Package {
- require => File["/etc/apt/apt.conf.d/local-recommends"]
+ require => File['/etc/apt/apt.conf.d/local-recommends']
}
File {
- owner => root,
- group => root,
- mode => 444,
- ensure => file,
+ owner => root,
+ group => root,
+ mode => '0444',
+ ensure => file,
}
Exec {
- path => "/usr/bin:/usr/sbin:/bin:/sbin"
+ path => '/usr/bin:/usr/sbin:/bin:/sbin'
}
-node default {
- $localinfo = yamlinfo('*', "/etc/puppet/modules/debian-org/misc/local.yaml")
- $nodeinfo = nodeinfo($::fqdn, "/etc/puppet/modules/debian-org/misc/local.yaml")
- $allnodeinfo = allnodeinfo("sshRSAHostKey ipHostNumber", "purpose mXRecord physicalHost purpose")
- notice( sprintf("hoster for %s is %s", $::fqdn, getfromhash($nodeinfo, 'hoster', 'name') ) )
-
- include munin-node
- include syslog-ng
- include sudo
- include ssh
- include debian-org
- include monit
- include apt-keys
- include ntp
- include ntpdate
- include ssl
- include motd
-
- case $::hostname {
- finzi,fano,fasch,field: { include kfreebsd }
- }
-
- if $::smartarraycontroller {
- include debian-proliant
- }
-
- if $::productname == 'PowerEdge 2850' {
- include megactl
- }
-
- if $::mptraid {
- include raidmpt
- }
-
- if $::kvmdomain {
- include acpi
- }
-
- if $::mta == 'exim4' {
- case getfromhash($nodeinfo, 'heavy_exim') {
- true: { include exim::mx }
- default: { include exim }
- }
- }
-
- if getfromhash($nodeinfo, 'puppetmaster') {
- include puppetmaster
- }
-
- if getfromhash($nodeinfo, 'muninmaster') {
- include munin-node::master
- }
-
- case getfromhash($nodeinfo, 'nagiosmaster') {
- true: { include nagios::server }
- default: { include nagios::client }
- }
-
- if $::apache2 {
- if getfromhash($nodeinfo, 'apache2_security_mirror') {
- include apache2::security_mirror
- }
- if getfromhash($nodeinfo, 'apache2_www_mirror') {
- include apache2::www_mirror
- }
- if getfromhash($nodeinfo, 'apache2_backports_mirror') {
- include apache2::backports_mirror
- }
- if getfromhash($nodeinfo, 'apache2_ftp-upcoming_mirror') {
- include apache2::ftp-upcoming_mirror
- }
- include apache2
- }
-
- if $::rsyncd {
- include rsyncd-log
- }
-
-
- if getfromhash($nodeinfo, 'buildd') {
- include buildd
- }
-
- case $::hostname {
- ravel,senfl,orff,draghi,diamond: { include named::authoritative }
- geo1,geo2,geo3: { include named::geodns }
- liszt: { include named::recursor }
- }
-
- case $::hostname {
- franck,master,lobos,samosa,spohr,widor: { include unbound }
- }
-
- if $::lsbdistcodename != 'lenny' {
- include unbound
- }
-
- include resolv
-
- if $::kernel == 'Linux' {
- include ferm
- include ferm::per-host
- }
-
- case $::hostname {
- diabelli,nono,spohr: { include dacs }
- }
-
- case $::hostname {
- beethoven,duarte,spohr,stabile: {
- include nfs-server
- }
- }
-
- if $::brokenhosts {
- include hosts
- }
-
- if $::portforwarder_user_exists {
- include portforwarder
- }
-
- include samhain
-
- case $::hostname {
- chopin,geo3,soler,wieck: {
- include debian-radvd
- }
- }
-
- if $::kernel == 'Linux' {
- include entropykey
- }
-
- if ($::postgres84 or $::postgres90) {
- include postgres
- }
+Service {
+ hasrestart => true,
+ hasstatus => true,
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+node default {
+ include site
+ include munin
+ include syslog-ng
+ include sudo
+ include ssh
+ include debian-org
+ include monit
+ include apt-keys
+ include ntp
+ include ntpdate
+ include ssl
+ include motd
+ include hardware
+ include nagios::client
+ include resolv
+
+ if $::hostname in [finzi,fano,fasch,field] {
+ include kfreebsd
+ }
+
+ if $::kvmdomain {
+ include acpi
+ }
+
+ if $::mta == 'exim4' {
+ if getfromhash($site::nodeinfo, 'heavy_exim') {
+ include exim::mx
+ } else {
+ include exim
+ }
+ }
+
+ if $::lsbdistcodename != 'lenny' {
+ include unbound
+ }
+
+ if getfromhash($site::nodeinfo, 'puppetmaster') {
+ include puppetmaster
+ }
+
+ if getfromhash($site::nodeinfo, 'muninmaster') {
+ include munin::master
+ }
+
+ if getfromhash($site::nodeinfo, 'nagiosmaster') {
+ include nagios::server
+ }
+
+ if getfromhash($site::nodeinfo, 'buildd') {
+ include buildd
+ }
+
+ if $::hostname in [chopin,franck,morricone,bizet] {
+ include roles::dakmaster
+ }
+
+ if getfromhash($site::nodeinfo, 'apache2_security_mirror') {
+ include roles::security_mirror
+ }
+
+ if getfromhash($site::nodeinfo, 'apache2_www_mirror') {
+ include roles::www_mirror
+ }
+
+ if getfromhash($site::nodeinfo, 'apache2_backports_mirror') {
+ include roles::backports_mirror
+ }
+
+ if getfromhash($site::nodeinfo, 'apache2_ftp-upcoming_mirror') {
+ include roles::ftp-upcoming_mirror
+ }
+
+ if $::apache2 {
+ include apache2
+ }
+
+ if $::rsyncd {
+ include rsyncd-log
+ }
+
+ if $::hostname in [ravel,senfl,orff,draghi,diamond] {
+ include named::authoritative
+ } elsif $::hostname in [geo1,geo2,geo3] {
+ include named::geodns
+ } elsif $::hostname == 'liszt' {
+ include named::recursor
+ }
+
+ if $::kernel == 'Linux' {
+ include ferm
+ include ferm::per-host
+ include entropykey
+ }
+
+ if $::hostname in [diabelli,nono,spohr] {
+ include dacs
+ }
+
+ if $::hostname in [beethoven,duarte,spohr,stabile] {
+ include nfs-server
+ }
+
+ if $::brokenhosts {
+ include hosts
+ }
+
+ if $::portforwarder_user_exists {
+ include portforwarder
+ }
+
+ include samhain
+
+ if $::hostname in [chopin,geo3,soler,wieck] {
+ include debian-org::radvd
+ }
+
+ if ($::postgres84 or $::postgres90) {
+ include postgres
+ }
+
+ if $::spamd {
+ munin::check { 'spamassassin': }
+ }
+
+ if $::vsftpd {
+ package { 'logtail':
+ ensure => installed
+ }
+ munin::check { 'vsftpd': }
+ munin::check { 'ps_vsftpd':
+ script => 'ps_'
+ }
+ }
+}
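Review bot: The old `case $::hostname { franck,master,lobos,samosa,spohr,widor: { include unbound } }` has no counterpart in the new node block; only the `$::lsbdistcodename != 'lenny'` guard in front of `include unbound` survives, so any of those hosts still on lenny silently loses its local resolver while `include resolv` has become unconditional. If that list is still needed, `if $::lsbdistcodename != 'lenny' or $::hostname in [franck,master,lobos,samosa,spohr,widor] { include unbound }` keeps the previous behaviour. Likewise `include nagios::client` is now unconditional and `nagios::server` is added on top for the nagiosmaster, whereas the old `case` made the two mutually exclusive; if the master is meant to run the client class so it can monitor itself, a comment such as `# the nagios master also runs the client so it monitors itself` would make that explicit. Both may be intentional, but neither difference is visible from the hunk itself.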
class acpi {
- if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
- package {
- acpid: ensure => installed
- }
+ if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
+ package { 'acpid':
+ ensure => installed
+ }
- if $lsbdistcodename != 'lenny' {
- package {
- acpi-support-base: ensure => installed
- }
- }
- }
+ if $::lsbdistcodename != 'lenny' {
+ package { 'acpi-support-base':
+ ensure => installed
+ }
+ }
+ }
}
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# SSL Protocol support:
+# List the protocol versions which clients are allowed to
+# connect with. Disable SSLv2 by default (cf. RFC 6176).
+SSLProtocol all -SSLv2
+
+#
+# Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl .crl
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
+SSLHonorCipherOrder on
+
+# Add STS
+Header add Strict-Transport-Security "max-age=604800"
+
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-<IfModule mod_info.c>
- <Location /server-info>
- SetHandler server-info
- order deny,allow
- deny from all
- allow from localhost
- </Location>
-</IfModule>
-
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#
-# Disable access to the entire file system except for the directories that
-# are explicitly allowed later.
-#
-# This currently breaks the configurations that come with some web application
-# Debian packages. It will be made the default for the release after lenny.
-#
-#<Directory />
-# AllowOverride None
-# Order Deny,Allow
-# Deny from all
-#</Directory>
-
-
-# Changing the following options will not really affect the security of the
-# server, but might make attacks slightly more difficult in some cases.
-
-#
-# ServerTokens
-# This directive configures what you return as the Server HTTP response
-# Header. The default is 'Full' which sends information about the OS-Type
-# and compiled in modules.
-# Set to one of: Full | OS | Minimal | Minor | Major | Prod
-# where Full conveys the most information, and Prod the least.
-#
-#ServerTokens Minimal
-ServerTokens ProductOnly
-
-#
-# Optionally add a line containing the server version and virtual host
-# name to server-generated pages (internal error documents, FTP directory
-# listings, mod_status and mod_info output etc., but not CGI generated
-# documents or custom error documents).
-# Set to "EMail" to also include a mailto: link to the ServerAdmin.
-# Set to one of: On | Off | EMail
-#
-#ServerSignature Off
-ServerSignature On
-
-#
-# Allow TRACE method
-#
-# Set to "extended" to also reflect the request body (only for testing and
-# diagnostic purposes).
-#
-# Set to one of: On | Off | extended
-#
-TraceEnable Off
-#TraceEnable On
-
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-<IfModule mod_status.c>
- #
- # Allow server status reports generated by mod_status,
- # with the URL of http://servername/server-status
- # Change the ".example.com" to match your domain to enable.
- #
- ExtendedStatus on
- <Location /server-status>
- SetHandler server-status
- Order deny,allow
- Deny from all
- Allow from 127.0.0.1
- </Location>
-</IfModule>
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-<VirtualHost *:80>
- ServerName backports.debian.org
- ServerAdmin debian-admin@debian.org
-
- ErrorLog /var/log/apache2/backports.debian.org-error.log
- CustomLog /var/log/apache2/backports.debian.org-access.log combined
-
- <IfModule mod_userdir.c>
- UserDir disabled
- </IfModule>
-
- Alias /debian-backports /srv/mirrors/backports.debian.org/
-
- RewriteEngine On
- RewriteRule ^/debian-backports($|/.*) - [L]
- RewriteRule ^/(.*) http://backports-master.debian.org/$1 [R]
-</VirtualHost>
-# vim:set syn=apache:
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-
-# SSL Engine Switch:
-# Enable/Disable SSL for this virtual host.
-SSLEngine on
-
-# SSL Protocol support:
-# List the protocol versions which clients are allowed to
-# connect with. Disable SSLv2 by default (cf. RFC 6176).
-SSLProtocol all -SSLv2
-
-#
-# Some MIME-types for downloading Certificates and CRLs
-#
-AddType application/x-x509-ca-cert .crt
-AddType application/x-pkcs7-crl .crl
-
-# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
-SSLHonorCipherOrder on
-
-# Add STS
-Header add Strict-Transport-Security "max-age=604800"
-
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-<VirtualHost *:80>
- ServerAdmin ftpmaster@debian.org
- DocumentRoot /srv/mirrors/buildd-all
- ServerName ftp-upcoming.debian.org
-
- ErrorLog /var/log/apache2/ftp-upcoming.debian.org-error.log
- LogLevel warn
- CustomLog /var/log/apache2/ftp-upcoming.debian.org-access.log combined
-
- IndexOptions FancyIndexing NameWidth=*
-</VirtualHost>
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-<Directory /org/security.debian.org/ftp>
- IndexOptions NameWidth=* +SuppressDescription
- Options +FollowSymLinks
- Options +Indexes
- FileETag MTime Size
-</Directory>
-
-<VirtualHost *:80>
- ServerAdmin debian-admin@debian.org
- DocumentRoot /org/security.debian.org/ftp
- ServerPath /debian-security
- ServerName security.debian.org
- ServerAlias security.ipv6.debian.org
- ServerAlias security.eu.debian.org
- ServerAlias security.us.debian.org
- ServerAlias security.na.debian.org
- ServerAlias security.geo.debian.org
- ServerAlias security-nagios.debian.org
-
- Alias /debian-security /org/security.debian.org/ftp
-
- RewriteEngine on
- RewriteRule ^/$ http://www.debian.org/security/
-
- # Possible values include: debug, info, notice, warn, error, crit,
- # alert, emerg.
- LogLevel warn
-
- CustomLog /var/log/apache2/security.debian.org-access.log combined
- ServerSignature On
-
-</VirtualHost>
-
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# www.backports.org is the historical place for the backports
-# website and archive. It is now a CNAME to backports.debian.org -
-# redirect http requests.
-
-<VirtualHost *:80>
- ServerName www.backports.org
- ServerAlias lists.backports.org
- ServerAdmin debian-admin@debian.org
-
- ErrorLog /var/log/apache2/www.backports.org-error.log
- CustomLog /var/log/apache2/www.backports.org-access.log combined
-
- <IfModule mod_userdir.c>
- UserDir disabled
- </IfModule>
-
- RedirectPermanent /debian/ http://backports.debian.org/debian-backports/
- RedirectPermanent /backports.org/ http://backports.debian.org/debian-backports/
- RedirectPermanent /debian-backports/ http://backports.debian.org/debian-backports/
- RedirectPermanent / http://backports-master.debian.org/
-</VirtualHost>
-# vim:set syn=apache:
-
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# Need to turn on negotiation_module
-<Directory /srv/www.debian.org/www/>
- Options +MultiViews +FollowSymLinks +Indexes
- AddHandler type-map var
- # Make sure that the srm.conf directive is commented out.
- AddDefaultCharSet Off
- AllowOverride AuthConfig FileInfo
-
- # Serve icons as image/x-icon
- AddType image/x-icon .ico
-
- # Serve RSS feeds as application/rss+xml
- AddType application/rss+xml .rdf
-
- # Nice caching..
- ExpiresActive On
- ExpiresDefault "access plus 1 day"
- ExpiresByType image/gif "access plus 1 week"
- ExpiresByType image/jpeg "access plus 1 week"
- ExpiresByType image/png "access plus 1 week"
- ExpiresByType image/x-icon "access plus 1 week"
-
- # FileEtag needs to be the same across mirrors (used for caching, ignore inode)
- FileEtag MTime Size
-
- # language stuff, for web site translations
- # for boot-floppies docs only: sk
- AddLanguage en .en
- AddLanguage en-us .en-us
- AddLanguage en-gb .en-gb
- AddLanguage ar .ar
- AddLanguage bg .bg
- AddLanguage ca .ca
- AddLanguage cs .cs
- AddLanguage da .da
- AddLanguage de .de
- AddLanguage el .el
- AddLanguage eo .eo
- AddLanguage es .es
- AddLanguage fi .fi
- AddLanguage fr .fr
- AddLanguage hr .hr
- AddLanguage hu .hu
- AddLanguage hy .hy
- AddLanguage id .id
- AddLanguage it .it
- AddLanguage ja .ja
- AddLanguage ko .ko
- AddLanguage lt .lt
- AddLanguage nl .nl
- AddLanguage no .no
- AddLanguage nb .nb
- AddLanguage pl .pl
- AddLanguage pt .pt
- AddLanguage pt-br .pt
- AddLanguage ro .ro
- AddLanguage ru .ru
- AddLanguage sk .sk
- AddLanguage sl .sl
- AddLanguage sv .sv
- AddLanguage tr .tr
- AddLanguage uk .uk
- AddLanguage vi .vi
- AddLanguage zh-CN .zh-cn
- AddLanguage zh-HK .zh-hk
- AddLanguage zh-TW .zh-tw
- LanguagePriority en fr de it es ja pl hr da pt pt-br fi zh-cn zh-hk zh-tw cs sv ko no nb ru tr eo ar nl hu ro sk el ca en-us en-gb id lt sl bg uk hy vi
-
- DirectoryIndex maintenance index index.html index.shtml index.htm
-
- <Files *.html.es>
- ForceType text/html
- </Files>
-
- <Files *.pdf.es>
- ForceType application/pdf
- </Files>
-
- <Files *.txt.es>
- ForceType text/plain
- </Files>
-</Directory>
-
-<VirtualHost *:80>
- ServerName www.nl.debian.org
- ServerAdmin webmaster@debian.org
- ServerAlias www.debian.com www.debian.de www.*.debian.org newwww.deb.at www.debian.net debian.net debian.org www.debian.at www.debian.eu debian.eu
- DocumentRoot /srv/www.debian.org/www/
- ErrorLog /var/log/apache2/www-other.debian.org-error.log
- CustomLog /var/log/apache2/www-other.debian.org-access.log combined
- RewriteLog /var/log/apache2/www-other.debian.org-redirect.log
- RewriteLogLevel 1
-
- RewriteEngine on
- RewriteRule ^/(.*)$ http://www.debian.org/$1 [R=301,L]
-</VirtualHost>
-
-<VirtualHost *:80>
- ServerName www.debian.org
- ServerAdmin webmaster@debian.org
- ServerAlias www-*.debian.org
- DocumentRoot /srv/www.debian.org/www/
- ErrorLog /var/log/apache2/www.debian.org-error.log
- CustomLog /var/log/apache2/www.debian.org-access.log combined
-
- # CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each
- # document that was negotiated on the basis of content. This asks proxy
- # servers not to cache the document. Uncommenting the following line disables
- # this behavior, and proxies will be allowed to cache the documents.
- CacheNegotiatedDocs On
-
-# Custom Error
- ErrorDocument 404 /devel/website/errors/404
- RewriteCond %{DOCUMENT_ROOT}/devel/website/errors/404.$2.html -f
- RewriteRule ^/(?!devel/website/errors/)(.*/)?404\.(.+)\.html$ /devel/website/errors/404.$2.html [L]
-
-# the joys of backwards compatibility
- RedirectPermanent /cgi-bin/cvsweb http://cvs.debian.org
- RedirectPermanent /Lists-Archives http://lists.debian.org
- RedirectPermanent /search http://search.debian.org
- RedirectPermanent /Packages http://packages.debian.org
- RedirectPermanent /lintian http://lintian.debian.org
-
- RedirectPermanent /SPI http://www.spi-inc.org
-# RedirectPermanent /OpenHardware http://www.openhardware.org
- RedirectPermanent /OpenSource http://www.opensource.org
-
- RedirectPermanent /Bugs/db/ix/pseudopackages.html /Bugs/pseudo-packages
- RewriteEngine on
- RewriteRule ^/Bugs/db/pa/l([^/]+).html$ http://bugs.debian.org/$1
- RewriteRule ^/Bugs/db/[[:digit:]][[:digit:]]/([[:digit:]][[:digit:]][[:digit:]]+).html$ http://bugs.debian.org/$1
- RewriteRule ^/Bugs/db/ma/l([^/]+).html$ http://bugs.debian.org/cgi-bin/pkgreport.cgi?maintenc=$1
-
- Userdir http://people.debian.org/~*/
-
- RedirectPermanent /devel/todo/ /devel/wnpp/help_requested_bypop
- RedirectPermanent /doc/FAQ /doc/manuals/debian-faq
- RedirectPermanent /doc/manuals/debian-fr-howto /doc/manuals/fr/debian-fr-howto
- RedirectPermanent /doc/manuals/reference /doc/manuals/debian-reference
- RedirectPermanent /doc/packaging-manuals/developers-reference /doc/manuals/developers-reference
- RedirectPermanent /doc/packaging-manuals/packaging-tutorial /doc/manuals/packaging-tutorial
- RedirectPermanent /doc/prospective-packages /devel/wnpp/
- RedirectPermanent /devel/maintainer_contacts /intro/organization
- RedirectPermanent /devel/debian-installer/gtk-frontend http://wiki.debian.org/DebianInstaller/GUI
- RedirectPermanent /zh/ /international/Chinese/
- RedirectPermanent /chinese/ /international/Chinese/
- RedirectPermanent /devel/help /devel/join/
- RedirectPermanent /distrib/books /doc/books
- RedirectPermanent /distrib/floppyinst /distrib/netinst
- RedirectPermanent /distrib/netboot /distrib/netinst
- RedirectPermanent /distrib/vendors /CD/vendors/
- RedirectPermanent /distrib/cd /CD/
- RedirectPermanent /distrib/cdinfo /CD/vendors/info
- RedirectPermanent /related_links /misc/related_links
- RedirectPermanent /ports/laptops /misc/laptops/
- RedirectPermanent /misc/README.mirrors /mirror/list
- RedirectPermanent /misc/README.non-US /mirror/list.non-US
- RedirectPermanent /intl /international
- RedirectPermanent /ports/armel /ports/arm
- RedirectPermanent /ports/mipsel /ports/mips
- RedirectPermanent /ports/kfreebsd-amd64 /ports/kfreebsd-gnu
- RedirectPermanent /ports/kfreebsd-i386 /ports/kfreebsd-gnu
- RedirectPermanent /ports/sparc64 /ports/sparc
- RedirectPermanent /mirror/mirrors_full.html /mirror/list-full.html
- RedirectPermanent /mirrors /mirror
- RedirectPermanent /News/project /News/weekly
- RedirectPermanent /releases/2.0 /releases/hamm
- RedirectPermanent /releases/2.1 /releases/slink
- RedirectPermanent /releases/2.2 /releases/potato
- RedirectPermanent /releases/3.0 /releases/woody
- RedirectPermanent /releases/3.1 /releases/sarge
- RedirectPermanent /releases/4.0 /releases/etch
- RedirectPermanent /releases/5.0 /releases/lenny
- RedirectPermanent /releases/6.0 /releases/squeeze
- RedirectPermanent /releases/unstable /releases/sid
-
- RewriteRule ^/ports/freebsd(.*) /ports/kfreebsd-gnu/ [R=301]
- RewriteRule ^/devel/debian-installer/report-template(.*) /releases/stable/i386/ch05s04.html#submit-bug [NE,R=301]
- RewriteRule ^/devel/debian-installer/hooks(.*) http://d-i.alioth.debian.org/doc/internals/apb.html [R=301]
- RewriteRule ^/doc/packaging-manuals/mime-policy(.*) /doc/debian-policy/ch-opersys.html#s-mime [NE,R=301]
-
- RewriteRule ^/volatile/index.* - [S=1]
- RewriteRule ^/volatile/.+ /volatile/ [L,R=301]
- RewriteRule ^/devel/debian-volatile/.* /volatile/ [R=301]
-
-# Offer a Redirect to DSA without knowing year #474730
- RewriteMap dsa txt:/srv/www.debian.org/www/security/map-dsa.txt
- RewriteRule ^/security/dsa-(\d+)(\..*)? /security/${dsa:$1}$2 [R=301]
-
-# Compatibility after SGML -> DocBook
-# Debian Reference #624239
- RewriteMap reference txt:/srv/www.debian.org/www/doc/map-reference.txt
- RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/ch-support$1 !-f
- RewriteRule ^/doc/manuals/debian-reference/ch-support(.*) /support$1 [L,R=301]
- RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/${reference:$1}$2 -f
- RewriteRule ^/doc/manuals/debian-reference/ch-([^\.]+)(.+) /doc/manuals/debian-reference/${reference:$1}$2 [L,R=301]
- RewriteRule ^/doc/manuals/debian-reference/ch-([^\.]+)$ /doc/manuals/debian-reference/${reference:$1} [R=301]
- RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/apa$1 -f
- RewriteRule ^/doc/manuals/debian-reference/ap-appendix(.+) /doc/manuals/debian-reference/apa$1 [L,R=301]
- RewriteRule ^/doc/manuals/debian-reference/ap-appendix$ /doc/manuals/debian-reference/apa [R=301]
- RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/footnotes$1 !-f
- RewriteRule ^/doc/manuals/debian-reference/footnotes(.+) /doc/manuals/debian-reference/index$1 [L,R=301]
- RewriteRule ^/doc/manuals/debian-reference/footnotes$ /doc/manuals/debian-reference/ [R=301]
-# New Maintainers' Guide
- RewriteRule ^/doc/(manuals/)?maint-guide/ch-(.*) /doc/manuals/maint-guide/$2 [R=301]
- RewriteRule ^/doc/(manuals/)?maint-guide/footnotes(.*) /doc/manuals/maint-guide/index$2 [R=301]
-
-# Canonical place for manuals under /doc/manuals/
- RewriteCond %{DOCUMENT_ROOT}/doc/manuals/$1 -d
- RewriteRule ^/doc/([^/]+)/?(.*)? /doc/manuals/$1/$2 [L,R=301]
-
-</VirtualHost>
+++ /dev/null
-; configuration for php suhosin module
-extension=suhosin.so
-
-;;;;;;;;;;;;;;;;;;;
-; Module Settings ;
-;;;;;;;;;;;;;;;;;;;
-; the following values are the internal default settings and set implicit
-; feel free to modify to your needs
-
-[suhosin]
-; Logging Configuration
-;suhosin.log.syslog.facility = 9
-;suhosin.log.syslog.priority = 1
-;suhosin.log.script = 0
-;suhosin.log.phpscript = 0
-;suhosin.log.script.name =
-;suhosin.log.phpscript.name =
-;suhosin.log.use-x-forwarded-for = off
-
-; Executor Options
-;suhosin.executor.max_depth = 0
-;suhosin.executor.include.max_traversal = 0
-;suhosin.executor.include.whitelist =
-;suhosin.executor.include.blacklist =
-;suhosin.executor.func.whitelist =
-;suhosin.executor.func.blacklist =
-;suhosin.executor.eval.whitelist =
-;suhosin.executor.eval.blacklist =
-;suhosin.executor.disable_emodifier = off
-;suhosin.executor.allow_symlink = off
-
-; Misc Options
-;suhosin.simulation = off
-;suhosin.apc_bug_workaround = off
-;suhosin.sql.bailout_on_error = off
-;suhosin.sql.user_prefix =
-;suhosin.sql.user_postfix =
-;suhosin.multiheader = off
-;suhosin.mail.protect = 0
-;suhosin.memory_limit = 0
-
-; Transparent Encryption Options
-;suhosin.session.encrypt = on
-;suhosin.session.cryptkey =
-;suhosin.session.cryptua = on
-;suhosin.session.cryptdocroot = on
-;suhosin.session.cryptraddr = 0
-;suhosin.session.checkraddr = 0
-;suhosin.cookie.encrypt = on
-;suhosin.cookie.cryptkey =
-;suhosin.cookie.cryptua = on
-;suhosin.cookie.cryptdocroot = on
-;suhosin.cookie.cryptraddr = 0
-;suhosin.cookie.checkraddr = 0
-;suhosin.cookie.cryptlist =
-;suhosin.cookie.plainlist =
-
-; Filtering Options
-;suhosin.filter.action =
-;suhosin.cookie.max_array_depth = 100
-;suhosin.cookie.max_array_index_length = 64
-;suhosin.cookie.max_name_length = 64
-;suhosin.cookie.max_totalname_length = 256
-;suhosin.cookie.max_value_length = 10000
-;suhosin.cookie.max_vars = 100
-;suhosin.cookie.disallow_nul = on
-;suhosin.get.max_array_depth = 50
-;suhosin.get.max_array_index_length = 64
-;suhosin.get.max_name_length = 64
-;suhosin.get.max_totalname_length = 256
-suhosin.get.max_value_length = 4096
-;suhosin.get.max_vars = 100
-;suhosin.get.disallow_nul = on
-;suhosin.post.max_array_depth = 100
-;suhosin.post.max_array_index_length = 64
-;suhosin.post.max_name_length = 64
-;suhosin.post.max_totalname_length = 256
-;suhosin.post.max_value_length = 65000
-;suhosin.post.max_vars = 200
-;suhosin.post.disallow_nul = on
-;suhosin.request.max_array_depth = 100
-;suhosin.request.max_array_index_length = 64
-;suhosin.request.max_totalname_length = 256
-;suhosin.request.max_value_length = 65000
-;suhosin.request.max_vars = 200
-;suhosin.request.max_varname_length = 64
-;suhosin.request.disallow_nul = on
-;suhosin.upload.max_uploads = 25
-;suhosin.upload.disallow_elf = on
-;suhosin.upload.disallow_binary = off
-;suhosin.upload.remove_binary = off
-;suhosin.upload.verification_script =
-;suhosin.session.max_id_length = 128
-
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<IfModule mod_info.c>
+ <Location /server-info>
+ SetHandler server-info
+ order deny,allow
+ deny from all
+ allow from localhost
+ </Location>
+</IfModule>
+
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages. It will be made the default for the release after lenny.
+#
+#<Directory />
+# AllowOverride None
+# Order Deny,Allow
+# Deny from all
+#</Directory>
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#
+#ServerTokens Minimal
+ServerTokens ProductOnly
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#
+#ServerSignature Off
+ServerSignature On
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of: On | Off | extended
+#
+TraceEnable Off
+#TraceEnable On
+
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<IfModule mod_status.c>
+ #
+ # Allow server status reports generated by mod_status,
+ # with the URL of http://servername/server-status
+ # Change the ".example.com" to match your domain to enable.
+ #
+ ExtendedStatus on
+ <Location /server-status>
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1
+ </Location>
+</IfModule>
--- /dev/null
+; configuration for php suhosin module
+extension=suhosin.so
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+; the following values are the internal default settings and set implicit
+; feel free to modify to your needs
+
+[suhosin]
+; Logging Configuration
+;suhosin.log.syslog.facility = 9
+;suhosin.log.syslog.priority = 1
+;suhosin.log.script = 0
+;suhosin.log.phpscript = 0
+;suhosin.log.script.name =
+;suhosin.log.phpscript.name =
+;suhosin.log.use-x-forwarded-for = off
+
+; Executor Options
+;suhosin.executor.max_depth = 0
+;suhosin.executor.include.max_traversal = 0
+;suhosin.executor.include.whitelist =
+;suhosin.executor.include.blacklist =
+;suhosin.executor.func.whitelist =
+;suhosin.executor.func.blacklist =
+;suhosin.executor.eval.whitelist =
+;suhosin.executor.eval.blacklist =
+;suhosin.executor.disable_emodifier = off
+;suhosin.executor.allow_symlink = off
+
+; Misc Options
+;suhosin.simulation = off
+;suhosin.apc_bug_workaround = off
+;suhosin.sql.bailout_on_error = off
+;suhosin.sql.user_prefix =
+;suhosin.sql.user_postfix =
+;suhosin.multiheader = off
+;suhosin.mail.protect = 0
+;suhosin.memory_limit = 0
+
+; Transparent Encryption Options
+;suhosin.session.encrypt = on
+;suhosin.session.cryptkey =
+;suhosin.session.cryptua = on
+;suhosin.session.cryptdocroot = on
+;suhosin.session.cryptraddr = 0
+;suhosin.session.checkraddr = 0
+;suhosin.cookie.encrypt = on
+;suhosin.cookie.cryptkey =
+;suhosin.cookie.cryptua = on
+;suhosin.cookie.cryptdocroot = on
+;suhosin.cookie.cryptraddr = 0
+;suhosin.cookie.checkraddr = 0
+;suhosin.cookie.cryptlist =
+;suhosin.cookie.plainlist =
+
+; Filtering Options
+;suhosin.filter.action =
+;suhosin.cookie.max_array_depth = 100
+;suhosin.cookie.max_array_index_length = 64
+;suhosin.cookie.max_name_length = 64
+;suhosin.cookie.max_totalname_length = 256
+;suhosin.cookie.max_value_length = 10000
+;suhosin.cookie.max_vars = 100
+;suhosin.cookie.disallow_nul = on
+;suhosin.get.max_array_depth = 50
+;suhosin.get.max_array_index_length = 64
+;suhosin.get.max_name_length = 64
+;suhosin.get.max_totalname_length = 256
+suhosin.get.max_value_length = 4096
+;suhosin.get.max_vars = 100
+;suhosin.get.disallow_nul = on
+;suhosin.post.max_array_depth = 100
+;suhosin.post.max_array_index_length = 64
+;suhosin.post.max_name_length = 64
+;suhosin.post.max_totalname_length = 256
+;suhosin.post.max_value_length = 65000
+;suhosin.post.max_vars = 200
+;suhosin.post.disallow_nul = on
+;suhosin.request.max_array_depth = 100
+;suhosin.request.max_array_index_length = 64
+;suhosin.request.max_totalname_length = 256
+;suhosin.request.max_value_length = 65000
+;suhosin.request.max_vars = 200
+;suhosin.request.max_varname_length = 64
+;suhosin.request.disallow_nul = on
+;suhosin.upload.max_uploads = 25
+;suhosin.upload.disallow_elf = on
+;suhosin.upload.disallow_binary = off
+;suhosin.upload.remove_binary = off
+;suhosin.upload.verification_script =
+;suhosin.session.max_id_length = 128
+
+++ /dev/null
-class apache2::backports_mirror {
- include apache2
- file {
- "/etc/apache2/sites-available/backports.debian.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/backports.debian.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/backports.debian.org" ];
- "/etc/apache2/sites-available/www.backports.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/www.backports.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/www.backports.org" ];
-
- }
-
- activate_apache_site {
- "010-backports.debian.org": site => "backports.debian.org";
- "010-www.backports.org": site => "www.backports.org";
- }
-
- enable_module {
- "rewrite":;
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
--- /dev/null
+define apache2::config($config = undef, $template = undef, $ensure = present) {
+
+ include apache2
+
+ if ! ($config or $template) {
+ err ( "No configuration found for ${name}" )
+ }
+
+ case $ensure {
+ present: {}
+ absent: {}
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+
+ if $template {
+ file { "/etc/apache2/conf.d/${name}":
+ ensure => $ensure,
+ content => template($template),
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+ } else {
+ file { "/etc/apache2/conf.d/${name}":
+ ensure => $ensure,
+ source => $config,
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+ }
+}
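Review bot: `err ( "No configuration found for ${name}" )` only logs; it does not stop catalog compilation, so a caller that passes neither `$config` nor `$template` falls through to the `else` branch and declares `/etc/apache2/conf.d/${name}` with `source => undef`, which for `ensure => present` would leave a stray empty file in a directory apache reads on every reload. The `default:` arm of `case $ensure` has the same problem: an unknown value is logged and then handed straight to the file resource. Replacing both with `fail("No configuration found for ${name}")` and `fail("Unknown ensure value: '${ensure}'")` aborts the run instead of deploying a half-configured host. When both `$config` and `$template` are given the template silently wins; a one-line comment on the `if $template` branch would document that precedence.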
--- /dev/null
+class apache2::dynamic {
+ @ferm::rule { 'dsa-http-limit':
+ prio => '20',
+ description => 'limit HTTP DOS',
+ chain => 'http_limit',
+ rule => 'mod limit limit-burst 60 limit 15/minute jump ACCEPT;
+ jump DROP'
+ }
+
+ @ferm::rule { 'dsa-http-soso':
+ prio => '21',
+ description => 'slow soso spider',
+ chain => 'limit_sosospider',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-yahoo':
+ prio => '21',
+ description => 'slow yahoo spider',
+ chain => 'limit_yahoo',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-google':
+ prio => '21',
+ description => 'slow google spider',
+ chain => 'limit_google',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-bing':
+ prio => '21',
+ description => 'slow bing spider',
+ chain => 'limit_bing',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-baidu':
+ prio => '21',
+ description => 'slow baidu spider',
+ chain => 'limit_baidu',
+ rule => 'mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
+ jump http_limit'
+ }
+
+ @ferm::rule { 'dsa-http-rules':
+ prio => '22',
+ description => 'http subchain',
+ chain => 'http',
+ rule => '
+ saddr ( 74.6.22.182 74.6.18.240 67.195.0.0/16 ) jump limit_yahoo;
+ saddr 124.115.0.0/21 jump limit_sosospider;
+ saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
+ saddr (66.249.64.0/19) jump limit_google;
+ saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16) jump limit_baidu;
+
+ mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
+ mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
+ mod recent name HTTPDOS set jump log_or_drop'
+ }
+
+ @ferm::rule { 'dsa-http':
+ prio => '23',
+ description => 'Allow web access',
+ rule => 'proto tcp dport (http https) jump http'
+ }
+}
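Review bot: The class has no header comment, and the rule set is hard to read without one: `dsa-http` (prio 23) jumps into the `http` chain, which sends known crawler ranges into per-spider `connlimit` chains that all share the single `http_limit` budget, and everything else through the `recent`/`hashlimit` pair. A comment at the top of the class along the lines of `# Per-host HTTP rate limiting: crawler ranges get a connlimit per netmask plus a shared 15/minute budget; all other sources get 30/minute per source IP (burst 600), and offenders are parked in the HTTPDOS recent list for 1800s` would capture that. Note that `mod recent name HTTPDOS update seconds 1800` refreshes the entry on every packet, so a source that keeps retrying (for example a large NAT) stays parked for as long as it retries; if that is intended, say so in the comment. The `log_or_drop` chain and the realisation of these virtual `@ferm::rule` resources are not in this hunk, so presumably the ferm module or a collector elsewhere provides them; worth confirming. The crawler CIDRs are hard-coded and will go stale, so a `# source:` line recording where the list came from would help whoever refreshes it.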
+++ /dev/null
-class apache2::ftp-upcoming_mirror {
- include apache2
- file {
- "/etc/apache2/sites-available/ftp-upcoming.debian.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/ftp-upcoming.debian.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/ftp-upcoming.debian.org" ];
-
- }
-
- activate_apache_site {
- "010-ftp-upcoming.debian.org": site => "ftp-upcoming.debian.org";
- }
-
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
class apache2 {
- activate_munin_check {
- "apache_accesses":;
- "apache_processes":;
- "apache_volume":;
- "apache_servers":;
- "ps_apache2": script => "ps_";
- }
-
- package {
- "apache2": ensure => installed;
- }
-
- case $php5 {
- "true": {
- package {
- "php5-suhosin": ensure => installed;
- }
-
- file { "/etc/php5/conf.d/suhosin.ini":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/php5/conf.d/suhosin.ini",
- "puppet:///modules/apache2/common/etc/php5/conf.d/suhosin.ini" ],
- require => Package["apache2", "php5-suhosin"],
- notify => Exec["force-reload-apache2"];
- }
- }
- }
-
- define activate_apache_site($ensure=present, $site=$name) {
- case $site {
- "": { $base = $name }
- default: { $base = $site }
- }
-
- case $ensure {
- present: {
- file { "/etc/apache2/sites-enabled/$name":
- ensure => "/etc/apache2/sites-available/$base",
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- }
- }
- absent: {
- file { "/etc/apache2/sites-enabled/$name":
- ensure => $ensure,
- notify => Exec["reload-apache2"];
- }
- }
- default: { err ( "Unknown ensure value: '$ensure'" ) }
- }
- }
-
- define enable_module($ensure=present) {
- case $ensure {
- present: {
- exec {
- "/usr/sbin/a2enmod $name":
- unless => "/bin/sh -c '[ -L /etc/apache2/mods-enabled/${name}.load ]'",
- notify => Exec["force-reload-apache2"],
- }
- }
- absent: {
- exec {
- "/usr/sbin/a2dismod $name":
- onlyif => "/bin/sh -c '[ -L /etc/apache2/mods-enabled/${name}.load ]'",
- notify => Exec["force-reload-apache2"],
- }
- }
- default: { err ( "Unknown ensure value: '$ensure'" ) }
- }
- }
-
- enable_module {
- "info":;
- "status":;
- }
-
- activate_apache_site {
- "00-default": site => "default-debian.org";
- "000-default": ensure => absent;
- }
-
- file {
- "/etc/apache2/conf.d/ressource-limits":
- content => template("apache2/ressource-limits.erb"),
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- "/etc/apache2/conf.d/security":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/security",
- "puppet:///modules/apache2/common/etc/apache2/conf.d/security" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- "/etc/apache2/conf.d/local-serverinfo":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/local-serverinfo",
- "puppet:///modules/apache2/common/etc/apache2/conf.d/local-serverinfo" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- "/etc/apache2/conf.d/server-status":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/conf.d/server-status",
- "puppet:///modules/apache2/common/etc/apache2/conf.d/server-status" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
-
- "/etc/apache2/sites-available/default-debian.org":
- content => template("apache2/default-debian.org.erb"),
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
-
- "/etc/apache2/sites-available/common-ssl.inc":
- source => [ "puppet:///modules/apache2/per-host/$fqdn//etc/apache2/sites-available/common-ssl.inc",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/common-ssl.inc" ],
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
-
- "/etc/logrotate.d/apache2":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/logrotate.d/apache2",
- "puppet:///modules/apache2/common/etc/logrotate.d/apache2" ];
-
- "/srv/www":
- mode => 755,
- ensure => directory;
- "/srv/www/default.debian.org":
- mode => 755,
- ensure => directory;
- "/srv/www/default.debian.org/htdocs":
- mode => 755,
- ensure => directory;
- "/srv/www/default.debian.org/htdocs/index.html":
- content => template("apache2/default-index.html");
-
- # sometimes this is a symlink
- #"/var/log/apache2":
- # mode => 755,
- # ensure => directory;
- }
-
- exec {
- "reload-apache2":
- command => "/etc/init.d/apache2 reload",
- refreshonly => true;
- "force-reload-apache2":
- command => "/etc/init.d/apache2 force-reload",
- refreshonly => true;
- }
- case $hostname {
- chopin,franck,morricone,bizet: {
- package {
- "libapache2-mod-macro": ensure => installed;
- }
- enable_module {
- "macro":;
- }
- file {
- "/etc/apache2/conf.d/puppet-builddlist":
- content => template("apache2/conf-builddlist.erb"),
- require => Package["apache2"],
- notify => Exec["reload-apache2"];
- }
- }
- }
-
- case $hostname {
- busoni,duarte,holter,lindberg,master,powell,rore: {
- @ferm::rule { "dsa-http-limit":
- prio => "20",
- description => "limit HTTP DOS",
- chain => 'http_limit',
- rule => '
- mod limit limit-burst 60 limit 15/minute jump ACCEPT;
- jump DROP'
- }
- @ferm::rule { "dsa-http-soso":
- prio => "21",
- description => "slow soso spider",
- chain => 'limit_sosospider',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 21 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-yahoo":
- prio => "21",
- description => "slow yahoo spider",
- chain => 'limit_yahoo',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-google":
- prio => "21",
- description => "slow google spider",
- chain => 'limit_google',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 19 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-bing":
- prio => "21",
- description => "slow bing spider",
- chain => 'limit_bing',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-baidu":
- prio => "21",
- description => "slow baidu spider",
- chain => 'limit_baidu',
- rule => '
- mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP;
- jump http_limit'
- }
- @ferm::rule { "dsa-http-rules":
- prio => "22",
- description => "http subchain",
- chain => 'http',
- rule => '
- saddr ( 74.6.22.182 74.6.18.240 67.195.0.0/16 ) jump limit_yahoo;
- saddr 124.115.0.0/21 jump limit_sosospider;
- saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing;
- saddr (66.249.64.0/19) jump limit_google;
- saddr (123.125.71.0/24 119.63.192.0/21 180.76.0.0/16) jump limit_baidu;
-
- mod recent name HTTPDOS update seconds 1800 jump log_or_drop;
- mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT;
- mod recent name HTTPDOS set jump log_or_drop'
- }
- @ferm::rule { "dsa-http":
- prio => "23",
- description => "Allow web access",
- rule => "proto tcp dport (http https) jump http"
- }
- }
- default: {
- @ferm::rule { "dsa-http":
- prio => "23",
- description => "Allow web access",
- rule => "&SERVICE(tcp, (http https))"
- }
- }
- }
- @ferm::rule { "dsa-http-v6":
- domain => "(ip6)",
- prio => "23",
- description => "Allow web access",
- rule => "&SERVICE(tcp, (http https))"
- }
+
+ package { 'apache2':
+ ensure => installed,
+ }
+
+ service { 'apache2':
+ ensure => running,
+ require => Package['apache2'],
+ }
+
+ apache2::module { 'info': }
+ apache2::module { 'status': }
+
+ apache2::site { '00-default':
+ site => 'default-debian.org',
+ template => 'apache2/default-debian.org.erb',
+ }
+
+ apache2::site { '000-default':
+ ensure => absent,
+ }
+
+ apache2::config { 'ressource-limits':
+ template => 'apache2/ressource-limits.erb',
+ }
+
+ apache2::config { 'security':
+ config => 'puppet:///modules/apache2/security',
+ }
+
+ apache2::config { 'local-serverinfo':
+ config => 'puppet:///modules/apache2/local-serverinfo',
+ }
+
+ apache2::config { 'server-status':
+ config => 'puppet:///modules/apache2/server-status',
+ }
+
+ file { '/etc/apache2/sites-available/common-ssl.inc':
+ source => 'puppet:///modules/apache2/common-ssl.inc',
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+
+ file { '/etc/logrotate.d/apache2':
+ source => 'puppet:///modules/apache2/apache2.logrotate',
+ }
+
+ file { [ '/srv/www', '/srv/www/default.debian.org', '/srv/www/default.debian.org/htdocs' ]:
+ ensure => directory,
+ mode => '0755',
+ }
+
+ file { '/srv/www/default.debian.org/htdocs/index.html':
+ content => template('apache2/default-index.html'),
+ }
+
+ munin::check { 'apache_accesses': }
+ munin::check { 'apache_processes': }
+ munin::check { 'apache_volume': }
+ munin::check { 'apache_servers': }
+ munin::check { 'ps_apache2':
+ script => 'ps_',
+ }
+
+ if $php5 {
+ package { 'php5-suhosin':
+ ensure => installed,
+ require => Package['apache2'],
+ }
+
+ file { '/etc/php5/conf.d/suhosin.ini':
+ source => 'puppet:///modules/apache2/suhosin.ini',
+ require => Package['php5-suhosin'],
+ notify => Service['apache2'],
+ }
+ }
+
+ if $::hostname in [busoni,duarte,holter,lindberg,master,powell,rore] {
+ include apache2::dynamic
+ } else {
+ @ferm::rule { 'dsa-http':
+ prio => '23',
+ description => 'Allow web access',
+ rule => '&SERVICE(tcp, (http https))'
+ }
+ }
+
+ @ferm::rule { 'dsa-http-v6':
+ domain => '(ip6)',
+ prio => '23',
+ description => 'Allow web access',
+ rule => '&SERVICE(tcp, (http https))'
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
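Review bot: `if $php5 {` replaces the removed `case $php5 { "true": ... }`, and that removed form only matched the literal string "true"; if the php5 fact is still delivered as a string, a value of "false" is non-empty and the suhosin branch runs on every host under pre-Puppet-4 truthiness. Either keep the string comparison, `if $php5 == 'true' {`, or have the fact return an empty string for the negative case as the Ruby fact hunks later in this commit do for their `ret`. The same line reads the fact as `$php5` while the host check below uses `$::hostname`; `$::php5` would keep the top-scope lookup explicit and consistent with the rest of the new class body.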
--- /dev/null
+define apache2::module ($ensure = present) {
+ case $ensure {
+ present: {
+ exec { "/usr/sbin/a2enmod ${name}":
+ creates => "/etc/apache2/mods-enabled/${name}.load",
+ notify => Service['apache2']
+ }
+ }
+ absent: {
+ exec { "/usr/sbin/a2dismod ${name}":
+ onlyif => "test -L /etc/apache2/mods-enabled/${name}.load",
+ notify => Service['apache2']
+ }
+ }
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+}
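Review bot: Both branches notify `Service['apache2']`, which is declared in class apache2, but unlike the sibling `apache2::site` this define never does `include apache2`, so a manifest that declares `apache2::module` without the class fails catalog compilation on an unresolved reference; adding `include apache2` as the first statement of the define keeps the two defines consistent. The `creates => "/etc/apache2/mods-enabled/${name}.load"` check replaces the old `[ -L ... ]` test; a dangling symlink at that path does not satisfy an existence check, so a2enmod would presumably be re-run on each agent run in that state — harmless if so, but a short comment above `creates` noting the assumption that the file is a valid symlink would help the next reader.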
+++ /dev/null
-class apache2::security_mirror {
- include apache2
- file {
- "/etc/apache2/sites-available/security.debian.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/security.debian.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/security.debian.org" ];
-
- }
-
- activate_apache_site {
- "010-security.debian.org": site => "security.debian.org";
- "security.debian.org": ensure => absent;
- }
-
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
--- /dev/null
+define apache2::site (
+ $config = undef,
+ $template = undef,
+ $ensure = present,
+ $site = undef
+) {
+
+ include apache2
+
+ if ! ($config or $template) {
+ err ( "No configuration found for ${name}" )
+ }
+
+ if $site {
+ $base = $site
+ } else {
+ $base = $name
+ }
+
+ $target = "/etc/apache2/sites-available/${base}"
+
+ $link_target = $ensure ? {
+ present => $target,
+ absent => absent,
+ default => err ( "Unknown ensure value: '$ensure'" ),
+ }
+
+ if $template {
+ file { $target:
+ ensure => $ensure,
+ content => template($template),
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+ } else {
+ file { $target:
+ ensure => $ensure,
+ source => $config,
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+ }
+
+ file { "/etc/apache2/sites-enabled/${name}":
+ ensure => $link_target,
+ notify => Service['apache2'],
+ }
+}
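Review bot: The guard `if ! ($config or $template) { err(...) }` fires for `ensure => absent` too, so the `apache2::site { '000-default': ensure => absent }` declared in the apache2 class hunk logs "No configuration found for 000-default" on every run; restrict it to the present case: `if $ensure == present and ! ($config or $template) {`. The define also declares `file { $target: ensure => $ensure, ... }` unconditionally, so an absent site now removes the sites-available file as well, which the removed `activate_apache_site` never touched — if that widening is intended, a comment above `$target = ...` such as `# ensure => absent removes both the sites-available file and the sites-enabled link` would document it for callers migrating from the old define.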
+++ /dev/null
-class apache2::www_mirror {
- include apache2
- file {
- "/etc/apache2/sites-available/www.debian.org":
- source => [ "puppet:///modules/apache2/per-host/$fqdn/etc/apache2/sites-available/www.debian.org",
- "puppet:///modules/apache2/common/etc/apache2/sites-available/www.debian.org" ],
- notify => Exec["reload-apache2"],
- ;
- }
-
- activate_apache_site {
- "010-www.debian.org": site => "www.debian.org";
- "www.debian.org": ensure => absent;
- }
-
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-<Macro DebianBuilddHostList>
-
-<%=
- lines = []
-
- allnodeinfo.keys.sort.each do |node|
- next unless allnodeinfo[node]['purpose']
- if allnodeinfo[node]['purpose'].include?('buildd')
- lines << " # #{allnodeinfo[node]['hostname'].to_s}"
- allnodeinfo[node]['ipHostNumber'].each do |addr|
- lines << " allow from #{addr}"
- end
- end
- end
-
- lines.join("\n")
-# vim:set et:
-# vim:set sts=2 ts=2:
-# vim:set shiftwidth=2:
-%>
-</Macro>
+++ /dev/null
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQGiBEMIgw4RBADueqAzlq+rQT9JYSSWnNzo6C+9crI8lzW/fcl2Q3PO97MOQTOx
-Qsf/lOh0Ku7O+VdBa+BwVPuUkSw6wTY5Ku1y/6r1BQzJ9oHkryDDJXsHzKhpdyFc
-/lD4hNGqRkiNg5ulwAI0O1eqffPWDmeR9ZzSsqM40f1U4TNLfPAu1viWxwCgnbWz
-onY6RqSYlRsDQaPsNTwieVEEAJeX2FGgNepD1SvfEremAkWCrYYlSZI76iTIf6bd
-kGkWqIT0vJyE2MNenhDJ2ebbHJVFmL9x8S3m1daC4Zwnacm7aoCY/QgMJ+Js1Fex
-Acev48W9KHgpVbFMd1t8KAwRbmFcQf0C/FZUbE7xScpTxS4z3SsMOuRyfnGpDOi6
-m/SnA/9wpquf3pPwbPykzKWNJEDouiJgt0zaFLauKDPeyTWeJ6htaAPDglArewdq
-bJ9M8QgLFtzjhg/fBQlRRUk7YP4OYtp1OdPkg2D/1rPQNySWlDf21T3N/K8ydKhR
-bYi+AsPuJLQUi3d+lVTFOebaL9felePvDC2/Eod7PSD1/rnkZ7Q0QmFja3BvcnRz
-Lm9yZyBBcmNoaXZlIEtleSA8ZnRwLW1hc3RlckBiYWNrcG9ydHMub3JnPohGBBAR
-AgAGBQJDgImkAAoJEHFe1qB+e4rJ2x4An2oI4xJpDvOx8uDIo9ihG1M0MpUqAJ9S
-cqVUmiyYSPtu8MwcZecy9kmOIYheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD
-FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AniaEBvlr4oVFMrGgPiye7iE/jv68AJ48
-OkIfwcKJt7N8ImPAboeimFvWgIheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD
-FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AnjdB14rGa/rzz1ohwsi1oEnDRYuyAJ44
-Nv8MTPjOaeEZArQ0flg8OXwF34hGBBARAgAGBQJEeI+KAAoJEHvDNTBle/A9pDwA
-mwVpbaoH1hebV4MgXIpRvTQiL2keAJ9ryd2LvhbPd5EZM1C3Nsar2/2CgIhGBBAR
-AgAGBQJHE7HYAAoJEGvFvIY3KyPVlwEAoJyGuJ/SsJTlyIVbulWYp3U/uZQTAJ4l
-40SrE/wwDeSIrhWNkmmNPbnz54hGBBARAgAGBQJHKneLAAoJEBRrPPJWJbOATcsA
-n3I8y3pJN6jkmnhUQepfa7jJoDY2AKClHVXYuNZpc2jZKyruwgwck+jCabkCDQRD
-CIMREAgAzXu6DGSDAz4JH+mlthtiQwNZFU8bjWanGT3DL6zubxwc3ZQmRaMOiVuv
-JUuaJv8fdGRSvp09dP2/x5mzq2rACiEnDwZssNSK5sigxgy2W9zeO9bOtg6bhqZL
-wlsL8Y2xZhyGL3qGeP4zL1QbXZ1QdJuO90Xu7GWYS6Wsj+Y6dUsZFYvTZwSiLkEm
-gFUTxkNue3DQtZ/KNkwoKc+aqU+S7gDNStQDvTNtR6IV11KbKcY1iQ0B2bkh4zSh
-WwloIr83V6huAhfH8GA7UW6saRJAof5DJWUb+PRmU2TAOOlyZoM4nMH+sFFDPOeG
-8fbecwlox5BRTMqcCB5ELbQXoVZT+wADBQf/ffI9R53f9USQkhsSak+k82JjRo9h
-qKAvPwBv3fDhMYqX3XRmwgNeax2y6Ub0AQkDhIC6eJILP5hTb2gjpmYYP7YE/7F1
-h37lUg7dDYeyPQF54mUXPnIg3uQ/V9HBTY+ZW8rsVe1KRvPAuVFU77FfCvIFdLSX
-Vi1HSUcGv9Y7Kk4Tkr7vzKshlcIp6zZrO0Y3t/+ekBwTTQqEoUylVYkCSt3z6bjp
-VWbepkL88rbqJnPueTATw9shjbFYaND8cXZox9tQmlOIZ6gDeH1YvFf7ObRLxULm
-7C6hwik6agtXWkNABVXSxM6MB4hcP9QC+FEhK6y/7wC3SyNRBuFujDG1aohJBBgR
-AgAJBQJDCIMRAhsMAAoJEOqOiyEWuhNsVVMAoJ1gbL0PHVf7yDwMjO3HuJBErxLd
-AJ4v9ojJnvJu2yUl4W586soBm+wsLg==
-=n4L0
------END PGP PUBLIC KEY BLOCK-----
+++ /dev/null
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQGiBEf4BP0RBACfXnRhBb9HKiA3h5A1tDnluVwfkSuDX4ZXdVAuMZapdOm8r9ug
-9zE/dDGWPWja+DArAPZ/i3BFvlMewmden/IFbQKtXluQVIC4GL1RBMwrtWsZzo0g
-picl3CYWDAYjRdg4WppUc9FawwGw081FlLGDv7eYRO3+8uGUHfr+SD7CwwCgxJK6
-SvDX6M2Ifuq8WmgWWrVFyakD/ipdxd3NPIcnl1JTO2NjbOJYKpZMl6v0g+1OofSq
-CAKTO8ymc0z6SF1j/4mWe1W76wvTpOhOUgn2WO7SQHZaujb/3z+yAJedfbCDgq0S
-H/T2qbQTzv+woAjyR/e2Zpsc2DRfqO/8aCw1Jx8N3UbH9MBPYlYlyCnSra1OAyXW
-VvC0A/9nT/k6VIFBF0Oq2WwmzOLptOqg61WrnxBr3GIe503++p88tOwlCJlL0uZZ
-k68m3m5t7WDtQK4fHQwLramb9AqtBPhiEaXU5bXk77RYE54EeEH9Z4H4YSMMkdYU
-gLG5CZI2jprxAZew1mHKROv+15jxYd+BZCrORmpWn5g7N+TC5rQeZGIuZGViaWFu
-Lm9yZyBhcmNoaXZlIGtleSAyMDA4iGYEExECACYCGwMGCwkIBwMCBBUCCAMEFgID
-AQIeAQIXgAUCS7uHvAUJB4XptQAKCRC+p88QvSsO4EsWAJsHsiccMVwWatQWuk2G
-M3MdAZLDCwCfYma5XoZnyFv27h5LxGo+57xU44Y=
-=2WKp
------END PGP PUBLIC KEY BLOCK-----
+++ /dev/null
-class apt-keys {
- file {
- "/etc/apt/trusted-keys.d/":
- ensure => directory,
- purge => true,
- notify => Exec["apt-keys-update"],
- ;
-
- "/etc/apt/trusted-keys.d/backports.org.asc":
- source => "puppet:///modules/apt-keys/backports.org.asc",
- mode => 664,
- notify => Exec["apt-keys-update"],
- ;
- "/etc/apt/trusted-keys.d/db.debian.org.asc":
- source => "puppet:///modules/apt-keys/db.debian.org.asc",
- mode => 664,
- notify => Exec["apt-keys-update"],
- ;
- }
-
- exec { "apt-keys-update":
- command => '/bin/true && for keyfile in /etc/apt/trusted-keys.d/*; do apt-key add $keyfile; done',
- refreshonly => true
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
class buildd {
- package {
- "schroot": ensure => installed;
- "sbuild": ensure => installed;
- "apt-transport-https": ensure => installed;
- "debootstrap": ensure => installed;
- "dupload": ensure => installed;
- }
+ package { [
+ 'schroot',
+ 'sbuild',
+ 'apt-transport-https',
+ 'debootstrap',
+ 'dupload'
+ ]:
+ ensure => installed
+ }
- file {
- "/etc/apt/preferences.d/buildd":
- ensure => absent
- ;
+ site::linux_module { 'dm_snapshot': }
- "/etc/apt/sources.list.d/buildd.list":
- content => template("buildd/etc/apt/sources.list.d/buildd.list.erb"),
- require => Package["apt-transport-https"],
- notify => Exec["apt-get update"],
- ;
+ site::aptrepo { 'buildd':
+ content => template('buildd/etc/apt/sources.list.d/buildd.list.erb'),
+ key => 'puppet:///modules/buildd/buildd.debian.org.asc',
+ }
- "/etc/apt/trusted-keys.d/buildd.debian.org.asc":
- source => "puppet:///modules/buildd/buildd.debian.org.asc",
- mode => 664,
- notify => Exec["apt-keys-update"],
- ;
- "/etc/schroot/mount-defaults":
- content => template("buildd/etc/schroot/mount-defaults.erb"),
- require => Package["sbuild"]
- ;
- "/etc/cron.d/dsa-buildd":
- source => "puppet:///modules/buildd/cron.d-dsa-buildd",
- require => Package["debian.org"]
- ;
- "/etc/dupload.conf":
- source => "puppet:///modules/buildd/dupload.conf",
- require => Package["dupload"]
- ;
- "/etc/default/schroot":
- source => "puppet:///modules/buildd/default-schroot",
- require => Package["schroot"]
- ;
- }
-
- case $kernel {
- Linux: { linux_module { "dm_snapshot": ensure => present; } }
- }
+ file { '/etc/apt/preferences.d/buildd':
+ ensure => absent
+ }
+ file { '/etc/schroot/mount-defaults':
+ content => template('buildd/etc/schroot/mount-defaults.erb'),
+ require => Package['sbuild'],
+ }
+ file { '/etc/schroot/mount-defaults':
+ content => template('buildd/etc/schroot/mount-defaults.erb'),
+ require => Package['sbuild'],
+ }
+ file { '/etc/cron.d/dsa-buildd':
+ source => 'puppet:///modules/buildd/cron.d-dsa-buildd',
+ require => Package['debian.org']
+ }
+ file { '/etc/dupload.conf':
+ source => 'puppet:///modules/buildd/dupload.conf',
+ require => Package['dupload'],
+ }
+ file { '/etc/default/schroot':
+ source => 'puppet:///modules/buildd/default-schroot',
+ require => Package['schroot']
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
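Review bot: `file { '/etc/schroot/mount-defaults': ... }` is declared twice in the new class body (the two identical blocks right after `file { '/etc/apt/preferences.d/buildd': ... }`), which Puppet rejects as a duplicate declaration at compile time, so the whole buildd catalog fails; drop the second copy. The `case $kernel { Linux: ... }` guard was also removed, so `site::linux_module { 'dm_snapshot': }` now applies on every buildd, while the mount-defaults template in this same commit still branches on kfreebsd, so non-Linux buildds appear to exist; wrapping it in `if $::kernel == 'Linux' { site::linux_module { 'dm_snapshot': } }` keeps the old behaviour unless `site::linux_module` guards for that internally, which is not visible here.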
# (CHROOT_PATH)
#
# <file system> <mount point> <type> <options> <dump> <pass>
-<% if nodeinfo['ldap'].has_key?('architecture') and nodeinfo['ldap']['architecture'][0].start_with?('kfreebsd') -%>
+<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
# kFreeBSD version
proc /proc linprocfs defaults 0 0
dev /dev devfs rw,bind 0 0
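Review bot: `scope.lookupvar('site::nodeinfo')` is evaluated twice on the one changed line; binding it once keeps the condition readable and avoids the second scope lookup: add `<% nodeinfo = scope.lookupvar('site::nodeinfo') -%>` on a line of its own above the `if`, after which the original `nodeinfo['ldap'].has_key?('architecture') and nodeinfo['ldap']['architecture'][0].start_with?('kfreebsd')` condition can stand unchanged.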
class clamav {
- package {
- "clamav-daemon": ensure => installed;
- "clamav-freshclam": ensure => installed;
- "clamav-unofficial-sigs": ensure => installed;
- }
- file {
- "/etc/clamav-unofficial-sigs.dsa.conf":
- require => Package["clamav-unofficial-sigs"],
- source => [ "puppet:///modules/clamav/clamav-unofficial-sigs.dsa.conf" ]
- ;
- "/etc/clamav-unofficial-sigs.conf":
- require => Package["clamav-unofficial-sigs"],
- source => [ "puppet:///modules/clamav/clamav-unofficial-sigs.conf" ]
- ;
- "/var/lib/clamav/mbl.ndb":
- ensure => absent,
- ;
- }
-}
+ package { [
+ 'clamav-daemon',
+ 'clamav-freshclam',
+ 'clamav-unofficial-sigs'
+ ]:
+ ensure => installed
+ }
+
+ file { '/var/lib/clamav/mbl.ndb':
+ ensure => absent
+ }
+ file { '/etc/clamav-unofficial-sigs.dsa.conf':
+ require => Package['clamav-unofficial-sigs'],
+ source => [ 'puppet:///modules/clamav/clamav-unofficial-sigs.dsa.conf' ]
+ }
+ file { '/etc/clamav-unofficial-sigs.conf':
+ require => Package['clamav-unofficial-sigs'],
+ source => [ 'puppet:///modules/clamav/clamav-unofficial-sigs.conf' ]
+ }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+}
class dacs {
- package {
- "dacs": ensure => installed;
- "libapache2-mod-dacs": ensure => installed;
- }
-
- file {
- "/var/log/dacs":
- ensure => directory,
- owner => root,
- group => www-data,
- mode => 770,
- purge => true
- ;
- "/etc/dacs/federations":
- require => Package["libapache2-mod-dacs"],
- ensure => directory,
- owner => root,
- group => www-data,
- mode => 750,
- purge => true
- ;
-
- "/etc/dacs/federations/debian.org/":
- require => Package["libapache2-mod-dacs"],
- ensure => directory,
- owner => root,
- group => www-data,
- mode => 750,
- purge => true
- ;
-
- "/etc/dacs/federations/debian.org/DEBIAN":
- require => Package["libapache2-mod-dacs"],
- ensure => directory,
- owner => root,
- group => www-data,
- mode => 750,
- purge => true
- ;
-
- "/etc/dacs/federations/debian.org/DEBIAN/acls":
- require => Package["libapache2-mod-dacs"],
- ensure => directory,
- owner => root,
- group => www-data,
- mode => 750,
- purge => true
- ;
-
- "/etc/dacs/federations/debian.org/DEBIAN/groups":
- require => Package["libapache2-mod-dacs"],
- ensure => directory,
- owner => root,
- group => www-data,
- mode => 750,
- purge => true
- ;
-
- "/etc/dacs/federations/debian.org/DEBIAN/groups/DACS":
- require => Package["libapache2-mod-dacs"],
- ensure => directory,
- owner => root,
- group => www-data,
- mode => 750,
- purge => true
- ;
-
- "/etc/dacs/federations/site.conf":
- require => Package["libapache2-mod-dacs"],
- source => [ "puppet:///modules/dacs/per-host/$fqdn/site.conf",
- "puppet:///modules/dacs/common/site.conf" ],
- mode => 640,
- owner => root,
- group => www-data
- ;
-
- "/etc/dacs/federations/debian.org/DEBIAN/dacs.conf":
- require => Package["libapache2-mod-dacs"],
- source => [ "puppet:///modules/dacs/per-host/$fqdn/dacs.conf",
- "puppet:///modules/dacs/common/dacs.conf" ],
- mode => 640,
- owner => root,
- group => www-data
- ;
-
- "/etc/dacs/federations/debian.org/DEBIAN/acls/revocations":
- require => Package["libapache2-mod-dacs"],
- source => [ "puppet:///modules/dacs/per-host/$fqdn/revocations",
- "puppet:///modules/dacs/common/revocations" ],
- mode => 640,
- owner => root,
- group => www-data
- ;
-
- "/etc/dacs/federations/debian.org/DEBIAN/groups/DACS/jurisdictions.grp":
- require => Package["libapache2-mod-dacs"],
- source => [ "puppet:///modules/dacs/per-host/$fqdn/jurisdictions.grp",
- "puppet:///modules/dacs/common/jurisdictions.grp" ],
- mode => 640,
- owner => root,
- group => www-data
- ;
-
- "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-noauth.0":
- require => Package["libapache2-mod-dacs"],
- source => [ "puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0",
- "puppet:///modules/dacs/common/acl-noauth.0" ],
- mode => 640,
- owner => root,
- group => www-data,
- notify => Exec["dacsacl"]
- ;
-
- "/etc/dacs/federations/debian.org/DEBIAN/acls/acl-private.0":
- require => Package["libapache2-mod-dacs"],
- source => [ "puppet:///modules/dacs/per-host/$fqdn/acl-private.0",
- "puppet:///modules/dacs/common/acl-private.0" ],
- mode => 640,
- owner => root,
- group => www-data,
- notify => Exec["dacsacl"]
- ;
-
- "/etc/dacs/federations/debian.org/federation_keyfile":
- require => Package["libapache2-mod-dacs"],
- source => "puppet:///modules/dacs/private/debian.org_federation_keyfile",
- mode => 640,
- owner => root,
- group => www-data
- ;
-
- "/etc/dacs/federations/debian.org/DEBIAN/jurisdiction_keyfile":
- require => Package["libapache2-mod-dacs"],
- source => "puppet:///modules/dacs/private/DEBIAN_jurisdiction_keyfile",
- mode => 640,
- owner => root,
- group => www-data
- ;
-
- }
-
- exec {
- "dacsacl":
- command => "dacsacl -sc /etc/dacs/federations/site.conf -c /etc/dacs/federations/debian.org/DEBIAN/dacs.conf -uj DEBIAN && chown root:www-data /etc/dacs/federations/debian.org/DEBIAN/acls/INDEX",
- refreshonly => true,
- }
-
+ package { 'dacs':
+ ensure => installed,
+ }
+ package { 'libapache2-mod-dacs':
+ ensure => installed,
+ }
+
+ file { '/var/log/dacs':
+ ensure => directory,
+ owner => root,
+ group => www-data,
+ mode => '0770',
+ purge => true,
+ }
+ file { [
+ '/etc/dacs/federations',
+ '/etc/dacs/federations/debian.org/',
+ '/etc/dacs/federations/debian.org/DEBIAN',
+ '/etc/dacs/federations/debian.org/DEBIAN/acls',
+ '/etc/dacs/federations/debian.org/DEBIAN/groups',
+ '/etc/dacs/federations/debian.org/DEBIAN/groups/DACS'
+ ]:
+ ensure => directory,
+ owner => root,
+ group => www-data,
+ mode => '0750',
+ require => Package['libapache2-mod-dacs'],
+ purge => true
+ }
+ file { '/etc/dacs/federations/site.conf':
+ source => 'puppet:///modules/dacs/common/site.conf',
+ mode => '0640',
+ owner => root,
+ group => www-data
+ }
+ file { '/etc/dacs/federations/debian.org/DEBIAN/dacs.conf':
+ source => 'puppet:///modules/dacs/common/dacs.conf',
+ mode => '0640',
+ owner => root,
+ group => www-data
+ }
+ file { '/etc/dacs/federations/debian.org/DEBIAN/acls/revocations':
+ source => 'puppet:///modules/dacs/common/revocations',
+ mode => '0640',
+ owner => root,
+ group => www-data
+ }
+ file { '/etc/dacs/federations/debian.org/DEBIAN/groups/DACS/jurisdictions.grp':
+ source => 'puppet:///modules/dacs/common/jurisdictions.grp',
+ mode => '0640',
+ owner => root,
+ group => www-data
+ }
+ file { '/etc/dacs/federations/debian.org/DEBIAN/acls/acl-noauth.0':
+ source => [ 'puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0',
+ 'puppet:///modules/dacs/common/acl-noauth.0' ],
+ mode => '0640',
+ owner => root,
+ group => www-data,
+ notify => Exec['dacsacl']
+ }
+ file { '/etc/dacs/federations/debian.org/DEBIAN/acls/acl-private.0':
+ source => [ 'puppet:///modules/dacs/per-host/$fqdn/acl-private.0',
+ 'puppet:///modules/dacs/common/acl-private.0' ],
+ mode => '0640',
+ owner => root,
+ group => www-data,
+ notify => Exec['dacsacl']
+ }
+ file { '/etc/dacs/federations/debian.org/federation_keyfile':
+ source => 'puppet:///modules/dacs/private/debian.org_federation_keyfile',
+ mode => '0640',
+ owner => root,
+ group => www-data
+ }
+ file { '/etc/dacs/federations/debian.org/DEBIAN/jurisdiction_keyfile':
+ source => 'puppet:///modules/dacs/private/DEBIAN_jurisdiction_keyfile',
+ mode => '0640',
+ owner => root,
+ group => www-data
+ }
+
+ exec { 'dacsacl':
+ command => 'dacsacl -sc /etc/dacs/federations/site.conf -c /etc/dacs/federations/debian.org/DEBIAN/dacs.conf -uj DEBIAN && chown root:www-data /etc/dacs/federations/debian.org/DEBIAN/acls/INDEX',
+ refreshonly => true,
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
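Review bot: The two per-host source paths `'puppet:///modules/dacs/per-host/$fqdn/acl-noauth.0'` and `'puppet:///modules/dacs/per-host/$fqdn/acl-private.0'` are now single-quoted, so Puppet does not interpolate `$fqdn`; the first element of each `source` array is the literal path `per-host/$fqdn/...`, every host silently falls through to the `common/` file, and any per-host ACL override is lost without an error. Use double quotes with the explicit top-scope variable, `"puppet:///modules/dacs/per-host/${::fqdn}/acl-noauth.0"`, and likewise for acl-private.0. The remaining dacs files dropped their per-host alternative entirely, presumably on purpose, and also lost `require => Package['libapache2-mod-dacs']`; ordering now rests on the parent-directory resources, which keep the require, plus file autorequire — a one-line comment above `file { '/etc/dacs/federations/site.conf':` stating that would save the next reader from re-deriving it.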
--- /dev/null
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+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+=n4L0
+-----END PGP PUBLIC KEY BLOCK-----
--- /dev/null
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+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+=2WKp
+-----END PGP PUBLIC KEY BLOCK-----
end
ret = addrs.join(",")
if ret.empty?
- ret = 'no'
+ ret = ''
end
setcode do
ret
ret = addrs.join(",")
if ret.empty?
- ret = 'no'
+ ret = ''
end
ret
end
end
ret = addrs.join(",")
if ret.empty?
- ret = 'no'
+ ret = ''
end
setcode do
ret
-define sysctl($key, $value, $ensure=present) {
- file {
- "/etc/sysctl.d/$name.conf":
- ensure => $ensure,
- owner => root,
- group => root,
- mode => 0644,
- content => "$key = $value\n",
- notify => Exec["procps restart"],
- }
-}
+class debian-org {
-define set_alternatives($linkto) {
- exec {
- "/usr/sbin/update-alternatives --set $name $linkto":
- unless => "/bin/sh -c '! [ -e $linkto ] || ! [ -e /etc/alternatives/$name ] || ([ -L /etc/alternatives/$name ] && [ /etc/alternatives/$name -ef $linkto ])'"
- }
-}
+ $debianadmin = [
+ 'debian-archive-debian-samhain-reports@master.debian.org',
+ 'debian-admin@ftbfs.de',
+ 'weasel@debian.org',
+ 'steve@lobefin.net',
+ 'paravoid@debian.org'
+ ]
-define linux_module ($ensure) {
- case $ensure {
- present: {
- exec { "append_module_${name}":
- command => "echo '${name}' >> /etc/modules",
- unless => "grep -q -F -x '${name}' /etc/modules",
- }
- }
- absent: {
- exec { "remove_module_${name}":
- command => "sed -i -e'/^${name}\$/d' /etc/modules",
- onlyif => "grep -q -F -x '${name}' /etc/modules",
- }
- }
- default: {
- err("invalid ensure value ${ensure}")
- }
- }
-}
+ package { [
+ 'apt-utils',
+ 'bash-completion',
+ 'debian.org',
+ 'dnsutils',
+ 'dsa-munin-plugins',
+ 'klogd',
+ 'less',
+ 'lsb-release',
+ 'libfilesystem-ruby1.8',
+ 'molly-guard',
+ 'mtr-tiny',
+ 'nload',
+ 'pciutils',
+ 'rsyslog',
+ 'sysklogd',
+ ]:
+ ensure => installed,
+ }
+ munin::check { [
+ 'cpu',
+ 'entropy',
+ 'forks',
+ 'interrupts',
+ 'iostat',
+ 'irqstats',
+ 'load',
+ 'memory',
+ 'ntp_offset',
+ 'ntp_states',
+ 'open_files',
+ 'open_inodes',
+ 'processes',
+ 'swap',
+ 'uptime',
+ 'vmstat',
+ ]:
+ }
-class debian-org {
- $debianadmin = [ "debian-archive-debian-samhain-reports@master.debian.org", "debian-admin@ftbfs.de", "weasel@debian.org", "steve@lobefin.net", "paravoid@debian.org" ]
- package {
- "apt-utils": ensure => installed;
- "bash-completion": ensure => installed;
- "debian.org": ensure => installed;
- "dnsutils": ensure => installed;
- "dsa-munin-plugins": ensure => installed;
- "klogd": ensure => purged;
- "less": ensure => installed;
- "lsb-release": ensure => installed;
- "libfilesystem-ruby1.8": ensure => installed;
- "molly-guard": ensure => installed;
- "mtr-tiny": ensure => installed;
- "nload": ensure => installed;
- "pciutils": ensure => installed;
- "rsyslog": ensure => purged;
- "sysklogd": ensure => purged;
- }
- case getfromhash($nodeinfo, 'broken-rtc') {
- true: {
- package {
- fake-hwclock: ensure => installed;
- }
- }
- }
- case $debarchitecture {
- "armhf": {}
- default: {
- file {
- "/etc/apt/sources.list.d/security.list":
- content => template("debian-org/etc/apt/sources.list.d/security.list.erb"),
- notify => Exec["apt-get update"];
- "/etc/apt/sources.list.d/backports.org.list":
- content => template("debian-org/etc/apt/sources.list.d/backports.org.list.erb"),
- notify => Exec["apt-get update"];
- "/etc/apt/sources.list.d/volatile.list":
- content => template("debian-org/etc/apt/sources.list.d/volatile.list.erb"),
- notify => Exec["apt-get update"];
- }
- }
- }
- file {
- "/etc/apt/preferences":
- source => "puppet:///modules/debian-org/apt.preferences";
- "/etc/apt/sources.list.d/debian.org.list":
- content => template("debian-org/etc/apt/sources.list.d/debian.org.list.erb"),
- notify => Exec["apt-get update"];
- "/etc/apt/apt.conf.d/local-compression":
- source => "puppet:///modules/debian-org/apt.conf.d/local-compression";
- "/etc/apt/apt.conf.d/local-recommends":
- source => "puppet:///modules/debian-org/apt.conf.d/local-recommends";
- "/etc/apt/apt.conf.d/local-pdiffs":
- source => "puppet:///modules/debian-org/apt.conf.d/local-pdiffs";
- "/etc/timezone":
- source => "puppet:///modules/debian-org/timezone",
- notify => Exec["dpkg-reconfigure tzdata -pcritical -fnoninteractive"];
- "/etc/puppet/puppet.conf":
- # require => Package["puppet"],
- source => "puppet:///modules/debian-org/puppet.conf"
- ;
- "/etc/default/puppet":
- # require => Package["puppet"],
- source => "puppet:///modules/debian-org/puppet.default"
- ;
+ if getfromhash($site::nodeinfo, 'broken-rtc') {
+ package { 'fake-hwclock':
+ ensure => installed
+ }
+ }
- "/etc/cron.d/dsa-puppet-stuff":
- source => "puppet:///modules/debian-org/dsa-puppet-stuff.cron",
- require => Package["debian.org"]
- ;
- "/etc/ldap/ldap.conf":
- require => Package["debian.org"],
- source => "puppet:///modules/debian-org/ldap.conf",
- ;
- "/etc/pam.d/common-session":
- require => Package["debian.org"],
- content => template("debian-org/pam.common-session.erb"),
- ;
- "/etc/rc.local":
- mode => 0755,
- source => "puppet:///modules/debian-org/rc.local",
- notify => Exec["rc.local start"],
- ;
- "/etc/molly-guard/run.d/15-acquire-reboot-lock":
- mode => 0755,
- source => "puppet:///modules/debian-org/molly-guard-acquire-reboot-lock",
- require => Package["molly-guard"],
- ;
+ # This really means 'not wheezy'
- "/etc/dsa":
- mode => 0755,
- ensure => directory,
- ;
- "/etc/dsa/cron.ignore.dsa-puppet-stuff":
- source => "puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore",
- require => Package["debian.org"]
- ;
- }
-
- # set mmap_min_addr to 4096 to mitigate
- # Linux NULL-pointer dereference exploits
- sysctl {
- "mmap_min_addr" :
- key => "vm.mmap_min_addr",
- value => 4096,
- }
-
- set_alternatives {
- "editor":
- linkto => "/usr/bin/vim.basic",
- }
-
- mailalias {
- "samhain-reports":
- recipient => $debianadmin,
- ensure => present;
- }
+ if $::debarchitecture != 'armhf' {
+ site::aptrepo { 'security':
+ template => 'debian-org/etc/apt/sources.list.d/security.list.erb',
+ }
+ site::aptrepo { 'backports.org':
+ template => 'debian-org/etc/apt/sources.list.d/backports.org.list.erb',
+ key => 'puppet:///modules/debian-org/backports.org.asc',
+ }
+ site::aptrepo { 'volatile':
+ template => 'debian-org/etc/apt/sources.list.d/volatile.list.erb',
+ }
+ }
- exec {
- "dpkg-reconfigure tzdata -pcritical -fnoninteractive":
- path => "/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true;
- "apt-get update":
- command => 'apt-get update',
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true;
- "puppetmaster restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true;
- "rc.local start":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true;
- "procps restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true;
- "init q":
- refreshonly => true;
- }
-}
+ site::aptrepo { 'debian.org':
+ template => 'debian-org/etc/apt/sources.list.d/debian.org.list.erb',
+ key => 'puppet:///modules/debian-org/db.debian.org.asc',
+ }
-class debian-proliant inherits debian-org {
- package {
- "hpacucli": ensure => installed;
- "hp-health": ensure => installed;
- "arrayprobe": ensure => installed;
- }
- case $lsbdistcodename {
- 'lenny': {
- package {
- "cpqarrayd": ensure => installed;
- }
- }
- }
- case $debarchitecture {
- "amd64": {
- package { "lib32gcc1": ensure => installed; }
- }
- }
- file {
- "/etc/apt/sources.list.d/debian.restricted.list":
- content => template("debian-org/etc/apt/sources.list.d/debian.restricted.list.erb"),
- notify => Exec["apt-get update"];
- }
-}
+ file { '/etc/apt/preferences':
+ source => 'puppet:///modules/debian-org/apt.preferences',
+ }
+ file { '/etc/apt/trusted-keys.d/':
+ ensure => directory,
+ purge => true,
+ }
+ file { '/etc/apt/apt.conf.d/local-compression':
+ source => 'puppet:///modules/debian-org/apt.conf.d/local-compression',
+ }
+ file { '/etc/apt/apt.conf.d/local-recommends':
+ source => 'puppet:///modules/debian-org/apt.conf.d/local-recommends',
+ }
+ file { '/etc/apt/apt.conf.d/local-pdiffs':
+ source => 'puppet:///modules/debian-org/apt.conf.d/local-pdiffs',
+ }
+ file { '/etc/timezone':
+ source => 'puppet:///modules/debian-org/timezone',
+ notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
+ }
+ file { '/etc/puppet/puppet.conf':
+ source => 'puppet:///modules/debian-org/puppet.conf',
+ }
+ file { '/etc/default/puppet':
+ source => 'puppet:///modules/debian-org/puppet.default',
+ }
+ file { '/etc/cron.d/dsa-puppet-stuff':
+ source => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron',
+ require => Package['debian.org'],
+ }
+ file { '/etc/ldap/ldap.conf':
+ require => Package['debian.org'],
+ source => 'puppet:///modules/debian-org/ldap.conf',
+ }
+ file { '/etc/pam.d/common-session':
+ require => Package['debian.org'],
+ content => template('debian-org/pam.common-session.erb'),
+ }
+ file { '/etc/rc.local':
+ mode => '0755',
+ source => 'puppet:///modules/debian-org/rc.local',
+ notify => Exec['rc.local start'],
+ }
+ file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
+ mode => '0755',
+ source => 'puppet:///modules/debian-org/molly-guard-acquire-reboot-lock',
+ require => Package['molly-guard'],
+ }
+ file { '/etc/dsa':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
+ source => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore',
+ require => Package['debian.org']
+ }
+
+ # set mmap_min_addr to 4096 to mitigate
+ # Linux NULL-pointer dereference exploits
+ site::sysctl { 'mmap_min_addr':
+ key => 'vm.mmap_min_addr',
+ value => '4096',
+ }
+ site::alternative { 'editor':
+ linkto => '/usr/bin/vim.basic',
+ }
+ mailalias { 'samhain-reports':
+ ensure => present,
+ recipient => $debianadmin,
+ }
+
+ exec { 'apt-get update':
+ path => '/usr/bin:/usr/sbin:/bin:/sbin',
+ refreshonly => true,
+ }-> Package <| |>
-class debian-radvd inherits debian-org {
- sysctl {
- "dsa-accept-ra-default" :
- key => "net.ipv6.conf.default.accept_ra",
- value => 0,
- }
- sysctl {
- "dsa-accept-ra-all" :
- key => "net.ipv6.conf.all.accept_ra",
- value => 0,
- }
+ exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
+ path => '/usr/bin:/usr/sbin:/bin:/sbin',
+ refreshonly => true
+ }
+ exec { 'puppetmaster restart':
+ path => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
+ refreshonly => true
+ }
+ exec { 'rc.local start':
+ path => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
+ refreshonly => true
+ }
+ exec { 'init q':
+ refreshonly => true
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
--- /dev/null
+class debian-org::proliant {
+
+ site::aptrepo { 'debian.restricted':
+ template => 'debian-org/etc/apt/sources.list.d/debian.restricted.list.erb',
+ }
+
+ package { 'hpacucli':
+ ensure => installed,
+ }
+ package { 'hp-health':
+ ensure => installed,
+ }
+ package { 'arrayprobe':
+ ensure => installed,
+ }
+
+ if $::lsbdistcodename == 'lenny' {
+ package { 'cpqarrayd':
+ ensure => installed,
+ }
+ }
+
+ if $::debarchitecture == 'amd64' {
+ package { 'lib32gcc1':
+ ensure => installed,
+ }
+ }
+}
+
+
--- /dev/null
+class debian-org::radvd {
+ site::sysctl { 'dsa-accept-ra-default':
+ key => 'net.ipv6.conf.default.accept_ra',
+ value => 0,
+ }
+ site::sysctl { 'dsa-accept-ra-all':
+ key => 'net.ipv6.conf.all.accept_ra',
+ value => 0,
+ }
+}
-class entropykey::provider {
- package {
- "ekeyd": ensure => installed;
- }
-
- file {
- "/etc/entropykey/ekeyd.conf":
- source => "puppet:///modules/entropykey/ekeyd.conf",
- notify => Exec['restart_ekeyd'],
- require => [ Package['ekeyd'] ],
- ;
- # our CRL expires after a while (2 or 4 weeks?), so we have
- # to restart stunnel so it loads the new CRL.
- "/etc/cron.weekly/stunnel-ekey-restart":
- content => "#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n",
- mode => "555",
- ;
- }
-
- exec {
- "restart_ekeyd":
- command => "true && cd / && env -i /etc/init.d/ekeyd restart",
- require => [ File['/etc/entropykey/ekeyd.conf'] ],
- refreshonly => true,
- ;
- }
-
- include "stunnel4"
- stunnel4::stunnel_server {
- "ekeyd":
- accept => 18888,
- connect => "127.0.0.1:8888",
- ;
- }
-}
-
-class entropykey::local_consumer {
- package {
- "ekeyd-egd-linux": ensure => installed;
- }
-
- file {
- "/etc/default/ekeyd-egd-linux":
- source => "puppet:///modules/entropykey/ekeyd-egd-linux",
- notify => Exec['restart_ekeyd-egd-linux'],
- require => [ Package['ekeyd-egd-linux'] ],
- ;
- }
-
- exec {
- "restart_ekeyd-egd-linux":
- command => "true && cd / && env -i /etc/init.d/ekeyd-egd-linux restart",
- require => [ File['/etc/default/ekeyd-egd-linux'] ],
- refreshonly => true,
- ;
- }
-}
-
-class entropykey::remote_consumer inherits entropykey::local_consumer {
- include "stunnel4"
- stunnel4::stunnel_client {
- "ekeyd":
- accept => "127.0.0.1:8888",
- connecthost => "${entropy_provider}",
- connectport => 18888,
- ;
- }
-}
-
class entropykey {
- case getfromhash($nodeinfo, 'entropy_key') {
- true: { include entropykey::provider }
- }
- $entropy_provider = entropy_provider($fqdn, $nodeinfo)
- case $entropy_provider {
- false: {}
- local: { include entropykey::local_consumer }
- default: { include entropykey::remote_consumer }
- }
+ if getfromhash($site::nodeinfo, 'entropy_key') {
+ include entropykey::provider
+ }
+
+ $entropy_provider = entropy_provider($::fqdn, $site::nodeinfo)
+ case $entropy_provider {
+ false: {}
+ local: { include entropykey::local_consumer }
+ default: {
+ class { 'entropykey::remote_consumer':
+ entropy_provider => $entropy_provider,
+ }
+ }
+ }
}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
--- /dev/null
+class entropykey::local_consumer {
+
+ package { 'ekeyd-egd-linux': ensure => installed }
+
+ file { '/etc/default/ekeyd-egd-linux':
+ source => 'puppet:///modules/entropykey/ekeyd-egd-linux',
+ notify => Service['ekeyd-egd-linux'],
+ require => Package['ekeyd-egd-linux'],
+ }
+
+ service { 'ekeyd-egd-linux':
+ require => File['/etc/default/ekeyd-egd-linux'],
+ }
+}
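Review bot: The `service { 'ekeyd-egd-linux': ... }` resource on the new side declares no `ensure`, so Puppet will only restart the daemon when `/etc/default/ekeyd-egd-linux` changes and will never start it if it is found stopped. The removed exec-based restart had the same gap, but now that this is a real `service` resource it is a one-line fix: add `ensure => running,` to it, matching the `ekeyd` service the sibling provider class declares in this commit. If leaving the consumer unmanaged between config changes is deliberate, a short comment saying so would stop the next reader from "fixing" it.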
--- /dev/null
+class entropykey::provider {
+
+ package { 'ekeyd': ensure => installed }
+
+ file { '/etc/entropykey/ekeyd.conf':
+ source => 'puppet:///modules/entropykey/ekeyd.conf',
+ notify => Service['ekeyd'],
+ require => Package['ekeyd'],
+ }
+
+ # our CRL expires after a while (2 or 4 weeks?), so we have
+ # to restart stunnel so it loads the new CRL.
+ file { '/etc/cron.weekly/stunnel-ekey-restart':
+ content => '#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n',
+ mode => '0555',
+ }
+
+ service { 'ekeyd':
+ ensure => running,
+ require => File['/etc/entropykey/ekeyd.conf'],
+ }
+
+ stunnel4::stunnel_server { 'ekeyd':
+ accept => 18888,
+ connect => '127.0.0.1:8888',
+ }
+}
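Review bot: The `content` of `/etc/cron.weekly/stunnel-ekey-restart` was switched from double to single quotes, but Puppet single-quoted strings only honour `\\` and `\'`, so the `\n` sequences are now written out literally and the cron script becomes a single line starting `#!/bin/sh\n# This file ...`. run-parts will either fail to exec it (the interpreter path after `#!` is not `/bin/sh`) or treat the whole line as a comment, so the weekly stunnel restart that the comment above says is needed to pick up a fresh CRL silently stops happening and stunnel keeps serving with an expired CRL. Keep the double quotes here: `content => "#!/bin/sh\n# This file is under puppet control\nenv -i /etc/init.d/stunnel4 restart puppet-ekeyd > /dev/null\n",`.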
--- /dev/null
+class entropykey::remote_consumer ($entropy_provider) inherits entropykey::local_consumer {
+
+ stunnel4::stunnel_client { 'ekeyd':
+ accept => '127.0.0.1:8888',
+ connecthost => $entropy_provider,
+ connectport => 18888,
+ }
+}
class exim {
- activate_munin_check {
- "ps_exim4": script => "ps_";
- "exim_mailqueue":;
- "exim_mailstats":;
- "postfix_mailqueue": ensure => absent;
- "postfix_mailstats": ensure => absent;
- "postfix_mailvolume": ensure => absent;
- }
+ munin::check { 'ps_exim4': script => 'ps_' }
+ munin::check { 'exim_mailqueue': }
+ munin::check { 'exim_mailstats': }
- package { exim4-daemon-heavy: ensure => installed }
+ munin::check { 'postfix_mailqueue': ensure => absent }
+ munin::check { 'postfix_mailstats': ensure => absent }
+ munin::check { 'postfix_mailvolume': ensure => absent }
- file {
- "/etc/exim4/":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- purge => true
- ;
- "/etc/exim4/Git":
- ensure => directory,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///files/empty/"
- ;
- "/etc/exim4/conf.d":
- ensure => directory,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///files/empty/"
- ;
- "/etc/exim4/ssl":
- ensure => directory,
- owner => root,
- group => Debian-exim,
- mode => 750,
- require => Package["exim4-daemon-heavy"],
- purge => true
- ;
- "/etc/mailname":
- content => template("exim/mailname.erb"),
- ;
- "/etc/exim4/exim4.conf":
- content => template("exim/eximconf.erb"),
- require => Package["exim4-daemon-heavy"],
- notify => Exec["exim4 reload"]
- ;
- "/etc/exim4/manualroute":
- require => Package["exim4-daemon-heavy"],
- content => template("exim/manualroute.erb")
- ;
- "/etc/exim4/host_blacklist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/host_blacklist",
- "puppet:///modules/exim/common/host_blacklist" ]
- ;
- "/etc/exim4/blacklist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/blacklist",
- "puppet:///modules/exim/common/blacklist" ]
- ;
- "/etc/exim4/callout_users":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/callout_users",
- "puppet:///modules/exim/common/callout_users" ]
- ;
- "/etc/exim4/grey_users":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/grey_users",
- "puppet:///modules/exim/common/grey_users" ]
- ;
- "/etc/exim4/helo-check":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/helo-check",
- "puppet:///modules/exim/common/helo-check" ]
- ;
- "/etc/exim4/locals":
- require => Package["exim4-daemon-heavy"],
- content => template("exim/locals.erb")
- ;
- "/etc/exim4/localusers":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/localusers",
- "puppet:///modules/exim/common/localusers" ]
- ;
- "/etc/exim4/rbllist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/rbllist",
- "puppet:///modules/exim/common/rbllist" ]
- ;
- "/etc/exim4/rhsbllist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/rhsbllist",
- "puppet:///modules/exim/common/rhsbllist" ]
- ;
- "/etc/exim4/virtualdomains":
- require => Package["exim4-daemon-heavy"],
- content => template("exim/virtualdomains.erb")
- ;
- "/etc/exim4/whitelist":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/whitelist",
- "puppet:///modules/exim/common/whitelist" ]
- ;
- "/etc/exim4/submission-domains":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/submission-domains",
- "puppet:///modules/exim/common/submission-domains" ]
- ;
- "/etc/logrotate.d/exim4-base":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/logrotate-exim4-base",
- "puppet:///modules/exim/common/logrotate-exim4-base" ]
- ;
- "/etc/logrotate.d/exim4-paniclog":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/per-host/$fqdn/logrotate-exim4-paniclog",
- "puppet:///modules/exim/common/logrotate-exim4-paniclog" ]
- ;
- "/etc/exim4/ssl/thishost.crt":
- require => Package["exim4-daemon-heavy"],
- source => "puppet:///modules/exim/certs/$fqdn.crt",
- owner => root,
- group => Debian-exim,
- mode => 640
- ;
- "/etc/exim4/ssl/thishost.key":
- require => Package["exim4-daemon-heavy"],
- source => "puppet:///modules/exim/certs/$fqdn.key",
- owner => root,
- group => Debian-exim,
- mode => 640
- ;
- "/etc/exim4/ssl/ca.crt":
- require => Package["exim4-daemon-heavy"],
- source => "puppet:///modules/exim/certs/ca.crt",
- owner => root,
- group => Debian-exim,
- mode => 640
- ;
- "/etc/exim4/ssl/ca.crl":
- require => Package["exim4-daemon-heavy"],
- source => "puppet:///modules/exim/certs/ca.crl",
- owner => root,
- group => Debian-exim,
- mode => 640
- ;
- "/var/log/exim4":
- mode => 2750,
- ensure => directory,
- owner => Debian-exim,
- group => maillog
- ;
- }
+ package { 'exim4-daemon-heavy': ensure => installed }
- exec { "exim4 reload":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
+ service { 'exim4':
+ ensure => running,
+ require => File['/etc/exim4/exim4.conf'],
+ }
- case getfromhash($nodeinfo, 'mail_port') {
- /^(\d+)$/: { $mail_port = $1 }
- default: { $mail_port = 'smtp' }
- }
+ file { '/etc/exim4/':
+ ensure => directory,
+ mode => '0755',
+ require => Package['exim4-daemon-heavy'],
+ purge => true,
+ }
+ file { '/etc/exim4/Git':
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
+ }
+ file { '/etc/exim4/conf.d':
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
+ }
+ file { '/etc/exim4/ssl':
+ ensure => directory,
+ group => Debian-exim,
+ mode => '0750',
+ purge => true,
+ }
+ file { '/etc/exim4/exim4.conf':
+ content => template('exim/eximconf.erb'),
+ notify => Service['exim4'],
+ }
+ file { '/etc/mailname':
+ content => template('exim/mailname.erb'),
+ }
+ file { '/etc/exim4/manualroute':
+ content => template('exim/manualroute.erb')
+ }
+ file { '/etc/exim4/locals':
+ content => template('exim/locals.erb')
+ }
+ file { '/etc/exim4/virtualdomains':
+ content => template('exim/virtualdomains.erb'),
+ }
+ file { '/etc/exim4/submission-domains':
+ content => template('exim/common/submission-domains.erb'),
+ }
+ file { '/etc/exim4/host_blacklist':
+ source => 'puppet:///modules/exim/common/host_blacklist',
+ }
+ file { '/etc/exim4/blacklist':
+ source => 'puppet:///modules/exim/common/blacklist',
+ }
+ file { '/etc/exim4/callout_users':
+ source => 'puppet:///modules/exim/common/callout_users',
+ }
+ file { '/etc/exim4/grey_users':
+ source => 'puppet:///modules/exim/common/grey_users',
+ }
+ file { '/etc/exim4/helo-check':
+ source => 'puppet:///modules/exim/common/helo-check',
+ }
+ file { '/etc/exim4/localusers':
+ source => 'puppet:///modules/exim/common/localusers',
+ }
+ file { '/etc/exim4/rbllist':
+ source => 'puppet:///modules/exim/common/rbllist',
+ }
+ file { '/etc/exim4/rhsbllist':
+ source => 'puppet:///modules/exim/common/rhsbllist',
+ }
+ file { '/etc/exim4/whitelist':
+ source => 'puppet:///modules/exim/common/whitelist',
+ }
+ file { '/etc/logrotate.d/exim4-base':
+ source => 'puppet:///modules/exim/common/logrotate-exim4-base',
+ }
+ file { '/etc/logrotate.d/exim4-paniclog':
+ source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog'
+ }
+ file { '/etc/exim4/ssl/thishost.crt':
+ source => "puppet:///modules/exim/certs/${::fqdn}.crt",
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/thishost.key':
+ source => "puppet:///modules/exim/certs/${::fqdn}.key",
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/ca.crt':
+ source => 'puppet:///modules/exim/certs/ca.crt',
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/etc/exim4/ssl/ca.crl':
+ source => 'puppet:///modules/exim/certs/ca.crl',
+ group => Debian-exim,
+ mode => '0640',
+ }
+ file { '/var/log/exim4':
+ ensure => directory,
+ mode => '2750',
+ owner => Debian-exim,
+ group => maillog,
+ }
+
+ case getfromhash($site::nodeinfo, 'mail_port') {
+ /^(\d+)$/: { $mail_port = $1 }
+ default: { $mail_port = 'smtp' }
+ }
+
+ @ferm::rule { 'dsa-exim':
+ description => 'Allow SMTP',
+ rule => '&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)'
+ }
+
+ @ferm::rule { 'dsa-exim-v6':
+ description => 'Allow SMTP',
+ domain => 'ip6',
+ rule => '&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)'
+ }
+
+ # Do we actually want this? I'm only doing it because it's harmless
+ # and makes the logs quiet. There are better ways of making logs quiet,
+ # though.
+ @ferm::rule { 'dsa-ident':
+ domain => '(ip ip6)',
+ description => 'Allow ident access',
+ rule => '&SERVICE(tcp, 113)'
+ }
- @ferm::rule { "dsa-exim":
- description => "Allow SMTP",
- rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)"
- }
- @ferm::rule { "dsa-exim-v6":
- description => "Allow SMTP",
- domain => "ip6",
- rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
- }
- # Do we actually want this? I'm only doing it because it's harmless
- # and makes the logs quiet. There are better ways of making logs quiet,
- # though.
- @ferm::rule { "dsa-ident":
- domain => "(ip ip6)",
- description => "Allow ident access",
- rule => "&SERVICE(tcp, 113)"
- }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
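Review bot: The ferm rules `dsa-exim` and `dsa-exim-v6` now use single-quoted strings, so `$mail_port` is no longer interpolated by Puppet and `\$SMTP_SOURCES` keeps its backslash; the generated ferm snippet will contain the literal text `$mail_port` and `\$SMTP_SOURCES` (the removed double-quoted versions produced the port number and `$SMTP_SOURCES`). ferm will very likely reject that file — an undefined ferm variable plus a stray backslash — so the SMTP allow rules either never load or the whole ferm reload fails. Restore the double quotes on both: `rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_SOURCES)"` and `rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"`. Separately, the per-host source fallback (`puppet:///modules/exim/per-host/${::fqdn}/...`) for blacklist, whitelist, rbllist, callout_users and the other lists was dropped, so any host-specific override in the module silently reverts to the common file; if that is intentional it deserves a line in the commit message, otherwise keep the two-element source array.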
class exim::mx inherits exim {
- include clamav
- include postgrey
+ include clamav
+ include postgrey
- file {
- "/etc/exim4/ccTLD.txt":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/common/ccTLD.txt" ]
- ;
- "/etc/exim4/surbl_whitelist.txt":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/common/surbl_whitelist.txt" ]
- ;
- "/etc/exim4/exim_surbl.pl":
- require => Package["exim4-daemon-heavy"],
- source => [ "puppet:///modules/exim/common/exim_surbl.pl" ],
- notify => Exec["exim4 restart"]
- ;
- }
- exec { "exim4 restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
- @ferm::rule { "dsa-exim-submission":
- description => "Allow SMTP",
- rule => "&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)"
- }
- @ferm::rule { "dsa-exim-v6-submission":
- description => "Allow SMTP",
- domain => "ip6",
- rule => "&SERVICE_RANGE(tcp, submission, \$SMTP_V6_SOURCES)"
- }
-}
+ file { '/etc/exim4/ccTLD.txt':
+ source => 'puppet:///modules/exim/common/ccTLD.txt',
+ }
+ file { '/etc/exim4/surbl_whitelist.txt':
+ source => 'puppet:///modules/exim/common/surbl_whitelist.txt',
+ }
+ file { '/etc/exim4/exim_surbl.pl':
+ source => 'puppet:///modules/exim/common/exim_surbl.pl',
+ notify => Service['exim4'],
+ }
+
+ @ferm::rule { 'dsa-exim-submission':
+ description => 'Allow SMTP',
+ rule => '&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)'
+ }
+ @ferm::rule { 'dsa-exim-v6-submission':
+ description => 'Allow SMTP',
+ domain => 'ip6',
+ rule => '&SERVICE_RANGE(tcp, submission, \$SMTP_V6_SOURCES)',
+ }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+}
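Review bot: The submission rules `dsa-exim-submission` and `dsa-exim-v6-submission` now use single-quoted strings, in which Puppet does not process `\$`, so the backslash reaches the ferm config as `\$SMTP_SOURCES` / `\$SMTP_V6_SOURCES`; the removed double-quoted versions yielded `$SMTP_SOURCES`. ferm is unlikely to accept the backslash, so the port-587 allow rules would fail to load. Either go back to double quotes, `rule => "&SERVICE_RANGE(tcp, submission, \$SMTP_SOURCES)"`, or drop the escape inside single quotes, `rule => '&SERVICE_RANGE(tcp, submission, $SMTP_SOURCES)'`, which is the cleaner form since nothing in this string needs Puppet interpolation.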
# flushing' operations, but should be populated with a list
# of trusted machines. Wildcards are not permitted
# bsmtp_domains - Domains that we deliver locally via bsmtp
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
# mailhubdomains - Domains for which we are the MX, but the mail is relayed
# elsewhere. This is designed for use with small volume or
# restricted machines that need to use a smarthost for mail
# MAIN CONFIGURATION SETTINGS #
######################################################################
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
perl_startup = do '/etc/exim4/exim_surbl.pl'
<%- end -%>
acl_smtp_helo = check_helo
acl_smtp_rcpt = ${if ={$interface_port}{587} {check_submission}{check_recipient}}
acl_smtp_data = check_message
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
acl_smtp_mime = acl_check_mime
<%- end -%>
acl_smtp_predata = acl_check_predata
hostlist debianhosts = <; ; 127.0.0.1 ; ::1 ; /var/lib/misc/thishost/debianhosts ; 89.16.166.49 ; 82.195.75.76 ; 2001:41b8:202:deb:bab5:0:52c3:4b4c
-hostlist reservedaddrs = <%= nodeinfo['reservedaddrs'] %>
+hostlist reservedaddrs = <%= scope.lookupvar('site::nodeinfo')['reservedaddrs'] %>
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
# Domains we relay for; that is domains that aren't considered local but we
# accept mail for them.
domainlist mailhubdomains = lsearch;/etc/exim4/manualroute
message_size_limit = 100M
message_logs = false
smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}}
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
smtp_accept_max = 300
smtp_accept_queue = 200
smtp_accept_queue_per_connection = 50
delay_warning =
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
message_body_visible = 5000
queue_run_max = 50
deliver_queue_load_max = 50
out = "daemon_smtp_ports = "
ports << 25
-if nodeinfo['bugsmaster'] or nodeinfo['bugsmx']
+if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx']
ports << 587
end
-if not nodeinfo['mail_port'].to_s.empty?
- ports << nodeinfo['mail_port']
+if not scope.lookupvar('site::nodeinfo')['mail_port'].to_s.empty?
+ ports << scope.lookupvar('site::nodeinfo')['mail_port']
end
-if nodeinfo['mailrelay']
- ports << nodeinfo['smarthost_port']
+if scope.lookupvar('site::nodeinfo')['mailrelay']
+ ports << scope.lookupvar('site::nodeinfo')['smarthost_port']
end
out += ports.uniq.sort.join(" : ")
hosts = !+debianhosts
set acl_m_rprf = localonly
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
warn local_parts = +local_only_users
domains = +mailhubdomains
hosts = !+debianhosts
<%- end -%>
accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
-<%- if nodeinfo['rtmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%>
warn domains = rt.debian.org
set acl_m_rprf = RTMail
accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
<%- end -%>
-<%- if nodeinfo['bugsmx'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['bugsmx'] -%>
warn domains = bugs.debian.org
set acl_m_rprf = BugsMail
accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
<%- end -%>
-<%- if nodeinfo['packagesmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%>
warn domains = packages.debian.org
set acl_m_rprf = PackagesMail
accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
<%- end -%>
-<%- if nodeinfo['packagesqamaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%>
warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org
set acl_m_rprf = PTSOwner
warn set acl_c_scr = 0
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
accept verify = certificate
<%- end -%>
-<%- if nodeinfo['smarthost'].empty? -%>
+<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%>
# These are in HELO acl so that they are only run once. They increment a counter,
# so we don't want it to increment per rcpt to.
# We do this by testing for an empty sending host field.
accept hosts = +debianhosts
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
accept verify = certificate
<%- end -%>
endpass
verify = recipient
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
accept domains = +mailhubdomains
endpass
verify = recipient/callout=30s,defer_ok,use_sender,no_cache
#!!# ACL that is used after the RCPT command
check_recipient:
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
accept verify = certificate
<%- end -%>
warn condition = ${if eq{$acl_m_prf}{localonly}}
set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}}
-<%- if nodeinfo['packagesmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%>
warn condition = ${if eq {$acl_m_prf}{PackagesMail}}
condition = ${if eq {$sender_address}{$local_part@$domain}}
message = X-Packages-FromTo-Same: yes
condition = ${if eq{$acl_m_act}{450}{yes}{no}}
<%- end -%>
-<%- if nodeinfo['rtmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%>
warn condition = ${if eq{$acl_m_prf}{RTMail}}
set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}{match{$local_part}{3520}}{match{$local_part}{3645}}} {RTMailRecipientHasSubaddress}}}}
# temporary hack because weasel screwed up and gave people an rt-3520@ address, which doesn't really work normally. and rt-3645
senders = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}}
message = We have blacklisted <$sender_address>. Please stop mailing us
-<%- if nodeinfo['smarthost'].empty? -%>
+<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%>
deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
dnslists = ${if match_domain{$domain}{+virtual_domains}\
{${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
-<%- if nodeinfo['smarthost'].empty? -%>
+<%- if scope.lookupvar('site::nodeinfo')['smarthost'].empty? -%>
deny domains = +handled_domains
local_parts = ${if match_domain{$domain}{+virtual_domains}\
{${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\
!verify = sender/callout=90s,maxwait=300s
<%- end -%>
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
accept domains = +mailhubdomains
endpass
verify = recipient/callout=30s,defer_ok,use_sender,no_cache
deny message = relay not permitted
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
acl_check_mime:
accept verify = certificate
# header. Take their crack pipe away.
drop condition = ${if match{${lc:$h_From:}}{\Npostmaster@([^.]+\.)?debian\.org\N}}
-<%- if nodeinfo['rtmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%>
deny condition = ${if eq {$acl_m_prf}{RTMail}}
condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \
{!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \
message = messages to the Request Tracker system require a subject tag or a subaddress
<%- end -%>
-<%- if nodeinfo['packagesqamaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesqamaster'] -%>
deny !hosts = +debianhosts : 217.196.43.134
condition = ${if eq {$acl_m_prf}{PTSMail}}
condition = ${if def:h_X-PTS-Approved:{false}{true}}
message = X-malware detected: $malware_name
<%- end -%>
-<%- if nodeinfo.has_key?('heavy_exim') and nodeinfo['heavy_exim'] -%>
+<%- if scope.lookupvar('site::nodeinfo').has_key?('heavy_exim') and scope.lookupvar('site::nodeinfo')['heavy_exim'] -%>
discard condition = ${if <{$message_size}{256000}}
condition = ${if eq {$acl_m_prf}{blackhole}}
set acl_m_srb = ${perl{surblspamcheck}}
!verify = header_sender
message = No valid sender found in the From:, Sender: and Reply-to: headers
-<%- if nodeinfo['packagesmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%>
deny message = Congratulations, you scored $spam_score points.
log_message = spam: $spam_score points.
condition = ${if eq {$acl_m_prf}{PackagesMail}}
# An address is passed to each in turn until it is accepted. #
######################################################################
-<%- if nodeinfo['mailrelay'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['mailrelay'] -%>
relay_manualroute:
driver = manualroute
domains = +mailhubdomains
<%=
out = ""
-if not nodeinfo['smarthost'].empty?
+if not scope.lookupvar('site::nodeinfo')['smarthost'].empty?
out = '
smarthost:
debug_print = "R: smarthost for $local_part@$domain"
driver = manualroute
domains = !+handled_domains
transport = remote_smtp_smarthost
- route_list = * ' + nodeinfo['smarthost']
- if nodeinfo['smarthost'] == 'mailout.debian.org'
+ route_list = * ' + scope.lookupvar('site::nodeinfo')['smarthost']
+ if scope.lookupvar('site::nodeinfo')['smarthost'] == 'mailout.debian.org'
out += '/MX'
end
out += '
# Everything before here should apply only to the local domains with a
# domains= rule
-<%- if nodeinfo['packagesmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['packagesmaster'] -%>
# This router delivers for packages.d.o
packages:
debug_print = "R: packages for $local_part@$domain"
no_more
<%- end -%>
-<%- if nodeinfo['rtmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%>
# This router delivers for rt.d.o
rt_force_new_verbose:
debug_print = "R: rt for $local_part+new@$domain"
<%=
out = ""
-if nodeinfo['bugsmaster'] or nodeinfo['bugsmx']
+if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx']
domain = 'bugs.debian.org'
- if nodeinfo['bugsmaster']
+ if scope.lookupvar('site::nodeinfo')['bugsmaster']
domain = 'bugs-master.debian.org'
end
out = '
<%=
out = ""
-if not nodeinfo['smarthost'].empty?
+if not scope.lookupvar('site::nodeinfo')['smarthost'].empty?
out = '
remote_smtp_smarthost:
debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
driver = smtp
delay_after_cutoff = false
port = '
- out += nodeinfo['smarthost_port'].to_s + "\n"
+ out += scope.lookupvar('site::nodeinfo')['smarthost_port'].to_s + "\n"
if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"
out += ' tls_tempfail_tryclear = false
- hosts_require_tls = ' + nodeinfo['smarthost'] + '
+ hosts_require_tls = ' + scope.lookupvar('site::nodeinfo')['smarthost'] + '
tls_certificate = /etc/exim4/ssl/thishost.crt
tls_privatekey = /etc/exim4/ssl/thishost.key
'
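Review bot: `if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"` is the one lookup in this hunk still done through the bare template variable, while every other node setting was moved to `scope.lookupvar(...)`. If `exim_ssl_certs` is no longer visible to the template under the new scoping (which is what this migration appears to be preparing for), the condition quietly becomes false and the `hosts_require_tls`/`tls_certificate`/`tls_privatekey` lines are dropped from `remote_smtp_smarthost`, so mail to the smarthost would go out without TLS and without the client certificate, and nothing would fail loudly. Look it up the same way as the rest, e.g. `if scope.lookupvar('::exim_ssl_certs').to_s == "true"` (adjusting the namespace to wherever that variable is now declared), and consider failing the template when a smarthost is configured but the flag is absent. The `<%= ... %>` block that builds this transport starts at the top of the hunk and closes outside it.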
{$value}fail}\
}}
-<%- if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['bugsmaster'] or scope.lookupvar('site::nodeinfo')['bugsmx'] -%>
bugs_pipe:
driver = pipe
command = /org/bugs.debian.org/mail/run-procmail
user = debbugs
<%- end -%>
-<%- if nodeinfo['rtmaster'] -%>
+<%- if scope.lookupvar('site::nodeinfo')['rtmaster'] -%>
rt_pipe:
debug_print = "T: rt_pipe for $local_part${local_part_suffix}@$domain"
driver = pipe
routes = []
extraroutes = []
-if nodeinfo['mailrelay']
+if scope.lookupvar('site::nodeinfo')['mailrelay']
mxmatches << 'mailout.debian.org'
extraroutes = [ "keyring.debian.org:\t\tkaufmann.debian.org" ]
end
mxregex = Regexp.new('^\d+\s+(.*)\.$')
-allnodeinfo.keys.sort.each do |host|
- next unless allnodeinfo[host]['mXRecord']
- allnodeinfo[host]['mXRecord'].each do |mx|
+scope.lookupvar('site::allnodeinfo').keys.sort.each do |host|
+ next unless scope.lookupvar('site::allnodeinfo')[host]['mXRecord']
+ scope.lookupvar('site::allnodeinfo')[host]['mXRecord'].each do |mx|
mxmatch = mxregex.match(mx)
if mxmatches.include?(mxmatch[1])
route = host + ":\t\t" + host
- if localinfo.has_key?(host) and localinfo[host].has_key?('mail_port') and localinfo[host]['mail_port'].to_s != ''
- route += "::" + localinfo[host]['mail_port'].to_s
+ if scope.lookupvar('site::localinfo').has_key?(host) and scope.lookupvar('site::localinfo')[host].has_key?('mail_port') and scope.lookupvar('site::localinfo')[host]['mail_port'].to_s != ''
+ route += "::" + scope.lookupvar('site::localinfo')[host]['mail_port'].to_s
end
routes << route
end
--- /dev/null
+##
+### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+### USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+###
+
+<%= if scope.lookupvar('::hostname') == 'busoni' %>
+bugs.debian.org
+<%= end %>
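Review bot: `<%= if scope.lookupvar('::hostname') == 'busoni' %>` and `<%= end %>` use the output tag for control flow; ERB wraps `<%= %>` contents in `_erbout.concat((...).to_s)`, so an `if` without its `end` inside those parentheses is a Ruby syntax error and every catalog that renders this template (it is referenced as `exim/common/submission-domains.erb` in the exim class in this commit) should fail to compile. Use the trim tags the other exim templates use: `<%- if scope.lookupvar('::hostname') == 'busoni' -%>` and `<%- end -%>`. The hard-coded hostname is also the only thing selecting a submission domain here; a nodeinfo flag (`bugsmaster`/`bugsmx` are already consulted elsewhere in this commit) would keep that decision in data rather than in the template.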
class ferm::ftp {
- @ferm::rule { "dsa-ftp":
- domain => "(ip ip6)",
- description => "Allow ftp access",
- rule => "&SERVICE(tcp, 21)"
- }
+ @ferm::rule { 'dsa-ftp':
+ domain => '(ip ip6)',
+ description => 'Allow ftp access',
+ rule => '&SERVICE(tcp, 21)',
+ }
}
class ferm {
- define rule($domain="ip", $table="filter", $chain="INPUT", $rule, $description="", $prio="00", $notarule=false) {
- file {
- "/etc/ferm/dsa.d/${prio}_${name}":
- ensure => present,
- owner => root,
- group => root,
- mode => 0400,
- content => template("ferm/ferm-rule.erb"),
- notify => Exec["ferm restart"],
- }
- }
+ # realize (i.e. enable) all @ferm::rule virtual resources
+ Ferm::Rule <| |>
- # realize (i.e. enable) all @ferm::rule virtual resources
- Ferm::Rule <| |>
+ File { mode => '0400' }
- package {
- ferm: ensure => installed;
- ulogd: ensure => installed;
- }
+ package { 'ferm':
+ ensure => installed
+ }
+ package { 'ulogd':
+ ensure => installed
+ }
- file {
- "/etc/ferm/dsa.d":
- ensure => directory,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///files/empty/",
- notify => Exec["ferm restart"],
- require => Package["ferm"];
- "/etc/ferm":
- ensure => directory,
- mode => 0755;
- "/etc/ferm/conf.d":
- ensure => directory,
- require => Package["ferm"];
- "/etc/default/ferm":
- source => "puppet:///modules/ferm/ferm.default",
- require => Package["ferm"],
- notify => Exec["ferm restart"];
- "/etc/ferm/ferm.conf":
- source => "puppet:///modules/ferm/ferm.conf",
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/ferm/conf.d/me.conf":
- content => template("ferm/me.conf.erb"),
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/ferm/conf.d/defs.conf":
- content => template("ferm/defs.conf.erb"),
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/ferm/conf.d/interfaces.conf":
- content => template("ferm/interfaces.conf.erb"),
- require => Package["ferm"],
- mode => 0400,
- notify => Exec["ferm restart"];
- "/etc/logrotate.d/ulogd":
- source => "puppet:///modules/ferm/logrotate-ulogd",
- require => Package["debian.org"],
- ;
- }
+ service { 'ferm':
+ hasstatus => false,
+ status => '/bin/true',
+ refreshonly => true,
+ }
- $munin_ips = split(regsubst($v4ips, '([^,]+)', 'ip_\1', 'G'), ',')
+ $munin_ips = split(regsubst($v4ips, '([^,]+)', 'ip_\1', 'G'), ',')
- activate_munin_check {
- $munin_ips: script => "ip_";
- }
+ munin::check { $munin_ips: script => 'ip_', }
- define munin_ipv6_plugin() {
- file {
- "/etc/munin/plugins/$name":
- content => "#!/bin/bash\n# This file is under puppet control\n. /usr/share/munin/plugins/ip_\n",
- mode => 555,
- notify => Exec["munin-node restart"],
- ;
- }
- }
- case $v6ips {
- 'no': {}
- default: {
- $munin6_ips = split(regsubst($v6ips, '([^,]+)', 'ip_\1', 'G'), ',')
- munin_ipv6_plugin {
- $munin6_ips: ;
- }
- # get rid of old stuff
- $munin6_ip6s = split(regsubst($v6ips, '([^,]+)', 'ip6_\1', 'G'), ',')
- activate_munin_check {
- $munin6_ip6s: ensure => absent;
- }
- }
- }
+ if $v6ips {
+ $munin6_ips = split(regsubst($v6ips, '([^,]+)', 'ip_\1', 'G'), ',')
+ munin::check { $munin6_ips: script => 'ip_', }
+ }
+ # get rid of old stuff
+ $munin6_ip6s = split(regsubst($v6ips, '([^,]+)', 'ip6_\1', 'G'), ',')
+ munin::check { $munin6_ip6s: ensure => absent }
- case getfromhash($nodeinfo, 'buildd') {
- true: {
- file {
- "/etc/ferm/conf.d/load_ftp_conntrack.conf":
- source => "puppet:///modules/ferm/conntrack_ftp.conf",
- require => Package["ferm"],
- notify => Exec["ferm restart"];
- }
- }
- }
+ file { '/etc/ferm':
+ ensure => directory,
+ notify => Service['ferm'],
+ require => Package['ferm'],
+ mode => '0755'
+ }
+ file { '/etc/ferm/dsa.d':
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
+ }
+ file { '/etc/ferm/conf.d':
+ ensure => directory,
+ }
+ file { '/etc/default/ferm':
+ source => 'puppet:///modules/ferm/ferm.default',
+ require => Package['ferm'],
+ notify => Service['ferm'],
+ }
+ file { '/etc/ferm/ferm.conf':
+ source => 'puppet:///modules/ferm/ferm.conf',
+ }
+ file { '/etc/ferm/conf.d/me.conf':
+ content => template('ferm/me.conf.erb'),
+ }
+ file { '/etc/ferm/conf.d/defs.conf':
+ content => template('ferm/defs.conf.erb'),
+ }
+ file { '/etc/ferm/conf.d/interfaces.conf':
+ content => template('ferm/interfaces.conf.erb'),
+ }
+ file { '/etc/logrotate.d/ulogd':
+ source => 'puppet:///modules/ferm/logrotate-ulogd',
+ require => Package['debian.org'],
+ }
+
+ if getfromhash($site::nodeinfo, 'buildd') {
+ file { '/etc/ferm/conf.d/load_ftp_conntrack.conf':
+ source => 'puppet:///modules/ferm/conntrack_ftp.conf',
+ }
+ }
- exec {
- "ferm restart":
- command => "/etc/init.d/ferm restart",
- refreshonly => true,
- }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
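Review bot: The rewritten `/etc/ferm/ferm.conf`, `conf.d/me.conf`, `conf.d/defs.conf`, `conf.d/interfaces.conf` and `conf.d/load_ftp_conntrack.conf` resources carry no `notify`, and `/etc/ferm/dsa.d` lost the one it had (which, I believe, was inherited by the generated child resources and so fired when a stale rule file was purged); only `/etc/ferm` and `/etc/default/ferm` now notify `Service['ferm']`, so unless a collector or chain outside this hunk restores it, an edited or removed firewall rule is written to disk but not loaded until ferm is restarted by other means — add `notify => Service['ferm'],` to each of those resources and back onto `/etc/ferm/dsa.d`. `refreshonly` is not a parameter of the `service` type (it belongs to `exec`), so `service { 'ferm': ... refreshonly => true, }` will fail catalog compilation with an invalid-parameter error; drop that line, the resource without `ensure` already restarts only on refresh. Also note that `File { mode => '0400' }` is a resource default and, in the Puppet generation this manifest targets, resource defaults are dynamically scoped, so it reaches the `munin::check` resources declared from this class; please confirm that define sets its own mode on plugin files, or the munin user loses read/execute on them.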
+++ /dev/null
-class ferm::nfs-server {
- @ferm::rule { "dsa-portmap":
- domain => "(ip ip6)",
- description => "Allow portmap access",
- rule => "&TCP_UDP_SERVICE(111)"
- }
- @ferm::rule { "dsa-nfs":
- domain => "(ip ip6)",
- description => "Allow nfsd access",
- rule => "&TCP_UDP_SERVICE(2049)"
- }
- @ferm::rule { "dsa-status":
- domain => "(ip ip6)",
- description => "Allow statd access",
- rule => "&TCP_UDP_SERVICE(10000)"
- }
- @ferm::rule { "dsa-mountd":
- domain => "(ip ip6)",
- description => "Allow mountd access",
- rule => "&TCP_UDP_SERVICE(10002)"
- }
- @ferm::rule { "dsa-lockd":
- domain => "(ip ip6)",
- description => "Allow lockd access",
- rule => "&TCP_UDP_SERVICE(10003)"
- }
-}
class ferm::per-host {
- case $::hostname {
- ancina,zandonai,zelenka: {
- include ferm::zivit
- }
- }
-
- case $::hostname {
- chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,ries,rietz,saens,schein,santoro,steffani,valente,villa,wieck,stabile,bizet: {
- include ferm::ftp
- }
- }
+ if $::hostname in [ancina,zandonai,zelenka] {
+ include ferm::zivit
+ }
- case $::hostname {
- piatti,samosa: {
- @ferm::rule { "dsa-udd-stunnel":
- description => "port 8080 for udd stunnel",
- rule => "&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))"
- }
- }
- danzi: {
- @ferm::rule {
- "dsa-postgres-danzi":
- description => "Allow postgress access",
- rule => "&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))"
- ;
- "dsa-postgres2-danzi":
- description => "Allow postgress access2",
- rule => "&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))"
- ;
- "dsa-postgres3-danzi":
- description => "Allow postgress access2",
- rule => "&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))"
- ;
- }
+ if $::hostname in [chopin,franck,gluck,kassia,klecker,lobos,morricone,ravel,ries,rietz,saens,schein,santoro,steffani,valente,villa,wieck,stabile,bizet] {
+ include ferm::ftp
+ }
- }
- abel,alwyn,rietz: {
- @ferm::rule { "dsa-tftp":
- description => "Allow tftp access",
- rule => "&SERVICE(udp, 69)"
- }
- }
- paganini: {
- @ferm::rule { "dsa-dhcp":
- description => "Allow dhcp access",
- rule => "&SERVICE(udp, 67)"
- }
- @ferm::rule { "dsa-tftp":
- description => "Allow tftp access",
- rule => "&SERVICE(udp, 69)"
- }
- }
- handel: {
- @ferm::rule { "dsa-puppet":
- description => "Allow puppet access",
- rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)"
- }
- @ferm::rule { "dsa-puppet-v6":
- domain => 'ip6',
- description => "Allow puppet access",
- rule => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)"
- }
- }
- powell: {
- @ferm::rule { "dsa-powell-v6-tunnel":
- description => "Allow powell to use V6 tunnel broker",
- rule => "proto ipv6 saddr 212.227.117.6 jump ACCEPT"
- }
- @ferm::rule { "dsa-powell-btseed":
- domain => "(ip ip6)",
- description => "Allow powell to seed BT",
- rule => "proto tcp dport 8000:8100 jump ACCEPT"
- }
- }
- heininen,lotti: {
- @ferm::rule { "dsa-syslog":
- description => "Allow syslog access",
- rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)"
- }
- @ferm::rule { "dsa-syslog-v6":
- domain => 'ip6',
- description => "Allow syslog access",
- rule => "&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)"
- }
- }
- kaufmann: {
- @ferm::rule { "dsa-hkp":
- domain => "(ip ip6)",
- description => "Allow hkp access",
- rule => "&SERVICE(tcp, 11371)"
- }
- }
- gombert: {
- @ferm::rule { "dsa-infinoted":
- domain => "(ip ip6)",
- description => "Allow infinoted access",
- rule => "&SERVICE(tcp, 6523)"
- }
- }
- bendel,liszt: {
- @ferm::rule { "smtp":
- domain => "(ip ip6)",
- description => "Allow smtp access",
- rule => "&SERVICE(tcp, 25)"
- }
- }
- draghi: {
- #@ferm::rule { "dsa-bind":
- # domain => "(ip ip6)",
- # description => "Allow nameserver access",
- # rule => "&TCP_UDP_SERVICE(53)"
- #}
- @ferm::rule { "dsa-finger":
- domain => "(ip ip6)",
- description => "Allow finger access",
- rule => "&SERVICE(tcp, 79)"
- }
- @ferm::rule { "dsa-ldap":
- domain => "(ip ip6)",
- description => "Allow ldap access",
- rule => "&SERVICE(tcp, 389)"
- }
- @ferm::rule { "dsa-ldaps":
- domain => "(ip ip6)",
- description => "Allow ldaps access",
- rule => "&SERVICE(tcp, 636)"
- }
- }
- cilea: {
- file {
- "/etc/ferm/conf.d/load_sip_conntrack.conf":
- source => "puppet:///modules/ferm/conntrack_sip.conf",
- require => Package["ferm"],
- notify => Exec["ferm restart"];
- }
- @ferm::rule { "dsa-sip":
- domain => "(ip ip6)",
- description => "Allow sip access",
- rule => "&TCP_UDP_SERVICE(5060)"
- }
- @ferm::rule { "dsa-sipx":
- domain => "(ip ip6)",
- description => "Allow sipx access",
- rule => "&TCP_UDP_SERVICE(5080)"
- }
- }
- scelsi: {
- @ferm::rule { "dc11-icecast":
- domain => "(ip ip6)",
- description => "Allow icecast access",
- rule => "&SERVICE(tcp, 8000)"
- }
+ case $::hostname {
+ piatti,samosa: {
+ @ferm::rule { 'dsa-udd-stunnel':
+ description => 'port 8080 for udd stunnel',
+ rule => '&SERVICE_RANGE(tcp, http-alt, ( 192.25.206.16 70.103.162.29 217.196.43.134 ))'
+ }
+ }
+ danzi: {
+ @ferm::rule { 'dsa-postgres-danzi':
+ description => 'Allow postgress access',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 ))'
+ }
+ @ferm::rule { 'dsa-postgres2-danzi':
+ description => 'Allow postgress access2',
+ rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 ))'
+ }
+ @ferm::rule { 'dsa-postgres3-danzi':
+ description => 'Allow postgress access2',
+ rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 ))'
+ }
+ }
+ abel,alwyn,rietz: {
+ @ferm::rule { 'dsa-tftp':
+ description => 'Allow tftp access',
+ rule => '&SERVICE(udp, 69)'
+ }
+ }
+ paganini: {
+ @ferm::rule { 'dsa-dhcp':
+ description => 'Allow dhcp access',
+ rule => '&SERVICE(udp, 67)'
+ }
+ @ferm::rule { 'dsa-tftp':
+ description => 'Allow tftp access',
+ rule => '&SERVICE(udp, 69)'
+ }
+ }
+ handel: {
+ @ferm::rule { 'dsa-puppet':
+ description => 'Allow puppet access',
+ rule => '&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V4)'
+ }
+ @ferm::rule { 'dsa-puppet-v6':
+ domain => 'ip6',
+ description => 'Allow puppet access',
+ rule => '&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)'
+ }
+ }
+ powell: {
+ @ferm::rule { 'dsa-powell-v6-tunnel':
+ description => 'Allow powell to use V6 tunnel broker',
+ rule => 'proto ipv6 saddr 212.227.117.6 jump ACCEPT'
+ }
+ @ferm::rule { 'dsa-powell-btseed':
+ domain => '(ip ip6)',
+ description => 'Allow powell to seed BT',
+ rule => 'proto tcp dport 8000:8100 jump ACCEPT'
+ }
+ }
+ heininen,lotti: {
+ @ferm::rule { 'dsa-syslog':
+ description => 'Allow syslog access',
+ rule => '&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V4)'
+ }
+ @ferm::rule { 'dsa-syslog-v6':
+ domain => 'ip6',
+ description => 'Allow syslog access',
+ rule => '&SERVICE_RANGE(tcp, 5140, \$HOST_DEBIAN_V6)'
+ }
+ }
+ kaufmann: {
+ @ferm::rule { 'dsa-hkp':
+ domain => '(ip ip6)',
+ description => 'Allow hkp access',
+ rule => '&SERVICE(tcp, 11371)'
+ }
+ }
+ gombert: {
+ @ferm::rule { 'dsa-infinoted':
+ domain => '(ip ip6)',
+ description => 'Allow infinoted access',
+ rule => '&SERVICE(tcp, 6523)'
+ }
+ }
+ bendel,liszt: {
+ @ferm::rule { 'smtp':
+ domain => '(ip ip6)',
+ description => 'Allow smtp access',
+ rule => '&SERVICE(tcp, 25)'
+ }
+ }
+ draghi: {
+ #@ferm::rule { 'dsa-bind':
+ # domain => '(ip ip6)',
+ # description => 'Allow nameserver access',
+ # rule => '&TCP_UDP_SERVICE(53)'
+ #}
+ @ferm::rule { 'dsa-finger':
+ domain => '(ip ip6)',
+ description => 'Allow finger access',
+ rule => '&SERVICE(tcp, 79)'
+ }
+ @ferm::rule { 'dsa-ldap':
+ domain => '(ip ip6)',
+ description => 'Allow ldap access',
+ rule => '&SERVICE(tcp, 389)'
+ }
+ @ferm::rule { 'dsa-ldaps':
+ domain => '(ip ip6)',
+ description => 'Allow ldaps access',
+ rule => '&SERVICE(tcp, 636)'
+ }
+ }
+ cilea: {
+ file {
+ '/etc/ferm/conf.d/load_sip_conntrack.conf':
+ source => 'puppet:///modules/ferm/conntrack_sip.conf',
+ require => Package['ferm'],
+ notify => Exec['ferm restart'];
+ }
+ @ferm::rule { 'dsa-sip':
+ domain => '(ip ip6)',
+ description => 'Allow sip access',
+ rule => '&TCP_UDP_SERVICE(5060)'
+ }
+ @ferm::rule { 'dsa-sipx':
+ domain => '(ip ip6)',
+ description => 'Allow sipx access',
+ rule => '&TCP_UDP_SERVICE(5080)'
+ }
+ }
+ scelsi: {
+ @ferm::rule { 'dc11-icecast':
+ domain => '(ip ip6)',
+ description => 'Allow icecast access',
+ rule => '&SERVICE(tcp, 8000)'
+ }
+ }
+ default: {}
}
- }
- case $hostname { rautavaara,luchesi: {
- @ferm::rule { "dsa-to-kfreebsd":
- description => "Traffic routed to kfreebsd hosts",
- chain => 'to-kfreebsd',
- rule => 'proto icmp ACCEPT;
- source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
- source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
- source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
- source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
- source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT
- '
- }
- @ferm::rule { "dsa-from-kfreebsd":
- description => "Traffic routed from kfreebsd vlan/bridge",
- chain => 'from-kfreebsd',
- rule => 'proto icmp ACCEPT;
- proto tcp dport (21 22 80 53 443) ACCEPT;
- proto udp dport (53 123) ACCEPT;
- proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
- proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost
- proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host
- proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT
- '
- }
- }}
- case $hostname {
- rautavaara: {
- @ferm::rule { "dsa-routing":
- description => "forward chain",
- chain => "FORWARD",
- rule => '
- def $ADDRESS_FASCH=194.177.211.201;
- def $ADDRESS_FIELD=194.177.211.210;
- def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
+ if $::hostname in [rautavaara,luchesi] {
+ @ferm::rule { 'dsa-to-kfreebsd':
+ description => 'Traffic routed to kfreebsd hosts',
+ chain => 'to-kfreebsd',
+ rule => 'proto icmp ACCEPT;
+source ($FREEBSD_SSH_ACCESS $HOST_NAGIOS_V4) proto tcp dport 22 ACCEPT;
+source ($HOST_MAILRELAY_V4 $HOST_NAGIOS_V4) proto tcp dport 25 ACCEPT;
+source ($HOST_MUNIN_V4 $HOST_NAGIOS_V4) proto tcp dport 4949 ACCEPT;
+source ($HOST_NAGIOS_V4) proto tcp dport 5666 ACCEPT;
+source ($HOST_NAGIOS_V4) proto udp dport ntp ACCEPT
+'
+ }
+ @ferm::rule { 'dsa-from-kfreebsd':
+ description => 'Traffic routed from kfreebsd vlan/bridge',
+ chain => 'from-kfreebsd',
+ rule => 'proto icmp ACCEPT;
+proto tcp dport (21 22 80 53 443) ACCEPT;
+proto udp dport (53 123) ACCEPT;
+proto tcp dport 8140 daddr 82.195.75.104 ACCEPT; # puppethost
+proto tcp dport 5140 daddr (82.195.75.98 206.12.19.121) ACCEPT; # loghost
+proto tcp dport 11371 daddr 82.195.75.107 ACCEPT; # keyring host
+proto tcp dport (25 submission) daddr ($HOST_MAILRELAY_V4) ACCEPT
+'
+ }
+ }
+ case $::hostname {
+ rautavaara: {
+ @ferm::rule { 'dsa-routing':
+ description => 'forward chain',
+ chain => 'FORWARD',
+ rule => 'def $ADDRESS_FASCH=194.177.211.201;
+def $ADDRESS_FIELD=194.177.211.210;
+def $FREEBSD_HOSTS=($ADDRESS_FASCH $ADDRESS_FIELD);
- policy ACCEPT;
- mod state state (ESTABLISHED RELATED) ACCEPT;
- interface vlan11 outerface eth0 jump from-kfreebsd;
- interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
- ULOG ulog-prefix "REJECT FORWARD: ";
- REJECT reject-with icmp-admin-prohibited
- '
- }
- }
- luchesi: {
- @ferm::rule { "dsa-routing":
- description => "forward chain",
- chain => "FORWARD",
- rule => '
- def $ADDRESS_FANO=206.12.19.110;
- def $ADDRESS_FINZI=206.12.19.111;
- def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI);
+policy ACCEPT;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+interface vlan11 outerface eth0 jump from-kfreebsd;
+interface eth0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
+ULOG ulog-prefix "REJECT FORWARD: ";
+REJECT reject-with icmp-admin-prohibited
+'
+ }
+ }
+ luchesi: {
+ @ferm::rule { 'dsa-routing':
+ description => 'forward chain',
+ chain => 'FORWARD',
+ rule => 'def $ADDRESS_FANO=206.12.19.110;
+def $ADDRESS_FINZI=206.12.19.111;
+def $FREEBSD_HOSTS=($ADDRESS_FANO $ADDRESS_FINZI);
- policy ACCEPT;
- mod state state (ESTABLISHED RELATED) ACCEPT;
- interface br0 outerface br0 ACCEPT;
+policy ACCEPT;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+interface br0 outerface br0 ACCEPT;
- interface br2 outerface br0 jump from-kfreebsd;
- interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
- ULOG ulog-prefix "REJECT FORWARD: ";
- REJECT reject-with icmp-admin-prohibited
- '
- }
- }
- }
+interface br2 outerface br0 jump from-kfreebsd;
+interface br0 destination ($FREEBSD_HOSTS) jump to-kfreebsd;
+ULOG ulog-prefix "REJECT FORWARD: ";
+REJECT reject-with icmp-admin-prohibited
+'
+ }
+ }
+ default: {}
+ }
- # redirect snapshot into varnish
- case $::hostname {
- sibelius: {
- @ferm::rule { "dsa-snapshot-varnish":
- rule => '&SERVICE(tcp, 6081)',
- }
- @ferm::rule { "dsa-nat-snapshot-varnish":
- table => 'nat',
- chain => 'PREROUTING',
- rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
- }
- }
- stabile: {
- @ferm::rule { "dsa-snapshot-varnish":
- rule => '&SERVICE(tcp, 6081)',
- }
- @ferm::rule { "dsa-nat-snapshot-varnish":
- table => 'nat',
- chain => 'PREROUTING',
- rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
- }
- }
- }
+ # redirect snapshot into varnish
+ case $::hostname {
+ sibelius: {
+ @ferm::rule { 'dsa-snapshot-varnish':
+ rule => '&SERVICE(tcp, 6081)',
+ }
+ @ferm::rule { 'dsa-nat-snapshot-varnish':
+ table => 'nat',
+ chain => 'PREROUTING',
+ rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
+ }
+ }
+ stabile: {
+ @ferm::rule { 'dsa-snapshot-varnish':
+ rule => '&SERVICE(tcp, 6081)',
+ }
+ @ferm::rule { 'dsa-nat-snapshot-varnish':
+ table => 'nat',
+ chain => 'PREROUTING',
+ rule => 'proto tcp daddr 206.12.19.150 dport 80 REDIRECT to-ports 6081',
+ }
+ }
+ default: {}
+ }
- if $::rsyncd == 'true' {
- include ferm::rsync
- }
+ if $::rsyncd == true {
+ include ferm::rsync
+ }
}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
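Review bot: The `cilea` branch still declares `notify => Exec['ferm restart']` for `/etc/ferm/conf.d/load_sip_conntrack.conf`, but this commit removes `exec { 'ferm restart' }` from class ferm and replaces it with `service { 'ferm' }`, so on that host the catalog will fail with a missing-dependency error; change the line to `notify => Service['ferm'],`. The comparison `if $::rsyncd == true` replaces `== 'true'`; if that fact arrives as the string `'true'` (the default with stringified facts), the new comparison is always false and `ferm::rsync` is silently never included, leaving the rsync rule out of the firewall on hosts that need it — confirm the fact's type or keep comparing against the string form. The `default: {}` arms added to the `case $::hostname` blocks are fine but could be left out entirely; a `case` with no matching arm is not an error in this manifest dialect.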
class ferm::rsync {
- @ferm::rule { "dsa-rsync":
- domain => "(ip ip6)",
- description => "Allow rsync access",
- rule => "&SERVICE(tcp, 873)"
- }
+ @ferm::rule { 'dsa-rsync':
+ domain => '(ip ip6)',
+ description => 'Allow rsync access',
+ rule => '&SERVICE(tcp, 873)'
+ }
}
--- /dev/null
+define ferm::rule(
+ $rule,
+ $domain='ip',
+ $table='filter',
+ $chain='INPUT',
+ $description='',
+ $prio='00',
+ $notarule=false
+) {
+ file {
+ "/etc/ferm/dsa.d/${prio}_${name}":
+ ensure => present,
+ mode => '0400',
+ content => template('ferm/ferm-rule.erb'),
+ notify => Service['ferm'],
+ }
+}
+
+
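Review bot: The new `ferm::rule` define has no header comment, although it is the module's public interface and four of its parameters (`$domain`, `$table`, `$chain`, `$notarule`) are not used in the visible body and are presumably consumed by `ferm/ferm-rule.erb`. Add a short comment above `define ferm::rule(` describing what a rule is (one fragment written to `/etc/ferm/dsa.d/${prio}_${name}` and reloaded via `Service['ferm']`), how `$prio` orders fragments, and what `$notarule` switches in the template — the last one in particular cannot be guessed from its name. Since the file sets `mode => '0400'` but no `owner`/`group`, a one-line comment noting that those come from the site-wide `File` defaults would save the next reader from wondering whether the omission is deliberate.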
class ferm::zivit {
- @ferm::rule { "dsa-zivit-rrdcollect":
- description => "port 6666 for rrdcollect for zivit",
- rule => "&SERVICE_RANGE(tcp, 6666, ( 10.130.18.71 ))"
- }
- @ferm::rule { "dsa-zivit-zabbix":
- description => "port 10050 for zabbix for zivit",
- rule => "&SERVICE_RANGE(tcp, 10050, ( 10.130.18.76 ))"
- }
- @ferm::rule { "dsa-time":
- description => "Allow time access",
- rule => "&SERVICE_RANGE(tcp, time, \$HOST_NAGIOS_V4)"
- }
+ @ferm::rule { 'dsa-zivit-rrdcollect':
+ description => 'port 6666 for rrdcollect for zivit',
+ rule => '&SERVICE_RANGE(tcp, 6666, ( 10.130.18.71 ))'
+ }
+ @ferm::rule { 'dsa-zivit-zabbix':
+ description => 'port 10050 for zabbix for zivit',
+ rule => '&SERVICE_RANGE(tcp, 10050, ( 10.130.18.76 ))'
+ }
+ @ferm::rule { 'dsa-time':
+ description => 'Allow time access',
+ rule => '&SERVICE_RANGE(tcp, time, \$HOST_NAGIOS_V4)'
+ }
}
@def $HOST_MAILRELAY_V4 = (<%=
mailrelay = []
- localinfo.keys.sort.each do |node|
- if localinfo[node]['mailrelay']
- allnodeinfo[node]['ipHostNumber'].each do |ip|
+ scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::localinfo')[node]['mailrelay']
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
next if ip =~ /:/
mailrelay << ip
end
@def $HOST_MAILRELAY_V6 = (<%=
mailrelay = []
- localinfo.keys.sort.each do |node|
- if localinfo[node]['mailrelay']
- allnodeinfo[node]['ipHostNumber'].each do |ip|
+ scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::localinfo')[node]['mailrelay']
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
next if ip =~ /\./
mailrelay << ip
end
@def $HOST_NAGIOS_V4 = (<%=
nagii = []
- localinfo.keys.sort.each do |node|
- if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient']
- allnodeinfo[node]['ipHostNumber'].each do |ip|
+ scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient']
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
next if ip =~ /:/
nagii << ip
end
@def $HOST_NAGIOS_V6 = (<%=
nagii = []
- localinfo.keys.sort.each do |node|
- if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient']
- allnodeinfo[node]['ipHostNumber'].each do |ip|
+ scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient']
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
next if ip =~ /\./
nagii << ip
end
@def $HOST_MUNIN_V4 = (<%=
munins = []
- localinfo.keys.sort.each do |node|
- if localinfo[node]['muninmaster']
- allnodeinfo[node]['ipHostNumber'].each do |ip|
+ scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::localinfo')[node]['muninmaster']
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
next if ip =~ /:/
munins << ip
end
@def $HOST_MUNIN_V6 = (<%=
munins = []
- localinfo.keys.sort.each do |node|
- if localinfo[node]['muninmaster']
- allnodeinfo[node]['ipHostNumber'].each do |ip|
+ scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::localinfo')[node]['muninmaster']
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
next if ip =~ /\./
munins << ip
end
@def $HOST_DB_V6 = (<%=
dbs = []
- localinfo.keys.sort.each do |node|
- if localinfo[node]['dbmaster']
- allnodeinfo[node]['ipHostNumber'].each do |ip|
+ scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::localinfo')[node]['dbmaster']
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
next if ip =~ /\./
dbs << ip
end
@def $HOST_DB_V4 = (<%=
dbs = []
- localinfo.keys.sort.each do |node|
- if localinfo[node]['dbmaster']
- allnodeinfo[node]['ipHostNumber'].each do |ip|
+ scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::localinfo')[node]['dbmaster']
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
next if ip =~ /:/
dbs << ip
end
@def $HOST_DEBIAN_V4 = (<%=
dbs = []
- allnodeinfo.keys.sort.each do |node|
- next unless allnodeinfo[node].has_key?('ipHostNumber')
- allnodeinfo[node]['ipHostNumber'].each do |ip|
+ scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
+ next unless scope.lookupvar('site::allnodeinfo')[node].has_key?('ipHostNumber')
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
next if ip =~ /:/
dbs << ip
end
@def $HOST_DEBIAN_V6 = (<%=
dbs = []
- allnodeinfo.keys.sort.each do |node|
- next unless allnodeinfo[node].has_key?('ipHostNumber')
- allnodeinfo[node]['ipHostNumber'].each do |ip|
+ scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
+ next unless scope.lookupvar('site::allnodeinfo')[node].has_key?('ipHostNumber')
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
next if ip =~ /\./
dbs << ip
end
%>);
def $MUNIN6_IPS = (<%=
begin
- v6ips == 'no' ? '' : v6ips.split(',').join(' ')
+ v6ips == '' ? '' : v6ips.split(',').join(' ')
rescue
''
end
restricted_purposes = {'kvm host', 'central syslog server', 'puppet master', 'jumphost'}
restrict_ssh = %w{lebrun logtest01 geo1 geo2 geo3 beethoven tchaikovsky schroeder rossini draghi}
-if (nodeinfo['ldap'].has_key?('purpose')) then
- nodeinfo['ldap']['purpose'].each do |purp|
+if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('purpose')) then
+ scope.lookupvar('site::nodeinfo')['ldap']['purpose'].each do |purp|
if restricted_purposes.include?(purp) then
restrict_ssh << hostname
end
smtp4allowed = []
smtp6allowed = []
-if not nodeinfo['smarthost'].empty?
+if not scope.lookupvar('site::nodeinfo')['smarthost'].empty?
smtp4allowed << %w{$HOST_MAILRELAY_V4 $HOST_NAGIOS_V4}
smtp6allowed << %w{$HOST_MAILRELAY_V6 $HOST_NAGIOS_V6}
end
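Review bot: Every loop body in this template now calls `scope.lookupvar('site::localinfo')` or `scope.lookupvar('site::allnodeinfo')` on each iteration — up to three times per line in the `$HOST_NAGIOS` conditions — which is repetitive and hides which hash is actually being walked; the same pattern appears in the exim router template and the motd template in this commit. Look the hashes up once at the top of the template, `localinfo = scope.lookupvar('site::localinfo')` and `allnodeinfo = scope.lookupvar('site::allnodeinfo')`, and leave the loop bodies as they were. The migration also appears incomplete in the motd template, where `extra += "Please contact #{nodeinfo['ldap']['admin'][0]} ..."` still dereferences the bare `nodeinfo` and will raise once that template variable is no longer set. While touching the `$HOST_MAILRELAY`/`$HOST_NAGIOS`/`$HOST_MUNIN`/`$HOST_DB` loops, consider the `has_key?('ipHostNumber')` guard that the `$HOST_DEBIAN` loops already use, so one node record without that attribute does not abort rendering of the whole firewall definitions file.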
--- /dev/null
+class hardware {
+ if $::smartarraycontroller {
+ include debian::proliant
+ }
+
+ if $::productname == 'PowerEdge 2850' {
+ include megactl
+ }
+
+ if $::mptraid {
+ include raidmpt
+ }
+
+}
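Review bot: The new `hardware` class is undocumented; a one-line header above `class hardware {`, such as `# Vendor-specific RAID/management tooling, selected by facter hardware facts`, would tell the reader why three otherwise unrelated includes sit together, and a trailing comment on the `PowerEdge 2850` match explaining why only that model needs `megactl` would help even more. Please also confirm that `debian::proliant` is the class name now provided by the repository, since an unknown class name here only fails at compile time on hosts that report `$::smartarraycontroller`. The blank line before the closing brace can be dropped.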
class hosts {
-
- file {
- "/etc/hosts": content => template("hosts/etc-hosts.erb");
- }
+ file { '/etc/hosts':
+ content => template('hosts/etc-hosts.erb')
+ }
}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
class kfreebsd {
- file {
- "/etc/cron.d/dsa-killruby":
- source => [ "puppet:///modules/kfreebsd/dsa-killruby" ],
- ;
- }
- sysctl {
- "maxfiles" :
- key => "kern.maxfiles",
- value => 65536,
- }
+ file { '/etc/cron.d/dsa-killruby':
+ source => 'puppet:///modules/kfreebsd/dsa-killruby',
+ }
+
+ site::sysctl { 'maxfiles':
+ key => 'kern.maxfiles',
+ value => 65536,
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
class megactl {
- package {
- megactl: ensure => installed;
- }
- file {
- "/etc/apt/sources.list.d/debian.restricted.list":
- content => template("debian-org/etc/apt/sources.list.d/debian.restricted.list.erb"),
- notify => Exec["apt-get update"];
- }
+ package { 'megactl':
+ ensure => installed
+ }
+
+ site::aptrepo { 'debian.restricted':
+ template => 'debian-org/etc/apt/sources.list.d/debian.restricted.list.erb',
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
class monit {
- package { "monit": ensure => installed }
- $cmd = $::lsbdistcodename ? {
- 'sid' => '/usr/bin/monit',
- 'wheezy' => '/usr/bin/monit',
- default => '/usr/sbin/monit',
- }
-
- augeas { "inittab":
- context => "/files/etc/inittab",
- changes => [ "set mo/runlevels 2345",
- "set mo/action respawn",
- "set mo/process \"$cmd -d 300 -I -c /etc/monit/monitrc -s /var/lib/monit/monit.state\"",
- ],
- notify => Exec["init q"],
- }
-
- file {
- #"/etc/rc2.d/K99monit":
- # ensure => "../init.d/monit";
- #"/etc/rc2.d/S99monit":
- # ensure => absent;
-
- "/etc/monit/":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- purge => true
- ;
-
- "/etc/monit/monitrc":
- content => template("monit/monitrc.erb"),
- require => Package["monit"],
- notify => Exec["monit stop"],
- mode => 400
- ;
-
- "/etc/monit/monit.d":
- ensure => directory,
- owner => root,
- group => root,
- mode => 750,
- purge => true
- ;
-
- "/etc/monit/monit.d/01puppet":
- source => "puppet:///modules/monit/puppet",
- require => Package["monit"],
- notify => Exec["monit stop"],
- mode => 440
- ;
-
- "/etc/monit/monit.d/00debian.org":
- source => "puppet:///modules/monit/debianorg",
- require => Package["monit"],
- notify => Exec["monit stop"],
- mode => 440
- ;
-
- "/etc/default/monit":
- content => template("monit/default.erb"),
- require => Package["monit"],
- notify => Exec["monit stop"]
- ;
- }
- exec { "monit stop":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
+ package { 'monit':
+ ensure => installed
+ }
+
+ $cmd = $::lsbdistcodename ? {
+ 'sid' => '/usr/bin/monit',
+ 'wheezy' => '/usr/bin/monit',
+ default => '/usr/sbin/monit',
+ }
+
+ augeas { 'inittab':
+ context => '/files/etc/inittab',
+ changes => [ 'set mo/runlevels 2345',
+ 'set mo/action respawn',
+ "set mo/process \"$cmd -d 300 -I -c /etc/monit/monitrc -s /var/lib/monit/monit.state\"",
+ ],
+ notify => Exec['init q'],
+ }
+
+ file { [ '/etc/monit/', '/etc/monit/monit.d']:
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => '0755',
+ purge => true,
+ notify => Exec['monit stop'],
+ require => Package['monit'],
+ }
+ file { '/etc/monit/monitrc':
+ content => template('monit/monitrc.erb'),
+ mode => '0400'
+ }
+ file { '/etc/monit/monit.d/01puppet':
+ source => 'puppet:///modules/monit/puppet',
+ mode => '0440'
+ }
+ file { '/etc/monit/monit.d/00debian.org':
+ source => 'puppet:///modules/monit/debianorg',
+ mode => '0440'
+ }
+ file { '/etc/default/monit':
+ content => template('monit/default.erb'),
+ require => Package['monit'],
+ notify => Exec['monit stop']
+ }
+
+ exec { 'monit stop':
+ path => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
+ refreshonly => true,
+ }
}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
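Review bot: `/etc/monit/monit.d` is now created with `mode => '0755'` where the removed code used `750`, so the directory holding the `0440` monit fragments becomes listable by every local user; as far as the manifest shows only root reads it, so keep the tighter mode, e.g. `file { [ '/etc/monit/', '/etc/monit/monit.d']:` with `mode => '0750',`, or split the two directories back into separate resources if `/etc/monit/` itself must stay world-traversable. `/etc/monit/monitrc`, `monit.d/01puppet` and `monit.d/00debian.org` lost their `notify => Exec['monit stop']` and `require => Package['monit']`; the `notify` on the non-recursive directory resources does not fire for changes inside them, so unless a chain outside this hunk restores it, a changed monitrc is written but no longer picked up until monit is restarted by other means. `purge => true` on those directories (carried over from the old code) has no effect without `recurse => true`; either add it deliberately or drop the parameter so it does not suggest a cleanup that is not happening.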
class motd {
- file { "/etc/motd.tail":
- notify => Exec["updatemotd"],
- content => template("motd/motd.erb") ;
- "/etc/motd":
- ensure => "/var/run/motd";
+
+ file { '/etc/motd.tail':
+ notify => Exec['updatemotd'],
+ content => template('motd/motd.erb')
+ }
+ file { '/etc/motd':
+ ensure => link,
+ target => '/var/run/motd'
+ }
+
+ exec { 'updatemotd':
+ command => 'uname -snrvm > /var/run/motd && cat /etc/motd.tail >> /var/run/motd',
+ refreshonly => true,
}
- exec { "updatemotd":
- command => "uname -snrvm > /var/run/motd && cat /etc/motd.tail >> /var/run/motd",
- refreshonly => true
- }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
end
purp = ''
-if nodeinfo.has_key?('nameinfo')
- purp += wrap(nodeinfo['nameinfo']) + "\n\n"
+if scope.lookupvar('site::nodeinfo').has_key?('nameinfo')
+ purp += wrap(scope.lookupvar('site::nodeinfo')['nameinfo']) + "\n\n"
end
purp += 'Welcome to ' + fqdn
-if (nodeinfo['ldap'].has_key?('purpose'))
- p = nodeinfo['ldap']['purpose'].clone()
+if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('purpose'))
+ p = scope.lookupvar('site::nodeinfo')['ldap']['purpose'].clone()
extra = ''
if p.delete('buildd')
purp += ", the Debian "
- if nodeinfo['ldap'].has_key?('architecture')
- purp += nodeinfo['ldap']['architecture'][0]
+ if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture')
+ purp += scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0]
end
purp += " build daemon"
end
if p.delete('porterbox')
purp += ", the Debian "
- if nodeinfo['ldap'].has_key?('architecture')
- purp += nodeinfo['ldap']['architecture'][0]
+ if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture')
+ purp += scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0]
end
purp += " porterbox"
extra += "\n"
extra += "See 'dchroot -l' or 'schroot -l' for a list of available chroots.\n"
- if nodeinfo['ldap'].has_key?('admin')
+ if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('admin')
extra += "Please contact #{nodeinfo['ldap']['admin'][0]} for install requests,\n"
extra += "following the recommendations in <URL:http://dsa.debian.org/doc/install-req/>.\n"
end
if p.size() > 0
purp += ", used for the following services:\n"
- nodeinfo['ldap']['purpose'].sort.each do |l|
+ scope.lookupvar('site::nodeinfo')['ldap']['purpose'].sort.each do |l|
l = markup(l)
purp += "\t" + l + "\n"
end
purp += "\n"
-if (nodeinfo['ldap'].has_key?('physicalHost'))
+if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('physicalHost'))
purp += wrap("This virtual server runs on the physical host #{nodeinfo['ldap']['physicalHost'][0]}, " +
"which is hosted at #{nodeinfo['hoster']['longname']}."
)
-elsif nodeinfo['hoster']['name']
+elsif scope.lookupvar('site::nodeinfo')['hoster']['name']
purp += wrap("This server is hosted at #{nodeinfo['hoster']['longname']}.")
end
vms = []
-allnodeinfo.keys.sort.each do |node|
- if allnodeinfo[node]['physicalHost'] and allnodeinfo[node]['physicalHost'].include?(fqdn)
+scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::allnodeinfo')[node]['physicalHost'] and scope.lookupvar('site::allnodeinfo')[node]['physicalHost'].include?(fqdn)
vms << node
end
end
purp += "\nThe following virtual machines run on this system:\n"
vms.each do |node|
purp += "\t- #{node}"
- if allnodeinfo[node]['purpose']
+ if scope.lookupvar('site::allnodeinfo')[node]['purpose']
purp += ":\n"
- allnodeinfo[node]['purpose'].sort.each do |l|
+ scope.lookupvar('site::allnodeinfo')[node]['purpose'].sort.each do |l|
l = markup(l)
purp += "\t " + l + "\n"
end
end
-if nodeinfo.has_key?('footer')
- purp += "\n" + wrap(nodeinfo['footer']) + "\n"
+if scope.lookupvar('site::nodeinfo').has_key?('footer')
+ purp += "\n" + wrap(scope.lookupvar('site::nodeinfo')['footer']) + "\n"
end
purp
-%>
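Review bot: The unchanged lines that build the "Please contact …", "This virtual server runs on the physical host …" and "This server is hosted at …" messages still interpolate the bare `nodeinfo` variable (`#{nodeinfo['ldap']['admin'][0]}`, `#{nodeinfo['hoster']['longname']}`), while every other reference in this hunk was moved to `scope.lookupvar('site::nodeinfo')`. If `nodeinfo` is no longer resolvable in the template scope, rendering fails with an undefined variable/method error on exactly the hosts that reach those branches (porterboxes with an admin set, VMs, hosted machines). Binding the lookup once near the top of the template, `nodeinfo = scope.lookupvar('site::nodeinfo')` and `allnodeinfo = scope.lookupvar('site::allnodeinfo')`, would fix the leftovers and replace the dozen repeated `scope.lookupvar` calls with the original names. The template body begins before this hunk.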
+++ /dev/null
-#!/bin/sh
-
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# Calls the appropriate df plugin while filtering out short-lived entries
-# like the sbuild/schroot filesystems.
-
-# Copyright 2011 Peter Palfrader
-#
-# Permission is hereby granted, free of charge, to any person obtaining
-# a copy of this software and associated documentation files (the
-# "Software"), to deal in the Software without restriction, including
-# without limitation the rights to use, copy, modify, merge, publish,
-# distribute, sublicense, and/or sell copies of the Software, and to
-# permit persons to whom the Software is furnished to do so, subject to
-# the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-case "${0##*/}" in
- df) plugin=/usr/share/munin/plugins/df ; filter='^_dev\.|^_run|^_lib_init_rw|_sbuild_|_schroot_' ;;
- df_abs) plugin=/usr/share/munin/plugins/df_abs ; filter='^tmpfs|^udev|_sbuild_|_schroot_' ;;
- df_inode) plugin=/usr/share/munin/plugins/df_inode ; filter='^_dev\.|^_run|^_lib_init_rw|_sbuild_|_schroot_' ;;
- *) echo >&2 "$0: Do not know which plugin to call based on script name."; exit 1 ;;
-esac
-
-"$plugin" "$@" | egrep -v "$filter"
+++ /dev/null
-define activate_munin_check($ensure=present, $script = none) {
- case $script {
- none: { $link = $name }
- default: { $link = $script }
- }
-
- case $ensure {
- present: {
- file { "/etc/munin/plugins/$name":
- ensure => "/usr/share/munin/plugins/$link",
- notify => Exec["munin-node restart"];
- }
- }
- default: {
- file { "/etc/munin/plugins/$name":
- ensure => $ensure,
- notify => Exec["munin-node restart"];
- }
- }
- }
-}
-
-class munin-node {
-
- package { munin-node: ensure => installed }
-
- activate_munin_check {
- "cpu":;
- "entropy":;
- "forks":;
- "interrupts":;
- "iostat":;
- "irqstats":;
- "load":;
- "memory":;
- "ntp_offset":;
- "ntp_states":;
- "open_files":;
- "open_inodes":;
- "processes":;
- "swap":;
- "uptime":;
- "vmstat":;
- }
-
- case $spamd {
- "true": {
- activate_munin_check { "spamassassin":; }
- }
- }
-
- case $vsftpd {
- "true": {
- package {
- "logtail": ensure => installed;
- }
- activate_munin_check {
- "vsftpd":;
- "ps_vsftpd": script => "ps_";
- }
- }
- }
-
- file {
- "/etc/munin/munin-node.conf":
- content => template("munin-node/munin-node.conf.erb"),
- require => Package["munin-node"],
- notify => Exec["munin-node restart"];
-
- "/etc/munin/plugin-conf.d/munin-node":
- content => template("munin-node/munin-node.plugin.conf.erb"),
- require => Package["munin-node"],
- notify => Exec["munin-node restart"];
-
- "/etc/munin/plugins/df":
- source => "puppet:///modules/munin-node/df-wrap",
- mode => 555,
- require => Package["munin-node"],
- notify => Exec["munin-node restart"]
- ;
- "/etc/munin/plugins/df_abs":
- source => "puppet:///modules/munin-node/df-wrap",
- mode => 555,
- require => Package["munin-node"],
- notify => Exec["munin-node restart"]
- ;
- "/etc/munin/plugins/df_inode":
- source => "puppet:///modules/munin-node/df-wrap",
- mode => 555,
- require => Package["munin-node"],
- notify => Exec["munin-node restart"]
- ;
- }
-
- exec { "munin-node restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
- @ferm::rule { "dsa-munin-v4":
- description => "Allow munin from munin master",
- rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }",
- notarule => true,
- }
- @ferm::rule { "dsa-munin-v6":
- description => "Allow munin from munin master",
- domain => "ip6",
- rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }",
- notarule => true,
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+++ /dev/null
-class munin-node::master inherits munin-node {
-
- package { munin: ensure => installed }
-
- file {
- "/etc/munin/munin.conf":
- content => template("munin-node/munin.conf.erb"),
- require => Package["munin"];
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#
-# Example config-file for munin-node
-#
-
-log_level 4
-log_file /var/log/munin/munin-node.log
-port 4949
-pid_file /var/run/munin/munin-node.pid
-background 1
-setsid 1
-
-# Which port to bind to;
-host *
-user root
-group root
-setsid yes
-
-# Regexps for files to ignore
-
-ignore_file ~$
-ignore_file \.bak$
-ignore_file %$
-ignore_file \.dpkg-(tmp|new|old|dist)$
-ignore_file \.rpm(save|new)$
-
-# Set this if the client doesn't report the correct hostname when
-# telnetting to localhost, port 4949
-#
-#host_name localhost.localdomain
-
-# A list of addresses that are allowed to connect. This must be a
-# regular expression, due to brain damage in Net::Server, which
-# doesn't understand CIDR-style network notation. You may repeat
-# the allow line as many times as you'd like
-
-<%=
-str = ''
-localinfo.keys.sort.each do |node|
- if localinfo[node]['muninmaster']
- allnodeinfo[node]['ipHostNumber'].each do |ip|
- str += "allow ^" + ip.split('.').join('\.') + "$\n"
- end
- end
-end
-str
--%>
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-[apt]
-user root
-
-[courier_mta_mailqueue]
-group daemon
-
-[courier_mta_mailstats]
-group adm, maillog
-
-[courier_mta_mailvolume]
-group adm, maillog
-
-[cps*]
-user root
-<%=
-out = ""
-if has_variable?("mta") and mta == "exim4"
- out="
-[exim_mail*]
-user Debian-exim
-group maillog"
-end
-out
-%>
-<%=
-out = ""
-if has_variable?("vsftpd") and vsftpd == "true"
- out="
-[vsftpd]
-user root
-"
-end
-out
-%>
-[fw_conntrack]
-user root
-
-[fw_forwarded_local]
-user root
-
-[hddtemp_smartctl]
-user root
-
-[if_*]
-user root
-
-[if_err_*]
-user nobody
-
-[ip_*]
-user root
-
-[ip6_*]
-user root
-
-[mysql*]
-user root
-env.mysqlopts --defaults-extra-file=/etc/mysql/debian.cnf
-
-[df*]
-env.exclude none unknown iso9660 squashfs udf romfs ramfs debugfs
-env.warning 92
-env.critical 98
-
-<%=
-out = ""
-if has_variable?("mta") and mta == "postfix"
- out="
-[postfix_mailqueue]
-user postfix
-
-[postfix_mailstats]
-group adm, maillog
-
-[postfix_mailvolume]
-group adm, maillog
-env.logfile mail.log"
-end
-out
-%>
-
-[smart_*]
-user root
-
-[vlan*]
-user root
-
-[spamassassin]
-group maillog
-
-[bind*]
-group bind
-<%=
-out = case hostname
- when "geo1","geo2","geo3" then "env.logfile /var/log/bind9/geoip-query.log"
- else "env.logfile /var/log/bind9/named-query.log"
-end
-out
-%>
-
-# filter out all the short-lived sbuild/schroot filesystems for diskstats:
-[diskstats]
-env.exclude sbuild,schroot
+++ /dev/null
-##
-### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-### USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-dbdir /var/lib/munin
-htmldir /var/cache/munin/www
-logdir /var/log/munin
-rundir /var/run/munin
-tmpldir /etc/munin/templates
-graph_strategy cgi
-
-<%= out = ''
- localinfo.keys.sort.each do |node|
- if not localinfo[node]['no_munin']
- out += '[' + node + ']
- address ' + node + '
-
-'
- end
- end
-out
-%>
--- /dev/null
+#!/bin/sh
+
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+# Calls the appropriate df plugin while filtering out short-lived entries
+# like the sbuild/schroot filesystems.
+
+# Copyright 2011 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+case "${0##*/}" in
+ df) plugin=/usr/share/munin/plugins/df ; filter='^_dev\.|^_run|^_lib_init_rw|_sbuild_|_schroot_' ;;
+ df_abs) plugin=/usr/share/munin/plugins/df_abs ; filter='^tmpfs|^udev|_sbuild_|_schroot_' ;;
+ df_inode) plugin=/usr/share/munin/plugins/df_inode ; filter='^_dev\.|^_run|^_lib_init_rw|_sbuild_|_schroot_' ;;
+ *) echo >&2 "$0: Do not know which plugin to call based on script name."; exit 1 ;;
+esac
+
+"$plugin" "$@" | egrep -v "$filter"
--- /dev/null
+define munin::check($ensure = present, $script = undef) {
+
+ if $script {
+ $link = $script
+ } else {
+ $link = $name
+ }
+
+ $link_target = $ensure ? {
+ present => "/usr/share/munin/plugins/${link}"
+ absent => absent,
+ default => err ( "Unknown ensure value: '$ensure'" ),
+ }
+
+ file { "/etc/munin/plugins/${name}":
+ ensure => $link_target,
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+}
+
+
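Review bot: The selector that assigns `$link_target` is missing a comma after `present => "/usr/share/munin/plugins/${link}"`, so the define does not parse; it should read `present => "/usr/share/munin/plugins/${link}",`. The `default => err ( "Unknown ensure value: '$ensure'" )` arm is also doubtful: `err` is a logging function rather than one that returns a value, and in this Puppet generation such functions are rejected when used as an rvalue, so the arm would not abort the catalog as intended. Moving the check into a `case $ensure` block whose `default:` arm calls `fail("Unknown ensure value: '${ensure}'")` gives the intended hard failure on an unexpected value. Using a path as `ensure` relies on the legacy "ensure is a symlink target" shorthand; `ensure => link, target => "/usr/share/munin/plugins/${link}"` in the `present` branch states the intent explicitly.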
--- /dev/null
+class munin {
+
+ package { 'munin-node':
+ ensure => installed
+ }
+
+ service { 'munin-node':
+ ensure => running,
+ require => Package['munin-node'],
+ }
+
+ file { '/etc/munin/munin-node.conf':
+ content => template('munin/munin-node.conf.erb')
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+
+ file { '/etc/munin/plugin-conf.d/munin-node':
+ content => template('munin/munin-node.plugin.conf.erb'),
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+
+ file { [ '/etc/munin/plugins/df', '/etc/munin/plugins/df_abs', '/etc/munin/plugins/df_inode' ]:
+ source => 'puppet:///modules/munin/df-wrap',
+ mode => '0555',
+ require => Package['munin-node'],
+ notify => Service['munin-node'],
+ }
+
+ @ferm::rule { 'dsa-munin-v4':
+ description => 'Allow munin from munin master',
+ rule => 'proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }',
+ notarule => true,
+ }
+
+ @ferm::rule { 'dsa-munin-v6':
+ description => 'Allow munin from munin master',
+ domain => 'ip6',
+ rule => 'proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }',
+ notarule => true,
+ }
+}
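Review bot: The `rule` values of `@ferm::rule { 'dsa-munin-v4' }` and `'dsa-munin-v6'` are now single-quoted strings that themselves contain `'munin'`, so the literal ends at `@subchain '` and the manifest no longer parses; in addition `\$` is not an escape sequence in Puppet single-quoted strings, so even with the quotes fixed the rule text would carry a literal backslash into the ferm configuration. Keep the removed double-quoted form, `rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }",`, or escape the inner quotes as `\'munin\'` and write `$HOST_MUNIN_V4` without backslashes. The same quoting change was made to `'dsa-nagios-v4'` and `'dsa-nagios-v6'` in nagios::client below and needs the same fix. Separately, the `/etc/munin/munin-node.conf` resource is missing the comma after `content => template('munin/munin-node.conf.erb')`.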
--- /dev/null
+class munin::master {
+
+ package { 'munin':
+ ensure => installed
+ }
+
+ file { '/etc/munin/munin.conf':
+ content => template('munin/munin.conf.erb'),
+ require => Package['munin'];
+ }
+}
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# Example config-file for munin-node
+#
+
+log_level 4
+log_file /var/log/munin/munin-node.log
+port 4949
+pid_file /var/run/munin/munin-node.pid
+background 1
+setsid 1
+
+# Which port to bind to;
+host *
+user root
+group root
+setsid yes
+
+# Regexps for files to ignore
+
+ignore_file ~$
+ignore_file \.bak$
+ignore_file %$
+ignore_file \.dpkg-(tmp|new|old|dist)$
+ignore_file \.rpm(save|new)$
+
+# Set this if the client doesn't report the correct hostname when
+# telnetting to localhost, port 4949
+#
+#host_name localhost.localdomain
+
+# A list of addresses that are allowed to connect. This must be a
+# regular expression, due to brain damage in Net::Server, which
+# doesn't understand CIDR-style network notation. You may repeat
+# the allow line as many times as you'd like
+
+<%=
+str = ''
+scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::localinfo')[node]['muninmaster']
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
+ str += "allow ^" + ip.split('.').join('\.') + "$\n"
+ end
+ end
+end
+str
+-%>
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+[apt]
+user root
+
+[courier_mta_mailqueue]
+group daemon
+
+[courier_mta_mailstats]
+group adm, maillog
+
+[courier_mta_mailvolume]
+group adm, maillog
+
+[cps*]
+user root
+<%=
+out = ""
+if has_variable?("mta") and mta == "exim4"
+ out="
+[exim_mail*]
+user Debian-exim
+group maillog"
+end
+out
+%>
+<%=
+out = ""
+if has_variable?("vsftpd") and vsftpd == "true"
+ out="
+[vsftpd]
+user root
+"
+end
+out
+%>
+[fw_conntrack]
+user root
+
+[fw_forwarded_local]
+user root
+
+[hddtemp_smartctl]
+user root
+
+[if_*]
+user root
+
+[if_err_*]
+user nobody
+
+[ip_*]
+user root
+
+[ip6_*]
+user root
+
+[mysql*]
+user root
+env.mysqlopts --defaults-extra-file=/etc/mysql/debian.cnf
+
+[df*]
+env.exclude none unknown iso9660 squashfs udf romfs ramfs debugfs
+env.warning 92
+env.critical 98
+
+<%=
+out = ""
+if has_variable?("mta") and mta == "postfix"
+ out="
+[postfix_mailqueue]
+user postfix
+
+[postfix_mailstats]
+group adm, maillog
+
+[postfix_mailvolume]
+group adm, maillog
+env.logfile mail.log"
+end
+out
+%>
+
+[smart_*]
+user root
+
+[vlan*]
+user root
+
+[spamassassin]
+group maillog
+
+[bind*]
+group bind
+<%=
+out = case hostname
+ when "geo1","geo2","geo3" then "env.logfile /var/log/bind9/geoip-query.log"
+ else "env.logfile /var/log/bind9/named-query.log"
+end
+out
+%>
+
+# filter out all the short-lived sbuild/schroot filesystems for diskstats:
+[diskstats]
+env.exclude sbuild,schroot
--- /dev/null
+##
+### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+### USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+dbdir /var/lib/munin
+htmldir /var/cache/munin/www
+logdir /var/log/munin
+rundir /var/run/munin
+tmpldir /etc/munin/templates
+graph_strategy cgi
+
+<%= out = ''
+ scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if not scope.lookupvar('site::localinfo')[node]['no_munin']
+ out += '[' + node + ']
+ address ' + node + '
+
+'
+ end
+ end
+out
+%>
class nagios::client inherits nagios {
- package {
- dsa-nagios-nrpe-config: ensure => purged;
- dsa-nagios-checks: ensure => installed;
- }
- file {
- "/etc/default/nagios-nrpe-server":
- source => [ "puppet:///modules/nagios/per-host/$fqdn/default",
- "puppet:///modules/nagios/common/default" ],
- require => Package["nagios-nrpe-server"],
- notify => Exec["nagios-nrpe-server restart"],
- ;
- "/etc/default/nagios-nrpe":
- ensure => absent,
- notify => Exec["nagios-nrpe-server restart"],
- ;
- "/etc/nagios/nrpe.cfg":
- content => template("nagios/nrpe.cfg.erb"),
- require => Package["nagios-nrpe-server"],
- notify => Exec["service nagios-nrpe-server reload"],
- ;
- "/etc/nagios/nrpe.d":
- mode => 755,
- require => Package["nagios-nrpe-server"],
- ensure => directory,
- ;
- "/etc/nagios/nrpe.d/debianorg.cfg":
- content => template("nagios/inc-debian.org.erb"),
- require => Package["nagios-nrpe-server"],
- notify => Exec["service nagios-nrpe-server reload"],
- ;
- "/etc/nagios/nrpe.d/nrpe_dsa.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/generated/nrpe_dsa.cfg" ],
- require => Package["dsa-nagios-checks"],
- notify => Exec["service nagios-nrpe-server reload"],
- ;
+ package { 'dsa-nagios-nrpe-config':
+ ensure => purged
+ }
+ package { 'dsa-nagios-checks':
+ ensure => installed
+ }
- "/etc/nagios/obsolete-packages-ignore":
- source => [ "puppet:///modules/nagios/per-host/$fqdn/obsolete-packages-ignore",
- "puppet:///modules/nagios/common/obsolete-packages-ignore" ],
- require => Package["dsa-nagios-checks"],
- ;
+ service { 'nagios-nrpe-server':
+ ensure => running,
+ hasstatus => false,
+ pattern => 'nrpe',
+ }
- "/etc/nagios/obsolete-packages-ignore.d/hostspecific":
- content => template("nagios/obsolete-packages-ignore.d-hostspecific.erb"),
- require => Package["dsa-nagios-checks"],
- ;
- }
+ @ferm::rule { 'dsa-nagios-v4':
+ description => 'Allow nrpe from nagios master',
+ rule => 'proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }',
+ notarule => true,
+ }
+ @ferm::rule { 'dsa-nagios-v6':
+ description => 'Allow nrpe from nagios master',
+ domain => 'ip6',
+ rule => 'proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }',
+ notarule => true,
+ }
- exec {
- "nagios-nrpe-server restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- ;
- "service nagios-nrpe-server reload":
-# remove after lenny EOL (lenny has no service binary)
-# -cut-
- command => "/etc/init.d/nagios-nrpe-server reload",
-# -cut-
- refreshonly => true,
- ;
- }
+ file { '/etc/default/nagios-nrpe-server':
+ source => 'puppet:///modules/nagios/common/default',
+ require => Package['nagios-nrpe-server'],
+ notify => Service['nagios-nrpe-server'],
+ }
+ file { '/etc/default/nagios-nrpe':
+ ensure => absent,
+ notify => Service['nagios-nrpe-server'],
+ }
+ file { '/etc/nagios/':
+ ensure => directory,
+ require => Package['nagios-nrpe-server'],
+ notify => Service['nagios-nrpe-server'],
+ }
+ file { '/etc/nagios/nrpe.cfg':
+ content => template('nagios/nrpe.cfg.erb'),
+ }
+ file { '/etc/nagios/nrpe.d':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/nagios/nrpe.d/debianorg.cfg':
+ content => template('nagios/inc-debian.org.erb'),
+ }
+ file { '/etc/nagios/nrpe.d/nrpe_dsa.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/generated/nrpe_dsa.cfg',
+ }
+ file { '/etc/nagios/obsolete-packages-ignore':
+ source => 'puppet:///modules/nagios/common/obsolete-packages-ignore',
+ require => Package['dsa-nagios-checks'],
+ }
+ file { '/etc/nagios/obsolete-packages-ignore.d/hostspecific':
+ content => template('nagios/obsolete-packages-ignore.d-hostspecific.erb'),
+ require => Package['dsa-nagios-checks'],
+ }
- @ferm::rule {
- "dsa-nagios-v4":
- description => "Allow nrpe from nagios master",
- rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }",
- notarule => true,
- ;
- "dsa-nagios-v6":
- description => "Allow nrpe from nagios master",
- domain => "ip6",
- rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }",
- notarule => true,
- ;
- }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
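Review bot: `/etc/nagios/nrpe.cfg`, `/etc/nagios/nrpe.d/debianorg.cfg` and `/etc/nagios/nrpe.d/nrpe_dsa.cfg` lost the `notify => Exec["service nagios-nrpe-server reload"]` the removed lines carried and received no `notify => Service['nagios-nrpe-server']` in return, so NRPE keeps serving stale command definitions (including the generated nrpe_dsa.cfg checks) until something else restarts it. The `notify` on the `/etc/nagios/` directory resource does not help: without `recurse` it fires only for changes to the directory itself, not to files inside it. Add `notify => Service['nagios-nrpe-server'],` to each of the three resources; if a reload rather than a restart is wanted, give the service an explicit `restart` command so the notification stays a reload. The `rule` strings of the two `@ferm::rule` resources have the unterminated single-quote problem already noted on the munin class.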
class nagios {
- package {
- nagios-nrpe-server: ensure => installed;
+ package { 'nagios-nrpe-server':
+ ensure => installed
}
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
-class nagios::server inherits nagios::client {
- package {
- nagios3: ensure => installed;
- nagios-nrpe-plugin: ensure => installed;
- nagios-plugins: ensure => installed;
- nagios-images: ensure => installed;
- }
-
- file {
- "/etc/nagios-plugins/config/local-dsa-checkcommands.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/static/checkcommands.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
- "/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/static/eventhandlers.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
-
- "/etc/nagios3/cgi.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/static/cgi.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
- "/etc/nagios3/nagios.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/static/nagios.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
+class nagios::server {
- "/etc/nagios3/puppetconf.d":
- mode => 755,
- require => Package["nagios3"],
- ensure => directory;
-
- "/etc/nagios3/puppetconf.d/contacts.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/contacts.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
- "/etc/nagios3/puppetconf.d/generic-host.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-host.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
- "/etc/nagios3/puppetconf.d/generic-service.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-service.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
- "/etc/nagios3/puppetconf.d/timeperiods.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/static/conf.d/timeperiods.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
-
- "/etc/nagios3/puppetconf.d/auto-dependencies.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-dependencies.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
- "/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hostextinfo.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
- "/etc/nagios3/puppetconf.d/auto-hostgroups.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hostgroups.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
- "/etc/nagios3/puppetconf.d/auto-hosts.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-hosts.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
- "/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-serviceextinfo.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
- "/etc/nagios3/puppetconf.d/auto-servicegroups.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-servicegroups.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
- "/etc/nagios3/puppetconf.d/auto-services.cfg":
- source => [ "puppet:///modules/nagios/dsa-nagios/generated/auto-services.cfg" ],
- require => Package["nagios3"],
- notify => Exec["nagios3 reload"];
+ package { [
+ 'nagios3',
+ 'nagios-nrpe-plugin',
+ 'nagios-plugins',
+ 'nagios-images'
+ ]
+ ensure => installed
+ }
+ service { 'nagios3':
+ ensure => running,
}
- exec { "nagios3 reload":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
+ file { '/etc/nagios-plugins/config':
+ ensure => directory,
+ require => Package['nagios3'],
+ notify => Service['nagios3'],
+ }
+ file { '/etc/nagios3':
+ ensure => directory,
+ require => Package['nagios3'],
+ notify => Service['nagios3'],
+ }
+ file { '/etc/nagios3/puppetconf.d':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/nagios-plugins/config/local-dsa-checkcommands.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/static/checkcommands.cfg',
+ }
+ file { '/etc/nagios-plugins/config/local-dsa-eventhandlers.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/static/eventhandlers.cfg',
+ }
+ file { '/etc/nagios3/cgi.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/static/cgi.cfg',
+ }
+ file { '/etc/nagios3/nagios.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/static/nagios.cfg',
+ }
+ file { '/etc/nagios3/puppetconf.d/contacts.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/contacts.cfg',
+ }
+ file { '/etc/nagios3/puppetconf.d/generic-host.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-host.cfg',
+ }
+ file { '/etc/nagios3/puppetconf.d/generic-service.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/generic-service.cfg',
+ }
+ file { '/etc/nagios3/puppetconf.d/timeperiods.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/static/conf.d/timeperiods.cfg',
+ }
+ file { '/etc/nagios3/puppetconf.d/auto-dependencies.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-dependencies.cfg',
+ }
+ file { '/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostextinfo.cfg',
+ }
+ file { '/etc/nagios3/puppetconf.d/auto-hostgroups.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hostgroups.cfg',
+ }
+ file { '/etc/nagios3/puppetconf.d/auto-hosts.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-hosts.cfg',
+ }
+ file { '/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-serviceextinfo.cfg',
+ }
+ file { '/etc/nagios3/puppetconf.d/auto-servicegroups.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-servicegroups.cfg',
+ }
+ file { '/etc/nagios3/puppetconf.d/auto-services.cfg':
+ source => 'puppet:///modules/nagios/dsa-nagios/generated/auto-services.cfg',
}
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
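Review bot: The package declaration `package { [ 'nagios3', 'nagios-nrpe-plugin', 'nagios-plugins', 'nagios-images' ] ensure => installed }` is missing the `:` after the closing bracket, so the class fails to parse; the line should be `]:`. Separately, none of the cfg resources under `/etc/nagios-plugins/config` and `/etc/nagios3` carry `notify => Service['nagios3']`, whereas the removed lines notified `Exec["nagios3 reload"]` on every one of them; a notify on the parent directory fires only for changes to the directory itself, so updated host, service and dependency definitions are not picked up until nagios3 is restarted by other means. Adding `notify => Service['nagios3'],` to each config resource restores the previous behavior. The class also no longer `inherits nagios::client`; if the master host is still only given `nagios::server` by site.pp, it loses its own NRPE configuration — worth confirming against the caller.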
<%=
nagii = []
-localinfo.keys.sort.each do |node|
- if localinfo[node]['nagiosmaster'] or localinfo[node]['extranrpeclient']
- nagii << allnodeinfo[node]['ipHostNumber']
+scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::localinfo')[node]['nagiosmaster'] or scope.lookupvar('site::localinfo')[node]['extranrpeclient']
+ nagii << scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber']
end
end
class named::authoritative inherits named {
- file {
- "/etc/bind/named.conf.debian-zones":
- source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.debian-zones",
- "puppet:///modules/named/common/named.conf.debian-zones" ],
- notify => Exec["bind9 reload"];
- "/etc/bind/named.conf.options":
- content => template("named/named.conf.options.erb"),
- notify => Exec["bind9 reload"];
- }
- file { "/etc/bind/named.conf.shared-keys":
- mode => 640,
- owner => root,
- group => bind,
- }
+ file { '/etc/bind/named.conf.debian-zones':
+ source => 'puppet:///modules/named/common/named.conf.debian-zones',
+ notify => Service['bind9'],
+ }
+ file { '/etc/bind/named.conf.options':
+ content => template('named/named.conf.options.erb'),
+ notify => Service['bind9'],
+ }
+ file { '/etc/bind/named.conf.shared-keys':
+ mode => '0640',
+ owner => root,
+ group => bind,
+ }
}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
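Review bot: Replacing `notify => Exec["bind9 reload"]` with `notify => Service['bind9']` on named.conf.debian-zones and named.conf.options turns every zone-list or options change into a full named restart, unless `Service['bind9']` (declared outside this hunk, in class named) sets a `restart` command; on an authoritative server a restart drops in-flight queries and zone transfers where a reload would not. If a reload is intended, set `restart => '/usr/sbin/rndc reload'` on the service or keep a refreshonly exec for these two files. `/etc/bind/named.conf.shared-keys` is given `group => bind` but no `require => Package['bind9']`; the bind group exists only once the package is installed, so on a fresh host the ordering appears to be left to chance.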
class named::geodns inherits named {
- activate_munin_check {
- "bind_views": script => bind;
- }
+ munin::check { 'bind_views':
+ script => bind
+ }
- file {
- "/etc/bind/named.conf.options":
- content => template("named/named.conf.options.erb"),
- notify => Exec["bind9 reload"];
- "/etc/apt/sources.list.d/geoip.list":
- content => template("debian-org/etc/apt/sources.list.d/geoip.list.erb"),
- notify => Exec["apt-get update"],
- ;
- "/etc/bind/named.conf.local":
- source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.local",
- "puppet:///modules/named/common/named.conf.local" ],
- require => Package["bind9"],
- notify => Exec["bind9 restart"],
- owner => root,
- group => root,
- ;
- "/etc/bind/named.conf.acl":
- source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.acl",
- "puppet:///modules/named/common/named.conf.acl" ],
- require => Package["bind9"],
- notify => Exec["bind9 restart"],
- owner => root,
- group => root,
- ;
- "/etc/bind/geodns":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- ;
- "/etc/bind/geodns/zonefiles":
- ensure => directory,
- owner => geodnssync,
- group => geodnssync,
- mode => 755,
- ;
- "/etc/bind/geodns/named.conf.geo":
- source => [ "puppet:///modules/named/per-host/$fqdn/named.conf.geo",
- "puppet:///modules/named/common/named.conf.geo" ],
- require => Package["bind9"],
- notify => Exec["bind9 restart"],
- owner => root,
- group => root,
- ;
- "/etc/bind/geodns/trigger":
- source => [ "puppet:///modules/named/per-host/$fqdn/trigger",
- "puppet:///modules/named/common/trigger" ],
- owner => root,
- group => root,
- mode => 555,
- ;
- "/etc/ssh/userkeys/geodnssync":
- source => [ "puppet:///modules/named/per-host/$fqdn/authorized_keys",
- "puppet:///modules/named/common/authorized_keys" ],
- owner => root,
- group => geodnssync,
- mode => 440,
- ;
- "/etc/cron.d/dsa-boot-geodnssync":
- source => [ "puppet:///modules/named/per-host/$fqdn/cron-geo",
- "puppet:///modules/named/common/cron-geo" ],
- owner => root,
- group => root,
- ;
- }
-}
+ site::aptrepo { 'geoip':
+ template => 'debian-org/etc/apt/sources.list.d/geoip.list.erb',
+ }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+ file { '/etc/bind/':
+ ensure => directory,
+ require => Package['bind9'],
+ notify => Service['bind9'],
+ }
+ file { '/etc/bind/geodns':
+ ensure => directory,
+ }
+ file { '/etc/bind/named.conf.options':
+ content => template('named/named.conf.options.erb'),
+ }
+ file { '/etc/bind/named.conf.local':
+ source => 'puppet:///modules/named/common/named.conf.local',
+ }
+ file { '/etc/bind/named.conf.acl':
+ source => 'puppet:///modules/named/common/named.conf.acl',
+ }
+ file { '/etc/bind/geodns/zonefiles':
+ ensure => directory,
+ owner => geodnssync,
+ group => geodnssync,
+ mode => '0755',
+ }
+ file { '/etc/bind/geodns/named.conf.geo':
+ source => 'puppet:///modules/named/common/named.conf.geo',
+ }
+ file { '/etc/bind/geodns/trigger':
+ source => 'puppet:///modules/named/common/trigger',
+ }
+ file { '/etc/ssh/userkeys/geodnssync':
+ source => 'puppet:///modules/named/common/authorized_keys',
+ group => geodnssync,
+ mode => '0440',
+ }
+ file { '/etc/cron.d/dsa-boot-geodnssync':
+ source => 'puppet:///modules/named/common/cron-geo'
+ }
+}
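Review bot: The rewritten named.conf.local, named.conf.acl, named.conf.geo and named.conf.options resources in named::geodns no longer carry a notify; the old resources notified the reload/restart execs, and the `notify => Service['bind9']` now placed on the `/etc/bind/` directory only fires when the directory itself changes (there is no `recurse`), so a content change to those files will not reach bind until something else restarts it. Each of the four should get `notify => Service['bind9'],` as named::authoritative and named::recursor do in this commit. Separately, `/etc/bind/geodns/trigger` has lost its `mode => 555`; with no mode of its own it falls back to the read-only file default used in this manifest, which presumably leaves the trigger script non-executable, so add `mode => '0555',` unless the execute bit is no longer needed.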
class named {
- activate_munin_check {
- "bind":;
- }
- package {
- bind9: ensure => installed;
- }
+ munin::check { 'bind': }
- exec {
- "bind9 restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- ;
- "bind9 reload":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- ;
- }
- file {
- "/var/log/bind9":
- ensure => directory,
- owner => bind,
- group => bind,
- mode => 775,
- ;
- }
- @ferm::rule { "dsa-bind":
- domain => "(ip ip6)",
- description => "Allow nameserver access",
- rule => "&TCP_UDP_SERVICE(53)"
- }
-}
+ package { 'bind9':
+ ensure => installed
+ }
+
+ service { 'bind9':
+ ensure => running,
+ }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+ @ferm::rule { 'dsa-bind':
+ domain => '(ip ip6)',
+ description => 'Allow nameserver access',
+ rule => '&TCP_UDP_SERVICE(53)'
+ }
+
+ file { '/var/log/bind9':
+ ensure => directory,
+ owner => bind,
+ group => bind,
+ mode => '0775',
+ }
+}
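Review bot: `service { 'bind9': ensure => running }` has no `require => Package['bind9']`, so on a fresh host the service can be evaluated before the package is installed (Puppet does not autorequire a package for a service); the ntp and postgrey classes in this commit add that relationship, so `named` should too, `require => Package['bind9'],`. The same omission is in `service { 'samhain': ... }` further down.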
class named::recursor inherits named {
- file {
- "/etc/bind/named.conf.options":
- content => template("named/named.conf.options.erb"),
- notify => Exec["bind9 reload"];
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+ file { '/etc/bind/named.conf.options':
+ content => template('named/named.conf.options.erb'),
+ notify => Service['bind9'],
+ }
+}
acl Nagios {
<%=
str = ''
- localinfo.keys.sort.each do |node|
- if localinfo[node]['nagiosmaster']
- allnodeinfo[node]['ipHostNumber'].each do |ip|
+ scope.lookupvar('site::localinfo').keys.sort.each do |node|
+ if scope.lookupvar('site::localinfo')[node]['nagiosmaster']
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |ip|
str += "\t" + ip + "/32;\n"
end
end
class nfs-server {
- include ferm::nfs-server
+ package { [
+ 'nfs-common',
+ 'nfs-kernel-server'
+ ]:
+ ensure => installed
+ }
- package {
- nfs-common: ensure => installed;
- nfs-kernel-server: ensure => installed;
- }
+ service { 'nfs-common':
+ hasstatus => false,
+ status => '/bin/true',
+ refreshonly => true,
+ }
+ service { 'nfs-kernel-server':
+ hasstatus => false,
+ status => '/bin/true',
+ refreshonly => true,
+ }
- file {
- "/etc/default/nfs-common":
- source => "puppet:///modules/nfs-server/nfs-common.default",
- require => Package["nfs-common"],
- notify => Exec["nfs-common restart"];
- "/etc/default/nfs-kernel-server":
- source => "puppet:///modules/nfs-server/nfs-kernel-server.default",
- require => Package["nfs-kernel-server"],
- notify => Exec["nfs-kernel-server restart"];
- "/etc/modprobe.d/lockd.local":
- source => "puppet:///modules/nfs-server/lockd.local.modprobe";
- }
+ @ferm::rule { 'dsa-portmap':
+ domain => '(ip ip6)',
+ description => 'Allow portmap access',
+ rule => '&TCP_UDP_SERVICE(111)'
+ }
+ @ferm::rule { 'dsa-nfs':
+ domain => '(ip ip6)',
+ description => 'Allow nfsd access',
+ rule => '&TCP_UDP_SERVICE(2049)'
+ }
+ @ferm::rule { 'dsa-status':
+ domain => '(ip ip6)',
+ description => 'Allow statd access',
+ rule => '&TCP_UDP_SERVICE(10000)'
+ }
+ @ferm::rule { 'dsa-mountd':
+ domain => '(ip ip6)',
+ description => 'Allow mountd access',
+ rule => '&TCP_UDP_SERVICE(10002)'
+ }
+ @ferm::rule { 'dsa-lockd':
+ domain => '(ip ip6)',
+ description => 'Allow lockd access',
+ rule => '&TCP_UDP_SERVICE(10003)'
+ }
- exec {
- "nfs-common restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true;
- "nfs-kernel-server restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true;
- }
+ file { '/etc/default/nfs-common':
+ source => 'puppet:///modules/nfs-server/nfs-common.default',
+ require => Package['nfs-common'],
+ notify => Service['nfs-common'],
+ }
+ file { '/etc/default/nfs-kernel-server':
+ source => 'puppet:///modules/nfs-server/nfs-kernel-server.default',
+ require => Package['nfs-kernel-server'],
+ notify => Service['nfs-kernel-server'],
+ }
+ file { '/etc/modprobe.d/lockd.local':
+ source => 'puppet:///modules/nfs-server/lockd.local.modprobe'
+ }
}
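Review bot: `refreshonly => true` on the two new `service` resources is an `exec` parameter; the Service type does not accept it, so unless a local type extension adds it the catalog should fail to compile with an invalid-parameter error. Dropping the line keeps the apparent intent: with no `ensure` and `status => '/bin/true'` the resource does nothing except restart the daemon when the corresponding `/etc/default/*` file notifies it. If the daemons are expected to be running, `ensure => running` with `require => Package['nfs-kernel-server']` (and likewise for nfs-common) would state that explicitly instead of relying on an always-true status command.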
--- /dev/null
+class ntp::client {
+ file { '/etc/default/ntp':
+ source => 'puppet:///modules/ntp/etc-default-ntp',
+ require => Package['ntp'],
+ notify => Service['ntp']
+ }
+ file { '/etc/ntp.keys.d/':
+ ensure => directory,
+ require => Package['ntp'],
+ notify => Service['ntp']
+ }
+ file { '/etc/ntp.keys.d/ntpkey_iff_merikanto':
+ source => 'puppet:///modules/ntp/ntpkey_iff_merikanto.pub',
+ }
+ file { '/etc/ntp.keys.d/ntpkey_iff_orff':
+ source => 'puppet:///modules/ntp/ntpkey_iff_orff.pub',
+ }
+ file { '/etc/ntp.keys.d/ntpkey_iff_ravel':
+ source => 'puppet:///modules/ntp/ntpkey_iff_ravel.pub',
+ }
+ file { '/etc/ntp.keys.d/ntpkey_iff_busoni':
+ source => 'puppet:///modules/ntp/ntpkey_iff_busoni.pub',
+ }
+}
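Review bot: `file { '/etc/ntp.keys.d/': ... }` declares the same directory that class `ntp` manages as `/etc/ntp.keys.d` (with group ntp and mode 0750); since `ntp` includes `ntp::client` on non-timeserver hosts both resources end up in the catalog, and depending on the Puppet version that is either a duplicate-declaration error or two resources managing one path with different attributes. The client class should drop its directory resource and rely on the one in `ntp`. The four `ntpkey_iff_*` resources also lost the `notify => Exec["ntp restart"]` they had before, so a replaced key file no longer restarts ntpd; each should get `notify => Service['ntp'],`.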
class ntp {
- package { ntp: ensure => installed }
- file {
- "/var/lib/ntp/":
- ensure => directory,
- owner => ntp,
- group => ntp,
- mode => 755,
- require => Package["ntp"]
- ;
- "/var/lib/ntp":
- ensure => directory,
- owner => ntp,
- group => ntp,
- mode => 755,
- require => Package["ntp"]
- ;
- "/etc/ntp.conf":
- owner => root,
- group => root,
- mode => 444,
- content => template("ntp/ntp.conf"),
- notify => Exec["ntp restart"],
- require => Package["ntp"]
- ;
- "/etc/ntp.keys.d":
- owner => root,
- group => ntp,
- mode => 750,
- ensure => directory,
- require => Package["ntp"]
- ;
- }
- case getfromhash($nodeinfo, 'timeserver') {
- true: {
- file {
- "/var/lib/ntp/leap-seconds.list":
- owner => root,
- group => root,
- mode => 444,
- source => [ "puppet:///modules/ntp/leap-seconds.list" ],
- require => Package["ntp"],
- notify => Exec["ntp restart"],
- ;
- }
- }
- default: {
- file {
- "/etc/default/ntp":
- owner => root,
- group => root,
- mode => 444,
- source => [ "puppet:///modules/ntp/etc-default-ntp" ],
- require => Package["ntp"],
- notify => Exec["ntp restart"],
- ;
- "/etc/ntp.keys.d/ntpkey_iff_merikanto":
- owner => root,
- group => root,
- mode => 444,
- source => [ "puppet:///modules/ntp/ntpkey_iff_merikanto.pub" ],
- require => Package["ntp"],
- notify => Exec["ntp restart"],
- ;
- "/etc/ntp.keys.d/ntpkey_iff_orff":
- owner => root,
- group => root,
- mode => 444,
- source => [ "puppet:///modules/ntp/ntpkey_iff_orff.pub" ],
- require => Package["ntp"],
- notify => Exec["ntp restart"],
- ;
- "/etc/ntp.keys.d/ntpkey_iff_ravel":
- owner => root,
- group => root,
- mode => 444,
- source => [ "puppet:///modules/ntp/ntpkey_iff_ravel.pub" ],
- require => Package["ntp"],
- notify => Exec["ntp restart"],
- ;
- "/etc/ntp.keys.d/ntpkey_iff_busoni":
- owner => root,
- group => root,
- mode => 444,
- source => [ "puppet:///modules/ntp/ntpkey_iff_busoni.pub" ],
- require => Package["ntp"],
- notify => Exec["ntp restart"],
- ;
- }
- }
- }
+ package { 'ntp':
+ ensure => installed
+ }
+ service { 'ntp':
+ ensure => running,
+ require => Package['ntp']
+ }
- exec { "ntp restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
- @ferm::rule { "dsa-ntp":
- domain => "(ip ip6)",
- description => "Allow ntp access",
- rule => "&SERVICE(udp, 123)"
- }
+ @ferm::rule { 'dsa-ntp':
+ domain => '(ip ip6)',
+ description => 'Allow ntp access',
+ rule => '&SERVICE(udp, 123)'
+ }
+
+ file { '/var/lib/ntp':
+ ensure => directory,
+ owner => ntp,
+ group => ntp,
+ mode => '0755',
+ require => Package['ntp']
+ }
+ file { '/etc/ntp.conf':
+ content => template('ntp/ntp.conf'),
+ notify => Service['ntp'],
+ require => Package['ntp']
+ }
+ file { '/etc/ntp.keys.d':
+ ensure => directory,
+ group => ntp,
+ mode => '0750',
+ notify => Service['ntp'],
+ require => Package['ntp']
+ }
+
+ if getfromhash($site::nodeinfo, 'timeserver') {
+ include ntp::timeserver
+ } else {
+ include ntp::client
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
--- /dev/null
+class ntp::timeserver {
+ file { '/var/lib/ntp/leap-seconds.list':
+ source => 'puppet:///modules/ntp/leap-seconds.list',
+ require => Package['ntp'],
+ notify => Service['ntp'],
+ }
+}
crypto randfile /dev/urandom
keysdir /etc/ntp.keys.d
-<% if nodeinfo['timeserver'] -%>
+<% if scope.lookupvar('site::nodeinfo')['timeserver'] -%>
server 0.debian.pool.ntp.org iburst dynamic
server 1.debian.pool.ntp.org iburst dynamic
server 2.debian.pool.ntp.org iburst dynamic
<% end -%>
<% elsif fqdn == "ancina.debian.org" -%>
server ntp.ugent.be iburst dynamic
-<% elsif nodeinfo['misc']['natted'] -%>
+<% elsif scope.lookupvar('site::nodeinfo')['misc']['natted'] -%>
# autokey doesn't work behind nat
# merikanto's and orff's ipv4 IP, hard coded for the benefit of hosts
class ntpdate {
- case getfromhash($nodeinfo, 'broken-rtc') {
- true: {
- package {
- ntpdate: ensure => installed;
- lockfile-progs: ensure => installed;
- }
- file {
- "/etc/default/ntpdate":
- owner => root,
- group => root,
- mode => 444,
- content => template("ntpdate/etc-default-ntpdate.erb"),
- ;
- }
- }
- }
+
+ if getfromhash($site::nodeinfo, 'broken-rtc') {
+ package { [
+ 'ntpdate',
+ 'lockfile-progs'
+ ]:
+ ensure => installed
+ }
+
+ file { '/etc/default/ntpdate':
+ content => template('ntpdate/etc-default-ntpdate.erb'),
+ }
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
class portforwarder {
- # do not depend on xinetd, yet. it might uninstall other inetds
- # for now this will have to be done manually
- file {
- "/etc/ssh/userkeys/portforwarder":
- content => template("portforwarder/authorized_keys.erb"),
- mode => 444,
- ;
- "/etc/xinetd.d":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- ;
- "/etc/xinetd.d/dsa-portforwader":
- content => template("portforwarder/xinetd.erb"),
- notify => Exec["xinetd reload"]
- ;
- }
+ # do not depend on xinetd, yet. it might uninstall other inetds
+ # for now this will have to be done manually
+ file { '/etc/ssh/userkeys/portforwarder':
+ content => template('portforwarder/authorized_keys.erb'),
+ }
+ file { '/etc/xinetd.d':
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => '0755',
+ }
+ file { '/etc/xinetd.d/dsa-portforwader':
+ content => template('portforwarder/xinetd.erb'),
+ notify => Exec['xinetd reload']
+ }
- exec {
- "xinetd reload":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- ;
- }
+ exec { 'xinetd reload':
+ path => '/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin',
+ refreshonly => true,
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
if allowed_ports.length > 0
sshkey = getportforwarderkey(sourcehost)
- remote_ip = allnodeinfo[sourcehost]['ipHostNumber'].join(',')
+ remote_ip = scope.lookupvar('site::allnodeinfo')[sourcehost]['ipHostNumber'].join(',')
local_bind = '127.101.%d.%d'%[ (sourcehost.hash / 256 % 256), sourcehost.hash % 256 ]
lines << "# from #{sourcehost}"
class postgres {
- activate_munin_check {
- "postgres_bgwriter":;
- "postgres_connections_db":;
- "postgres_cache_ALL": script => "postgres_cache_";
- "postgres_querylength_ALL": script => "postgres_querylength_";
- "postgres_size_ALL": script => "postgres_size_";
- }
- file {
- "/etc/munin/plugin-conf.d/local-postgres":
- source => "puppet:///modules/postgres/plugin.conf",
- ;
- }
-}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+ munin::check { 'postgres_bgwriter': }
+ munin::check { 'postgres_connections_db': }
+ munin::check { 'postgres_cache_ALL':
+ script => 'postgres_cache_'
+ }
+ munin::check { 'postgres_querylength_ALL':
+ script => 'postgres_querylength_'
+ }
+ munin::check { 'postgres_size_ALL':
+ script => 'postgres_size_'
+ }
+ file { '/etc/munin/plugin-conf.d/local-postgres':
+ source => 'puppet:///modules/postgres/plugin.conf',
+ }
+}
class postgrey {
- package { "postgrey": ensure => installed; }
- file {
- "/etc/default/postgrey":
- source => "puppet:///modules/postgrey/default",
- require => Package["postgrey"],
- notify => Exec["postgrey restart"]
- ;
- }
+ package { 'postgrey':
+ ensure => installed
+ }
- exec { "postgrey restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
+ service { 'postgrey':
+ ensure => running,
+ require => Package['postgrey']
+ }
+
+ file { '/etc/default/postgrey':
+ source => 'puppet:///modules/postgrey/default',
+ require => Package['postgrey'],
+ notify => Service['postgrey']
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
end
v6ips = lookupvar('v6ips')
- if v6ips and v6ips != "no"
+ if v6ips and v6ips != ""
nodeinfo['misc']['v6addrs'] = v6ips.split(',')
end
end
class puppetmaster {
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
class raidmpt {
- package {
- mpt-status: ensure => installed;
- }
- file {
- "/etc/default/mpt-statusd":
- content => "# This file is under puppet control\nRUN_DAEMON=no\n",
- notify => Exec["mpt-statusd-stop"],
- ;
- }
- exec {
- "mpt-statusd-stop":
- command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile"; pkill -INT -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"',
- refreshonly => true,
- ;
- }
+ package { 'mpt-status':
+ ensure => installed
+ }
+
+ file { '/etc/default/mpt-statusd':
+ content => "# This file is under puppet control\nRUN_DAEMON=no\n",
+ notify => Exec['mpt-statusd-stop'],
+ }
+
+ exec { 'mpt-statusd-stop':
+ command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile"; pkill -INT -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"',
+ refreshonly => true,
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
class resolv {
- file { "/etc/resolv.conf":
- content => template("resolv/resolv.conf.erb");
+
+ file { '/etc/resolv.conf':
+ content => template('resolv/resolv.conf.erb');
}
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
nameservers << "127.0.0.1"
end
-nameservers += nodeinfo['hoster']['nameservers'] if nodeinfo['hoster']['nameservers']
-searchpaths += nodeinfo['hoster']['searchpaths'] if nodeinfo['hoster']['searchpaths']
-options += nodeinfo['hoster']['resolvoptions'] if nodeinfo['hoster']['resolvoptions']
+nameservers += scope.lookupvar('site::nodeinfo')['hoster']['nameservers'] if scope.lookupvar('site::nodeinfo')['hoster']['nameservers']
+searchpaths += scope.lookupvar('site::nodeinfo')['hoster']['searchpaths'] if scope.lookupvar('site::nodeinfo')['hoster']['searchpaths']
+options += scope.lookupvar('site::nodeinfo')['hoster']['resolvoptions'] if scope.lookupvar('site::nodeinfo')['hoster']['resolvoptions']
searchpaths << "debian.org"
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<VirtualHost *:80>
+ ServerName backports.debian.org
+ ServerAdmin debian-admin@debian.org
+
+ ErrorLog /var/log/apache2/backports.debian.org-error.log
+ CustomLog /var/log/apache2/backports.debian.org-access.log combined
+
+ <IfModule mod_userdir.c>
+ UserDir disabled
+ </IfModule>
+
+ Alias /debian-backports /srv/mirrors/backports.debian.org/
+
+ RewriteEngine On
+ RewriteRule ^/debian-backports($|/.*) - [L]
+ RewriteRule ^/(.*) http://backports-master.debian.org/$1 [R]
+</VirtualHost>
+# vim:set syn=apache:
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+# www.backports.org is the historical place for the backports
+# website and archive. It is now a CNAME to backports.debian.org -
+# redirect http requests.
+
+<VirtualHost *:80>
+ ServerName www.backports.org
+ ServerAlias lists.backports.org
+ ServerAdmin debian-admin@debian.org
+
+ ErrorLog /var/log/apache2/www.backports.org-error.log
+ CustomLog /var/log/apache2/www.backports.org-access.log combined
+
+ <IfModule mod_userdir.c>
+ UserDir disabled
+ </IfModule>
+
+ RedirectPermanent /debian/ http://backports.debian.org/debian-backports/
+ RedirectPermanent /backports.org/ http://backports.debian.org/debian-backports/
+ RedirectPermanent /debian-backports/ http://backports.debian.org/debian-backports/
+ RedirectPermanent / http://backports-master.debian.org/
+</VirtualHost>
+# vim:set syn=apache:
+
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<VirtualHost *:80>
+ ServerAdmin ftpmaster@debian.org
+ DocumentRoot /srv/mirrors/buildd-all
+ ServerName ftp-upcoming.debian.org
+
+ ErrorLog /var/log/apache2/ftp-upcoming.debian.org-error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/ftp-upcoming.debian.org-access.log combined
+
+ IndexOptions FancyIndexing NameWidth=*
+</VirtualHost>
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<Directory /org/security.debian.org/ftp>
+ IndexOptions NameWidth=* +SuppressDescription
+ Options +FollowSymLinks
+ Options +Indexes
+ FileETag MTime Size
+</Directory>
+
+<VirtualHost *:80>
+ ServerAdmin debian-admin@debian.org
+ DocumentRoot /org/security.debian.org/ftp
+ ServerPath /debian-security
+ ServerName security.debian.org
+ ServerAlias security.ipv6.debian.org
+ ServerAlias security.eu.debian.org
+ ServerAlias security.us.debian.org
+ ServerAlias security.na.debian.org
+ ServerAlias security.geo.debian.org
+ ServerAlias security-nagios.debian.org
+
+ Alias /debian-security /org/security.debian.org/ftp
+
+ RewriteEngine on
+ RewriteRule ^/$ http://www.debian.org/security/
+
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ LogLevel warn
+
+ CustomLog /var/log/apache2/security.debian.org-access.log combined
+ ServerSignature On
+
+</VirtualHost>
+
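Review bot: `ServerSignature On` in the security.debian.org vhost appends the server version and host name to Apache-generated error pages and directory listings, which is more version disclosure than a public mirror needs; `ServerSignature Off` is the usual choice, and the backports and www vhosts in this commit simply omit the directive and inherit the global setting. If the signature is wanted for debugging, pairing it with a global `ServerTokens Prod` limits what is exposed.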
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+# Need to turn on negotiation_module
+<Directory /srv/www.debian.org/www/>
+ Options +MultiViews +FollowSymLinks +Indexes
+ AddHandler type-map var
+ # Make sure that the srm.conf directive is commented out.
+ AddDefaultCharSet Off
+ AllowOverride AuthConfig FileInfo
+
+ # Serve icons as image/x-icon
+ AddType image/x-icon .ico
+
+ # Serve RSS feeds as application/rss+xml
+ AddType application/rss+xml .rdf
+
+ # Nice caching..
+ ExpiresActive On
+ ExpiresDefault "access plus 1 day"
+ ExpiresByType image/gif "access plus 1 week"
+ ExpiresByType image/jpeg "access plus 1 week"
+ ExpiresByType image/png "access plus 1 week"
+ ExpiresByType image/x-icon "access plus 1 week"
+
+ # FileEtag needs to be the same across mirrors (used for caching, ignore inode)
+ FileEtag MTime Size
+
+ # language stuff, for web site translations
+ # for boot-floppies docs only: sk
+ AddLanguage en .en
+ AddLanguage en-us .en-us
+ AddLanguage en-gb .en-gb
+ AddLanguage ar .ar
+ AddLanguage bg .bg
+ AddLanguage ca .ca
+ AddLanguage cs .cs
+ AddLanguage da .da
+ AddLanguage de .de
+ AddLanguage el .el
+ AddLanguage eo .eo
+ AddLanguage es .es
+ AddLanguage fi .fi
+ AddLanguage fr .fr
+ AddLanguage hr .hr
+ AddLanguage hu .hu
+ AddLanguage hy .hy
+ AddLanguage id .id
+ AddLanguage it .it
+ AddLanguage ja .ja
+ AddLanguage ko .ko
+ AddLanguage lt .lt
+ AddLanguage nl .nl
+ AddLanguage no .no
+ AddLanguage nb .nb
+ AddLanguage pl .pl
+ AddLanguage pt .pt
+ AddLanguage pt-br .pt
+ AddLanguage ro .ro
+ AddLanguage ru .ru
+ AddLanguage sk .sk
+ AddLanguage sl .sl
+ AddLanguage sv .sv
+ AddLanguage tr .tr
+ AddLanguage uk .uk
+ AddLanguage vi .vi
+ AddLanguage zh-CN .zh-cn
+ AddLanguage zh-HK .zh-hk
+ AddLanguage zh-TW .zh-tw
+ LanguagePriority en fr de it es ja pl hr da pt pt-br fi zh-cn zh-hk zh-tw cs sv ko no nb ru tr eo ar nl hu ro sk el ca en-us en-gb id lt sl bg uk hy vi
+
+ DirectoryIndex maintenance index index.html index.shtml index.htm
+
+ <Files *.html.es>
+ ForceType text/html
+ </Files>
+
+ <Files *.pdf.es>
+ ForceType application/pdf
+ </Files>
+
+ <Files *.txt.es>
+ ForceType text/plain
+ </Files>
+</Directory>
+
+<VirtualHost *:80>
+ ServerName www.nl.debian.org
+ ServerAdmin webmaster@debian.org
+ ServerAlias www.debian.com www.debian.de www.*.debian.org newwww.deb.at www.debian.net debian.net debian.org www.debian.at www.debian.eu debian.eu
+ DocumentRoot /srv/www.debian.org/www/
+ ErrorLog /var/log/apache2/www-other.debian.org-error.log
+ CustomLog /var/log/apache2/www-other.debian.org-access.log combined
+ RewriteLog /var/log/apache2/www-other.debian.org-redirect.log
+ RewriteLogLevel 1
+
+ RewriteEngine on
+ RewriteRule ^/(.*)$ http://www.debian.org/$1 [R=301,L]
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName www.debian.org
+ ServerAdmin webmaster@debian.org
+ ServerAlias www-*.debian.org
+ DocumentRoot /srv/www.debian.org/www/
+ ErrorLog /var/log/apache2/www.debian.org-error.log
+ CustomLog /var/log/apache2/www.debian.org-access.log combined
+
+ # CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each
+ # document that was negotiated on the basis of content. This asks proxy
+ # servers not to cache the document. Uncommenting the following line disables
+ # this behavior, and proxies will be allowed to cache the documents.
+ CacheNegotiatedDocs On
+
+# Custom Error
+ ErrorDocument 404 /devel/website/errors/404
+ RewriteCond %{DOCUMENT_ROOT}/devel/website/errors/404.$2.html -f
+ RewriteRule ^/(?!devel/website/errors/)(.*/)?404\.(.+)\.html$ /devel/website/errors/404.$2.html [L]
+
+# the joys of backwards compatibility
+ RedirectPermanent /cgi-bin/cvsweb http://cvs.debian.org
+ RedirectPermanent /Lists-Archives http://lists.debian.org
+ RedirectPermanent /search http://search.debian.org
+ RedirectPermanent /Packages http://packages.debian.org
+ RedirectPermanent /lintian http://lintian.debian.org
+
+ RedirectPermanent /SPI http://www.spi-inc.org
+# RedirectPermanent /OpenHardware http://www.openhardware.org
+ RedirectPermanent /OpenSource http://www.opensource.org
+
+ RedirectPermanent /Bugs/db/ix/pseudopackages.html /Bugs/pseudo-packages
+ RewriteEngine on
+ RewriteRule ^/Bugs/db/pa/l([^/]+).html$ http://bugs.debian.org/$1
+ RewriteRule ^/Bugs/db/[[:digit:]][[:digit:]]/([[:digit:]][[:digit:]][[:digit:]]+).html$ http://bugs.debian.org/$1
+ RewriteRule ^/Bugs/db/ma/l([^/]+).html$ http://bugs.debian.org/cgi-bin/pkgreport.cgi?maintenc=$1
+
+ Userdir http://people.debian.org/~*/
+
+ RedirectPermanent /devel/todo/ /devel/wnpp/help_requested_bypop
+ RedirectPermanent /doc/FAQ /doc/manuals/debian-faq
+ RedirectPermanent /doc/manuals/debian-fr-howto /doc/manuals/fr/debian-fr-howto
+ RedirectPermanent /doc/manuals/reference /doc/manuals/debian-reference
+ RedirectPermanent /doc/packaging-manuals/developers-reference /doc/manuals/developers-reference
+ RedirectPermanent /doc/packaging-manuals/packaging-tutorial /doc/manuals/packaging-tutorial
+ RedirectPermanent /doc/prospective-packages /devel/wnpp/
+ RedirectPermanent /devel/maintainer_contacts /intro/organization
+ RedirectPermanent /devel/debian-installer/gtk-frontend http://wiki.debian.org/DebianInstaller/GUI
+ RedirectPermanent /zh/ /international/Chinese/
+ RedirectPermanent /chinese/ /international/Chinese/
+ RedirectPermanent /devel/help /devel/join/
+ RedirectPermanent /distrib/books /doc/books
+ RedirectPermanent /distrib/floppyinst /distrib/netinst
+ RedirectPermanent /distrib/netboot /distrib/netinst
+ RedirectPermanent /distrib/vendors /CD/vendors/
+ RedirectPermanent /distrib/cd /CD/
+ RedirectPermanent /distrib/cdinfo /CD/vendors/info
+ RedirectPermanent /related_links /misc/related_links
+ RedirectPermanent /ports/laptops /misc/laptops/
+ RedirectPermanent /misc/README.mirrors /mirror/list
+ RedirectPermanent /misc/README.non-US /mirror/list.non-US
+ RedirectPermanent /intl /international
+ RedirectPermanent /ports/armel /ports/arm
+ RedirectPermanent /ports/mipsel /ports/mips
+ RedirectPermanent /ports/kfreebsd-amd64 /ports/kfreebsd-gnu
+ RedirectPermanent /ports/kfreebsd-i386 /ports/kfreebsd-gnu
+ RedirectPermanent /ports/sparc64 /ports/sparc
+ RedirectPermanent /mirror/mirrors_full.html /mirror/list-full.html
+ RedirectPermanent /mirrors /mirror
+ RedirectPermanent /News/project /News/weekly
+ RedirectPermanent /releases/2.0 /releases/hamm
+ RedirectPermanent /releases/2.1 /releases/slink
+ RedirectPermanent /releases/2.2 /releases/potato
+ RedirectPermanent /releases/3.0 /releases/woody
+ RedirectPermanent /releases/3.1 /releases/sarge
+ RedirectPermanent /releases/4.0 /releases/etch
+ RedirectPermanent /releases/5.0 /releases/lenny
+ RedirectPermanent /releases/6.0 /releases/squeeze
+ RedirectPermanent /releases/unstable /releases/sid
+
+ RewriteRule ^/ports/freebsd(.*) /ports/kfreebsd-gnu/ [R=301]
+ RewriteRule ^/devel/debian-installer/report-template(.*) /releases/stable/i386/ch05s04.html#submit-bug [NE,R=301]
+ RewriteRule ^/devel/debian-installer/hooks(.*) http://d-i.alioth.debian.org/doc/internals/apb.html [R=301]
+ RewriteRule ^/doc/packaging-manuals/mime-policy(.*) /doc/debian-policy/ch-opersys.html#s-mime [NE,R=301]
+
+ RewriteRule ^/volatile/index.* - [S=1]
+ RewriteRule ^/volatile/.+ /volatile/ [L,R=301]
+ RewriteRule ^/devel/debian-volatile/.* /volatile/ [R=301]
+
+# Offer a Redirect to DSA without knowing year #474730
+ RewriteMap dsa txt:/srv/www.debian.org/www/security/map-dsa.txt
+ RewriteRule ^/security/dsa-(\d+)(\..*)? /security/${dsa:$1}$2 [R=301]
+
+# Compatibility after SGML -> DocBook
+# Debian Reference #624239
+ RewriteMap reference txt:/srv/www.debian.org/www/doc/map-reference.txt
+ RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/ch-support$1 !-f
+ RewriteRule ^/doc/manuals/debian-reference/ch-support(.*) /support$1 [L,R=301]
+ RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/${reference:$1}$2 -f
+ RewriteRule ^/doc/manuals/debian-reference/ch-([^\.]+)(.+) /doc/manuals/debian-reference/${reference:$1}$2 [L,R=301]
+ RewriteRule ^/doc/manuals/debian-reference/ch-([^\.]+)$ /doc/manuals/debian-reference/${reference:$1} [R=301]
+ RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/apa$1 -f
+ RewriteRule ^/doc/manuals/debian-reference/ap-appendix(.+) /doc/manuals/debian-reference/apa$1 [L,R=301]
+ RewriteRule ^/doc/manuals/debian-reference/ap-appendix$ /doc/manuals/debian-reference/apa [R=301]
+ RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/footnotes$1 !-f
+ RewriteRule ^/doc/manuals/debian-reference/footnotes(.+) /doc/manuals/debian-reference/index$1 [L,R=301]
+ RewriteRule ^/doc/manuals/debian-reference/footnotes$ /doc/manuals/debian-reference/ [R=301]
+# New Maintainers' Guide
+ RewriteRule ^/doc/(manuals/)?maint-guide/ch-(.*) /doc/manuals/maint-guide/$2 [R=301]
+ RewriteRule ^/doc/(manuals/)?maint-guide/footnotes(.*) /doc/manuals/maint-guide/index$2 [R=301]
+
+# Canonical place for manuals under /doc/manuals/
+ RewriteCond %{DOCUMENT_ROOT}/doc/manuals/$1 -d
+ RewriteRule ^/doc/([^/]+)/?(.*)? /doc/manuals/$1/$2 [L,R=301]
+
+</VirtualHost>
--- /dev/null
+class roles::backports_mirror {
+ apache2::site { '010-backports.debian.org':
+ site => 'backports.debian.org',
+ config => 'puppet:///modules/roles/backports_mirror/backports.debian.org',
+ }
+
+ apache2::site { '010-www.backports.org':
+ site => 'www.backports.org',
+ config => 'puppet:///modules/roles/backports_mirror/www.backports.org',
+ }
+
+ apache2::module { 'rewrite': }
+}
--- /dev/null
+class roles::dakmaster {
+
+ package { 'libapache2-mod-macro':
+ ensure => installed,
+ }
+
+ apache2::module { 'macro': }
+
+ apache2::config { 'puppet-builddlist':
+ template => 'roles/conf-builddlist.erb',
+ }
+
+}
--- /dev/null
+class roles::ftp-upcoming_mirror {
+
+ apache2::site { '010-ftp-upcoming.debian.org':
+ site => 'ftp-upcoming.debian.org',
+ config => 'puppet:///modules/roles/ftp-upcoming_mirror/ftp-upcoming.debian.org',
+ }
+}
--- /dev/null
+class roles::security_mirror {
+
+ apache2::site { '010-security.debian.org':
+ site => 'security.debian.org',
+ config => 'puppet:///modules/roles/security_mirror/security.debian.org'
+ }
+
+ apache2::site { 'security.debian.org':
+ ensure => absent,
+ }
+}
--- /dev/null
+class roles::www_mirror {
+
+ apache2::site { '010-www.debian.org':
+ site => 'www.debian.org',
+ config => 'puppet:///modules/roles/www_mirror/www.debian.org',
+ }
+
+ apache2::site { 'www.debian.org':
+ ensure => absent,
+ }
+}
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<Macro DebianBuilddHostList>
+
+<%=
+ lines = []
+
+ scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
+ next unless scope.lookupvar('site::allnodeinfo')[node]['purpose']
+ if scope.lookupvar('site::allnodeinfo')[node]['purpose'].include?('buildd')
+ lines << " # #{scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s}"
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |addr|
+ lines << " allow from #{addr}"
+ end
+ end
+ end
+
+ lines.join("\n")
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
+%>
+</Macro>
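Review bot: `scope.lookupvar('site::allnodeinfo')` is called five times per loop iteration in the macro body; each call is a scope lookup, and repeating it makes the lines hard to read. Assign it once before the loop, `allnodeinfo = scope.lookupvar('site::allnodeinfo')`, and index that local, as the pre-rewrite templates did with their bare `allnodeinfo`/`localinfo` names. The same pattern appears in the converted nagios templates (the `nagii` list and the `acl Nagios` block) and in the resolv.conf template's `hoster` lines.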
class rsyncd-log {
- file {
- "/etc/logrotate.d/dsa-rsyncd":
- source => "puppet:///modules/rsyncd-log/logrotate.d-dsa-rsyncd",
- require => Package["debian.org"],
- ;
- "/var/log/rsyncd":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- ;
- }
+ file { '/etc/logrotate.d/dsa-rsyncd':
+ source => 'puppet:///modules/rsyncd-log/logrotate.d-dsa-rsyncd',
+ require => Package['debian.org'],
+ }
+ file { '/var/log/rsyncd':
+ ensure => directory,
+ mode => '0755',
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
class samhain {
- package { samhain: ensure => installed }
+ package { 'samhain':
+ ensure => installed
+ }
- file { "/etc/samhain/samhainrc":
- content => template("samhain/samhainrc.erb"),
- require => Package["samhain"],
- notify => Exec["samhain reload"],
- }
+ service { 'samhain':
+ ensure => running
+ }
- exec { "samhain reload":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
+ file { '/etc/samhain/samhainrc':
+ content => template('samhain/samhainrc.erb'),
+ require => Package['samhain'],
+ notify => Service['samhain']
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
-
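Review bot: `service { 'samhain': ensure => running }` at L6778 declares no ordering against `Package['samhain']`, so on a fresh host Puppet may attempt to start the service before the package exists; add `require => Package['samhain']` to the service resource. The removed `Exec['samhain reload']` issued a reload, whereas `notify => Service['samhain']` at L6788 triggers a full stop/start by default; if a reload is sufficient for samhainrc changes, keep the old behaviour with `restart => '/etc/init.d/samhain reload'` on the service.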
# RedefIgnoreNone=(no default)
# RedefUser0=(no default)
# RedefUser1=(no default)
-<% if nodeinfo['buildd'] -%>
+<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
IgnoreMissing=/etc/lvm/archive/.*.vg
<% end -%>
file=/etc/nagios/nrpe.d
file=/etc/nagios/obsolete-packages-ignore.d
file=/etc/bind/geodns
-<% if nodeinfo['nagiosmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['nagiosmaster'] -%>
file=/etc/nagios3/puppetconf.d
<% end -%>
file=/etc/puppet
file=/etc/ferm/conf.d
file=/etc/ferm/dsa.d
file=/etc/rc.local
-<% unless lsbdistcodename == 'lenny' %>
+<% unless scope.lookupvar('::lsbdistcodename') == 'lenny' %>
file=/etc/unbound
<% end -%>
file=/etc/dsa
## This file might be created or removed by the system sometimes.
##
file=/etc/resolv.conf
-<% if nodeinfo['buildd'] -%>
+<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
file=/etc/dupload.conf
<% end -%>
file=/etc/resolv.conf.pcmcia.save
file=/etc/dsa/cron.ignore.dsa-puppet-stuff
<%=
out=""
-if nodeinfo['heavy_exim']
+if scope.lookupvar('site::nodeinfo')['heavy_exim']
out = '
file=/etc/exim4/surbl_whitelist.txt
file=/etc/exim4/exim_surbl.pl
file=/etc/monit/monit.d/00debian.org
file=/etc/cron.d/dsa-puppet-stuff
file=/etc/cron.d/dsa-buildd
-<% if nodeinfo['nagiosmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['nagiosmaster'] -%>
file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg
file=/etc/nagios3/puppetconf.d/auto-hosts.cfg
file=/etc/nagios3/puppetconf.d/auto-services.cfg
file=/etc/nagios3/puppetconf.d/auto-servicegroups.cfg
file=/etc/nagios3/puppetconf.d/contacts.cfg
<% end -%>
-<% if nodeinfo['muninmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['muninmaster'] -%>
file=/etc/munin/munin.conf
<% end -%>
-<% if nodeinfo['puppetmaster'] -%>
+<% if scope.lookupvar('site::nodeinfo')['puppetmaster'] -%>
dir=8/etc/puppet
<% end -%>
<% if classes.include?('named::geodns') -%>
dir=1/etc/bind
file=/etc/bind/named.conf.debian-zones
<% end -%>
-<% if fqdn == "dijkstra.debian.org" -%>
+<% if scope.lookupvar('::fqdn') == "dijkstra.debian.org" -%>
dir=4/etc/dsa-kvm
<% end -%>
-<% if nodeinfo['buildd'] -%>
+<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
dir=3/etc/lvm
<% end -%>
dir=1/etc/ferm/dsa.d
file=/etc/ferm/conf.d/defs.conf
file=/etc/ferm/ferm.conf
dir=2/etc/ssl/debian
-<% unless lsbdistcodename == 'lenny' %>
+<% unless scope.lookupvar('::lsbdistcodename') == 'lenny' %>
file=/etc/unbound/unbound.conf
<% end -%>
--- /dev/null
+define site::alternative ($linkto, $ensure = present) {
+ case $ensure {
+ present: {
+ exec {
+ "/usr/sbin/update-alternatives --set ${name} ${linkto}":
+ unless => "[ $(update-alternatives --query ${name} | grep ^Value | awk '{print \$2}') = ${linkto} ]",
+ }
+ }
+ absent: {
+ exec {
+ "/usr/sbin/update-alternatives --remove ${name} ${linkto}":
+ unless => "[ $(update-alternatives --query ${name} | grep ^Value | awk '{print \$2}') != ${linkto} ]",
+ }
+ }
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+}
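Review bot: The `unless` commands at L6879 and L6885 leave the `$(...)` substitution unquoted inside `[ ]`, so when `update-alternatives --query` prints no Value line (alternative not registered) the test degenerates to `[ = foo ]`, a shell syntax error whose non-zero exit makes Puppet run the command on every run — for the `absent` branch that is a failing `--remove` each time. Quote both operands, e.g. `unless => "[ \"$(update-alternatives --query ${name} | grep ^Value | awk '{print \$2}')\" = \"${linkto}\" ]",` and the `!=` form likewise. The `default` branch calls `err()`, which only logs and lets the catalog continue; `fail("Unknown ensure value: '${ensure}'")` would abort it, and the same applies to the `default` branches in site::aptrepo, site::linux_module and site::sysctl below.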
--- /dev/null
+class site::aptrepo ($key = undef, $template = undef, $config = undef, $ensure = present) {
+
+ if $key {
+ exec { "apt-key-update-${name}":
+ command => "apt-key add /etc/apt/trusted-keys.d/${name}",
+ refreshonly => true,
+ }
+
+ file { "/etc/apt/trusted-keys.d/${name}":
+ source => $key,
+ mode => '0664',
+ notify => Exec["apt-key-update-${name}"]
+ }
+ }
+
+ case $ensure {
+ present: {}
+ absent: {}
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+
+ if ! ($template or $config) {
+ err ( "Can't find configuration for ${name}" )
+ }
+
+ if $template {
+ file { "/etc/apt/sources.list.d/${name}.list":
+ ensure => $ensure,
+ content => template($template),
+ notify => Exec['apt-get update'],
+ }
+ } else {
+ file { "/etc/apt/sources.list.d/${name}.list":
+ ensure => $ensure,
+ source => $config,
+ notify => Exec['apt-get update'],
+ }
+ }
+}
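Review bot: `site::aptrepo` is declared as a `class` but builds per-repository paths from `${name}` at L6895, L6896, L6900 and L6918; inside a class `$name` is the class name itself, so these would resolve to `/etc/apt/trusted-keys.d/site::aptrepo` and `/etc/apt/sources.list.d/site::aptrepo.list`, and a class can be declared only once per catalog anyway. If one instance per repository is intended, this should be `define site::aptrepo ($key = undef, $template = undef, $config = undef, $ensure = present) {`. The key file at L6902 is installed `mode => '0664'`; a group-writable file under /etc/apt/trusted-keys.d is wider than needed and `'0644'` matches the other managed files. Note also that the `absent` case removes the sources list but not the key file, and that removing the file would not by itself drop the key from apt's trusted keyring once `apt-key add` has run.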
--- /dev/null
+class site {
+
+ $localinfo = yamlinfo('*', '/etc/puppet/modules/debian-org/misc/local.yaml')
+ $nodeinfo = nodeinfo($::fqdn, '/etc/puppet/modules/debian-org/misc/local.yaml')
+ $allnodeinfo = allnodeinfo('sshRSAHostKey ipHostNumber', 'purpose mXRecord physicalHost purpose')
+ notice( sprintf('hoster for %s is %s', $::fqdn, getfromhash($nodeinfo, 'hoster', 'name') ) )
+
+ service { 'procps':
+ hasstatus => false,
+ status => '/bin/true',
+ refreshonly => true,
+ }
+}
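Review bot: `refreshonly => true` on `service { 'procps': ... }` at L6942 is, as far as I know, not a parameter of the service type (it belongs to exec), so this would fail catalog compilation with an invalid-parameter error; drop that line. The `hasstatus => false, status => '/bin/true'` pair already makes Puppet treat the service as always running, so it is only ever acted on through the `notify => Service['procps']` in site::sysctl, which is presumably the refresh-only behaviour being sought.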
--- /dev/null
+define site::linux_module ($ensure = present) {
+ case $ensure {
+ present: {
+ exec { "append_module_${name}":
+ command => "echo '${name}' >> /etc/modules",
+ unless => "grep -q -F -x '${name}' /etc/modules",
+ }
+ }
+ absent: {
+ exec { "remove_module_${name}":
+ command => "sed -i -e'/^${name}\$/d' /etc/modules",
+ onlyif => "grep -q -F -x '${name}' /etc/modules",
+ }
+ }
+ default: {
+ err("invalid ensure value ${ensure}")
+ }
+ }
+}
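Review bot: `${name}` is interpolated unescaped into shell commands at L6950 and L6951 and into a sed regex at L6956, so a name containing a quote, `/` or regex metacharacters either breaks the command or deletes the wrong lines from /etc/modules. Kernel module names use a small character set, so validate up front: `if $name !~ /^[A-Za-z0-9_-]+$/ { fail("invalid module name ${name}") }`.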
--- /dev/null
+define site::sysctl ($key, $value, $ensure = present) {
+ include site
+ case $ensure {
+ present: {}
+ absent: {}
+ default: { err ( "Unknown ensure value: '$ensure'" ) }
+ }
+
+ file {
+ "/etc/sysctl.d/${name}.conf":
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0644',
+ content => "${key} = ${value}\n",
+ notify => Service['procps']
+ }
+}
class ssh {
- package {
- openssh-client: ensure => installed;
- openssh-server: ensure => installed;
- }
- file { "/etc/ssh/ssh_config":
- content => template("ssh/ssh_config.erb"),
- require => Package["openssh-client"]
- ;
- "/etc/ssh/sshd_config":
- content => template("ssh/sshd_config.erb"),
- require => Package["openssh-server"],
- notify => Exec["ssh restart"]
- ;
- "/etc/ssh/userkeys":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- ;
- "/etc/ssh/userkeys/root":
- content => template("ssh/authorized_keys.erb"),
- mode => 444,
- require => Package["openssh-server"]
- ;
+ package { [ 'openssh-client', 'openssh-server']:
+ ensure => installed
+ }
+
+ service { 'ssh':
+ ensure => running
}
- exec { "ssh restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- }
+ @ferm::rule { 'dsa-ssh':
+ description => 'Allow SSH from DSA',
+ rule => '&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)'
+ }
+ @ferm::rule { 'dsa-ssh-v6':
+ description => 'Allow SSH from DSA',
+ domain => 'ip6',
+ rule => '&SERVICE_RANGE(tcp, ssh, \$SSH_V6_SOURCES)'
+ }
- @ferm::rule { "dsa-ssh":
- description => "Allow SSH from DSA",
- rule => "&SERVICE_RANGE(tcp, ssh, \$SSH_SOURCES)"
- }
- @ferm::rule { "dsa-ssh-v6":
- description => "Allow SSH from DSA",
- domain => "ip6",
- rule => "&SERVICE_RANGE(tcp, ssh, \$SSH_V6_SOURCES)"
- }
+ file { '/etc/ssh/ssh_config':
+ content => template('ssh/ssh_config.erb'),
+ require => Package['openssh-client']
+ }
+ file { '/etc/ssh/sshd_config':
+ content => template('ssh/sshd_config.erb'),
+ require => Package['openssh-server'],
+ notify => Service['ssh']
+ }
+ file { '/etc/ssh/userkeys':
+ ensure => directory,
+ mode => '0755',
+ require => Package['openssh-server']
+ }
+ file { '/etc/ssh/userkeys/root':
+ content => template('ssh/authorized_keys.erb'),
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
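Review bot: The ferm rules at L7022 and L7027 were converted to single-quoted strings but kept the `\$` escape; unless I am misremembering Puppet's quoting, single-quoted strings only recognise `\\` and `\'`, so the rule text now contains a literal `\$SSH_SOURCES` / `\$SSH_V6_SOURCES` where the old double-quoted form produced `$SSH_SOURCES`, changing the SSH allow rule ferm installs. Write them as `rule => '&SERVICE_RANGE(tcp, ssh, $SSH_SOURCES)'` and `rule => '&SERVICE_RANGE(tcp, ssh, $SSH_V6_SOURCES)'`. The same single-quote/`\$` slip is in the stunnel4 class hunk at L7362 (`\$a ENABLED=1` in the sed script for `enable_stunnel4`), where sed would now receive `\$a` and most likely fail on every run. Separately, `service { 'ssh': ensure => running }` at L7013 lacks `require => Package['openssh-server']`.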
# local admin
-<%= hosterkeys = case nodeinfo['hoster']['name']
+<%= hosterkeys = case scope.lookupvar('site::nodeinfo')['hoster']['name']
when "ubcece" then
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvEEyxznxleAhk98K7SkAeAKWibijL5uFjIl1+tr8rz+XmFsjabTK2+hQXkgzmU+jqQ2+MPp6btfAq9Oe27GQYWUFfsAZMRb907dReFQYPKbPhQZoo5LUfkrCiR3tD0Nm2JfepTV0079K1+Q50EMImttwbI94FfSoSgTxgF4rCoLpUgmF0IHDR1+kTGow7YnuS1Y/I1zKAbofg8KBGXOLArkcZbxArt25Y2wlnE+ZHIb3Rn3pYc3/KmPPvEQy9IkR/uzzkWSaCBVMFJEO0ejjWrV4HR64GlKUPQ0CekSYn1EErY55CF5sWkasXhflluwSf7b+/jedDM1A1Vrp9Z/F8Q== chrisd"
end
<%= machine_keys = case fqdn
when "beethoven.debian.org" then
out = ''
- allnodeinfo.keys.sort.each do |node|
- out += '# ' + allnodeinfo[node]['hostname'].to_s + '
-command="/usr/lib/da-backup/da-backup-ssh-wrap ' + allnodeinfo[node]['hostname'].to_s + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + allnodeinfo[node]['ipHostNumber'].join(',') + '" ' + allnodeinfo[node]['sshRSAHostKey'].to_s + '
+ scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
+ out += '# ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s + '
+command="/usr/lib/da-backup/da-backup-ssh-wrap ' + scope.lookupvar('site::allnodeinfo')[node]['hostname'].to_s + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="' + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].join(',') + '" ' + scope.lookupvar('site::allnodeinfo')[node]['sshRSAHostKey'].to_s + '
'
end
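Review bot: L7065 still reads the fact through the bare `fqdn` (`case fqdn`) while the rest of this commit switches to explicit `scope.lookupvar(...)` and the samhainrc.erb hunk uses `scope.lookupvar('::fqdn')` for the same fact; for consistency, and so this line does not break if implicit variable lookup in templates goes away, change it to `<%= machine_keys = case scope.lookupvar('::fqdn')`. The enclosing template continues outside this hunk.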
class ssl {
- package { openssl: ensure => installed }
- file {
- "/etc/ssl/debian":
- ensure => directory,
- mode => 755,
- purge => true,
- recurse => true,
- force => true,
- source => "puppet:///files/empty/"
- ;
- "/etc/ssl/debian/certs":
- ensure => directory,
- mode => 755,
- source => "puppet:///files/empty/"
- ;
- "/etc/ssl/debian/crls":
- ensure => directory,
- mode => 755,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///files/empty/"
- ;
- "/etc/ssl/debian/keys":
- ensure => directory,
- mode => 750,
- purge => true,
- force => true,
- recurse => true,
- source => "puppet:///files/empty/"
- ;
- "/etc/ssl/debian/certs/thishost.crt":
- source => "puppet:///modules/ssl/clientcerts/$fqdn.client.crt",
- notify => Exec["c_rehash /etc/ssl/debian/certs"],
- ;
- "/etc/ssl/debian/keys/thishost.key":
- source => "puppet:///modules/ssl/clientcerts/$fqdn.key",
- mode => 640
- ;
- "/etc/ssl/debian/certs/ca.crt":
- source => "puppet:///modules/ssl/clientcerts/ca.crt",
- notify => Exec["c_rehash /etc/ssl/debian/certs"],
- ;
- "/etc/ssl/debian/crls/ca.crl":
- source => "puppet:///modules/ssl/clientcerts/ca.crl",
- ;
- }
+ package { 'openssl':
+ ensure => installed
+ }
- exec { "c_rehash /etc/ssl/debian/certs":
- refreshonly => true,
- }
+ file { '/etc/ssl/debian':
+ ensure => directory,
+ mode => '0755',
+ purge => true,
+ recurse => true,
+ force => true,
+ source => 'puppet:///files/empty/'
+ }
+ file { '/etc/ssl/debian/certs':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/ssl/debian/crls':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/ssl/debian/keys':
+ ensure => directory,
+ mode => '0750',
+ }
+ file { '/etc/ssl/debian/certs/thishost.crt':
+ source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
+ notify => Exec['c_rehash /etc/ssl/debian/certs'],
+ }
+ file { '/etc/ssl/debian/keys/thishost.key':
+ source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
+ mode => '0640'
+ }
+ file { '/etc/ssl/debian/certs/ca.crt':
+ source => 'puppet:///modules/ssl/clientcerts/ca.crt',
+ notify => Exec['c_rehash /etc/ssl/debian/certs'],
+ }
+ file { '/etc/ssl/debian/crls/ca.crl':
+ source => 'puppet:///modules/ssl/clientcerts/ca.crl',
+ }
+
+ exec { 'c_rehash /etc/ssl/debian/certs':
+ refreshonly => true,
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
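Review bot: The `/etc/ssl/debian/crls` and `/etc/ssl/debian/keys` directories at L7142-L7149 lost the `purge => true, recurse => true, force => true, source => 'puppet:///files/empty/'` attributes the removed form carried, while the parent `/etc/ssl/debian` at L7130 kept them; unless the parent's recursion is now meant to cover the subdirectories, stale key or CRL files left on a host would no longer be removed, which matters most for the private-key directory. If this is intentional, a one-line comment on the parent resource saying that its recursive purge covers the subdirectories would save the next reader the same question; otherwise restore the attributes on the two subdirectories.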
--- /dev/null
+define stunnel4::client($accept, $connecthost, $connectport) {
+
+ include stunnel4
+
+ file { "/etc/stunnel/puppet-${name}-peer.pem":
+ content => generate('/bin/cat', "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
+ '/etc/puppet/modules/exim/files/certs/ca.crt'),
+ notify => Exec["restart_stunnel_${name}"],
+ }
+
+ stunnel_generic { $name:
+ client => true,
+ verify => 3,
+ cafile => "/etc/stunnel/puppet-${name}-peer.pem",
+ accept => $accept,
+ connect => "${connecthost}:${connectport}",
+ }
+}
+
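Review bot: `stunnel_generic { $name: ... }` at L7184 refers to the nested define this commit removes from class stunnel4; its replacement is `stunnel4::generic`, so this should read `stunnel4::generic { $name:` or catalog compilation fails with an unknown resource type, and the same stale reference is at L7388 in stunnel4::server. Separately, `${connecthost}` is interpolated into a path handed to `generate('/bin/cat', ...)` at L7179, which runs on the puppetmaster; a value containing `..` or `/` would read an arbitrary master-readable file into the peer certificate bundle, so validating the parameter is worthwhile, e.g. `if $connecthost !~ /^[a-z0-9.-]+$/ { fail("invalid connecthost ${connecthost}") }`.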
--- /dev/null
+define stunnel4::generic ($client, $verify, $cafile, $accept, $connect, $crlfile=false, $local=false) {
+
+ include stunnel4
+
+ file { "/etc/stunnel/puppet-${name}.conf":
+ content => template('stunnel4/stunnel.conf.erb'),
+ notify => Exec["restart_stunnel_${name}"],
+ }
+
+ if $client {
+ $certfile = '/etc/ssl/debian/certs/thishost.crt'
+ $keyfile = '/etc/ssl/debian/keys/thishost.key'
+ } else {
+ $certfile = '/etc/exim4/ssl/thishost.crt'
+ $keyfile = '/etc/exim4/ssl/thishost.key'
+ }
+
+ exec { "restart_stunnel_${name}":
+ command => "true && cd / && env -i /etc/init.d/stunnel4 restart puppet-${name}",
+ require => [
+ File['/etc/stunnel/stunnel.conf'],
+ File['/etc/init.d/stunnel4'],
+ Exec['enable_stunnel4'],
+ Exec['kill_file_override'],
+ Package['stunnel4']
+ ],
+ subscribe => [ File[$certfile], File[$keyfile] ],
+ refreshonly => true,
+ }
+}
class stunnel4 {
- define stunnel_generic($client, $verify, $cafile, $crlfile=false, $accept, $connect, $local=false) {
- file {
- "/etc/stunnel":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- ;
- "/etc/stunnel/puppet-${name}.conf":
- content => template("stunnel4/stunnel.conf.erb"),
- notify => Exec["restart_stunnel_${name}"],
- ;
- "/etc/init.d/stunnel4":
- source => "puppet:///modules/stunnel4/etc-init.d-stunnel4",
- mode => 555,
- ;
- }
- case $client {
- true: {
- $certfile = "/etc/ssl/debian/certs/thishost.crt"
- $keyfile = "/etc/ssl/debian/keys/thishost.key"
- }
- default: {
- $certfile = "/etc/exim4/ssl/thishost.crt"
- $keyfile = "/etc/exim4/ssl/thishost.key"
- }
- }
-
- exec {
- "restart_stunnel_${name}":
- command => "true && cd / && env -i /etc/init.d/stunnel4 restart puppet-${name}",
- require => [ File['/etc/stunnel/stunnel.conf'],
- File['/etc/init.d/stunnel4'],
- Exec['enable_stunnel4'],
- Exec['kill_file_override'],
- Package['stunnel4']
- ],
- subscribe => [ File[$certfile],
- File[$keyfile]
- ],
- refreshonly => true,
- ;
- }
- }
-
- # define an stunnel listener, listening for SSL connections on $accept,
- # connecting to plaintext service $connect using local source address $local
- #
- # unfortunately stunnel is really bad about verifying its peer,
- # all we can be certain of is that they are signed by our CA,
- # not who they are. So do not use in places where the identity of
- # the caller is important. Use dsa-portforwarder for that.
- define stunnel_server($accept, $connect, $local = "127.0.0.1") {
- stunnel_generic {
- "${name}":
- client => false,
- verify => 2,
- cafile => "/etc/exim4/ssl/ca.crt",
- crlfile => "/etc/exim4/ssl/crl.crt",
- accept => "${accept}",
- connect => "${connect}",
- ;
- }
- @ferm::rule {
- "stunnel-${name}":
- description => "stunnel ${name}",
- rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)",
- ;
- "stunnel-${name}-v6":
- domain => 'ip6',
- description => "stunnel ${name}",
- rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)",
- ;
- }
- }
- define stunnel_client($accept, $connecthost, $connectport) {
- file {
- "/etc/stunnel/puppet-${name}-peer.pem":
- # source => "puppet:///modules/exim/certs/${connecthost}.crt",
- content => generate("/bin/cat", "/etc/puppet/modules/exim/files/certs/${connecthost}.crt",
- "/etc/puppet/modules/exim/files/certs/ca.crt"),
- notify => Exec["restart_stunnel_${name}"],
- ;
- }
- stunnel_generic {
- "${name}":
- client => true,
- verify => 3,
- cafile => "/etc/stunnel/puppet-${name}-peer.pem",
- accept => "${accept}",
- connect => "${connecthost}:${connectport}",
- ;
- }
- }
-
-
- package {
- "stunnel4": ensure => installed;
- }
-
- file {
- "/etc/stunnel/stunnel.conf":
- ensure => absent,
- require => [ Package['stunnel4'] ],
- ;
- }
-
- exec {
- "enable_stunnel4":
- command => "sed -i -e 's/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet' /etc/default/stunnel4",
- unless => "grep -q '^ENABLED=1' /etc/default/stunnel4",
- require => [ Package['stunnel4'] ],
- ;
- "kill_file_override":
- command => "sed -i -e 's/^FILES=/#&/' /etc/default/stunnel4",
- onlyif => "grep -q '^FILES=' /etc/default/stunnel4",
- require => [ Package['stunnel4'] ],
- ;
- }
+ package { 'stunnel4':
+ ensure => installed
+ }
+
+ file { '/etc/stunnel':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/init.d/stunnel4':
+ source => 'puppet:///modules/stunnel4/etc-init.d-stunnel4',
+ mode => '0555',
+ }
+ file { '/etc/stunnel/stunnel.conf':
+ ensure => absent,
+ require => Package['stunnel4'],
+ }
+
+ exec { 'enable_stunnel4':
+ command => 'sed -i -e \'s/^ENABLED=/#&/; \$a ENABLED=1 # added by puppet\' /etc/default/stunnel4',
+ unless => 'grep -q \'^ENABLED=1\' /etc/default/stunnel4',
+ require => Package['stunnel4'],
+ }
+ exec { 'kill_file_override':
+ command => 'sed -i -e \'s/^FILES=/#&/\' /etc/default/stunnel4',
+ onlyif => 'grep -q \'^FILES=\' /etc/default/stunnel4',
+ require => Package['stunnel4'],
+ }
}
-
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
--- /dev/null
+define stunnel4::server($accept, $connect, $local = '127.0.0.1') {
+# define an stunnel listener, listening for SSL connections on $accept,
+# connecting to plaintext service $connect using local source address $local
+#
+# unfortunately stunnel is really bad about verifying its peer,
+# all we can be certain of is that they are signed by our CA,
+# not who they are. So do not use in places where the identity of
+# the caller is important. Use dsa-portforwarder for that.
+
+ include stunnel4
+
+ stunnel_generic { $name:
+ client => false,
+ verify => 2,
+ cafile => '/etc/exim4/ssl/ca.crt',
+ crlfile => '/etc/exim4/ssl/crl.crt',
+ accept => $accept,
+ connect => $connect
+ }
+
+ @ferm::rule {
+ "stunnel-${name}":
+ description => "stunnel ${name}",
+ rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)"
+ }
+ @ferm::rule { "stunnel-${name}-v6":
+ domain => 'ip6',
+ description => "stunnel ${name}",
+ rule => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)"
+ }
+
+}
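Review bot: The description comment at L7378-L7384 sits inside the define body, at column 0, between the signature and the `include stunnel4`; it is the define's documentation and reads better placed immediately above the `define stunnel4::server(...)` line as a header comment, indented like the other manifests, so readers and doc tooling find it where they expect. The `stunnel_generic` reference at L7388 is covered in the note on stunnel4::client.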
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-#%PAM-1.0
-
-auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
-auth required pam_unix.so nullok_secure try_first_pass
-@include common-account
-
-session required pam_permit.so
-session required pam_limits.so
+++ /dev/null
-# /etc/sudoers
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-###################################################################
-###################################################################
-###################################################################
-##
-## PLEASE EDIT THIS FILE WITH THE visudo COMMAND TO ENSURE IT
-## IS SYNTACTICALLY VALID.
-##
-## /usr/sbin/visudo -f sudoers
-##
-###################################################################
-###################################################################
-###################################################################
-
-Defaults env_reset
-Defaults passprompt="[sudo] password for %u on %h: "
-Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-
-# Host alias specification
-Host_Alias QAHOSTS = master, quantz, stabile
-Host_Alias WEBHOSTS = wolkenstein
-Host_Alias SECHOSTS = chopin
-Host_Alias FTPHOSTS = franck, morricone, bizet
-Host_Alias ZIVITHOSTS = zelenka, zandonai
-Host_Alias AACRAIDHOSTS = bellini, morricone, paganini, respighi, vivaldi, beethoven, pettersson
-Host_Alias MEGARAIDHOSTS = grieg, rautavaara, sibelius
-Host_Alias MPTRAIDHOSTS = master, fasch, holter, barber, biber, cilea, vitry, krenek, scelsi, orff, field
-Host_Alias MEGACTLHOSTS = lindberg, englund, heininen, nielsen
-Host_Alias LISTHOSTS = liszt, bendel
-
-# Cmnd alias specification
-
-# User privilege specification
-root ALL=(ALL) ALL
-
-
-# DSA and local admins
-%adm ALL=(ALL) ALL
-%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none, /usr/sbin/upgrade-porter-chroots
-
-%zivit-admins ZIVITHOSTS=(ALL) NOPASSWD: ALL
-
-# nagios
-nagios ALL=(ALL) NOPASSWD: /etc/init.d/ekeyd-egd-linux restart
-nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup ""
-# with smartarray controllers
-nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""
-nagios ALL=(ALL) NOPASSWD: /usr/bin/arrayprobe ""
-nagios franck=(ALL) NOPASSWD: /usr/bin/arrayprobe -f /dev/cciss/c1d0
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller all show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd all show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9]\:[0-9] show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9] show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9][0-9] show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] show status
-nagios franck=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=1 enclosure 1E\:1 show detail
-
-# other raid controllers
-nagios powell=(ALL) NOPASSWD: /usr/local/sbin/areca-cli vsf info
-nagios puccini=(ALL) NOPASSWD: /usr/local/bin/tw_cli info c0 u0 status
-nagios MPTRAIDHOSTS=(ALL) NOPASSWD: /usr/sbin/mpt-status -s
-nagios AACRAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/arcconf GETCONFIG 1 LD, /usr/local/bin/arcconf GETCONFIG 1 AD
-nagios MEGARAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/megarc -AllAdpInfo -nolog, /usr/local/bin/megarc -dispCfg -a0 -nolog
-nagios MEGACTLHOSTS=(ALL) NOPASSWD: /usr/sbin/megactl -Hv
-# other nagios things
-nagios beethoven=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg ""
-
-# groups and their role accounts
-%auditor ALL=(accounting) ALL
-%backports ALL=(backports) ALL
-%buildd ALL=(buildd) ALL
-%d-i ALL=(d-i) ALL
-%dde ALL=(dde) ALL
-%ddtp ALL=(ddtp) ALL
-%debadmin ALL=(dak) ALL
-%debbugs ALL=(debbugs) ALL
-%debbugs ALL=(debbugs-mirror) ALL
-%debian-cd ALL=(debian-cd) ALL
-%debian-i18n ALL=(debian-i18n) ALL
-%debian-release ALL=(release) ALL
-%debtags ALL=(debtags) ALL
-%debvoip cilea=(freeswitch) ALL
-%debwww ALL=(debwww) ALL
-%btslink ALL=(btslink) ALL
-%emdebian ALL=(emdebian) ALL
-%forums ALL=(forums) ALL
-%keyring ALL=(keyring) ALL
-%lintian ALL=(lintian) ALL
-%listweb ALL=(listweb) ALL
-%list LISTHOSTS=(list) ALL
-%mirroradm ALL=(archvsync) ALL
-%nm ALL=(nm) ALL
-%patch-tracker ALL=(patch-tracker) ALL
-%piuparts ALL=(piupartsm) ALL
-%piuparts ALL=(piupartss) ALL
-%pkg_maint ALL=(pkg_user) ALL
-%planet ALL=(planet) ALL
-%popcon ALL=(popcon) ALL
-%search ALL=(search) ALL
-%secretary ALL=(secretary) ALL
-%sectracker ALL=(sectracker) ALL
-%security SECHOSTS=(mail_security) ALL
-%snapshot ALL=(snapshot) ALL
-%uddadm ALL=(udd) ALL
-%volatile ALL=(volatile) ALL
-%wbadm ALL=(wbadm) ALL
-%mujeres ALL=(women) ALL
-%wikiadm ALL=(wiki) ALL
-%qa-core QAHOSTS=(qa) ALL
-%gobby gombert=(gobby) ALL
-
-# the dak user gets to run stuff as dak-unpriv (for things like lintian checks)
-dak ALL=(dak-unpriv) NOPASSWD: ALL
-
-# some groups are in apachectrl on "their" hosts so they can reload apache and update their vhost
-%apachectrl ALL=(root) /usr/sbin/apache2-vhost-update
-
-# buildd
-# FIXME: change that ALL for hosts to a hostlist of buildds?
-Defaults:buildd env_reset,env_keep+="APT_CONFIG DEBIAN_FRONTEND"
-buildd ALL=(ALL) NOPASSWD: ALL
-
-# The piuparts slave needs to handle chroots
-piupartss piatti=(ALL) NOPASSWD: ALL
-# trigger of mirror run for packages
-pkg_user powell=(archvsync) NOPASSWD: /home/archvsync/bin/pushpdo
-# on draghi, the domains git thing will run bind9 reload afterwards
-%dnsadm draghi,orff=(root) NOPASSWD: /etc/init.d/bind9 reload
-%dnsadm draghi,orff=(geodnssync) NOPASSWD: /usr/bin/make -C /srv/dns.debian.org/geo
-%adm draghi=(puppet) NOPASSWD: /usr/bin/make -s -C /srv/db.debian.org/var/gitnagios/dsa-nagios/config install
-# remote power to babylon5 in the same rack:
-joerg unger=(ALL) /usr/bin/sispmctl -t [12], /usr/bin/sispmctl -g [12]
-# wbadm can update all buildd* users' keys on buildd.d.o
-%wbadm grieg=(root) /usr/local/bin/update-buildd-sshkeys
-wbadm grieg=(postgres) NOPASSWD: /usr/bin/pg_dumpall --cluster 8.4/wanna-build
-# mirror push
-dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors
-planet senfl=(archvsync) NOPASSWD: /home/archvsync/bin/runplanet ""
-# archvsync triggers snapshot
-archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger
-archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger
-# allow the debbugs-mirror user on rietz to release the afs volume so changes make it to the read-only replicas
-debbugs-mirror rietz=(root) NOPASSWD: /usr/bin/vos release -id srv.mirrors.bugs -localauth
-# dak stuff
-%debian-release FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
-%ftpteam FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
-# security
-%security SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
-%sec_public SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
-%sec_public SECHOSTS=(dak) NOPASSWD: /home/dak/trigger_mirror
-dak SECHOSTS=(archvsync) NOPASSWD: /home/archvsync/signal_security
-# web stuff
-debwww WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors
-%press WEBHOSTS=(debwww) /org/www.debian.org/update-part News
-# more list stuff
-%list LISTHOSTS=(root) /usr/sbin/postfix reload
-%list LISTHOSTS=(root) /usr/sbin/qshape, /usr/sbin/postsuper
-%list LISTHOSTS=(root) /etc/init.d/spamassassin, /etc/init.d/amavis
-%list LISTHOSTS=(amavis) NOPASSWD: /usr/bin/sa-learn
-%list LISTHOSTS=(amavis) ALL
-# geodns may reload bind
-geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload
-geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig
-# fossology
-%fossy vivaldi=(root) /etc/init.d/fossology
-%fossy vivaldi=(fossy) ALL
-
-# Porter work
-%porter-armel abel,agricola=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-armel harris=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-amd64 barriere,pergolesi=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-hppa paer=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-ia64 merulo=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-mips eder,gabrielli=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-ppc partch=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-s390 zelenka=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-sparc smetana,sperger=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+++ /dev/null
-# /etc/sudoers
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-###################################################################
-###################################################################
-###################################################################
-##
-## PLEASE EDIT THIS FILE WITH THE visudo COMMAND TO ENSURE IT
-## IS SYNTACTICALLY VALID.
-##
-## /usr/sbin/visudo -f sudoers
-##
-###################################################################
-###################################################################
-###################################################################
-
-Defaults env_reset
-Defaults passprompt="[sudo] password for %u on %h: "
-
-# Host alias specification
-Host_Alias QAHOSTS = master, quantz, stabile
-Host_Alias WEBHOSTS = wolkenstein
-Host_Alias SECHOSTS = chopin
-Host_Alias FTPHOSTS = franck, morricone
-Host_Alias ZIVITHOSTS = zelenka, zandonai
-Host_Alias AACRAIDHOSTS = bellini, morricone, paganini, respighi, vivaldi, beethoven, pettersson
-Host_Alias MEGARAIDHOSTS = grieg, rautavaara, sibelius
-Host_Alias MPTRAIDHOSTS = master, fasch, holter, barber, biber, cilea, vitry, krenek, scelsi, orff, field
-Host_Alias MEGACTLHOSTS = lindberg, englund, heininen
-
-# Cmnd alias specification
-
-# User privilege specification
-root ALL=(ALL) ALL
-
-
-# DSA and local admins
-%adm ALL=(ALL) ALL
-%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none, /usr/sbin/upgrade-porter-chroots
-
-%zivit-admins ZIVITHOSTS=(ALL) NOPASSWD: ALL
-
-# nagios
-nagios ALL=(ALL) NOPASSWD: /etc/init.d/ekeyd-egd-linux restart
-nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup ""
-# with smartarray controllers
-nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""
-nagios ALL=(ALL) NOPASSWD: /usr/bin/arrayprobe ""
-nagios franck=(ALL) NOPASSWD: /usr/bin/arrayprobe -f /dev/cciss/c1d0
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller all show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd all show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9]\:[0-9] show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9] show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9][0-9] show
-nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] show status
-nagios franck=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=1 enclosure 1E\:1 show detail
-
-# other raid controllers
-nagios powell=(ALL) NOPASSWD: /usr/local/sbin/areca-cli vsf info
-nagios puccini=(ALL) NOPASSWD: /usr/local/bin/tw_cli info c0 u0 status
-nagios MPTRAIDHOSTS=(ALL) NOPASSWD: /usr/sbin/mpt-status -s
-nagios AACRAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/arcconf GETCONFIG 1 LD, /usr/local/bin/arcconf GETCONFIG 1 AD
-nagios MEGARAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/megarc -AllAdpInfo -nolog, /usr/local/bin/megarc -dispCfg -a0 -nolog
-nagios MEGACTLHOSTS=(ALL) NOPASSWD: /usr/sbin/megactl -Hv
-# other nagios things
-nagios beethoven=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg ""
-
-# groups and their role accounts
-%auditor ALL=(accounting) ALL
-%backports ALL=(backports) ALL
-%buildd ALL=(buildd) ALL
-%d-i ALL=(d-i) ALL
-%dde ALL=(dde) ALL
-%ddtp ALL=(ddtp) ALL
-%debadmin ALL=(dak) ALL
-%debbugs ALL=(debbugs) ALL
-%debbugs ALL=(debbugs-mirror) ALL
-%debian-cd ALL=(debian-cd) ALL
-%debian-i18n ALL=(debian-i18n) ALL
-%debian-release ALL=(release) ALL
-%debtags ALL=(debtags) ALL
-%debvoip cilea=(freeswitch) ALL
-%debwww ALL=(debwww) ALL
-%btslink ALL=(btslink) ALL
-%emdebian ALL=(emdebian) ALL
-%forums ALL=(forums) ALL
-%keyring ALL=(keyring) ALL
-%lintian ALL=(lintian) ALL
-%listweb ALL=(listweb) ALL
-%list liszt=(list) ALL
-%mirroradm ALL=(archvsync) ALL
-%nm ALL=(nm) ALL
-%patch-tracker ALL=(patch-tracker) ALL
-%piuparts ALL=(piupartsm) ALL
-%piuparts ALL=(piupartss) ALL
-%pkg_maint ALL=(pkg_user) ALL
-%planet ALL=(planet) ALL
-%popcon ALL=(popcon) ALL
-%search ALL=(search) ALL
-%secretary ALL=(secretary) ALL
-%sectracker ALL=(sectracker) ALL
-%security SECHOSTS=(mail_security) ALL
-%snapshot ALL=(snapshot) ALL
-%uddadm ALL=(udd) ALL
-%volatile ALL=(volatile) ALL
-%wbadm ALL=(wbadm) ALL
-%mujeres ALL=(women) ALL
-%wikiadm ALL=(wiki) ALL
-%qa-core QAHOSTS=(qa) ALL
-%gobby gombert=(gobby) ALL
-
-# the dak user gets to run stuff as dak-unpriv (for things like lintian checks)
-dak ALL=(dak-unpriv) NOPASSWD: ALL
-
-# some groups are in apachectrl on "their" hosts so they can reload apache and update their vhost
-%apachectrl ALL=(root) /usr/sbin/apache2-vhost-update
-
-# buildd
-# FIXME: change that ALL for hosts to a hostlist of buildds?
-Defaults:buildd env_reset,env_keep+="APT_CONFIG DEBIAN_FRONTEND"
-buildd ALL=(ALL) NOPASSWD: ALL
-
-# The piuparts slave needs to handle chroots
-piupartss piatti=(ALL) NOPASSWD: ALL
-# trigger of mirror run for packages
-pkg_user powell=(archvsync) NOPASSWD: /home/archvsync/bin/pushpdo
-# on draghi, the domains git thing will run bind9 reload afterwards
-%dnsadm draghi,orff=(root) NOPASSWD: /etc/init.d/bind9 reload
-%dnsadm draghi,orff=(geodnssync) NOPASSWD: /usr/bin/make -C /srv/dns.debian.org/geo
-%adm draghi=(puppet) NOPASSWD: /usr/bin/make -s -C /srv/db.debian.org/var/gitnagios/dsa-nagios/config install
-# remote power to babylon5 in the same rack:
-joerg unger=(ALL) /usr/bin/sispmctl -t [12], /usr/bin/sispmctl -g [12]
-# wbadm can update all buildd* users' keys on buildd.d.o
-%wbadm grieg=(root) /usr/local/bin/update-buildd-sshkeys
-wbadm grieg=(postgres) NOPASSWD: /usr/bin/pg_dumpall --cluster 8.4/wanna-build
-# mirror push
-dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors
-planet senfl=(archvsync) NOPASSWD: /home/archvsync/bin/runplanet ""
-# archvsync triggers snapshot
-archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger
-archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger
-# allow the debbugs-mirror user on rietz to release the afs volume so changes make it to the read-only replicas
-debbugs-mirror rietz=(root) NOPASSWD: /usr/bin/vos release -id srv.mirrors.bugs -localauth
-# dak stuff
-%debian-release FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
-%ftpteam FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
-# security
-%security SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
-%sec_public SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
-%sec_public SECHOSTS=(dak) NOPASSWD: /home/dak/trigger_mirror
-dak SECHOSTS=(archvsync) NOPASSWD: /home/archvsync/signal_security
-# web stuff
-debwww WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors
-%press WEBHOSTS=(debwww) /org/www.debian.org/update-part News
-# more list stuff
-%list liszt=(root) /usr/sbin/postfix reload
-%list liszt=(root) /usr/sbin/qshape, /usr/sbin/postsuper
-%list liszt=(root) /etc/init.d/spamassassin, /etc/init.d/amavis
-%list liszt=(amavis) NOPASSWD: /usr/bin/sa-learn
-%list liszt=(amavis) ALL
-# geodns may reload bind
-geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload
-geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig
-# fossology
-%fossy vivaldi=(root) /etc/init.d/fossology
-%fossy vivaldi=(fossy) ALL
-
-# Porter work
-%porter-armel abel,agricola=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-armel harris=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-amd64 pergolesi=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-hppa paer=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-ia64 merulo=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-mips gabrielli=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-s390 zelenka=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
-%porter-sparc smetana,sperger=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+#%PAM-1.0
+
+auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd
+auth required pam_unix.so nullok_secure try_first_pass
+@include common-account
+
+session required pam_permit.so
+session required pam_limits.so
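Review bot: `nullok_secure` on the `auth required pam_unix.so nullok_secure try_first_pass` line lets an account with an empty unix password pass sudo's authentication when the tty is listed in /etc/securetty, which is rarely wanted for a sudo stack; drop it (`auth required pam_unix.so try_first_pass`) unless some role account is known to rely on it. With `default=die` on the `pam_pwdfile.so` line, a wrong password for a user present in `sudo-passwd` ends the stack without consulting pam_unix, and a user absent from the file only reaches pam_unix if pam_pwdfile reports that case as `authinfo_unavail` — worth confirming and recording above the line, e.g. `# per-host sudo passwords win: a user listed in sudo-passwd never falls back to the unix password`. The session stack lists `pam_permit`/`pam_limits` directly instead of `@include common-session`, so whatever Debian's common-session configures is skipped for sudo; confirm that is intended.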
--- /dev/null
+# /etc/sudoers
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+###################################################################
+###################################################################
+###################################################################
+##
+## PLEASE EDIT THIS FILE WITH THE visudo COMMAND TO ENSURE IT
+## IS SYNTACTICALLY VALID.
+##
+## /usr/sbin/visudo -f sudoers
+##
+###################################################################
+###################################################################
+###################################################################
+
+Defaults env_reset
+Defaults passprompt="[sudo] password for %u on %h: "
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+Host_Alias QAHOSTS = master, quantz, stabile
+Host_Alias WEBHOSTS = wolkenstein
+Host_Alias SECHOSTS = chopin
+Host_Alias FTPHOSTS = franck, morricone, bizet
+Host_Alias ZIVITHOSTS = zelenka, zandonai
+Host_Alias AACRAIDHOSTS = bellini, morricone, paganini, respighi, vivaldi, beethoven, pettersson
+Host_Alias MEGARAIDHOSTS = grieg, rautavaara, sibelius
+Host_Alias MPTRAIDHOSTS = master, fasch, holter, barber, biber, cilea, vitry, krenek, scelsi, orff, field
+Host_Alias MEGACTLHOSTS = lindberg, englund, heininen, nielsen
+Host_Alias LISTHOSTS = liszt, bendel
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL) ALL
+
+
+# DSA and local admins
+%adm ALL=(ALL) ALL
+%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none, /usr/sbin/upgrade-porter-chroots
+
+%zivit-admins ZIVITHOSTS=(ALL) NOPASSWD: ALL
+
+# nagios
+nagios ALL=(ALL) NOPASSWD: /etc/init.d/ekeyd-egd-linux restart
+nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup ""
+# with smartarray controllers
+nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""
+nagios ALL=(ALL) NOPASSWD: /usr/bin/arrayprobe ""
+nagios franck=(ALL) NOPASSWD: /usr/bin/arrayprobe -f /dev/cciss/c1d0
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller all show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd all show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9]\:[0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9][0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] show status
+nagios franck=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=1 enclosure 1E\:1 show detail
+
+# other raid controllers
+nagios powell=(ALL) NOPASSWD: /usr/local/sbin/areca-cli vsf info
+nagios puccini=(ALL) NOPASSWD: /usr/local/bin/tw_cli info c0 u0 status
+nagios MPTRAIDHOSTS=(ALL) NOPASSWD: /usr/sbin/mpt-status -s
+nagios AACRAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/arcconf GETCONFIG 1 LD, /usr/local/bin/arcconf GETCONFIG 1 AD
+nagios MEGARAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/megarc -AllAdpInfo -nolog, /usr/local/bin/megarc -dispCfg -a0 -nolog
+nagios MEGACTLHOSTS=(ALL) NOPASSWD: /usr/sbin/megactl -Hv
+# other nagios things
+nagios beethoven=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg ""
+
+# groups and their role accounts
+%auditor ALL=(accounting) ALL
+%backports ALL=(backports) ALL
+%buildd ALL=(buildd) ALL
+%d-i ALL=(d-i) ALL
+%dde ALL=(dde) ALL
+%ddtp ALL=(ddtp) ALL
+%debadmin ALL=(dak) ALL
+%debbugs ALL=(debbugs) ALL
+%debbugs ALL=(debbugs-mirror) ALL
+%debian-cd ALL=(debian-cd) ALL
+%debian-i18n ALL=(debian-i18n) ALL
+%debian-release ALL=(release) ALL
+%debtags ALL=(debtags) ALL
+%debvoip cilea=(freeswitch) ALL
+%debwww ALL=(debwww) ALL
+%btslink ALL=(btslink) ALL
+%emdebian ALL=(emdebian) ALL
+%forums ALL=(forums) ALL
+%keyring ALL=(keyring) ALL
+%lintian ALL=(lintian) ALL
+%listweb ALL=(listweb) ALL
+%list LISTHOSTS=(list) ALL
+%mirroradm ALL=(archvsync) ALL
+%nm ALL=(nm) ALL
+%patch-tracker ALL=(patch-tracker) ALL
+%piuparts ALL=(piupartsm) ALL
+%piuparts ALL=(piupartss) ALL
+%pkg_maint ALL=(pkg_user) ALL
+%planet ALL=(planet) ALL
+%popcon ALL=(popcon) ALL
+%search ALL=(search) ALL
+%secretary ALL=(secretary) ALL
+%sectracker ALL=(sectracker) ALL
+%security SECHOSTS=(mail_security) ALL
+%snapshot ALL=(snapshot) ALL
+%uddadm ALL=(udd) ALL
+%volatile ALL=(volatile) ALL
+%wbadm ALL=(wbadm) ALL
+%mujeres ALL=(women) ALL
+%wikiadm ALL=(wiki) ALL
+%qa-core QAHOSTS=(qa) ALL
+%gobby gombert=(gobby) ALL
+
+# the dak user gets to run stuff as dak-unpriv (for things like lintian checks)
+dak ALL=(dak-unpriv) NOPASSWD: ALL
+
+# some groups are in apachectrl on "their" hosts so they can reload apache and update their vhost
+%apachectrl ALL=(root) /usr/sbin/apache2-vhost-update
+
+# buildd
+# FIXME: change that ALL for hosts to a hostlist of buildds?
+Defaults:buildd env_reset,env_keep+="APT_CONFIG DEBIAN_FRONTEND"
+buildd ALL=(ALL) NOPASSWD: ALL
+
+# The piuparts slave needs to handle chroots
+piupartss piatti=(ALL) NOPASSWD: ALL
+# trigger of mirror run for packages
+pkg_user powell=(archvsync) NOPASSWD: /home/archvsync/bin/pushpdo
+# on draghi, the domains git thing will run bind9 reload afterwards
+%dnsadm draghi,orff=(root) NOPASSWD: /etc/init.d/bind9 reload
+%dnsadm draghi,orff=(geodnssync) NOPASSWD: /usr/bin/make -C /srv/dns.debian.org/geo
+%adm draghi=(puppet) NOPASSWD: /usr/bin/make -s -C /srv/db.debian.org/var/gitnagios/dsa-nagios/config install
+# remote power to babylon5 in the same rack:
+joerg unger=(ALL) /usr/bin/sispmctl -t [12], /usr/bin/sispmctl -g [12]
+# wbadm can update all buildd* users' keys on buildd.d.o
+%wbadm grieg=(root) /usr/local/bin/update-buildd-sshkeys
+wbadm grieg=(postgres) NOPASSWD: /usr/bin/pg_dumpall --cluster 8.4/wanna-build
+# mirror push
+dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors
+planet senfl=(archvsync) NOPASSWD: /home/archvsync/bin/runplanet ""
+# archvsync triggers snapshot
+archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger
+archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger
+# allow the debbugs-mirror user on rietz to release the afs volume so changes make it to the read-only replicas
+debbugs-mirror rietz=(root) NOPASSWD: /usr/bin/vos release -id srv.mirrors.bugs -localauth
+# dak stuff
+%debian-release FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
+%ftpteam FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
+# security
+%security SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
+%sec_public SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
+%sec_public SECHOSTS=(dak) NOPASSWD: /home/dak/trigger_mirror
+dak SECHOSTS=(archvsync) NOPASSWD: /home/archvsync/signal_security
+# web stuff
+debwww WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors
+%press WEBHOSTS=(debwww) /org/www.debian.org/update-part News
+# more list stuff
+%list LISTHOSTS=(root) /usr/sbin/postfix reload
+%list LISTHOSTS=(root) /usr/sbin/qshape, /usr/sbin/postsuper
+%list LISTHOSTS=(root) /etc/init.d/spamassassin, /etc/init.d/amavis
+%list LISTHOSTS=(amavis) NOPASSWD: /usr/bin/sa-learn
+%list LISTHOSTS=(amavis) ALL
+# geodns may reload bind
+geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload
+geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig
+# fossology
+%fossy vivaldi=(root) /etc/init.d/fossology
+%fossy vivaldi=(fossy) ALL
+
+# Porter work
+%porter-armel abel,agricola=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-armel harris=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-amd64 barriere,pergolesi=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-hppa paer=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-ia64 merulo=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-mips eder,gabrielli=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-ppc partch=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-s390 zelenka=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-sparc smetana,sperger=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
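Review bot: The trailing `*` in `%debian-release FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *` and in the `%ftpteam` line below it matches across whitespace in sudoers, so it permits any argument string after `--import`, not just a single file name; if `dak transitions` honours further options after the file argument, group members can pass them as dak. A wrapper script that accepts exactly one argument and validates it, listed here without a wildcard, would close that without changing the workflow. Style: `dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors` omits the space after the tag that every other entry uses; sudo appears to tolerate it, but `NOPASSWD: /home/archvsync/runmirrors` keeps the file consistent and greppable.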
--- /dev/null
+# /etc/sudoers
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+###################################################################
+###################################################################
+###################################################################
+##
+## PLEASE EDIT THIS FILE WITH THE visudo COMMAND TO ENSURE IT
+## IS SYNTACTICALLY VALID.
+##
+## /usr/sbin/visudo -f sudoers
+##
+###################################################################
+###################################################################
+###################################################################
+
+Defaults env_reset
+Defaults passprompt="[sudo] password for %u on %h: "
+
+# Host alias specification
+Host_Alias QAHOSTS = master, quantz, stabile
+Host_Alias WEBHOSTS = wolkenstein
+Host_Alias SECHOSTS = chopin
+Host_Alias FTPHOSTS = franck, morricone
+Host_Alias ZIVITHOSTS = zelenka, zandonai
+Host_Alias AACRAIDHOSTS = bellini, morricone, paganini, respighi, vivaldi, beethoven, pettersson
+Host_Alias MEGARAIDHOSTS = grieg, rautavaara, sibelius
+Host_Alias MPTRAIDHOSTS = master, fasch, holter, barber, biber, cilea, vitry, krenek, scelsi, orff, field
+Host_Alias MEGACTLHOSTS = lindberg, englund, heininen
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL) ALL
+
+
+# DSA and local admins
+%adm ALL=(ALL) ALL
+%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none, /usr/sbin/upgrade-porter-chroots
+
+%zivit-admins ZIVITHOSTS=(ALL) NOPASSWD: ALL
+
+# nagios
+nagios ALL=(ALL) NOPASSWD: /etc/init.d/ekeyd-egd-linux restart
+nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup ""
+# with smartarray controllers
+nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""
+nagios ALL=(ALL) NOPASSWD: /usr/bin/arrayprobe ""
+nagios franck=(ALL) NOPASSWD: /usr/bin/arrayprobe -f /dev/cciss/c1d0
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller all show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd all show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9]\:[0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] pd [0-9][EIC]\:[0-9]\:[0-9][0-9] show
+nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[0129] show status
+nagios franck=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=1 enclosure 1E\:1 show detail
+
+# other raid controllers
+nagios powell=(ALL) NOPASSWD: /usr/local/sbin/areca-cli vsf info
+nagios puccini=(ALL) NOPASSWD: /usr/local/bin/tw_cli info c0 u0 status
+nagios MPTRAIDHOSTS=(ALL) NOPASSWD: /usr/sbin/mpt-status -s
+nagios AACRAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/arcconf GETCONFIG 1 LD, /usr/local/bin/arcconf GETCONFIG 1 AD
+nagios MEGARAIDHOSTS=(ALL) NOPASSWD: /usr/local/bin/megarc -AllAdpInfo -nolog, /usr/local/bin/megarc -dispCfg -a0 -nolog
+nagios MEGACTLHOSTS=(ALL) NOPASSWD: /usr/sbin/megactl -Hv
+# other nagios things
+nagios beethoven=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg ""
+
+# groups and their role accounts
+%auditor ALL=(accounting) ALL
+%backports ALL=(backports) ALL
+%buildd ALL=(buildd) ALL
+%d-i ALL=(d-i) ALL
+%dde ALL=(dde) ALL
+%ddtp ALL=(ddtp) ALL
+%debadmin ALL=(dak) ALL
+%debbugs ALL=(debbugs) ALL
+%debbugs ALL=(debbugs-mirror) ALL
+%debian-cd ALL=(debian-cd) ALL
+%debian-i18n ALL=(debian-i18n) ALL
+%debian-release ALL=(release) ALL
+%debtags ALL=(debtags) ALL
+%debvoip cilea=(freeswitch) ALL
+%debwww ALL=(debwww) ALL
+%btslink ALL=(btslink) ALL
+%emdebian ALL=(emdebian) ALL
+%forums ALL=(forums) ALL
+%keyring ALL=(keyring) ALL
+%lintian ALL=(lintian) ALL
+%listweb ALL=(listweb) ALL
+%list liszt=(list) ALL
+%mirroradm ALL=(archvsync) ALL
+%nm ALL=(nm) ALL
+%patch-tracker ALL=(patch-tracker) ALL
+%piuparts ALL=(piupartsm) ALL
+%piuparts ALL=(piupartss) ALL
+%pkg_maint ALL=(pkg_user) ALL
+%planet ALL=(planet) ALL
+%popcon ALL=(popcon) ALL
+%search ALL=(search) ALL
+%secretary ALL=(secretary) ALL
+%sectracker ALL=(sectracker) ALL
+%security SECHOSTS=(mail_security) ALL
+%snapshot ALL=(snapshot) ALL
+%uddadm ALL=(udd) ALL
+%volatile ALL=(volatile) ALL
+%wbadm ALL=(wbadm) ALL
+%mujeres ALL=(women) ALL
+%wikiadm ALL=(wiki) ALL
+%qa-core QAHOSTS=(qa) ALL
+%gobby gombert=(gobby) ALL
+
+# the dak user gets to run stuff as dak-unpriv (for things like lintian checks)
+dak ALL=(dak-unpriv) NOPASSWD: ALL
+
+# some groups are in apachectrl on "their" hosts so they can reload apache and update their vhost
+%apachectrl ALL=(root) /usr/sbin/apache2-vhost-update
+
+# buildd
+# FIXME: change that ALL for hosts to a hostlist of buildds?
+Defaults:buildd env_reset,env_keep+="APT_CONFIG DEBIAN_FRONTEND"
+buildd ALL=(ALL) NOPASSWD: ALL
+
+# The piuparts slave needs to handle chroots
+piupartss piatti=(ALL) NOPASSWD: ALL
+# trigger of mirror run for packages
+pkg_user powell=(archvsync) NOPASSWD: /home/archvsync/bin/pushpdo
+# on draghi, the domains git thing will run bind9 reload afterwards
+%dnsadm draghi,orff=(root) NOPASSWD: /etc/init.d/bind9 reload
+%dnsadm draghi,orff=(geodnssync) NOPASSWD: /usr/bin/make -C /srv/dns.debian.org/geo
+%adm draghi=(puppet) NOPASSWD: /usr/bin/make -s -C /srv/db.debian.org/var/gitnagios/dsa-nagios/config install
+# remote power to babylon5 in the same rack:
+joerg unger=(ALL) /usr/bin/sispmctl -t [12], /usr/bin/sispmctl -g [12]
+# wbadm can update all buildd* users' keys on buildd.d.o
+%wbadm grieg=(root) /usr/local/bin/update-buildd-sshkeys
+wbadm grieg=(postgres) NOPASSWD: /usr/bin/pg_dumpall --cluster 8.4/wanna-build
+# mirror push
+dak FTPHOSTS,SECHOSTS=(archvsync) NOPASSWD:/home/archvsync/runmirrors
+planet senfl=(archvsync) NOPASSWD: /home/archvsync/bin/runplanet ""
+# archvsync triggers snapshot
+archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger
+archvsync sibelius,stabile=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger
+# allow the debbugs-mirror user on rietz to release the afs volume so changes make it to the read-only replicas
+debbugs-mirror rietz=(root) NOPASSWD: /usr/bin/vos release -id srv.mirrors.bugs -localauth
+# dak stuff
+%debian-release FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
+%ftpteam FTPHOSTS=(dak) /usr/local/bin/dak transitions --import *
+# security
+%security SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
+%sec_public SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR]
+%sec_public SECHOSTS=(dak) NOPASSWD: /home/dak/trigger_mirror
+dak SECHOSTS=(archvsync) NOPASSWD: /home/archvsync/signal_security
+# web stuff
+debwww WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors
+%press WEBHOSTS=(debwww) /org/www.debian.org/update-part News
+# more list stuff
+%list liszt=(root) /usr/sbin/postfix reload
+%list liszt=(root) /usr/sbin/qshape, /usr/sbin/postsuper
+%list liszt=(root) /etc/init.d/spamassassin, /etc/init.d/amavis
+%list liszt=(amavis) NOPASSWD: /usr/bin/sa-learn
+%list liszt=(amavis) ALL
+# geodns may reload bind
+geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload
+geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig
+# fossology
+%fossy vivaldi=(root) /etc/init.d/fossology
+%fossy vivaldi=(fossy) ALL
+
+# Porter work
+%porter-armel abel,agricola=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-armel harris=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-amd64 pergolesi=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-hppa paer=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-ia64 merulo=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-mips gabrielli=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-s390 zelenka=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
+%porter-sparc smetana,sperger=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot
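Review bot: This copy has no `Defaults secure_path=...` line, whereas the sibling sudoers above sets `Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"`; without it sudo resolves commands with whatever PATH the binary was built to use, which matters most for the unrestricted entries such as `%adm ALL=(ALL) ALL`. If this is the codename-specific file selected by `sudoers.${::lsbdistcodename}` and that release's sudo understands the option, add the same line here. The two files are otherwise near-identical — roughly 180 lines differing only in a few `Host_Alias` members, the `%list` host spec and the porter entries — so generating both from one template with per-release variables would stop them drifting apart in future edits.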
class sudo {
- package { sudo: ensure => installed }
- file {
- "/etc/pam.d/sudo":
- source => [ "puppet:///modules/sudo/per-host/$fqdn/pam",
- "puppet:///modules/sudo/common/pam" ],
- require => Package["sudo"],
- ;
- }
+ package { 'sudo':
+ ensure => installed
+ }
- case $lsbdistcodename {
- 'lenny': {
- file {
- "/etc/sudoers":
- owner => root,
- group => root,
- mode => 440,
- source => [ "puppet:///modules/sudo/lenny/sudoers" ],
- require => Package["sudo"],
- ;
- }
- }
- default: {
- file {
- "/etc/sudoers":
- owner => root,
- group => root,
- mode => 440,
- source => [ "puppet:///modules/sudo/common/sudoers" ],
- require => Package["sudo"],
- ;
- }
- }
- }
+ file { '/etc/pam.d/sudo':
+ source => 'puppet:///modules/sudo/common/pam',
+ require => Package['sudo'],
+ }
+
+ file { '/etc/sudoers':
+ mode => '0440',
+ source => [ "puppet:///modules/sudo/sudoers.${::lsbdistcodename}",
+ 'puppet:///modules/sudo/sudoers' ],
+ require => Package['sudo'],
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
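Review bot: `file { '/etc/sudoers': ... }` installs whichever source wins with no syntax check, and a sudoers that fails to parse locks every admin out of sudo on that host in one run; guard it with `validate_cmd => '/usr/sbin/visudo -c -f %',` if this Puppet version has the parameter (3.5 and later), otherwise stage the file and run `visudo -c -f` in an `exec` before copying it into place. The rewrite also drops the `puppet:///modules/sudo/per-host/$fqdn/pam` source entry, so any host that carried a per-host pam override now receives the common file — confirm no such override exists in the module. Both resources now rely on the top-level `File` defaults for owner and group, which is fine; the explicit `mode => '0440'` on sudoers is the right exception to the `0444` default.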
class syslog-ng {
- package {
- "syslog-ng": ensure => installed;
- }
+ package { 'syslog-ng':
+ ensure => installed
+ }
- file {
- "/etc/syslog-ng/syslog-ng.conf":
- content => template("syslog-ng/syslog-ng.conf.erb"),
- require => Package["syslog-ng"],
- notify => Exec["syslog-ng reload"],
- ;
- "/etc/default/syslog-ng":
- require => Package["syslog-ng"],
- source => "puppet:///modules/syslog-ng/syslog-ng.default",
- notify => Exec["syslog-ng reload"],
- ;
- "/etc/logrotate.d/syslog-ng":
- require => Package["syslog-ng"],
- source => "puppet:///modules/syslog-ng/syslog-ng.logrotate",
- ;
- }
- exec {
- "syslog-ng reload":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true;
- }
+ service { 'syslog-ng':
+ ensure => running
+ }
+
+ file { '/etc/syslog-ng/syslog-ng.conf':
+ content => template('syslog-ng/syslog-ng.conf.erb'),
+ require => Package['syslog-ng'],
+ notify => Service['syslog-ng']
+ }
+ file { '/etc/default/syslog-ng':
+ source => 'puppet:///modules/syslog-ng/syslog-ng.default',
+ require => Package['syslog-ng'],
+ notify => Service['syslog-ng']
+ }
+ file { '/etc/logrotate.d/syslog-ng':
+ source => 'puppet:///modules/syslog-ng/syslog-ng.logrotate',
+ require => Package['syslog-ng']
+ }
}
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
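Review bot: `notify => Service['syslog-ng']` on the two file resources replaces the old `exec { 'syslog-ng reload': ... }`, and a notified Service with no `restart` command is by default stopped and started, so every config change now drops syslog-ng briefly instead of reloading it — a gap in log collection the old exec avoided. Keep the reload semantics with `restart => '/etc/init.d/syslog-ng reload',` on the service, or `hasrestart => true` if a full restart is acceptable. The service also sets only `ensure => running`; add `enable => true` if Puppet rather than the package's postinst is meant to guarantee it starts at boot.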
class unbound {
- package {
- unbound: ensure => installed;
- }
- exec {
- "unbound restart":
- path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
- refreshonly => true,
- ;
- }
- file {
- "/var/lib/unbound":
- ensure => directory,
- owner => unbound,
- group => unbound,
- require => Package["unbound"],
- mode => 775,
- ;
- "/var/lib/unbound/root.key":
- ensure => present,
- replace => false,
- owner => unbound,
- group => unbound,
- mode => 644,
- source => [ "puppet:///modules/unbound/root.key" ],
- ;
- "/var/lib/unbound/debian.org.key":
- ensure => present,
- replace => false,
- owner => unbound,
- group => unbound,
- mode => 644,
- source => [ "puppet:///modules/unbound/debian.org.key" ],
- ;
- "/etc/unbound/unbound.conf":
- content => template("unbound/unbound.conf.erb"),
- require => [ Package["unbound"], File['/var/lib/unbound/root.key'], File['/var/lib/unbound/debian.org.key'] ],
- notify => Exec["unbound restart"],
- owner => root,
- group => root,
- ;
- }
+ package { 'unbound':
+ ensure => installed
+ }
- case getfromhash($nodeinfo, 'misc', 'resolver-recursive') {
- true: {
- case getfromhash($nodeinfo, 'hoster', 'allow_dns_query') {
- false: {}
- default: {
- @ferm::rule { "dsa-dns":
- domain => "ip",
- description => "Allow nameserver access",
- rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv4(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
- }
- @ferm::rule { "dsa-dns6":
- domain => "ip6",
- description => "Allow nameserver access",
- rule => sprintf("&TCP_UDP_SERVICE_RANGE(53, (%s))", join_spc(filter_ipv6(getfromhash($nodeinfo, 'hoster', 'allow_dns_query')))),
- }
- }
- }
- }
- }
-}
+ service { 'unbound':
+ ensure => running,
+ }
+
+ file { '/var/lib/unbound':
+ ensure => directory,
+ owner => unbound,
+ group => unbound,
+ require => Package['unbound'],
+ mode => '0775',
+ }
+ file { '/var/lib/unbound/root.key':
+ ensure => present,
+ replace => false,
+ owner => unbound,
+ group => unbound,
+ mode => '0644',
+ source => 'puppet:///modules/unbound/root.key'
+ }
+ file { '/var/lib/unbound/debian.org.key':
+ ensure => present,
+ replace => false,
+ owner => unbound,
+ group => unbound,
+ mode => '0644',
+ source => 'puppet:///modules/unbound/debian.org.key'
+ }
+ file { '/etc/unbound/unbound.conf':
+ content => template('unbound/unbound.conf.erb'),
+ require => [
+ Package['unbound'],
+ File['/var/lib/unbound/root.key'],
+ File['/var/lib/unbound/debian.org.key']
+ ],
+ notify => Service['unbound']
+ }
-# vim:set et:
-# vim:set sts=4 ts=4:
-# vim:set shiftwidth=4:
+ if getfromhash($site::nodeinfo, 'misc', 'resolver-recursive') {
+ if getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query') {
+ @ferm::rule { 'dsa-dns':
+ domain => 'ip',
+ description => 'Allow nameserver access',
+ rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv4(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ @ferm::rule { 'dsa-dns6':
+ domain => 'ip6',
+ description => 'Allow nameserver access',
+ rule => sprintf('&TCP_UDP_SERVICE_RANGE(53, (%s))', join_spc(filter_ipv6(getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')))),
+ }
+ }
+ }
+}
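Review bot: `mode => '0775'` on `/var/lib/unbound` leaves the directory holding both trust-anchor keys group-writable; the owner already has write access, so `'0755'` is the least privilege that still works unless something else in group unbound writes there — the mode is inherited from the old block, but the rewrite was the chance to tighten it. The `replace => false` on the two `.key` files is the behaviourally important part and deserves a why-comment, e.g. `# seed only: presumably unbound maintains these anchors itself (RFC 5011), so never overwrite a live key — confirm`. Style: `getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')` is evaluated three times in the ferm block; bind it once (`$allow_dns_query = getfromhash($site::nodeinfo, 'hoster', 'allow_dns_query')`) and use it in the `if` and both `sprintf` calls.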
<%=
out = []
- if nodeinfo['misc']['resolver-recursive'] and nodeinfo['hoster']['allow_dns_query']
+ if scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and scope.lookupvar('site::nodeinfo')['hoster']['allow_dns_query']
out << " interface: 0.0.0.0"
out << " interface: ::0"
out << ""
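Review bot: `scope.lookupvar('site::nodeinfo')` is evaluated twice in the single condition on the changed line, and the following hunk (`forwarders = scope.lookupvar('site::nodeinfo')['hoster']['nameservers']`) repeats it twice more; each call is a scope lookup and the repetition makes the conditions hard to read. Bind it once at the top of each block, `nodeinfo = scope.lookupvar('site::nodeinfo')`, and keep the original `nodeinfo[...]` expressions unchanged below. The enclosing `<%= %>` block ends outside the hunk.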
<%=
out = []
- if not nodeinfo['misc']['resolver-recursive'] and not nodeinfo['hoster']['nameservers_break_dnssec']
- forwarders = nodeinfo['hoster']['nameservers']
+ if not scope.lookupvar('site::nodeinfo')['misc']['resolver-recursive'] and not scope.lookupvar('site::nodeinfo')['hoster']['nameservers_break_dnssec']
+ forwarders = scope.lookupvar('site::nodeinfo')['hoster']['nameservers']
forwarders ||= []
out << 'forward-zone:'