From: Martin Zobel-Helas Date: Thu, 15 Feb 2018 07:40:55 +0000 (+0100) Subject: Merge remote-tracking branch 'zobel-salsa/zobel-salsa' X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=01224a1c8744adc357f1cedeb512ff8c779ae565;hp=641b06da386fa4d8f9d992fdcc88470c63bb8835;p=mirror%2Fdsa-puppet.git Merge remote-tracking branch 'zobel-salsa/zobel-salsa' --- diff --git a/hieradata/common.yaml b/hieradata/common.yaml index eae4051c8..e78f9829d 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -134,7 +134,7 @@ roles: fastly-backend: false lobos.debian.org: service-hostname: lobos.security.backend.mirrors.debian.org - fastly-backend: true + fastly-backend: false onion_v4_address: 212.211.132.250 santoro.debian.org: fastly-backend: false diff --git a/modules/buildd/files/buildd.conf b/modules/buildd/files/buildd.conf index 7bd496582..efac652ca 100644 --- a/modules/buildd/files/buildd.conf +++ b/modules/buildd/files/buildd.conf @@ -17,6 +17,6 @@ $upload_queues = [ }, { dupload_local_queue_dir => "upload-security", - dupload_archive_name => "security", + dupload_archive_name => "rsync-security", } ]; diff --git a/modules/buildd/files/dupload.conf b/modules/buildd/files/dupload.conf index cf6ab39a1..581353880 100644 --- a/modules/buildd/files/dupload.conf +++ b/modules/buildd/files/dupload.conf @@ -68,7 +68,7 @@ $cfg{'security'} = $cfg{'anonymous-security'}; $cfg{'rsync-security'} = { method => "rsync", login => "buildd-uploader", - fqdn => "ssh.upload.security.debian.org", + fqdn => "ssh.security.upload.debian.org", incoming => "/srv/security.upload.debian.org/SecurityUploadQueue/", # files pass on to dinstall on ftp-master which sends emails itself dinstall_runs => 1, diff --git a/modules/roles/files/planet_master/planet-master.debian.org b/modules/roles/files/planet_master/planet-master.debian.org deleted file mode 100644 index a58f07c6e..000000000 --- a/modules/roles/files/planet_master/planet-master.debian.org +++ /dev/null 
@@ -1,20 +0,0 @@ -Use common-debian-service-https-redirect * planet-master.debian.org - - ServerName planet-master.debian.org - ServerAdmin debian-admin@lists.debian.org - - Use common-debian-service-ssl planet-master.debian.org - Use common-ssl-HSTS - - - UserDir disabled - - ErrorLog ${APACHE_LOG_DIR}/planet-master.debian.org-error.log - CustomLog ${APACHE_LOG_DIR}/planet-master.debian.org-access.log privacy - ServerSignature On - - DocumentRoot /srv/planet.debian.org/www - - Use DebianHostList - - diff --git a/modules/roles/files/ssh_upload/rsync-ssh-wrap b/modules/roles/files/ssh_upload/rsync-ssh-wrap index bdfc6f190..f2a8917fe 100755 --- a/modules/roles/files/ssh_upload/rsync-ssh-wrap +++ b/modules/roles/files/ssh_upload/rsync-ssh-wrap @@ -68,7 +68,7 @@ do_rsync() { allowed="${allowed_rsyncs[$cmd_idx]}" if [ "$*" = "$allowed" ]; then info "Running for host $remote_host: rsync $*" - exec rsync "$@" + exec rsync --chmod=F640 "$@" croak "Exec failed" fi done diff --git a/modules/roles/manifests/planet_master.pp b/modules/roles/manifests/planet_master.pp index 5114ece75..8e67d469c 100644 --- a/modules/roles/manifests/planet_master.pp +++ b/modules/roles/manifests/planet_master.pp @@ -1,10 +1,10 @@ class roles::planet_master { include apache2::ssl apache2::config { 'puppet-debianhosts': - content => template('roles/conf-debianhostlist.erb'), + ensure => 'absent', } apache2::site { 'planet-master.debian.org': - source => 'puppet:///modules/roles/planet_master/planet-master.debian.org', + content => template('roles/planet_master/planet-master.debian.org.erb') } ssl::service { 'planet-master.debian.org': notify => Exec['service apache2 reload'], diff --git a/modules/roles/manifests/static_mirror.pp b/modules/roles/manifests/static_mirror.pp index c3d62e580..96e607cac 100644 --- a/modules/roles/manifests/static_mirror.pp +++ b/modules/roles/manifests/static_mirror.pp 
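Review bot: The `info` line just above the changed `exec` in rsync-ssh-wrap still logs `rsync $*`, so the log no longer shows the command that actually runs. It should include the forced option, e.g. `info "Running for host $remote_host: rsync --chmod=F640 $*"`. The option also has no comment recording why it is there; something like `# force mode 0640 on uploaded files regardless of the modes the sender presents` would do, if that is the intent. The `F` prefix limits the rule to files, so directory modes stay as sent, which is fine only if this queue receives flat files (not visible from this hunk). do_rsync starts above the hunk and continues below it.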
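Review bot: In planet_master.pp the new `content => template('roles/planet_master/planet-master.debian.org.erb')` attribute has no trailing comma, unlike `ensure => 'absent',` and `notify => Exec['service apache2 reload'],` beside it; add one for consistency. Setting `apache2::config { 'puppet-debianhosts': }` to `ensure => 'absent'` removes the file that presumably defined the `DebianHostList` macro. Any other vhost on these hosts that still contains `Use DebianHostList` would then stop Apache from loading its configuration, so that is worth checking before this is applied. A comment such as `# macro replaced by the inline Require ip list in the site template; remove this resource once applied everywhere` would explain why an absent resource is kept.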
@@ -10,6 +10,8 @@ class roles::static_mirror { include apache2::ssl apache2::module { 'include': } apache2::module { 'geoip': require => [Package['libapache2-mod-geoip'], Package['geoip-database']]; } + apache2::module { 'deflate': } + apache2::module { 'filter': } file { '/usr/local/bin/static-mirror-run': source => 'puppet:///modules/roles/static-mirroring/static-mirror-run', diff --git a/modules/roles/templates/planet_master/planet-master.debian.org.erb b/modules/roles/templates/planet_master/planet-master.debian.org.erb new file mode 100644 index 000000000..95afcf03d --- /dev/null +++ b/modules/roles/templates/planet_master/planet-master.debian.org.erb @@ -0,0 +1,41 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +Use common-debian-service-https-redirect * planet-master.debian.org + + ServerName planet-master.debian.org + ServerAdmin debian-admin@lists.debian.org + + Use common-debian-service-ssl planet-master.debian.org + Use common-ssl-HSTS + + + UserDir disabled + + ErrorLog ${APACHE_LOG_DIR}/planet-master.debian.org-error.log + CustomLog ${APACHE_LOG_DIR}/planet-master.debian.org-access.log privacy + ServerSignature On + + DocumentRoot /srv/planet.debian.org/www + + # Localhost + Require ip ::1 + Require ip 127.0.0.1 +<%= + lines = [] + roles = scope.lookupvar('site::roles') + roles['planet_master'].each do |node| + lines << "\t\t# #{scope.lookupvar('site::allnodeinfo')[node]['hostname'][0]}" + scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |addr| + lines << "\t\tRequire ip #{addr}" + end + end + lines.join("\n") +# vim:set et: +# vim:set sts=2 ts=2: +# vim:set shiftwidth=2: +%> + + diff --git a/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb b/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb index cbdeb36ae..fea7de7e5 100644 
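Review bot: The Ruby block in planet-master.debian.org.erb that emits the `Require ip` lines indexes `roles['planet_master']` and `allnodeinfo[node]` directly. Assuming these are plain hashes, a missing role or node entry fails catalog compilation with a NoMethodError on nil rather than an error naming the missing key; `fetch` makes that explicit, and `site::allnodeinfo` can be looked up once instead of twice per node. The hostname and address values are written into the Apache access list as-is, so the list is only as trustworthy as the data behind `site::allnodeinfo`; a comment naming that source would help whoever audits who can reach this vhost. The vim modelines sit inside the `<%= %>` tag after the final expression, where they are harmless but read as part of the code, so they are better placed in a separate `<%# %>` comment. The enclosing Apache container tags are not visible on this page, so I cannot confirm which block these lines land in.

```erb
<%=
  # Access list: every address of every node carrying the planet_master role.
  nodeinfo = scope.lookupvar('site::allnodeinfo')
  lines = []
  scope.lookupvar('site::roles').fetch('planet_master').each do |node|
    info = nodeinfo.fetch(node)
    lines << "\t\t# #{info['hostname'][0]}"
    info['ipHostNumber'].each do |addr|
      lines << "\t\tRequire ip #{addr}"
    end
  end
  lines.join("\n")
%>
```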
--- a/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb +++ b/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb @@ -126,10 +126,7 @@ AddEncoding x-gzip .gz AddType text/plain .log - - AddOutputFilterByType DEFLATE image/svg+xml - AddOutputFilterByType DEFLATE text/plain - + AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css image/svg+xml diff --git a/modules/schroot/files/schroot-setup.d/99builddsourceslist b/modules/schroot/files/schroot-setup.d/99builddsourceslist index 7a613913c..d9dc92d0d 100755 --- a/modules/schroot/files/schroot-setup.d/99builddsourceslist +++ b/modules/schroot/files/schroot-setup.d/99builddsourceslist @@ -137,8 +137,8 @@ if [ "$1" = "setup-start" ] || [ "$1" = "setup-recover" ]; then [ -n "${debian_mirror}" ] && domirror "${debian_mirror} ${SUITE_BASE} COMPONENT" ${APT_LIST} domirror "http://ftp.debian.org/debian ${SUITE_BASE} COMPONENT" ${APT_LIST} [ -n "${security_mirror}" ] && domirror "${security_mirror} ${SUITE_BASE}/updates COMPONENT" ${APT_LIST} - domirror "http://security-master.debian.org/debian-security ${SUITE_BASE}/updates COMPONENT" ${APT_LIST} - domirror "http://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates COMPONENT" ${APT_LIST} + domirror "https://security-master.debian.org/debian-security ${SUITE_BASE}/updates COMPONENT" ${APT_LIST} + domirror "https://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates COMPONENT" ${APT_LIST} elif [ "${SUITE_VARIANT%%-sloppy}" = 'backports' ]; then # Hack: for kfreebsd-* the base suite for jessie-backports and jessie-backports-sloppy is jessie-kfreebsd (and not jessie) 
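Review bot: The two `domirror "https://security-master.debian.org/..."` lines in 99builddsourceslist now depend on HTTPS transport and a CA bundle being present inside the chroot, and nothing here says so; the same applies to the four `echo deb`/`deb-src https://...` lines in the `@@ -207,10 +207,10 @@` hunk. The setup-dchroot change in this commit installs `apt-transport-https` and `ca-certificates` only when a chroot is created, so chroots built earlier would presumably fail `apt-get update` on these sources until they are rebuilt or updated. A comment above the first changed line, such as `# https sources: chroot needs ca-certificates (and apt-transport-https on wheezy/jessie/stretch), see setup-dchroot`, would make the coupling visible. The enclosing `if [ "$1" = "setup-start" ] ...` block begins before the hunk and continues past it.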
@@ -207,10 +207,10 @@ if [ "$1" = "setup-start" ] || [ "$1" = "setup-recover" ]; then echo deb ${security_mirror} ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO} echo deb-src ${security_mirror} ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO} fi - echo deb http://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO} - echo deb-src http://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO} - echo deb http://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO} - echo deb-src http://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO} + echo deb https://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO} + echo deb-src https://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO} + echo deb https://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO} + echo deb-src https://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO} elif [ ${SUITE_VARIANT%%-sloppy} = 'backports' ]; then : > ${APT_LIST_AUTO} if [ -n "${debian_mirror}" ]; then diff --git a/modules/schroot/files/setup-dchroot b/modules/schroot/files/setup-dchroot index 99f0919ac..1040212ab 100755 --- a/modules/schroot/files/setup-dchroot +++ b/modules/schroot/files/setup-dchroot 
@@ -386,10 +386,10 @@ chroot "$rootdir" apt-get install -y --no-install-recommends build-essential if [ -n "$buildd" ] ; then case "$suite" in wheezy|jessie|stretch) - chroot "$rootdir" apt-get install -y --no-install-recommends apt-transport-https + chroot "$rootdir" apt-get install -y --no-install-recommends apt-transport-https ca-certificates ;; *) - # Nothing to do, https support is part of the apt package + chroot "$rootdir" apt-get install -y --no-install-recommends ca-certificates ;; esac fi
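Review bot: The `*)` branch in setup-dchroot lost its explanatory comment, so it is no longer clear why newer suites install only `ca-certificates` while the older ones also get `apt-transport-https`. I would keep a comment there, e.g. `# https support is part of the apt package on newer suites; only the CA bundle is needed`. Since both branches now install `ca-certificates`, that install could move in front of the `case`, leaving the `wheezy|jessie|stretch)` arm to add only `apt-transport-https`; the CA bundle requirement would then not depend on the suite list being kept current.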