puppet 4 foo
authorroot <root@handel.debian.org>
Sat, 18 Mar 2017 18:46:43 +0000 (18:46 +0000)
committerMartin Zobel-Helas <zobel@debian.org>
Sat, 18 Mar 2017 18:53:00 +0000 (19:53 +0100)
Signed-off-by: root <root@handel.debian.org>
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
162 files changed:
manifests/site.pp
modules/acpi/manifests/init.pp
modules/apache2/manifests/init.pp
modules/apache2/manifests/site.pp
modules/apache2/templates/default-index.html
modules/apache2/templates/disabled-index.html
modules/apache2/templates/puppet-config.erb
modules/bacula/manifests/client.pp
modules/bacula/manifests/storage-per-node.pp [deleted file]
modules/bacula/manifests/storage_per_node.pp [new file with mode: 0644]
modules/bacula/templates/bacula-fd.conf.erb
modules/bacula/templates/bacula-idle-restart.erb
modules/debian-org/files/apt.conf.d/local-compression [deleted file]
modules/debian-org/files/apt.conf.d/local-langs [deleted file]
modules/debian-org/files/apt.conf.d/local-pdiffs [deleted file]
modules/debian-org/files/apt.conf.d/local-recommends [deleted file]
modules/debian-org/files/apt.preferences [deleted file]
modules/debian-org/files/basic-ssh_known_hosts [deleted file]
modules/debian-org/files/check_for_updates [deleted file]
modules/debian-org/files/db.debian.org.gpg [deleted file]
modules/debian-org/files/dsa-puppet-stuff.cron.ignore [deleted file]
modules/debian-org/files/etc.profile.d/timeout.sh [deleted file]
modules/debian-org/files/etc.zsh/zprofile [deleted file]
modules/debian-org/files/molly-guard/10-check-kvm [deleted file]
modules/debian-org/files/molly-guard/15-acquire-reboot-lock [deleted file]
modules/debian-org/files/nsswitch.conf [deleted file]
modules/debian-org/files/puppet.default [deleted file]
modules/debian-org/files/root-dotfiles/bashrc [deleted file]
modules/debian-org/files/root-dotfiles/profile [deleted file]
modules/debian-org/files/root-dotfiles/screenrc [deleted file]
modules/debian-org/files/root-dotfiles/selected_editor [deleted file]
modules/debian-org/files/root-dotfiles/tmux.conf [deleted file]
modules/debian-org/files/root-dotfiles/vimrc [deleted file]
modules/debian-org/files/timezone [deleted file]
modules/debian-org/files/ud-replicated.service [deleted file]
modules/debian-org/lib/facter/architecture.rb [deleted file]
modules/debian-org/lib/facter/cluster.rb [deleted file]
modules/debian-org/lib/facter/debsso.rb [deleted file]
modules/debian-org/lib/facter/hosts.rb [deleted file]
modules/debian-org/lib/facter/ipaddresses.rb [deleted file]
modules/debian-org/lib/facter/lsb-for-bsd.rb [deleted file]
modules/debian-org/lib/facter/mounts.rb [deleted file]
modules/debian-org/lib/facter/mta.rb [deleted file]
modules/debian-org/lib/facter/onion-services.rb [deleted file]
modules/debian-org/lib/facter/os-for-bsd.rb [deleted file]
modules/debian-org/lib/facter/paths.rb [deleted file]
modules/debian-org/lib/facter/raidarray.rb [deleted file]
modules/debian-org/lib/facter/roleaccounts.rb [deleted file]
modules/debian-org/lib/facter/servertype.rb [deleted file]
modules/debian-org/lib/facter/software.rb [deleted file]
modules/debian-org/lib/facter/system-hw.rb [deleted file]
modules/debian-org/manifests/apt.pp [deleted file]
modules/debian-org/manifests/init.pp [deleted file]
modules/debian-org/manifests/radvd.pp [deleted file]
modules/debian-org/misc/hoster.yaml [deleted file]
modules/debian-org/misc/local.yaml [deleted file]
modules/debian-org/templates/debian_facts.yaml.erb [deleted file]
modules/debian-org/templates/dsa-puppet-stuff.cron.erb [deleted file]
modules/debian-org/templates/ldap.conf.erb [deleted file]
modules/debian-org/templates/pam.common-session-noninteractive.erb [deleted file]
modules/debian-org/templates/pam.common-session.erb [deleted file]
modules/debian-org/templates/puppet.conf.erb [deleted file]
modules/debian-org/templates/rc.local.erb [deleted file]
modules/debian_org/files/apt.conf.d/local-compression [new file with mode: 0644]
modules/debian_org/files/apt.conf.d/local-langs [new file with mode: 0644]
modules/debian_org/files/apt.conf.d/local-pdiffs [new file with mode: 0644]
modules/debian_org/files/apt.conf.d/local-recommends [new file with mode: 0644]
modules/debian_org/files/apt.preferences [new file with mode: 0644]
modules/debian_org/files/basic-ssh_known_hosts [new file with mode: 0644]
modules/debian_org/files/check_for_updates [new file with mode: 0755]
modules/debian_org/files/db.debian.org.gpg [new file with mode: 0644]
modules/debian_org/files/dsa-puppet-stuff.cron.ignore [new file with mode: 0644]
modules/debian_org/files/etc.profile.d/timeout.sh [new file with mode: 0755]
modules/debian_org/files/etc.zsh/zprofile [new file with mode: 0644]
modules/debian_org/files/molly-guard/10-check-kvm [new file with mode: 0644]
modules/debian_org/files/molly-guard/15-acquire-reboot-lock [new file with mode: 0644]
modules/debian_org/files/nsswitch.conf [new file with mode: 0644]
modules/debian_org/files/puppet.default [new file with mode: 0644]
modules/debian_org/files/root-dotfiles/bashrc [new file with mode: 0644]
modules/debian_org/files/root-dotfiles/profile [new file with mode: 0644]
modules/debian_org/files/root-dotfiles/screenrc [new file with mode: 0644]
modules/debian_org/files/root-dotfiles/selected_editor [new file with mode: 0644]
modules/debian_org/files/root-dotfiles/tmux.conf [new file with mode: 0644]
modules/debian_org/files/root-dotfiles/vimrc [new file with mode: 0644]
modules/debian_org/files/timezone [new file with mode: 0644]
modules/debian_org/files/ud-replicated.service [new file with mode: 0644]
modules/debian_org/lib/facter/architecture.rb [new file with mode: 0644]
modules/debian_org/lib/facter/cluster.rb [new file with mode: 0644]
modules/debian_org/lib/facter/debsso.rb [new file with mode: 0644]
modules/debian_org/lib/facter/hosts.rb [new file with mode: 0644]
modules/debian_org/lib/facter/ipaddresses.rb [new file with mode: 0644]
modules/debian_org/lib/facter/lsb-for-bsd.rb [new file with mode: 0644]
modules/debian_org/lib/facter/mounts.rb [new file with mode: 0644]
modules/debian_org/lib/facter/mta.rb [new file with mode: 0644]
modules/debian_org/lib/facter/onion-services.rb [new file with mode: 0644]
modules/debian_org/lib/facter/os-for-bsd.rb [new file with mode: 0644]
modules/debian_org/lib/facter/paths.rb [new file with mode: 0644]
modules/debian_org/lib/facter/raidarray.rb [new file with mode: 0644]
modules/debian_org/lib/facter/roleaccounts.rb [new file with mode: 0644]
modules/debian_org/lib/facter/servertype.rb [new file with mode: 0644]
modules/debian_org/lib/facter/software.rb [new file with mode: 0644]
modules/debian_org/lib/facter/system-hw.rb [new file with mode: 0644]
modules/debian_org/manifests/apt.pp [new file with mode: 0644]
modules/debian_org/manifests/init.pp [new file with mode: 0644]
modules/debian_org/manifests/radvd.pp [new file with mode: 0644]
modules/debian_org/misc/hoster.yaml [new file with mode: 0644]
modules/debian_org/misc/local.yaml [new file with mode: 0644]
modules/debian_org/templates/debian_facts.yaml.erb [new file with mode: 0644]
modules/debian_org/templates/dsa-puppet-stuff.cron.erb [new file with mode: 0644]
modules/debian_org/templates/ldap.conf.erb [new file with mode: 0644]
modules/debian_org/templates/pam.common-session-noninteractive.erb [new file with mode: 0644]
modules/debian_org/templates/pam.common-session.erb [new file with mode: 0644]
modules/debian_org/templates/puppet.conf.erb [new file with mode: 0644]
modules/debian_org/templates/rc.local.erb [new file with mode: 0755]
modules/exim/manifests/init.pp
modules/exim/templates/eximconf.erb
modules/exim/templates/mailname.erb
modules/ferm/manifests/init.pp
modules/ferm/manifests/per-host.pp [deleted file]
modules/ferm/manifests/per_host.pp [new file with mode: 0644]
modules/ferm/manifests/rule.pp
modules/ferm/templates/ferm-rule.erb [deleted file]
modules/ferm/templates/ferm_rule.erb [new file with mode: 0644]
modules/ferm/templates/me.conf.erb
modules/hosts/templates/etc-hosts.erb
modules/linux/manifests/init.pp
modules/monit/manifests/init.pp
modules/motd/templates/motd.erb
modules/munin/manifests/master-per-node.pp [deleted file]
modules/munin/manifests/master_per_node.pp [new file with mode: 0644]
modules/munin/munin.conf_per_node.erb [new file with mode: 0644]
modules/munin/templates/munin-node.plugin.conf.erb
modules/munin/templates/munin.conf-per-node.erb [deleted file]
modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb
modules/popcon/templates/popularity-contest.conf.erb
modules/portforwarder/templates/authorized_keys.erb
modules/portforwarder/templates/xinetd.erb
modules/puppetmaster/lib/puppet/parser/functions/entropy_provider.rb
modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb
modules/resolv/templates/resolv.conf.erb
modules/rng-tools/manifests/init.pp [deleted file]
modules/rng_tools/manifests/init.pp [new file with mode: 0644]
modules/samhain/templates/samhainrc.erb
modules/site/manifests/init.pp
modules/site/manifests/sysctl.pp
modules/ssh/manifests/init.pp
modules/ssh/templates/authorized_keys.erb
modules/ssh/templates/ssh_config.erb
modules/ssh/templates/sshd_config.erb
modules/stunnel4/templates/stunnel.conf.erb
modules/syslog-ng/files/syslog-ng.default [deleted file]
modules/syslog-ng/files/syslog-ng.logrotate [deleted file]
modules/syslog-ng/files/syslog-ng.logrotate.loggers [deleted file]
modules/syslog-ng/files/syslog-ng.service [deleted file]
modules/syslog-ng/manifests/init.pp [deleted file]
modules/syslog-ng/templates/syslog-ng.conf.erb [deleted file]
modules/syslog_ng/files/syslog-ng.default [new file with mode: 0644]
modules/syslog_ng/files/syslog-ng.logrotate [new file with mode: 0644]
modules/syslog_ng/files/syslog-ng.logrotate.loggers [new file with mode: 0644]
modules/syslog_ng/files/syslog-ng.service [new file with mode: 0644]
modules/syslog_ng/manifests/init.pp [new file with mode: 0644]
modules/syslog_ng/templates/syslog-ng.conf.erb [new file with mode: 0644]

index 178fc2d..28a443c 100644 (file)
@@ -21,10 +21,10 @@ Service {
 node default {
        include site
        include munin
-       include syslog-ng
+       include syslog_ng
        include sudo
        include ssh
-       include debian-org
+       include debian_org
        include monit
        include time
        include ssl
@@ -69,7 +69,7 @@ node default {
                include bacula::storage
        }
 
-       if $::kernel == Linux {
+       if $::kernel == 'Linux' {
                include linux
                include acpi
        } elsif $::kernel == 'GNU/kFreeBSD' {
@@ -113,7 +113,7 @@ node default {
        }
 
        if $::hostname in [geo3,wieck] {
-               include debian-org::radvd
+               include debian_org::radvd
        }
 
        if ($::postgres) {
index feadbe3..f2c621b 100644 (file)
@@ -1,6 +1,6 @@
 class acpi {
        if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
-               if ($::lsbmajdistrelease >= 8) {
+               if ($::lsbmajdistrelease >= '8') {
                        package { 'acpid':
                                ensure => purged
                        }
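Review bot: Quoting the release number in `if ($::lsbmajdistrelease >= '8')` turns this into a string-to-string comparison, which Puppet 4 appears to evaluate lexically rather than numerically, so a two-digit release such as '10' sorts below '8' and the branch is silently skipped. The same pattern is introduced in the apache2 (`> '7'`), apache2::site (`<= '7'`) and bacula::client (`>= '9'`) hunks, where it would drop the mpm_worker.conf file, choose the symlink name without `.conf`, and skip the bacula-fd.service.d directory. A version-aware form such as `if versioncmp($::lsbmajdistrelease, '8') >= 0 {` keeps working past release 9. The acpi class body continues outside the hunk.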
index 2e75927..19400ad 100644 (file)
@@ -105,7 +105,7 @@ class apache2 {
                apache2::module { 'mpm_prefork': ensure => absent }
                apache2::module { 'mpm_worker': }
        }
-       if $::lsbmajdistrelease > 7 {
+       if $::lsbmajdistrelease > '7' {
                file { '/etc/apache2/mods-available/mpm_worker.conf':
                        content => template('apache2/mpm_worker.erb'),
                }
index 2a7257b..ff1ee20 100644 (file)
@@ -46,7 +46,7 @@ define apache2::site (
                }
        }
 
-       if $::lsbmajdistrelease <= 7 {
+       if $::lsbmajdistrelease <= '7' {
                $symlink = "/etc/apache2/sites-enabled/${name}"
        } else {
                $symlink = "/etc/apache2/sites-enabled/${name}.conf"
index ffb58f7..c8c9c40 100644 (file)
@@ -1,16 +1,16 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
 <HTML>
 <HEAD>
-   <TITLE>Welcome to <%= hostname %>!</TITLE>
+   <TITLE>Welcome to <%= @hostname %>!</TITLE>
 </HEAD>
 <BODY>
 
-<H1>Welcome to <%= hostname %>!</H1>
+<H1>Welcome to <%= @hostname %>!</H1>
 
-This is <%= hostname %>, a system run by and for the <a href="https://www.debian.org/">Debian Project</a>.
+This is <%= @hostname %>, a system run by and for the <a href="https://www.debian.org/">Debian Project</a>.
 She does stuff.
 What kind of stuff and who our kind sponsors are you might learn on
-<a href="https://db.debian.org/machines.cgi?host=<%= hostname %>">db.debian.org</a>.
+<a href="https://db.debian.org/machines.cgi?host=<%= @hostname %>">db.debian.org</a>.
 
 <P>
 <HR NOSHADE />
index b9a3c72..104efd4 100644 (file)
@@ -1,18 +1,18 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
 <HTML>
 <HEAD>
-   <TITLE>Welcome to <%= hostname %>!</TITLE>
+   <TITLE>Welcome to <%= @hostname %>!</TITLE>
 </HEAD>
 <BODY>
 
-<H1>Welcome to <%= hostname %>!</H1>
+<H1>Welcome to <%= @hostname %>!</H1>
 
-This is <%= hostname %>, a system run by and for the <a href="https://www.debian.org/">Debian Project</a>.
+This is <%= @hostname %>, a system run by and for the <a href="https://www.debian.org/">Debian Project</a>.
 <P>
 The service you have requested is currently disabled.
 <P>
 The reason for that and who our kind sponsors are you might learn on
-<a href="https://db.debian.org/machines.cgi?host=<%= hostname %>">db.debian.org</a>.
+<a href="https://db.debian.org/machines.cgi?host=<%= @hostname %>">db.debian.org</a>.
 
 <P>
 <HR NOSHADE />
index 966ff3f..3a7134d 100644 (file)
@@ -10,7 +10,7 @@
     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!SEED:!DSS
   <% end -%>
 
-  <%- if has_variable?("apache2deb9") && apache2deb9 == "true" -%>
+  <%- if has_variable?("apache2deb9") && @apache2deb9 == "true" -%>
     SSLUseStapling On
 
     # the default size is 32k, but we make it 1M.
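Review bot: The guard `has_variable?("apache2deb9") && @apache2deb9 == "true"` still compares against the string "true", so if the apache2deb9 fact reaches the template as a real boolean (Puppet 4 passes facts with their native types by default) the condition is false and `SSLUseStapling On` is silently left out of the TLS configuration. The fact's definition is not visible here, so its return type needs checking. A form that tolerates both, `<%- if @apache2deb9.to_s == "true" -%>`, also makes the `has_variable?` test redundant, because an unset `@apache2deb9` is nil. The conditional block continues past the end of the hunk.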
index 230b29f..05234fc 100644 (file)
@@ -1,5 +1,5 @@
 class bacula::client inherits bacula {
-       @@bacula::storage-per-node { $::fqdn: }
+       @@bacula::storage_per_node { $::fqdn: }
 
        if ! getfromhash($site::nodeinfo, 'not-bacula-client') {
                @@bacula::node { $::fqdn:
@@ -50,7 +50,7 @@ class bacula::client inherits bacula {
                require => Package['bacula-fd'],
                notify  => Service['bacula-fd'],
        }
-       if ($::lsbmajdistrelease >= 9 and $systemd) {
+       if ($::lsbmajdistrelease >= '9' and $systemd) {
                file { '/etc/systemd/system/bacula-fd.service.d':
                        ensure  => directory,
                        mode    => '0755',
diff --git a/modules/bacula/manifests/storage-per-node.pp b/modules/bacula/manifests/storage-per-node.pp
deleted file mode 100644 (file)
index 501921d..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
-define bacula::storage-per-node() {
-
-       include bacula
-
-       $bacula_filestor_device = $bacula::bacula_filestor_device
-       $bacula_filestor_name   = $bacula::bacula_filestor_name
-       $bacula_backup_path     = $bacula::bacula_backup_path
-
-       $bacula_client_name   = "${name}-fd"
-       $client               = $name
-
-       file {
-               "/etc/bacula/storage-conf.d/${name}.conf":
-                       content => template('bacula/storage-per-client.conf.erb'),
-                       mode    => '0440',
-                       group   => bacula,
-                       notify  => Exec['bacula-sd restart-when-idle'],
-                       ;
-               "${bacula_backup_path}/${name}":
-                       ensure  => directory,
-                       mode    => '0755',
-                       owner   => bacula,
-                       group   => bacula,
-                       ;
-       }
-}
-
diff --git a/modules/bacula/manifests/storage_per_node.pp b/modules/bacula/manifests/storage_per_node.pp
new file mode 100644 (file)
index 0000000..0a00945
--- /dev/null
@@ -0,0 +1,27 @@
+define bacula::storage_per_node() {
+
+       include bacula
+
+       $bacula_filestor_device = $bacula::bacula_filestor_device
+       $bacula_filestor_name   = $bacula::bacula_filestor_name
+       $bacula_backup_path     = $bacula::bacula_backup_path
+
+       $bacula_client_name   = "${name}-fd"
+       $client               = $name
+
+       file {
+               "/etc/bacula/storage-conf.d/${name}.conf":
+                       content => template('bacula/storage-per-client.conf.erb'),
+                       mode    => '0440',
+                       group   => bacula,
+                       notify  => Exec['bacula-sd restart-when-idle'],
+                       ;
+               "${bacula_backup_path}/${name}":
+                       ensure  => directory,
+                       mode    => '0755',
+                       owner   => bacula,
+                       group   => bacula,
+                       ;
+       }
+}
+
index 3597a0c..116d3c5 100644 (file)
@@ -6,35 +6,35 @@
 
 # List Directors who are permitted to contact this File daemon
 Director {
-  Name = <%= bacula_director_name %>
-  Password = "<%= bacula_client_secret %>"
+  Name = <%= @bacula_director_name %>
+  Password = "<%= @bacula_client_secret %>"
 
   TLS Enable = yes
   TLS Require = yes
   TLS Verify Peer = yes
-  TLS Allowed CN = "clientcerts/<%= bacula_director_address %>"
-  TLS CA Certificate File = "<%= bacula_ca_path %>"
+  TLS Allowed CN = "clientcerts/<%= @bacula_director_address %>"
+  TLS CA Certificate File = "<%= @bacula_ca_path %>"
   # This is a server certificate, used for incoming director connections.
-  TLS Certificate = "<%= bacula_ssl_server_cert %>"
-  TLS Key = "<%= bacula_ssl_server_key %>"
+  TLS Certificate = "<%= @bacula_ssl_server_cert %>"
+  TLS Key = "<%= @bacula_ssl_server_key %>"
 }
 
 # "Global" File daemon configuration specifications
 FileDaemon {
-  Name = <%= bacula_client_name %>
-  FDport = <%= bacula_client_port %>
+  Name = <%= @bacula_client_name %>
+  FDport = <%= @bacula_client_port %>
   WorkingDirectory = /var/lib/bacula
   Pid Directory = /var/run/bacula
   Maximum Concurrent Jobs = 20
-  FDAddress = <%= fqdn %>
+  FDAddress = <%= @fqdn %>
   #Maximum Network Buffer Size = 524288
 
   TLS Enable = yes
   TLS Require = yes
-  TLS CA Certificate File = "<%= bacula_ca_path %>"
+  TLS CA Certificate File = "<%= @bacula_ca_path %>"
   # This is a client certificate, used by the client to connect to the storage daemon
-  TLS Certificate = "<%= bacula_ssl_client_cert %>"
-  TLS Key = "<%= bacula_ssl_client_key %>"
+  TLS Certificate = "<%= @bacula_ssl_client_cert %>"
+  TLS Key = "<%= @bacula_ssl_client_key %>"
 
 <%- if scope.lookupvar('site::nodeinfo')['hoster']['name'] == "brown" -%>
   # broken firewall
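Review bot: With the `@` form an unset variable evaluates to nil and renders as an empty string, so a missing `@bacula_client_secret` would produce `Password = ""` in the Director block rather than a template error, as the bare-name lookup gave under Puppet 3 as far as I can tell. The same holds for `TLS Allowed CN` and the certificate and key paths. For the values that gate authentication it is worth failing the catalog explicitly, e.g. `<% raise Puppet::ParseError, "bacula_client_secret is not set" if @bacula_client_secret.to_s.empty? -%>` near the top of the template. The `director = <%= @bacula_director_name %>` line in the following Messages hunk has the same nil behaviour.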
@@ -45,5 +45,5 @@ FileDaemon {
 # Send all messages except skipped files back to Director
 Messages {
   Name = Standard
-  director = <%=bacula_director_name%> = all, !skipped, !restored
+  director = <%= @bacula_director_name %> = all, !skipped, !restored
 }
index a19101d..a99ff80 100644 (file)
 set -e
 
 if [ "$1" = "fd" ];then
-    PORT=<%= bacula_client_port %>
+    PORT=<%= @bacula_client_port %>
     DIR="bacula-fd"
 elif [ "$1" = "sd" ]; then
-    PORT=<%= bacula_storage_port %>
+    PORT=<%= @bacula_storage_port %>
     DIR="bacula-sd"
 else
     # Usage
diff --git a/modules/debian-org/files/apt.conf.d/local-compression b/modules/debian-org/files/apt.conf.d/local-compression
deleted file mode 100644 (file)
index 818a6e2..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-Acquire {
-  CompressionTypes
-  {
-    bz2 "bzip2";
-    lzma "lzma";
-    gz "gzip";
-
-    Order { "gz"; "lzma"; "bz2"; };
-  };
-};
diff --git a/modules/debian-org/files/apt.conf.d/local-langs b/modules/debian-org/files/apt.conf.d/local-langs
deleted file mode 100644 (file)
index 3e9ff30..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Acquire::Languages { "en"; "none"; };
diff --git a/modules/debian-org/files/apt.conf.d/local-pdiffs b/modules/debian-org/files/apt.conf.d/local-pdiffs
deleted file mode 100644 (file)
index 155daf9..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-Acquire::PDiffs "false";
diff --git a/modules/debian-org/files/apt.conf.d/local-recommends b/modules/debian-org/files/apt.conf.d/local-recommends
deleted file mode 100644 (file)
index aa0261c..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-APT::Install-Recommends 0;
diff --git a/modules/debian-org/files/apt.preferences b/modules/debian-org/files/apt.preferences
deleted file mode 100644 (file)
index 65d1172..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-Explanation:
-Explanation: THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-Explanation: USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-Explanation:
-Package: *
-Pin: release o=Debian Backports
-Pin-Priority: 200
-
-Package: sbuild
-Pin: release o=buildd.debian.org
-Pin-Priority: 500
-
-Package: buildd
-Pin: release o=buildd.debian.org
-Pin-Priority: 500
-
-Package: libsbuild-perl
-Pin: release o=buildd.debian.org
-Pin-Priority: 500
-
-Package: *
-Pin: release o=buildd.debian.org
-Pin-Priority: -1
diff --git a/modules/debian-org/files/basic-ssh_known_hosts b/modules/debian-org/files/basic-ssh_known_hosts
deleted file mode 100644 (file)
index 5f1d407..0000000
+++ /dev/null
@@ -1 +0,0 @@
-draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106,2001:41b8:202:deb:1a1a:0:52c3:4b6a ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi
diff --git a/modules/debian-org/files/check_for_updates b/modules/debian-org/files/check_for_updates
deleted file mode 100755 (executable)
index 7894da4..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-parse_dates () {
-       while read url file junk; do
-               url=$(echo $url | sed -e "s/'//g")
-               url_time=$(date -d "$(curl -sqI ${url} | grep Last-Modified: | sed -e 's/Last-Modified: //')" +%s)
-               if [ ! -f "/var/lib/apt/lists/${file}" ]; then
-                       return 0
-               fi
-               file_time=$(stat -c %Y /var/lib/apt/lists/${file})
-               if [ $url_time -gt $file_time ]; then
-                       return 0
-               fi
-       done
-       return 1
-}
-
-su nobody -c 'apt-get update -s --print-uris' | grep 'Release ' | parse_dates
-exit $?
diff --git a/modules/debian-org/files/db.debian.org.gpg b/modules/debian-org/files/db.debian.org.gpg
deleted file mode 100644 (file)
index 229cb63..0000000
Binary files a/modules/debian-org/files/db.debian.org.gpg and /dev/null differ
diff --git a/modules/debian-org/files/dsa-puppet-stuff.cron.ignore b/modules/debian-org/files/dsa-puppet-stuff.cron.ignore
deleted file mode 100644 (file)
index e348b0a..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-# this is a list of patterns, one per line, of things that puppet's
-# cron output shouldn't mail to us.
-
-^v6: error fetching interface information: Device not found$
-^pcilib: Cannot open /proc/bus/pci$
-^lspci: Cannot find any working access method\.$
-^can't open /proc/dma at /usr/bin/lsdev line 32\.$
-^/usr/lib/ruby/1.9.1/rubygems/custom_require\.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead\.$
-^/usr/lib/ruby/vendor_ruby/puppet/provider/service/freebsd\.rb:[8910]*: warning: class variable access from toplevel$
-^/usr/lib/ruby/vendor_ruby/puppet/provider/service/bsd\.rb:12: warning: class variable access from toplevel$
-^/usr/lib/ruby/vendor_ruby/puppet/type/tidy\.rb:1[0-9][0-9]: warning: class variable access from toplevel$
diff --git a/modules/debian-org/files/etc.profile.d/timeout.sh b/modules/debian-org/files/etc.profile.d/timeout.sh
deleted file mode 100755 (executable)
index 617579e..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-TMOUT=129600 # a day and a half (36 hrs)
-export TMOUT
diff --git a/modules/debian-org/files/etc.zsh/zprofile b/modules/debian-org/files/etc.zsh/zprofile
deleted file mode 100644 (file)
index 8ea4df3..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-# USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-#
-
-# /etc/zsh/zprofile: system-wide .zprofile file for zsh(1).
-#
-# This file is sourced only for login shells (i.e. shells
-# invoked with "-" as the first character of argv[0], and
-# shells invoked with the -l flag.)
-#
-# Global Order: zshenv, zprofile, zshrc, zlogin
-
-if [ -e /etc/profile.d/timeout.sh ]; then
-  .  /etc/profile.d/timeout.sh
-fi
diff --git a/modules/debian-org/files/molly-guard/10-check-kvm b/modules/debian-org/files/molly-guard/10-check-kvm
deleted file mode 100644 (file)
index e9ed39c..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-KVMCOUNT=`pgrep -cx '^(qemu-)?kvm$'`
-if [ $KVMCOUNT != 0 ]; then
-       echo "Found $KVMCOUNT qemu-kvm instances running, aborting $MOLLYGUARD_CMD!"
-       exit 1
-fi
diff --git a/modules/debian-org/files/molly-guard/15-acquire-reboot-lock b/modules/debian-org/files/molly-guard/15-acquire-reboot-lock
deleted file mode 100644 (file)
index ebbac93..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-# Copyright 2012 Peter Palfrader
-
-l=/var/run/reboot-lock
-exec 3> $l
-
-if ! flock --exclusive -w 0  3; then
-       echo >&2 "Cannot acquire reboot lock."
-       exit 1
-fi
-echo "Reboot lock acquired."
-
-ppid="$PPID"
-(
-       while kill -0 "$ppid" 2>/dev/null; do
-               sleep 1
-       done
-) &
-disown
-exit 0
diff --git a/modules/debian-org/files/nsswitch.conf b/modules/debian-org/files/nsswitch.conf
deleted file mode 100644 (file)
index e6a644e..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-# /etc/nsswitch.conf
-#
-# Example configuration of GNU Name Service Switch functionality.
-# If you have the `glibc-doc-reference' and `info' packages installed, try:
-# `info libc "Name Service Switch"' for information about this file.
-
-passwd:         compat db
-group:          db compat
-shadow:         compat db
-
-hosts:          files dns
-networks:       files
-
-protocols:      db files
-services:       db files
-ethers:         db files
-rpc:            db files
-
-netgroup:       nis
diff --git a/modules/debian-org/files/puppet.default b/modules/debian-org/files/puppet.default
deleted file mode 100644 (file)
index dc0743f..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# Defaults for puppet - sourced by /etc/init.d/puppet
-
-# Start puppet on boot?
-START=no
-exit 0
-
-# Startup options
-DAEMON_OPTS="-w 5 --factsync"
diff --git a/modules/debian-org/files/root-dotfiles/bashrc b/modules/debian-org/files/root-dotfiles/bashrc
deleted file mode 100644 (file)
index 048d944..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# ~/.bashrc: executed by bash(1) for non-login shells.
-
-## THIS FILE IS UNDER PUPPET CONTROL.
-## LOCAL CHANGES WILL BE OVERWRITTEN.
-
-if [ "$PS1" ]; then
-  typeset HISTCONTROL=ignoreboth
-  typeset HISTSIZE=50000
-
-  export LS_OPTIONS='--color=auto'
-  eval "`dircolors`"
-  alias ls='ls $LS_OPTIONS'
-  alias ll='ls $LS_OPTIONS -l'
-  alias l='ls $LS_OPTIONS -lA'
-
-  if [ -f /usr/share/bash-completion/bash_completion ]; then
-    . /usr/share/bash-completion/bash_completion
-  fi
-
-  PATH="$PATH:/usr/lib/nagios/plugins"
-fi
-
-# vim: set ft=sh ts=2 sw=2 et ai si:
diff --git a/modules/debian-org/files/root-dotfiles/profile b/modules/debian-org/files/root-dotfiles/profile
deleted file mode 100644 (file)
index e4bb8db..0000000
+++ /dev/null
@@ -1,17 +0,0 @@
-# ~/.profile: executed by Bourne-compatible login shells.
-
-## THIS FILE IS UNDER PUPPET CONTROL.
-## LOCAL CHANGES WILL BE OVERWRITTEN.
-
-if [ "$BASH" ]; then
-  if [ -f ~/.bashrc ]; then
-    . ~/.bashrc
-  fi
-  if [ "$PS1" ]; then
-    PS1='${debian_chroot:+[$debian_chroot] }\h:\w\$ '
-  fi
-fi
-
-mesg n
-
-# vim: set ft=sh ts=2 sw=2 et ai si:
diff --git a/modules/debian-org/files/root-dotfiles/screenrc b/modules/debian-org/files/root-dotfiles/screenrc
deleted file mode 100644 (file)
index d59cfb9..0000000
+++ /dev/null
@@ -1,43 +0,0 @@
-
-## THIS FILE IS UNDER PUPPET CONTROL.
-## LOCAL CHANGES WILL BE OVERWRITTEN.
-
-
-startup_message off
-deflogin on
-#vbell off
-defscrollback 10000
-defnonblock 5
-
-## set these terminals up to be 'optimal' instead of vt100
-#termcapinfo xterm*|linux*|rxvt*|Eterm* OP
-
-caption always " %?%F%{r}%?%H%{r}%?%F*%: %? %{rd}| %{r}$LOGNAME%{d} | %{b}%-Lw%{b}%50>%{kw}%n%f* %t %{-}%+Lw%<"
-
-# fix screens copy&paste (background-color-erase to on)
-defbce on
-
-# xterm, and urxvt on weasel's jessie systems
-bindkey "^[[1;5D" prev
-bindkey "^[[1;5C" next
-bindkey "^[[1;5A" focus up
-bindkey "^[[1;5B" focus down
-
-# urxvt default Ctrl+left/right/up/down on weasel's stretch systems
-bindkey "^[Od" prev
-bindkey "^[Oc" next
-bindkey "^[Oa" focus up
-bindkey "^[Ob" focus down
-
-# gnome terminal (in screen:
-#bindkey "^[n" screen
-#bindkey "^[O5D" prev
-#bindkey "^[O5C" next
-#bindkey "^[O5A" focus up
-#bindkey "^[O5B" focus down
-
-# urxvt shift+left/right
-#bindkey "^[[d" prev
-#bindkey "^[[c" next
-#bindkey "^[[a" focus up
-#bindkey "^[[b" focus down
diff --git a/modules/debian-org/files/root-dotfiles/selected_editor b/modules/debian-org/files/root-dotfiles/selected_editor
deleted file mode 100644 (file)
index 2cab271..0000000
+++ /dev/null
@@ -1 +0,0 @@
-SELECTED_EDITOR="/usr/bin/vim"
diff --git a/modules/debian-org/files/root-dotfiles/tmux.conf b/modules/debian-org/files/root-dotfiles/tmux.conf
deleted file mode 100644 (file)
index ecde616..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-# mess with the status window
-set -g status-bg colour109
-set -g status-right "[#T]"
-setw -g window-status-current-bg white
-
-bind -n C-Right next-window
-bind -n C-Left previous-window
-
-bind -n C-Up select-pane -U
-bind -n C-Down select-pane -D
-bind | split-window -h
-bind - split-window -v
-
-#set -g default-terminal "screen-it"
-set -g xterm-keys on
-set -sg escape-time 0
diff --git a/modules/debian-org/files/root-dotfiles/vimrc b/modules/debian-org/files/root-dotfiles/vimrc
deleted file mode 100644 (file)
index d99e4d6..0000000
+++ /dev/null
@@ -1,88 +0,0 @@
-" ~/.vimrc - ViM configuration file
-
-" THIS FILE IS UNDER PUPPET CONTROL.
-" LOCAL CHANGES WILL BE OVERWRITTEN.
-
-runtime! debian.vim
-filetype plugin on
-set ai
-:set nocompatible
-:syn on
-:set title
-:set pastetoggle=<F10>
-:set listchars=tab:»·,trail:·
-:set list
-:nmap <F11> :set invlist<return>
-:imap <F11> <C-O>:set invlist<return>
-:set clipboard^=autoselectml guioptions+=A
-let g:Imap_UsePlaceHolders = 1
-let g:Imap_FreezeImap = 1
-:hi MatchParen ctermbg=black
-colorscheme peachpuff
-
-map <F3> :n<return>
-map <F2> :N<return>
-map <F5> :wn<return>
-map <F4> :wN<return>
-map fd ggV/^-- <CR><up>gq
-
-nnoremap <silent> <C-M> :make<return>
-
-nnoremap <silent> <S-left> :bprevious<return>
-nnoremap <silent> <S-right> :bnext<return>
-inoremap <silent> <S-left> <C-O>:bprevious<return>
-inoremap <silent> <S-right> <C-O>:bnext<return>
-
-nnoremap <silent> <C-left> :bprevious<return>
-nnoremap <silent> <C-right> :bnext<return>
-inoremap <silent> <C-left> <C-O>:bprevious<return>
-inoremap <silent> <C-right> <C-O>:bnext<return>
-
-nnoremap <silent> <Esc>[1;2D :bprevious<return>
-nnoremap <silent> <Esc>[1;2C :bnext<return>
-inoremap <silent> <Esc>[1;2D <C-O>:bprevious<return>
-inoremap <silent> <Esc>[1;2C <C-O>:bnext<return>
-
-nnoremap <silent> <Esc>[D :bprevious<return>
-nnoremap <silent> <Esc>[C :bnext<return>
-inoremap <silent> <Esc>[D <C-O>:bprevious<return>
-inoremap <silent> <Esc>[C <C-O>:bnext<return>
-
-nnoremap <silent> <Esc>[d :bprevious<return>
-nnoremap <silent> <Esc>[c :bnext<return>
-inoremap <silent> <Esc>[d <C-O>:bprevious<return>
-inoremap <silent> <Esc>[c <C-O>:bnext<return>
-
-" nnoremap <space><space> :bnew<return>
-nnoremap <silent> <space><left> :bprevious<return>
-nnoremap <silent> <space><right> :bnext<return>
-
-if &term =~ '^screen'
-    " tmux will send xterm-style keys when xterm-keys is on
-    execute "set <xUp>=\e[1;*A"
-    execute "set <xDown>=\e[1;*B"
-    execute "set <xRight>=\e[1;*C"
-    execute "set <xLeft>=\e[1;*D"
-endif
-
-
-
-" wild/tab behavior
-" =================
-set wildmode=longest,list:longest,list:full
-
-" spelling stuff
-" ==============
-set spellfile=~/.vim.spell.en.add
-:nmap <F8> :set invspell<return>
-:imap <F8> <C-O>:set invspell<return>
-
-" Searching and highlighting
-" ==========================
-hi Search cterm=NONE ctermfg=yellow ctermbg=19
-set hlsearch
-nnoremap <CR> :noh<CR><CR>
-
-set tabpagemax=50
-" Do not close buffers we don't see
-set hidden
diff --git a/modules/debian-org/files/timezone b/modules/debian-org/files/timezone
deleted file mode 100644 (file)
index 7f39493..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Etc/UTC
diff --git a/modules/debian-org/files/ud-replicated.service b/modules/debian-org/files/ud-replicated.service
deleted file mode 100644 (file)
index dbf99a8..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Userdir-Ldap Replication Daemon
-Wants=syslog.service
-
-[Service]
-ExecStart=/usr/bin/ud-replicated -d
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
diff --git a/modules/debian-org/lib/facter/architecture.rb b/modules/debian-org/lib/facter/architecture.rb
deleted file mode 100644 (file)
index e04cadc..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-Facter.add(:architecture) do
-    confine :kernel => 'GNU/kFreeBSD'
-    setcode do
-        model = Facter.value(:hardwaremodel)
-        case model
-        when 'x86_64' then "amd64"
-        when /(i[3456]86|pentium)/ then "i386"
-        else
-            model
-        end
-    end
-end
-
-Facter.add(:debarchitecture) do
-    setcode do
-        %x{/usr/bin/dpkg --print-architecture}.chomp
-    end
-end
-
diff --git a/modules/debian-org/lib/facter/cluster.rb b/modules/debian-org/lib/facter/cluster.rb
deleted file mode 100644 (file)
index 46d0bec..0000000
+++ /dev/null
@@ -1,17 +0,0 @@
-if FileTest.exist?('/usr/sbin/gnt-cluster') and FileTest.exist?('/var/lib/ganeti/ssconf_cluster_name')
-       begin
-               if system('/usr/sbin/gnt-cluster getmaster >/dev/null')
-                       Facter.add('cluster') do
-                               setcode do
-                                       open('/var/lib/ganeti/ssconf_cluster_name').read().chomp()
-                               end
-                       end
-                       Facter.add('cluster_nodes') do
-                               setcode do
-                                       open('/var/lib/ganeti/ssconf_node_list').read().split().join(" ")
-                               end
-                       end
-               end
-       rescue Exception => e
-       end
-end
diff --git a/modules/debian-org/lib/facter/debsso.rb b/modules/debian-org/lib/facter/debsso.rb
deleted file mode 100644 (file)
index 21c4f75..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-begin
-    require 'etc'
-
-    Facter.add("debsso_skac_crl") do
-        setcode do
-            crl = nil
-            crlfile = '/srv/sso.debian.org/debsso/data/spkac_ca/ca.crl'
-            if FileTest.exist?(crlfile)
-                crl = File.open(crlfile).read
-            end
-            crl
-        end
-    end
-
-rescue Exception => e
-end
-# vim:set et:
-# vim:set ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/debian-org/lib/facter/hosts.rb b/modules/debian-org/lib/facter/hosts.rb
deleted file mode 100644 (file)
index 63c04cb..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-Facter.add("brokenhosts") do
-       brokenhosts = true
-       if FileTest.exist?("/etc/hosts")
-               IO.foreach("/etc/hosts") do |x|
-                       x.split.each do |y|
-                               if y == Facter.value("fqdn")
-                                       brokenhosts = false
-                                       break
-                               end
-                       end
-               end
-       end
-       setcode do
-               if brokenhosts
-                       true
-               else
-                       ''
-               end
-       end
-end
-
-
diff --git a/modules/debian-org/lib/facter/ipaddresses.rb b/modules/debian-org/lib/facter/ipaddresses.rb
deleted file mode 100644 (file)
index 41f44e3..0000000
+++ /dev/null
@@ -1,66 +0,0 @@
-Facter.add("v4ips") do
-       confine :kernel => :linux
-       addrs = []
-       if FileTest.exist?("/bin/ip")
-               %x{ip addr list}.each_line do |line|
-                       next unless line =~ /\s+inet/
-                       next if line =~ /scope (link|host)/
-                       if line =~ /\s+inet\s+(\S+)\/\d{1,2} .*/
-                               addrs << $1
-                       end
-               end
-       end
-       ret = addrs.join(",")
-       if ret.empty?
-               ret = ''
-       end
-       setcode do
-               ret
-       end
-end
-
-Facter.add("v4ips") do
-       confine :kernel => 'GNU/kFreeBSD'
-       setcode do
-               addrs = []
-               output = %x{/sbin/ifconfig}
-
-               output.split(/^\S/).each { |str|
-                       if str =~ /inet ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/
-                               tmp = $1
-                               unless tmp =~ /127\./
-                                       addrs << tmp
-                                       break
-                               end
-                       end
-               }
-
-               ret = addrs.join(",")
-               if ret.empty?
-                       ret = ''
-               end
-               ret
-       end
-end
-
-Facter.add("v6ips") do
-       confine :kernel => :linux
-       addrs = []
-       if FileTest.exist?("/bin/ip")
-               %x{ip addr list}.each_line do |line|
-                       next unless line =~ /\s+inet/
-                       next if line =~ /scope (link|host)/
-                       if line =~ /\s+inet6\s+(\S+)\/\d{1,3} .*/
-                               addrs << $1
-                       end
-               end
-       end
-       ret = addrs.join(",")
-       if ret.empty?
-               ret = ''
-       end
-       setcode do
-               ret
-       end
-end
-
diff --git a/modules/debian-org/lib/facter/lsb-for-bsd.rb b/modules/debian-org/lib/facter/lsb-for-bsd.rb
deleted file mode 100644 (file)
index c95d7f2..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-{  "LSBRelease"         => %r{^LSB Version:\t(.*)$},
-   "LSBDistId"          => %r{^Distributor ID:\t(.*)$},
-   "LSBDistRelease"     => %r{^Release:\t(.*)$},
-   "LSBDistDescription" => %r{^Description:\t(.*)$},
-   "LSBDistCodeName"    => %r{^Codename:\t(.*)$}
-}.each do |fact, pattern|
-    Facter.add(fact) do
-        confine :kernel => 'GNU/kFreeBSD'
-        setcode do
-            unless defined?(lsbdata) and defined?(lsbtime) and (Time.now.to_i - lsbtime.to_i < 5)
-                type = nil
-                lsbtime = Time.now
-                lsbdata = Facter::Util::Resolution.exec('lsb_release -a 2>/dev/null')
-            end
-
-            if pattern.match(lsbdata)
-                $1
-            else
-                nil
-            end
-        end
-    end
-end
-
diff --git a/modules/debian-org/lib/facter/mounts.rb b/modules/debian-org/lib/facter/mounts.rb
deleted file mode 100644 (file)
index 4cdf969..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-begin
-  require 'filesystem'
-
-       Facter.add("mounts") do
-               ignorefs = ["NFS", "nfs", "nfs4", "nfsd", "afs", "binfmt_misc", "proc", "smbfs", 
-                           "autofs", "iso9660", "ncpfs", "coda", "devpts", "ftpfs", "devfs", 
-                           "mfs", "shfs", "sysfs", "cifs", "lustre_lite", "tmpfs", "usbfs", "udf",
-                           "fusectl", "fuse.snapshotfs", "rpc_pipefs", "devtmpfs"]
-               mountpoints = []
-               FileSystem.mounts.each do |m|
-                       if ((not ignorefs.include?(m.fstype)) && (m.options !~ /bind/))
-                               mountpoints << m.mount
-                       end
-               end
-               setcode do
-                       mountpoints.uniq.sort.join(',')
-               end
-       end
-
-rescue Exception => e
-end
diff --git a/modules/debian-org/lib/facter/mta.rb b/modules/debian-org/lib/facter/mta.rb
deleted file mode 100644 (file)
index 5d2242a..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-Facter.add("mta") do
-       setcode do
-               mta = "exim4"
-               if FileTest.exist?("/usr/sbin/postfix")
-                       mta = "postfix"
-               end
-               mta
-       end
-end
diff --git a/modules/debian-org/lib/facter/onion-services.rb b/modules/debian-org/lib/facter/onion-services.rb
deleted file mode 100644 (file)
index c444ec2..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-begin
-    require 'json'
-
-    Facter.add("onion_tor_service_hostname") do
-        services = {}
-
-        Dir['/var/lib/tor/onion/*/hostname'].each do |p|
-            dir = File.dirname(p)
-            service = File.basename(dir)
-            hostname = IO.read(p).chomp
-            services[service] = hostname
-        end
-        setcode do
-            services.to_json
-        end
-    end
-
-    Facter.add("onion_balance_service_hostname") do
-        services = {}
-
-        Dir['/etc/onionbalance/private_keys/*.key'].each do |p|
-            service = File.basename(p, '.key')
-            begin
-                services[service] = IO.popen(['/usr/local/bin/tor-onion-name', p]).read.chomp
-            rescue Errno::ENOENT
-            end
-        end
-        setcode do
-            services.to_json
-        end
-    end
-
-
-rescue Exception => e
-end
diff --git a/modules/debian-org/lib/facter/os-for-bsd.rb b/modules/debian-org/lib/facter/os-for-bsd.rb
deleted file mode 100644 (file)
index 77cad42..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-Facter.add(:operatingsystem) do
-    confine :kernel => 'GNU/kFreeBSD'
-    setcode do
-        if FileTest.exists?("/etc/debian_version")
-            "Debian"
-       end
-    end
-end
diff --git a/modules/debian-org/lib/facter/paths.rb b/modules/debian-org/lib/facter/paths.rb
deleted file mode 100644 (file)
index 47a010c..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-
-%w{/srv/build-trees
-   /srv/buildd
-   /etc/ssh/ssh_host_ed25519_key
-   /srv/mirrors/debian
-   /srv/mirrors/debian-debug
-   /srv/mirrors/debian-ports
-   /srv/mirrors/debian-security
-   /dev/hwrng
-}.each do |path|
-       Facter.add("has" + path.gsub(/[\/-]/,'_')) do
-               setcode do
-                       if FileTest.exist?(path)
-                               true
-                       else
-                               ''
-                       end
-               end
-       end
-end
diff --git a/modules/debian-org/lib/facter/raidarray.rb b/modules/debian-org/lib/facter/raidarray.rb
deleted file mode 100644 (file)
index 7dc29c3..0000000
+++ /dev/null
@@ -1,72 +0,0 @@
-Facter.add("smartarraycontroller") do
-       confine :kernel => :linux
-       setcode do
-               if FileTest.exist?("/dev/cciss/")
-                       true
-               elsif FileTest.exist?("/sys/module/hpsa/")
-                       true
-               else
-                       ''
-               end
-       end
-end
-
-Facter.add("ThreeWarecontroller") do
-       confine :kernel => :linux
-       setcode do
-               is3w = ''
-               if FileTest.exist?("/proc/scsi/scsi")
-                       IO.foreach("/proc/scsi/scsi") { |x|
-                               is3w = true if x =~ /Vendor: 3ware/
-                       }
-               end
-               is3w
-       end
-end
-
-Facter.add("megaraid") do
-       confine :kernel => :linux
-       setcode do
-               if FileTest.exist?("/dev/megadev0")
-                       true
-               else
-                       ''
-               end
-       end
-end
-
-Facter.add("mptraid") do
-       confine :kernel => :linux
-       setcode do
-               if FileTest.exist?("/dev/mptctl") or FileTest.exist?("/dev/mpt0") or FileTest.exist?("/proc/mpt/summary")
-                       true
-               else
-                       ''
-               end
-       end
-end
-
-Facter.add("aacraid") do
-       confine :kernel => :linux
-       setcode do
-               if FileTest.exist?("/dev/aac0")
-                       true
-               else
-                       ''
-               end
-       end
-end
-
-Facter.add("swraid") do
-       confine :kernel => :linux
-       setcode do
-                swraid = ''
-               if FileTest.exist?("/proc/mdstat") && FileTest.exist?("/sbin/mdadm")
-                        IO.foreach("/proc/mdstat") { |x|
-                                swraid = true if x =~ /md[0-9]+ : active/
-                        }
-                end
-                swraid
-       end
-end
-
diff --git a/modules/debian-org/lib/facter/roleaccounts.rb b/modules/debian-org/lib/facter/roleaccounts.rb
deleted file mode 100644 (file)
index 221c376..0000000
+++ /dev/null
@@ -1,119 +0,0 @@
-begin
-    require 'etc'
-
-    Facter.add("postgresql_key") do
-        setcode do
-            key = nil
-            keyfile = '/var/lib/postgresql/.ssh/id_rsa.pub'
-            if FileTest.exist?(keyfile)
-                key = File.open(keyfile).read.chomp
-            end
-            key
-        end
-    end
-
-    Facter.add("staticsync_key") do
-        setcode do
-            key = nil
-            keyfile = '/home/staticsync/.ssh/id_rsa.pub'
-            if FileTest.exist?(keyfile)
-                key = File.open(keyfile).read.chomp
-            end
-            key
-        end
-    end
-
-    Facter.add("staticsync_user_exists") do
-        setcode do
-            result = ''
-            begin
-                if Etc.getpwnam('staticsync')
-                    result = true
-                end
-            rescue ArgumentError
-            end
-            result
-        end
-    end
-
-
-    Facter.add("weblogsync_key") do
-        setcode do
-            key = nil
-            keyfile = '/home/weblogsync/.ssh/id_rsa.pub'
-            if FileTest.exist?(keyfile)
-                key = File.open(keyfile).read.chomp
-            end
-            key
-        end
-    end
-
-    Facter.add("weblogsync_user_exists") do
-        setcode do
-            result = ''
-            begin
-                if Etc.getpwnam('weblogsync')
-                    result = true
-                end
-            rescue ArgumentError
-            end
-            result
-        end
-    end
-
-
-    Facter.add("buildd_key") do
-        setcode do
-            key = nil
-            keyfile = '/home/buildd/.ssh/id_rsa.pub'
-            if FileTest.exist?(keyfile)
-                key = File.open(keyfile).read.chomp
-            end
-            key
-        end
-    end
-
-    Facter.add("buildd_user_exists") do
-        setcode do
-            result = ''
-            begin
-                if Etc.getpwnam('buildd')
-                    result = true
-                end
-            rescue ArgumentError
-            end
-            result
-        end
-    end
-
-    Facter.add("portforwarder_key") do
-        setcode do
-            key = nil
-            keyfile = '/home/portforwarder/.ssh/id_rsa.pub'
-            if FileTest.exist?(keyfile)
-                key = File.open(keyfile).read.chomp
-            end
-            key
-        end
-    end
-
-    Facter.add("portforwarder_user_exists") do
-        setcode do
-            result = ''
-            begin
-                if Etc.getpwnam('portforwarder')
-                    result = true
-                end
-            rescue ArgumentError
-            end
-            result
-        end
-    end
-
-
-
-rescue Exception => e
-end
-# vim:set et:
-# vim:set ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/debian-org/lib/facter/servertype.rb b/modules/debian-org/lib/facter/servertype.rb
deleted file mode 100644 (file)
index 85970c1..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-Facter.add("kvmdomain") do
-       setcode do
-               result = ''
-               if File.new('/proc/cpuinfo').read().index('QEMU Virtual CPU')
-                       result = true
-               end
-               result
-       end
-end
diff --git a/modules/debian-org/lib/facter/software.rb b/modules/debian-org/lib/facter/software.rb
deleted file mode 100644 (file)
index 0045a9e..0000000
+++ /dev/null
@@ -1,162 +0,0 @@
-Facter.add("apache2") do
-       setcode do
-               if FileTest.exist?("/usr/sbin/apache2")
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("apache2deb9") do
-       setcode do
-               # jessie (deb8) has 2.4.10-.., stretch (deb9) will have 2.4.23 or later.
-               if FileTest.exist?("/usr/sbin/apache2") and system("dpkg --compare-versions $(dpkg-query -W -f='${Version}\n' apache2-bin) gt 2.4.15")
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("clamd") do
-       setcode do
-               if FileTest.exist?("/usr/sbin/clamd")
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("exim4") do
-       setcode do
-               if FileTest.exist?("/usr/sbin/exim4")
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("postfix") do
-       setcode do
-               if FileTest.exist?("/usr/sbin/postfix")
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("postgres") do
-       setcode do
-               pg = (FileTest.exist?("/usr/lib/postgresql/8.1/bin/postgres") or
-               FileTest.exist?("/usr/lib/postgresql/8.3/bin/postgres") or
-               FileTest.exist?("/usr/lib/postgresql/8.4/bin/postgres") or
-               FileTest.exist?("/usr/lib/postgresql/9.0/bin/postgres") or
-               FileTest.exist?("/usr/lib/postgresql/9.1/bin/postgres") or
-               FileTest.exist?("/usr/lib/postgresql/9.2/bin/postgres"))
-               if pg
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("postgrey") do
-       setcode do
-               if FileTest.exist?("/usr/sbin/postgrey")
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("greylistd") do
-       setcode do
-               FileTest.exist?("/usr/sbin/greylistd")
-       end
-end
-Facter.add("policydweight") do
-       setcode do
-               if FileTest.exist?("/usr/sbin/policyd-weight")
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("spamd") do
-       setcode do
-               if FileTest.exist?("/usr/sbin/spamd")
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("php5") do
-       php =   (FileTest.exist?("/usr/lib/apache2/modules/libphp5.so") or
-               FileTest.exist?("/usr/bin/php5") or
-               FileTest.exist?("/usr/bin/php5-cgi") or
-               FileTest.exist?("/usr/lib/cgi-bin/php5"))
-       setcode do
-               if php
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("php5suhosin") do
-       suhosin=(FileTest.exist?("/usr/lib/php5/20060613/suhosin.so") or
-               FileTest.exist?("/usr/lib/php5/20060613+lfs/suhosin.so"))
-       setcode do
-               if suhosin
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("syslogversion") do
-       setcode do
-               %x{dpkg-query -W -f='${Version}\n' syslog-ng | cut -b1-3}.chomp
-       end
-end
-Facter.add("unbound") do
-       unbound=(FileTest.exist?("/usr/sbin/unbound") and
-               FileTest.exist?("/var/lib/unbound/root.key"))
-       setcode do
-               if unbound
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("munin_async") do
-       setcode do
-               FileTest.exist?("/usr/share/munin/munin-async")
-       end
-end
-Facter.add("samhain") do
-       setcode do
-               if FileTest.exist?("/usr/sbin/samhain")
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("systemd") do
-       setcode do
-               init = '/sbin/init'
-               if File.symlink?(init) and File.readlink(init) == "/lib/systemd/systemd"
-                       true
-               else
-                       ''
-               end
-       end
-end
-Facter.add("tor_ge_0_2_9") do
-       setcode do
-               system(%{dpkg -l tor >/dev/null 2>&1 && dpkg --compare-versions $(dpkg-query -W -f='${Version}' tor) ge 0.2.9})
-       end
-end
diff --git a/modules/debian-org/lib/facter/system-hw.rb b/modules/debian-org/lib/facter/system-hw.rb
deleted file mode 100644 (file)
index 0b36e5f..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-Facter.add("systemproductname") do
-       confine :kernel => :linux
-       setcode do
-               if FileTest.exist?("/usr/sbin/dmidecode")
-                       %x{/usr/sbin/dmidecode -s system-product-name}.chomp.strip
-               else
-                       ''
-               end
-       end
-end
-
-Facter.add("hw_can_temp_sensors") do
-       confine :kernel => :linux
-       setcode do
-               if FileTest.exist?("/sys/devices/virtual/thermal/thermal_zone0/temp")
-                       true
-               else
-                       ''
-               end
-       end
-end
diff --git a/modules/debian-org/manifests/apt.pp b/modules/debian-org/manifests/apt.pp
deleted file mode 100644 (file)
index 74aaa71..0000000
+++ /dev/null
@@ -1,121 +0,0 @@
-# == Class: debian-org
-#
-# Stuff common to all debian.org servers
-#
-class debian-org::apt {
-       if $::lsbmajdistrelease <= 7 {
-               $mungedcodename = $::lsbdistcodename
-       } elsif ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
-               $mungedcodename = "${::lsbdistcodename}-kfreebsd"
-       } else {
-               $mungedcodename = $::lsbdistcodename
-       }
-
-       if $::lsbmajdistrelease <= 8 {
-               $fallbackmirror = 'http://cdn-fastly.deb.debian.org/debian/'
-       } else {
-               $fallbackmirror = 'http://deb.debian.org/debian/'
-       }
-
-       if getfromhash($site::nodeinfo, 'hoster', 'mirror-debian') {
-               $mirror = [ getfromhash($site::nodeinfo, 'hoster', 'mirror-debian'), $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
-       } else {
-               $mirror = [ $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
-       }
-
-       site::aptrepo { 'debian':
-               url        => $mirror,
-               suite      => [ $mungedcodename, "${::lsbdistcodename}-backports", "${::lsbdistcodename}-updates" ],
-               components => ['main','contrib','non-free']
-       }
-       site::aptrepo { 'security':
-               url        => [ 'http://security-cdn.debian.org/', 'http://security.anycast-test.mirrors.debian.org/debian-security/', 'http://security.debian.org/' ],
-               suite      => "${mungedcodename}/updates",
-               components => ['main','contrib','non-free']
-       }
-
-       if has_role('experimental_apache') {
-               $dbdosuites = [ 'debian-all', $::lsbdistcodename, 'jessie-apache2' ]
-       } else {
-               $dbdosuites = [ 'debian-all', $::lsbdistcodename ]
-       }
-       site::aptrepo { 'db.debian.org':
-               url        => 'http://db.debian.org/debian-admin',
-               suite      => $dbdosuites,
-               components => 'main',
-               key        => 'puppet:///modules/debian-org/db.debian.org.gpg',
-       }
-
-       if ($::hostname in [] or $::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
-               site::aptrepo { 'proposed-updates':
-                       url        => $mirror,
-                       suite      => "${mungedcodename}-proposed-updates",
-                       components => ['main','contrib','non-free']
-               }
-       } else {
-               site::aptrepo { 'proposed-updates':
-                       ensure => absent,
-               }
-       }
-
-       site::aptrepo { 'debian-cdn':
-               ensure => absent,
-       }
-       site::aptrepo { 'debian.org':
-               ensure => absent,
-       }
-       site::aptrepo { 'debian2':
-               ensure => absent,
-       }
-       site::aptrepo { 'backports2.debian.org':
-               ensure => absent,
-       }
-       site::aptrepo { 'backports.debian.org':
-               ensure => absent,
-       }
-       site::aptrepo { 'volatile':
-               ensure => absent,
-       }
-       site::aptrepo { 'db.debian.org-suite':
-               ensure => absent,
-       }
-       site::aptrepo { 'debian-lts':
-               ensure => absent,
-       }
-
-
-
-
-       file { '/etc/apt/trusted-keys.d':
-               ensure => absent,
-               force  => true,
-       }
-
-       file { '/etc/apt/trusted.gpg':
-               mode    => '0600',
-               content => "",
-       }
-
-       file { '/etc/apt/preferences':
-               source => 'puppet:///modules/debian-org/apt.preferences',
-       }
-       file { '/etc/apt/apt.conf.d/local-compression':
-               source => 'puppet:///modules/debian-org/apt.conf.d/local-compression',
-       }
-       file { '/etc/apt/apt.conf.d/local-recommends':
-               source => 'puppet:///modules/debian-org/apt.conf.d/local-recommends',
-       }
-       file { '/etc/apt/apt.conf.d/local-pdiffs':
-               source => 'puppet:///modules/debian-org/apt.conf.d/local-pdiffs',
-       }
-       file { '/etc/apt/apt.conf.d/local-langs':
-               source => 'puppet:///modules/debian-org/apt.conf.d/local-langs',
-       }
-
-       exec { 'apt-get update':
-               path    => '/usr/bin:/usr/sbin:/bin:/sbin',
-               onlyif  => '/usr/local/bin/check_for_updates',
-               require => File['/usr/local/bin/check_for_updates']
-       }
-       Exec['apt-get update']->Package<| tag == extra_repo |>
-}
diff --git a/modules/debian-org/manifests/init.pp b/modules/debian-org/manifests/init.pp
deleted file mode 100644 (file)
index e8962c6..0000000
+++ /dev/null
@@ -1,304 +0,0 @@
-# == Class: debian-org
-#
-# Stuff common to all debian.org servers
-#
-class debian-org {
-       include debian-org::apt
-
-       if $systemd {
-               include systemd
-               $servicefiles = 'present'
-       } else {
-               $servicefiles = 'absent'
-       }
-
-       $debianadmin = [
-               'debian-archive-debian-samhain-reports@master.debian.org',
-               'debian-admin@ftbfs.de',
-               'weasel@debian.org',
-               'steve@lobefin.net',
-               'zumbi@oron.es'
-       ]
-
-       package { [
-                       'klogd',
-                       'sysklogd',
-                       'rsyslog',
-                       'os-prober',
-                       'apt-listchanges',
-               ]:
-               ensure => purged,
-       }
-       package { [
-                       'debian.org',
-                       'dsa-munin-plugins',
-               ]:
-               ensure => installed,
-               tag    => extra_repo,
-       }
-       file { '/etc/ssh/ssh_known_hosts':
-               ensure  => present,
-               replace => false,
-               mode    => '0644',
-               source  => 'puppet:///modules/debian-org/basic-ssh_known_hosts'
-       }
-
-       if ($::lsbmajdistrelease >= 8) {
-               $rubyfs_package = 'ruby-filesystem'
-       } else {
-               $rubyfs_package = 'libfilesystem-ruby1.9'
-       }
-       package { [
-                       'apt-utils',
-                       'bash-completion',
-                       'dnsutils',
-                       'less',
-                       'lsb-release',
-                       $rubyfs_package,
-                       'mtr-tiny',
-                       'nload',
-                       'pciutils',
-                       'lldpd',
-               ]:
-               ensure => installed,
-       }
-
-       munin::check { [
-                       'cpu',
-                       'entropy',
-                       'forks',
-                       'interrupts',
-                       'iostat',
-                       'irqstats',
-                       'load',
-                       'memory',
-                       'open_files',
-                       'open_inodes',
-                       'processes',
-                       'swap',
-                       'uptime',
-                       'vmstat',
-               ]:
-       }
-
-       if getfromhash($site::nodeinfo, 'broken-rtc') {
-               package { 'fake-hwclock':
-                       ensure => installed,
-                       tag    => extra_repo,
-               }
-       }
-
-       package { 'molly-guard':
-               ensure => installed,
-       }
-       file { '/etc/molly-guard/run.d/10-check-kvm':
-               mode    => '0755',
-               source  => 'puppet:///modules/debian-org/molly-guard/10-check-kvm',
-               require => Package['molly-guard'],
-       }
-       file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
-               mode    => '0755',
-               source  => 'puppet:///modules/debian-org/molly-guard/15-acquire-reboot-lock',
-               require => Package['molly-guard'],
-       }
-
-       augeas { 'inittab_replicate':
-               context => '/files/etc/inittab',
-               changes => [
-                       'set ud/runlevels 2345',
-                       'set ud/action respawn',
-                       'set ud/process "/usr/bin/ud-replicated -d"',
-               ],
-               notify  => Exec['init q'],
-       }
-
-
-       file { '/etc/facter':
-               ensure  => directory,
-               purge   => true,
-               force   => true,
-               recurse => true,
-               source  => 'puppet:///files/empty/',
-       }
-       file { '/etc/facter/facts.d':
-               ensure => directory,
-       }
-       file { '/etc/facter/facts.d/debian_facts.yaml':
-               content => template('debian-org/debian_facts.yaml.erb')
-       }
-       file { '/etc/timezone':
-               source => 'puppet:///modules/debian-org/timezone',
-               notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
-       }
-       if $::hostname == handel {
-               include puppetmaster::db
-               $dbpassword = $puppetmaster::db::password
-       }
-       file { '/etc/puppet/puppet.conf':
-               content => template('debian-org/puppet.conf.erb'),
-               mode => 0440,
-               group => 'puppet',
-       }
-       file { '/etc/default/puppet':
-               source => 'puppet:///modules/debian-org/puppet.default',
-       }
-       file { '/etc/systemd':
-               ensure  => directory,
-               mode => 0755,
-       }
-       file { '/etc/systemd/system':
-               ensure  => directory,
-               mode => 0755,
-       }
-       file { '/etc/systemd/system/ud-replicated.service':
-               ensure => $servicefiles,
-               source => 'puppet:///modules/debian-org/ud-replicated.service',
-               notify => Exec['systemctl daemon-reload'],
-       }
-       if $systemd {
-               file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service':
-                       ensure => 'link',
-                       target => '../ud-replicated.service',
-                       notify => Exec['systemctl daemon-reload'],
-               }
-       }
-       file { '/etc/systemd/system/puppet.service':
-               ensure => 'link',
-               target => '/dev/null',
-               notify => Exec['systemctl daemon-reload'],
-       }
-       file { '/etc/systemd/system/proc-sys-fs-binfmt_misc.automount':
-               ensure => 'link',
-               target => '/dev/null',
-               notify => Exec['systemctl daemon-reload'],
-       }
-
-       file { '/etc/cron.d/dsa-puppet-stuff':
-               content => template('debian-org/dsa-puppet-stuff.cron.erb'),
-               require => Package['debian.org'],
-       }
-       file { '/etc/ldap/ldap.conf':
-               require => Package['debian.org'],
-               content  => template('debian-org/ldap.conf.erb'),
-       }
-       file { '/etc/pam.d/common-session':
-               require => Package['debian.org'],
-               content => template('debian-org/pam.common-session.erb'),
-       }
-       file { '/etc/pam.d/common-session-noninteractive':
-               require => Package['debian.org'],
-               content => template('debian-org/pam.common-session-noninteractive.erb'),
-       }
-       file { '/etc/rc.local':
-               mode   => '0755',
-               content => template('debian-org/rc.local.erb'),
-               notify => Exec['service rc.local restart'],
-       }
-       file { '/etc/dsa':
-               ensure => directory,
-               mode   => '0755',
-       }
-       file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
-               source  => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore',
-               require => Package['debian.org']
-       }
-       file { '/etc/nsswitch.conf':
-               mode   => '0755',
-               source => 'puppet:///modules/debian-org/nsswitch.conf',
-       }
-
-       file { '/etc/profile.d/timeout.sh':
-               mode   => '0555',
-               source => 'puppet:///modules/debian-org/etc.profile.d/timeout.sh',
-       }
-       file { '/etc/zsh':
-               ensure => directory,
-       }
-       file { '/etc/zsh/zprofile':
-               mode   => '0444',
-               source => 'puppet:///modules/debian-org/etc.zsh/zprofile',
-       }
-
-       # set mmap_min_addr to 4096 to mitigate
-       # Linux NULL-pointer dereference exploits
-       site::sysctl { 'mmap_min_addr':
-               ensure => absent
-       }
-       site::sysctl { 'perf_event_paranoid':
-               key   => 'kernel.perf_event_paranoid',
-               value => '2',
-       }
-       site::sysctl { 'puppet-vfs_cache_pressure':
-               key   => 'vm.vfs_cache_pressure',
-               value => '10',
-       }
-       site::alternative { 'editor':
-               linkto => '/usr/bin/vim.basic',
-       }
-       site::alternative { 'view':
-               linkto => '/usr/bin/vim.basic',
-       }
-       mailalias { 'samhain-reports':
-               ensure    => present,
-               recipient => $debianadmin,
-               require   => Package['debian.org']
-       }
-
-       file { '/usr/local/bin/check_for_updates':
-               source => 'puppet:///modules/debian-org/check_for_updates',
-               mode   => '0755',
-               owner  => root,
-               group  => root,
-       }
-
-       exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
-               path        => '/usr/bin:/usr/sbin:/bin:/sbin',
-               refreshonly => true
-       }
-       exec { 'service puppetmaster restart':
-               refreshonly => true
-       }
-       exec { 'service rc.local restart':
-               refreshonly => true
-       }
-       exec { 'init q':
-               refreshonly => true
-       }
-
-       exec { 'systemctl daemon-reload':
-               refreshonly => true,
-               onlyif  => "test -x /bin/systemctl"
-       }
-
-       exec { 'systemd-tmpfiles --create --exclude-prefix=/dev':
-               refreshonly => true,
-               onlyif  => "test -x /bin/systemd-tmpfiles"
-       }
-
-       tidy { '/var/lib/puppet/clientbucket/':
-               age      => '2w',
-               recurse  => 9,
-               type     => ctime,
-               matches  => [ 'paths', 'contents' ],
-               schedule => weekly
-       }
-
-       file { '/root/.bashrc':
-               source => 'puppet:///modules/debian-org/root-dotfiles/bashrc',
-       }
-       file { '/root/.profile':
-               source => 'puppet:///modules/debian-org/root-dotfiles/profile',
-       }
-       file { '/root/.selected_editor':
-               source => 'puppet:///modules/debian-org/root-dotfiles/selected_editor',
-       }
-       file { '/root/.screenrc':
-               source => 'puppet:///modules/debian-org/root-dotfiles/screenrc',
-       }
-       file { '/root/.tmux.conf':
-               source => 'puppet:///modules/debian-org/root-dotfiles/tmux.conf',
-       }
-       file { '/root/.vimrc':
-               source => 'puppet:///modules/debian-org/root-dotfiles/vimrc',
-       }
-}
diff --git a/modules/debian-org/manifests/radvd.pp b/modules/debian-org/manifests/radvd.pp
deleted file mode 100644 (file)
index b9eeb80..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-class debian-org::radvd {
-       site::sysctl { 'dsa-accept-ra-default':
-               key   => 'net.ipv6.conf.default.accept_ra',
-               value => 0,
-       }
-       site::sysctl { 'dsa-accept-ra-all':
-               key   => 'net.ipv6.conf.all.accept_ra',
-               value => 0,
-       }
-}
diff --git a/modules/debian-org/misc/hoster.yaml b/modules/debian-org/misc/hoster.yaml
deleted file mode 100644 (file)
index 7917dda..0000000
+++ /dev/null
@@ -1,163 +0,0 @@
----
-1und1-sec:
-  netrange:
-    - 195.20.242.64/26
-    - 212.227.126.32/27
-    - 2001:8d8:2:1::/64
-accumu:
-  netrange:
-    - 130.236.0.0/14
-    - 2001:06B0:000E::/48
-aql:
-  netrange:
-    - 141.170.6.144/28
-  mirror-debian: http://ftp.uk.debian.org/debian/
-arm:
-  netrange:
-    - 217.140.96.0/22
-  entropy_provider_hoster: sil
-  mirror-debian: http://mirror.bytemark.co.uk/debian/
-brown:
-  netrange:
-    - 138.16.160.0/24
-  # all hosts have their own recursor
-  #mirror-debian: file:///srv/ftp-master.debian.org/mirror/ftp-master/
-  mirror-debian: http://ftp.us.debian.org/debian
-br:
-  # rename to c3sl
-  # University Federal do Parana (.br)
-  netrange:
-    - 200.17.192.0/19
-bytemark:
-  netrange:
-    - 5.153.231.0/24
-    - 89.16.160.112/29
-    - 2001:41c8:1000::/48
-    - 2001:41c8:61::/125
-  mirror-debian: http://mirror.bm.debian.org/debian
-carnet:
-  netrange:
-    - 193.198.0.0/16
-anu:
-  netrange:
-    - 150.203.164.0/24
-    - 2001:388:1034:2900::/64
-  #mirror-debian: http://mirror.linux.org.au/debian
-  #mirror-debian: http://ftp.au.debian.org/debian
-conova:
-  netrange:
-    - 217.196.149.224/28
-  mirror-debian: http://mirror.netcologne.de/debian/
-csail:
-  netrange:
-    - 128.31.0.0/24
-  mirror-debian: http://debian.csail.mit.edu/debian/
-dgi:
-  netrange:
-    - 93.94.130.128/26
-freenet:
-  netrange:
-    - 62.104.0.0/16
-gatech:
-  netrange:
-    - 128.61.240.0/23
-  mirror-debian: http://debian.gtisc.gatech.edu/debian/
-grnet:
-  netrange:
-    - 194.177.211.192/27
-    - 2001:648:2ffc:deb::/64
-  mirror-debian: http://ftp.gr.debian.org/debian/
-helsinki:
-  netrange:
-    - 193.167.160.0/23
-  # all hosts have their own recursor
-isc:
-  netrange:
-    - 149.20.0.0/16
-    - 2001:4F8::/32
-uni-karlsruhe:
-  # rename to karlsruhe
-  netrange:
-    - 129.143.160.0/29
-    - 2001:7c0:400:1337::/64
-  mirror-debian: http://ftp-stud.hs-esslingen.de/debian/
-linaro:
-  netrange:
-    - 64.28.108.83/32
-    - 64.28.108.84/32
-    - 64.28.108.85/32
-  mirror-debian: http://ftp.us.debian.org/debian/
-'man-da':
-  netrange:
-    - 82.195.75.64/26
-    - 2001:41b8:202:deb::/64
-  #mirror-debian: http://debian.netcologne.de/debian/ [currently unstable]
-  mirror-debian: http://ftp.de.debian.org/debian/
-leaseweb:
-  netrange:
-    - 185.17.185.176/28
-  #mirror-debian: http://mirror.nl.leaseweb.net/debian/
-marist:
-  netrange:
-    - 148.100.0.0/16
-  mirror-debian: http://ftp.us.debian.org/debian/
-osuosl:
-  netrange:
-    - 140.211.0.0/16
-  mirror-debian: http://debian.osuosl.org/debian
-sakura:
-  netrange:
-    - 133.242.99.74/32
-sanger:
-  netrange:
-    - 193.62.202.24/29
-  #resolvoptions: [single-request]
-  mirror-debian: http://mirror.bytemark.co.uk/debian/
-scanplus:
-  netrange:
-    - 212.211.132.0/26
-    - 212.211.132.248/29
-    - 2001:a78::/64
-sil:
-  netrange:
-    - 86.59.118.144/28
-    - 2001:858:2:2::/64
-  mirror-debian: http://ftp.at.debian.org/debian/
-ubc:
-  netrange:
-    - 209.87.16.0/24
-    - 2607:F8F0:614:1::/64
-    # old range:
-    - 206.12.19.0/24
-    - 2607:f8f0:610:4000::/64
-  mirror-debian: http://mirror-ubc.debian.org/debian/
-ugent:
-  netrange:
-    - 157.193.0.0/16
-umn:
-  netrange:
-    - 128.101.240.212
-unicamp:
-  netrange:
-    - 177.220.0.0/17
-  mirror-debian: http://ftp.br.debian.org/debian/
-utwente:
-  netrange:
-    - 130.89.0.0/16
-    - 2001:0610:1908::/48
-  # broken with dnssec
-xs4all:
-  # should be deleted
-  netrange:
-    - 194.109.137.216/29
-    - 2001:888:2000:12::/64
-ynic:
-  netrange:
-    - 144.32.168.64/28
-  mirror-debian: http://ftp.uk.debian.org/debian
-zivit:
-  netrange:
-    - 80.245.144.0/22
-  mirror-debian: http://debian.netcologne.de/debian/
-
-# vim:set et sts=2 ts=2 sw=2:
diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml
deleted file mode 100644 (file)
index 8aec035..0000000
+++ /dev/null
@@ -1,240 +0,0 @@
----
-nameinfo:
-  aagaard.debian.org: Thorvald Aagaard (June 8th, 1877 - March 22nd, 1937)
-  abel.debian.org: Carl Friedrich Abel (1723 - 1787)
-  acker.debian.org: Dieter Acker (November 3rd, 1940 - May 27th, 2006)
-  adayevskaya.debian.org: Ella Georgiyevna Adayevskaya (February, 22nd 1846 [O.S. February 10th] - July 26th, 1926)
-  antheil.debian.org: George Antheil (1900 - 1959)
-  arnold.debian.org: Malcolm Henry Arnold (1921 - 2006)
-  asachi.debian.org: Elena Asachi (1789 - 1877)
-  barriere.debian.org: Jean-Baptiste Barrière (May 2nd, 1707 - June 6th, 1747)
-  beach.debian.org: Amy Marcy Cheney Beach (September 5th, 1867 - December 27th, 1944)
-  beethoven.debian.org: Ludwig van Beethoven (December 16th, 1770 - March 26th, 1827)
-  bendel.debian.org: Franz Bendel (March 23rd, 1833 - July 3rd, 1874)
-  binet.debian.org: Jocelyne Binet (September 27th, 1923 - January 13th, 1968)
-  boott.debian.org: Francis Boott (June 24th, 1813 - March 1st, 1904)
-  busoni.debian.org: Ferruccio Dante Michelangiolo Benvenuto Busoni (April 1st, 1866 - July 27th, 1924)
-  buxtehude.debian.org: Dieterich Buxtehude (c. 1637 to 1639 - May 9th, 1707)
-  byrd.debian.org: William Byrd (1543 - July 4th, 1623)
-  casulana.debian.org: Maddalena Casulana (c. 1544 - c. 1590)
-  clementi.debian.org: Muzio Clementi (January 23rd, 1752 - March 10th, 1832)
-  coccia.debian.org: Maria Rosa Coccia (January 4th, 1759 - November 1833)
-  czerny.debian.org: Carl Czerny (February 21st, 1791 - July 15th, 1857)
-  danzi.debian.org: Franz Ignaz Danzi (June 15th, 1763 - April 13th, 1826)
-  delfin.debian.org: Carmelina Delfin (c. 1900 - after 1948)
-  diabelli.debian.org: Anton Diabelli (September 5th, 1781 - April 7th, 1858)
-  dinis.debian.org: Dinis of Portugal (October 9th, 1261 - January 7th, 1325)
-  dillon.debian.org: Fannie Charles Dillon (March 16th, 1881 - February 21st, 1947)
-  donizetti.debian.org: Gaetano Donizetti (November 29th, 1797 - April 8th, 1848)
-  draghi.debian.org: Antonio Draghi (1635 - January 16th, 1700)
-  eberlin.debian.org: Johann Ernst Eberlin (March 1702 27th - June 19th, 1762)
-  eller.debian.org: Heino Eller (March 7th, 1887 - June 16th, 1970)
-  elgar.debian.org: Edward Elgar (1857 - 1934)
-  falla.debian.org: Manuel de Falla y Matheu (November 23rd, 1876 - November 14th, 1946)
-  fano.debian.org: Guido Alberto Fano (March 18th, 1875 - August 14th, 1961)
-  fasolo.debian.org: Giovanni Battista Fasolo, O.F.M. (ca. 1598 - after 1664)
-  fayrfax.debian.org: Robert Fayrfax (April 23rd, 1464 - October 24th, 1521)
-  fils.debian.org: Anton Fils (September 22nd, 1733 (baptized) - March 14th, 1760 (buried))
-  finzi.debian.org: Gerald Raphael Finzi (July 14th, 1901 - September 27th, 1956)
-  fischer.debian.org: Johann Caspar Ferdinand Fischer (September 9th, 1656 - August 27th, 1746)
-  gideon.debian.org: Miriam Gideon (October 23rd, 1906 - June 18th, 1996)
-  gigault.debian.org: Nicolas Gigault (ca. 1627 - August 20th, 1707)
-  gombert.debian.org: Nicolas Gombert (c. 1495 - c. 1560)
-  gretchaninov: Alexander Tikhonovich Gretchaninov (October 25th, 1864 - January 3rd, 1956)
-  handel.debian.org: Georg Friedrich Händel (February 23rd, 1685 - April 14th, 1759)
-  harris.debian.org: Sir William Henry Harris (March 28th, 1883 - September 6th, 1973)
-  hartmann.debian.org: Karl Amadeus Hartmann (August 2nd, 1905 - December 5th, 1963)
-  hasse.debian.org: Johann Adolph Hasse (March 25th, 1699 - December 16th, 1783)
-  henze.debian.org: Hans Werner Henze (July 1st, 1926 - October 27th, 2012)
-  hoiby.debian.org: Lee Henry Hoiby (February 17th, 1926 - March 28th, 2011)
-  jerea.debian.org: Hilda Jerea (March 17th, 1916 - May 14th, 1980)
-  kaufmann.debian.org: Georg Friedrich Kauffmann (February 14th, 1679 - February 27th, 1735)
-  klecker.debian.org: Dedicated to Joel 'Espy' Klecker (1979 - July 11th, 2000)
-  lindsay.debian.org: Maria Lindsay Bliss (May 15th, 1827 - April 3rd, 1898)
-  lotti.debian.org: Antonio Lotti (ca. 1667 - January 5th, 1740)
-  lully.debian.org: Jean-Baptiste de Lully (November 28th, 1632 - March 22nd, 1687)
-  mailly.debian.org: Alphonse Jean Ernest Mailly (November 27th, 1833 - January 10th, 1918)
-  melartin.debian.org: Erkki Melartin (February 7th, 1875 - February 14th, 1937)
-  menotti.debian.org: Gian Carlo Menotti (July 7th, 1911 - February 1st, 2007)
-  manziarly.debian.org: Marcelle de Manziarly (October 1st/13th, 1899 -  May 12th, 1989)
-  mekeel.debian.org: Joyce Mekeel (July 6th, 1931 - Dec 29th, 1997)
-  milanollo.debian.org: Teresa Milanollo (August 28th, 1827 - October 25th, 1904)
-  minkus.debian.org: Ludwig Minkus (March 23rd 1826 - December 7th, 1917)
-  muffat.debian.org: George Muffat (June 1st, 1653 - February 23rd, 1704)
-  nono.debian.org: Luigi Nono (January 29th, 1924 - May 8th, 1990)
-  olin.debian.org: Elisabeth Olin (December 1740 - March 26th, 1828)
-  paradis.debian.org: Maria Theresia Paradis (May 15th, 1759 - February 1st, 1824)
-  partch.debian.org: Harry Partch (June 24th, 1901 - September 3rd, 1974)
-  pejacevic: Dora Pejačević (September 10th, 1885 - March 5th, 1923)
-  petrova.debian.org: Mara Petrova (May 15th, 1921 - June 7th. 1997)
-  pettersson.debian.org: Gustav Allan Pettersson (September 19th, 1911 - June 20th, 1980)
-  philp.debian.org: Elizabeth Philp (1827 - November 26th, 1885)
-  picconi.debian.org: Maria Antonietta Picconi (September 23rd, 1869 - 1926)
-  pieta.debian.org: Michielina della Pietà (fl. ca. 1700 - 1744)
-  pinel.debian.org: Julie Pinel (fl. 1710 - 1737)
-  pizzetti.debian.org: Ildebrando Pizzetti (20 September 1880 - 13 February 1968)
-  plummer.debian.org: John Plummer (c. 1410 - c. 1483)
-  porpora.debian.org: Niccolò (Antonio) Porpora (17 August 1686 - 3 March 1768)
-  porta.debian.org: Giovanni Porta (c. 1675 - 21 June 1755)
-  praetorius.debian.org: Hieronymus Praetorius (August 10th, 1560 - January 27th, 1629)
-  prokofiev.debian.org: Sergei Sergeyevich Prokofiev (April 27th, 1891 - March 5th, 1953)
-  quantz.debian.org: Johann Joachim Quantz (January 30th, 1697 - July 12th, 1773)
-  rachmaninoff: Sergei Vasilievich Rachmaninoff (1 April 1873 - 28 March 1943)
-  rainier.debian.org: Ivy Priaulx Rainier (February 3rd, 1903 - October 10th, 1986)
-  rapoport.debian.org: Eda Rothstein Rapoport (December 25th, 1890 - May 9th, 1968)
-  reger.debian.org: Johann Baptist Joseph Maximilian Reger (March 19th, 1873 - May 11th, 1916)
-  respighi.debian.org: Elsa Respighi (née Olivieri-Sangiacomo) (March 24th, 1894 - March 17th, 1996)
-  sallinen.debian.org: Aulis Sallinen (born April 9, 1935)
-  santoro.debian.org: Cláudio Santoro (November 23rd, 1919 - March 27th, 1989)
-  schumann.debian.org: Robert Alexander Schumann (June 8th, 1810 - July 29th, 1856)
-  sechter.debian.org: Simon Sechter (October 11th, 1788 - September 10th, 1867)
-  seger.debian.org: Josef Seger (March 21st, 1716 - April 22nd, 1782)
-  senfter.debian.org: Johanna Senfter (November, 27th, 1879 - August 11th, 1961)
-  setoguchi.debian.org: 瀬戸口藤吉, Tokichi Setoguchi (June 28th, 1868 - November 8th, 1941)
-  sibelius.debian.org: Jean Sibelius (December 8th, 1865 - September 20th, 1957)
-  smetana.debian.org: Bedřich Smetana (March 2nd, 1824 - May 12th, 1884)
-  sonntag.debian.org: Brunhilde Sonntag (September 27th, 1936 - December 18th, 2002)
-  sor.debian.org: Fernando Sor (February 14th, 1778 - July 10th, 1839)
-  soriano.debian.org: Francesco Soriano (1548 or 1549 - July 19th, 1621)
-  stockhausen.debian.org: Karlheinz Stockhausen (August 22nd, 1928 - December 5th, 2007)
-  storace.debian.org: Stephen Storace (April 4th, 1762 - March 19th, 1796)
-  spontini.debian.org: Gaspare Luigi Pacifico Spontini (November 14th, 1774 - January 24th, 1851)
-  tate.debian.org: Phyllis Tate (April 6th, 1911 - May 29th, 1987)
-  tchaikovsky.debian.org: Pyotr Ilyich Tchaikovsky (Пётр Ильич Чайковский) (May 7th, 1840 - November 6th, 1893)
-  ticharich.debian.org: Zdenka Ticharich (September 26th, 1900 - February 15th, 1979)
-  tye.debian.org: Christopher Tye (c.1505 - 1573)
-  ullmann.debian.org: Viktor Ullmann (January 1st, 1898 - October 17th, 1944)
-  usper.debian.org: Francesco Usper (November 1st, 1561 - February 24th, 1641)
-  vento.debian.org: Ivo de Vento (1543/1545 - 1575)
-  vittoria.debian.org: Tomás Luis da Vittoria (ca. 1548 - August 27th, 1611)
-  vogler.debian.org: Georg Joseph Vogler (June 15th, 1749 - May 6th, 1814)
-  wieck.debian.org: Clara Josephine Wieck (September 13th, 1819 - May 20th, 1896)
-  wilder.debian.org: Alec Wilder (February 16th, 1907 - December 24th, 1980)
-  wolkenstein.debian.org: Oswald von Wolkenstein (1377 - August 2nd, 1445)
-  wuiet.debian.org: Caroline Wuiet (1766 - 1835)
-  zandonai.debian.org: Riccardo Zandonai (May 30th, 1883 - June 5th, 1944)
-  zani.debian.org: Andrea Teodoro Zani (November 11th, 1696 - September 28th, 1757)
-  zelenka.debian.org: Jan Dismas Zelenka (October 16th, 1679 - December 23rd, 1745)
-  zemlinsky.debian.org: Alexander von Zemlinsky (October 14th, 1871 - March 15th 1942)
-footer:
-  dummy: foo
-  #zandonai.debian.org: "Debian s390 buildd system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]"
-  #zelenka.debian.org: "Debian s390 porter system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]"
-host_settings:
-  heavy_exim:
-    # mail front-ends
-    - mailly.debian.org
-    - muffat.debian.org
-    # other mail receivers
-    - buxtehude.debian.org
-    - draghi.debian.org
-    - master.debian.org
-    - nono.debian.org
-    - picconi.debian.org
-    - pinel.debian.org
-    - quantz.debian.org
-    - reger.debian.org
-    - tye.debian.org
-    - vento.debian.org
-    - wuiet.debian.org
-  not-bacula-client:
-    # porterbox
-    - abel.debian.org
-    - asachi.debian.org
-    - barriere.debian.org
-    - binet.debian.org
-    - eller.debian.org
-    - falla.debian.org
-    - fischer.debian.org
-    - harris.debian.org
-    - minkus.debian.org
-    - partch.debian.org
-    - pizzetti.debian.org
-    - plummer.debian.org
-    - smetana.debian.org
-    - zelenka.debian.org
-    # buildd
-    - antheil.debian.org
-    - arm-arm-01.debian.org
-    - arm-arm-02.debian.org
-    - arm-arm-03.debian.org
-    - arm-arm-04.debian.org
-    - arm-conova-01.debian.org
-    - arm-conova-02.debian.org
-    - arm-conova-03.debian.org
-    - arm-conova-04.debian.org
-    - arm-linaro-01.debian.org
-    - arm-linaro-03.debian.org
-    - arnold.debian.org
-    - eberlin.debian.org
-    - fano.debian.org
-    - fayrfax.debian.org
-    - fils.debian.org
-    - finzi.debian.org
-    - hartmann.debian.org
-    - hasse.debian.org
-    - henze.debian.org
-    - hoiby.debian.org
-    - mips-aql-01.debian.org
-    - mips-aql-02.debian.org
-    - mips-aql-04.debian.org
-    - mips-aql-05.debian.org
-    - mips-aql-06.debian.org
-    - mips-sil-01.debian.org
-    - mips-manda-01.debian.org
-    - mipsel-aql-01.debian.org
-    - mipsel-aql-02.debian.org
-    - mipsel-aql-03.debian.org
-    - mipsel-manda-01.debian.org
-    - mipsel-manda-02.debian.org
-    - mipsel-manda-03.debian.org
-    - mipsel-sil-01.debian.org
-    - porpora.debian.org
-    - powerpc-osuosl-01.debian.org
-    - powerpc-unicamp-01.debian.org
-    - ppc64el-osuosl-01.debian.org
-    - ppc64el-unicamp-01.debian.org
-    - praetorius.debian.org
-    - spontini.debian.org
-    - x86-grnet-01.debian.org
-    - zandonai.debian.org
-    - zani.debian.org
-    - zemlinsky.debian.org
-    - x86-bm-01.debian.org
-    - x86-csail-01.debian.org
-    - x86-csail-02.debian.org
-    - x86-ubc-01.debian.org
-  broken-rtc:
-    - abel.debian.org
-    - antheil.debian.org
-    - arm-arm-01.debian.org
-    - arm-arm-02.debian.org
-    - arm-arm-03.debian.org
-    - arnold.debian.org
-    - eller.debian.org
-    - harris.debian.org
-    - hasse.debian.org
-    - henze.debian.org
-    - hoiby.debian.org
-    - mips-aql-01.debian.org
-    - mips-aql-02.debian.org
-    - mips-aql-04.debian.org
-    - mips-aql-05.debian.org
-    - mips-aql-06.debian.org
-    - mips-manda-01.debian.org
-    - mips-sil-01.debian.org
-    - mipsel-aql-03.debian.org
-    - mipsel-manda-03.debian.org
-    - mipsel-sil-01.debian.org
-  mail_port:
-    klecker.debian.org: 2025
-    zani.debian.org: 587
-  no_munin:
-    - fano.debian.org
-  entropy_key:
-    - czerny.debian.org
-    - grnet-node01.debian.org
-    # - ubc-bl2.debian.org
-    - storace.debian.org
-  buildd_master:
-    - wuiet.debian.org
diff --git a/modules/debian-org/templates/debian_facts.yaml.erb b/modules/debian-org/templates/debian_facts.yaml.erb
deleted file mode 100644 (file)
index 2dcf796..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
----
-hoster: <%= scope.lookupvar('site::nodeinfo')['hoster']['name'] %>
diff --git a/modules/debian-org/templates/dsa-puppet-stuff.cron.erb b/modules/debian-org/templates/dsa-puppet-stuff.cron.erb
deleted file mode 100644 (file)
index 48fab72..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-SHELL=/bin/bash
-@hourly  root [ ! -d /var/cache/dsa ] || touch /var/cache/dsa/cron.alive
-<% if @lsbmajdistrelease <= '7' -%>
-34 */4 * * * root if [ -x /usr/sbin/puppetd ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/sbin/puppetd -o --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
-<% else -%>
-34 */4 * * * root if [ -x /usr/bin/puppet ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/bin/puppet agent --onetime --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
-<% end -%>
-
-@hourly root sleep $(( $RANDOM \% 300 )); if [ -x /usr/lib/nagios/plugins/dsa-check-stunnel-sanity ] && [ -e /etc/stunnel/puppet-ekeyd.conf ] && ! /usr/lib/nagios/plugins/dsa-check-stunnel-sanity > /dev/null && grep -q '^client = yes' /etc/stunnel/puppet-ekeyd.conf; then /usr/sbin/service stunnel4 restart > /dev/null; fi
-
-@daily munin-async [ -d /var/lib/munin-async ] && find /var/lib/munin-async -maxdepth 1 -type f -mtime +30 -delete
-
-@daily root [ -d /var/lib/puppet/clientbucket ] && find /var/lib/puppet/clientbucket -type f -mtime +60 -delete && find /var/lib/puppet/clientbucket -type d -empty -delete
-
-@hourly root ! [ -x /usr/local/sbin/ntp-restart-if-required ] || /usr/local/sbin/ntp-restart-if-required
diff --git a/modules/debian-org/templates/ldap.conf.erb b/modules/debian-org/templates/ldap.conf.erb
deleted file mode 100644 (file)
index b3f514b..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#
-# LDAP Defaults
-#
-
-# See ldap.conf(5) for details
-# This file should be world readable but not world writable.
-
-#BASE  dc=example,dc=com
-#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666
-
-#SIZELIMIT     12
-#TIMELIMIT     15
-#DEREF         never
-
-URI             ldap://db.debian.org
-BASE            dc=debian,dc=org
-
-TLS_CACERT      /etc/ssl/ca-debian/ca-certificates.crt
-TLS_REQCERT     hard
diff --git a/modules/debian-org/templates/pam.common-session-noninteractive.erb b/modules/debian-org/templates/pam.common-session-noninteractive.erb
deleted file mode 100644 (file)
index 3b078a3..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#
-# /etc/pam.d/common-session-noninteractive - session-related modules
-# common to all non-interactive services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of all non-interactive sessions.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session [default=1]                     pam_permit.so
-# here's the fallback if no module succeeds
-session requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session required        pam_unix.so     
-# end of pam-auth-update config
diff --git a/modules/debian-org/templates/pam.common-session.erb b/modules/debian-org/templates/pam.common-session.erb
deleted file mode 100644 (file)
index 3a24bb7..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#
-# /etc/pam.d/common-session - session-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session        [default=1]                     pam_permit.so
-# here's the fallback if no module succeeds
-session        requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session        required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session        required        pam_unix.so 
-# end of pam-auth-update config
-session        [success=1 default=ignore]      pam_succeed_if.so quiet_fail quiet_success home = /nonexistent
-session        optional                        pam_mkhomedir.so skel=/etc/skel umask=0022
-session        optional                        pam_systemd.so
-session        optional                        pam_permit.so
diff --git a/modules/debian-org/templates/puppet.conf.erb b/modules/debian-org/templates/puppet.conf.erb
deleted file mode 100644 (file)
index 8b75800..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-[main]
-logdir=/var/log/puppet
-vardir=/var/lib/puppet
-ssldir=/var/lib/puppet/ssl
-rundir=/var/run/puppet
-factpath=$vardir/lib/facter
-pluginsync=true
-# This is the default environment for all clients
-environment=production
-
-<%- if scope.lookupvar('::hostname') == 'handel' -%>
-modulepath=/etc/puppet/modules:/etc/puppet/3rdparty/modules:/usr/share/puppet/modules
-
-[master]
-environments = production,staging
-reports = store
-config_version = cat /etc/puppet/.config-version
-storeconfigs = true
-thin_storeconfigs = true
-dbadapter=mysql
-dbuser=puppet
-dbpassword=<%= scope.lookupvar('dbpassword') %>
-dbserver=localhost
-
-[production]
-manifestdir=/srv/puppet.debian.org/stages/production/manifests
-fileserverconfig=/srv/puppet.debian.org/stages/production/fileserver.conf
-modulepath=/srv/puppet.debian.org/stages/production/modules:/srv/puppet.debian.org/stages/production/3rdparty/modules
-
-[staging]
-manifestdir=/srv/puppet.debian.org/stages/staging/manifests
-fileserverconfig=/srv/puppet.debian.org/stages/staging/fileserver.conf
-modulepath=/srv/puppet.debian.org/stages/staging/modules:/srv/puppet.debian.org/stages/staging/3rdparty/modules
-<%- end -%>
-
-[agent]
-environments = development,testing,production,staging
-report = true
-configtimeout = 240
diff --git a/modules/debian-org/templates/rc.local.erb b/modules/debian-org/templates/rc.local.erb
deleted file mode 100755 (executable)
index b3d13dc..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-<%- if hostname == "zani" then -%>
-  if [ -n "$(awk '$4 == "dasdb1" && $3 == "249999" {print}' /proc/partitions)" ]; then
-    mkswap /dev/dasdb1 && swapon -p 30 /dev/dasdb1
-  fi
-  if [ -n "$(awk '$4 == "dasdc1" && $3 == "249999" {print}' /proc/partitions)" ]; then
-    mkswap /dev/dasdc1 && swapon -p 30 /dev/dasdc1
-  fi
-<%- end -%>
-<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
-  ( sleep 120;
-    service syslog-ng restart;
-    sleep 5;
-    init q
-  ) & disown
-<%- end -%>
-
-if [ -e /proc/sys/kernel/modules_disabled ]; then
-       ( sleep 60;
-         echo 1 > /proc/sys/kernel/modules_disabled || true
-       ) & disown
-fi
-
-touch /var/run/reboot-lock
diff --git a/modules/debian_org/files/apt.conf.d/local-compression b/modules/debian_org/files/apt.conf.d/local-compression
new file mode 100644 (file)
index 0000000..818a6e2
--- /dev/null
@@ -0,0 +1,15 @@
+//
+// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+//
+
+Acquire {
+  CompressionTypes
+  {
+    bz2 "bzip2";
+    lzma "lzma";
+    gz "gzip";
+
+    Order { "gz"; "lzma"; "bz2"; };
+  };
+};
diff --git a/modules/debian_org/files/apt.conf.d/local-langs b/modules/debian_org/files/apt.conf.d/local-langs
new file mode 100644 (file)
index 0000000..3e9ff30
--- /dev/null
@@ -0,0 +1 @@
+Acquire::Languages { "en"; "none"; };
diff --git a/modules/debian_org/files/apt.conf.d/local-pdiffs b/modules/debian_org/files/apt.conf.d/local-pdiffs
new file mode 100644 (file)
index 0000000..155daf9
--- /dev/null
@@ -0,0 +1,6 @@
+//
+// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+//
+
+Acquire::PDiffs "false";
diff --git a/modules/debian_org/files/apt.conf.d/local-recommends b/modules/debian_org/files/apt.conf.d/local-recommends
new file mode 100644 (file)
index 0000000..aa0261c
--- /dev/null
@@ -0,0 +1,6 @@
+//
+// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+//
+
+APT::Install-Recommends 0;
diff --git a/modules/debian_org/files/apt.preferences b/modules/debian_org/files/apt.preferences
new file mode 100644 (file)
index 0000000..65d1172
--- /dev/null
@@ -0,0 +1,23 @@
+Explanation:
+Explanation: THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+Explanation: USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+Explanation:
+Package: *
+Pin: release o=Debian Backports
+Pin-Priority: 200
+
+Package: sbuild
+Pin: release o=buildd.debian.org
+Pin-Priority: 500
+
+Package: buildd
+Pin: release o=buildd.debian.org
+Pin-Priority: 500
+
+Package: libsbuild-perl
+Pin: release o=buildd.debian.org
+Pin-Priority: 500
+
+Package: *
+Pin: release o=buildd.debian.org
+Pin-Priority: -1
diff --git a/modules/debian_org/files/basic-ssh_known_hosts b/modules/debian_org/files/basic-ssh_known_hosts
new file mode 100644 (file)
index 0000000..5f1d407
--- /dev/null
@@ -0,0 +1 @@
+draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106,2001:41b8:202:deb:1a1a:0:52c3:4b6a ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi
diff --git a/modules/debian_org/files/check_for_updates b/modules/debian_org/files/check_for_updates
new file mode 100755 (executable)
index 0000000..7894da4
--- /dev/null
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+parse_dates () {
+       while read url file junk; do
+               url=$(echo $url | sed -e "s/'//g")
+               url_time=$(date -d "$(curl -sqI ${url} | grep Last-Modified: | sed -e 's/Last-Modified: //')" +%s)
+               if [ ! -f "/var/lib/apt/lists/${file}" ]; then
+                       return 0
+               fi
+               file_time=$(stat -c %Y /var/lib/apt/lists/${file})
+               if [ $url_time -gt $file_time ]; then
+                       return 0
+               fi
+       done
+       return 1
+}
+
+su nobody -c 'apt-get update -s --print-uris' | grep 'Release ' | parse_dates
+exit $?
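Review bot: In `parse_dates`, `${url}` and `${file}` are expanded unquoted and the result of `curl` is never checked, so a failed request or a missing `Last-Modified` header is not reported; the empty string goes straight into `date -d`, which GNU date appears to read as midnight today. Quote the expansions (`curl -sqI "${url}"`, `stat -c %Y "/var/lib/apt/lists/${file}"`, `[ "$url_time" -gt "$file_time" ]`) and return early when the header comes back empty. `read -r url file junk` avoids backslash processing on the machine-generated input. The header match is case-sensitive, so `grep -i '^Last-Modified:'` would presumably be more robust against servers that send lower-case header names.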
diff --git a/modules/debian_org/files/db.debian.org.gpg b/modules/debian_org/files/db.debian.org.gpg
new file mode 100644 (file)
index 0000000..229cb63
Binary files /dev/null and b/modules/debian_org/files/db.debian.org.gpg differ
diff --git a/modules/debian_org/files/dsa-puppet-stuff.cron.ignore b/modules/debian_org/files/dsa-puppet-stuff.cron.ignore
new file mode 100644 (file)
index 0000000..e348b0a
--- /dev/null
@@ -0,0 +1,15 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+# this is a list of patterns, one per line, of things that puppet's
+# cron output shouldn't mail to us.
+
+^v6: error fetching interface information: Device not found$
+^pcilib: Cannot open /proc/bus/pci$
+^lspci: Cannot find any working access method\.$
+^can't open /proc/dma at /usr/bin/lsdev line 32\.$
+^/usr/lib/ruby/1.9.1/rubygems/custom_require\.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead\.$
+^/usr/lib/ruby/vendor_ruby/puppet/provider/service/freebsd\.rb:[8910]*: warning: class variable access from toplevel$
+^/usr/lib/ruby/vendor_ruby/puppet/provider/service/bsd\.rb:12: warning: class variable access from toplevel$
+^/usr/lib/ruby/vendor_ruby/puppet/type/tidy\.rb:1[0-9][0-9]: warning: class variable access from toplevel$
diff --git a/modules/debian_org/files/etc.profile.d/timeout.sh b/modules/debian_org/files/etc.profile.d/timeout.sh
new file mode 100755 (executable)
index 0000000..617579e
--- /dev/null
@@ -0,0 +1,2 @@
+TMOUT=129600 # a day and a half (36 hrs)
+export TMOUT
diff --git a/modules/debian_org/files/etc.zsh/zprofile b/modules/debian_org/files/etc.zsh/zprofile
new file mode 100644 (file)
index 0000000..8ea4df3
--- /dev/null
@@ -0,0 +1,16 @@
+#
+# THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+# USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+#
+
+# /etc/zsh/zprofile: system-wide .zprofile file for zsh(1).
+#
+# This file is sourced only for login shells (i.e. shells
+# invoked with "-" as the first character of argv[0], and
+# shells invoked with the -l flag.)
+#
+# Global Order: zshenv, zprofile, zshrc, zlogin
+
+if [ -e /etc/profile.d/timeout.sh ]; then
+  .  /etc/profile.d/timeout.sh
+fi
diff --git a/modules/debian_org/files/molly-guard/10-check-kvm b/modules/debian_org/files/molly-guard/10-check-kvm
new file mode 100644 (file)
index 0000000..e9ed39c
--- /dev/null
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+KVMCOUNT=`pgrep -cx '^(qemu-)?kvm$'`
+if [ $KVMCOUNT != 0 ]; then
+       echo "Found $KVMCOUNT qemu-kvm instances running, aborting $MOLLYGUARD_CMD!"
+       exit 1
+fi
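Review bot: This guard fails open, because `[ $KVMCOUNT != 0 ]` is unquoted: if `pgrep` is missing or prints nothing, the test is a syntax error, the `if` is false and the script falls through with exit status 0. Quote the variable and treat an empty count as a failure, e.g. `if [ "${KVMCOUNT:-unknown}" != 0 ]; then`. The pattern matches only processes named exactly `kvm` or `qemu-kvm`; whether that covers every hypervisor binary on these hosts cannot be told from the hunk, so a comment naming the expected process names would help.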
diff --git a/modules/debian_org/files/molly-guard/15-acquire-reboot-lock b/modules/debian_org/files/molly-guard/15-acquire-reboot-lock
new file mode 100644 (file)
index 0000000..ebbac93
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright 2012 Peter Palfrader
+
+l=/var/run/reboot-lock
+exec 3> $l
+
+if ! flock --exclusive -w 0  3; then
+       echo >&2 "Cannot acquire reboot lock."
+       exit 1
+fi
+echo "Reboot lock acquired."
+
+ppid="$PPID"
+(
+       while kill -0 "$ppid" 2>/dev/null; do
+               sleep 1
+       done
+) &
+disown
+exit 0
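Review bot: The background loop at the end needs a comment, because its purpose is not obvious from the code. The subshell inherits fd 3, so it appears to exist only to keep the flock held until the parent process (`$PPID`) has gone away. I would add `# keep fd 3 (and with it the lock) open for as long as our parent is alive` above `ppid="$PPID"`. `exec 3> $l` should also quote the path: `exec 3> "$l"`.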
diff --git a/modules/debian_org/files/nsswitch.conf b/modules/debian_org/files/nsswitch.conf
new file mode 100644 (file)
index 0000000..e6a644e
--- /dev/null
@@ -0,0 +1,19 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         compat db
+group:          db compat
+shadow:         compat db
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis
diff --git a/modules/debian_org/files/puppet.default b/modules/debian_org/files/puppet.default
new file mode 100644 (file)
index 0000000..dc0743f
--- /dev/null
@@ -0,0 +1,13 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+# Defaults for puppet - sourced by /etc/init.d/puppet
+
+# Start puppet on boot?
+START=no
+exit 0
+
+# Startup options
+DAEMON_OPTS="-w 5 --factsync"
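Review bot: The `exit 0` after `START=no` deserves a comment. The header says this file is sourced by /etc/init.d/puppet, so the `exit` ends the sourcing script and the `DAEMON_OPTS` line below it is never reached. If that is intended, say so with something like `# deliberately abort the sourcing init script here`, and comment out or drop the dead `DAEMON_OPTS` assignment so nobody edits it expecting an effect.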
diff --git a/modules/debian_org/files/root-dotfiles/bashrc b/modules/debian_org/files/root-dotfiles/bashrc
new file mode 100644 (file)
index 0000000..048d944
--- /dev/null
@@ -0,0 +1,23 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+
+## THIS FILE IS UNDER PUPPET CONTROL.
+## LOCAL CHANGES WILL BE OVERWRITTEN.
+
+if [ "$PS1" ]; then
+  typeset HISTCONTROL=ignoreboth
+  typeset HISTSIZE=50000
+
+  export LS_OPTIONS='--color=auto'
+  eval "`dircolors`"
+  alias ls='ls $LS_OPTIONS'
+  alias ll='ls $LS_OPTIONS -l'
+  alias l='ls $LS_OPTIONS -lA'
+
+  if [ -f /usr/share/bash-completion/bash_completion ]; then
+    . /usr/share/bash-completion/bash_completion
+  fi
+
+  PATH="$PATH:/usr/lib/nagios/plugins"
+fi
+
+# vim: set ft=sh ts=2 sw=2 et ai si:
diff --git a/modules/debian_org/files/root-dotfiles/profile b/modules/debian_org/files/root-dotfiles/profile
new file mode 100644 (file)
index 0000000..e4bb8db
--- /dev/null
@@ -0,0 +1,17 @@
+# ~/.profile: executed by Bourne-compatible login shells.
+
+## THIS FILE IS UNDER PUPPET CONTROL.
+## LOCAL CHANGES WILL BE OVERWRITTEN.
+
+if [ "$BASH" ]; then
+  if [ -f ~/.bashrc ]; then
+    . ~/.bashrc
+  fi
+  if [ "$PS1" ]; then
+    PS1='${debian_chroot:+[$debian_chroot] }\h:\w\$ '
+  fi
+fi
+
+mesg n
+
+# vim: set ft=sh ts=2 sw=2 et ai si:
diff --git a/modules/debian_org/files/root-dotfiles/screenrc b/modules/debian_org/files/root-dotfiles/screenrc
new file mode 100644 (file)
index 0000000..d59cfb9
--- /dev/null
@@ -0,0 +1,43 @@
+
+## THIS FILE IS UNDER PUPPET CONTROL.
+## LOCAL CHANGES WILL BE OVERWRITTEN.
+
+
+startup_message off
+deflogin on
+#vbell off
+defscrollback 10000
+defnonblock 5
+
+## set these terminals up to be 'optimal' instead of vt100
+#termcapinfo xterm*|linux*|rxvt*|Eterm* OP
+
+caption always " %?%F%{r}%?%H%{r}%?%F*%: %? %{rd}| %{r}$LOGNAME%{d} | %{b}%-Lw%{b}%50>%{kw}%n%f* %t %{-}%+Lw%<"
+
+# fix screens copy&paste (background-color-erase to on)
+defbce on
+
+# xterm, and urxvt on weasel's jessie systems
+bindkey "^[[1;5D" prev
+bindkey "^[[1;5C" next
+bindkey "^[[1;5A" focus up
+bindkey "^[[1;5B" focus down
+
+# urxvt default Ctrl+left/right/up/down on weasel's stretch systems
+bindkey "^[Od" prev
+bindkey "^[Oc" next
+bindkey "^[Oa" focus up
+bindkey "^[Ob" focus down
+
+# gnome terminal (in screen:
+#bindkey "^[n" screen
+#bindkey "^[O5D" prev
+#bindkey "^[O5C" next
+#bindkey "^[O5A" focus up
+#bindkey "^[O5B" focus down
+
+# urxvt shift+left/right
+#bindkey "^[[d" prev
+#bindkey "^[[c" next
+#bindkey "^[[a" focus up
+#bindkey "^[[b" focus down
diff --git a/modules/debian_org/files/root-dotfiles/selected_editor b/modules/debian_org/files/root-dotfiles/selected_editor
new file mode 100644 (file)
index 0000000..2cab271
--- /dev/null
@@ -0,0 +1 @@
+SELECTED_EDITOR="/usr/bin/vim"
diff --git a/modules/debian_org/files/root-dotfiles/tmux.conf b/modules/debian_org/files/root-dotfiles/tmux.conf
new file mode 100644 (file)
index 0000000..ecde616
--- /dev/null
@@ -0,0 +1,16 @@
+# mess with the status window
+set -g status-bg colour109
+set -g status-right "[#T]"
+setw -g window-status-current-bg white
+
+bind -n C-Right next-window
+bind -n C-Left previous-window
+
+bind -n C-Up select-pane -U
+bind -n C-Down select-pane -D
+bind | split-window -h
+bind - split-window -v
+
+#set -g default-terminal "screen-it"
+set -g xterm-keys on
+set -sg escape-time 0
diff --git a/modules/debian_org/files/root-dotfiles/vimrc b/modules/debian_org/files/root-dotfiles/vimrc
new file mode 100644 (file)
index 0000000..d99e4d6
--- /dev/null
@@ -0,0 +1,88 @@
+" ~/.vimrc - ViM configuration file
+
+" THIS FILE IS UNDER PUPPET CONTROL.
+" LOCAL CHANGES WILL BE OVERWRITTEN.
+
+runtime! debian.vim
+filetype plugin on
+set ai
+:set nocompatible
+:syn on
+:set title
+:set pastetoggle=<F10>
+:set listchars=tab:»·,trail:·
+:set list
+:nmap <F11> :set invlist<return>
+:imap <F11> <C-O>:set invlist<return>
+:set clipboard^=autoselectml guioptions+=A
+let g:Imap_UsePlaceHolders = 1
+let g:Imap_FreezeImap = 1
+:hi MatchParen ctermbg=black
+colorscheme peachpuff
+
+map <F3> :n<return>
+map <F2> :N<return>
+map <F5> :wn<return>
+map <F4> :wN<return>
+map fd ggV/^-- <CR><up>gq
+
+nnoremap <silent> <C-M> :make<return>
+
+nnoremap <silent> <S-left> :bprevious<return>
+nnoremap <silent> <S-right> :bnext<return>
+inoremap <silent> <S-left> <C-O>:bprevious<return>
+inoremap <silent> <S-right> <C-O>:bnext<return>
+
+nnoremap <silent> <C-left> :bprevious<return>
+nnoremap <silent> <C-right> :bnext<return>
+inoremap <silent> <C-left> <C-O>:bprevious<return>
+inoremap <silent> <C-right> <C-O>:bnext<return>
+
+nnoremap <silent> <Esc>[1;2D :bprevious<return>
+nnoremap <silent> <Esc>[1;2C :bnext<return>
+inoremap <silent> <Esc>[1;2D <C-O>:bprevious<return>
+inoremap <silent> <Esc>[1;2C <C-O>:bnext<return>
+
+nnoremap <silent> <Esc>[D :bprevious<return>
+nnoremap <silent> <Esc>[C :bnext<return>
+inoremap <silent> <Esc>[D <C-O>:bprevious<return>
+inoremap <silent> <Esc>[C <C-O>:bnext<return>
+
+nnoremap <silent> <Esc>[d :bprevious<return>
+nnoremap <silent> <Esc>[c :bnext<return>
+inoremap <silent> <Esc>[d <C-O>:bprevious<return>
+inoremap <silent> <Esc>[c <C-O>:bnext<return>
+
+" nnoremap <space><space> :bnew<return>
+nnoremap <silent> <space><left> :bprevious<return>
+nnoremap <silent> <space><right> :bnext<return>
+
+if &term =~ '^screen'
+    " tmux will send xterm-style keys when xterm-keys is on
+    execute "set <xUp>=\e[1;*A"
+    execute "set <xDown>=\e[1;*B"
+    execute "set <xRight>=\e[1;*C"
+    execute "set <xLeft>=\e[1;*D"
+endif
+
+
+
+" wild/tab behavior
+" =================
+set wildmode=longest,list:longest,list:full
+
+" spelling stuff
+" ==============
+set spellfile=~/.vim.spell.en.add
+:nmap <F8> :set invspell<return>
+:imap <F8> <C-O>:set invspell<return>
+
+" Searching and highlighting
+" ==========================
+hi Search cterm=NONE ctermfg=yellow ctermbg=19
+set hlsearch
+nnoremap <CR> :noh<CR><CR>
+
+set tabpagemax=50
+" Do not close buffers we don't see
+set hidden
diff --git a/modules/debian_org/files/timezone b/modules/debian_org/files/timezone
new file mode 100644 (file)
index 0000000..7f39493
--- /dev/null
@@ -0,0 +1 @@
+Etc/UTC
diff --git a/modules/debian_org/files/ud-replicated.service b/modules/debian_org/files/ud-replicated.service
new file mode 100644 (file)
index 0000000..dbf99a8
--- /dev/null
@@ -0,0 +1,10 @@
+[Unit]
+Description=Userdir-Ldap Replication Daemon
+Wants=syslog.service
+
+[Service]
+ExecStart=/usr/bin/ud-replicated -d
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/modules/debian_org/lib/facter/architecture.rb b/modules/debian_org/lib/facter/architecture.rb
new file mode 100644 (file)
index 0000000..e04cadc
--- /dev/null
@@ -0,0 +1,19 @@
+Facter.add(:architecture) do
+    confine :kernel => 'GNU/kFreeBSD'
+    setcode do
+        model = Facter.value(:hardwaremodel)
+        case model
+        when 'x86_64' then "amd64"
+        when /(i[3456]86|pentium)/ then "i386"
+        else
+            model
+        end
+    end
+end
+
+Facter.add(:debarchitecture) do
+    setcode do
+        %x{/usr/bin/dpkg --print-architecture}.chomp
+    end
+end
+
diff --git a/modules/debian_org/lib/facter/cluster.rb b/modules/debian_org/lib/facter/cluster.rb
new file mode 100644 (file)
index 0000000..46d0bec
--- /dev/null
@@ -0,0 +1,17 @@
+if FileTest.exist?('/usr/sbin/gnt-cluster') and FileTest.exist?('/var/lib/ganeti/ssconf_cluster_name')
+       begin
+               if system('/usr/sbin/gnt-cluster getmaster >/dev/null')
+                       Facter.add('cluster') do
+                               setcode do
+                                       open('/var/lib/ganeti/ssconf_cluster_name').read().chomp()
+                               end
+                       end
+                       Facter.add('cluster_nodes') do
+                               setcode do
+                                       open('/var/lib/ganeti/ssconf_node_list').read().split().join(" ")
+                               end
+                       end
+               end
+       rescue Exception => e
+       end
+end
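Review bot: `rescue Exception => e` with an empty body hides every failure, including `Interrupt` and `NoMemoryError`, and `e` is unused; the same pattern closes debsso.rb, mounts.rb and onion-services.rb, and roleaccounts.rb opens with the same `begin`. Here it effectively covers only the `system(...)` call, since the `setcode` blocks run later at resolution time, so `rescue StandardError => e` followed by `Facter.debug("cluster fact: #{e}")` would be enough. Where the block guards a `require` of an optional library (mounts.rb), `rescue LoadError` is the matching narrow form. The `cluster_nodes` block also reads `/var/lib/ganeti/ssconf_node_list` without the existence check that the cluster-name file gets. `File.read(path)` would close the handles that `open(...).read` leaves to the GC.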
diff --git a/modules/debian_org/lib/facter/debsso.rb b/modules/debian_org/lib/facter/debsso.rb
new file mode 100644 (file)
index 0000000..21c4f75
--- /dev/null
@@ -0,0 +1,19 @@
+begin
+    require 'etc'
+
+    Facter.add("debsso_skac_crl") do
+        setcode do
+            crl = nil
+            crlfile = '/srv/sso.debian.org/debsso/data/spkac_ca/ca.crl'
+            if FileTest.exist?(crlfile)
+                crl = File.open(crlfile).read
+            end
+            crl
+        end
+    end
+
+rescue Exception => e
+end
+# vim:set et:
+# vim:set ts=4:
+# vim:set shiftwidth=4:
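Review bot: `File.open(crlfile).read` never closes the handle; `File.read(crlfile)` does the same in one call and closes it (the `*_key` facts in roleaccounts.rb use the same `File.open(...).read` form). `require 'etc'` is not used by anything in this file. The fact is named `debsso_skac_crl` while the path says `spkac_ca`; if that is a typo it is worth a comment rather than a rename, since renaming the fact would break whatever consumes it.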
diff --git a/modules/debian_org/lib/facter/hosts.rb b/modules/debian_org/lib/facter/hosts.rb
new file mode 100644 (file)
index 0000000..4c6cad7
--- /dev/null
@@ -0,0 +1,22 @@
+Facter.add("brokenhosts") do
+       brokenhosts = true
+       if FileTest.exist?("/etc/hosts")
+               IO.foreach("/etc/hosts") do |x|
+                       x.split.each do |y|
+                               if y == Facter.value("fqdn")
+                                       brokenhosts = false
+                                       break
+                               end
+                       end
+               end
+       end
+       setcode do
+               if brokenhosts
+                       true
+               else
+                       false
+               end
+       end
+end
+
+
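Review bot: The scan of `/etc/hosts` runs while the fact is being defined rather than inside `setcode`, so the file is read on every load of this file, and `Facter.value("fqdn")` is evaluated once per token. The `break` only leaves the inner `x.split.each`, so the remaining lines are still read after a match. The `if brokenhosts / true / else / false` at the end just returns `brokenhosts`. Moving everything into `setcode` and using `any?` fixes all three without changing the result.

```ruby
Facter.add("brokenhosts") do
	setcode do
		fqdn = Facter.value("fqdn")
		listed = FileTest.exist?("/etc/hosts") &&
			IO.foreach("/etc/hosts").any? { |line| line.split.include?(fqdn) }
		!listed
	end
end
```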
diff --git a/modules/debian_org/lib/facter/ipaddresses.rb b/modules/debian_org/lib/facter/ipaddresses.rb
new file mode 100644 (file)
index 0000000..41f44e3
--- /dev/null
@@ -0,0 +1,66 @@
+Facter.add("v4ips") do
+       confine :kernel => :linux
+       addrs = []
+       if FileTest.exist?("/bin/ip")
+               %x{ip addr list}.each_line do |line|
+                       next unless line =~ /\s+inet/
+                       next if line =~ /scope (link|host)/
+                       if line =~ /\s+inet\s+(\S+)\/\d{1,2} .*/
+                               addrs << $1
+                       end
+               end
+       end
+       ret = addrs.join(",")
+       if ret.empty?
+               ret = ''
+       end
+       setcode do
+               ret
+       end
+end
+
+Facter.add("v4ips") do
+       confine :kernel => 'GNU/kFreeBSD'
+       setcode do
+               addrs = []
+               output = %x{/sbin/ifconfig}
+
+               output.split(/^\S/).each { |str|
+                       if str =~ /inet ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/
+                               tmp = $1
+                               unless tmp =~ /127\./
+                                       addrs << tmp
+                                       break
+                               end
+                       end
+               }
+
+               ret = addrs.join(",")
+               if ret.empty?
+                       ret = ''
+               end
+               ret
+       end
+end
+
+Facter.add("v6ips") do
+       confine :kernel => :linux
+       addrs = []
+       if FileTest.exist?("/bin/ip")
+               %x{ip addr list}.each_line do |line|
+                       next unless line =~ /\s+inet/
+                       next if line =~ /scope (link|host)/
+                       if line =~ /\s+inet6\s+(\S+)\/\d{1,3} .*/
+                               addrs << $1
+                       end
+               end
+       end
+       ret = addrs.join(",")
+       if ret.empty?
+               ret = ''
+       end
+       setcode do
+               ret
+       end
+end
+
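Review bot: In the kFreeBSD `v4ips` fact, `unless tmp =~ /127\./` is unanchored, so it also discards non-loopback addresses that merely contain `127.` (constructed example: `10.127.0.1`); `/\A127\./` is what is meant. The `break` right after `addrs << tmp` stops at the first address, which makes the `join(",")` pointless, so a comment should say whether a single address is intended. In both Linux facts the existence check is for `/bin/ip` but the command executed is `ip` from `PATH`; `%x{/bin/ip addr list}` keeps the check and the execution on the same binary. `if ret.empty?` followed by `ret = ''` is a no-op in all three facts.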
diff --git a/modules/debian_org/lib/facter/lsb-for-bsd.rb b/modules/debian_org/lib/facter/lsb-for-bsd.rb
new file mode 100644 (file)
index 0000000..c95d7f2
--- /dev/null
@@ -0,0 +1,24 @@
+{  "LSBRelease"         => %r{^LSB Version:\t(.*)$},
+   "LSBDistId"          => %r{^Distributor ID:\t(.*)$},
+   "LSBDistRelease"     => %r{^Release:\t(.*)$},
+   "LSBDistDescription" => %r{^Description:\t(.*)$},
+   "LSBDistCodeName"    => %r{^Codename:\t(.*)$}
+}.each do |fact, pattern|
+    Facter.add(fact) do
+        confine :kernel => 'GNU/kFreeBSD'
+        setcode do
+            unless defined?(lsbdata) and defined?(lsbtime) and (Time.now.to_i - lsbtime.to_i < 5)
+                type = nil
+                lsbtime = Time.now
+                lsbdata = Facter::Util::Resolution.exec('lsb_release -a 2>/dev/null')
+            end
+
+            if pattern.match(lsbdata)
+                $1
+            else
+                nil
+            end
+        end
+    end
+end
+
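Review bot: The five-second cache in `unless defined?(lsbdata) and defined?(lsbtime) and ...` can never hit. Both names are locals first assigned inside the same `setcode` block, so they are undefined at the test on every call and `lsb_release -a` runs once per fact. Either drop the test and say so in a comment, or hoist the `lsb_release` call into a memoised helper outside the `each`. `type = nil` is unused and can go.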
diff --git a/modules/debian_org/lib/facter/mounts.rb b/modules/debian_org/lib/facter/mounts.rb
new file mode 100644 (file)
index 0000000..4cdf969
--- /dev/null
@@ -0,0 +1,21 @@
+begin
+  require 'filesystem'
+
+       Facter.add("mounts") do
+               ignorefs = ["NFS", "nfs", "nfs4", "nfsd", "afs", "binfmt_misc", "proc", "smbfs", 
+                           "autofs", "iso9660", "ncpfs", "coda", "devpts", "ftpfs", "devfs", 
+                           "mfs", "shfs", "sysfs", "cifs", "lustre_lite", "tmpfs", "usbfs", "udf",
+                           "fusectl", "fuse.snapshotfs", "rpc_pipefs", "devtmpfs"]
+               mountpoints = []
+               FileSystem.mounts.each do |m|
+                       if ((not ignorefs.include?(m.fstype)) && (m.options !~ /bind/))
+                               mountpoints << m.mount
+                       end
+               end
+               setcode do
+                       mountpoints.uniq.sort.join(',')
+               end
+       end
+
+rescue Exception => e
+end
diff --git a/modules/debian_org/lib/facter/mta.rb b/modules/debian_org/lib/facter/mta.rb
new file mode 100644 (file)
index 0000000..5d2242a
--- /dev/null
@@ -0,0 +1,9 @@
+Facter.add("mta") do
+       setcode do
+               mta = "exim4"
+               if FileTest.exist?("/usr/sbin/postfix")
+                       mta = "postfix"
+               end
+               mta
+       end
+end
diff --git a/modules/debian_org/lib/facter/onion-services.rb b/modules/debian_org/lib/facter/onion-services.rb
new file mode 100644 (file)
index 0000000..c444ec2
--- /dev/null
@@ -0,0 +1,35 @@
+begin
+    require 'json'
+
+    Facter.add("onion_tor_service_hostname") do
+        services = {}
+
+        Dir['/var/lib/tor/onion/*/hostname'].each do |p|
+            dir = File.dirname(p)
+            service = File.basename(dir)
+            hostname = IO.read(p).chomp
+            services[service] = hostname
+        end
+        setcode do
+            services.to_json
+        end
+    end
+
+    Facter.add("onion_balance_service_hostname") do
+        services = {}
+
+        Dir['/etc/onionbalance/private_keys/*.key'].each do |p|
+            service = File.basename(p, '.key')
+            begin
+                services[service] = IO.popen(['/usr/local/bin/tor-onion-name', p]).read.chomp
+            rescue Errno::ENOENT
+            end
+        end
+        setcode do
+            services.to_json
+        end
+    end
+
+
+rescue Exception => e
+end
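Review bot: `IO.popen([...]).read.chomp` leaves the pipe open and the child unreaped until GC; the block form closes both: `services[service] = IO.popen(['/usr/local/bin/tor-onion-name', p], &:read).chomp`. The helper's exit status is not checked, so a failing run stores whatever it printed, possibly an empty string, as the hostname. Both facts do their file reads while the file is loaded rather than inside `setcode`. As far as the hunk shows, one unreadable `hostname` file would therefore raise into the outer `rescue Exception` and silently drop both facts.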
diff --git a/modules/debian_org/lib/facter/os-for-bsd.rb b/modules/debian_org/lib/facter/os-for-bsd.rb
new file mode 100644 (file)
index 0000000..77cad42
--- /dev/null
@@ -0,0 +1,8 @@
+Facter.add(:operatingsystem) do
+    confine :kernel => 'GNU/kFreeBSD'
+    setcode do
+        if FileTest.exists?("/etc/debian_version")
+            "Debian"
+       end
+    end
+end
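Review bot: `FileTest.exists?` is the deprecated spelling, which newer Ruby releases drop, while every other fact in this commit uses `FileTest.exist?`; use `if FileTest.exist?("/etc/debian_version")` here too. The `end` that closes the `if` is indented differently from its `if`. The block returns nil when the file is missing, which presumably leaves the decision to another resolution; a one-line comment would make that explicit.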
diff --git a/modules/debian_org/lib/facter/paths.rb b/modules/debian_org/lib/facter/paths.rb
new file mode 100644 (file)
index 0000000..ccc4588
--- /dev/null
@@ -0,0 +1,20 @@
+
+%w{/srv/build-trees
+   /srv/buildd
+   /etc/ssh/ssh_host_ed25519_key
+   /srv/mirrors/debian
+   /srv/mirrors/debian-debug
+   /srv/mirrors/debian-ports
+   /srv/mirrors/debian-security
+   /dev/hwrng
+}.each do |path|
+       Facter.add("has" + path.gsub(/[\/-]/,'_')) do
+               setcode do
+                       if FileTest.exist?(path)
+                               true
+                       else
+                               false
+                       end
+               end
+       end
+end
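Review bot: The `if FileTest.exist?(path)` / `true` / `else` / `false` body is just `FileTest.exist?(path)`; the same five-line form recurs in the `megaraid`, `mptraid` and `aacraid` facts in raidarray.rb. A comment listing the resulting fact names would also help, since `"has" + path.gsub(/[\/-]/,'_')` turns `/etc/ssh/ssh_host_ed25519_key` into `has_etc_ssh_ssh_host_ed25519_key`, which is hard to grep for from the manifests.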
diff --git a/modules/debian_org/lib/facter/raidarray.rb b/modules/debian_org/lib/facter/raidarray.rb
new file mode 100644 (file)
index 0000000..5fc70e5
--- /dev/null
@@ -0,0 +1,72 @@
+Facter.add("smartarraycontroller") do
+       confine :kernel => :linux
+       setcode do
+               if FileTest.exist?("/dev/cciss/")
+                       true
+               elsif FileTest.exist?("/sys/module/hpsa/")
+                       true
+               else
+                       false
+               end
+       end
+end
+
+Facter.add("ThreeWarecontroller") do
+       confine :kernel => :linux
+       setcode do
+               is3w = false
+               if FileTest.exist?("/proc/scsi/scsi")
+                       IO.foreach("/proc/scsi/scsi") { |x|
+                               is3w = true if x =~ /Vendor: 3ware/
+                       }
+               end
+               is3w
+       end
+end
+
+Facter.add("megaraid") do
+       confine :kernel => :linux
+       setcode do
+               if FileTest.exist?("/dev/megadev0")
+                       true
+               else
+                       false
+               end
+       end
+end
+
+Facter.add("mptraid") do
+       confine :kernel => :linux
+       setcode do
+               if FileTest.exist?("/dev/mptctl") or FileTest.exist?("/dev/mpt0") or FileTest.exist?("/proc/mpt/summary")
+                       true
+               else
+                       false
+               end
+       end
+end
+
+Facter.add("aacraid") do
+       confine :kernel => :linux
+       setcode do
+               if FileTest.exist?("/dev/aac0")
+                       true
+               else
+                       false
+               end
+       end
+end
+
+Facter.add("swraid") do
+       confine :kernel => :linux
+       setcode do
+                swraid = false
+               if FileTest.exist?("/proc/mdstat") && FileTest.exist?("/sbin/mdadm")
+                        IO.foreach("/proc/mdstat") { |x|
+                                swraid = true if x =~ /md[0-9]+ : active/
+                        }
+                end
+                swraid
+       end
+end
+
diff --git a/modules/debian_org/lib/facter/roleaccounts.rb b/modules/debian_org/lib/facter/roleaccounts.rb
new file mode 100644 (file)
index 0000000..d95dc04
--- /dev/null
@@ -0,0 +1,119 @@
+begin
+    require 'etc'
+
+    Facter.add("postgresql_key") do
+        setcode do
+            key = nil
+            keyfile = '/var/lib/postgresql/.ssh/id_rsa.pub'
+            if FileTest.exist?(keyfile)
+                key = File.open(keyfile).read.chomp
+            end
+            key
+        end
+    end
+
+    Facter.add("staticsync_key") do
+        setcode do
+            key = nil
+            keyfile = '/home/staticsync/.ssh/id_rsa.pub'
+            if FileTest.exist?(keyfile)
+                key = File.open(keyfile).read.chomp
+            end
+            key
+        end
+    end
+
+    Facter.add("staticsync_user_exists") do
+        setcode do
+            result = false
+            begin
+                if Etc.getpwnam('staticsync')
+                    result = true
+                end
+            rescue ArgumentError
+            end
+            result
+        end
+    end
+
+
+    Facter.add("weblogsync_key") do
+        setcode do
+            key = nil
+            keyfile = '/home/weblogsync/.ssh/id_rsa.pub'
+            if FileTest.exist?(keyfile)
+                key = File.open(keyfile).read.chomp
+            end
+            key
+        end
+    end
+
+    Facter.add("weblogsync_user_exists") do
+        setcode do
+            result = false
+            begin
+                if Etc.getpwnam('weblogsync')
+                    result = true
+                end
+            rescue ArgumentError
+            end
+            result
+        end
+    end
+
+
+    Facter.add("buildd_key") do
+        setcode do
+            key = nil
+            keyfile = '/home/buildd/.ssh/id_rsa.pub'
+            if FileTest.exist?(keyfile)
+                key = File.open(keyfile).read.chomp
+            end
+            key
+        end
+    end
+
+    Facter.add("buildd_user_exists") do
+        setcode do
+            result = false
+            begin
+                if Etc.getpwnam('buildd')
+                    result = true
+                end
+            rescue ArgumentError
+            end
+            result
+        end
+    end
+
+    Facter.add("portforwarder_key") do
+        setcode do
+            key = nil
+            keyfile = '/home/portforwarder/.ssh/id_rsa.pub'
+            if FileTest.exist?(keyfile)
+                key = File.open(keyfile).read.chomp
+            end
+            key
+        end
+    end
+
+    Facter.add("portforwarder_user_exists") do
+        setcode do
+            result = false
+            begin
+                if Etc.getpwnam('portforwarder')
+                    result = true
+                end
+            rescue ArgumentError
+            end
+            result
+        end
+    end
+
+
+
+rescue Exception => e
+end
+# vim:set et:
+# vim:set ts=4:
+# vim:set shiftwidth=4:
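Review bot: Each `*_key` fact returns the whole content of `id_rsa.pub` unchecked, and `File.open(keyfile).read` never closes the handle explicitly. If these values are written into another host's authorized_keys (the consumer is not in this hunk), a file with more than one line would be passed on as is, so reading through one helper that refuses multi-line content keeps each fact to a single key. The outer `rescue Exception => e` with an empty body also hides a failed `require 'etc'`, in which case all nine facts vanish without a trace; a `Facter.debug` call there would make that visible.

```ruby
    # Return the one-line public key stored at keyfile, or nil when the
    # file is missing or holds more than one line.
    read_pubkey = lambda do |keyfile|
        next nil unless File.file?(keyfile)
        key = File.read(keyfile).chomp
        key.include?("\n") ? nil : key
    end

    Facter.add("postgresql_key") do
        setcode { read_pubkey.call('/var/lib/postgresql/.ssh/id_rsa.pub') }
    end
    # … same pattern for staticsync_key, weblogsync_key, buildd_key, portforwarder_key …
    # … unchanged: the *_user_exists facts …
```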
diff --git a/modules/debian_org/lib/facter/servertype.rb b/modules/debian_org/lib/facter/servertype.rb
new file mode 100644 (file)
index 0000000..21dba00
--- /dev/null
@@ -0,0 +1,9 @@
+Facter.add("kvmdomain") do
+       setcode do
+               result = false
+               if File.new('/proc/cpuinfo').read().index('QEMU Virtual CPU')
+                       result = true
+               end
+               result
+       end
+end
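Review bot: The `kvmdomain` fact opens `/proc/cpuinfo` with no `confine :kernel => :linux` and no existence check, so on a host without that file `File.new` raises inside `setcode`, and the handle is never closed. Adding the confine line and using `File.read('/proc/cpuinfo').include?('QEMU Virtual CPU')` gives the same result without the leak. Matching the CPU model string presumably misses guests that are given a host CPU model, so a comment stating that limitation would help anyone who relies on this fact.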
diff --git a/modules/debian_org/lib/facter/software.rb b/modules/debian_org/lib/facter/software.rb
new file mode 100644 (file)
index 0000000..5c07912
--- /dev/null
@@ -0,0 +1,162 @@
+Facter.add("apache2") do
+       setcode do
+               if FileTest.exist?("/usr/sbin/apache2")
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("apache2deb9") do
+       setcode do
+               # jessie (deb8) has 2.4.10-.., stretch (deb9) will have 2.4.23 or later.
+               if FileTest.exist?("/usr/sbin/apache2") and system("dpkg --compare-versions $(dpkg-query -W -f='${Version}\n' apache2-bin) gt 2.4.15")
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("clamd") do
+       setcode do
+               if FileTest.exist?("/usr/sbin/clamd")
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("exim4") do
+       setcode do
+               if FileTest.exist?("/usr/sbin/exim4")
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("postfix") do
+       setcode do
+               if FileTest.exist?("/usr/sbin/postfix")
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("postgres") do
+       setcode do
+               pg = (FileTest.exist?("/usr/lib/postgresql/8.1/bin/postgres") or
+               FileTest.exist?("/usr/lib/postgresql/8.3/bin/postgres") or
+               FileTest.exist?("/usr/lib/postgresql/8.4/bin/postgres") or
+               FileTest.exist?("/usr/lib/postgresql/9.0/bin/postgres") or
+               FileTest.exist?("/usr/lib/postgresql/9.1/bin/postgres") or
+               FileTest.exist?("/usr/lib/postgresql/9.2/bin/postgres"))
+               if pg
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("postgrey") do
+       setcode do
+               if FileTest.exist?("/usr/sbin/postgrey")
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("greylistd") do
+       setcode do
+               FileTest.exist?("/usr/sbin/greylistd")
+       end
+end
+Facter.add("policydweight") do
+       setcode do
+               if FileTest.exist?("/usr/sbin/policyd-weight")
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("spamd") do
+       setcode do
+               if FileTest.exist?("/usr/sbin/spamd")
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("php5") do
+       php =   (FileTest.exist?("/usr/lib/apache2/modules/libphp5.so") or
+               FileTest.exist?("/usr/bin/php5") or
+               FileTest.exist?("/usr/bin/php5-cgi") or
+               FileTest.exist?("/usr/lib/cgi-bin/php5"))
+       setcode do
+               if php
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("php5suhosin") do
+       suhosin=(FileTest.exist?("/usr/lib/php5/20060613/suhosin.so") or
+               FileTest.exist?("/usr/lib/php5/20060613+lfs/suhosin.so"))
+       setcode do
+               if suhosin
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("syslogversion") do
+       setcode do
+               %x{dpkg-query -W -f='${Version}\n' syslog-ng | cut -b1-3}.chomp
+       end
+end
+Facter.add("unbound") do
+       unbound=(FileTest.exist?("/usr/sbin/unbound") and
+               FileTest.exist?("/var/lib/unbound/root.key"))
+       setcode do
+               if unbound
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("munin_async") do
+       setcode do
+               FileTest.exist?("/usr/share/munin/munin-async")
+       end
+end
+Facter.add("samhain") do
+       setcode do
+               if FileTest.exist?("/usr/sbin/samhain")
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("systemd") do
+       setcode do
+               init = '/sbin/init'
+               if File.symlink?(init) and File.readlink(init) == "/lib/systemd/systemd"
+                       true
+               else
+                       false
+               end
+       end
+end
+Facter.add("tor_ge_0_2_9") do
+       setcode do
+               system(%{dpkg -l tor >/dev/null 2>&1 && dpkg --compare-versions $(dpkg-query -W -f='${Version}' tor) ge 0.2.9})
+       end
+end
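Review bot: The `postgres` fact only checks a fixed list of versions ending at 9.2, while the `apache2deb9` comment in the same file already talks about jessie and stretch, which ship newer PostgreSQL releases; on those hosts the fact would be false even with a server installed. `Dir.glob("/usr/lib/postgresql/*/bin/postgres").any?` covers every installed version. In `syslogversion`, `cut -b1-3` truncates by bytes, so a version such as 3.10 would be reported as `3.1`; splitting on the dots and keeping the first two fields avoids that. `php5`, `php5suhosin` and `unbound` evaluate their file tests outside `setcode`, i.e. when the file is loaded rather than when the fact is resolved, which differs from the other facts here.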
diff --git a/modules/debian_org/lib/facter/system-hw.rb b/modules/debian_org/lib/facter/system-hw.rb
new file mode 100644 (file)
index 0000000..262e8c5
--- /dev/null
@@ -0,0 +1,21 @@
+Facter.add("systemproductname") do
+       confine :kernel => :linux
+       setcode do
+               if FileTest.exist?("/usr/sbin/dmidecode")
+                       %x{/usr/sbin/dmidecode -s system-product-name}.chomp.strip
+               else
+                       false
+               end
+       end
+end
+
+Facter.add("hw_can_temp_sensors") do
+       confine :kernel => :linux
+       setcode do
+               if FileTest.exist?("/sys/devices/virtual/thermal/thermal_zone0/temp")
+                       true
+               else
+                       false
+               end
+       end
+end
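Review bot: `systemproductname` yields a string when `/usr/sbin/dmidecode` exists and the boolean `false` when it does not, so consumers have to handle two types, and with stringified facts `"false"` would be a non-empty string. Returning `nil` in the else branch leaves the fact unset instead. `.chomp.strip` can be reduced to `.strip`.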
diff --git a/modules/debian_org/manifests/apt.pp b/modules/debian_org/manifests/apt.pp
new file mode 100644 (file)
index 0000000..9fc02a0
--- /dev/null
@@ -0,0 +1,121 @@
+# == Class: debian_org
+#
+# Stuff common to all debian.org servers
+#
+class debian_org::apt {
+       if $::lsbmajdistrelease <= '7' {
+               $mungedcodename = $::lsbdistcodename
+       } elsif ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
+               $mungedcodename = "${::lsbdistcodename}-kfreebsd"
+       } else {
+               $mungedcodename = $::lsbdistcodename
+       }
+
+       if $::lsbmajdistrelease <= '8' {
+               $fallbackmirror = 'http://cdn-fastly.deb.debian.org/debian/'
+       } else {
+               $fallbackmirror = 'http://deb.debian.org/debian/'
+       }
+
+       if getfromhash($site::nodeinfo, 'hoster', 'mirror-debian') {
+               $mirror = [ getfromhash($site::nodeinfo, 'hoster', 'mirror-debian'), $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
+       } else {
+               $mirror = [ $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
+       }
+
+       site::aptrepo { 'debian':
+               url        => $mirror,
+               suite      => [ $mungedcodename, "${::lsbdistcodename}-backports", "${::lsbdistcodename}-updates" ],
+               components => ['main','contrib','non-free']
+       }
+       site::aptrepo { 'security':
+               url        => [ 'http://security-cdn.debian.org/', 'http://security.anycast-test.mirrors.debian.org/debian-security/', 'http://security.debian.org/' ],
+               suite      => "${mungedcodename}/updates",
+               components => ['main','contrib','non-free']
+       }
+
+       if has_role('experimental_apache') {
+               $dbdosuites = [ 'debian-all', $::lsbdistcodename, 'jessie-apache2' ]
+       } else {
+               $dbdosuites = [ 'debian-all', $::lsbdistcodename ]
+       }
+       site::aptrepo { 'db.debian.org':
+               url        => 'http://db.debian.org/debian-admin',
+               suite      => $dbdosuites,
+               components => 'main',
+               key        => 'puppet:///modules/debian_org/db.debian.org.gpg',
+       }
+
+       if ($::hostname in [] or $::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
+               site::aptrepo { 'proposed-updates':
+                       url        => $mirror,
+                       suite      => "${mungedcodename}-proposed-updates",
+                       components => ['main','contrib','non-free']
+               }
+       } else {
+               site::aptrepo { 'proposed-updates':
+                       ensure => absent,
+               }
+       }
+
+       site::aptrepo { 'debian-cdn':
+               ensure => absent,
+       }
+       site::aptrepo { 'debian.org':
+               ensure => absent,
+       }
+       site::aptrepo { 'debian2':
+               ensure => absent,
+       }
+       site::aptrepo { 'backports2.debian.org':
+               ensure => absent,
+       }
+       site::aptrepo { 'backports.debian.org':
+               ensure => absent,
+       }
+       site::aptrepo { 'volatile':
+               ensure => absent,
+       }
+       site::aptrepo { 'db.debian.org-suite':
+               ensure => absent,
+       }
+       site::aptrepo { 'debian-lts':
+               ensure => absent,
+       }
+
+
+
+
+       file { '/etc/apt/trusted-keys.d':
+               ensure => absent,
+               force  => true,
+       }
+
+       file { '/etc/apt/trusted.gpg':
+               mode    => '0600',
+               content => "",
+       }
+
+       file { '/etc/apt/preferences':
+               source => 'puppet:///modules/debian_org/apt.preferences',
+       }
+       file { '/etc/apt/apt.conf.d/local-compression':
+               source => 'puppet:///modules/debian_org/apt.conf.d/local-compression',
+       }
+       file { '/etc/apt/apt.conf.d/local-recommends':
+               source => 'puppet:///modules/debian_org/apt.conf.d/local-recommends',
+       }
+       file { '/etc/apt/apt.conf.d/local-pdiffs':
+               source => 'puppet:///modules/debian_org/apt.conf.d/local-pdiffs',
+       }
+       file { '/etc/apt/apt.conf.d/local-langs':
+               source => 'puppet:///modules/debian_org/apt.conf.d/local-langs',
+       }
+
+       exec { 'apt-get update':
+               path    => '/usr/bin:/usr/sbin:/bin:/sbin',
+               onlyif  => '/usr/local/bin/check_for_updates',
+               require => File['/usr/local/bin/check_for_updates']
+       }
+       Exec['apt-get update']->Package<| tag == extra_repo |>
+}
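Review bot: The release checks `$::lsbmajdistrelease <= '7'` and `<= '8'` compare against string literals, so under Puppet 4 they are presumably ordered as strings and a two-digit release such as '10' would sort before '7' and pick the old code name and fallback mirror. `versioncmp($::lsbmajdistrelease, '7') <= 0` compares them as versions; the same applies to `$::lsbmajdistrelease >= '8'` in modules/debian_org/manifests/init.pp. The header comment still reads `# == Class: debian_org` with the text for the base class and should name `debian_org::apt` and say that it manages the apt sources, keyring and preferences. `$::hostname in []` is always false and could carry a comment saying it is a placeholder for a host list.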
diff --git a/modules/debian_org/manifests/init.pp b/modules/debian_org/manifests/init.pp
new file mode 100644 (file)
index 0000000..6cb629e
--- /dev/null
@@ -0,0 +1,304 @@
+# == Class: debian_org
+#
+# Stuff common to all debian.org servers
+#
+class debian_org {
+       include debian_org::apt
+
+       if $systemd {
+               include systemd
+               $servicefiles = 'present'
+       } else {
+               $servicefiles = 'absent'
+       }
+
+       $debianadmin = [
+               'debian-archive-debian-samhain-reports@master.debian.org',
+               'debian-admin@ftbfs.de',
+               'weasel@debian.org',
+               'steve@lobefin.net',
+               'zumbi@oron.es'
+       ]
+
+       package { [
+                       'klogd',
+                       'sysklogd',
+                       'rsyslog',
+                       'os-prober',
+                       'apt-listchanges',
+               ]:
+               ensure => purged,
+       }
+       package { [
+                       'debian.org',
+                       'dsa-munin-plugins',
+               ]:
+               ensure => installed,
+               tag    => extra_repo,
+       }
+       file { '/etc/ssh/ssh_known_hosts':
+               ensure  => present,
+               replace => false,
+               mode    => '0644',
+               source  => 'puppet:///modules/debian_org/basic-ssh_known_hosts'
+       }
+
+       if ($::lsbmajdistrelease >= '8') {
+               $rubyfs_package = 'ruby-filesystem'
+       } else {
+               $rubyfs_package = 'libfilesystem-ruby1.9'
+       }
+       package { [
+                       'apt-utils',
+                       'bash-completion',
+                       'dnsutils',
+                       'less',
+                       'lsb-release',
+                       $rubyfs_package,
+                       'mtr-tiny',
+                       'nload',
+                       'pciutils',
+                       'lldpd',
+               ]:
+               ensure => installed,
+       }
+
+       munin::check { [
+                       'cpu',
+                       'entropy',
+                       'forks',
+                       'interrupts',
+                       'iostat',
+                       'irqstats',
+                       'load',
+                       'memory',
+                       'open_files',
+                       'open_inodes',
+                       'processes',
+                       'swap',
+                       'uptime',
+                       'vmstat',
+               ]:
+       }
+
+       if getfromhash($site::nodeinfo, 'broken-rtc') {
+               package { 'fake-hwclock':
+                       ensure => installed,
+                       tag    => extra_repo,
+               }
+       }
+
+       package { 'molly-guard':
+               ensure => installed,
+       }
+       file { '/etc/molly-guard/run.d/10-check-kvm':
+               mode    => '0755',
+               source  => 'puppet:///modules/debian_org/molly-guard/10-check-kvm',
+               require => Package['molly-guard'],
+       }
+       file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
+               mode    => '0755',
+               source  => 'puppet:///modules/debian_org/molly-guard/15-acquire-reboot-lock',
+               require => Package['molly-guard'],
+       }
+
+       augeas { 'inittab_replicate':
+               context => '/files/etc/inittab',
+               changes => [
+                       'set ud/runlevels 2345',
+                       'set ud/action respawn',
+                       'set ud/process "/usr/bin/ud-replicated -d"',
+               ],
+               notify  => Exec['init q'],
+       }
+
+
+       file { '/etc/facter':
+               ensure  => directory,
+               purge   => true,
+               force   => true,
+               recurse => true,
+               source  => 'puppet:///files/empty/',
+       }
+       file { '/etc/facter/facts.d':
+               ensure => directory,
+       }
+       file { '/etc/facter/facts.d/debian_facts.yaml':
+               content => template('debian_org/debian_facts.yaml.erb')
+       }
+       file { '/etc/timezone':
+               source => 'puppet:///modules/debian_org/timezone',
+               notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
+       }
+       if $::hostname == handel {
+               include puppetmaster::db
+               $dbpassword = $puppetmaster::db::password
+       }
+       file { '/etc/puppet/puppet.conf':
+               content => template('debian_org/puppet.conf.erb'),
+               mode => 0440,
+               group => 'puppet',
+       }
+       file { '/etc/default/puppet':
+               source => 'puppet:///modules/debian_org/puppet.default',
+       }
+       file { '/etc/systemd':
+               ensure  => directory,
+               mode => 0755,
+       }
+       file { '/etc/systemd/system':
+               ensure  => directory,
+               mode => 0755,
+       }
+       file { '/etc/systemd/system/ud-replicated.service':
+               ensure => $servicefiles,
+               source => 'puppet:///modules/debian_org/ud-replicated.service',
+               notify => Exec['systemctl daemon-reload'],
+       }
+       if $systemd {
+               file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service':
+                       ensure => 'link',
+                       target => '../ud-replicated.service',
+                       notify => Exec['systemctl daemon-reload'],
+               }
+       }
+       file { '/etc/systemd/system/puppet.service':
+               ensure => 'link',
+               target => '/dev/null',
+               notify => Exec['systemctl daemon-reload'],
+       }
+       file { '/etc/systemd/system/proc-sys-fs-binfmt_misc.automount':
+               ensure => 'link',
+               target => '/dev/null',
+               notify => Exec['systemctl daemon-reload'],
+       }
+
+       file { '/etc/cron.d/dsa-puppet-stuff':
+               content => template('debian_org/dsa-puppet-stuff.cron.erb'),
+               require => Package['debian.org'],
+       }
+       file { '/etc/ldap/ldap.conf':
+               require => Package['debian.org'],
+               content  => template('debian_org/ldap.conf.erb'),
+       }
+       file { '/etc/pam.d/common-session':
+               require => Package['debian.org'],
+               content => template('debian_org/pam.common-session.erb'),
+       }
+       file { '/etc/pam.d/common-session-noninteractive':
+               require => Package['debian.org'],
+               content => template('debian_org/pam.common-session-noninteractive.erb'),
+       }
+       file { '/etc/rc.local':
+               mode   => '0755',
+               content => template('debian_org/rc.local.erb'),
+               notify => Exec['service rc.local restart'],
+       }
+       file { '/etc/dsa':
+               ensure => directory,
+               mode   => '0755',
+       }
+       file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
+               source  => 'puppet:///modules/debian_org/dsa-puppet-stuff.cron.ignore',
+               require => Package['debian.org']
+       }
+       file { '/etc/nsswitch.conf':
+               mode   => '0755',
+               source => 'puppet:///modules/debian_org/nsswitch.conf',
+       }
+
+       file { '/etc/profile.d/timeout.sh':
+               mode   => '0555',
+               source => 'puppet:///modules/debian_org/etc.profile.d/timeout.sh',
+       }
+       file { '/etc/zsh':
+               ensure => directory,
+       }
+       file { '/etc/zsh/zprofile':
+               mode   => '0444',
+               source => 'puppet:///modules/debian_org/etc.zsh/zprofile',
+       }
+
+       # set mmap_min_addr to 4096 to mitigate
+       # Linux NULL-pointer dereference exploits
+       site::sysctl { 'mmap_min_addr':
+               ensure => absent
+       }
+       site::sysctl { 'perf_event_paranoid':
+               key   => 'kernel.perf_event_paranoid',
+               value => '2',
+       }
+       site::sysctl { 'puppet-vfs_cache_pressure':
+               key   => 'vm.vfs_cache_pressure',
+               value => '10',
+       }
+       site::alternative { 'editor':
+               linkto => '/usr/bin/vim.basic',
+       }
+       site::alternative { 'view':
+               linkto => '/usr/bin/vim.basic',
+       }
+       mailalias { 'samhain-reports':
+               ensure    => present,
+               recipient => $debianadmin,
+               require   => Package['debian.org']
+       }
+
+       file { '/usr/local/bin/check_for_updates':
+               source => 'puppet:///modules/debian_org/check_for_updates',
+               mode   => '0755',
+               owner  => root,
+               group  => root,
+       }
+
+       exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
+               path        => '/usr/bin:/usr/sbin:/bin:/sbin',
+               refreshonly => true
+       }
+       exec { 'service puppetmaster restart':
+               refreshonly => true
+       }
+       exec { 'service rc.local restart':
+               refreshonly => true
+       }
+       exec { 'init q':
+               refreshonly => true
+       }
+
+       exec { 'systemctl daemon-reload':
+               refreshonly => true,
+               onlyif  => "test -x /bin/systemctl"
+       }
+
+       exec { 'systemd-tmpfiles --create --exclude-prefix=/dev':
+               refreshonly => true,
+               onlyif  => "test -x /bin/systemd-tmpfiles"
+       }
+
+       tidy { '/var/lib/puppet/clientbucket/':
+               age      => '2w',
+               recurse  => 9,
+               type     => ctime,
+               matches  => [ 'paths', 'contents' ],
+               schedule => weekly
+       }
+
+       file { '/root/.bashrc':
+               source => 'puppet:///modules/debian_org/root-dotfiles/bashrc',
+       }
+       file { '/root/.profile':
+               source => 'puppet:///modules/debian_org/root-dotfiles/profile',
+       }
+       file { '/root/.selected_editor':
+               source => 'puppet:///modules/debian_org/root-dotfiles/selected_editor',
+       }
+       file { '/root/.screenrc':
+               source => 'puppet:///modules/debian_org/root-dotfiles/screenrc',
+       }
+       file { '/root/.tmux.conf':
+               source => 'puppet:///modules/debian_org/root-dotfiles/tmux.conf',
+       }
+       file { '/root/.vimrc':
+               source => 'puppet:///modules/debian_org/root-dotfiles/vimrc',
+       }
+}
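Review bot: The `mode` values on `/etc/puppet/puppet.conf`, `/etc/systemd` and `/etc/systemd/system` are unquoted (`mode => 0440`, `mode => 0755`), while Puppet 4 expects file modes as strings and every other resource in this class quotes them; for puppet.conf, which appears to receive `$dbpassword` through its template, the intended permissions should not depend on how a bare number is parsed, so `mode => '0440',`. `/etc/nsswitch.conf` is given `'0755'`, which sets the execute bit on a plain configuration file; `'0644'` is the usual value. The comment "set mmap_min_addr to 4096 to mitigate Linux NULL-pointer dereference exploits" sits above `ensure => absent`, so it describes the opposite of what the resource does; if dropping the override is intended, say so, e.g. `# remove our mmap_min_addr override, the kernel default applies`.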
diff --git a/modules/debian_org/manifests/radvd.pp b/modules/debian_org/manifests/radvd.pp
new file mode 100644 (file)
index 0000000..b9eeb80
--- /dev/null
@@ -0,0 +1,10 @@
+class debian-org::radvd {
+       site::sysctl { 'dsa-accept-ra-default':
+               key   => 'net.ipv6.conf.default.accept_ra',
+               value => 0,
+       }
+       site::sysctl { 'dsa-accept-ra-all':
+               key   => 'net.ipv6.conf.all.accept_ra',
+               value => 0,
+       }
+}
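Review bot: The class is still declared as `debian-org::radvd` although the file now lives in modules/debian_org, so the autoloader would not find it under the new module name, and Puppet 4 does not accept hyphens in class names. It should read `class debian_org::radvd {`. A one-line header comment stating that the class turns off acceptance of IPv6 router advertisements through the `default` and `all` sysctls would match the other manifests in this module.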
diff --git a/modules/debian_org/misc/hoster.yaml b/modules/debian_org/misc/hoster.yaml
new file mode 100644 (file)
index 0000000..7917dda
--- /dev/null
@@ -0,0 +1,163 @@
+---
+1und1-sec:
+  netrange:
+    - 195.20.242.64/26
+    - 212.227.126.32/27
+    - 2001:8d8:2:1::/64
+accumu:
+  netrange:
+    - 130.236.0.0/14
+    - 2001:06B0:000E::/48
+aql:
+  netrange:
+    - 141.170.6.144/28
+  mirror-debian: http://ftp.uk.debian.org/debian/
+arm:
+  netrange:
+    - 217.140.96.0/22
+  entropy_provider_hoster: sil
+  mirror-debian: http://mirror.bytemark.co.uk/debian/
+brown:
+  netrange:
+    - 138.16.160.0/24
+  # all hosts have their own recursor
+  #mirror-debian: file:///srv/ftp-master.debian.org/mirror/ftp-master/
+  mirror-debian: http://ftp.us.debian.org/debian
+br:
+  # rename to c3sl
+  # University Federal do Parana (.br)
+  netrange:
+    - 200.17.192.0/19
+bytemark:
+  netrange:
+    - 5.153.231.0/24
+    - 89.16.160.112/29
+    - 2001:41c8:1000::/48
+    - 2001:41c8:61::/125
+  mirror-debian: http://mirror.bm.debian.org/debian
+carnet:
+  netrange:
+    - 193.198.0.0/16
+anu:
+  netrange:
+    - 150.203.164.0/24
+    - 2001:388:1034:2900::/64
+  #mirror-debian: http://mirror.linux.org.au/debian
+  #mirror-debian: http://ftp.au.debian.org/debian
+conova:
+  netrange:
+    - 217.196.149.224/28
+  mirror-debian: http://mirror.netcologne.de/debian/
+csail:
+  netrange:
+    - 128.31.0.0/24
+  mirror-debian: http://debian.csail.mit.edu/debian/
+dgi:
+  netrange:
+    - 93.94.130.128/26
+freenet:
+  netrange:
+    - 62.104.0.0/16
+gatech:
+  netrange:
+    - 128.61.240.0/23
+  mirror-debian: http://debian.gtisc.gatech.edu/debian/
+grnet:
+  netrange:
+    - 194.177.211.192/27
+    - 2001:648:2ffc:deb::/64
+  mirror-debian: http://ftp.gr.debian.org/debian/
+helsinki:
+  netrange:
+    - 193.167.160.0/23
+  # all hosts have their own recursor
+isc:
+  netrange:
+    - 149.20.0.0/16
+    - 2001:4F8::/32
+uni-karlsruhe:
+  # rename to karlsruhe
+  netrange:
+    - 129.143.160.0/29
+    - 2001:7c0:400:1337::/64
+  mirror-debian: http://ftp-stud.hs-esslingen.de/debian/
+linaro:
+  netrange:
+    - 64.28.108.83/32
+    - 64.28.108.84/32
+    - 64.28.108.85/32
+  mirror-debian: http://ftp.us.debian.org/debian/
+'man-da':
+  netrange:
+    - 82.195.75.64/26
+    - 2001:41b8:202:deb::/64
+  #mirror-debian: http://debian.netcologne.de/debian/ [currently unstable]
+  mirror-debian: http://ftp.de.debian.org/debian/
+leaseweb:
+  netrange:
+    - 185.17.185.176/28
+  #mirror-debian: http://mirror.nl.leaseweb.net/debian/
+marist:
+  netrange:
+    - 148.100.0.0/16
+  mirror-debian: http://ftp.us.debian.org/debian/
+osuosl:
+  netrange:
+    - 140.211.0.0/16
+  mirror-debian: http://debian.osuosl.org/debian
+sakura:
+  netrange:
+    - 133.242.99.74/32
+sanger:
+  netrange:
+    - 193.62.202.24/29
+  #resolvoptions: [single-request]
+  mirror-debian: http://mirror.bytemark.co.uk/debian/
+scanplus:
+  netrange:
+    - 212.211.132.0/26
+    - 212.211.132.248/29
+    - 2001:a78::/64
+sil:
+  netrange:
+    - 86.59.118.144/28
+    - 2001:858:2:2::/64
+  mirror-debian: http://ftp.at.debian.org/debian/
+ubc:
+  netrange:
+    - 209.87.16.0/24
+    - 2607:F8F0:614:1::/64
+    # old range:
+    - 206.12.19.0/24
+    - 2607:f8f0:610:4000::/64
+  mirror-debian: http://mirror-ubc.debian.org/debian/
+ugent:
+  netrange:
+    - 157.193.0.0/16
+umn:
+  netrange:
+    - 128.101.240.212
+unicamp:
+  netrange:
+    - 177.220.0.0/17
+  mirror-debian: http://ftp.br.debian.org/debian/
+utwente:
+  netrange:
+    - 130.89.0.0/16
+    - 2001:0610:1908::/48
+  # broken with dnssec
+xs4all:
+  # should be deleted
+  netrange:
+    - 194.109.137.216/29
+    - 2001:888:2000:12::/64
+ynic:
+  netrange:
+    - 144.32.168.64/28
+  mirror-debian: http://ftp.uk.debian.org/debian
+zivit:
+  netrange:
+    - 80.245.144.0/22
+  mirror-debian: http://debian.netcologne.de/debian/
+
+# vim:set et sts=2 ts=2 sw=2:
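Review bot: The `umn` entry lists `128.101.240.212` without a prefix length, whereas every other `netrange` item, including the single-host ones under `linaro` and `sakura`, is written in CIDR form. How the consumer treats a bare address is not visible here, so writing `- 128.101.240.212/32` removes the ambiguity. The entries marked "should be deleted" and "rename to …" would be easier to follow up with a short note saying who acts on them.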
diff --git a/modules/debian_org/misc/local.yaml b/modules/debian_org/misc/local.yaml
new file mode 100644 (file)
index 0000000..8aec035
--- /dev/null
@@ -0,0 +1,240 @@
+---
+nameinfo:
+  aagaard.debian.org: Thorvald Aagaard (June 8th, 1877 - March 22nd, 1937)
+  abel.debian.org: Carl Friedrich Abel (1723 - 1787)
+  acker.debian.org: Dieter Acker (November 3rd, 1940 - May 27th, 2006)
+  adayevskaya.debian.org: Ella Georgiyevna Adayevskaya (February, 22nd 1846 [O.S. February 10th] - July 26th, 1926)
+  antheil.debian.org: George Antheil (1900 - 1959)
+  arnold.debian.org: Malcolm Henry Arnold (1921 - 2006)
+  asachi.debian.org: Elena Asachi (1789 - 1877)
+  barriere.debian.org: Jean-Baptiste Barrière (May 2nd, 1707 - June 6th, 1747)
+  beach.debian.org: Amy Marcy Cheney Beach (September 5th, 1867 - December 27th, 1944)
+  beethoven.debian.org: Ludwig van Beethoven (December 16th, 1770 - March 26th, 1827)
+  bendel.debian.org: Franz Bendel (March 23rd, 1833 - July 3rd, 1874)
+  binet.debian.org: Jocelyne Binet (September 27th, 1923 - January 13th, 1968)
+  boott.debian.org: Francis Boott (June 24th, 1813 - March 1st, 1904)
+  busoni.debian.org: Ferruccio Dante Michelangiolo Benvenuto Busoni (April 1st, 1866 - July 27th, 1924)
+  buxtehude.debian.org: Dieterich Buxtehude (c. 1637 to 1639 - May 9th, 1707)
+  byrd.debian.org: William Byrd (1543 - July 4th, 1623)
+  casulana.debian.org: Maddalena Casulana (c. 1544 - c. 1590)
+  clementi.debian.org: Muzio Clementi (January 23rd, 1752 - March 10th, 1832)
+  coccia.debian.org: Maria Rosa Coccia (January 4th, 1759 - November 1833)
+  czerny.debian.org: Carl Czerny (February 21st, 1791 - July 15th, 1857)
+  danzi.debian.org: Franz Ignaz Danzi (June 15th, 1763 - April 13th, 1826)
+  delfin.debian.org: Carmelina Delfin (c. 1900 - after 1948)
+  diabelli.debian.org: Anton Diabelli (September 5th, 1781 - April 7th, 1858)
+  dinis.debian.org: Dinis of Portugal (October 9th, 1261 - January 7th, 1325)
+  dillon.debian.org: Fannie Charles Dillon (March 16th, 1881 - February 21st, 1947)
+  donizetti.debian.org: Gaetano Donizetti (November 29th, 1797 - April 8th, 1848)
+  draghi.debian.org: Antonio Draghi (1635 - January 16th, 1700)
+  eberlin.debian.org: Johann Ernst Eberlin (March 1702 27th - June 19th, 1762)
+  eller.debian.org: Heino Eller (March 7th, 1887 - June 16th, 1970)
+  elgar.debian.org: Edward Elgar (1857 - 1934)
+  falla.debian.org: Manuel de Falla y Matheu (November 23rd, 1876 - November 14th, 1946)
+  fano.debian.org: Guido Alberto Fano (March 18th, 1875 - August 14th, 1961)
+  fasolo.debian.org: Giovanni Battista Fasolo, O.F.M. (ca. 1598 - after 1664)
+  fayrfax.debian.org: Robert Fayrfax (April 23rd, 1464 - October 24th, 1521)
+  fils.debian.org: Anton Fils (September 22nd, 1733 (baptized) - March 14th, 1760 (buried))
+  finzi.debian.org: Gerald Raphael Finzi (July 14th, 1901 - September 27th, 1956)
+  fischer.debian.org: Johann Caspar Ferdinand Fischer (September 9th, 1656 - August 27th, 1746)
+  gideon.debian.org: Miriam Gideon (October 23rd, 1906 - June 18th, 1996)
+  gigault.debian.org: Nicolas Gigault (ca. 1627 - August 20th, 1707)
+  gombert.debian.org: Nicolas Gombert (c. 1495 - c. 1560)
+  gretchaninov: Alexander Tikhonovich Gretchaninov (October 25th, 1864 - January 3rd, 1956)
+  handel.debian.org: Georg Friedrich Händel (February 23rd, 1685 - April 14th, 1759)
+  harris.debian.org: Sir William Henry Harris (March 28th, 1883 - September 6th, 1973)
+  hartmann.debian.org: Karl Amadeus Hartmann (August 2nd, 1905 - December 5th, 1963)
+  hasse.debian.org: Johann Adolph Hasse (March 25th, 1699 - December 16th, 1783)
+  henze.debian.org: Hans Werner Henze (July 1st, 1926 - October 27th, 2012)
+  hoiby.debian.org: Lee Henry Hoiby (February 17th, 1926 - March 28th, 2011)
+  jerea.debian.org: Hilda Jerea (March 17th, 1916 - May 14th, 1980)
+  kaufmann.debian.org: Georg Friedrich Kauffmann (February 14th, 1679 - February 27th, 1735)
+  klecker.debian.org: Dedicated to Joel 'Espy' Klecker (1979 - July 11th, 2000)
+  lindsay.debian.org: Maria Lindsay Bliss (May 15th, 1827 - April 3rd, 1898)
+  lotti.debian.org: Antonio Lotti (ca. 1667 - January 5th, 1740)
+  lully.debian.org: Jean-Baptiste de Lully (November 28th, 1632 - March 22nd, 1687)
+  mailly.debian.org: Alphonse Jean Ernest Mailly (November 27th, 1833 - January 10th, 1918)
+  melartin.debian.org: Erkki Melartin (February 7th, 1875 - February 14th, 1937)
+  menotti.debian.org: Gian Carlo Menotti (July 7th, 1911 - February 1st, 2007)
+  manziarly.debian.org: Marcelle de Manziarly (October 1st/13th, 1899 -  May 12th, 1989)
+  mekeel.debian.org: Joyce Mekeel (July 6th, 1931 - Dec 29th, 1997)
+  milanollo.debian.org: Teresa Milanollo (August 28th, 1827 - October 25th, 1904)
+  minkus.debian.org: Ludwig Minkus (March 23rd 1826 - December 7th, 1917)
+  muffat.debian.org: George Muffat (June 1st, 1653 - February 23rd, 1704)
+  nono.debian.org: Luigi Nono (January 29th, 1924 - May 8th, 1990)
+  olin.debian.org: Elisabeth Olin (December 1740 - March 26th, 1828)
+  paradis.debian.org: Maria Theresia Paradis (May 15th, 1759 - February 1st, 1824)
+  partch.debian.org: Harry Partch (June 24th, 1901 - September 3rd, 1974)
+  pejacevic: Dora Pejačević (September 10th, 1885 - March 5th, 1923)
+  petrova.debian.org: Mara Petrova (May 15th, 1921 - June 7th. 1997)
+  pettersson.debian.org: Gustav Allan Pettersson (September 19th, 1911 - June 20th, 1980)
+  philp.debian.org: Elizabeth Philp (1827 - November 26th, 1885)
+  picconi.debian.org: Maria Antonietta Picconi (September 23rd, 1869 - 1926)
+  pieta.debian.org: Michielina della Pietà (fl. ca. 1700 - 1744)
+  pinel.debian.org: Julie Pinel (fl. 1710 - 1737)
+  pizzetti.debian.org: Ildebrando Pizzetti (20 September 1880 - 13 February 1968)
+  plummer.debian.org: John Plummer (c. 1410 - c. 1483)
+  porpora.debian.org: Niccolò (Antonio) Porpora (17 August 1686 - 3 March 1768)
+  porta.debian.org: Giovanni Porta (c. 1675 - 21 June 1755)
+  praetorius.debian.org: Hieronymus Praetorius (August 10th, 1560 - January 27th, 1629)
+  prokofiev.debian.org: Sergei Sergeyevich Prokofiev (April 27th, 1891 - March 5th, 1953)
+  quantz.debian.org: Johann Joachim Quantz (January 30th, 1697 - July 12th, 1773)
+  rachmaninoff: Sergei Vasilievich Rachmaninoff (1 April 1873 - 28 March 1943)
+  rainier.debian.org: Ivy Priaulx Rainier (February 3rd, 1903 - October 10th, 1986)
+  rapoport.debian.org: Eda Rothstein Rapoport (December 25th, 1890 - May 9th, 1968)
+  reger.debian.org: Johann Baptist Joseph Maximilian Reger (March 19th, 1873 - May 11th, 1916)
+  respighi.debian.org: Elsa Respighi (née Olivieri-Sangiacomo) (March 24th, 1894 - March 17th, 1996)
+  sallinen.debian.org: Aulis Sallinen (born April 9, 1935)
+  santoro.debian.org: Cláudio Santoro (November 23rd, 1919 - March 27th, 1989)
+  schumann.debian.org: Robert Alexander Schumann (June 8th, 1810 - July 29th, 1856)
+  sechter.debian.org: Simon Sechter (October 11th, 1788 - September 10th, 1867)
+  seger.debian.org: Josef Seger (March 21st, 1716 - April 22nd, 1782)
+  senfter.debian.org: Johanna Senfter (November, 27th, 1879 - August 11th, 1961)
+  setoguchi.debian.org: 瀬戸口藤吉, Tokichi Setoguchi (June 28th, 1868 - November 8th, 1941)
+  sibelius.debian.org: Jean Sibelius (December 8th, 1865 - September 20th, 1957)
+  smetana.debian.org: Bedřich Smetana (March 2nd, 1824 - May 12th, 1884)
+  sonntag.debian.org: Brunhilde Sonntag (September 27th, 1936 - December 18th, 2002)
+  sor.debian.org: Fernando Sor (February 14th, 1778 - July 10th, 1839)
+  soriano.debian.org: Francesco Soriano (1548 or 1549 - July 19th, 1621)
+  stockhausen.debian.org: Karlheinz Stockhausen (August 22nd, 1928 - December 5th, 2007)
+  storace.debian.org: Stephen Storace (April 4th, 1762 - March 19th, 1796)
+  spontini.debian.org: Gaspare Luigi Pacifico Spontini (November 14th, 1774 - January 24th, 1851)
+  tate.debian.org: Phyllis Tate (April 6th, 1911 - May 29th, 1987)
+  tchaikovsky.debian.org: Pyotr Ilyich Tchaikovsky (Пётр Ильич Чайковский) (May 7th, 1840 - November 6th, 1893)
+  ticharich.debian.org: Zdenka Ticharich (September 26th, 1900 - February 15th, 1979)
+  tye.debian.org: Christopher Tye (c.1505 - 1573)
+  ullmann.debian.org: Viktor Ullmann (January 1st, 1898 - October 17th, 1944)
+  usper.debian.org: Francesco Usper (November 1st, 1561 - February 24th, 1641)
+  vento.debian.org: Ivo de Vento (1543/1545 - 1575)
+  vittoria.debian.org: Tomás Luis da Vittoria (ca. 1548 - August 27th, 1611)
+  vogler.debian.org: Georg Joseph Vogler (June 15th, 1749 - May 6th, 1814)
+  wieck.debian.org: Clara Josephine Wieck (September 13th, 1819 - May 20th, 1896)
+  wilder.debian.org: Alec Wilder (February 16th, 1907 - December 24th, 1980)
+  wolkenstein.debian.org: Oswald von Wolkenstein (1377 - August 2nd, 1445)
+  wuiet.debian.org: Caroline Wuiet (1766 - 1835)
+  zandonai.debian.org: Riccardo Zandonai (May 30th, 1883 - June 5th, 1944)
+  zani.debian.org: Andrea Teodoro Zani (November 11th, 1696 - September 28th, 1757)
+  zelenka.debian.org: Jan Dismas Zelenka (October 16th, 1679 - December 23rd, 1745)
+  zemlinsky.debian.org: Alexander von Zemlinsky (October 14th, 1871 - March 15th 1942)
+footer:
+  dummy: foo
+  #zandonai.debian.org: "Debian s390 buildd system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]"
+  #zelenka.debian.org: "Debian s390 porter system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]"
+host_settings:
+  heavy_exim:
+    # mail front-ends
+    - mailly.debian.org
+    - muffat.debian.org
+    # other mail receivers
+    - buxtehude.debian.org
+    - draghi.debian.org
+    - master.debian.org
+    - nono.debian.org
+    - picconi.debian.org
+    - pinel.debian.org
+    - quantz.debian.org
+    - reger.debian.org
+    - tye.debian.org
+    - vento.debian.org
+    - wuiet.debian.org
+  not-bacula-client:
+    # porterbox
+    - abel.debian.org
+    - asachi.debian.org
+    - barriere.debian.org
+    - binet.debian.org
+    - eller.debian.org
+    - falla.debian.org
+    - fischer.debian.org
+    - harris.debian.org
+    - minkus.debian.org
+    - partch.debian.org
+    - pizzetti.debian.org
+    - plummer.debian.org
+    - smetana.debian.org
+    - zelenka.debian.org
+    # buildd
+    - antheil.debian.org
+    - arm-arm-01.debian.org
+    - arm-arm-02.debian.org
+    - arm-arm-03.debian.org
+    - arm-arm-04.debian.org
+    - arm-conova-01.debian.org
+    - arm-conova-02.debian.org
+    - arm-conova-03.debian.org
+    - arm-conova-04.debian.org
+    - arm-linaro-01.debian.org
+    - arm-linaro-03.debian.org
+    - arnold.debian.org
+    - eberlin.debian.org
+    - fano.debian.org
+    - fayrfax.debian.org
+    - fils.debian.org
+    - finzi.debian.org
+    - hartmann.debian.org
+    - hasse.debian.org
+    - henze.debian.org
+    - hoiby.debian.org
+    - mips-aql-01.debian.org
+    - mips-aql-02.debian.org
+    - mips-aql-04.debian.org
+    - mips-aql-05.debian.org
+    - mips-aql-06.debian.org
+    - mips-sil-01.debian.org
+    - mips-manda-01.debian.org
+    - mipsel-aql-01.debian.org
+    - mipsel-aql-02.debian.org
+    - mipsel-aql-03.debian.org
+    - mipsel-manda-01.debian.org
+    - mipsel-manda-02.debian.org
+    - mipsel-manda-03.debian.org
+    - mipsel-sil-01.debian.org
+    - porpora.debian.org
+    - powerpc-osuosl-01.debian.org
+    - powerpc-unicamp-01.debian.org
+    - ppc64el-osuosl-01.debian.org
+    - ppc64el-unicamp-01.debian.org
+    - praetorius.debian.org
+    - spontini.debian.org
+    - x86-grnet-01.debian.org
+    - zandonai.debian.org
+    - zani.debian.org
+    - zemlinsky.debian.org
+    - x86-bm-01.debian.org
+    - x86-csail-01.debian.org
+    - x86-csail-02.debian.org
+    - x86-ubc-01.debian.org
+  broken-rtc:
+    - abel.debian.org
+    - antheil.debian.org
+    - arm-arm-01.debian.org
+    - arm-arm-02.debian.org
+    - arm-arm-03.debian.org
+    - arnold.debian.org
+    - eller.debian.org
+    - harris.debian.org
+    - hasse.debian.org
+    - henze.debian.org
+    - hoiby.debian.org
+    - mips-aql-01.debian.org
+    - mips-aql-02.debian.org
+    - mips-aql-04.debian.org
+    - mips-aql-05.debian.org
+    - mips-aql-06.debian.org
+    - mips-manda-01.debian.org
+    - mips-sil-01.debian.org
+    - mipsel-aql-03.debian.org
+    - mipsel-manda-03.debian.org
+    - mipsel-sil-01.debian.org
+  mail_port:
+    klecker.debian.org: 2025
+    zani.debian.org: 587
+  no_munin:
+    - fano.debian.org
+  entropy_key:
+    - czerny.debian.org
+    - grnet-node01.debian.org
+    # - ubc-bl2.debian.org
+    - storace.debian.org
+  buildd_master:
+    - wuiet.debian.org
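Review bot: Three `nameinfo` keys are bare host names while every other key is fully qualified: `gretchaninov`, `pejacevic` and `rachmaninoff`. The code that reads this map is not visible here, but if it looks entries up by FQDN these three hosts silently get no entry. The keys would then read `gretchaninov.debian.org:`, `pejacevic.debian.org:` and `rachmaninoff.debian.org:`. The `footer:` map holds only `dummy: foo`; a one-line comment such as `# placeholder so the footer hash is never empty` would say why, if that is the reason.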
diff --git a/modules/debian_org/templates/debian_facts.yaml.erb b/modules/debian_org/templates/debian_facts.yaml.erb
new file mode 100644 (file)
index 0000000..2dcf796
--- /dev/null
@@ -0,0 +1,2 @@
+---
+hoster: <%= scope.lookupvar('site::nodeinfo')['hoster']['name'] %>
diff --git a/modules/debian_org/templates/dsa-puppet-stuff.cron.erb b/modules/debian_org/templates/dsa-puppet-stuff.cron.erb
new file mode 100644 (file)
index 0000000..48fab72
--- /dev/null
@@ -0,0 +1,20 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+SHELL=/bin/bash
+@hourly  root [ ! -d /var/cache/dsa ] || touch /var/cache/dsa/cron.alive
+<% if @lsbmajdistrelease <= '7' -%>
+34 */4 * * * root if [ -x /usr/sbin/puppetd ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/sbin/puppetd -o --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
+<% else -%>
+34 */4 * * * root if [ -x /usr/bin/puppet ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/bin/puppet agent --onetime --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
+<% end -%>
+
+@hourly root sleep $(( $RANDOM \% 300 )); if [ -x /usr/lib/nagios/plugins/dsa-check-stunnel-sanity ] && [ -e /etc/stunnel/puppet-ekeyd.conf ] && ! /usr/lib/nagios/plugins/dsa-check-stunnel-sanity > /dev/null && grep -q '^client = yes' /etc/stunnel/puppet-ekeyd.conf; then /usr/sbin/service stunnel4 restart > /dev/null; fi
+
+@daily munin-async [ -d /var/lib/munin-async ] && find /var/lib/munin-async -maxdepth 1 -type f -mtime +30 -delete
+
+@daily root [ -d /var/lib/puppet/clientbucket ] && find /var/lib/puppet/clientbucket -type f -mtime +60 -delete && find /var/lib/puppet/clientbucket -type d -empty -delete
+
+@hourly root ! [ -x /usr/local/sbin/ntp-restart-if-required ] || /usr/local/sbin/ntp-restart-if-required
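Review bot: `@lsbmajdistrelease <= '7'` compares strings, so a release of `'10'` or later sorts before `'7'` and takes the `puppetd` branch. `/usr/sbin/puppetd` is presumably absent on those releases, so the `-x` test fails and the agent run is skipped without any message, and configuration (including security settings) stops being applied. Compare numerically instead: `<% if @lsbmajdistrelease.to_i <= 7 -%>`. The two `class ferm` hunks further down have the same problem in `if ($::lsbmajdistrelease >= '8')`, where `versioncmp($::lsbmajdistrelease, '8') >= 0` gives the intended ordering.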
diff --git a/modules/debian_org/templates/ldap.conf.erb b/modules/debian_org/templates/ldap.conf.erb
new file mode 100644 (file)
index 0000000..b3f514b
--- /dev/null
@@ -0,0 +1,24 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE  dc=example,dc=com
+#URI   ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT     12
+#TIMELIMIT     15
+#DEREF         never
+
+URI             ldap://db.debian.org
+BASE            dc=debian,dc=org
+
+TLS_CACERT      /etc/ssl/ca-debian/ca-certificates.crt
+TLS_REQCERT     hard
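Review bot: `URI ldap://db.debian.org` is a plain-text scheme, and `TLS_REQCERT hard` only takes effect once a client actually negotiates TLS. A tool that connects without requesting StartTLS would send its bind and queries unencrypted, and the certificate check never runs. If the server offers LDAP over TLS, `URI ldaps://db.debian.org` makes the default safe. Otherwise a comment such as `# clients must request StartTLS; TLS_REQCERT applies only after TLS is negotiated` would record the requirement.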
diff --git a/modules/debian_org/templates/pam.common-session-noninteractive.erb b/modules/debian_org/templates/pam.common-session-noninteractive.erb
new file mode 100644 (file)
index 0000000..3b078a3
--- /dev/null
@@ -0,0 +1,30 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required        pam_unix.so     
+# end of pam-auth-update config
diff --git a/modules/debian_org/templates/pam.common-session.erb b/modules/debian_org/templates/pam.common-session.erb
new file mode 100644 (file)
index 0000000..3a24bb7
--- /dev/null
@@ -0,0 +1,34 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session        [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session        requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session        required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session        required        pam_unix.so 
+# end of pam-auth-update config
+session        [success=1 default=ignore]      pam_succeed_if.so quiet_fail quiet_success home = /nonexistent
+session        optional                        pam_mkhomedir.so skel=/etc/skel umask=0022
+session        optional                        pam_systemd.so
+session        optional                        pam_permit.so
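Review bot: The four lines after `# end of pam-auth-update config` are local additions with no comment, and the `[success=1 default=ignore]` jump is easy to misread. A comment such as `# skip pam_mkhomedir for accounts whose home is /nonexistent` above the `pam_succeed_if.so` line would document it. `umask=0022` makes each created home directory readable by every local user; on shared hosts a tighter value such as `umask=0027` is worth considering.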
diff --git a/modules/debian_org/templates/puppet.conf.erb b/modules/debian_org/templates/puppet.conf.erb
new file mode 100644 (file)
index 0000000..4f6c659
--- /dev/null
@@ -0,0 +1,47 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+[main]
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+pluginsync=true
+# This is the default environment for all clients
+environment=production
+
+<%- if scope.lookupvar('::hostname') == 'handel' -%>
+modulepath=/etc/puppet/modules:/etc/puppet/3rdparty/modules:/usr/share/puppet/modules
+
+[master]
+environments = production,staging
+reports = store
+config_version = cat /etc/puppet/.config-version
+storeconfigs = true
+thin_storeconfigs = true
+dbadapter=mysql
+dbuser=puppet
+dbpassword=<%= scope.lookupvar('dbpassword') %>
+dbserver=localhost
+
+[production]
+manifestdir=/srv/puppet.debian.org/stages/production/manifests
+fileserverconfig=/srv/puppet.debian.org/stages/production/fileserver.conf
+modulepath=/srv/puppet.debian.org/stages/production/modules:/srv/puppet.debian.org/stages/production/3rdparty/modules
+
+[staging]
+manifestdir=/srv/puppet.debian.org/stages/staging/manifests
+fileserverconfig=/srv/puppet.debian.org/stages/staging/fileserver.conf
+modulepath=/srv/puppet.debian.org/stages/staging/modules:/srv/puppet.debian.org/stages/staging/3rdparty/modules
+<%- end -%>
+
+[agent]
+environments = development,testing,production,staging
+report = true
+configtimeout = 240
+<%- if has_variable?("puppetversion") and @puppetversion.to_s == "3.7.2" -%>
+stringify_facts = false
+<%- end -%>
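Review bot: `dbpassword=<%= scope.lookupvar('dbpassword') %>` writes the storeconfigs database password into puppet.conf on handel, and nothing in this hunk shows the mode of the rendered file. The `file` resource that uses this template is outside the hunk; it should not leave the file world-readable on the master, for example `mode => '0640'` with a group the master process runs as. The lookup is also unqualified, so an unset variable would render an empty `dbpassword=` line rather than fail; a fully qualified variable name would make the source of the secret explicit.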
diff --git a/modules/debian_org/templates/rc.local.erb b/modules/debian_org/templates/rc.local.erb
new file mode 100755 (executable)
index 0000000..5667c32
--- /dev/null
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+<%- if @hostname == "zani" then -%>
+  if [ -n "$(awk '$4 == "dasdb1" && $3 == "249999" {print}' /proc/partitions)" ]; then
+    mkswap /dev/dasdb1 && swapon -p 30 /dev/dasdb1
+  fi
+  if [ -n "$(awk '$4 == "dasdc1" && $3 == "249999" {print}' /proc/partitions)" ]; then
+    mkswap /dev/dasdc1 && swapon -p 30 /dev/dasdc1
+  fi
+<%- end -%>
+<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
+  ( sleep 120;
+    service syslog-ng restart;
+    sleep 5;
+    init q
+  ) & disown
+<%- end -%>
+
+if [ -e /proc/sys/kernel/modules_disabled ]; then
+       ( sleep 60;
+         echo 1 > /proc/sys/kernel/modules_disabled || true
+       ) & disown
+fi
+
+touch /var/run/reboot-lock
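Review bot: The `modules_disabled` lock-down runs in a detached subshell and ends in `|| true`, so a failed write leaves module loading enabled with nothing logged. Recording the failure keeps the hardening auditable: `echo 1 > /proc/sys/kernel/modules_disabled || logger -p daemon.warning -t rc.local 'could not set modules_disabled'`. A short comment on why the write is delayed by 60 seconds (presumably to let boot-time module loads finish) would also help. Separately, the kfreebsd condition calls `['ldap'].has_key?` and `['architecture'][0]` without checking for nil, so a node with no `ldap` entry or an empty list would abort template rendering.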
index e5b051b..ae73205 100644 (file)
@@ -54,7 +54,7 @@ class exim {
        }
        file { '/etc/exim4/ssl':
                ensure  => directory,
-               group   => Debian-exim,
+               group   => 'Debian-exim',
                mode    => '0750',
                purge   => true,
        }
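Review bot: `purge => true` on `/etc/exim4/ssl` has no effect without `recurse => true`, so certificates and keys that are no longer managed stay in the directory. If removing stale key material is the intent, add `recurse => true,` next to it; otherwise drop `purge` so the resource does not suggest a cleanup that never happens.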
@@ -110,28 +110,28 @@ class exim {
        }
        file { '/etc/exim4/ssl/thishost.crt':
                source  => "puppet:///modules/exim/certs/${::fqdn}.crt",
-               group   => Debian-exim,
+               group   => 'Debian-exim',
                mode    => '0640',
        }
        file { '/etc/exim4/ssl/thishost.key':
                source  => "puppet:///modules/exim/certs/${::fqdn}.key",
-               group   => Debian-exim,
+               group   => 'Debian-exim',
                mode    => '0640',
        }
        file { '/etc/exim4/ssl/ca.crt':
                source  => 'puppet:///modules/exim/certs/ca.crt',
-               group   => Debian-exim,
+               group   => 'Debian-exim',
                mode    => '0640',
        }
        file { '/etc/exim4/ssl/ca.crl':
                source  => 'puppet:///modules/exim/certs/ca.crl',
-               group   => Debian-exim,
+               group   => 'Debian-exim',
                mode    => '0640',
        }
        file { '/var/log/exim4':
                ensure  => directory,
                mode    => '2750',
-               owner   => Debian-exim,
+               owner   => 'Debian-exim',
                group   => maillog,
        }
 
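Review bot: The source paths for `thishost.crt` and `thishost.key` are built from `${::fqdn}`, which is a fact reported by the agent rather than the name in its authenticated certificate. Selecting a private key by `$trusted['certname']` ties it to the verified identity, e.g. `source => "puppet:///modules/exim/certs/${trusted['certname']}.key",`, assuming certnames match the file names. It is also worth confirming that the file server's access rules limit each key file to its own host. As a style point, `group => maillog` is the one bare word left in this hunk; `'maillog'` would match the quoting this commit introduces.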
index c3841cc..93ec708 100644 (file)
@@ -211,7 +211,7 @@ queue_only_load = 8
 <%- end -%>
 queue_list_requires_admin = false
 
-<%- if has_variable?("clamd") && clamd == "true" -%>
+<%- if has_variable?("clamd") && @clamd == "true" -%>
 av_scanner = clamd:/var/run/clamav/clamd.ctl
 <%- end -%>
 
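Review bot: `@clamd == "true"` matches only the string `"true"`. Where `clamd` is set is not visible here, but if it ever arrives as a boolean (typed facts, or `stringify_facts = false`) the test is false and the `av_scanner` line is dropped without error. `@clamd.to_s == "true"` accepts both forms. The same applies to the hunks at -663 (`@policydweight`), -734 (`@greylistd`), -759 (`@postgrey`) and -956 (`@clamd`, which guards the `malware` ACL), so virus scanning and greylisting could be disabled without any error.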
@@ -663,7 +663,7 @@ check_recipient:
           ratelimit      = 10 / 60m / per_rcpt / $sender_host_address
           message        = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
 
-<%- if has_variable?("policydweight") && policydweight == "true" -%>
+<%- if has_variable?("policydweight") && @policydweight == "true" -%>
   # Check with policyd-weight - this only works with a version after etch's,
   # sadly.  etch's version attempts to hold the socket open, since that's what
   # postfix expects.  Exim, on the other hand, expects the remote side to close
@@ -734,7 +734,7 @@ check_recipient:
 
 
 <%- end -%>
-<%- if has_variable?("greylistd") && greylistd == "true" -%>
+<%- if has_variable?("greylistd") && @greylistd == "true" -%>
   defer
     message  = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>.
     log_message = greylisted.
@@ -759,7 +759,7 @@ check_recipient:
                                   $local_part@$domain}\
                                  {5s}{}{false}}
 
-<%- elsif has_variable?("postgrey") && postgrey == "true" -%>
+<%- elsif has_variable?("postgrey") && @postgrey == "true" -%>
   # next three are greylisting, inspired by http://www.bebt.de/blog/debian/archives/2006/07/30/T06_12_27/index.html
   # this adds acl_m_grey if there isn't one (so unique per message)
   warn
@@ -956,7 +956,7 @@ check_message:
           condition       = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
          message         = Your mailer is not RFC 2047 compliant: message rejected
 
-<%- if has_variable?("clamd") && clamd == "true" -%>
+<%- if has_variable?("clamd") && @clamd == "true" -%>
   discard condition       = ${if eq {$acl_m_prf}{blackhole}}
           demime          = *
           malware         = */defer_ok
index ae4ea19..869a3d6 100644 (file)
@@ -16,7 +16,7 @@ class ferm {
        package { 'ferm':
                ensure => installed
        }
-       if ($::lsbmajdistrelease >= 8) {
+       if ($::lsbmajdistrelease >= '8') {
                package { 'ulogd2':
                        ensure => installed
                }
@@ -92,7 +92,7 @@ class ferm {
                content => template('ferm/interfaces.conf.erb'),
                notify  => Service['ferm'],
        }
-       if ($::lsbmajdistrelease >= 8) {
+       if ($::lsbmajdistrelease >= '8') {
                augeas { 'logrotate_ulogd2':
                        context => '/files/etc/logrotate.d/ulogd2',
                        changes => [
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
deleted file mode 100644 (file)
index 7db3c2d..0000000
+++ /dev/null
@@ -1,418 +0,0 @@
-class ferm::per-host {
-       if $::hostname in [zandonai,zelenka] {
-               include ferm::zivit
-       }
-
-       case $::hostname {
-               czerny,clementi: {
-                       @ferm::rule { 'dsa-upsmon':
-                               description     => 'Allow upsmon access',
-                               rule            => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
-                       }
-               }
-               bendel: {
-                       @ferm::rule { 'listmaster-ontp-in':
-                               description => 'ONTP has a broken mail setup',
-                               table       => 'filter',
-                               chain       => 'INPUT',
-                               rule        => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
-                       }
-                       @ferm::rule { 'listmaster-ontp-out':
-                               description => 'ONTP has a broken mail setup',
-                               table       => 'filter',
-                               chain       => 'OUTPUT',
-                               rule        => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
-                       }
-               }
-               lotti,lully,loghost-grnet-01: {
-                       @ferm::rule { 'dsa-syslog':
-                               description     => 'Allow syslog access',
-                               rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
-                       }
-                       @ferm::rule { 'dsa-syslog-v6':
-                               domain          => 'ip6',
-                               description     => 'Allow syslog access',
-                               rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
-                       }
-               }
-               kaufmann: {
-                       @ferm::rule { 'dsa-hkp':
-                               domain          => '(ip ip6)',
-                               description     => 'Allow hkp access',
-                               rule            => '&SERVICE(tcp, 11371)'
-                       }
-               }
-               gombert: {
-                       @ferm::rule { 'dsa-infinoted':
-                               domain          => '(ip ip6)',
-                               description     => 'Allow infinoted access',
-                               rule            => '&SERVICE(tcp, 6523)'
-                       }
-               }
-               draghi: {
-                       @ferm::rule { 'dsa-finger':
-                               domain          => '(ip ip6)',
-                               description     => 'Allow finger access',
-                               rule            => '&SERVICE(tcp, 79)'
-                       }
-                       @ferm::rule { 'dsa-ldap':
-                               domain          => '(ip ip6)',
-                               description     => 'Allow ldap access',
-                               rule            => '&SERVICE(tcp, 389)'
-                       }
-                       @ferm::rule { 'dsa-ldaps':
-                               domain          => '(ip ip6)',
-                               description     => 'Allow ldaps access',
-                               rule            => '&SERVICE(tcp, 636)'
-                       }
-               }
-               sonntag: {
-                       @ferm::rule { 'dsa-bugs-search':
-                               description  => 'port 1978 for bugs-search from bug web frontends',
-                               rule         => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 209.87.16.39 ))'
-                       }
-               }
-               default: {}
-       }
-
-       # redirect snapshot into varnish
-       case $::hostname {
-               sibelius: {
-                       @ferm::rule { 'dsa-snapshot-varnish':
-                               rule            => '&SERVICE(tcp, 6081)',
-                       }
-                       @ferm::rule { 'dsa-nat-snapshot-varnish':
-                               table           => 'nat',
-                               chain           => 'PREROUTING',
-                               rule            => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
-                       }
-               }
-               lw07: {
-                       @ferm::rule { 'dsa-snapshot-varnish':
-                               rule            => '&SERVICE(tcp, 6081)',
-                       }
-                       @ferm::rule { 'dsa-nat-snapshot-varnish':
-                               table           => 'nat',
-                               chain           => 'PREROUTING',
-                               rule            => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081',
-                       }
-               }
-               default: {}
-       }
-       case $::hostname {
-               bm-bl1,bm-bl2: {
-                       @ferm::rule { 'dsa-vrrp':
-                               rule            => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
-                       }
-                       @ferm::rule { 'dsa-conntrackd':
-                               rule            => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
-                       }
-                       @ferm::rule { 'dsa-bind-notrack-in':
-                               domain      => 'ip',
-                               description => 'NOTRACK for nameserver traffic',
-                               table       => 'raw',
-                               chain       => 'PREROUTING',
-                               rule        => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
-                       }
-
-                       @ferm::rule { 'dsa-bind-notrack-out':
-                               domain      => 'ip',
-                               description => 'NOTRACK for nameserver traffic',
-                               table       => 'raw',
-                               chain       => 'OUTPUT',
-                               rule        => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
-                       }
-
-                       @ferm::rule { 'dsa-bind-notrack-in6':
-                               domain      => 'ip6',
-                               description => 'NOTRACK for nameserver traffic',
-                               table       => 'raw',
-                               chain       => 'PREROUTING',
-                               rule        => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
-                       }
-
-                       @ferm::rule { 'dsa-bind-notrack-out6':
-                               domain      => 'ip6',
-                               description => 'NOTRACK for nameserver traffic',
-                               table       => 'raw',
-                               chain       => 'OUTPUT',
-                               rule        => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
-                       }
-               }
-               default: {}
-       }
-
-       # elasticsearch stuff
-       case $::hostname {
-               stockhausen: {
-                       @ferm::rule { 'dsa-elasticsearch-bendel':
-                               domain          => '(ip)',
-                               description     => 'Allow elasticsearch access from bendel',
-                               rule            => '&SERVICE_RANGE(tcp, 9200:9300, ( 82.195.75.100/32 ))'
-                       }
-                       @ferm::rule { 'dsa-elasticsearch-bendel6':
-                               domain          => '(ip6)',
-                               description     => 'Allow elasticsearch access from bendel',
-                               rule            => '&SERVICE_RANGE(tcp, 9200:9300, ( 2001:41b8:202:deb:216:36ff:fe40:4002/128 ))'
-                       }
-               }
-       }
-
-       # postgres stuff
-       case $::hostname {
-               ullmann: {
-                       @ferm::rule { 'dsa-postgres-udd':
-                               description     => 'Allow postgress access',
-                               # quantz, moszumanska, master, coccia
-                               rule            => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-udd6':
-                               domain          => '(ip6)',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
-                       }
-               }
-               fasolo: {
-                       @ferm::rule { 'dsa-postgres-fasolo':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-fasolo6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
-                       }
-
-                       @ferm::rule { 'dsa-postgres-backup':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-backup6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
-                       }
-               }
-               bmdb1: {
-                       @ferm::rule { 'dsa-postgres-main':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 209.87.16.38/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-main6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:614:1::1274:38/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-dak':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-dak6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-wannabuild':
-                               # wuiet, ullmann
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 209.87.16.38/32 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-wannabuild6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:614:1::1274:38/128 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-bacula':
-                               # dinis
-                               description     => 'Allow postgress access1',
-                               rule            => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-bacula6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access1',
-                               rule            => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
-                       }
-
-                       @ferm::rule { 'dsa-postgres-backup':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V4 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-backup6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V6 ))'
-                       }
-
-                       @ferm::rule { 'dsa-postgres-dedup':
-                               # ubc, wuit
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-dedup6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
-                       }
-
-                       @ferm::rule { 'dsa-postgres-debsources':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, (5440), ( 5.153.231.38/32 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-debsources6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, (5440), ( 2001:41c8:1000:21::21:38/128 ))'
-                       }
-               }
-               danzi: {
-                       @ferm::rule { 'dsa-postgres-danzi':
-                               # ubc, wuit
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-danzi6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
-                       }
-
-                       @ferm::rule { 'dsa-postgres2-danzi':
-                               description     => 'Allow postgress access2',
-                               rule            => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 209.87.16.0/24 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres3-danzi':
-                               description     => 'Allow postgress access3',
-                               rule            => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 209.87.16.0/24 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres4-danzi':
-                               description     => 'Allow postgress access4',
-                               rule            => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 209.87.16.0/24 ))'
-                       }
-
-                       @ferm::rule { 'dsa-postgres-backup':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-backup6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
-                       }
-               }
-               seger: {
-                       @ferm::rule { 'dsa-postgres-backup':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-backup6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
-                       }
-               }
-               sibelius: {
-                       @ferm::rule { 'dsa-postgres-backup':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-backup6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-replication':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-replication6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 2001:1af8:4020:b030:deb::187/128 ))'
-                       }
-               }
-               lw07: {
-                       @ferm::rule { 'dsa-postgres-snapshot':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-snapshot6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
-                       }
-               }
-               melartin,vittoria: {
-                       @ferm::rule { 'dsa-postgres-backup':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-backup6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
-                       }
-               }
-               buxtehude: {
-                       @ferm::rule { 'dsa-postgres-backup':
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V4 ))'
-                       }
-                       @ferm::rule { 'dsa-postgres-backup6':
-                               domain          => 'ip6',
-                               description     => 'Allow postgress access',
-                               rule            => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V6 ))'
-                       }
-               }
-               default: {}
-       }
-       # vpn fu
-       case $::hostname {
-               draghi: {
-                       @ferm::rule { 'dsa-vpn':
-                               description     => 'Allow openvpn access',
-                               rule            => '&SERVICE(udp, 17257)'
-                       }
-                       @ferm::rule { 'dsa-routing':
-                               description     => 'forward chain',
-                               chain           => 'FORWARD',
-                               rule            => 'policy ACCEPT;
-mod state state (ESTABLISHED RELATED) ACCEPT;
-interface tun+ ACCEPT;
-REJECT reject-with icmp-admin-prohibited
-'
-                       }
-                       @ferm::rule { 'dsa-vpn-mark':
-                               table           => 'mangle',
-                               chain           => 'PREROUTING',
-                               rule            => 'interface tun+ MARK set-mark 1',
-                       }
-                       @ferm::rule { 'dsa-vpn-nat':
-                               table           => 'nat',
-                               chain           => 'POSTROUTING',
-                               rule            => 'outerface !tun+ mod mark mark 1 MASQUERADE',
-                       }
-               }
-               ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
-                       @ferm::rule { 'dsa-luca-fixme':
-                               description     => 'Allow ssh access from mnt and vpn networks',
-                               rule            => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
-                       }
-               }
-               default: {}
-       }
-       # tftp
-       case $::hostname {
-               abel: {
-                       @ferm::rule { 'dsa-tftp':
-                               description     => 'Allow tftp access',
-                               rule            => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
-                       }
-               }
-               master: {
-                       @ferm::rule { 'dsa-tftp':
-                               description     => 'Allow tftp access',
-                               rule            => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'
-                       }
-               }
-       }
-}
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
new file mode 100644 (file)
index 0000000..8fd0d07
--- /dev/null
@@ -0,0 +1,418 @@
+class ferm::per_host {
+       if $::hostname in [zandonai,zelenka] {
+               include ferm::zivit
+       }
+
+       case $::hostname {
+               czerny,clementi: {
+                       @ferm::rule { 'dsa-upsmon':
+                               description     => 'Allow upsmon access',
+                               rule            => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))'
+                       }
+               }
+               bendel: {
+                       @ferm::rule { 'listmaster-ontp-in':
+                               description => 'ONTP has a broken mail setup',
+                               table       => 'filter',
+                               chain       => 'INPUT',
+                               rule        => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP',
+                       }
+                       @ferm::rule { 'listmaster-ontp-out':
+                               description => 'ONTP has a broken mail setup',
+                               table       => 'filter',
+                               chain       => 'OUTPUT',
+                               rule        => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP',
+                       }
+               }
+               lotti,lully,loghost-grnet-01: {
+                       @ferm::rule { 'dsa-syslog':
+                               description     => 'Allow syslog access',
+                               rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)'
+                       }
+                       @ferm::rule { 'dsa-syslog-v6':
+                               domain          => 'ip6',
+                               description     => 'Allow syslog access',
+                               rule            => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)'
+                       }
+               }
+               kaufmann: {
+                       @ferm::rule { 'dsa-hkp':
+                               domain          => '(ip ip6)',
+                               description     => 'Allow hkp access',
+                               rule            => '&SERVICE(tcp, 11371)'
+                       }
+               }
+               gombert: {
+                       @ferm::rule { 'dsa-infinoted':
+                               domain          => '(ip ip6)',
+                               description     => 'Allow infinoted access',
+                               rule            => '&SERVICE(tcp, 6523)'
+                       }
+               }
+               draghi: {
+                       @ferm::rule { 'dsa-finger':
+                               domain          => '(ip ip6)',
+                               description     => 'Allow finger access',
+                               rule            => '&SERVICE(tcp, 79)'
+                       }
+                       @ferm::rule { 'dsa-ldap':
+                               domain          => '(ip ip6)',
+                               description     => 'Allow ldap access',
+                               rule            => '&SERVICE(tcp, 389)'
+                       }
+                       @ferm::rule { 'dsa-ldaps':
+                               domain          => '(ip ip6)',
+                               description     => 'Allow ldaps access',
+                               rule            => '&SERVICE(tcp, 636)'
+                       }
+               }
+               sonntag: {
+                       @ferm::rule { 'dsa-bugs-search':
+                               description  => 'port 1978 for bugs-search from bug web frontends',
+                               rule         => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 209.87.16.39 ))'
+                       }
+               }
+               default: {}
+       }
+
+       # redirect snapshot into varnish
+       case $::hostname {
+               sibelius: {
+                       @ferm::rule { 'dsa-snapshot-varnish':
+                               rule            => '&SERVICE(tcp, 6081)',
+                       }
+                       @ferm::rule { 'dsa-nat-snapshot-varnish':
+                               table           => 'nat',
+                               chain           => 'PREROUTING',
+                               rule            => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081',
+                       }
+               }
+               lw07: {
+                       @ferm::rule { 'dsa-snapshot-varnish':
+                               rule            => '&SERVICE(tcp, 6081)',
+                       }
+                       @ferm::rule { 'dsa-nat-snapshot-varnish':
+                               table           => 'nat',
+                               chain           => 'PREROUTING',
+                               rule            => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081',
+                       }
+               }
+               default: {}
+       }
+       case $::hostname {
+               bm-bl1,bm-bl2: {
+                       @ferm::rule { 'dsa-vrrp':
+                               rule            => 'proto vrrp daddr 224.0.0.18 jump ACCEPT',
+                       }
+                       @ferm::rule { 'dsa-conntrackd':
+                               rule            => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
+                       }
+                       @ferm::rule { 'dsa-bind-notrack-in':
+                               domain      => 'ip',
+                               description => 'NOTRACK for nameserver traffic',
+                               table       => 'raw',
+                               chain       => 'PREROUTING',
+                               rule        => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
+                       }
+
+                       @ferm::rule { 'dsa-bind-notrack-out':
+                               domain      => 'ip',
+                               description => 'NOTRACK for nameserver traffic',
+                               table       => 'raw',
+                               chain       => 'OUTPUT',
+                               rule        => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
+                       }
+
+                       @ferm::rule { 'dsa-bind-notrack-in6':
+                               domain      => 'ip6',
+                               description => 'NOTRACK for nameserver traffic',
+                               table       => 'raw',
+                               chain       => 'PREROUTING',
+                               rule        => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
+                       }
+
+                       @ferm::rule { 'dsa-bind-notrack-out6':
+                               domain      => 'ip6',
+                               description => 'NOTRACK for nameserver traffic',
+                               table       => 'raw',
+                               chain       => 'OUTPUT',
+                               rule        => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
+                       }
+               }
+               default: {}
+       }
+
+       # elasticsearch stuff
+       case $::hostname {
+               stockhausen: {
+                       @ferm::rule { 'dsa-elasticsearch-bendel':
+                               domain          => '(ip)',
+                               description     => 'Allow elasticsearch access from bendel',
+                               rule            => '&SERVICE_RANGE(tcp, 9200:9300, ( 82.195.75.100/32 ))'
+                       }
+                       @ferm::rule { 'dsa-elasticsearch-bendel6':
+                               domain          => '(ip6)',
+                               description     => 'Allow elasticsearch access from bendel',
+                               rule            => '&SERVICE_RANGE(tcp, 9200:9300, ( 2001:41b8:202:deb:216:36ff:fe40:4002/128 ))'
+                       }
+               }
+       }
+
+       # postgres stuff
+       case $::hostname {
+               ullmann: {
+                       @ferm::rule { 'dsa-postgres-udd':
+                               description     => 'Allow postgress access',
+                               # quantz, moszumanska, master, coccia
+                               rule            => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-udd6':
+                               domain          => '(ip6)',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))'
+                       }
+               }
+               fasolo: {
+                       @ferm::rule { 'dsa-postgres-fasolo':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-fasolo6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))'
+                       }
+
+                       @ferm::rule { 'dsa-postgres-backup':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-backup6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
+                       }
+               }
+               bmdb1: {
+                       @ferm::rule { 'dsa-postgres-main':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 209.87.16.38/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-main6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:614:1::1274:38/128 2001:41c8:1000:21::21:26/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-dak':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-dak6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-wannabuild':
+                               # wuiet, ullmann
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 209.87.16.38/32 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-wannabuild6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:614:1::1274:38/128 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-bacula':
+                               # dinis
+                               description     => 'Allow postgress access1',
+                               rule            => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-bacula6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access1',
+                               rule            => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))'
+                       }
+
+                       @ferm::rule { 'dsa-postgres-backup':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V4 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-backup6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V6 ))'
+                       }
+
+                       @ferm::rule { 'dsa-postgres-dedup':
+                               # ubc, wuit
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-dedup6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))'
+                       }
+
+                       @ferm::rule { 'dsa-postgres-debsources':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, (5440), ( 5.153.231.38/32 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-debsources6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, (5440), ( 2001:41c8:1000:21::21:38/128 ))'
+                       }
+               }
+               danzi: {
+                       @ferm::rule { 'dsa-postgres-danzi':
+                               # ubc, wuit
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-danzi6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
+                       }
+
+                       @ferm::rule { 'dsa-postgres2-danzi':
+                               description     => 'Allow postgress access2',
+                               rule            => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 209.87.16.0/24 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres3-danzi':
+                               description     => 'Allow postgress access3',
+                               rule            => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 209.87.16.0/24 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres4-danzi':
+                               description     => 'Allow postgress access4',
+                               rule            => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 209.87.16.0/24 ))'
+                       }
+
+                       @ferm::rule { 'dsa-postgres-backup':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-backup6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
+                       }
+               }
+               seger: {
+                       @ferm::rule { 'dsa-postgres-backup':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-backup6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
+                       }
+               }
+               sibelius: {
+                       @ferm::rule { 'dsa-postgres-backup':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-backup6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-replication':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-replication6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5433, ( 2001:1af8:4020:b030:deb::187/128 ))'
+                       }
+               }
+               lw07: {
+                       @ferm::rule { 'dsa-postgres-snapshot':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-snapshot6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))'
+                       }
+               }
+               melartin,vittoria: {
+                       @ferm::rule { 'dsa-postgres-backup':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-backup6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))'
+                       }
+               }
+               buxtehude: {
+                       @ferm::rule { 'dsa-postgres-backup':
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V4 ))'
+                       }
+                       @ferm::rule { 'dsa-postgres-backup6':
+                               domain          => 'ip6',
+                               description     => 'Allow postgress access',
+                               rule            => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V6 ))'
+                       }
+               }
+               default: {}
+       }
+       # vpn fu
+       case $::hostname {
+               draghi: {
+                       @ferm::rule { 'dsa-vpn':
+                               description     => 'Allow openvpn access',
+                               rule            => '&SERVICE(udp, 17257)'
+                       }
+                       @ferm::rule { 'dsa-routing':
+                               description     => 'forward chain',
+                               chain           => 'FORWARD',
+                               rule            => 'policy ACCEPT;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+interface tun+ ACCEPT;
+REJECT reject-with icmp-admin-prohibited
+'
+                       }
+                       @ferm::rule { 'dsa-vpn-mark':
+                               table           => 'mangle',
+                               chain           => 'PREROUTING',
+                               rule            => 'interface tun+ MARK set-mark 1',
+                       }
+                       @ferm::rule { 'dsa-vpn-nat':
+                               table           => 'nat',
+                               chain           => 'POSTROUTING',
+                               rule            => 'outerface !tun+ mod mark mark 1 MASQUERADE',
+                       }
+               }
+               ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: {
+                       @ferm::rule { 'dsa-luca-fixme':
+                               description     => 'Allow ssh access from mnt and vpn networks',
+                               rule            => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))',
+                       }
+               }
+               default: {}
+       }
+       # tftp
+       case $::hostname {
+               abel: {
+                       @ferm::rule { 'dsa-tftp':
+                               description     => 'Allow tftp access',
+                               rule            => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))'
+                       }
+               }
+               master: {
+                       @ferm::rule { 'dsa-tftp':
+                               description     => 'Allow tftp access',
+                               rule            => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))'
+                       }
+               }
+       }
+}
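Review bot: In the `dsa-postgres-udd6` rule for ullmann, the source `2001:41c8:1000:21::21:11/32` sits among otherwise `/128` entries. An IPv6 `/32` matches an entire allocation rather than one host, so port 5452 would be open to far more addresses than the v4 rule's `5.153.231.11/32` permits. It looks like the v4 mask was copied across; the entry should presumably read `2001:41c8:1000:21::21:11/128`. The value appears to be carried over from the deleted `per-host.pp`, so this rename is a good point to correct it. Separately, the `stockhausen` and tftp `case` blocks have no `default: {}` branch, unlike the other blocks in this class.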
index 939f926..f63d421 100644 (file)
@@ -14,7 +14,7 @@ define ferm::rule (
                "/etc/ferm/dsa.d/${prio}_${name}":
                        ensure  => present,
                        mode    => '0400',
-                       content => template('ferm/ferm-rule.erb'),
+                       content => template('ferm/ferm_rule.erb'),
                        notify  => Service['ferm'],
        }
 }
diff --git a/modules/ferm/templates/ferm-rule.erb b/modules/ferm/templates/ferm-rule.erb
deleted file mode 100644 (file)
index 235b8e3..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-domain <%= domain %> {
-       table <%= table %> {
-               chain <%= chain %> {
-                       <%= rule %><% unless notarule -%>;<% end -%>
-
-               }
-       }
-}
diff --git a/modules/ferm/templates/ferm_rule.erb b/modules/ferm/templates/ferm_rule.erb
new file mode 100644 (file)
index 0000000..ef67415
--- /dev/null
@@ -0,0 +1,13 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+domain <%= @domain %> {
+       table <%= @table %> {
+               chain <%= @chain %> {
+                       <%= @rule %><% unless @notarule -%>;<% end -%>
+
+               }
+       }
+}
index 72e65f4..627e4bf 100644 (file)
@@ -21,7 +21,7 @@ end
 ssh4allowed = []
 ssh6allowed = []
 
-should_restrict = restrict_ssh.include?(hostname)
+should_restrict = restrict_ssh.include?(@hostname)
 %w{dns_primary dns_geo}.each do |role_restrict|
        if scope.function_has_role([role_restrict]) then
                should_restrict = true
@@ -29,16 +29,16 @@ should_restrict = restrict_ssh.include?(hostname)
 end
 
 
-if restrict_ssh.include?(hostname) then
+if restrict_ssh.include?(@hostname) then
        ssh4allowed << %w{$DSA_IPS    $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4}
        ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 $HOST_DB_V6}
 
-       if %w{draghi}.include?(hostname) then
+       if %w{draghi}.include?(@hostname) then
                ssh4allowed << '$HOST_DEBIAN_V4'
                ssh6allowed << '$HOST_DEBIAN_V6'
        end
 
-       if %w{adayevskaya}.include?(hostname) then
+       if %w{adayevskaya}.include?(@hostname) then
                 out << '@def $MFL_LOCAL = ( 130.83.226.60 );' # Michael Fladerer
                 ssh4allowed << '$MFL_LOCAL'
                ssh4allowed << %w{$HOST_DEBIAN_V4}
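Review bot: The guard `if restrict_ssh.include?(@hostname) then` repeats the list lookup instead of using `should_restrict`, which the previous hunk also sets to true for hosts with the `dns_primary` or `dns_geo` role. Hosts restricted only through a role therefore skip this block and get no entries added to `ssh4allowed`/`ssh6allowed` here. The code that consumes these lists is outside the hunk, so it is not visible whether that is intended. If it is, a comment such as `# role-restricted hosts get their allow list below` would make it clear; if not, the condition should be `if should_restrict then`.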
index 1105ac3..9448d0e 100644 (file)
@@ -4,7 +4,7 @@
 ##
 
 127.0.0.1       localhost
-<%= ipaddress %>        <%= fqdn %> <%= hostname %>
+<%= @ipaddress %>        <%= @fqdn %> <%= @hostname %>
 
 # The following lines are desirable for IPv6 capable hosts
 ::1     localhost ip6-localhost ip6-loopback
index 78ab1da..e91ef22 100644 (file)
@@ -1,6 +1,6 @@
 class linux {
        include ferm
-       include ferm::per-host
+       include ferm::per_host
        include entropykey
-       include rng-tools
+       include rng_tools
 }
index 88055a1..977f184 100644 (file)
@@ -7,7 +7,7 @@
 #   include monit
 #
 class monit {
-       if $::lsbmajdistrelease <= 7 {
+       if $::lsbmajdistrelease <= '7' {
                package { 'monit':
                        ensure => installed
                }
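Review bot: Quoting the literal in `if $::lsbmajdistrelease <= '7'` makes this a string comparison, which as far as I can tell Puppet 4 evaluates lexically, so a release of `'10'` or higher sorts before `'7'` and still takes this branch. If the fact arrives as an integer instead, comparing it with a string is likely to fail at compile time. A version-aware check avoids both, e.g. `if versioncmp("${::lsbmajdistrelease}", '7') <= 0 {`. The template context line `if @lsbmajdistrelease <= '8'` further down this commit has the same lexical-ordering issue. The class body continues outside the hunk.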
index 686f630..f078a5f 100644 (file)
@@ -40,7 +40,7 @@ end
 
 ninfo = scope.lookupvar('site::nodeinfo')
 
-extra = 'Welcome to ' + fqdn
+extra = 'Welcome to ' + @fqdn
 if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('purpose'))
   p = scope.lookupvar('site::nodeinfo')['ldap']['purpose'].clone()
   entries = ""
@@ -84,7 +84,7 @@ end
 
 vms = []
 scope.lookupvar('site::allnodeinfo').keys.sort.each do |node|
-  if scope.lookupvar('site::allnodeinfo')[node]['physicalHost'] and scope.lookupvar('site::allnodeinfo')[node]['physicalHost'].include?(fqdn)
+  if scope.lookupvar('site::allnodeinfo')[node]['physicalHost'] and scope.lookupvar('site::allnodeinfo')[node]['physicalHost'].include?(@fqdn)
     vms << node
   end
 end
diff --git a/modules/munin/manifests/master-per-node.pp b/modules/munin/manifests/master-per-node.pp
deleted file mode 100644 (file)
index 1d8864e..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-define munin::master-per-node($ipaddress, $munin_async) {
-       $client_fqdn               = $name
-       $client_ipaddress          = $ipaddress
-       $client_munin_async        = $munin_async
-
-       file { "/etc/munin/munin-conf.d/${name}.conf":
-               content => template('munin/munin.conf-per-node.erb'),
-       }
-}
diff --git a/modules/munin/manifests/master_per_node.pp b/modules/munin/manifests/master_per_node.pp
new file mode 100644 (file)
index 0000000..cdb1dec
--- /dev/null
@@ -0,0 +1,9 @@
+define munin::master_per_node($ipaddress, $munin_async) {
+       $client_fqdn               = $name
+       $client_ipaddress          = $ipaddress
+       $client_munin_async        = $munin_async
+
+       file { "/etc/munin/munin-conf.d/${name}.conf":
+               content => template('munin/munin.conf_per_node.erb'),
+       }
+}
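Review bot: `template('munin/munin.conf_per_node.erb')` resolves under the module's `templates/` directory, but this commit adds the renamed file as `modules/munin/munin.conf_per_node.erb`, while the deleted original was `modules/munin/templates/munin.conf-per-node.erb`. Unless a copy under `templates/` is added elsewhere, catalog compilation for every munin master node entry will fail with a missing template. The new file should be moved to `modules/munin/templates/munin.conf_per_node.erb`.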
diff --git a/modules/munin/munin.conf_per_node.erb b/modules/munin/munin.conf_per_node.erb
new file mode 100644 (file)
index 0000000..421d0dd
--- /dev/null
@@ -0,0 +1,15 @@
+##
+### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+[<%= client_fqdn %>]
+<%
+# variables are different whether or not they go via the stored config thing.
+#  on the host that actually gets the config, client_munin_async is a String, saying "true",
+#  from other hosts it's an actual boolean, i.e. an instance of either FalseClass or TrueClass
+%>
+<%- if has_variable?('client_munin_async') and ((client_munin_async.kind_of?(String) and client_munin_async == "true") or (client_munin_async.kind_of?(TrueClass))) %>
+    address ssh://munin-async@<%= client_fqdn %>/set-in-authkeys
+<%- else %>
+    address <%= client_ipaddress %>
+<%- end %>
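Review bot: This template still reads `client_fqdn`, `client_munin_async` and `client_ipaddress` as bare names, whereas the other templates in this commit were converted to instance variables for Puppet 4. Bare variable lookup is not available there, so the `[<%= client_fqdn %>]` header and both `address` lines would fail to render. Use `@client_fqdn`, `@client_ipaddress` and `@client_munin_async` throughout, e.g. `address ssh://munin-async@<%= @client_fqdn %>/set-in-authkeys`. With instance variables, the `has_variable?('client_munin_async')` guard can be dropped: an unset `@client_munin_async` is nil and the existing `kind_of?` checks already send it to the `else` branch.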
index 9aebf14..872ac55 100644 (file)
@@ -19,7 +19,7 @@ group adm, maillog
 user root
 <%=
 out = ""
-if has_variable?("mta") and mta == "exim4"
+if has_variable?("mta") and @mta == "exim4"
   out="
 [exim_mail*]
 user Debian-exim
@@ -63,7 +63,7 @@ env.critical 98
 
 <%=
 out = ""
-if has_variable?("mta") and mta == "postfix"
+if has_variable?("mta") and @mta == "postfix"
   out="
 [postfix_mailqueue]
 user postfix
diff --git a/modules/munin/templates/munin.conf-per-node.erb b/modules/munin/templates/munin.conf-per-node.erb
deleted file mode 100644 (file)
index 421d0dd..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-##
-### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-##
-
-[<%= client_fqdn %>]
-<%
-# variables are different whether or not they go via the stored config thing.
-#  on the host that actually gets the config, client_munin_async is a String, saying "true",
-#  from other hosts it's an actual boolean, i.e. an instance of either FalseClass or TrueClass
-%>
-<%- if has_variable?('client_munin_async') and ((client_munin_async.kind_of?(String) and client_munin_async == "true") or (client_munin_async.kind_of?(TrueClass))) %>
-    address ssh://munin-async@<%= client_fqdn %>/set-in-authkeys
-<%- else %>
-    address <%= client_ipaddress %>
-<%- end %>
index f307ec6..8f81582 100644 (file)
@@ -5,7 +5,7 @@
 
 <%=
 ignore = []
-case fqdn
+case @fqdn
 when /draghi.debian.org/ then                                  ignore << %w{userdir-ldap userdir-ldap-cgi libheimdal-kadm5-perl django-ldapdb ud python-cdb python-nameparser python-django-ldapdb}
 when "handel.debian.org" then                                  ignore << %w{puppet-dashboard}
 when "reger.debian.org" then                                   ignore << %w{librt-extension-commandbymail-perl}
@@ -15,7 +15,7 @@ when /(storace|backuphost).debian.org/ then                    ignore << %w{post
 end
 
 if @lsbmajdistrelease <= '8'
-  case fqdn
+  case @fqdn
     when /(acker|aagaard).debian.org/ then                     ignore << %w{qemu-efi}
   end
 end
index 14b2fb7..6120c41 100644 (file)
@@ -7,10 +7,10 @@ PARTICIPATE="yes"
 USEHTTP="yes"
 <%=
 # hostids are 32 hexchars long
-id_short = popcon_host_id[0,32]
+id_short = @popcon_host_id[0,32]
 
 # slightly biased, but meh
-day = (popcon_host_id[0].ord + 256*popcon_host_id[1].ord) % 7
+day = (@popcon_host_id[0].ord + 256*@popcon_host_id[1].ord) % 7
 
 conf = []
 conf << "MY_HOSTID=\"#{id_short}\""
index 063312a..ec11e54 100644 (file)
@@ -30,7 +30,7 @@ config.each_pair do |sourcehost, services|
        ##lines << "# sourcehost is #{sourcehost}"
        services.each do |service|
                ##lines << "# targethost is #{service['target_host']}, my hostname #{hostname}, fqdn is #{fqdn}"
-               next if service['target_host'] != fqdn
+               next if service['target_host'] != @fqdn
                allowed_ports << service['target_port'] if service['target_port']
        end
 
index 7ff0dfb..93ba0af 100644 (file)
@@ -25,7 +25,7 @@ template = 'service @@TARGET_HOST@@@@TARGET_PORT@@
 '
 
 config = YAML.load(File.open('/etc/puppet/modules/portforwarder/misc/config.yaml').read)
-if config[fqdn]
+if config[@fqdn]
        config[fqdn].each do |service|
                target_port = service['target_port']
                target_host = service['target_host']
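Review bot: The line after the changed condition still reads `config[fqdn].each do |service|`, so the guard was converted to `@fqdn` but the lookup it protects was not; it should be `config[@fqdn].each do |service|`. The same leftover appears in the stunnel template hunk, where the interpolation in `":::#{accept}"` should be `":::#{@accept}"`, and possibly in the authorized_keys hunk, where `roles` and `allnodeinfo` are still bare unless they are assigned as locals earlier in that template. Bare-word lookups of Puppet variables are expected to stop resolving in templates under Puppet 4, so these paths would fail at catalog compilation, and only on hosts that reach them. The `if` block continues past the end of the hunk.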
index e16290c..9f628cb 100644 (file)
@@ -22,7 +22,7 @@ module Puppet::Parser::Functions
         next unless  localinfo[node]['entropy_key']
 
         addresses = allnodeinfo[node]['ipHostNumber']
-        thishoster = function_whohosts([addresses, "/etc/puppet/modules/debian-org/misc/hoster.yaml"])
+        thishoster = function_whohosts([addresses, "/etc/puppet/modules/debian_org/misc/hoster.yaml"])
         name = thishoster['name']
 
         provider << node
index 71d5ee5..1380a02 100644 (file)
@@ -12,7 +12,7 @@ module Puppet::Parser::Functions
       unless nodeinfo['ldap']['ipHostNumber']
         raise Puppet::ParseError, "Host #{host} does not have ipHostNumber values in ldap"
       end
-      nodeinfo['hoster'] = function_whohosts([nodeinfo['ldap']['ipHostNumber'], "/etc/puppet/modules/debian-org/misc/hoster.yaml"])
+      nodeinfo['hoster'] = function_whohosts([nodeinfo['ldap']['ipHostNumber'], "/etc/puppet/modules/debian_org/misc/hoster.yaml"])
       nodeinfo['buildd'] = (nodeinfo['ldap']['purpose'].respond_to?('include?') && nodeinfo['ldap']['purpose'].include?('buildd'))
       nodeinfo['timeserver'] = (nodeinfo['ldap']['purpose'].respond_to?('include?') && nodeinfo['ldap']['purpose'].include?('timeserver'))
       nodeinfo['porterbox'] = (nodeinfo['ldap']['purpose'].respond_to?('include?') && nodeinfo['ldap']['purpose'].include?('porterbox'))
index dc2babe..a42aa25 100644 (file)
@@ -10,7 +10,7 @@ searchpaths << "debian.org" -%>
 search <%= searchpaths.to_a.flatten.join(" ") %>
 <%
 nameservers = []
-if %w{draghi}.include?(hostname)
+if %w{draghi}.include?(@hostname)
   nameservers << "127.0.0.1"
 end
 nameservers += @ns
diff --git a/modules/rng-tools/manifests/init.pp b/modules/rng-tools/manifests/init.pp
deleted file mode 100644 (file)
index abbc486..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-class rng-tools {
-       if $has_dev_hwrng {
-               package { 'rng-tools':
-                       ensure => installed
-               }
-               service { 'rng-tools':
-                       ensure  => running,
-                       require => Package['rng-tools']
-               }
-       }
-}
diff --git a/modules/rng_tools/manifests/init.pp b/modules/rng_tools/manifests/init.pp
new file mode 100644 (file)
index 0000000..c8bb9ab
--- /dev/null
@@ -0,0 +1,11 @@
+class rng_tools {
+       if $has_dev_hwrng {
+               package { 'rng-tools':
+                       ensure => installed
+               }
+               service { 'rng-tools':
+                       ensure  => running,
+                       require => Package['rng-tools']
+               }
+       }
+}
index 72ee42a..018a05e 100644 (file)
@@ -180,7 +180,7 @@ file=/etc/ssh/userkeys
 file=/etc/ssh/userkeys/staticsync
 <% end -%>
 file=/etc/rsyncd
-<%- if hostname == "sibelius" then -%>
+<%- if @hostname == "sibelius" then -%>
 file=/etc/tsm
 file=/etc/tsm/TSM.PWD
 <% end -%>
@@ -945,7 +945,7 @@ SetMailNum = 10
 
 ## Recipient (max. 8)
 #
-SetMailAddress=samhain-reports@<%= fqdn -%>
+SetMailAddress=samhain-reports@<%= @fqdn -%>
 
 SetMailRelay = localhost
 
index d405714..19a64b5 100644 (file)
@@ -1,7 +1,7 @@
 class site {
 
-       $localinfo = yamlinfo('*', '/etc/puppet/modules/debian-org/misc/local.yaml')
-       $nodeinfo  = nodeinfo($::fqdn, '/etc/puppet/modules/debian-org/misc/local.yaml')
+       $localinfo = yamlinfo('*', '/etc/puppet/modules/debian_org/misc/local.yaml')
+       $nodeinfo  = nodeinfo($::fqdn, '/etc/puppet/modules/debian_org/misc/local.yaml')
        $allnodeinfo = allnodeinfo('sshRSAHostKey ipHostNumber', 'purpose mXRecord physicalHost purpose')
         $roles = hiera('roles')
 
index e2d8f88..b9e3434 100644 (file)
@@ -1,4 +1,4 @@
-define site::sysctl ($key='', $value='', $target=Linux, $ensure = present) {
+define site::sysctl ($key='', $value='', $target='Linux', $ensure = present) {
        include site
        case $ensure {
                present: { if ($key == "" or $value == "") { fail ( "Need to provide key and value" )} }
index d86093e..fc576f8 100644 (file)
@@ -37,7 +37,7 @@ class ssh {
                content => template('ssh/authorized_keys.erb'),
        }
 
-       if ($::lsbmajdistrelease >= 8) {
+       if ($::lsbmajdistrelease >= '8') {
                if ! $has_etc_ssh_ssh_host_ed25519_key {
                        exec { 'create-ed25519-host-key':
                                command => 'ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -q -P "" -t ed25519',
index 274654f..ad126fa 100644 (file)
@@ -4,7 +4,7 @@
 %>
 
 # local admin
-<%= localkeys = case fqdn
+<%= localkeys = case @fqdn
          when "pettersson.debian.org" then "from=\"nixon.acc.umu.se\" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwDw56/XK0/uQB+ZIOZIfZ3vpz9zLRuv6G0U4eU4VavqvaL0dXSNhGJLBDLlfpxtJYwYf/mSoK4WZasbbfHxz8jtIxK9c9aGkVA0GKT+xiHWB3J1SlwJaA7S7Ed8nNcG5PNOVd30BD5LimkS53Nz841e+MgZRuL9SfLALq7er03U= root@nixon"
 end
 localkeys
@@ -46,7 +46,7 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDJp6ryOTW7VgqEa+n6uKpi/bh2PO4P9Z/voz0zPYtP
 <%=
 
 machine_keys = []
-case fqdn
+case @fqdn
   when "storace.debian.org" then
     roles['dabackup_client'].each do |node|
       if allnodeinfo.has_key?(node)
index ddd7556..e132a20 100644 (file)
@@ -54,7 +54,7 @@ Host *
     GSSAPIAuthentication no
     GSSAPIDelegateCredentials no
     VerifyHostKeyDNS yes
-<%- if (hostname == "sibelius") -%>
+<%- if (@hostname == "sibelius") -%>
     ServerAliveInterval 450
 <%- end -%>
 # Used for the email-virtualdomains setup
index 6330a27..7a8ff87 100644 (file)
@@ -8,7 +8,7 @@
 
 # What ports, IPs and protocols we listen for
 Port 22
-<%= extraports = case fqdn
+<%= extraports = case @fqdn
                         when "paradis.debian.org" then "
 ListenAddress 0.0.0.0:22
 ListenAddress [::]:22
@@ -24,7 +24,7 @@ extraports
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
-<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && has_etc_ssh_ssh_host_ed25519_key == "true" -%>
+<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key == "true" -%>
 HostKey /etc/ssh/ssh_host_ed25519_key
 <% end %>
 #Privilege Separation is turned on for security
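Review bot: The added condition matches only when the fact is the string "true"; if the agent sends typed facts, a boolean `true` would fail `== "true"` and the ed25519 `HostKey` line would silently drop out of sshd_config. Whether this fact is a string or a boolean is not visible here, so it needs confirming; `@has_etc_ssh_ssh_host_ed25519_key.to_s == "true"` accepts both. With the instance variable in place the `has_variable?` guard is also redundant, since an unset instance variable evaluates to nil.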
index d2a3258..67cf7fd 100644 (file)
@@ -3,7 +3,7 @@
 ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
 ##
 
-<%- if client -%>
+<%- if @client -%>
 cert = /etc/ssl/debian/certs/thishost.crt
 key = /etc/ssl/private/thishost.key
 <%- else -%>
@@ -16,11 +16,11 @@ chroot = /var/run/stunnel4
 setuid = stunnel4
 setgid = stunnel4
 ; PID is created inside chroot jail
-pid = /stunnel-<%= name %>.pid
+pid = /stunnel-<%= @name %>.pid
 
-verify = <%= verify %>
-CAfile = <%= cafile %>
-<%- if crlfile -%>
+verify = <%= @verify %>
+CAfile = <%= @cafile %>
+<%- if @crlfile -%>
 CRLfile = /etc/exim4/ssl/ca.crl
 <%- end -%>
 
@@ -29,16 +29,16 @@ debug = notice
 ; don't use a file, use syslog
 ; output = /var/log/stunnel4/stunnel.log
 
-client = <%= client ? "yes" : "no" %>
+client = <%= @client ? "yes" : "no" %>
 
 socket = a:SO_LINGER=1:60
 socket = a:SO_KEEPALIVE=1
 
-[<%= name %>-server]
-accept = <%= accept =~ /:/ ? accept : ":::#{accept}" %>
-connect = <%= connect %>
-<%- if local -%>
-local = <%= local %>
+[<%= @name %>-server]
+accept = <%= @accept =~ /:/ ? @accept : ":::#{accept}" %>
+connect = <%= @connect %>
+<%- if @local -%>
+local = <%= @local %>
 <%- end -%>
 
 ; vim:ft=dosini
diff --git a/modules/syslog-ng/files/syslog-ng.default b/modules/syslog-ng/files/syslog-ng.default
deleted file mode 100644 (file)
index a32c4b2..0000000
+++ /dev/null
@@ -1,18 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# If a variable is not set here, then the corresponding
-# parameter will not be changed.
-# If a variables is set, then every invocation of
-# syslog-ng's init script will set them using dmesg.
-
-# log level of messages which should go to console
-# see <linux/kernel.h> for details
-#
-CONSOLE_LOG_LEVEL=2
-
-# Command line options to syslog-ng
-#SYSLOGNG_OPTS="--no-caps"
-
diff --git a/modules/syslog-ng/files/syslog-ng.logrotate b/modules/syslog-ng/files/syslog-ng.logrotate
deleted file mode 100644 (file)
index 2714307..0000000
+++ /dev/null
@@ -1,128 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-/var/log/auth.log {
-   rotate 4
-   missingok
-   notifempty
-   weekly
-   compress
-}
-
-/var/log/cron.log {
-   rotate 4
-   weekly
-   missingok
-   notifempty
-   compress
-}
-
-/var/log/daemon.log {
-   rotate 7
-   weekly
-   missingok
-   notifempty
-   compress
-}
-
-/var/log/debug {
-   rotate 4
-   weekly
-   missingok
-   notifempty
-   compress
-}
-
-/var/log/kern.log {
-   rotate 4
-   weekly
-   missingok
-   notifempty
-   compress
-}
-
-/var/log/lpr.log {
-   rotate 4
-   weekly
-   missingok
-   notifempty
-   compress
-}
-
-/var/log/mail.err {
-   rotate 30
-   daily
-   dateext
-   missingok
-   notifempty
-   compress
-}
-
-/var/log/mail.info {
-   rotate 30
-   daily
-   dateext
-   missingok
-   notifempty
-   compress
-}
-
-/var/log/mail.log {
-   rotate 30
-   daily
-   dateext
-   missingok
-   notifempty
-   compress
-   # listmaster asked for this one
-   delaycompress
-}
-
-/var/log/mail.warn {
-   rotate 30
-   daily
-   dateext
-   missingok
-   notifempty
-   compress
-}
-
-/var/log/messages {
-   rotate 4
-   weekly
-   missingok
-   notifempty
-   compress
-}
-
-
-/var/log/user.log {
-   rotate 4
-   weekly
-   missingok
-   notifempty
-   compress
-}
-
-/var/log/uucp.log {
-   rotate 4
-   missingok
-   notifempty
-   weekly
-   compress
-}
-
-/var/log/syslog {
-   rotate 7
-   daily
-   compress
-   postrotate
-      if [ -d /run/systemd/system ]; then
-          /bin/systemctl reload syslog-ng.service >/dev/null
-      else
-          /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null
-      fi
-   endscript
-}
diff --git a/modules/syslog-ng/files/syslog-ng.logrotate.loggers b/modules/syslog-ng/files/syslog-ng.logrotate.loggers
deleted file mode 100644 (file)
index 75212ca..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-/var/log/mail-all.log {
-   rotate 4
-   weekly
-   missingok
-   notifempty
-   compress
-}
-
-/var/log/syslog-all {
-   rotate 4
-   missingok
-   notifempty
-   weekly
-   compress
-}
-
-/var/log/auth-all.log {
-   rotate 4
-   missingok
-   notifempty
-   weekly
-   compress
-   postrotate
-      /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null
-   endscript
-}
diff --git a/modules/syslog-ng/files/syslog-ng.service b/modules/syslog-ng/files/syslog-ng.service
deleted file mode 100644 (file)
index 0598277..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=System Logger Daemon
-Documentation=man:syslog-ng(8)
-After=network-online.target unbound.service
-
-[Service]
-Type=notify
-ExecStart=/usr/sbin/syslog-ng -F
-ExecReload=/bin/kill -HUP $MAINPID
-StandardOutput=journal
-StandardError=journal
-Restart=always
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
diff --git a/modules/syslog-ng/manifests/init.pp b/modules/syslog-ng/manifests/init.pp
deleted file mode 100644 (file)
index c55b687..0000000
+++ /dev/null
@@ -1,46 +0,0 @@
-class syslog-ng {
-       package { 'syslog-ng':
-               ensure => installed
-       }
-
-       service { 'syslog-ng':
-               ensure => running,
-               hasstatus => false,
-               pattern   => 'syslog-ng',
-       }
-
-       file { '/etc/syslog-ng/syslog-ng.conf':
-               content => template('syslog-ng/syslog-ng.conf.erb'),
-               require => Package['syslog-ng'],
-               notify  => Service['syslog-ng']
-       }
-       file { '/etc/default/syslog-ng':
-               source  => 'puppet:///modules/syslog-ng/syslog-ng.default',
-               require => Package['syslog-ng'],
-               notify  => Service['syslog-ng']
-       }
-       file { '/etc/logrotate.d/syslog-ng':
-               source  => 'puppet:///modules/syslog-ng/syslog-ng.logrotate',
-               require => Package['syslog-ng']
-       }
-       if $::hostname in [lotty,lully,loghost-grnet-01] {
-               file { '/etc/logrotate.d/syslog-ng-loggers':
-                       source  => 'puppet:///modules/syslog-ng/syslog-ng.logrotate.loggers',
-                       require => Package['syslog-ng']
-               }
-       }
-       # while syslog-ng breaks on boot
-
-       if $systemd {
-               file { '/etc/systemd/system/syslog-ng.service':
-                       ensure => $servicefiles,
-                       source => 'puppet:///modules/syslog-ng/syslog-ng.service',
-                       notify => Exec['systemctl daemon-reload'],
-               }
-
-               file { '/etc/systemd/system/syslog.service':
-                       ensure => absent,
-                       notify => Exec['systemctl daemon-reload'],
-               }
-       }
-}
diff --git a/modules/syslog-ng/templates/syslog-ng.conf.erb b/modules/syslog-ng/templates/syslog-ng.conf.erb
deleted file mode 100644 (file)
index 551b7db..0000000
+++ /dev/null
@@ -1,556 +0,0 @@
-<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%>
-@version: 3.0
-<%- elsif has_variable?("syslogversion") and syslogversion.to_s == "3.5" -%>
-@version: 3.5
-@include "scl.conf"
-<%- else -%>
-@version: 3.3
-@include "scl.conf"
-<%- end -%>
-
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#
-# Configuration file for syslog-ng under Debian
-#
-# attempts at reproducing default syslog behavior
-
-# the standard syslog levels are (in descending order of priority):
-# emerg alert crit err warning notice info debug
-# the aliases "error", "panic", and "warn" are deprecated
-# the "none" priority found in the original syslogd configuration is
-# only used in internal messages created by syslogd
-
-
-######
-# options
-
-options {
-        # disable the chained hostname format in logs
-        # (default is enabled)
-        chain_hostnames(1);
-
-        # the time to wait before a died connection is re-established
-        # (default is 60)
-        time_reopen(10);
-
-        # the time to wait before an idle destination file is closed
-        # (default is 60)
-        time_reap(360);
-
-        # the number of lines buffered before written to file
-        # you might want to increase this if your disk isn't catching with
-        # all the log messages you get or if you want less disk activity
-        # (say on a laptop)
-        # (default is 0)
-        #sync(0);
-
-        # the number of lines fitting in the output queue
-<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%>
-        log_fifo_size(2048);
-<%- else -%>
-        log_fifo_size(10000);
-<%- end -%>
-
-        # enable or disable directory creation for destination files
-        create_dirs(yes);
-
-        # default owner, group, and permissions for log files
-        # (defaults are 0, 0, 0600)
-        #owner(root);
-        group(adm);
-        perm(0640);
-
-        # default owner, group, and permissions for created directories
-        # (defaults are 0, 0, 0700)
-        #dir_owner(root);
-        #dir_group(root);
-        dir_perm(0755);
-
-        # enable or disable DNS usage
-        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
-        # a Denial of Service attack
-        # (default is yes)
-        use_dns(no);
-
-        # maximum length of message in bytes
-        # this is only limited by the program listening on the /dev/log Unix
-        # socket, glibc can handle arbitrary length log messages, but -- for
-        # example -- syslogd accepts only 1024 bytes
-        # (default is 2048)
-        #log_msg_size(2048);
-
-       #Disable statistic log messages.
-       stats_freq(0);
-
-       # Some program send log messages through a private implementation.
-       # and sometimes that implementation is bad. If this happen syslog-ng
-       # may recognise the program name as hostname. Whit this option
-       # we tell the syslog-ng that if a hostname match this regexp than that
-       # is not a real hostname.
-       bad_hostname("^gconfd$");
-
-       keep_hostname(no);
-
-       # We believe our own clock more than we believe the client clock.
-       keep_timestamp(no);
-};
-
-
-######
-# sources
-
-# all known message sources
-source s_local {
-        # message generated by Syslog-NG
-        internal();
-<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%>
-        # standard Linux log source (this is the default place for the syslog()
-        # function to send logs to)
-        unix-stream("/dev/log");
-        # messages from the kernel
-        file("/proc/kmsg" program_override("kernel: "));
-<%- else -%>
-       system();
-<%- end -%>
-};
-
-<%- if (hostname == "lotti") || (hostname == "lully") || (hostname == "loghost-grnet-01") -%>
-source s_network {
-       tcp6(port(5140) max-connections(400)
-               tls( key_file("/etc/exim4/ssl/thishost.key")
-                    cert_file("/etc/exim4/ssl/thishost.crt")
-                    ca_dir("/etc/exim4/ssl/")
-               )
-       );
-};
-<%- end -%>
-
-
-######
-# destinations
-
-# some standard log files
-destination df_auth { file("/var/log/auth.log"); };
-destination df_syslog { file("/var/log/syslog"); };
-destination df_cron { file("/var/log/cron.log"); };
-destination df_daemon { file("/var/log/daemon.log"); };
-destination df_kern { file("/var/log/kern.log"); };
-destination df_lpr { file("/var/log/lpr.log"); };
-destination df_mail { file("/var/log/mail.log" group(maillog)); };
-# destination df_mail_info { file("/var/log/mail.info" group(maillog)); };
-destination df_mail_warn { file("/var/log/mail.warn" group(maillog)); };
-destination df_mail_err { file("/var/log/mail.err" group(maillog)); };
-destination df_user { file("/var/log/user.log" perm(0644)); };
-destination df_uucp { file("/var/log/uucp.log"); };
-
-# these files are meant for the mail system log files
-# and provide re-usable destinations for {mail,cron,...}.info,
-# {mail,cron,...}.notice, etc.
-destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
-destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
-destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
-destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
-destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
-
-# these files are meant for the news system, and are kept separated
-# because they should be owned by "news" instead of "root"
-destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
-destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
-destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };
-
-# some more classical and useful files found in standard syslog configurations
-destination df_debug { file("/var/log/debug"); };
-destination df_messages { file("/var/log/messages"); };
-
-<%- if kernel == 'Linux' -%>
-# pipes
-# a console to view log messages under X
-destination dp_xconsole { pipe("/dev/xconsole"); };
-
-<%- end -%>
-# consoles
-# this will send messages to everyone logged in
-destination du_all { usertty("*"); };
-
-
-######
-# filters
-
-# all messages from the auth and authpriv facilities
-filter f_auth { facility(auth, authpriv); };
-
-# all messages except from the auth and authpriv facilities
-filter f_syslog { not facility(auth, authpriv, mail); };
-
-# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
-# and uucp facilities
-filter f_cron { facility(cron); };
-filter f_daemon { facility(daemon); };
-filter f_kern { facility(kern); };
-filter f_lpr { facility(lpr); };
-filter f_mail { facility(mail); };
-filter f_news { facility(news); };
-filter f_user { facility(user); };
-filter f_uucp { facility(uucp); };
-
-# some filters to select messages of priority greater or equal to info, warn,
-# and err
-# (equivalents of syslogd's *.info, *.warn, and *.err)
-filter f_at_least_info { level(info..emerg); };
-filter f_at_least_notice { level(notice..emerg); };
-filter f_at_least_warn { level(warn..emerg); };
-filter f_at_least_err { level(err..emerg); };
-filter f_at_least_crit { level(crit..emerg); };
-
-# all messages of priority debug not coming from the auth, authpriv, news, and
-# mail facilities
-filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
-
-# all messages of info, notice, or warn priority not coming form the auth,
-# authpriv, cron, daemon, mail, and news facilities
-filter f_messages {
-        level(info,notice,warn)
-            and not facility(auth,authpriv,cron,daemon,mail,news);
-};
-
-# messages with priority emerg
-filter f_emerg { level(emerg); };
-
-<%- if kernel == 'Linux' -%>
-# complex filter for messages usually sent to the xconsole
-filter f_xconsole {
-    facility(daemon,mail)
-        or level(debug,info,notice,warn)
-        or (facility(news)
-                and level(crit,err,notice));
-};
-
-<%- end -%>
-
-# order matters if you use "flags(final);" to mark the end of processing in a
-# "log" statement
-
-###############################################################################
-########## ON LOG CLIENTS #####################################################
-###############################################################################
-###############################################################################
-###############################################################################
-# all log clients, including the log server, log their locally created
-# messages to the standard places.
-
-# auth,authpriv.*                 /var/log/auth.log
-log {
-        source(s_local);
-        filter(f_auth);
-        destination(df_auth);
-};
-
-# *.*;auth,authpriv.none          -/var/log/syslog
-log {
-        source(s_local);
-        filter(f_syslog);
-        destination(df_syslog);
-};
-
-# this is commented out in the default syslog.conf
-# cron.*                         /var/log/cron.log
-#log {
-#        source(s_local);
-#        filter(f_cron);
-#        destination(df_cron);
-#};
-
-# daemon.*                        -/var/log/daemon.log
-log {
-        source(s_local);
-        filter(f_daemon);
-        destination(df_daemon);
-};
-
-# kern.*                          -/var/log/kern.log
-log {
-        source(s_local);
-        filter(f_kern);
-        destination(df_kern);
-};
-
-# lpr.*                           -/var/log/lpr.log
-log {
-        source(s_local);
-        filter(f_lpr);
-        destination(df_lpr);
-};
-
-# mail.*                          -/var/log/mail.log
-log {
-        source(s_local);
-        filter(f_mail);
-        destination(df_mail);
-};
-
-# user.*                          -/var/log/user.log
-log {
-        source(s_local);
-        filter(f_user);
-        destination(df_user);
-};
-
-# uucp.*                          /var/log/uucp.log
-log {
-        source(s_local);
-        filter(f_uucp);
-        destination(df_uucp);
-};
-
-# mail.info                       -/var/log/mail.info
-#log {
-#        source(s_local);
-#        filter(f_mail);
-#        filter(f_at_least_info);
-#        destination(df_mail_info);
-#};
-
-# mail.warn                       -/var/log/mail.warn
-log {
-        source(s_local);
-        filter(f_mail);
-        filter(f_at_least_warn);
-        destination(df_mail_warn);
-};
-
-# mail.err                        /var/log/mail.err
-log {
-        source(s_local);
-        filter(f_mail);
-        filter(f_at_least_err);
-        destination(df_mail_err);
-};
-
-# news.crit                       /var/log/news/news.crit
-log {
-        source(s_local);
-        filter(f_news);
-        filter(f_at_least_crit);
-        destination(df_news_dot_crit);
-};
-
-# news.err                        /var/log/news/news.err
-log {
-        source(s_local);
-        filter(f_news);
-        filter(f_at_least_err);
-        destination(df_news_dot_err);
-};
-
-# news.notice                     /var/log/news/news.notice
-log {
-        source(s_local);
-        filter(f_news);
-        filter(f_at_least_notice);
-        destination(df_news_dot_notice);
-};
-
-
-# *.=debug;\
-#         auth,authpriv.none;\
-#         news.none;mail.none     -/var/log/debug
-log {
-        source(s_local);
-        filter(f_debug);
-        destination(df_debug);
-};
-
-
-# *.=info;*.=notice;*.=warn;\
-#         auth,authpriv.none;\
-#         cron,daemon.none;\
-#         mail,news.none          -/var/log/messages
-log {
-        source(s_local);
-        filter(f_messages);
-        destination(df_messages);
-};
-
-# *.emerg                         *
-log {
-        source(s_local);
-        filter(f_emerg);
-        destination(du_all);
-};
-
-
-<%- if kernel == 'Linux' -%>
-# daemon.*;mail.*;\
-#         news.crit;news.err;news.notice;\
-#         *.=debug;*.=info;\
-#         *.=notice;*.=warn       |/dev/xconsole
-log {
-        source(s_local);
-        filter(f_xconsole);
-        destination(dp_xconsole);
-};
-<%- end -%>
-
-
- <%- if hostname != "lotti" -%>
-destination loghost-lotti {
-       tcp("lotti.debian.org" port (5140)
-               tls( key_file("/etc/ssl/private/thishost.key")
-                    cert_file("/etc/ssl/debian/certs/thishost.crt")
-                    ca_dir("/etc/ssl/debian/certs/")
-               )
-       );
-};
- <%- end -%>
-  <%- if hostname != "lully" -%>
-destination loghost-lully {
-       tcp("lully.debian.org" port (5140)
-               tls( key_file("/etc/ssl/private/thishost.key")
-                    cert_file("/etc/ssl/debian/certs/thishost.crt")
-                    ca_dir("/etc/ssl/debian/certs/")
-               )
-       );
-};
- <%- end -%>
-  <%- if hostname != "loghost-grnet-01" -%>
-destination loghost-loghost-grnet-01 {
-       tcp("loghost-grnet-01.debian.org" port (5140)
-               tls( key_file("/etc/ssl/private/thishost.key")
-                    cert_file("/etc/ssl/debian/certs/thishost.crt")
-                    ca_dir("/etc/ssl/debian/certs/")
-               )
-       );
-};
- <%- end -%>
-
-log {
-       source(s_local);
- <%- if hostname != "lotti" -%>
-       destination(loghost-lotti);
- <%- end -%>
- <%- if hostname != "lully" -%>
-       destination(loghost-lully);
- <%- end -%>
- <%- if hostname != "loghost-grnet-01" -%>
-       destination(loghost-loghost-grnet-01);
- <%- end -%>
-};
-
-
-
-<%- if (hostname == "lotti") || (hostname == "lully") || (hostname == "loghost-grnet-01") -%>
-###############################################################################
-########## ON LOG HOST ########################################################
-###############################################################################
-###############################################################################
-#
-# The log server, additionally, also logs all local and remote messages to
-# a few special places.
-destination hostdest_auth           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/auth.log"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_syslog         { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/syslog"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_cron           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/cron.log"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_daemon         { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/daemon.log"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_kern           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/kern.log"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_lpr            { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/lpr.log"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_mail           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/mail.log"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_news           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/news.log"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_user           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/user.log"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_uucp           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/uucp.log"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_debug          { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/debug"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_messages       { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/messages"
-                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-
-
-#----------------------------------------------------------------------
-#  Special catch all destination hostdest_sorting by host
-#----------------------------------------------------------------------
-destination hostdest_facility_dot_info   { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.info"
-                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_facility_dot_notice { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.notice"
-                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_facility_dot_warn   { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.warn"
-                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_facility_dot_err    { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.err"
-                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-destination hostdest_facility_dot_crit   { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.crit"
-                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
-
-
-#----------------------------------------------------------------------
-#  Catch all log files
-#----------------------------------------------------------------------
-destination df_ALL_auth { file("/var/log/auth-all.log"); };
-destination df_ALL_mail { file("/var/log/mail-all.log"); };
-destination df_ALL_syslog { file("/var/log/syslog-all"); };
-
-log { source(s_local);
-      source(s_network);
-      filter(f_auth); destination(hostdest_auth); };
-log { source(s_local);
-      source(s_network);
-      filter(f_syslog); destination(hostdest_syslog); };
-log { source(s_local);
-      source(s_network);
-      filter(f_daemon); destination(hostdest_daemon); };
-log { source(s_local);
-      source(s_network);
-      filter(f_kern); destination(hostdest_kern); };
-log { source(s_local);
-      source(s_network);
-      filter(f_lpr); destination(hostdest_lpr); };
-log { source(s_local);
-      source(s_network);
-      filter(f_mail); destination(hostdest_mail); };
-log { source(s_local);
-      source(s_network);
-      filter(f_news); destination(hostdest_mail); };
-log { source(s_local);
-      source(s_network);
-      filter(f_user); destination(hostdest_user); };
-log { source(s_local);
-      source(s_network);
-      filter(f_uucp); destination(hostdest_uucp); };
-log { source(s_local);
-      source(s_network);
-      filter(f_debug); destination(hostdest_debug); };
-log { source(s_local);
-      source(s_network);
-      filter(f_messages); destination(hostdest_messages); };
-
-log { source(s_local);
-      source(s_network);
-      filter(f_mail); filter(f_at_least_info); destination(hostdest_facility_dot_info); };
-log { source(s_local);
-      source(s_network);
-      filter(f_mail); filter(f_at_least_warn); destination(hostdest_facility_dot_warn); };
-log { source(s_local);
-      source(s_network);
-      filter(f_mail); filter(f_at_least_err); destination(hostdest_facility_dot_err); };
-
-
-## catch all:
-log { source(s_local);
-      source(s_network);
-      filter(f_auth); destination(df_ALL_auth); };
-log { source(s_local);
-      source(s_network);
-      filter(f_mail); destination(df_ALL_mail); };
-log { source(s_local);
-      source(s_network);
-      filter(f_syslog); destination(df_ALL_syslog); };
-<%- end -%>
diff --git a/modules/syslog_ng/files/syslog-ng.default b/modules/syslog_ng/files/syslog-ng.default
new file mode 100644 (file)
index 0000000..a32c4b2
--- /dev/null
@@ -0,0 +1,18 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+# If a variable is not set here, then the corresponding
+# parameter will not be changed.
+# If a variables is set, then every invocation of
+# syslog-ng's init script will set them using dmesg.
+
+# log level of messages which should go to console
+# see <linux/kernel.h> for details
+#
+CONSOLE_LOG_LEVEL=2
+
+# Command line options to syslog-ng
+#SYSLOGNG_OPTS="--no-caps"
+
diff --git a/modules/syslog_ng/files/syslog-ng.logrotate b/modules/syslog_ng/files/syslog-ng.logrotate
new file mode 100644 (file)
index 0000000..2714307
--- /dev/null
@@ -0,0 +1,128 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+/var/log/auth.log {
+   rotate 4
+   missingok
+   notifempty
+   weekly
+   compress
+}
+
+/var/log/cron.log {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/daemon.log {
+   rotate 7
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/debug {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/kern.log {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/lpr.log {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/mail.err {
+   rotate 30
+   daily
+   dateext
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/mail.info {
+   rotate 30
+   daily
+   dateext
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/mail.log {
+   rotate 30
+   daily
+   dateext
+   missingok
+   notifempty
+   compress
+   # listmaster asked for this one
+   delaycompress
+}
+
+/var/log/mail.warn {
+   rotate 30
+   daily
+   dateext
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/messages {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+
+/var/log/user.log {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/uucp.log {
+   rotate 4
+   missingok
+   notifempty
+   weekly
+   compress
+}
+
+/var/log/syslog {
+   rotate 7
+   daily
+   compress
+   postrotate
+      if [ -d /run/systemd/system ]; then
+          /bin/systemctl reload syslog-ng.service >/dev/null
+      else
+          /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null
+      fi
+   endscript
+}
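Review bot: Every stanza except `/var/log/syslog` rotates and compresses its file with no `postrotate`, so syslog-ng is only told to reopen its files by the reload in the last stanza. Until that reload runs, the daemon presumably still holds the renamed file open, and with `compress` but no `delaycompress`, lines written while or after gzip runs can be lost; for `/var/log/auth.log` that is a gap in the audit trail. Adding `delaycompress` to these stanzas, as the `mail.log` stanza already does, or grouping the paths into one stanza with `sharedscripts` and the reload, would close the window. The `/var/log/syslog` stanza also has no `missingok`, so a missing file there would likely skip the only reload. `mail-all.log` and `syslog-all` in syslog-ng.logrotate.loggers follow the same pattern.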
diff --git a/modules/syslog_ng/files/syslog-ng.logrotate.loggers b/modules/syslog_ng/files/syslog-ng.logrotate.loggers
new file mode 100644 (file)
index 0000000..75212ca
--- /dev/null
@@ -0,0 +1,31 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+/var/log/mail-all.log {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/syslog-all {
+   rotate 4
+   missingok
+   notifempty
+   weekly
+   compress
+}
+
+/var/log/auth-all.log {
+   rotate 4
+   missingok
+   notifempty
+   weekly
+   compress
+   postrotate
+      /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null
+   endscript
+}
diff --git a/modules/syslog_ng/files/syslog-ng.service b/modules/syslog_ng/files/syslog-ng.service
new file mode 100644 (file)
index 0000000..0598277
--- /dev/null
@@ -0,0 +1,16 @@
+[Unit]
+Description=System Logger Daemon
+Documentation=man:syslog-ng(8)
+After=network-online.target unbound.service
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/syslog-ng -F
+ExecReload=/bin/kill -HUP $MAINPID
+StandardOutput=journal
+StandardError=journal
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
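Review bot: `After=network-online.target` only orders the unit and does not pull the target into the boot transaction. On a host where no other unit wants that target, syslog-ng may start before the network is up, and the TLS destinations to the log hosts would then fail until `time_reopen` retries. Add `Wants=network-online.target` next to the `After=` line in `[Unit]`. The unit also runs the daemon with no sandboxing directives; whether options such as `ProtectHome=` are compatible with the log paths used here would need testing.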
diff --git a/modules/syslog_ng/manifests/init.pp b/modules/syslog_ng/manifests/init.pp
new file mode 100644 (file)
index 0000000..a9b5206
--- /dev/null
@@ -0,0 +1,46 @@
+class syslog_ng {
+       package { 'syslog-ng':
+               ensure => installed
+       }
+
+       service { 'syslog-ng':
+               ensure => running,
+               hasstatus => false,
+               pattern   => 'syslog-ng',
+       }
+
+       file { '/etc/syslog-ng/syslog-ng.conf':
+               content => template('syslog_ng/syslog-ng.conf.erb'),
+               require => Package['syslog-ng'],
+               notify  => Service['syslog-ng']
+       }
+       file { '/etc/default/syslog-ng':
+               source  => 'puppet:///modules/syslog_ng/syslog-ng.default',
+               require => Package['syslog-ng'],
+               notify  => Service['syslog-ng']
+       }
+       file { '/etc/logrotate.d/syslog-ng':
+               source  => 'puppet:///modules/syslog_ng/syslog-ng.logrotate',
+               require => Package['syslog-ng']
+       }
+       if $::hostname in [lotty,lully,loghost-grnet-01] {
+               file { '/etc/logrotate.d/syslog-ng-loggers':
+                       source  => 'puppet:///modules/syslog_ng/syslog-ng.logrotate.loggers',
+                       require => Package['syslog-ng']
+               }
+       }
+       # while syslog-ng breaks on boot
+
+       if $systemd {
+               file { '/etc/systemd/system/syslog-ng.service':
+                       ensure => $servicefiles,
+                       source => 'puppet:///modules/syslog_ng/syslog-ng.service',
+                       notify => Exec['systemctl daemon-reload'],
+               }
+
+               file { '/etc/systemd/system/syslog.service':
+                       ensure => absent,
+                       notify => Exec['systemctl daemon-reload'],
+               }
+       }
+}
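Review bot: The host list in `if $::hostname in [lotty,lully,loghost-grnet-01]` spells the first host `lotty`, while the template in this same commit tests `@hostname == "lotti"` and forwards to `lotti.debian.org`. If `lotti` is the real name, that log host never gets `/etc/logrotate.d/syslog-ng-loggers`, so `auth-all.log`, `mail-all.log` and `syslog-all` would grow unrotated there. Suggested line: `if $::hostname in ['lotti', 'lully', 'loghost-grnet-01'] {`. `$systemd` and `$servicefiles` are not set anywhere in this class, so it is worth confirming where they come from; if they are facts, reference them with their scope (for example `$::systemd`), since an unresolved `$servicefiles` would leave `ensure` undefined.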
diff --git a/modules/syslog_ng/templates/syslog-ng.conf.erb b/modules/syslog_ng/templates/syslog-ng.conf.erb
new file mode 100644 (file)
index 0000000..d68fe0c
--- /dev/null
@@ -0,0 +1,556 @@
+<%- if has_variable?("syslogversion") and @syslogversion.to_s == "3.1" -%>
+@version: 3.0
+<%- elsif has_variable?("syslogversion") and @syslogversion.to_s == "3.5" -%>
+@version: 3.5
+@include "scl.conf"
+<%- else -%>
+@version: 3.3
+@include "scl.conf"
+<%- end -%>
+
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# Configuration file for syslog-ng under Debian
+#
+# attempts at reproducing default syslog behavior
+
+# the standard syslog levels are (in descending order of priority):
+# emerg alert crit err warning notice info debug
+# the aliases "error", "panic", and "warn" are deprecated
+# the "none" priority found in the original syslogd configuration is
+# only used in internal messages created by syslogd
+
+
+######
+# options
+
+options {
+        # disable the chained hostname format in logs
+        # (default is enabled)
+        chain_hostnames(1);
+
+        # the time to wait before a died connection is re-established
+        # (default is 60)
+        time_reopen(10);
+
+        # the time to wait before an idle destination file is closed
+        # (default is 60)
+        time_reap(360);
+
+        # the number of lines buffered before written to file
+        # you might want to increase this if your disk isn't catching with
+        # all the log messages you get or if you want less disk activity
+        # (say on a laptop)
+        # (default is 0)
+        #sync(0);
+
+        # the number of lines fitting in the output queue
+<%- if has_variable?("syslogversion") and @syslogversion.to_s == "3.1" -%>
+        log_fifo_size(2048);
+<%- else -%>
+        log_fifo_size(10000);
+<%- end -%>
+
+        # enable or disable directory creation for destination files
+        create_dirs(yes);
+
+        # default owner, group, and permissions for log files
+        # (defaults are 0, 0, 0600)
+        #owner(root);
+        group(adm);
+        perm(0640);
+
+        # default owner, group, and permissions for created directories
+        # (defaults are 0, 0, 0700)
+        #dir_owner(root);
+        #dir_group(root);
+        dir_perm(0755);
+
+        # enable or disable DNS usage
+        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
+        # a Denial of Service attack
+        # (default is yes)
+        use_dns(no);
+
+        # maximum length of message in bytes
+        # this is only limited by the program listening on the /dev/log Unix
+        # socket, glibc can handle arbitrary length log messages, but -- for
+        # example -- syslogd accepts only 1024 bytes
+        # (default is 2048)
+        #log_msg_size(2048);
+
+       #Disable statistic log messages.
+       stats_freq(0);
+
+       # Some program send log messages through a private implementation.
+       # and sometimes that implementation is bad. If this happen syslog-ng
+       # may recognise the program name as hostname. Whit this option
+       # we tell the syslog-ng that if a hostname match this regexp than that
+       # is not a real hostname.
+       bad_hostname("^gconfd$");
+
+       keep_hostname(no);
+
+       # We believe our own clock more than we believe the client clock.
+       keep_timestamp(no);
+};
+
+
+######
+# sources
+
+# all known message sources
+source s_local {
+        # message generated by Syslog-NG
+        internal();
+<%- if has_variable?("syslogversion") and @syslogversion.to_s == "3.1" -%>
+        # standard Linux log source (this is the default place for the syslog()
+        # function to send logs to)
+        unix-stream("/dev/log");
+        # messages from the kernel
+        file("/proc/kmsg" program_override("kernel: "));
+<%- else -%>
+       system();
+<%- end -%>
+};
+
+<%- if (@hostname == "lotti") || (@hostname == "lully") || (@hostname == "loghost-grnet-01") -%>
+source s_network {
+       tcp6(port(5140) max-connections(400)
+               tls( key_file("/etc/exim4/ssl/thishost.key")
+                    cert_file("/etc/exim4/ssl/thishost.crt")
+                    ca_dir("/etc/exim4/ssl/")
+               )
+       );
+};
+<%- end -%>
+
+
+######
+# destinations
+
+# some standard log files
+destination df_auth { file("/var/log/auth.log"); };
+destination df_syslog { file("/var/log/syslog"); };
+destination df_cron { file("/var/log/cron.log"); };
+destination df_daemon { file("/var/log/daemon.log"); };
+destination df_kern { file("/var/log/kern.log"); };
+destination df_lpr { file("/var/log/lpr.log"); };
+destination df_mail { file("/var/log/mail.log" group(maillog)); };
+# destination df_mail_info { file("/var/log/mail.info" group(maillog)); };
+destination df_mail_warn { file("/var/log/mail.warn" group(maillog)); };
+destination df_mail_err { file("/var/log/mail.err" group(maillog)); };
+destination df_user { file("/var/log/user.log" perm(0644)); };
+destination df_uucp { file("/var/log/uucp.log"); };
+
+# these files are meant for the mail system log files
+# and provide re-usable destinations for {mail,cron,...}.info,
+# {mail,cron,...}.notice, etc.
+destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
+destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
+destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
+destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
+destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
+
+# these files are meant for the news system, and are kept separated
+# because they should be owned by "news" instead of "root"
+destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
+destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
+destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };
+
+# some more classical and useful files found in standard syslog configurations
+destination df_debug { file("/var/log/debug"); };
+destination df_messages { file("/var/log/messages"); };
+
+<%- if @kernel == 'Linux' -%>
+# pipes
+# a console to view log messages under X
+destination dp_xconsole { pipe("/dev/xconsole"); };
+
+<%- end -%>
+# consoles
+# this will send messages to everyone logged in
+destination du_all { usertty("*"); };
+
+
+######
+# filters
+
+# all messages from the auth and authpriv facilities
+filter f_auth { facility(auth, authpriv); };
+
+# all messages except from the auth and authpriv facilities
+filter f_syslog { not facility(auth, authpriv, mail); };
+
+# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
+# and uucp facilities
+filter f_cron { facility(cron); };
+filter f_daemon { facility(daemon); };
+filter f_kern { facility(kern); };
+filter f_lpr { facility(lpr); };
+filter f_mail { facility(mail); };
+filter f_news { facility(news); };
+filter f_user { facility(user); };
+filter f_uucp { facility(uucp); };
+
+# some filters to select messages of priority greater or equal to info, warn,
+# and err
+# (equivalents of syslogd's *.info, *.warn, and *.err)
+filter f_at_least_info { level(info..emerg); };
+filter f_at_least_notice { level(notice..emerg); };
+filter f_at_least_warn { level(warn..emerg); };
+filter f_at_least_err { level(err..emerg); };
+filter f_at_least_crit { level(crit..emerg); };
+
+# all messages of priority debug not coming from the auth, authpriv, news, and
+# mail facilities
+filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
+
+# all messages of info, notice, or warn priority not coming form the auth,
+# authpriv, cron, daemon, mail, and news facilities
+filter f_messages {
+        level(info,notice,warn)
+            and not facility(auth,authpriv,cron,daemon,mail,news);
+};
+
+# messages with priority emerg
+filter f_emerg { level(emerg); };
+
+<%- if @kernel == 'Linux' -%>
+# complex filter for messages usually sent to the xconsole
+filter f_xconsole {
+    facility(daemon,mail)
+        or level(debug,info,notice,warn)
+        or (facility(news)
+                and level(crit,err,notice));
+};
+
+<%- end -%>
+
+# order matters if you use "flags(final);" to mark the end of processing in a
+# "log" statement
+
+###############################################################################
+########## ON LOG CLIENTS #####################################################
+###############################################################################
+###############################################################################
+###############################################################################
+# all log clients, including the log server, log their locally created
+# messages to the standard places.
+
+# auth,authpriv.*                 /var/log/auth.log
+log {
+        source(s_local);
+        filter(f_auth);
+        destination(df_auth);
+};
+
+# *.*;auth,authpriv.none          -/var/log/syslog
+log {
+        source(s_local);
+        filter(f_syslog);
+        destination(df_syslog);
+};
+
+# this is commented out in the default syslog.conf
+# cron.*                         /var/log/cron.log
+#log {
+#        source(s_local);
+#        filter(f_cron);
+#        destination(df_cron);
+#};
+
+# daemon.*                        -/var/log/daemon.log
+log {
+        source(s_local);
+        filter(f_daemon);
+        destination(df_daemon);
+};
+
+# kern.*                          -/var/log/kern.log
+log {
+        source(s_local);
+        filter(f_kern);
+        destination(df_kern);
+};
+
+# lpr.*                           -/var/log/lpr.log
+log {
+        source(s_local);
+        filter(f_lpr);
+        destination(df_lpr);
+};
+
+# mail.*                          -/var/log/mail.log
+log {
+        source(s_local);
+        filter(f_mail);
+        destination(df_mail);
+};
+
+# user.*                          -/var/log/user.log
+log {
+        source(s_local);
+        filter(f_user);
+        destination(df_user);
+};
+
+# uucp.*                          /var/log/uucp.log
+log {
+        source(s_local);
+        filter(f_uucp);
+        destination(df_uucp);
+};
+
+# mail.info                       -/var/log/mail.info
+#log {
+#        source(s_local);
+#        filter(f_mail);
+#        filter(f_at_least_info);
+#        destination(df_mail_info);
+#};
+
+# mail.warn                       -/var/log/mail.warn
+log {
+        source(s_local);
+        filter(f_mail);
+        filter(f_at_least_warn);
+        destination(df_mail_warn);
+};
+
+# mail.err                        /var/log/mail.err
+log {
+        source(s_local);
+        filter(f_mail);
+        filter(f_at_least_err);
+        destination(df_mail_err);
+};
+
+# news.crit                       /var/log/news/news.crit
+log {
+        source(s_local);
+        filter(f_news);
+        filter(f_at_least_crit);
+        destination(df_news_dot_crit);
+};
+
+# news.err                        /var/log/news/news.err
+log {
+        source(s_local);
+        filter(f_news);
+        filter(f_at_least_err);
+        destination(df_news_dot_err);
+};
+
+# news.notice                     /var/log/news/news.notice
+log {
+        source(s_local);
+        filter(f_news);
+        filter(f_at_least_notice);
+        destination(df_news_dot_notice);
+};
+
+
+# *.=debug;\
+#         auth,authpriv.none;\
+#         news.none;mail.none     -/var/log/debug
+log {
+        source(s_local);
+        filter(f_debug);
+        destination(df_debug);
+};
+
+
+# *.=info;*.=notice;*.=warn;\
+#         auth,authpriv.none;\
+#         cron,daemon.none;\
+#         mail,news.none          -/var/log/messages
+log {
+        source(s_local);
+        filter(f_messages);
+        destination(df_messages);
+};
+
+# *.emerg                         *
+log {
+        source(s_local);
+        filter(f_emerg);
+        destination(du_all);
+};
+
+
+<%- if @kernel == 'Linux' -%>
+# daemon.*;mail.*;\
+#         news.crit;news.err;news.notice;\
+#         *.=debug;*.=info;\
+#         *.=notice;*.=warn       |/dev/xconsole
+log {
+        source(s_local);
+        filter(f_xconsole);
+        destination(dp_xconsole);
+};
+<%- end -%>
+
+
+ <%- if @hostname != "lotti" -%>
+destination loghost-lotti {
+       tcp("lotti.debian.org" port (5140)
+               tls( key_file("/etc/ssl/private/thishost.key")
+                    cert_file("/etc/ssl/debian/certs/thishost.crt")
+                    ca_dir("/etc/ssl/debian/certs/")
+               )
+       );
+};
+ <%- end -%>
+  <%- if @hostname != "lully" -%>
+destination loghost-lully {
+       tcp("lully.debian.org" port (5140)
+               tls( key_file("/etc/ssl/private/thishost.key")
+                    cert_file("/etc/ssl/debian/certs/thishost.crt")
+                    ca_dir("/etc/ssl/debian/certs/")
+               )
+       );
+};
+ <%- end -%>
+  <%- if @hostname != "loghost-grnet-01" -%>
+destination loghost-loghost-grnet-01 {
+       tcp("loghost-grnet-01.debian.org" port (5140)
+               tls( key_file("/etc/ssl/private/thishost.key")
+                    cert_file("/etc/ssl/debian/certs/thishost.crt")
+                    ca_dir("/etc/ssl/debian/certs/")
+               )
+       );
+};
+ <%- end -%>
+
+log {
+       source(s_local);
+ <%- if @hostname != "lotti" -%>
+       destination(loghost-lotti);
+ <%- end -%>
+ <%- if @hostname != "lully" -%>
+       destination(loghost-lully);
+ <%- end -%>
+ <%- if @hostname != "loghost-grnet-01" -%>
+       destination(loghost-loghost-grnet-01);
+ <%- end -%>
+};
+
+
+
+<%- if (@hostname == "lotti") || (@hostname == "lully") || (@hostname == "loghost-grnet-01") -%>
+###############################################################################
+########## ON LOG HOST ########################################################
+###############################################################################
+###############################################################################
+#
+# The log server, additionally, also logs all local and remote messages to
+# a few special places.
+destination hostdest_auth           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/auth.log"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_syslog         { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/syslog"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_cron           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/cron.log"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_daemon         { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/daemon.log"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_kern           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/kern.log"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_lpr            { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/lpr.log"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_mail           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/mail.log"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_news           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/news.log"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_user           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/user.log"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_uucp           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/uucp.log"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_debug          { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/debug"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_messages       { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/messages"
+                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+
+
+#----------------------------------------------------------------------
+#  Special catch all destination hostdest_sorting by host
+#----------------------------------------------------------------------
+destination hostdest_facility_dot_info   { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.info"
+                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_notice { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.notice"
+                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_warn   { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.warn"
+                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_err    { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.err"
+                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_crit   { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.crit"
+                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+
+
+#----------------------------------------------------------------------
+#  Catch all log files
+#----------------------------------------------------------------------
+destination df_ALL_auth { file("/var/log/auth-all.log"); };
+destination df_ALL_mail { file("/var/log/mail-all.log"); };
+destination df_ALL_syslog { file("/var/log/syslog-all"); };
+
+log { source(s_local);
+      source(s_network);
+      filter(f_auth); destination(hostdest_auth); };
+log { source(s_local);
+      source(s_network);
+      filter(f_syslog); destination(hostdest_syslog); };
+log { source(s_local);
+      source(s_network);
+      filter(f_daemon); destination(hostdest_daemon); };
+log { source(s_local);
+      source(s_network);
+      filter(f_kern); destination(hostdest_kern); };
+log { source(s_local);
+      source(s_network);
+      filter(f_lpr); destination(hostdest_lpr); };
+log { source(s_local);
+      source(s_network);
+      filter(f_mail); destination(hostdest_mail); };
+log { source(s_local);
+      source(s_network);
+      filter(f_news); destination(hostdest_mail); };
+log { source(s_local);
+      source(s_network);
+      filter(f_user); destination(hostdest_user); };
+log { source(s_local);
+      source(s_network);
+      filter(f_uucp); destination(hostdest_uucp); };
+log { source(s_local);
+      source(s_network);
+      filter(f_debug); destination(hostdest_debug); };
+log { source(s_local);
+      source(s_network);
+      filter(f_messages); destination(hostdest_messages); };
+
+log { source(s_local);
+      source(s_network);
+      filter(f_mail); filter(f_at_least_info); destination(hostdest_facility_dot_info); };
+log { source(s_local);
+      source(s_network);
+      filter(f_mail); filter(f_at_least_warn); destination(hostdest_facility_dot_warn); };
+log { source(s_local);
+      source(s_network);
+      filter(f_mail); filter(f_at_least_err); destination(hostdest_facility_dot_err); };
+
+
+## catch all:
+log { source(s_local);
+      source(s_network);
+      filter(f_auth); destination(df_ALL_auth); };
+log { source(s_local);
+      source(s_network);
+      filter(f_mail); destination(df_ALL_mail); };
+log { source(s_local);
+      source(s_network);
+      filter(f_syslog); destination(df_ALL_syslog); };
+<%- end -%>
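Review bot: In the log-host section, the statement `filter(f_news); destination(hostdest_mail); };` writes news-facility messages into the per-host `mail.log`, and `hostdest_news` is defined but never used. This looks like a copy-paste slip; the line should probably read `filter(f_news); destination(hostdest_news); };`. Separately, the comment above `chain_hostnames(1);` says the option disables chained hostnames while the value enables it, so one of the two should be corrected. The `tls()` blocks on `s_network` and the `loghost-*` destinations rely on the default peer verification; stating `peer_verify(required-trusted)` explicitly would make the intended trust policy visible to anyone auditing the log transport.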