
+rescue Exception => e
+end
--- /dev/null
+Facter.add("mta") do
+ setcode do
+ mta = "exim4"
+ if FileTest.exist?("/usr/sbin/postfix")
+ mta = "postfix"
+ end
+ mta
+ end
+end
--- /dev/null
+begin
+ require 'json'
+
+ Facter.add("onion_tor_service_hostname") do
+ services = {}
+
+ Dir['/var/lib/tor/onion/*/hostname'].each do |p|
+ dir = File.dirname(p)
+ service = File.basename(dir)
+ hostname = IO.read(p).chomp
+ services[service] = hostname
+ end
+ setcode do
+ services.to_json
+ end
+ end
+
+ Facter.add("onion_balance_service_hostname") do
+ services = {}
+
+ Dir['/etc/onionbalance/private_keys/*.key'].each do |p|
+ service = File.basename(p, '.key')
+ begin
+ services[service] = IO.popen(['/usr/local/bin/tor-onion-name', p]).read.chomp
+ rescue Errno::ENOENT
+ end
+ end
+ setcode do
+ services.to_json
+ end
+ end
+
+
+rescue Exception => e
+end
--- /dev/null
+Facter.add(:operatingsystem) do
+ confine :kernel => 'GNU/kFreeBSD'
+ setcode do
+ if FileTest.exists?("/etc/debian_version")
+ "Debian"
+ end
+ end
+end
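Review bot: This fact calls `FileTest.exists?` while every other fact added in this commit uses `FileTest.exist?`. The plural form is the deprecated alias and is gone from current Ruby releases, so I would write `if FileTest.exist?("/etc/debian_version")` for consistency. The block also returns nil implicitly when the file is missing, which deserves a short comment if intended.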
--- /dev/null
+
+%w{/srv/build-trees
+ /srv/buildd
+ /etc/ssh/ssh_host_ed25519_key
+ /srv/mirrors/debian
+ /srv/mirrors/debian-debug
+ /srv/mirrors/debian-ports
+ /srv/mirrors/debian-security
+ /dev/hwrng
+}.each do |path|
+ Facter.add("has" + path.gsub(/[\/-]/,'_')) do
+ setcode do
+ if FileTest.exist?(path)
+ true
+ else
+ false
+ end
+ end
+ end
+end
--- /dev/null
+Facter.add("smartarraycontroller") do
+ confine :kernel => :linux
+ setcode do
+ if FileTest.exist?("/dev/cciss/")
+ true
+ elsif FileTest.exist?("/sys/module/hpsa/")
+ true
+ else
+ false
+ end
+ end
+end
+
+Facter.add("ThreeWarecontroller") do
+ confine :kernel => :linux
+ setcode do
+ is3w = false
+ if FileTest.exist?("/proc/scsi/scsi")
+ IO.foreach("/proc/scsi/scsi") { |x|
+ is3w = true if x =~ /Vendor: 3ware/
+ }
+ end
+ is3w
+ end
+end
+
+Facter.add("megaraid") do
+ confine :kernel => :linux
+ setcode do
+ if FileTest.exist?("/dev/megadev0")
+ true
+ else
+ false
+ end
+ end
+end
+
+Facter.add("mptraid") do
+ confine :kernel => :linux
+ setcode do
+ if FileTest.exist?("/dev/mptctl") or FileTest.exist?("/dev/mpt0") or FileTest.exist?("/proc/mpt/summary")
+ true
+ else
+ false
+ end
+ end
+end
+
+Facter.add("aacraid") do
+ confine :kernel => :linux
+ setcode do
+ if FileTest.exist?("/dev/aac0")
+ true
+ else
+ false
+ end
+ end
+end
+
+Facter.add("swraid") do
+ confine :kernel => :linux
+ setcode do
+ swraid = false
+ if FileTest.exist?("/proc/mdstat") && FileTest.exist?("/sbin/mdadm")
+ IO.foreach("/proc/mdstat") { |x|
+ swraid = true if x =~ /md[0-9]+ : active/
+ }
+ end
+ swraid
+ end
+end
+
--- /dev/null
+begin
+ require 'etc'
+
+ Facter.add("postgresql_key") do
+ setcode do
+ key = nil
+ keyfile = '/var/lib/postgresql/.ssh/id_rsa.pub'
+ if FileTest.exist?(keyfile)
+ key = File.open(keyfile).read.chomp
+ end
+ key
+ end
+ end
+
+ Facter.add("staticsync_key") do
+ setcode do
+ key = nil
+ keyfile = '/home/staticsync/.ssh/id_rsa.pub'
+ if FileTest.exist?(keyfile)
+ key = File.open(keyfile).read.chomp
+ end
+ key
+ end
+ end
+
+ Facter.add("staticsync_user_exists") do
+ setcode do
+ result = false
+ begin
+ if Etc.getpwnam('staticsync')
+ result = true
+ end
+ rescue ArgumentError
+ end
+ result
+ end
+ end
+
+
+ Facter.add("weblogsync_key") do
+ setcode do
+ key = nil
+ keyfile = '/home/weblogsync/.ssh/id_rsa.pub'
+ if FileTest.exist?(keyfile)
+ key = File.open(keyfile).read.chomp
+ end
+ key
+ end
+ end
+
+ Facter.add("weblogsync_user_exists") do
+ setcode do
+ result = false
+ begin
+ if Etc.getpwnam('weblogsync')
+ result = true
+ end
+ rescue ArgumentError
+ end
+ result
+ end
+ end
+
+
+ Facter.add("buildd_key") do
+ setcode do
+ key = nil
+ keyfile = '/home/buildd/.ssh/id_rsa.pub'
+ if FileTest.exist?(keyfile)
+ key = File.open(keyfile).read.chomp
+ end
+ key
+ end
+ end
+
+ Facter.add("buildd_user_exists") do
+ setcode do
+ result = false
+ begin
+ if Etc.getpwnam('buildd')
+ result = true
+ end
+ rescue ArgumentError
+ end
+ result
+ end
+ end
+
+ Facter.add("portforwarder_key") do
+ setcode do
+ key = nil
+ keyfile = '/home/portforwarder/.ssh/id_rsa.pub'
+ if FileTest.exist?(keyfile)
+ key = File.open(keyfile).read.chomp
+ end
+ key
+ end
+ end
+
+ Facter.add("portforwarder_user_exists") do
+ setcode do
+ result = false
+ begin
+ if Etc.getpwnam('portforwarder')
+ result = true
+ end
+ rescue ArgumentError
+ end
+ result
+ end
+ end
+
+
+
+rescue Exception => e
+end
+# vim:set et:
+# vim:set ts=4:
+# vim:set shiftwidth=4:
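Review bot: The five `*_key` facts return the whole content of a file in a service account's home directory, with only the final newline chomped, so the fact value is whatever that account wrote there. The consumers are not visible on this page, but if the value is later written into an authorized_keys-style file, extra lines or an options prefix would pass straight through. I would accept only a single line that looks like a bare public key. The five copies can also be folded into one loop, as the `has_*` facts in this commit already do. The sketch below changes behaviour in that a malformed file yields nil.

```ruby
# sketch: one loop instead of five copies; nil unless the file holds exactly
# one line that looks like a bare public key (no options prefix)
{
  'postgresql_key'    => '/var/lib/postgresql/.ssh/id_rsa.pub',
  'staticsync_key'    => '/home/staticsync/.ssh/id_rsa.pub',
  'weblogsync_key'    => '/home/weblogsync/.ssh/id_rsa.pub',
  'buildd_key'        => '/home/buildd/.ssh/id_rsa.pub',
  'portforwarder_key' => '/home/portforwarder/.ssh/id_rsa.pub',
}.each do |fact, keyfile|
  Facter.add(fact) do
    setcode do
      key = nil
      if File.file?(keyfile)
        lines = File.readlines(keyfile).map(&:chomp).reject(&:empty?)
        if lines.length == 1 && lines[0] =~ %r{\A[a-z0-9@.-]+ [A-Za-z0-9+/]+=*( .*)?\z}
          key = lines[0]
        end
      end
      key
    end
  end
end
# … unchanged: the *_user_exists facts …
```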
--- /dev/null
+Facter.add("kvmdomain") do
+ setcode do
+ result = false
+ if File.new('/proc/cpuinfo').read().index('QEMU Virtual CPU')
+ result = true
+ end
+ result
+ end
+end
--- /dev/null
+Facter.add("apache2") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/apache2")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("apache2deb9") do
+ setcode do
+ # jessie (deb8) has 2.4.10-.., stretch (deb9) will have 2.4.23 or later.
+ if FileTest.exist?("/usr/sbin/apache2") and system("dpkg --compare-versions $(dpkg-query -W -f='${Version}\n' apache2-bin) gt 2.4.15")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("clamd") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/clamd")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("exim4") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/exim4")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("postfix") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/postfix")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("postgres") do
+ setcode do
+ pg = (FileTest.exist?("/usr/lib/postgresql/8.1/bin/postgres") or
+ FileTest.exist?("/usr/lib/postgresql/8.3/bin/postgres") or
+ FileTest.exist?("/usr/lib/postgresql/8.4/bin/postgres") or
+ FileTest.exist?("/usr/lib/postgresql/9.0/bin/postgres") or
+ FileTest.exist?("/usr/lib/postgresql/9.1/bin/postgres") or
+ FileTest.exist?("/usr/lib/postgresql/9.2/bin/postgres"))
+ if pg
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("postgrey") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/postgrey")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("greylistd") do
+ setcode do
+ FileTest.exist?("/usr/sbin/greylistd")
+ end
+end
+Facter.add("policydweight") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/policyd-weight")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("spamd") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/spamd")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("php5") do
+ php = (FileTest.exist?("/usr/lib/apache2/modules/libphp5.so") or
+ FileTest.exist?("/usr/bin/php5") or
+ FileTest.exist?("/usr/bin/php5-cgi") or
+ FileTest.exist?("/usr/lib/cgi-bin/php5"))
+ setcode do
+ if php
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("php5suhosin") do
+ suhosin=(FileTest.exist?("/usr/lib/php5/20060613/suhosin.so") or
+ FileTest.exist?("/usr/lib/php5/20060613+lfs/suhosin.so"))
+ setcode do
+ if suhosin
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("syslogversion") do
+ setcode do
+ %x{dpkg-query -W -f='${Version}\n' syslog-ng | cut -b1-3}.chomp
+ end
+end
+Facter.add("unbound") do
+ unbound=(FileTest.exist?("/usr/sbin/unbound") and
+ FileTest.exist?("/var/lib/unbound/root.key"))
+ setcode do
+ if unbound
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("munin_async") do
+ setcode do
+ FileTest.exist?("/usr/share/munin/munin-async")
+ end
+end
+Facter.add("samhain") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/samhain")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("systemd") do
+ setcode do
+ init = '/sbin/init'
+ if File.symlink?(init) and File.readlink(init) == "/lib/systemd/systemd"
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("tor_ge_0_2_9") do
+ setcode do
+ system(%{dpkg -l tor >/dev/null 2>&1 && dpkg --compare-versions $(dpkg-query -W -f='${Version}' tor) ge 0.2.9})
+ end
+end
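Review bot: The `postgres` fact enumerates server versions 8.1 through 9.2 by hand, so a host running any other version reports false and silently skips whatever the manifests gate on `$::postgres`. A glob covers every installed version: `pg = !Dir.glob('/usr/lib/postgresql/*/bin/postgres').empty?`. In the same file the `apache2deb9` and `tor_ge_0_2_9` facts pass an unquoted `$(dpkg-query ...)` to `dpkg --compare-versions`. When the package is absent that substitution is empty and dpkg is called with too few arguments, so quoting it would make the failure a clean false.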
--- /dev/null
+Facter.add("systemproductname") do
+ confine :kernel => :linux
+ setcode do
+ if FileTest.exist?("/usr/sbin/dmidecode")
+ %x{/usr/sbin/dmidecode -s system-product-name}.chomp.strip
+ else
+ false
+ end
+ end
+end
+
+Facter.add("hw_can_temp_sensors") do
+ confine :kernel => :linux
+ setcode do
+ if FileTest.exist?("/sys/devices/virtual/thermal/thermal_zone0/temp")
+ true
+ else
+ false
+ end
+ end
+end
--- /dev/null
+# == Class: debian_org
+#
+# Stuff common to all debian.org servers
+#
+class debian_org::apt {
+ if $::lsbmajdistrelease <= '7' {
+ $mungedcodename = $::lsbdistcodename
+ } elsif ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
+ $mungedcodename = "${::lsbdistcodename}-kfreebsd"
+ } else {
+ $mungedcodename = $::lsbdistcodename
+ }
+
+ if $::lsbmajdistrelease <= '8' {
+ $fallbackmirror = 'http://cdn-fastly.deb.debian.org/debian/'
+ } else {
+ $fallbackmirror = 'http://deb.debian.org/debian/'
+ }
+
+ if getfromhash($site::nodeinfo, 'hoster', 'mirror-debian') {
+ $mirror = [ getfromhash($site::nodeinfo, 'hoster', 'mirror-debian'), $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
+ } else {
+ $mirror = [ $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
+ }
+
+ site::aptrepo { 'debian':
+ url => $mirror,
+ suite => [ $mungedcodename, "${::lsbdistcodename}-backports", "${::lsbdistcodename}-updates" ],
+ components => ['main','contrib','non-free']
+ }
+ site::aptrepo { 'security':
+ url => [ 'http://security-cdn.debian.org/', 'http://security.anycast-test.mirrors.debian.org/debian-security/', 'http://security.debian.org/' ],
+ suite => "${mungedcodename}/updates",
+ components => ['main','contrib','non-free']
+ }
+
+ if has_role('experimental_apache') {
+ $dbdosuites = [ 'debian-all', $::lsbdistcodename, 'jessie-apache2' ]
+ } else {
+ $dbdosuites = [ 'debian-all', $::lsbdistcodename ]
+ }
+ site::aptrepo { 'db.debian.org':
+ url => 'http://db.debian.org/debian-admin',
+ suite => $dbdosuites,
+ components => 'main',
+ key => 'puppet:///modules/debian_org/db.debian.org.gpg',
+ }
+
+ if ($::hostname in [] or $::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
+ site::aptrepo { 'proposed-updates':
+ url => $mirror,
+ suite => "${mungedcodename}-proposed-updates",
+ components => ['main','contrib','non-free']
+ }
+ } else {
+ site::aptrepo { 'proposed-updates':
+ ensure => absent,
+ }
+ }
+
+ site::aptrepo { 'debian-cdn':
+ ensure => absent,
+ }
+ site::aptrepo { 'debian.org':
+ ensure => absent,
+ }
+ site::aptrepo { 'debian2':
+ ensure => absent,
+ }
+ site::aptrepo { 'backports2.debian.org':
+ ensure => absent,
+ }
+ site::aptrepo { 'backports.debian.org':
+ ensure => absent,
+ }
+ site::aptrepo { 'volatile':
+ ensure => absent,
+ }
+ site::aptrepo { 'db.debian.org-suite':
+ ensure => absent,
+ }
+ site::aptrepo { 'debian-lts':
+ ensure => absent,
+ }
+
+
+
+
+ file { '/etc/apt/trusted-keys.d':
+ ensure => absent,
+ force => true,
+ }
+
+ file { '/etc/apt/trusted.gpg':
+ mode => '0600',
+ content => "",
+ }
+
+ file { '/etc/apt/preferences':
+ source => 'puppet:///modules/debian_org/apt.preferences',
+ }
+ file { '/etc/apt/apt.conf.d/local-compression':
+ source => 'puppet:///modules/debian_org/apt.conf.d/local-compression',
+ }
+ file { '/etc/apt/apt.conf.d/local-recommends':
+ source => 'puppet:///modules/debian_org/apt.conf.d/local-recommends',
+ }
+ file { '/etc/apt/apt.conf.d/local-pdiffs':
+ source => 'puppet:///modules/debian_org/apt.conf.d/local-pdiffs',
+ }
+ file { '/etc/apt/apt.conf.d/local-langs':
+ source => 'puppet:///modules/debian_org/apt.conf.d/local-langs',
+ }
+
+ exec { 'apt-get update':
+ path => '/usr/bin:/usr/sbin:/bin:/sbin',
+ onlyif => '/usr/local/bin/check_for_updates',
+ require => File['/usr/local/bin/check_for_updates']
+ }
+ Exec['apt-get update']->Package<| tag == extra_repo |>
+}
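Review bot: `$::lsbmajdistrelease <= '7'` and `<= '8'` are string comparisons. Under a parser that orders strings character by character, a two-digit release such as '10' sorts before '7' and '8', so such a host would take the old-release branch and get the `cdn-fastly` fallback mirror. I would compare versions explicitly, e.g. `if versioncmp($::lsbmajdistrelease, '8') <= 0 {`, here and for the `>= '8'` test in the debian_org class. The header comment also still reads `Class: debian_org`, not `debian_org::apt`. The `/etc/apt/trusted.gpg` resource empties the keyring on every run, which deserves a comment saying where repository keys are expected to live instead.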
--- /dev/null
+# == Class: debian_org
+#
+# Stuff common to all debian.org servers
+#
+class debian_org {
+ include debian_org::apt
+
+ if $systemd {
+ include systemd
+ $servicefiles = 'present'
+ } else {
+ $servicefiles = 'absent'
+ }
+
+ $debianadmin = [
+ 'debian-archive-debian-samhain-reports@master.debian.org',
+ 'debian-admin@ftbfs.de',
+ 'weasel@debian.org',
+ 'steve@lobefin.net',
+ 'zumbi@oron.es'
+ ]
+
+ package { [
+ 'klogd',
+ 'sysklogd',
+ 'rsyslog',
+ 'os-prober',
+ 'apt-listchanges',
+ ]:
+ ensure => purged,
+ }
+ package { [
+ 'debian.org',
+ 'dsa-munin-plugins',
+ ]:
+ ensure => installed,
+ tag => extra_repo,
+ }
+ file { '/etc/ssh/ssh_known_hosts':
+ ensure => present,
+ replace => false,
+ mode => '0644',
+ source => 'puppet:///modules/debian_org/basic-ssh_known_hosts'
+ }
+
+ if ($::lsbmajdistrelease >= '8') {
+ $rubyfs_package = 'ruby-filesystem'
+ } else {
+ $rubyfs_package = 'libfilesystem-ruby1.9'
+ }
+ package { [
+ 'apt-utils',
+ 'bash-completion',
+ 'dnsutils',
+ 'less',
+ 'lsb-release',
+ $rubyfs_package,
+ 'mtr-tiny',
+ 'nload',
+ 'pciutils',
+ 'lldpd',
+ ]:
+ ensure => installed,
+ }
+
+ munin::check { [
+ 'cpu',
+ 'entropy',
+ 'forks',
+ 'interrupts',
+ 'iostat',
+ 'irqstats',
+ 'load',
+ 'memory',
+ 'open_files',
+ 'open_inodes',
+ 'processes',
+ 'swap',
+ 'uptime',
+ 'vmstat',
+ ]:
+ }
+
+ if getfromhash($site::nodeinfo, 'broken-rtc') {
+ package { 'fake-hwclock':
+ ensure => installed,
+ tag => extra_repo,
+ }
+ }
+
+ package { 'molly-guard':
+ ensure => installed,
+ }
+ file { '/etc/molly-guard/run.d/10-check-kvm':
+ mode => '0755',
+ source => 'puppet:///modules/debian_org/molly-guard/10-check-kvm',
+ require => Package['molly-guard'],
+ }
+ file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
+ mode => '0755',
+ source => 'puppet:///modules/debian_org/molly-guard/15-acquire-reboot-lock',
+ require => Package['molly-guard'],
+ }
+
+ augeas { 'inittab_replicate':
+ context => '/files/etc/inittab',
+ changes => [
+ 'set ud/runlevels 2345',
+ 'set ud/action respawn',
+ 'set ud/process "/usr/bin/ud-replicated -d"',
+ ],
+ notify => Exec['init q'],
+ }
+
+
+ file { '/etc/facter':
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
+ }
+ file { '/etc/facter/facts.d':
+ ensure => directory,
+ }
+ file { '/etc/facter/facts.d/debian_facts.yaml':
+ content => template('debian_org/debian_facts.yaml.erb')
+ }
+ file { '/etc/timezone':
+ source => 'puppet:///modules/debian_org/timezone',
+ notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
+ }
+ if $::hostname == handel {
+ include puppetmaster::db
+ $dbpassword = $puppetmaster::db::password
+ }
+ file { '/etc/puppet/puppet.conf':
+ content => template('debian_org/puppet.conf.erb'),
+ mode => 0440,
+ group => 'puppet',
+ }
+ file { '/etc/default/puppet':
+ source => 'puppet:///modules/debian_org/puppet.default',
+ }
+ file { '/etc/systemd':
+ ensure => directory,
+ mode => 0755,
+ }
+ file { '/etc/systemd/system':
+ ensure => directory,
+ mode => 0755,
+ }
+ file { '/etc/systemd/system/ud-replicated.service':
+ ensure => $servicefiles,
+ source => 'puppet:///modules/debian_org/ud-replicated.service',
+ notify => Exec['systemctl daemon-reload'],
+ }
+ if $systemd {
+ file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service':
+ ensure => 'link',
+ target => '../ud-replicated.service',
+ notify => Exec['systemctl daemon-reload'],
+ }
+ }
+ file { '/etc/systemd/system/puppet.service':
+ ensure => 'link',
+ target => '/dev/null',
+ notify => Exec['systemctl daemon-reload'],
+ }
+ file { '/etc/systemd/system/proc-sys-fs-binfmt_misc.automount':
+ ensure => 'link',
+ target => '/dev/null',
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { '/etc/cron.d/dsa-puppet-stuff':
+ content => template('debian_org/dsa-puppet-stuff.cron.erb'),
+ require => Package['debian.org'],
+ }
+ file { '/etc/ldap/ldap.conf':
+ require => Package['debian.org'],
+ content => template('debian_org/ldap.conf.erb'),
+ }
+ file { '/etc/pam.d/common-session':
+ require => Package['debian.org'],
+ content => template('debian_org/pam.common-session.erb'),
+ }
+ file { '/etc/pam.d/common-session-noninteractive':
+ require => Package['debian.org'],
+ content => template('debian_org/pam.common-session-noninteractive.erb'),
+ }
+ file { '/etc/rc.local':
+ mode => '0755',
+ content => template('debian_org/rc.local.erb'),
+ notify => Exec['service rc.local restart'],
+ }
+ file { '/etc/dsa':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
+ source => 'puppet:///modules/debian_org/dsa-puppet-stuff.cron.ignore',
+ require => Package['debian.org']
+ }
+ file { '/etc/nsswitch.conf':
+ mode => '0755',
+ source => 'puppet:///modules/debian_org/nsswitch.conf',
+ }
+
+ file { '/etc/profile.d/timeout.sh':
+ mode => '0555',
+ source => 'puppet:///modules/debian_org/etc.profile.d/timeout.sh',
+ }
+ file { '/etc/zsh':
+ ensure => directory,
+ }
+ file { '/etc/zsh/zprofile':
+ mode => '0444',
+ source => 'puppet:///modules/debian_org/etc.zsh/zprofile',
+ }
+
+ # set mmap_min_addr to 4096 to mitigate
+ # Linux NULL-pointer dereference exploits
+ site::sysctl { 'mmap_min_addr':
+ ensure => absent
+ }
+ site::sysctl { 'perf_event_paranoid':
+ key => 'kernel.perf_event_paranoid',
+ value => '2',
+ }
+ site::sysctl { 'puppet-vfs_cache_pressure':
+ key => 'vm.vfs_cache_pressure',
+ value => '10',
+ }
+ site::alternative { 'editor':
+ linkto => '/usr/bin/vim.basic',
+ }
+ site::alternative { 'view':
+ linkto => '/usr/bin/vim.basic',
+ }
+ mailalias { 'samhain-reports':
+ ensure => present,
+ recipient => $debianadmin,
+ require => Package['debian.org']
+ }
+
+ file { '/usr/local/bin/check_for_updates':
+ source => 'puppet:///modules/debian_org/check_for_updates',
+ mode => '0755',
+ owner => root,
+ group => root,
+ }
+
+ exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
+ path => '/usr/bin:/usr/sbin:/bin:/sbin',
+ refreshonly => true
+ }
+ exec { 'service puppetmaster restart':
+ refreshonly => true
+ }
+ exec { 'service rc.local restart':
+ refreshonly => true
+ }
+ exec { 'init q':
+ refreshonly => true
+ }
+
+ exec { 'systemctl daemon-reload':
+ refreshonly => true,
+ onlyif => "test -x /bin/systemctl"
+ }
+
+ exec { 'systemd-tmpfiles --create --exclude-prefix=/dev':
+ refreshonly => true,
+ onlyif => "test -x /bin/systemd-tmpfiles"
+ }
+
+ tidy { '/var/lib/puppet/clientbucket/':
+ age => '2w',
+ recurse => 9,
+ type => ctime,
+ matches => [ 'paths', 'contents' ],
+ schedule => weekly
+ }
+
+ file { '/root/.bashrc':
+ source => 'puppet:///modules/debian_org/root-dotfiles/bashrc',
+ }
+ file { '/root/.profile':
+ source => 'puppet:///modules/debian_org/root-dotfiles/profile',
+ }
+ file { '/root/.selected_editor':
+ source => 'puppet:///modules/debian_org/root-dotfiles/selected_editor',
+ }
+ file { '/root/.screenrc':
+ source => 'puppet:///modules/debian_org/root-dotfiles/screenrc',
+ }
+ file { '/root/.tmux.conf':
+ source => 'puppet:///modules/debian_org/root-dotfiles/tmux.conf',
+ }
+ file { '/root/.vimrc':
+ source => 'puppet:///modules/debian_org/root-dotfiles/vimrc',
+ }
+}
--- /dev/null
+class debian-org::radvd {
+ site::sysctl { 'dsa-accept-ra-default':
+ key => 'net.ipv6.conf.default.accept_ra',
+ value => 0,
+ }
+ site::sysctl { 'dsa-accept-ra-all':
+ key => 'net.ipv6.conf.all.accept_ra',
+ value => 0,
+ }
+}
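Review bot: The class declared on the first line of this new file is still named `debian-org::radvd`, while the rest of the commit uses the module name `debian_org` (for example the `puppet:///modules/debian_org/...` file sources in the class above). The file's path is not shown here, but if it lives in the renamed module, the autoloader will not find a class matching `debian_org::radvd`. Catalog compilation would then fail on the hosts that include it, leaving the two `accept_ra` sysctls unmanaged there. The declaration should read `class debian_org::radvd {`.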
--- /dev/null
+---
+1und1-sec:
+ netrange:
+ - 195.20.242.64/26
+ - 212.227.126.32/27
+ - 2001:8d8:2:1::/64
+accumu:
+ netrange:
+ - 130.236.0.0/14
+ - 2001:06B0:000E::/48
+aql:
+ netrange:
+ - 141.170.6.144/28
+ mirror-debian: http://ftp.uk.debian.org/debian/
+arm:
+ netrange:
+ - 217.140.96.0/22
+ entropy_provider_hoster: sil
+ mirror-debian: http://mirror.bytemark.co.uk/debian/
+brown:
+ netrange:
+ - 138.16.160.0/24
+ # all hosts have their own recursor
+ #mirror-debian: file:///srv/ftp-master.debian.org/mirror/ftp-master/
+ mirror-debian: http://ftp.us.debian.org/debian
+br:
+ # rename to c3sl
+ # University Federal do Parana (.br)
+ netrange:
+ - 200.17.192.0/19
+bytemark:
+ netrange:
+ - 5.153.231.0/24
+ - 89.16.160.112/29
+ - 2001:41c8:1000::/48
+ - 2001:41c8:61::/125
+ mirror-debian: http://mirror.bm.debian.org/debian
+carnet:
+ netrange:
+ - 193.198.0.0/16
+anu:
+ netrange:
+ - 150.203.164.0/24
+ - 2001:388:1034:2900::/64
+ #mirror-debian: http://mirror.linux.org.au/debian
+ #mirror-debian: http://ftp.au.debian.org/debian
+conova:
+ netrange:
+ - 217.196.149.224/28
+ mirror-debian: http://mirror.netcologne.de/debian/
+csail:
+ netrange:
+ - 128.31.0.0/24
+ mirror-debian: http://debian.csail.mit.edu/debian/
+dgi:
+ netrange:
+ - 93.94.130.128/26
+freenet:
+ netrange:
+ - 62.104.0.0/16
+gatech:
+ netrange:
+ - 128.61.240.0/23
+ mirror-debian: http://debian.gtisc.gatech.edu/debian/
+grnet:
+ netrange:
+ - 194.177.211.192/27
+ - 2001:648:2ffc:deb::/64
+ mirror-debian: http://ftp.gr.debian.org/debian/
+helsinki:
+ netrange:
+ - 193.167.160.0/23
+ # all hosts have their own recursor
+isc:
+ netrange:
+ - 149.20.0.0/16
+ - 2001:4F8::/32
+uni-karlsruhe:
+ # rename to karlsruhe
+ netrange:
+ - 129.143.160.0/29
+ - 2001:7c0:400:1337::/64
+ mirror-debian: http://ftp-stud.hs-esslingen.de/debian/
+linaro:
+ netrange:
+ - 64.28.108.83/32
+ - 64.28.108.84/32
+ - 64.28.108.85/32
+ mirror-debian: http://ftp.us.debian.org/debian/
+'man-da':
+ netrange:
+ - 82.195.75.64/26
+ - 2001:41b8:202:deb::/64
+ #mirror-debian: http://debian.netcologne.de/debian/ [currently unstable]
+ mirror-debian: http://ftp.de.debian.org/debian/
+leaseweb:
+ netrange:
+ - 185.17.185.176/28
+ #mirror-debian: http://mirror.nl.leaseweb.net/debian/
+marist:
+ netrange:
+ - 148.100.0.0/16
+ mirror-debian: http://ftp.us.debian.org/debian/
+osuosl:
+ netrange:
+ - 140.211.0.0/16
+ mirror-debian: http://debian.osuosl.org/debian
+sakura:
+ netrange:
+ - 133.242.99.74/32
+sanger:
+ netrange:
+ - 193.62.202.24/29
+ #resolvoptions: [single-request]
+ mirror-debian: http://mirror.bytemark.co.uk/debian/
+scanplus:
+ netrange:
+ - 212.211.132.0/26
+ - 212.211.132.248/29
+ - 2001:a78::/64
+sil:
+ netrange:
+ - 86.59.118.144/28
+ - 2001:858:2:2::/64
+ mirror-debian: http://ftp.at.debian.org/debian/
+ubc:
+ netrange:
+ - 209.87.16.0/24
+ - 2607:F8F0:614:1::/64
+ # old range:
+ - 206.12.19.0/24
+ - 2607:f8f0:610:4000::/64
+ mirror-debian: http://mirror-ubc.debian.org/debian/
+ugent:
+ netrange:
+ - 157.193.0.0/16
+umn:
+ netrange:
+ - 128.101.240.212
+unicamp:
+ netrange:
+ - 177.220.0.0/17
+ mirror-debian: http://ftp.br.debian.org/debian/
+utwente:
+ netrange:
+ - 130.89.0.0/16
+ - 2001:0610:1908::/48
+ # broken with dnssec
+xs4all:
+ # should be deleted
+ netrange:
+ - 194.109.137.216/29
+ - 2001:888:2000:12::/64
+ynic:
+ netrange:
+ - 144.32.168.64/28
+ mirror-debian: http://ftp.uk.debian.org/debian
+zivit:
+ netrange:
+ - 80.245.144.0/22
+ mirror-debian: http://debian.netcologne.de/debian/
+
+# vim:set et sts=2 ts=2 sw=2:
--- /dev/null
+---
+nameinfo:
+ aagaard.debian.org: Thorvald Aagaard (June 8th, 1877 - March 22nd, 1937)
+ abel.debian.org: Carl Friedrich Abel (1723 - 1787)
+ acker.debian.org: Dieter Acker (November 3rd, 1940 - May 27th, 2006)
+ adayevskaya.debian.org: Ella Georgiyevna Adayevskaya (February, 22nd 1846 [O.S. February 10th] - July 26th, 1926)
+ antheil.debian.org: George Antheil (1900 - 1959)
+ arnold.debian.org: Malcolm Henry Arnold (1921 - 2006)
+ asachi.debian.org: Elena Asachi (1789 - 1877)
+ barriere.debian.org: Jean-Baptiste Barrière (May 2nd, 1707 - June 6th, 1747)
+ beach.debian.org: Amy Marcy Cheney Beach (September 5th, 1867 - December 27th, 1944)
+ beethoven.debian.org: Ludwig van Beethoven (December 16th, 1770 - March 26th, 1827)
+ bendel.debian.org: Franz Bendel (March 23rd, 1833 - July 3rd, 1874)
+ binet.debian.org: Jocelyne Binet (September 27th, 1923 - January 13th, 1968)
+ boott.debian.org: Francis Boott (June 24th, 1813 - March 1st, 1904)
+ busoni.debian.org: Ferruccio Dante Michelangiolo Benvenuto Busoni (April 1st, 1866 - July 27th, 1924)
+ buxtehude.debian.org: Dieterich Buxtehude (c. 1637 to 1639 - May 9th, 1707)
+ byrd.debian.org: William Byrd (1543 - July 4th, 1623)
+ casulana.debian.org: Maddalena Casulana (c. 1544 - c. 1590)
+ clementi.debian.org: Muzio Clementi (January 23rd, 1752 - March 10th, 1832)
+ coccia.debian.org: Maria Rosa Coccia (January 4th, 1759 - November 1833)
+ czerny.debian.org: Carl Czerny (February 21st, 1791 - July 15th, 1857)
+ danzi.debian.org: Franz Ignaz Danzi (June 15th, 1763 - April 13th, 1826)
+ delfin.debian.org: Carmelina Delfin (c. 1900 - after 1948)
+ diabelli.debian.org: Anton Diabelli (September 5th, 1781 - April 7th, 1858)
+ dinis.debian.org: Dinis of Portugal (October 9th, 1261 - January 7th, 1325)
+ dillon.debian.org: Fannie Charles Dillon (March 16th, 1881 - February 21st, 1947)
+ donizetti.debian.org: Gaetano Donizetti (November 29th, 1797 - April 8th, 1848)
+ draghi.debian.org: Antonio Draghi (1635 - January 16th, 1700)
+ eberlin.debian.org: Johann Ernst Eberlin (March 1702 27th - June 19th, 1762)
+ eller.debian.org: Heino Eller (March 7th, 1887 - June 16th, 1970)
+ elgar.debian.org: Edward Elgar (1857 - 1934)
+ falla.debian.org: Manuel de Falla y Matheu (November 23rd, 1876 - November 14th, 1946)
+ fano.debian.org: Guido Alberto Fano (March 18th, 1875 - August 14th, 1961)
+ fasolo.debian.org: Giovanni Battista Fasolo, O.F.M. (ca. 1598 - after 1664)
+ fayrfax.debian.org: Robert Fayrfax (April 23rd, 1464 - October 24th, 1521)
+ fils.debian.org: Anton Fils (September 22nd, 1733 (baptized) - March 14th, 1760 (buried))
+ finzi.debian.org: Gerald Raphael Finzi (July 14th, 1901 - September 27th, 1956)
+ fischer.debian.org: Johann Caspar Ferdinand Fischer (September 9th, 1656 - August 27th, 1746)
+ gideon.debian.org: Miriam Gideon (October 23rd, 1906 - June 18th, 1996)
+ gigault.debian.org: Nicolas Gigault (ca. 1627 - August 20th, 1707)
+ gombert.debian.org: Nicolas Gombert (c. 1495 - c. 1560)
+ gretchaninov: Alexander Tikhonovich Gretchaninov (October 25th, 1864 - January 3rd, 1956)
+ handel.debian.org: Georg Friedrich Händel (February 23rd, 1685 - April 14th, 1759)
+ harris.debian.org: Sir William Henry Harris (March 28th, 1883 - September 6th, 1973)
+ hartmann.debian.org: Karl Amadeus Hartmann (August 2nd, 1905 - December 5th, 1963)
+ hasse.debian.org: Johann Adolph Hasse (March 25th, 1699 - December 16th, 1783)
+ henze.debian.org: Hans Werner Henze (July 1st, 1926 - October 27th, 2012)
+ hoiby.debian.org: Lee Henry Hoiby (February 17th, 1926 - March 28th, 2011)
+ jerea.debian.org: Hilda Jerea (March 17th, 1916 - May 14th, 1980)
+ kaufmann.debian.org: Georg Friedrich Kauffmann (February 14th, 1679 - February 27th, 1735)
+ klecker.debian.org: Dedicated to Joel 'Espy' Klecker (1979 - July 11th, 2000)
+ lindsay.debian.org: Maria Lindsay Bliss (May 15th, 1827 - April 3rd, 1898)
+ lotti.debian.org: Antonio Lotti (ca. 1667 - January 5th, 1740)
+ lully.debian.org: Jean-Baptiste de Lully (November 28th, 1632 - March 22nd, 1687)
+ mailly.debian.org: Alphonse Jean Ernest Mailly (November 27th, 1833 - January 10th, 1918)
+ melartin.debian.org: Erkki Melartin (February 7th, 1875 - February 14th, 1937)
+ menotti.debian.org: Gian Carlo Menotti (July 7th, 1911 - February 1st, 2007)
+ manziarly.debian.org: Marcelle de Manziarly (October 1st/13th, 1899 - May 12th, 1989)
+ mekeel.debian.org: Joyce Mekeel (July 6th, 1931 - Dec 29th, 1997)
+ milanollo.debian.org: Teresa Milanollo (August 28th, 1827 - October 25th, 1904)
+ minkus.debian.org: Ludwig Minkus (March 23rd 1826 - December 7th, 1917)
+ muffat.debian.org: George Muffat (June 1st, 1653 - February 23rd, 1704)
+ nono.debian.org: Luigi Nono (January 29th, 1924 - May 8th, 1990)
+ olin.debian.org: Elisabeth Olin (December 1740 - March 26th, 1828)
+ paradis.debian.org: Maria Theresia Paradis (May 15th, 1759 - February 1st, 1824)
+ partch.debian.org: Harry Partch (June 24th, 1901 - September 3rd, 1974)
+ pejacevic: Dora Pejačević (September 10th, 1885 - March 5th, 1923)
+ petrova.debian.org: Mara Petrova (May 15th, 1921 - June 7th. 1997)
+ pettersson.debian.org: Gustav Allan Pettersson (September 19th, 1911 - June 20th, 1980)
+ philp.debian.org: Elizabeth Philp (1827 - November 26th, 1885)
+ picconi.debian.org: Maria Antonietta Picconi (September 23rd, 1869 - 1926)
+ pieta.debian.org: Michielina della Pietà (fl. ca. 1700 - 1744)
+ pinel.debian.org: Julie Pinel (fl. 1710 - 1737)
+ pizzetti.debian.org: Ildebrando Pizzetti (20 September 1880 - 13 February 1968)
+ plummer.debian.org: John Plummer (c. 1410 - c. 1483)
+ porpora.debian.org: Niccolò (Antonio) Porpora (17 August 1686 - 3 March 1768)
+ porta.debian.org: Giovanni Porta (c. 1675 - 21 June 1755)
+ praetorius.debian.org: Hieronymus Praetorius (August 10th, 1560 - January 27th, 1629)
+ prokofiev.debian.org: Sergei Sergeyevich Prokofiev (April 27th, 1891 - March 5th, 1953)
+ quantz.debian.org: Johann Joachim Quantz (January 30th, 1697 - July 12th, 1773)
+ rachmaninoff: Sergei Vasilievich Rachmaninoff (1 April 1873 - 28 March 1943)
+ rainier.debian.org: Ivy Priaulx Rainier (February 3rd, 1903 - October 10th, 1986)
+ rapoport.debian.org: Eda Rothstein Rapoport (December 25th, 1890 - May 9th, 1968)
+ reger.debian.org: Johann Baptist Joseph Maximilian Reger (March 19th, 1873 - May 11th, 1916)
+ respighi.debian.org: Elsa Respighi (née Olivieri-Sangiacomo) (March 24th, 1894 - March 17th, 1996)
+ sallinen.debian.org: Aulis Sallinen (born April 9, 1935)
+ santoro.debian.org: Cláudio Santoro (November 23rd, 1919 - March 27th, 1989)
+ schumann.debian.org: Robert Alexander Schumann (June 8th, 1810 - July 29th, 1856)
+ sechter.debian.org: Simon Sechter (October 11th, 1788 - September 10th, 1867)
+ seger.debian.org: Josef Seger (March 21st, 1716 - April 22nd, 1782)
+ senfter.debian.org: Johanna Senfter (November, 27th, 1879 - August 11th, 1961)
+ setoguchi.debian.org: 瀬戸口藤吉, Tokichi Setoguchi (June 28th, 1868 - November 8th, 1941)
+ sibelius.debian.org: Jean Sibelius (December 8th, 1865 - September 20th, 1957)
+ smetana.debian.org: Bedřich Smetana (March 2nd, 1824 - May 12th, 1884)
+ sonntag.debian.org: Brunhilde Sonntag (September 27th, 1936 - December 18th, 2002)
+ sor.debian.org: Fernando Sor (February 14th, 1778 - July 10th, 1839)
+ soriano.debian.org: Francesco Soriano (1548 or 1549 - July 19th, 1621)
+ stockhausen.debian.org: Karlheinz Stockhausen (August 22nd, 1928 - December 5th, 2007)
+ storace.debian.org: Stephen Storace (April 4th, 1762 - March 19th, 1796)
+ spontini.debian.org: Gaspare Luigi Pacifico Spontini (November 14th, 1774 - January 24th, 1851)
+ tate.debian.org: Phyllis Tate (April 6th, 1911 - May 29th, 1987)
+ tchaikovsky.debian.org: Pyotr Ilyich Tchaikovsky (Пётр Ильич Чайковский) (May 7th, 1840 - November 6th, 1893)
+ ticharich.debian.org: Zdenka Ticharich (September 26th, 1900 - February 15th, 1979)
+ tye.debian.org: Christopher Tye (c.1505 - 1573)
+ ullmann.debian.org: Viktor Ullmann (January 1st, 1898 - October 17th, 1944)
+ usper.debian.org: Francesco Usper (November 1st, 1561 - February 24th, 1641)
+ vento.debian.org: Ivo de Vento (1543/1545 - 1575)
+ vittoria.debian.org: Tomás Luis da Vittoria (ca. 1548 - August 27th, 1611)
+ vogler.debian.org: Georg Joseph Vogler (June 15th, 1749 - May 6th, 1814)
+ wieck.debian.org: Clara Josephine Wieck (September 13th, 1819 - May 20th, 1896)
+ wilder.debian.org: Alec Wilder (February 16th, 1907 - December 24th, 1980)
+ wolkenstein.debian.org: Oswald von Wolkenstein (1377 - August 2nd, 1445)
+ wuiet.debian.org: Caroline Wuiet (1766 - 1835)
+ zandonai.debian.org: Riccardo Zandonai (May 30th, 1883 - June 5th, 1944)
+ zani.debian.org: Andrea Teodoro Zani (November 11th, 1696 - September 28th, 1757)
+ zelenka.debian.org: Jan Dismas Zelenka (October 16th, 1679 - December 23rd, 1745)
+ zemlinsky.debian.org: Alexander von Zemlinsky (October 14th, 1871 - March 15th 1942)
+footer:
+ dummy: foo
+ #zandonai.debian.org: "Debian s390 buildd system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]"
+ #zelenka.debian.org: "Debian s390 porter system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]"
+host_settings:
+ heavy_exim:
+ # mail front-ends
+ - mailly.debian.org
+ - muffat.debian.org
+ # other mail receivers
+ - buxtehude.debian.org
+ - draghi.debian.org
+ - master.debian.org
+ - nono.debian.org
+ - picconi.debian.org
+ - pinel.debian.org
+ - quantz.debian.org
+ - reger.debian.org
+ - tye.debian.org
+ - vento.debian.org
+ - wuiet.debian.org
+ not-bacula-client:
+ # porterbox
+ - abel.debian.org
+ - asachi.debian.org
+ - barriere.debian.org
+ - binet.debian.org
+ - eller.debian.org
+ - falla.debian.org
+ - fischer.debian.org
+ - harris.debian.org
+ - minkus.debian.org
+ - partch.debian.org
+ - pizzetti.debian.org
+ - plummer.debian.org
+ - smetana.debian.org
+ - zelenka.debian.org
+ # buildd
+ - antheil.debian.org
+ - arm-arm-01.debian.org
+ - arm-arm-02.debian.org
+ - arm-arm-03.debian.org
+ - arm-arm-04.debian.org
+ - arm-conova-01.debian.org
+ - arm-conova-02.debian.org
+ - arm-conova-03.debian.org
+ - arm-conova-04.debian.org
+ - arm-linaro-01.debian.org
+ - arm-linaro-03.debian.org
+ - arnold.debian.org
+ - eberlin.debian.org
+ - fano.debian.org
+ - fayrfax.debian.org
+ - fils.debian.org
+ - finzi.debian.org
+ - hartmann.debian.org
+ - hasse.debian.org
+ - henze.debian.org
+ - hoiby.debian.org
+ - mips-aql-01.debian.org
+ - mips-aql-02.debian.org
+ - mips-aql-04.debian.org
+ - mips-aql-05.debian.org
+ - mips-aql-06.debian.org
+ - mips-sil-01.debian.org
+ - mips-manda-01.debian.org
+ - mipsel-aql-01.debian.org
+ - mipsel-aql-02.debian.org
+ - mipsel-aql-03.debian.org
+ - mipsel-manda-01.debian.org
+ - mipsel-manda-02.debian.org
+ - mipsel-manda-03.debian.org
+ - mipsel-sil-01.debian.org
+ - porpora.debian.org
+ - powerpc-osuosl-01.debian.org
+ - powerpc-unicamp-01.debian.org
+ - ppc64el-osuosl-01.debian.org
+ - ppc64el-unicamp-01.debian.org
+ - praetorius.debian.org
+ - spontini.debian.org
+ - x86-grnet-01.debian.org
+ - zandonai.debian.org
+ - zani.debian.org
+ - zemlinsky.debian.org
+ - x86-bm-01.debian.org
+ - x86-csail-01.debian.org
+ - x86-csail-02.debian.org
+ - x86-ubc-01.debian.org
+ broken-rtc:
+ - abel.debian.org
+ - antheil.debian.org
+ - arm-arm-01.debian.org
+ - arm-arm-02.debian.org
+ - arm-arm-03.debian.org
+ - arnold.debian.org
+ - eller.debian.org
+ - harris.debian.org
+ - hasse.debian.org
+ - henze.debian.org
+ - hoiby.debian.org
+ - mips-aql-01.debian.org
+ - mips-aql-02.debian.org
+ - mips-aql-04.debian.org
+ - mips-aql-05.debian.org
+ - mips-aql-06.debian.org
+ - mips-manda-01.debian.org
+ - mips-sil-01.debian.org
+ - mipsel-aql-03.debian.org
+ - mipsel-manda-03.debian.org
+ - mipsel-sil-01.debian.org
+ mail_port:
+ klecker.debian.org: 2025
+ zani.debian.org: 587
+ no_munin:
+ - fano.debian.org
+ entropy_key:
+ - czerny.debian.org
+ - grnet-node01.debian.org
+ # - ubc-bl2.debian.org
+ - storace.debian.org
+ buildd_master:
+ - wuiet.debian.org
--- /dev/null
+---
+hoster: <%= scope.lookupvar('site::nodeinfo')['hoster']['name'] %>
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+SHELL=/bin/bash
+@hourly root [ ! -d /var/cache/dsa ] || touch /var/cache/dsa/cron.alive
+<% if @lsbmajdistrelease <= '7' -%>
+34 */4 * * * root if [ -x /usr/sbin/puppetd ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/sbin/puppetd -o --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
+<% else -%>
+34 */4 * * * root if [ -x /usr/bin/puppet ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/bin/puppet agent --onetime --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
+<% end -%>
+
+@hourly root sleep $(( $RANDOM \% 300 )); if [ -x /usr/lib/nagios/plugins/dsa-check-stunnel-sanity ] && [ -e /etc/stunnel/puppet-ekeyd.conf ] && ! /usr/lib/nagios/plugins/dsa-check-stunnel-sanity > /dev/null && grep -q '^client = yes' /etc/stunnel/puppet-ekeyd.conf; then /usr/sbin/service stunnel4 restart > /dev/null; fi
+
+@daily munin-async [ -d /var/lib/munin-async ] && find /var/lib/munin-async -maxdepth 1 -type f -mtime +30 -delete
+
+@daily root [ -d /var/lib/puppet/clientbucket ] && find /var/lib/puppet/clientbucket -type f -mtime +60 -delete && find /var/lib/puppet/clientbucket -type d -empty -delete
+
+@hourly root ! [ -x /usr/local/sbin/ntp-restart-if-required ] || /usr/local/sbin/ntp-restart-if-required
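Review bot: The ERB condition `@lsbmajdistrelease <= '7'` compares strings, and in Ruby `'10' <= '7'` is true, so a host reporting release 10 or later would get the `/usr/sbin/puppetd` line. Because that line first tests the binary with `-x`, the likely outcome is that the cron-driven agent run quietly stops on such hosts and configuration drifts unnoticed. A numeric comparison avoids this: `<% if @lsbmajdistrelease.to_i <= 7 -%>`. The manifest comparisons against `'8'` in the ferm hunks further down may need the same check, depending on how the Puppet parser in use compares numeric strings. Separately, `tempfile` is deprecated in debianutils in favour of `mktemp`.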
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+URI ldap://db.debian.org
+BASE dc=debian,dc=org
+
+TLS_CACERT /etc/ssl/ca-debian/ca-certificates.crt
+TLS_REQCERT hard
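Review bot: `TLS_CACERT` and `TLS_REQCERT hard` only take effect once a TLS session is negotiated, and with `URI ldap://db.debian.org` that depends on each client requesting StartTLS. A client that relies on these defaults and does not ask for StartTLS would talk to the directory in clear text. If the server offers LDAPS, `URI ldaps://db.debian.org` would make the default transport encrypted. Otherwise, a comment above the `URI` line stating that clients must use StartTLS would make the expectation explicit.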
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+# end of pam-auth-update config
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+# end of pam-auth-update config
+session [success=1 default=ignore] pam_succeed_if.so quiet_fail quiet_success home = /nonexistent
+session optional pam_mkhomedir.so skel=/etc/skel umask=0022
+session optional pam_systemd.so
+session optional pam_permit.so
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+[main]
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+pluginsync=true
+# This is the default environment for all clients
+environment=production
+
+<%- if scope.lookupvar('::hostname') == 'handel' -%>
+modulepath=/etc/puppet/modules:/etc/puppet/3rdparty/modules:/usr/share/puppet/modules
+
+[master]
+environments = production,staging
+reports = store
+config_version = cat /etc/puppet/.config-version
+storeconfigs = true
+thin_storeconfigs = true
+dbadapter=mysql
+dbuser=puppet
+dbpassword=<%= scope.lookupvar('dbpassword') %>
+dbserver=localhost
+
+[production]
+manifestdir=/srv/puppet.debian.org/stages/production/manifests
+fileserverconfig=/srv/puppet.debian.org/stages/production/fileserver.conf
+modulepath=/srv/puppet.debian.org/stages/production/modules:/srv/puppet.debian.org/stages/production/3rdparty/modules
+
+[staging]
+manifestdir=/srv/puppet.debian.org/stages/staging/manifests
+fileserverconfig=/srv/puppet.debian.org/stages/staging/fileserver.conf
+modulepath=/srv/puppet.debian.org/stages/staging/modules:/srv/puppet.debian.org/stages/staging/3rdparty/modules
+<%- end -%>
+
+[agent]
+environments = development,testing,production,staging
+report = true
+configtimeout = 240
+<%- if has_variable?("puppetversion") and @puppetversion.to_s == "3.7.2" -%>
+stringify_facts = false
+<%- end -%>
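Review bot: The line `dbpassword=<%= scope.lookupvar('dbpassword') %>` writes the storeconfigs database password into the rendered puppet.conf on the host matched by the `handel` branch. The `file` resource that installs this template is not visible in this part of the page. It is worth confirming that it sets an owner, group and mode that keep the file from being world-readable, for example `mode => '0640'` with a group the master process runs as. An ERB comment above the `[master]` block noting that the rendered file contains a secret would also help the next editor.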
--- /dev/null
+#!/bin/bash
+
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+<%- if @hostname == "zani" then -%>
+ if [ -n "$(awk '$4 == "dasdb1" && $3 == "249999" {print}' /proc/partitions)" ]; then
+ mkswap /dev/dasdb1 && swapon -p 30 /dev/dasdb1
+ fi
+ if [ -n "$(awk '$4 == "dasdc1" && $3 == "249999" {print}' /proc/partitions)" ]; then
+ mkswap /dev/dasdc1 && swapon -p 30 /dev/dasdc1
+ fi
+<%- end -%>
+<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
+ ( sleep 120;
+ service syslog-ng restart;
+ sleep 5;
+ init q
+ ) & disown
+<%- end -%>
+
+if [ -e /proc/sys/kernel/modules_disabled ]; then
+ ( sleep 60;
+ echo 1 > /proc/sys/kernel/modules_disabled || true
+ ) & disown
+fi
+
+touch /var/run/reboot-lock
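Review bot: The write `echo 1 > /proc/sys/kernel/modules_disabled || true` discards a failure, so a host where module loading stays enabled after boot leaves no trace. Logging the failure keeps the best-effort behaviour while making it visible to monitoring: `echo 1 > /proc/sys/kernel/modules_disabled || logger -t rc.local 'could not set modules_disabled'`. A short comment explaining the 60-second delay (presumably to let boot-time module loads finish before the lock) would also help.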
}
file { '/etc/exim4/ssl':
ensure => directory,
- group => Debian-exim,
+ group => 'Debian-exim',
mode => '0750',
purge => true,
}
}
file { '/etc/exim4/ssl/thishost.crt':
source => "puppet:///modules/exim/certs/${::fqdn}.crt",
- group => Debian-exim,
+ group => 'Debian-exim',
mode => '0640',
}
file { '/etc/exim4/ssl/thishost.key':
source => "puppet:///modules/exim/certs/${::fqdn}.key",
- group => Debian-exim,
+ group => 'Debian-exim',
mode => '0640',
}
file { '/etc/exim4/ssl/ca.crt':
source => 'puppet:///modules/exim/certs/ca.crt',
- group => Debian-exim,
+ group => 'Debian-exim',
mode => '0640',
}
file { '/etc/exim4/ssl/ca.crl':
source => 'puppet:///modules/exim/certs/ca.crl',
- group => Debian-exim,
+ group => 'Debian-exim',
mode => '0640',
}
file { '/var/log/exim4':
ensure => directory,
mode => '2750',
- owner => Debian-exim,
+ owner => 'Debian-exim',
group => maillog,
}
<%- end -%>
queue_list_requires_admin = false
-<%- if has_variable?("clamd") && clamd == "true" -%>
+<%- if has_variable?("clamd") && @clamd == "true" -%>
av_scanner = clamd:/var/run/clamav/clamd.ctl
<%- end -%>
ratelimit = 10 / 60m / per_rcpt / $sender_host_address
message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
-<%- if has_variable?("policydweight") && policydweight == "true" -%>
+<%- if has_variable?("policydweight") && @policydweight == "true" -%>
# Check with policyd-weight - this only works with a version after etch's,
# sadly. etch's version attempts to hold the socket open, since that's what
# postfix expects. Exim, on the other hand, expects the remote side to close
<%- end -%>
-<%- if has_variable?("greylistd") && greylistd == "true" -%>
+<%- if has_variable?("greylistd") && @greylistd == "true" -%>
defer
message = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>.
log_message = greylisted.
$local_part@$domain}\
{5s}{}{false}}
-<%- elsif has_variable?("postgrey") && postgrey == "true" -%>
+<%- elsif has_variable?("postgrey") && @postgrey == "true" -%>
# next three are greylisting, inspired by http://www.bebt.de/blog/debian/archives/2006/07/30/T06_12_27/index.html
# this adds acl_m_grey if there isn't one (so unique per message)
warn
condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
message = Your mailer is not RFC 2047 compliant: message rejected
-<%- if has_variable?("clamd") && clamd == "true" -%>
+<%- if has_variable?("clamd") && @clamd == "true" -%>
discard condition = ${if eq {$acl_m_prf}{blackhole}}
demime = *
malware = */defer_ok
-<%= fqdn %>
+<%= @fqdn %>
package { 'ferm':
ensure => installed
}
- if ($::lsbmajdistrelease >= 8) {
+ if ($::lsbmajdistrelease >= '8') {
package { 'ulogd2':
ensure => installed
}
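Review bot: Quoting the operand in `if ($::lsbmajdistrelease >= '8')` turns this into a string comparison whose result depends on the parser. Puppet 3 still coerces numeric-looking strings, but the Puppet 4 language compares strings lexically, so a two-digit release such as '10' would sort below '8' (worth confirming against the parser these manifests target). This branch decides whether `ulogd2` is installed, and the same pattern recurs in the logrotate hunk just below, in `class monit` (`<= '7'`) and in the ssh hunk that guards creation of the ed25519 host key, so a wrong answer silently skips a logging package or a host key type. An explicit version comparison avoids the ambiguity: `if versioncmp($::lsbmajdistrelease, '8') >= 0 {`. The enclosing class starts outside the hunk.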
content => template('ferm/interfaces.conf.erb'),
notify => Service['ferm'],
}
- if ($::lsbmajdistrelease >= 8) {
+ if ($::lsbmajdistrelease >= '8') {
augeas { 'logrotate_ulogd2':
context => '/files/etc/logrotate.d/ulogd2',
changes => [
+++ /dev/null
-class ferm::per-host {
- if $::hostname in [zandonai,zelenka] {
- include ferm::zivit
- }
-
- case $::hostname {
- czerny,clementi: {
- @ferm::rule { 'dsa-upsmon':
- description => 'Allow upsmon access',
- rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
- }
- }
- bendel: {
- @ferm::rule { 'listmaster-ontp-in':
- description => 'ONTP has a broken mail setup',
- table => 'filter',
- chain => 'INPUT',
- rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
- }
- @ferm::rule { 'listmaster-ontp-out':
- description => 'ONTP has a broken mail setup',
- table => 'filter',
- chain => 'OUTPUT',
- rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
- }
- }
- lotti,lully,loghost-grnet-01: {
- @ferm::rule { 'dsa-syslog':
- description => 'Allow syslog access',
- rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
- }
- @ferm::rule { 'dsa-syslog-v6':
- domain => 'ip6',
- description => 'Allow syslog access',
- rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
- }
- }
- kaufmann: {
- @ferm::rule { 'dsa-hkp':
- domain => '(ip ip6)',
- description => 'Allow hkp access',
- rule => '&SERVICE(tcp, 11371)'
- }
- }
- gombert: {
- @ferm::rule { 'dsa-infinoted':
- domain => '(ip ip6)',
- description => 'Allow infinoted access',
- rule => '&SERVICE(tcp, 6523)'
- }
- }
- draghi: {
- @ferm::rule { 'dsa-finger':
- domain => '(ip ip6)',
- description => 'Allow finger access',
- rule => '&SERVICE(tcp, 79)'
- }
- @ferm::rule { 'dsa-ldap':
- domain => '(ip ip6)',
- description => 'Allow ldap access',
- rule => '&SERVICE(tcp, 389)'
- }
- @ferm::rule { 'dsa-ldaps':
- domain => '(ip ip6)',
- description => 'Allow ldaps access',
- rule => '&SERVICE(tcp, 636)'
- }
- }
- sonntag: {
- @ferm::rule { 'dsa-bugs-search':
- description => 'port 1978 for bugs-search from bug web frontends',
- rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 209.87.16.39 ))'
- }
- }
- default: {}
- }
-
- # redirect snapshot into varnish
- case $::hostname {
- sibelius: {
- @ferm::rule { 'dsa-snapshot-varnish':
- rule => '&SERVICE(tcp, 6081)',
- }
- @ferm::rule { 'dsa-nat-snapshot-varnish':
- table => 'nat',
- chain => 'PREROUTING',
- rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
- }
- }
- lw07: {
- @ferm::rule { 'dsa-snapshot-varnish':
- rule => '&SERVICE(tcp, 6081)',
- }
- @ferm::rule { 'dsa-nat-snapshot-varnish':
- table => 'nat',
- chain => 'PREROUTING',
- rule => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081',
- }
- }
- default: {}
- }
- case $::hostname {
- bm-bl1,bm-bl2: {
- @ferm::rule { 'dsa-vrrp':
- rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
- }
- @ferm::rule { 'dsa-conntrackd':
- rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
- }
- @ferm::rule { 'dsa-bind-notrack-in':
- domain => 'ip',
- description => 'NOTRACK for nameserver traffic',
- table => 'raw',
- chain => 'PREROUTING',
- rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
- }
-
- @ferm::rule { 'dsa-bind-notrack-out':
- domain => 'ip',
- description => 'NOTRACK for nameserver traffic',
- table => 'raw',
- chain => 'OUTPUT',
- rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
- }
-
- @ferm::rule { 'dsa-bind-notrack-in6':
- domain => 'ip6',
- description => 'NOTRACK for nameserver traffic',
- table => 'raw',
- chain => 'PREROUTING',
- rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
- }
-
- @ferm::rule { 'dsa-bind-notrack-out6':
- domain => 'ip6',
- description => 'NOTRACK for nameserver traffic',
- table => 'raw',
- chain => 'OUTPUT',
- rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
- }
- }
- default: {}
- }
-
- # elasticsearch stuff
- case $::hostname {
- stockhausen: {
- @ferm::rule { 'dsa-elasticsearch-bendel':
- domain => '(ip)',
- description => 'Allow elasticsearch access from bendel',
- rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 82.195.75.100/32 ))'
- }
- @ferm::rule { 'dsa-elasticsearch-bendel6':
- domain => '(ip6)',
- description => 'Allow elasticsearch access from bendel',
- rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 2001:41b8:202:deb:216:36ff:fe40:4002/128 ))'
- }
- }
- }
-
- # postgres stuff
- case $::hostname {
- ullmann: {
- @ferm::rule { 'dsa-postgres-udd':
- description => 'Allow postgress access',
- # quantz, moszumanska, master, coccia
- rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))'
- }
- @ferm::rule { 'dsa-postgres-udd6':
- domain => '(ip6)',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
- }
- }
- fasolo: {
- @ferm::rule { 'dsa-postgres-fasolo':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
- }
- @ferm::rule { 'dsa-postgres-fasolo6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
- }
-
- @ferm::rule { 'dsa-postgres-backup':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
- }
- @ferm::rule { 'dsa-postgres-backup6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
- }
- }
- bmdb1: {
- @ferm::rule { 'dsa-postgres-main':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 209.87.16.38/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
- }
- @ferm::rule { 'dsa-postgres-main6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:614:1::1274:38/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
- }
- @ferm::rule { 'dsa-postgres-dak':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))'
- }
- @ferm::rule { 'dsa-postgres-dak6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))'
- }
- @ferm::rule { 'dsa-postgres-wannabuild':
- # wuiet, ullmann
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 209.87.16.38/32 ))'
- }
- @ferm::rule { 'dsa-postgres-wannabuild6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:614:1::1274:38/128 ))'
- }
- @ferm::rule { 'dsa-postgres-bacula':
- # dinis
- description => 'Allow postgress access1',
- rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
- }
- @ferm::rule { 'dsa-postgres-bacula6':
- domain => 'ip6',
- description => 'Allow postgress access1',
- rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
- }
-
- @ferm::rule { 'dsa-postgres-backup':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V4 ))'
- }
- @ferm::rule { 'dsa-postgres-backup6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V6 ))'
- }
-
- @ferm::rule { 'dsa-postgres-dedup':
- # ubc, wuit
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
- }
- @ferm::rule { 'dsa-postgres-dedup6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
- }
-
- @ferm::rule { 'dsa-postgres-debsources':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, (5440), ( 5.153.231.38/32 ))'
- }
- @ferm::rule { 'dsa-postgres-debsources6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, (5440), ( 2001:41c8:1000:21::21:38/128 ))'
- }
- }
- danzi: {
- @ferm::rule { 'dsa-postgres-danzi':
- # ubc, wuit
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
- }
- @ferm::rule { 'dsa-postgres-danzi6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
- }
-
- @ferm::rule { 'dsa-postgres2-danzi':
- description => 'Allow postgress access2',
- rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 209.87.16.0/24 ))'
- }
- @ferm::rule { 'dsa-postgres3-danzi':
- description => 'Allow postgress access3',
- rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 209.87.16.0/24 ))'
- }
- @ferm::rule { 'dsa-postgres4-danzi':
- description => 'Allow postgress access4',
- rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 209.87.16.0/24 ))'
- }
-
- @ferm::rule { 'dsa-postgres-backup':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
- }
- @ferm::rule { 'dsa-postgres-backup6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
- }
- }
- seger: {
- @ferm::rule { 'dsa-postgres-backup':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
- }
- @ferm::rule { 'dsa-postgres-backup6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
- }
- }
- sibelius: {
- @ferm::rule { 'dsa-postgres-backup':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
- }
- @ferm::rule { 'dsa-postgres-backup6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
- }
- @ferm::rule { 'dsa-postgres-replication':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 ))'
- }
- @ferm::rule { 'dsa-postgres-replication6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:1af8:4020:b030:deb::187/128 ))'
- }
- }
- lw07: {
- @ferm::rule { 'dsa-postgres-snapshot':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))'
- }
- @ferm::rule { 'dsa-postgres-snapshot6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
- }
- }
- melartin,vittoria: {
- @ferm::rule { 'dsa-postgres-backup':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
- }
- @ferm::rule { 'dsa-postgres-backup6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
- }
- }
- buxtehude: {
- @ferm::rule { 'dsa-postgres-backup':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V4 ))'
- }
- @ferm::rule { 'dsa-postgres-backup6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V6 ))'
- }
- }
- default: {}
- }
- # vpn fu
- case $::hostname {
- draghi: {
- @ferm::rule { 'dsa-vpn':
- description => 'Allow openvpn access',
- rule => '&SERVICE(udp, 17257)'
- }
- @ferm::rule { 'dsa-routing':
- description => 'forward chain',
- chain => 'FORWARD',
- rule => 'policy ACCEPT;
-mod state state (ESTABLISHED RELATED) ACCEPT;
-interface tun+ ACCEPT;
-REJECT reject-with icmp-admin-prohibited
-'
- }
- @ferm::rule { 'dsa-vpn-mark':
- table => 'mangle',
- chain => 'PREROUTING',
- rule => 'interface tun+ MARK set-mark 1',
- }
- @ferm::rule { 'dsa-vpn-nat':
- table => 'nat',
- chain => 'POSTROUTING',
- rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
- }
- }
- ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
- @ferm::rule { 'dsa-luca-fixme':
- description => 'Allow ssh access from mnt and vpn networks',
- rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
- }
- }
- default: {}
- }
- # tftp
- case $::hostname {
- abel: {
- @ferm::rule { 'dsa-tftp':
- description => 'Allow tftp access',
- rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
- }
- }
- master: {
- @ferm::rule { 'dsa-tftp':
- description => 'Allow tftp access',
- rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'
- }
- }
- }
-}
--- /dev/null
+class ferm::per_host {
+ if $::hostname in [zandonai,zelenka] {
+ include ferm::zivit
+ }
+
+ case $::hostname {
+ czerny,clementi: {
+ @ferm::rule { 'dsa-upsmon':
+ description => 'Allow upsmon access',
+ rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
+ }
+ }
+ bendel: {
+ @ferm::rule { 'listmaster-ontp-in':
+ description => 'ONTP has a broken mail setup',
+ table => 'filter',
+ chain => 'INPUT',
+ rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
+ }
+ @ferm::rule { 'listmaster-ontp-out':
+ description => 'ONTP has a broken mail setup',
+ table => 'filter',
+ chain => 'OUTPUT',
+ rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
+ }
+ }
+ lotti,lully,loghost-grnet-01: {
+ @ferm::rule { 'dsa-syslog':
+ description => 'Allow syslog access',
+ rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
+ }
+ @ferm::rule { 'dsa-syslog-v6':
+ domain => 'ip6',
+ description => 'Allow syslog access',
+ rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
+ }
+ }
+ kaufmann: {
+ @ferm::rule { 'dsa-hkp':
+ domain => '(ip ip6)',
+ description => 'Allow hkp access',
+ rule => '&SERVICE(tcp, 11371)'
+ }
+ }
+ gombert: {
+ @ferm::rule { 'dsa-infinoted':
+ domain => '(ip ip6)',
+ description => 'Allow infinoted access',
+ rule => '&SERVICE(tcp, 6523)'
+ }
+ }
+ draghi: {
+ @ferm::rule { 'dsa-finger':
+ domain => '(ip ip6)',
+ description => 'Allow finger access',
+ rule => '&SERVICE(tcp, 79)'
+ }
+ @ferm::rule { 'dsa-ldap':
+ domain => '(ip ip6)',
+ description => 'Allow ldap access',
+ rule => '&SERVICE(tcp, 389)'
+ }
+ @ferm::rule { 'dsa-ldaps':
+ domain => '(ip ip6)',
+ description => 'Allow ldaps access',
+ rule => '&SERVICE(tcp, 636)'
+ }
+ }
+ sonntag: {
+ @ferm::rule { 'dsa-bugs-search':
+ description => 'port 1978 for bugs-search from bug web frontends',
+ rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 209.87.16.39 ))'
+ }
+ }
+ default: {}
+ }
+
+ # redirect snapshot into varnish
+ case $::hostname {
+ sibelius: {
+ @ferm::rule { 'dsa-snapshot-varnish':
+ rule => '&SERVICE(tcp, 6081)',
+ }
+ @ferm::rule { 'dsa-nat-snapshot-varnish':
+ table => 'nat',
+ chain => 'PREROUTING',
+ rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
+ }
+ }
+ lw07: {
+ @ferm::rule { 'dsa-snapshot-varnish':
+ rule => '&SERVICE(tcp, 6081)',
+ }
+ @ferm::rule { 'dsa-nat-snapshot-varnish':
+ table => 'nat',
+ chain => 'PREROUTING',
+ rule => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081',
+ }
+ }
+ default: {}
+ }
+ case $::hostname {
+ bm-bl1,bm-bl2: {
+ @ferm::rule { 'dsa-vrrp':
+ rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
+ }
+ @ferm::rule { 'dsa-conntrackd':
+ rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
+ }
+ @ferm::rule { 'dsa-bind-notrack-in':
+ domain => 'ip',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
+ }
+
+ @ferm::rule { 'dsa-bind-notrack-out':
+ domain => 'ip',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
+ }
+
+ @ferm::rule { 'dsa-bind-notrack-in6':
+ domain => 'ip6',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
+ }
+
+ @ferm::rule { 'dsa-bind-notrack-out6':
+ domain => 'ip6',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
+ }
+ }
+ default: {}
+ }
+
+ # elasticsearch stuff
+ case $::hostname {
+ stockhausen: {
+ @ferm::rule { 'dsa-elasticsearch-bendel':
+ domain => '(ip)',
+ description => 'Allow elasticsearch access from bendel',
+ rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 82.195.75.100/32 ))'
+ }
+ @ferm::rule { 'dsa-elasticsearch-bendel6':
+ domain => '(ip6)',
+ description => 'Allow elasticsearch access from bendel',
+ rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 2001:41b8:202:deb:216:36ff:fe40:4002/128 ))'
+ }
+ }
+ }
+
+ # postgres stuff
+ case $::hostname {
+ ullmann: {
+ @ferm::rule { 'dsa-postgres-udd':
+ description => 'Allow postgress access',
+ # quantz, moszumanska, master, coccia
+ rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-udd6':
+ domain => '(ip6)',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
+ }
+ }
+ fasolo: {
+ @ferm::rule { 'dsa-postgres-fasolo':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-fasolo6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
+ }
+
+ @ferm::rule { 'dsa-postgres-backup':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
+ }
+ }
+ bmdb1: {
+ @ferm::rule { 'dsa-postgres-main':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 209.87.16.38/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-main6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:614:1::1274:38/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
+ }
+ @ferm::rule { 'dsa-postgres-dak':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-dak6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))'
+ }
+ @ferm::rule { 'dsa-postgres-wannabuild':
+ # wuiet, ullmann
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 209.87.16.38/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-wannabuild6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:614:1::1274:38/128 ))'
+ }
+ @ferm::rule { 'dsa-postgres-bacula':
+ # dinis
+ description => 'Allow postgress access1',
+ rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-bacula6':
+ domain => 'ip6',
+ description => 'Allow postgress access1',
+ rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
+ }
+
+ @ferm::rule { 'dsa-postgres-backup':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V4 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V6 ))'
+ }
+
+ @ferm::rule { 'dsa-postgres-dedup':
+ # ubc, wuit
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-dedup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
+ }
+
+ @ferm::rule { 'dsa-postgres-debsources':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5440), ( 5.153.231.38/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-debsources6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5440), ( 2001:41c8:1000:21::21:38/128 ))'
+ }
+ }
+ danzi: {
+ @ferm::rule { 'dsa-postgres-danzi':
+ # ubc, wuit
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-danzi6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
+ }
+
+ @ferm::rule { 'dsa-postgres2-danzi':
+ description => 'Allow postgress access2',
+ rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 209.87.16.0/24 ))'
+ }
+ @ferm::rule { 'dsa-postgres3-danzi':
+ description => 'Allow postgress access3',
+ rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 209.87.16.0/24 ))'
+ }
+ @ferm::rule { 'dsa-postgres4-danzi':
+ description => 'Allow postgress access4',
+ rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 209.87.16.0/24 ))'
+ }
+
+ @ferm::rule { 'dsa-postgres-backup':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
+ }
+ }
+ seger: {
+ @ferm::rule { 'dsa-postgres-backup':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
+ }
+ }
+ sibelius: {
+ @ferm::rule { 'dsa-postgres-backup':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
+ }
+ @ferm::rule { 'dsa-postgres-replication':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 ))'
+ }
+ @ferm::rule { 'dsa-postgres-replication6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:1af8:4020:b030:deb::187/128 ))'
+ }
+ }
+ lw07: {
+ @ferm::rule { 'dsa-postgres-snapshot':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))'
+ }
+ @ferm::rule { 'dsa-postgres-snapshot6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
+ }
+ }
+ melartin,vittoria: {
+ @ferm::rule { 'dsa-postgres-backup':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
+ }
+ }
+ buxtehude: {
+ @ferm::rule { 'dsa-postgres-backup':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V4 ))'
+ }
+ @ferm::rule { 'dsa-postgres-backup6':
+ domain => 'ip6',
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V6 ))'
+ }
+ }
+ default: {}
+ }
+ # vpn fu
+ case $::hostname {
+ draghi: {
+ @ferm::rule { 'dsa-vpn':
+ description => 'Allow openvpn access',
+ rule => '&SERVICE(udp, 17257)'
+ }
+ @ferm::rule { 'dsa-routing':
+ description => 'forward chain',
+ chain => 'FORWARD',
+ rule => 'policy ACCEPT;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+interface tun+ ACCEPT;
+REJECT reject-with icmp-admin-prohibited
+'
+ }
+ @ferm::rule { 'dsa-vpn-mark':
+ table => 'mangle',
+ chain => 'PREROUTING',
+ rule => 'interface tun+ MARK set-mark 1',
+ }
+ @ferm::rule { 'dsa-vpn-nat':
+ table => 'nat',
+ chain => 'POSTROUTING',
+ rule => 'outerface !tun+ mod mark mark 1 MASQUERADE',
+ }
+ }
+ ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
+ @ferm::rule { 'dsa-luca-fixme':
+ description => 'Allow ssh access from mnt and vpn networks',
+ rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
+ }
+ }
+ default: {}
+ }
+ # tftp
+ case $::hostname {
+ abel: {
+ @ferm::rule { 'dsa-tftp':
+ description => 'Allow tftp access',
+ rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
+ }
+ }
+ master: {
+ @ferm::rule { 'dsa-tftp':
+ description => 'Allow tftp access',
+ rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'
+ }
+ }
+ }
+}
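Review bot: In `dsa-postgres-udd6` one source is written `2001:41c8:1000:21::21:11/32`, while every other IPv6 entry in this class is a /128 host or a /64 network. A /32 on an IPv6 address matches the whole 2001:41c8::/32 allocation, so the rule presumably admits far more sources to port 5452 on ullmann than the matching IPv4 entry `5.153.231.11/32` does. It looks like the IPv4 mask was copied over, and the removed `per-host` file carried the same entry, so the rename brings it forward unchanged. I would write `2001:41c8:1000:21::21:11/128`. Separately, the elasticsearch and tftp `case` blocks have no `default: {}` branch although the other blocks do.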
"/etc/ferm/dsa.d/${prio}_${name}":
ensure => present,
mode => '0400',
- content => template('ferm/ferm-rule.erb'),
+ content => template('ferm/ferm_rule.erb'),
notify => Service['ferm'],
}
}
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-domain <%= domain %> {
- table <%= table %> {
- chain <%= chain %> {
- <%= rule %><% unless notarule -%>;<% end -%>
-
- }
- }
-}
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+domain <%= @domain %> {
+ table <%= @table %> {
+ chain <%= @chain %> {
+ <%= @rule %><% unless @notarule -%>;<% end -%>
+
+ }
+ }
+}
ssh4allowed = []
ssh6allowed = []
-should_restrict = restrict_ssh.include?(hostname)
+should_restrict = restrict_ssh.include?(@hostname)
%w{dns_primary dns_geo}.each do |role_restrict|
if scope.function_has_role([role_restrict]) then
should_restrict = true
end
-if restrict_ssh.include?(hostname) then
+if restrict_ssh.include?(@hostname) then
ssh4allowed << %w{$DSA_IPS $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4}
ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 $HOST_DB_V6}
- if %w{draghi}.include?(hostname) then
+ if %w{draghi}.include?(@hostname) then
ssh4allowed << '$HOST_DEBIAN_V4'
ssh6allowed << '$HOST_DEBIAN_V6'
end
- if %w{adayevskaya}.include?(hostname) then
+ if %w{adayevskaya}.include?(@hostname) then
out << '@def $MFL_LOCAL = ( 130.83.226.60 );' # Michael Fladerer
ssh4allowed << '$MFL_LOCAL'
ssh4allowed << %w{$HOST_DEBIAN_V4}
##
127.0.0.1 localhost
-<%= ipaddress %> <%= fqdn %> <%= hostname %>
+<%= @ipaddress %> <%= @fqdn %> <%= @hostname %>
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
class linux {
include ferm
- include ferm::per-host
+ include ferm::per_host
include entropykey
- include rng-tools
+ include rng_tools
}
# include monit
#
class monit {
- if $::lsbmajdistrelease <= 7 {
+ if $::lsbmajdistrelease <= '7' {
package { 'monit':
ensure => installed
}
ninfo = scope.lookupvar('site::nodeinfo')
-extra = 'Welcome to ' + fqdn
+extra = 'Welcome to ' + @fqdn
if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('purpose'))
p = scope.lookupvar('site::nodeinfo')['ldap']['purpose'].clone()
entries = ""
vms = []
scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
- if scope.lookupvar('site::allnodeinfo')[node]['physicalHost'] and scope.lookupvar('site::allnodeinfo')[node]['physicalHost'].include?(fqdn)
+ if scope.lookupvar('site::allnodeinfo')[node]['physicalHost'] and scope.lookupvar('site::allnodeinfo')[node]['physicalHost'].include?(@fqdn)
vms << node
end
end
+++ /dev/null
-define munin::master-per-node($ipaddress, $munin_async) {
- $client_fqdn = $name
- $client_ipaddress = $ipaddress
- $client_munin_async = $munin_async
-
- file { "/etc/munin/munin-conf.d/${name}.conf":
- content => template('munin/munin.conf-per-node.erb'),
- }
-}
--- /dev/null
+define munin::master_per_node($ipaddress, $munin_async) {
+ $client_fqdn = $name
+ $client_ipaddress = $ipaddress
+ $client_munin_async = $munin_async
+
+ file { "/etc/munin/munin-conf.d/${name}.conf":
+ content => template('munin/munin.conf_per_node.erb'),
+ }
+}
--- /dev/null
+##
+### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+[<%= client_fqdn %>]
+<%
+# variables are different whether or not they go via the stored config thing.
+# on the host that actually gets the config, client_munin_async is a String, saying "true",
+# from other hosts it's an actual boolean, i.e. an instance of either FalseClass or TrueClass
+%>
+<%- if has_variable?('client_munin_async') and ((client_munin_async.kind_of?(String) and client_munin_async == "true") or (client_munin_async.kind_of?(TrueClass))) %>
+ address ssh://munin-async@<%= client_fqdn %>/set-in-authkeys
+<%- else %>
+ address <%= client_ipaddress %>
+<%- end %>
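Review bot: This renamed template still reads `client_fqdn`, `client_ipaddress` and `client_munin_async` as bare names, while the other templates touched by this commit were moved to `@`-prefixed variables. Bare access is the deprecated form the rest of the change removes, so this file would keep emitting the deprecation warning and, as far as I can tell, stop rendering on a Puppet version that drops it. I would use `[<%= @client_fqdn %>]` and `address <%= @client_ipaddress %>`, and test `@client_munin_async` in the condition. The String-or-TrueClass check described in the template comment should stay as it is.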
user root
<%=
out = ""
-if has_variable?("mta") and mta == "exim4"
+if has_variable?("mta") and @mta == "exim4"
out="
[exim_mail*]
user Debian-exim
<%=
out = ""
-if has_variable?("mta") and mta == "postfix"
+if has_variable?("mta") and @mta == "postfix"
out="
[postfix_mailqueue]
user postfix
+++ /dev/null
-##
-### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-##
-
-[<%= client_fqdn %>]
-<%
-# variables are different whether or not they go via the stored config thing.
-# on the host that actually gets the config, client_munin_async is a String, saying "true",
-# from other hosts it's an actual boolean, i.e. an instance of either FalseClass or TrueClass
-%>
-<%- if has_variable?('client_munin_async') and ((client_munin_async.kind_of?(String) and client_munin_async == "true") or (client_munin_async.kind_of?(TrueClass))) %>
- address ssh://munin-async@<%= client_fqdn %>/set-in-authkeys
-<%- else %>
- address <%= client_ipaddress %>
-<%- end %>
<%=
ignore = []
-case fqdn
+case @fqdn
when /draghi.debian.org/ then ignore << %w{userdir-ldap userdir-ldap-cgi libheimdal-kadm5-perl django-ldapdb ud python-cdb python-nameparser python-django-ldapdb}
when "handel.debian.org" then ignore << %w{puppet-dashboard}
when "reger.debian.org" then ignore << %w{librt-extension-commandbymail-perl}
end
if @lsbmajdistrelease <= '8'
- case fqdn
+ case @fqdn
when /(acker|aagaard).debian.org/ then ignore << %w{qemu-efi}
end
end
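Review bot: The unchanged guard `if @lsbmajdistrelease <= '8'` between the two edited `case` lines is a Ruby string comparison, which is lexical. `'10' <= '8'` evaluates to true, so a host on a two-digit release would still take the branch meant for release 8 and older and get `qemu-efi` added to the ignore list. Comparing integers avoids that: `if @lsbmajdistrelease.to_i <= 8`. The template starts and ends outside the hunk.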
USEHTTP="yes"
<%=
# hostids are 32 hexchars long
-id_short = popcon_host_id[0,32]
+id_short = @popcon_host_id[0,32]
# slightly biased, but meh
-day = (popcon_host_id[0].ord + 256*popcon_host_id[1].ord) % 7
+day = (@popcon_host_id[0].ord + 256*@popcon_host_id[1].ord) % 7
conf = []
conf << "MY_HOSTID=\"#{id_short}\""
##lines << "# sourcehost is #{sourcehost}"
services.each do |service|
##lines << "# targethost is #{service['target_host']}, my hostname #{hostname}, fqdn is #{fqdn}"
- next if service['target_host'] != fqdn
+ next if service['target_host'] != @fqdn
allowed_ports << service['target_port'] if service['target_port']
end
'
config = YAML.load(File.open('/etc/puppet/modules/portforwarder/misc/config.yaml').read)
-if config[fqdn]
+if config[@fqdn]
config[fqdn].each do |service|
target_port = service['target_port']
target_host = service['target_host']
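Review bot: Only the condition was converted here: `if config[@fqdn]` now tests the instance variable, but the next line still iterates `config[fqdn].each`, using the bare name this commit removes everywhere else. If bare lookup stops resolving, the guard passes and the loop then fails on `fqdn`, so the entries for this host would not be generated. The line should read `config[@fqdn].each do |service|`. The surrounding template continues outside the hunk.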
next unless localinfo[node]['entropy_key']
addresses = allnodeinfo[node]['ipHostNumber']
- thishoster = function_whohosts([addresses, "/etc/puppet/modules/debian-org/misc/hoster.yaml"])
+ thishoster = function_whohosts([addresses, "/etc/puppet/modules/debian_org/misc/hoster.yaml"])
name = thishoster['name']
provider << node
unless nodeinfo['ldap']['ipHostNumber']
raise Puppet::ParseError, "Host #{host} does not have ipHostNumber values in ldap"
end
- nodeinfo['hoster'] = function_whohosts([nodeinfo['ldap']['ipHostNumber'], "/etc/puppet/modules/debian-org/misc/hoster.yaml"])
+ nodeinfo['hoster'] = function_whohosts([nodeinfo['ldap']['ipHostNumber'], "/etc/puppet/modules/debian_org/misc/hoster.yaml"])
nodeinfo['buildd'] = (nodeinfo['ldap']['purpose'].respond_to?('include?') && nodeinfo['ldap']['purpose'].include?('buildd'))
nodeinfo['timeserver'] = (nodeinfo['ldap']['purpose'].respond_to?('include?') && nodeinfo['ldap']['purpose'].include?('timeserver'))
nodeinfo['porterbox'] = (nodeinfo['ldap']['purpose'].respond_to?('include?') && nodeinfo['ldap']['purpose'].include?('porterbox'))
search <%= searchpaths.to_a.flatten.join(" ") %>
<%
nameservers = []
-if %w{draghi}.include?(hostname)
+if %w{draghi}.include?(@hostname)
nameservers << "127.0.0.1"
end
nameservers += @ns
+++ /dev/null
-class rng-tools {
- if $has_dev_hwrng {
- package { 'rng-tools':
- ensure => installed
- }
- service { 'rng-tools':
- ensure => running,
- require => Package['rng-tools']
- }
- }
-}
--- /dev/null
+class rng_tools {
+ if $has_dev_hwrng {
+ package { 'rng-tools':
+ ensure => installed
+ }
+ service { 'rng-tools':
+ ensure => running,
+ require => Package['rng-tools']
+ }
+ }
+}
file=/etc/ssh/userkeys/staticsync
<% end -%>
file=/etc/rsyncd
-<%- if hostname == "sibelius" then -%>
+<%- if @hostname == "sibelius" then -%>
file=/etc/tsm
file=/etc/tsm/TSM.PWD
<% end -%>
## Recipient (max. 8)
#
-SetMailAddress=samhain-reports@<%= fqdn -%>
+SetMailAddress=samhain-reports@<%= @fqdn -%>
SetMailRelay = localhost
class site {
- $localinfo = yamlinfo('*', '/etc/puppet/modules/debian-org/misc/local.yaml')
- $nodeinfo = nodeinfo($::fqdn, '/etc/puppet/modules/debian-org/misc/local.yaml')
+ $localinfo = yamlinfo('*', '/etc/puppet/modules/debian_org/misc/local.yaml')
+ $nodeinfo = nodeinfo($::fqdn, '/etc/puppet/modules/debian_org/misc/local.yaml')
$allnodeinfo = allnodeinfo('sshRSAHostKey ipHostNumber', 'purpose mXRecord physicalHost purpose')
$roles = hiera('roles')
-define site::sysctl ($key='', $value='', $target=Linux, $ensure = present) {
+define site::sysctl ($key='', $value='', $target='Linux', $ensure = present) {
include site
case $ensure {
present: { if ($key == "" or $value == "") { fail ( "Need to provide key and value" )} }
content => template('ssh/authorized_keys.erb'),
}
- if ($::lsbmajdistrelease >= 8) {
+ if ($::lsbmajdistrelease >= '8') {
if ! $has_etc_ssh_ssh_host_ed25519_key {
exec { 'create-ed25519-host-key':
command => 'ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -q -P "" -t ed25519',
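Review bot: Quoting the operand in `if ($::lsbmajdistrelease >= '8')` turns this into a comparison of two strings. On Puppet versions that order strings lexically, a major release of `'10'` would sort below `'8'`, and the ed25519 host key would silently stop being generated on newer hosts. Whether that happens depends on the Puppet version and on how the fact is typed, neither of which the hunk shows. `if versioncmp($::lsbmajdistrelease, '8') >= 0 {` states the intent without depending on either. The enclosing class and the `exec` resource continue outside the hunk.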
%>
# local admin
-<%= localkeys = case fqdn
+<%= localkeys = case @fqdn
when "pettersson.debian.org" then "from=\"nixon.acc.umu.se\" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwDw56/XK0/uQB+ZIOZIfZ3vpz9zLRuv6G0U4eU4VavqvaL0dXSNhGJLBDLlfpxtJYwYf/mSoK4WZasbbfHxz8jtIxK9c9aGkVA0GKT+xiHWB3J1SlwJaA7S7Ed8nNcG5PNOVd30BD5LimkS53Nz841e+MgZRuL9SfLALq7er03U= root@nixon"
end
localkeys
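Review bot: The `ssh-rsa` entry kept for `pettersson.debian.org` under `# local admin` looks like a 1024-bit key, judging by its length and the `AAAAB3NzaC1yc2EAAAABIwAAAIEA` prefix (exponent 35, 129-byte modulus field). That is below current recommendations for a key that appears to grant administrative login. The `from="nixon.acc.umu.se"` option narrows its use but relies on name resolution of the client. While this `case @fqdn` block is being touched, consider requesting an ed25519 or 3072-bit or larger RSA replacement, and add a comment above the `case` recording the key's owner and purpose. The template continues outside the hunk.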
<%=
machine_keys = []
-case fqdn
+case @fqdn
when "storace.debian.org" then
roles['dabackup_client'].each do |node|
if allnodeinfo.has_key?(node)
GSSAPIAuthentication no
GSSAPIDelegateCredentials no
VerifyHostKeyDNS yes
-<%- if (hostname == "sibelius") -%>
+<%- if (@hostname == "sibelius") -%>
ServerAliveInterval 450
<%- end -%>
# Used for the email-virtualdomains setup
# What ports, IPs and protocols we listen for
Port 22
-<%= extraports = case fqdn
+<%= extraports = case @fqdn
when "paradis.debian.org" then "
ListenAddress 0.0.0.0:22
ListenAddress [::]:22
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
-<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && has_etc_ssh_ssh_host_ed25519_key == "true" -%>
+<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key == "true" -%>
HostKey /etc/ssh/ssh_host_ed25519_key
<% end %>
#Privilege Separation is turned on for security
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##
-<%- if client -%>
+<%- if @client -%>
cert = /etc/ssl/debian/certs/thishost.crt
key = /etc/ssl/private/thishost.key
<%- else -%>
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
-pid = /stunnel-<%= name %>.pid
+pid = /stunnel-<%= @name %>.pid
-verify = <%= verify %>
-CAfile = <%= cafile %>
-<%- if crlfile -%>
+verify = <%= @verify %>
+CAfile = <%= @cafile %>
+<%- if @crlfile -%>
CRLfile = /etc/exim4/ssl/ca.crl
<%- end -%>
; don't use a file, use syslog
; output = /var/log/stunnel4/stunnel.log
-client = <%= client ? "yes" : "no" %>
+client = <%= @client ? "yes" : "no" %>
socket = a:SO_LINGER=1:60
socket = a:SO_KEEPALIVE=1
-[<%= name %>-server]
-accept = <%= accept =~ /:/ ? accept : ":::#{accept}" %>
-connect = <%= connect %>
-<%- if local -%>
-local = <%= local %>
+[<%= @name %>-server]
+accept = <%= @accept =~ /:/ ? @accept : ":::#{accept}" %>
+connect = <%= @connect %>
+<%- if @local -%>
+local = <%= @local %>
<%- end -%>
; vim:ft=dosini
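Review bot: The new `accept` line still interpolates the bare template local in its fallback branch, `":::#{accept}"`, while every other reference in this template was moved to an instance variable. On a Puppet version that no longer exposes bare locals to templates, a port-only value would make this branch raise or render an empty port. The tunnel would then fail to start or listen somewhere other than intended. The line should read `accept = <%= @accept =~ /:/ ? @accept : ":::#{@accept}" %>`.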
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# If a variable is not set here, then the corresponding
-# parameter will not be changed.
-# If a variables is set, then every invocation of
-# syslog-ng's init script will set them using dmesg.
-
-# log level of messages which should go to console
-# see <linux/kernel.h> for details
-#
-CONSOLE_LOG_LEVEL=2
-
-# Command line options to syslog-ng
-#SYSLOGNG_OPTS="--no-caps"
-
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-/var/log/auth.log {
- rotate 4
- missingok
- notifempty
- weekly
- compress
-}
-
-/var/log/cron.log {
- rotate 4
- weekly
- missingok
- notifempty
- compress
-}
-
-/var/log/daemon.log {
- rotate 7
- weekly
- missingok
- notifempty
- compress
-}
-
-/var/log/debug {
- rotate 4
- weekly
- missingok
- notifempty
- compress
-}
-
-/var/log/kern.log {
- rotate 4
- weekly
- missingok
- notifempty
- compress
-}
-
-/var/log/lpr.log {
- rotate 4
- weekly
- missingok
- notifempty
- compress
-}
-
-/var/log/mail.err {
- rotate 30
- daily
- dateext
- missingok
- notifempty
- compress
-}
-
-/var/log/mail.info {
- rotate 30
- daily
- dateext
- missingok
- notifempty
- compress
-}
-
-/var/log/mail.log {
- rotate 30
- daily
- dateext
- missingok
- notifempty
- compress
- # listmaster asked for this one
- delaycompress
-}
-
-/var/log/mail.warn {
- rotate 30
- daily
- dateext
- missingok
- notifempty
- compress
-}
-
-/var/log/messages {
- rotate 4
- weekly
- missingok
- notifempty
- compress
-}
-
-
-/var/log/user.log {
- rotate 4
- weekly
- missingok
- notifempty
- compress
-}
-
-/var/log/uucp.log {
- rotate 4
- missingok
- notifempty
- weekly
- compress
-}
-
-/var/log/syslog {
- rotate 7
- daily
- compress
- postrotate
- if [ -d /run/systemd/system ]; then
- /bin/systemctl reload syslog-ng.service >/dev/null
- else
- /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null
- fi
- endscript
-}
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-/var/log/mail-all.log {
- rotate 4
- weekly
- missingok
- notifempty
- compress
-}
-
-/var/log/syslog-all {
- rotate 4
- missingok
- notifempty
- weekly
- compress
-}
-
-/var/log/auth-all.log {
- rotate 4
- missingok
- notifempty
- weekly
- compress
- postrotate
- /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null
- endscript
-}
+++ /dev/null
-[Unit]
-Description=System Logger Daemon
-Documentation=man:syslog-ng(8)
-After=network-online.target unbound.service
-
-[Service]
-Type=notify
-ExecStart=/usr/sbin/syslog-ng -F
-ExecReload=/bin/kill -HUP $MAINPID
-StandardOutput=journal
-StandardError=journal
-Restart=always
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
+++ /dev/null
-class syslog-ng {
- package { 'syslog-ng':
- ensure => installed
- }
-
- service { 'syslog-ng':
- ensure => running,
- hasstatus => false,
- pattern => 'syslog-ng',
- }
-
- file { '/etc/syslog-ng/syslog-ng.conf':
- content => template('syslog-ng/syslog-ng.conf.erb'),
- require => Package['syslog-ng'],
- notify => Service['syslog-ng']
- }
- file { '/etc/default/syslog-ng':
- source => 'puppet:///modules/syslog-ng/syslog-ng.default',
- require => Package['syslog-ng'],
- notify => Service['syslog-ng']
- }
- file { '/etc/logrotate.d/syslog-ng':
- source => 'puppet:///modules/syslog-ng/syslog-ng.logrotate',
- require => Package['syslog-ng']
- }
- if $::hostname in [lotty,lully,loghost-grnet-01] {
- file { '/etc/logrotate.d/syslog-ng-loggers':
- source => 'puppet:///modules/syslog-ng/syslog-ng.logrotate.loggers',
- require => Package['syslog-ng']
- }
- }
- # while syslog-ng breaks on boot
-
- if $systemd {
- file { '/etc/systemd/system/syslog-ng.service':
- ensure => $servicefiles,
- source => 'puppet:///modules/syslog-ng/syslog-ng.service',
- notify => Exec['systemctl daemon-reload'],
- }
-
- file { '/etc/systemd/system/syslog.service':
- ensure => absent,
- notify => Exec['systemctl daemon-reload'],
- }
- }
-}
+++ /dev/null
-<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%>
-@version: 3.0
-<%- elsif has_variable?("syslogversion") and syslogversion.to_s == "3.5" -%>
-@version: 3.5
-@include "scl.conf"
-<%- else -%>
-@version: 3.3
-@include "scl.conf"
-<%- end -%>
-
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#
-# Configuration file for syslog-ng under Debian
-#
-# attempts at reproducing default syslog behavior
-
-# the standard syslog levels are (in descending order of priority):
-# emerg alert crit err warning notice info debug
-# the aliases "error", "panic", and "warn" are deprecated
-# the "none" priority found in the original syslogd configuration is
-# only used in internal messages created by syslogd
-
-
-######
-# options
-
-options {
- # disable the chained hostname format in logs
- # (default is enabled)
- chain_hostnames(1);
-
- # the time to wait before a died connection is re-established
- # (default is 60)
- time_reopen(10);
-
- # the time to wait before an idle destination file is closed
- # (default is 60)
- time_reap(360);
-
- # the number of lines buffered before written to file
- # you might want to increase this if your disk isn't catching with
- # all the log messages you get or if you want less disk activity
- # (say on a laptop)
- # (default is 0)
- #sync(0);
-
- # the number of lines fitting in the output queue
-<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%>
- log_fifo_size(2048);
-<%- else -%>
- log_fifo_size(10000);
-<%- end -%>
-
- # enable or disable directory creation for destination files
- create_dirs(yes);
-
- # default owner, group, and permissions for log files
- # (defaults are 0, 0, 0600)
- #owner(root);
- group(adm);
- perm(0640);
-
- # default owner, group, and permissions for created directories
- # (defaults are 0, 0, 0700)
- #dir_owner(root);
- #dir_group(root);
- dir_perm(0755);
-
- # enable or disable DNS usage
- # syslog-ng blocks on DNS queries, so enabling DNS may lead to
- # a Denial of Service attack
- # (default is yes)
- use_dns(no);
-
- # maximum length of message in bytes
- # this is only limited by the program listening on the /dev/log Unix
- # socket, glibc can handle arbitrary length log messages, but -- for
- # example -- syslogd accepts only 1024 bytes
- # (default is 2048)
- #log_msg_size(2048);
-
- #Disable statistic log messages.
- stats_freq(0);
-
- # Some program send log messages through a private implementation.
- # and sometimes that implementation is bad. If this happen syslog-ng
- # may recognise the program name as hostname. Whit this option
- # we tell the syslog-ng that if a hostname match this regexp than that
- # is not a real hostname.
- bad_hostname("^gconfd$");
-
- keep_hostname(no);
-
- # We believe our own clock more than we believe the client clock.
- keep_timestamp(no);
-};
-
-
-######
-# sources
-
-# all known message sources
-source s_local {
- # message generated by Syslog-NG
- internal();
-<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%>
- # standard Linux log source (this is the default place for the syslog()
- # function to send logs to)
- unix-stream("/dev/log");
- # messages from the kernel
- file("/proc/kmsg" program_override("kernel: "));
-<%- else -%>
- system();
-<%- end -%>
-};
-
-<%- if (hostname == "lotti") || (hostname == "lully") || (hostname == "loghost-grnet-01") -%>
-source s_network {
- tcp6(port(5140) max-connections(400)
- tls( key_file("/etc/exim4/ssl/thishost.key")
- cert_file("/etc/exim4/ssl/thishost.crt")
- ca_dir("/etc/exim4/ssl/")
- )
- );
-};
-<%- end -%>
-
-
-######
-# destinations
-
-# some standard log files
-destination df_auth { file("/var/log/auth.log"); };
-destination df_syslog { file("/var/log/syslog"); };
-destination df_cron { file("/var/log/cron.log"); };
-destination df_daemon { file("/var/log/daemon.log"); };
-destination df_kern { file("/var/log/kern.log"); };
-destination df_lpr { file("/var/log/lpr.log"); };
-destination df_mail { file("/var/log/mail.log" group(maillog)); };
-# destination df_mail_info { file("/var/log/mail.info" group(maillog)); };
-destination df_mail_warn { file("/var/log/mail.warn" group(maillog)); };
-destination df_mail_err { file("/var/log/mail.err" group(maillog)); };
-destination df_user { file("/var/log/user.log" perm(0644)); };
-destination df_uucp { file("/var/log/uucp.log"); };
-
-# these files are meant for the mail system log files
-# and provide re-usable destinations for {mail,cron,...}.info,
-# {mail,cron,...}.notice, etc.
-destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
-destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
-destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
-destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
-destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
-
-# these files are meant for the news system, and are kept separated
-# because they should be owned by "news" instead of "root"
-destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
-destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
-destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };
-
-# some more classical and useful files found in standard syslog configurations
-destination df_debug { file("/var/log/debug"); };
-destination df_messages { file("/var/log/messages"); };
-
-<%- if kernel == 'Linux' -%>
-# pipes
-# a console to view log messages under X
-destination dp_xconsole { pipe("/dev/xconsole"); };
-
-<%- end -%>
-# consoles
-# this will send messages to everyone logged in
-destination du_all { usertty("*"); };
-
-
-######
-# filters
-
-# all messages from the auth and authpriv facilities
-filter f_auth { facility(auth, authpriv); };
-
-# all messages except from the auth and authpriv facilities
-filter f_syslog { not facility(auth, authpriv, mail); };
-
-# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
-# and uucp facilities
-filter f_cron { facility(cron); };
-filter f_daemon { facility(daemon); };
-filter f_kern { facility(kern); };
-filter f_lpr { facility(lpr); };
-filter f_mail { facility(mail); };
-filter f_news { facility(news); };
-filter f_user { facility(user); };
-filter f_uucp { facility(uucp); };
-
-# some filters to select messages of priority greater or equal to info, warn,
-# and err
-# (equivalents of syslogd's *.info, *.warn, and *.err)
-filter f_at_least_info { level(info..emerg); };
-filter f_at_least_notice { level(notice..emerg); };
-filter f_at_least_warn { level(warn..emerg); };
-filter f_at_least_err { level(err..emerg); };
-filter f_at_least_crit { level(crit..emerg); };
-
-# all messages of priority debug not coming from the auth, authpriv, news, and
-# mail facilities
-filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
-
-# all messages of info, notice, or warn priority not coming form the auth,
-# authpriv, cron, daemon, mail, and news facilities
-filter f_messages {
- level(info,notice,warn)
- and not facility(auth,authpriv,cron,daemon,mail,news);
-};
-
-# messages with priority emerg
-filter f_emerg { level(emerg); };
-
-<%- if kernel == 'Linux' -%>
-# complex filter for messages usually sent to the xconsole
-filter f_xconsole {
- facility(daemon,mail)
- or level(debug,info,notice,warn)
- or (facility(news)
- and level(crit,err,notice));
-};
-
-<%- end -%>
-
-# order matters if you use "flags(final);" to mark the end of processing in a
-# "log" statement
-
-###############################################################################
-########## ON LOG CLIENTS #####################################################
-###############################################################################
-###############################################################################
-###############################################################################
-# all log clients, including the log server, log their locally created
-# messages to the standard places.
-
-# auth,authpriv.* /var/log/auth.log
-log {
- source(s_local);
- filter(f_auth);
- destination(df_auth);
-};
-
-# *.*;auth,authpriv.none -/var/log/syslog
-log {
- source(s_local);
- filter(f_syslog);
- destination(df_syslog);
-};
-
-# this is commented out in the default syslog.conf
-# cron.* /var/log/cron.log
-#log {
-# source(s_local);
-# filter(f_cron);
-# destination(df_cron);
-#};
-
-# daemon.* -/var/log/daemon.log
-log {
- source(s_local);
- filter(f_daemon);
- destination(df_daemon);
-};
-
-# kern.* -/var/log/kern.log
-log {
- source(s_local);
- filter(f_kern);
- destination(df_kern);
-};
-
-# lpr.* -/var/log/lpr.log
-log {
- source(s_local);
- filter(f_lpr);
- destination(df_lpr);
-};
-
-# mail.* -/var/log/mail.log
-log {
- source(s_local);
- filter(f_mail);
- destination(df_mail);
-};
-
-# user.* -/var/log/user.log
-log {
- source(s_local);
- filter(f_user);
- destination(df_user);
-};
-
-# uucp.* /var/log/uucp.log
-log {
- source(s_local);
- filter(f_uucp);
- destination(df_uucp);
-};
-
-# mail.info -/var/log/mail.info
-#log {
-# source(s_local);
-# filter(f_mail);
-# filter(f_at_least_info);
-# destination(df_mail_info);
-#};
-
-# mail.warn -/var/log/mail.warn
-log {
- source(s_local);
- filter(f_mail);
- filter(f_at_least_warn);
- destination(df_mail_warn);
-};
-
-# mail.err /var/log/mail.err
-log {
- source(s_local);
- filter(f_mail);
- filter(f_at_least_err);
- destination(df_mail_err);
-};
-
-# news.crit /var/log/news/news.crit
-log {
- source(s_local);
- filter(f_news);
- filter(f_at_least_crit);
- destination(df_news_dot_crit);
-};
-
-# news.err /var/log/news/news.err
-log {
- source(s_local);
- filter(f_news);
- filter(f_at_least_err);
- destination(df_news_dot_err);
-};
-
-# news.notice /var/log/news/news.notice
-log {
- source(s_local);
- filter(f_news);
- filter(f_at_least_notice);
- destination(df_news_dot_notice);
-};
-
-
-# *.=debug;\
-# auth,authpriv.none;\
-# news.none;mail.none -/var/log/debug
-log {
- source(s_local);
- filter(f_debug);
- destination(df_debug);
-};
-
-
-# *.=info;*.=notice;*.=warn;\
-# auth,authpriv.none;\
-# cron,daemon.none;\
-# mail,news.none -/var/log/messages
-log {
- source(s_local);
- filter(f_messages);
- destination(df_messages);
-};
-
-# *.emerg *
-log {
- source(s_local);
- filter(f_emerg);
- destination(du_all);
-};
-
-
-<%- if kernel == 'Linux' -%>
-# daemon.*;mail.*;\
-# news.crit;news.err;news.notice;\
-# *.=debug;*.=info;\
-# *.=notice;*.=warn |/dev/xconsole
-log {
- source(s_local);
- filter(f_xconsole);
- destination(dp_xconsole);
-};
-<%- end -%>
-
-
- <%- if hostname != "lotti" -%>
-destination loghost-lotti {
- tcp("lotti.debian.org" port (5140)
- tls( key_file("/etc/ssl/private/thishost.key")
- cert_file("/etc/ssl/debian/certs/thishost.crt")
- ca_dir("/etc/ssl/debian/certs/")
- )
- );
-};
- <%- end -%>
- <%- if hostname != "lully" -%>
-destination loghost-lully {
- tcp("lully.debian.org" port (5140)
- tls( key_file("/etc/ssl/private/thishost.key")
- cert_file("/etc/ssl/debian/certs/thishost.crt")
- ca_dir("/etc/ssl/debian/certs/")
- )
- );
-};
- <%- end -%>
- <%- if hostname != "loghost-grnet-01" -%>
-destination loghost-loghost-grnet-01 {
- tcp("loghost-grnet-01.debian.org" port (5140)
- tls( key_file("/etc/ssl/private/thishost.key")
- cert_file("/etc/ssl/debian/certs/thishost.crt")
- ca_dir("/etc/ssl/debian/certs/")
- )
- );
-};
- <%- end -%>
-
-log {
- source(s_local);
- <%- if hostname != "lotti" -%>
- destination(loghost-lotti);
- <%- end -%>
- <%- if hostname != "lully" -%>
- destination(loghost-lully);
- <%- end -%>
- <%- if hostname != "loghost-grnet-01" -%>
- destination(loghost-loghost-grnet-01);
- <%- end -%>
-};
-
-
-
-<%- if (hostname == "lotti") || (hostname == "lully") || (hostname == "loghost-grnet-01") -%>
-###############################################################################
-########## ON LOG HOST ########################################################
-###############################################################################
-###############################################################################
-#
-# The log server, additionally, also logs all local and remote messages to
-# a few special places.
-destination hostdest_auth { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/auth.log"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_syslog { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/syslog"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_cron { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/cron.log"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_daemon { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/daemon.log"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_kern { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/kern.log"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_lpr { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/lpr.log"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_mail { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/mail.log"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_news { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/news.log"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_user { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/user.log"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_uucp { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/uucp.log"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_debug { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/debug"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_messages { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/messages"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-
-
-#----------------------------------------------------------------------
-# Special catch all destination hostdest_sorting by host
-#----------------------------------------------------------------------
-destination hostdest_facility_dot_info { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.info"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_facility_dot_notice { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.notice"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_facility_dot_warn { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.warn"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_facility_dot_err { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.err"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_facility_dot_crit { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.crit"
- owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-
-
-#----------------------------------------------------------------------
-# Catch all log files
-#----------------------------------------------------------------------
-destination df_ALL_auth { file("/var/log/auth-all.log"); };
-destination df_ALL_mail { file("/var/log/mail-all.log"); };
-destination df_ALL_syslog { file("/var/log/syslog-all"); };
-
-log { source(s_local);
- source(s_network);
- filter(f_auth); destination(hostdest_auth); };
-log { source(s_local);
- source(s_network);
- filter(f_syslog); destination(hostdest_syslog); };
-log { source(s_local);
- source(s_network);
- filter(f_daemon); destination(hostdest_daemon); };
-log { source(s_local);
- source(s_network);
- filter(f_kern); destination(hostdest_kern); };
-log { source(s_local);
- source(s_network);
- filter(f_lpr); destination(hostdest_lpr); };
-log { source(s_local);
- source(s_network);
- filter(f_mail); destination(hostdest_mail); };
-log { source(s_local);
- source(s_network);
- filter(f_news); destination(hostdest_mail); };
-log { source(s_local);
- source(s_network);
- filter(f_user); destination(hostdest_user); };
-log { source(s_local);
- source(s_network);
- filter(f_uucp); destination(hostdest_uucp); };
-log { source(s_local);
- source(s_network);
- filter(f_debug); destination(hostdest_debug); };
-log { source(s_local);
- source(s_network);
- filter(f_messages); destination(hostdest_messages); };
-
-log { source(s_local);
- source(s_network);
- filter(f_mail); filter(f_at_least_info); destination(hostdest_facility_dot_info); };
-log { source(s_local);
- source(s_network);
- filter(f_mail); filter(f_at_least_warn); destination(hostdest_facility_dot_warn); };
-log { source(s_local);
- source(s_network);
- filter(f_mail); filter(f_at_least_err); destination(hostdest_facility_dot_err); };
-
-
-## catch all:
-log { source(s_local);
- source(s_network);
- filter(f_auth); destination(df_ALL_auth); };
-log { source(s_local);
- source(s_network);
- filter(f_mail); destination(df_ALL_mail); };
-log { source(s_local);
- source(s_network);
- filter(f_syslog); destination(df_ALL_syslog); };
-<%- end -%>
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+# If a variable is not set here, then the corresponding
+# parameter will not be changed.
+# If a variables is set, then every invocation of
+# syslog-ng's init script will set them using dmesg.
+
+# log level of messages which should go to console
+# see <linux/kernel.h> for details
+#
+CONSOLE_LOG_LEVEL=2
+
+# Command line options to syslog-ng
+#SYSLOGNG_OPTS="--no-caps"
+
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+/var/log/auth.log {
+ rotate 4
+ missingok
+ notifempty
+ weekly
+ compress
+}
+
+/var/log/cron.log {
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+}
+
+/var/log/daemon.log {
+ rotate 7
+ weekly
+ missingok
+ notifempty
+ compress
+}
+
+/var/log/debug {
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+}
+
+/var/log/kern.log {
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+}
+
+/var/log/lpr.log {
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+}
+
+/var/log/mail.err {
+ rotate 30
+ daily
+ dateext
+ missingok
+ notifempty
+ compress
+}
+
+/var/log/mail.info {
+ rotate 30
+ daily
+ dateext
+ missingok
+ notifempty
+ compress
+}
+
+/var/log/mail.log {
+ rotate 30
+ daily
+ dateext
+ missingok
+ notifempty
+ compress
+ # listmaster asked for this one
+ delaycompress
+}
+
+/var/log/mail.warn {
+ rotate 30
+ daily
+ dateext
+ missingok
+ notifempty
+ compress
+}
+
+/var/log/messages {
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+}
+
+
+/var/log/user.log {
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+}
+
+/var/log/uucp.log {
+ rotate 4
+ missingok
+ notifempty
+ weekly
+ compress
+}
+
+/var/log/syslog {
+ rotate 7
+ daily
+ compress
+ postrotate
+ if [ -d /run/systemd/system ]; then
+ /bin/systemctl reload syslog-ng.service >/dev/null
+ else
+ /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null
+ fi
+ endscript
+}
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+/var/log/mail-all.log {
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+}
+
+/var/log/syslog-all {
+ rotate 4
+ missingok
+ notifempty
+ weekly
+ compress
+}
+
+/var/log/auth-all.log {
+ rotate 4
+ missingok
+ notifempty
+ weekly
+ compress
+ postrotate
+ /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null
+ endscript
+}
--- /dev/null
+[Unit]
+Description=System Logger Daemon
+Documentation=man:syslog-ng(8)
+After=network-online.target unbound.service
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/syslog-ng -F
+ExecReload=/bin/kill -HUP $MAINPID
+StandardOutput=journal
+StandardError=journal
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+class syslog_ng {
+ package { 'syslog-ng':
+ ensure => installed
+ }
+
+ service { 'syslog-ng':
+ ensure => running,
+ hasstatus => false,
+ pattern => 'syslog-ng',
+ }
+
+ file { '/etc/syslog-ng/syslog-ng.conf':
+ content => template('syslog_ng/syslog-ng.conf.erb'),
+ require => Package['syslog-ng'],
+ notify => Service['syslog-ng']
+ }
+ file { '/etc/default/syslog-ng':
+ source => 'puppet:///modules/syslog_ng/syslog-ng.default',
+ require => Package['syslog-ng'],
+ notify => Service['syslog-ng']
+ }
+ file { '/etc/logrotate.d/syslog-ng':
+ source => 'puppet:///modules/syslog_ng/syslog-ng.logrotate',
+ require => Package['syslog-ng']
+ }
+ if $::hostname in [lotty,lully,loghost-grnet-01] {
+ file { '/etc/logrotate.d/syslog-ng-loggers':
+ source => 'puppet:///modules/syslog_ng/syslog-ng.logrotate.loggers',
+ require => Package['syslog-ng']
+ }
+ }
+ # while syslog-ng breaks on boot
+
+ if $systemd {
+ file { '/etc/systemd/system/syslog-ng.service':
+ ensure => $servicefiles,
+ source => 'puppet:///modules/syslog_ng/syslog-ng.service',
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { '/etc/systemd/system/syslog.service':
+ ensure => absent,
+ notify => Exec['systemctl daemon-reload'],
+ }
+ }
+}
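Review bot: The host list in `if $::hostname in [lotty,lully,loghost-grnet-01]` spells the first host `lotty`, while the template added in the same commit tests `@hostname == "lotti"` and ships logs to `lotti.debian.org`. If `lotti` is the real name, that log host never receives `/etc/logrotate.d/syslog-ng-loggers`, so its `auth-all.log`, `mail-all.log` and `syslog-all` files grow without rotation. The entries are also left as barewords although this commit quotes such values elsewhere (`'Linux'`); suggest `if $::hostname in ['lotti', 'lully', 'loghost-grnet-01'] {`. Separately, `$systemd` and `$servicefiles` are not assigned anywhere in the class as shown, so they should be qualified or their origin documented in a comment.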
--- /dev/null
+<%- if has_variable?("syslogversion") and @syslogversion.to_s == "3.1" -%>
+@version: 3.0
+<%- elsif has_variable?("syslogversion") and @syslogversion.to_s == "3.5" -%>
+@version: 3.5
+@include "scl.conf"
+<%- else -%>
+@version: 3.3
+@include "scl.conf"
+<%- end -%>
+
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# Configuration file for syslog-ng under Debian
+#
+# attempts at reproducing default syslog behavior
+
+# the standard syslog levels are (in descending order of priority):
+# emerg alert crit err warning notice info debug
+# the aliases "error", "panic", and "warn" are deprecated
+# the "none" priority found in the original syslogd configuration is
+# only used in internal messages created by syslogd
+
+
+######
+# options
+
+options {
+ # disable the chained hostname format in logs
+ # (default is enabled)
+ chain_hostnames(1);
+
+ # the time to wait before a died connection is re-established
+ # (default is 60)
+ time_reopen(10);
+
+ # the time to wait before an idle destination file is closed
+ # (default is 60)
+ time_reap(360);
+
+ # the number of lines buffered before written to file
+ # you might want to increase this if your disk isn't catching with
+ # all the log messages you get or if you want less disk activity
+ # (say on a laptop)
+ # (default is 0)
+ #sync(0);
+
+ # the number of lines fitting in the output queue
+<%- if has_variable?("syslogversion") and @syslogversion.to_s == "3.1" -%>
+ log_fifo_size(2048);
+<%- else -%>
+ log_fifo_size(10000);
+<%- end -%>
+
+ # enable or disable directory creation for destination files
+ create_dirs(yes);
+
+ # default owner, group, and permissions for log files
+ # (defaults are 0, 0, 0600)
+ #owner(root);
+ group(adm);
+ perm(0640);
+
+ # default owner, group, and permissions for created directories
+ # (defaults are 0, 0, 0700)
+ #dir_owner(root);
+ #dir_group(root);
+ dir_perm(0755);
+
+ # enable or disable DNS usage
+ # syslog-ng blocks on DNS queries, so enabling DNS may lead to
+ # a Denial of Service attack
+ # (default is yes)
+ use_dns(no);
+
+ # maximum length of message in bytes
+ # this is only limited by the program listening on the /dev/log Unix
+ # socket, glibc can handle arbitrary length log messages, but -- for
+ # example -- syslogd accepts only 1024 bytes
+ # (default is 2048)
+ #log_msg_size(2048);
+
+ #Disable statistic log messages.
+ stats_freq(0);
+
+ # Some program send log messages through a private implementation.
+ # and sometimes that implementation is bad. If this happen syslog-ng
+ # may recognise the program name as hostname. Whit this option
+ # we tell the syslog-ng that if a hostname match this regexp than that
+ # is not a real hostname.
+ bad_hostname("^gconfd$");
+
+ keep_hostname(no);
+
+ # We believe our own clock more than we believe the client clock.
+ keep_timestamp(no);
+};
+
+
+######
+# sources
+
+# all known message sources
+source s_local {
+ # message generated by Syslog-NG
+ internal();
+<%- if has_variable?("syslogversion") and @syslogversion.to_s == "3.1" -%>
+ # standard Linux log source (this is the default place for the syslog()
+ # function to send logs to)
+ unix-stream("/dev/log");
+ # messages from the kernel
+ file("/proc/kmsg" program_override("kernel: "));
+<%- else -%>
+ system();
+<%- end -%>
+};
+
+<%- if (@hostname == "lotti") || (@hostname == "lully") || (@hostname == "loghost-grnet-01") -%>
+source s_network {
+ tcp6(port(5140) max-connections(400)
+ tls( key_file("/etc/exim4/ssl/thishost.key")
+ cert_file("/etc/exim4/ssl/thishost.crt")
+ ca_dir("/etc/exim4/ssl/")
+ )
+ );
+};
+<%- end -%>
+
+
+######
+# destinations
+
+# some standard log files
+destination df_auth { file("/var/log/auth.log"); };
+destination df_syslog { file("/var/log/syslog"); };
+destination df_cron { file("/var/log/cron.log"); };
+destination df_daemon { file("/var/log/daemon.log"); };
+destination df_kern { file("/var/log/kern.log"); };
+destination df_lpr { file("/var/log/lpr.log"); };
+destination df_mail { file("/var/log/mail.log" group(maillog)); };
+# destination df_mail_info { file("/var/log/mail.info" group(maillog)); };
+destination df_mail_warn { file("/var/log/mail.warn" group(maillog)); };
+destination df_mail_err { file("/var/log/mail.err" group(maillog)); };
+destination df_user { file("/var/log/user.log" perm(0644)); };
+destination df_uucp { file("/var/log/uucp.log"); };
+
+# these files are meant for the mail system log files
+# and provide re-usable destinations for {mail,cron,...}.info,
+# {mail,cron,...}.notice, etc.
+destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
+destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
+destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
+destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
+destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
+
+# these files are meant for the news system, and are kept separated
+# because they should be owned by "news" instead of "root"
+destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
+destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
+destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };
+
+# some more classical and useful files found in standard syslog configurations
+destination df_debug { file("/var/log/debug"); };
+destination df_messages { file("/var/log/messages"); };
+
+<%- if @kernel == 'Linux' -%>
+# pipes
+# a console to view log messages under X
+destination dp_xconsole { pipe("/dev/xconsole"); };
+
+<%- end -%>
+# consoles
+# this will send messages to everyone logged in
+destination du_all { usertty("*"); };
+
+
+######
+# filters
+
+# all messages from the auth and authpriv facilities
+filter f_auth { facility(auth, authpriv); };
+
+# all messages except from the auth and authpriv facilities
+filter f_syslog { not facility(auth, authpriv, mail); };
+
+# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
+# and uucp facilities
+filter f_cron { facility(cron); };
+filter f_daemon { facility(daemon); };
+filter f_kern { facility(kern); };
+filter f_lpr { facility(lpr); };
+filter f_mail { facility(mail); };
+filter f_news { facility(news); };
+filter f_user { facility(user); };
+filter f_uucp { facility(uucp); };
+
+# some filters to select messages of priority greater or equal to info, warn,
+# and err
+# (equivalents of syslogd's *.info, *.warn, and *.err)
+filter f_at_least_info { level(info..emerg); };
+filter f_at_least_notice { level(notice..emerg); };
+filter f_at_least_warn { level(warn..emerg); };
+filter f_at_least_err { level(err..emerg); };
+filter f_at_least_crit { level(crit..emerg); };
+
+# all messages of priority debug not coming from the auth, authpriv, news, and
+# mail facilities
+filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
+
+# all messages of info, notice, or warn priority not coming form the auth,
+# authpriv, cron, daemon, mail, and news facilities
+filter f_messages {
+ level(info,notice,warn)
+ and not facility(auth,authpriv,cron,daemon,mail,news);
+};
+
+# messages with priority emerg
+filter f_emerg { level(emerg); };
+
+<%- if @kernel == 'Linux' -%>
+# complex filter for messages usually sent to the xconsole
+filter f_xconsole {
+ facility(daemon,mail)
+ or level(debug,info,notice,warn)
+ or (facility(news)
+ and level(crit,err,notice));
+};
+
+<%- end -%>
+
+# order matters if you use "flags(final);" to mark the end of processing in a
+# "log" statement
+
+###############################################################################
+########## ON LOG CLIENTS #####################################################
+###############################################################################
+###############################################################################
+###############################################################################
+# all log clients, including the log server, log their locally created
+# messages to the standard places.
+
+# auth,authpriv.* /var/log/auth.log
+log {
+ source(s_local);
+ filter(f_auth);
+ destination(df_auth);
+};
+
+# *.*;auth,authpriv.none -/var/log/syslog
+log {
+ source(s_local);
+ filter(f_syslog);
+ destination(df_syslog);
+};
+
+# this is commented out in the default syslog.conf
+# cron.* /var/log/cron.log
+#log {
+# source(s_local);
+# filter(f_cron);
+# destination(df_cron);
+#};
+
+# daemon.* -/var/log/daemon.log
+log {
+ source(s_local);
+ filter(f_daemon);
+ destination(df_daemon);
+};
+
+# kern.* -/var/log/kern.log
+log {
+ source(s_local);
+ filter(f_kern);
+ destination(df_kern);
+};
+
+# lpr.* -/var/log/lpr.log
+log {
+ source(s_local);
+ filter(f_lpr);
+ destination(df_lpr);
+};
+
+# mail.* -/var/log/mail.log
+log {
+ source(s_local);
+ filter(f_mail);
+ destination(df_mail);
+};
+
+# user.* -/var/log/user.log
+log {
+ source(s_local);
+ filter(f_user);
+ destination(df_user);
+};
+
+# uucp.* /var/log/uucp.log
+log {
+ source(s_local);
+ filter(f_uucp);
+ destination(df_uucp);
+};
+
+# mail.info -/var/log/mail.info
+#log {
+# source(s_local);
+# filter(f_mail);
+# filter(f_at_least_info);
+# destination(df_mail_info);
+#};
+
+# mail.warn -/var/log/mail.warn
+log {
+ source(s_local);
+ filter(f_mail);
+ filter(f_at_least_warn);
+ destination(df_mail_warn);
+};
+
+# mail.err /var/log/mail.err
+log {
+ source(s_local);
+ filter(f_mail);
+ filter(f_at_least_err);
+ destination(df_mail_err);
+};
+
+# news.crit /var/log/news/news.crit
+log {
+ source(s_local);
+ filter(f_news);
+ filter(f_at_least_crit);
+ destination(df_news_dot_crit);
+};
+
+# news.err /var/log/news/news.err
+log {
+ source(s_local);
+ filter(f_news);
+ filter(f_at_least_err);
+ destination(df_news_dot_err);
+};
+
+# news.notice /var/log/news/news.notice
+log {
+ source(s_local);
+ filter(f_news);
+ filter(f_at_least_notice);
+ destination(df_news_dot_notice);
+};
+
+
+# *.=debug;\
+# auth,authpriv.none;\
+# news.none;mail.none -/var/log/debug
+log {
+ source(s_local);
+ filter(f_debug);
+ destination(df_debug);
+};
+
+
+# *.=info;*.=notice;*.=warn;\
+# auth,authpriv.none;\
+# cron,daemon.none;\
+# mail,news.none -/var/log/messages
+log {
+ source(s_local);
+ filter(f_messages);
+ destination(df_messages);
+};
+
+# *.emerg *
+log {
+ source(s_local);
+ filter(f_emerg);
+ destination(du_all);
+};
+
+
+<%- if @kernel == 'Linux' -%>
+# daemon.*;mail.*;\
+# news.crit;news.err;news.notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn |/dev/xconsole
+log {
+ source(s_local);
+ filter(f_xconsole);
+ destination(dp_xconsole);
+};
+<%- end -%>
+
+
+ <%- if @hostname != "lotti" -%>
+destination loghost-lotti {
+ tcp("lotti.debian.org" port (5140)
+ tls( key_file("/etc/ssl/private/thishost.key")
+ cert_file("/etc/ssl/debian/certs/thishost.crt")
+ ca_dir("/etc/ssl/debian/certs/")
+ )
+ );
+};
+ <%- end -%>
+ <%- if @hostname != "lully" -%>
+destination loghost-lully {
+ tcp("lully.debian.org" port (5140)
+ tls( key_file("/etc/ssl/private/thishost.key")
+ cert_file("/etc/ssl/debian/certs/thishost.crt")
+ ca_dir("/etc/ssl/debian/certs/")
+ )
+ );
+};
+ <%- end -%>
+ <%- if @hostname != "loghost-grnet-01" -%>
+destination loghost-loghost-grnet-01 {
+ tcp("loghost-grnet-01.debian.org" port (5140)
+ tls( key_file("/etc/ssl/private/thishost.key")
+ cert_file("/etc/ssl/debian/certs/thishost.crt")
+ ca_dir("/etc/ssl/debian/certs/")
+ )
+ );
+};
+ <%- end -%>
+
+log {
+ source(s_local);
+ <%- if @hostname != "lotti" -%>
+ destination(loghost-lotti);
+ <%- end -%>
+ <%- if @hostname != "lully" -%>
+ destination(loghost-lully);
+ <%- end -%>
+ <%- if @hostname != "loghost-grnet-01" -%>
+ destination(loghost-loghost-grnet-01);
+ <%- end -%>
+};
+
+
+
+<%- if (@hostname == "lotti") || (@hostname == "lully") || (@hostname == "loghost-grnet-01") -%>
+###############################################################################
+########## ON LOG HOST ########################################################
+###############################################################################
+###############################################################################
+#
+# The log server, additionally, also logs all local and remote messages to
+# a few special places.
+destination hostdest_auth { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/auth.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_syslog { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/syslog"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_cron { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/cron.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_daemon { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/daemon.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_kern { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/kern.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_lpr { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/lpr.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_mail { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/mail.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_news { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/news.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_user { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/user.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_uucp { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/uucp.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_debug { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/debug"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_messages { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/messages"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+
+
+#----------------------------------------------------------------------
+# Special catch all destination hostdest_sorting by host
+#----------------------------------------------------------------------
+destination hostdest_facility_dot_info { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.info"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_notice { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.notice"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_warn { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.warn"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_err { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.err"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_crit { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.crit"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+
+
+#----------------------------------------------------------------------
+# Catch all log files
+#----------------------------------------------------------------------
+destination df_ALL_auth { file("/var/log/auth-all.log"); };
+destination df_ALL_mail { file("/var/log/mail-all.log"); };
+destination df_ALL_syslog { file("/var/log/syslog-all"); };
+
+log { source(s_local);
+ source(s_network);
+ filter(f_auth); destination(hostdest_auth); };
+log { source(s_local);
+ source(s_network);
+ filter(f_syslog); destination(hostdest_syslog); };
+log { source(s_local);
+ source(s_network);
+ filter(f_daemon); destination(hostdest_daemon); };
+log { source(s_local);
+ source(s_network);
+ filter(f_kern); destination(hostdest_kern); };
+log { source(s_local);
+ source(s_network);
+ filter(f_lpr); destination(hostdest_lpr); };
+log { source(s_local);
+ source(s_network);
+ filter(f_mail); destination(hostdest_mail); };
+log { source(s_local);
+ source(s_network);
+ filter(f_news); destination(hostdest_mail); };
+log { source(s_local);
+ source(s_network);
+ filter(f_user); destination(hostdest_user); };
+log { source(s_local);
+ source(s_network);
+ filter(f_uucp); destination(hostdest_uucp); };
+log { source(s_local);
+ source(s_network);
+ filter(f_debug); destination(hostdest_debug); };
+log { source(s_local);
+ source(s_network);
+ filter(f_messages); destination(hostdest_messages); };
+
+log { source(s_local);
+ source(s_network);
+ filter(f_mail); filter(f_at_least_info); destination(hostdest_facility_dot_info); };
+log { source(s_local);
+ source(s_network);
+ filter(f_mail); filter(f_at_least_warn); destination(hostdest_facility_dot_warn); };
+log { source(s_local);
+ source(s_network);
+ filter(f_mail); filter(f_at_least_err); destination(hostdest_facility_dot_err); };
+
+
+## catch all:
+log { source(s_local);
+ source(s_network);
+ filter(f_auth); destination(df_ALL_auth); };
+log { source(s_local);
+ source(s_network);
+ filter(f_mail); destination(df_ALL_mail); };
+log { source(s_local);
+ source(s_network);
+ filter(f_syslog); destination(df_ALL_syslog); };
+<%- end -%>