From: Martin Zobel-Helas Date: Tue, 5 Jan 2010 15:12:21 +0000 (+0100) Subject: Merge branch 'master' of git+ssh://zobel@puppet.debian.org/srv/puppet.debian.org... X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=09f53cc3299c6699be7959e6aff131d0034d97f8;hp=4e1f7afe46f851063bd6012f70d02f04ed72575d;p=mirror%2Fdsa-puppet.git Merge branch 'master' of git+ssh://zobel@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet --- diff --git a/facts/architecture.rb b/facts/architecture.rb index d6187b238..f0d7ff57e 100644 --- a/facts/architecture.rb +++ b/facts/architecture.rb @@ -11,3 +11,9 @@ Facter.add(:architecture) do end end +Facter.add(:debarchitecture) do + setcode do + %x{/usr/bin/dpkg --print-architecture} + end +end + diff --git a/facts/servertype.rb b/facts/servertype.rb new file mode 100644 index 000000000..fa2f35ed6 --- /dev/null +++ b/facts/servertype.rb @@ -0,0 +1,9 @@ +Facter.add("kvmdomain") do + setcode do + if File.new('/proc/cpuinfo').read().index('QEMU Virtual CPU') + result = true + else + result = false + end + end +end diff --git a/files/etc/puppet/lib/puppet/parser/functions/allnodeinfo.rb b/files/etc/puppet/lib/puppet/parser/functions/allnodeinfo.rb index 6120c1f83..47450d559 100644 --- a/files/etc/puppet/lib/puppet/parser/functions/allnodeinfo.rb +++ b/files/etc/puppet/lib/puppet/parser/functions/allnodeinfo.rb @@ -1,6 +1,5 @@ module Puppet::Parser::Functions newfunction(:allnodeinfo, :type => :rvalue) do |attributes| - require '/etc/puppet/lib/puppet/parser/functions/ldapinfo.rb' attributes.unshift('*') return (function_ldapinfo(attributes)) end diff --git a/files/etc/puppet/lib/puppet/parser/functions/nodeinfo.rb b/files/etc/puppet/lib/puppet/parser/functions/nodeinfo.rb index fae9d6dd7..4d915b21b 100644 --- a/files/etc/puppet/lib/puppet/parser/functions/nodeinfo.rb +++ b/files/etc/puppet/lib/puppet/parser/functions/nodeinfo.rb 
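Review bot: The `debarchitecture` fact in facts/architecture.rb returns the raw output of `%x{/usr/bin/dpkg --print-architecture}`, which ends in a newline, so unless Facter strips it the value is "amd64\n" rather than "amd64". The `case $debarchitecture { "amd64": ... }` that this same commit adds to modules/debian-org/manifests/init.pp compares against the bare string and would then never match, so `lib32gcc1` would silently not be installed. Returning `%x{/usr/bin/dpkg --print-architecture}.chomp` makes the comparison reliable. A one-line comment saying that this is the dpkg architecture, as opposed to the value from `:architecture`, would also help.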
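Review bot: `File.new('/proc/cpuinfo').read()` in the new `kvmdomain` fact never closes the handle and raises when /proc/cpuinfo is absent, which turns a missing file into a fact-resolution error instead of `false`. `File.exist?('/proc/cpuinfo') && File.read('/proc/cpuinfo').include?('QEMU Virtual CPU')` covers both cases and makes the `result = true` / `result = false` branches unnecessary. manifests/site.pp installs acpid based on this value, and a guest can be configured to report a different CPU model string, so a comment that the check is a heuristic would be worth adding.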
@@ -5,7 +5,6 @@ module Puppet::Parser::Functions yamlfile = args[1] require '/etc/puppet/lib/puppet/parser/functions/ldapinfo.rb' - require '/etc/puppet/lib/puppet/parser/functions/yamlinfo.rb' results = function_yamlinfo(host, yamlfile) results['ldap'] = function_ldapinfo(host, '*') diff --git a/files/etc/puppet/puppet.conf b/files/etc/puppet/puppet.conf index 931ce3ce6..1a8394691 100644 --- a/files/etc/puppet/puppet.conf +++ b/files/etc/puppet/puppet.conf @@ -10,7 +10,20 @@ ssldir=/var/lib/puppet/ssl rundir=/var/run/puppet factpath=$vardir/facts pluginsync=true +# This is the default environment for all clients +environment=production [puppetmasterd] templatedir=/etc/puppet/templates libdir=/etc/puppet/lib +environments = development,testing,production,staging + +[puppetd] +environments = development,testing,production,staging + +[staging] +libdir=/etc/puppet/lib +manifestdir=/srv/puppet.debian.org/stages/staging/manifests +templatedir=/srv/puppet.debian.org/stages/staging/templates +fileserverconfig=/srv/puppet.debian.org/stages/staging/fileserver.conf +modulepath=/srv/puppet.debian.org/stages/staging/modules diff --git a/fileserver.conf b/fileserver.conf index dfc3f68a2..2dc300035 100644 --- a/fileserver.conf +++ b/fileserver.conf @@ -1,3 +1,8 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + # This file consists of arbitrarily named sections/modules # defining where files are served from and to whom diff --git a/manifests/site.pp b/manifests/site.pp index 59bce1cdf..092f32124 100644 --- a/manifests/site.pp +++ b/manifests/site.pp 
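Review bot: The new `[staging]` section in puppet.conf sets `libdir=/etc/puppet/lib`, the same directory `[puppetmasterd]` uses, so parser functions and other plugins are shared with production and a staging run cannot exercise a changed function in isolation. A libdir under /srv/puppet.debian.org/stages/staging would match the other four settings in the section. `environments` also lists `development` and `testing`, for which this hunk adds no section, so those names would presumably resolve to the main settings. As far as I know the agent selects its own `environment` in this generation of Puppet, so a comment stating which hosts are expected to use `staging` would make an unexpected selection easier to spot.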
@@ -14,11 +14,11 @@ Exec { } node default { + $localinfo = yamlinfo('*', "/etc/puppet/modules/debian-org/misc/local.yaml") $nodeinfo = nodeinfo($fqdn, "/etc/puppet/modules/debian-org/misc/local.yaml") $hoster = whohosts($nodeinfo, "/etc/puppet/modules/debian-org/misc/hoster.yaml") notice("hoster for ${fqdn} is ${hoster}") - $localinfo = yamlinfo('*', "/etc/puppet/modules/debian-org/misc/local.yaml") $mxinfo = allnodeinfo("mXRecord") include munin-node @@ -35,6 +35,9 @@ node default { case $smartarraycontroller { "true": { include debian-proliant } } + case $kvmdomain { + "true": { package { acpid: ensure => installed } } + } case $mta { "exim4": { @@ -54,21 +57,21 @@ node default { } } - case extractnodeinfo($nodeinfo, 'apache2_defaultconfig') { - "true": { include apache2 } + case $apache2 { + "true": { + case extractnodeinfo($nodeinfo, 'apache2_security_mirror') { + "true": { include apache2::security_mirror } + default: { include apache2 } + } + } } case extractnodeinfo($nodeinfo, 'buildd') { "true": { include buildd } } - case extractnodeinfo($nodeinfo, 'apache2_security_mirror') { - "true": { include apache2::security_mirror } - } - -# maybe wait for rietz to be upgraded to lenny case $hostname { - rietz,raff,klecker: { include named::secondary } + rietz,klecker,ravel,senfl: { include named::secondary } } case $hostname { @@ -78,6 +81,6 @@ node default { "true": { include hosts } } case $hoster { - "ubcece", "darmstadt": { include resolv } + "ubcece", "darmstadt", "ftcollins": { include resolv } } } diff --git a/modules/apache2/files/common/etc/apache2/sites-available/default-debian.org b/modules/apache2/files/common/etc/apache2/sites-available/default-debian.org deleted file mode 100644 index dca460b41..000000000 --- a/modules/apache2/files/common/etc/apache2/sites-available/default-debian.org +++ /dev/null 
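Review bot: In the `@@ -54,21 +57,21 @@` hunk the `apache2_security_mirror` lookup is now nested inside `case $apache2 { "true": ... }`, so a host listed under `apache2_security_mirror` in local.yaml gets neither `apache2::security_mirror` nor `apache2` when `$apache2` is anything other than "true", and nothing is logged. `$apache2` is not defined in the visible part of this commit. If it is a client-reported fact, class selection moves from the server-side `apache2_defaultconfig` list (removed from local.yaml here) to a value the node supplies. A comment naming where `$apache2` comes from, and a `default:` branch that calls `notice(...)` for listed mirrors without it, would make the dependency explicit. The `node default` block starts and ends outside these hunks.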
@@ -1,21 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-
- ServerAdmin debian-admin@debian.org
-
- ErrorLog /var/log/apache2/error.log
- CustomLog /var/log/apache2/access.log combined
-
- DocumentRoot /srv/www/default.debian.org/htdocs
-
- HostnameLookups Off
- UseCanonicalName Off
- ServerSignature On
-
- UserDir disabled
-
-
-# vim:set syn=apache:
diff --git a/modules/apache2/files/per-host/spohr.debian.org/etc/apache2/sites-available/default-debian.org b/modules/apache2/files/per-host/spohr.debian.org/etc/apache2/sites-available/default-debian.org
deleted file mode 100644
index 5d31d531e..000000000
--- a/modules/apache2/files/per-host/spohr.debian.org/etc/apache2/sites-available/default-debian.org
+++ /dev/null
@@ -1,22 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-
- ServerAdmin debian-admin@debian.org
-
- ErrorLog /var/log/apache2/error.log
- CustomLog /var/log/apache2/access.log combined
-
- DocumentRoot /srv/www/default.debian.org/htdocs
-
- Alias /debian /org/mirrors/ftp.debian.org/ftp
- HostnameLookups Off
- UseCanonicalName Off
- ServerSignature On
-
- UserDir disabled
-
-
-# vim:set syn=apache:
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index 90c2f824a..dc8c66c8d 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -6,6 +6,30 @@ class apache2 { "logrotate": ensure => installed; } + define activate_apache_site($ensure=present, $site=$name) { + case $site { + "": { $base = $name } + default: { $base = $site } + } + + case $ensure { + present: { + file { "/etc/apache2/sites-enabled/$name": + ensure => "/etc/apache2/sites-available/$base", + require => Package["apache2"], + notify => Exec["reload-apache2"]; + } + } + absent: { + file { "/etc/apache2/sites-enabled/$name": + ensure => $ensure, + notify => Exec["reload-apache2"]; + } + } + default: { err ( "Unknown ensure value: '$ensure'" ) } + } + } + define enable_module($ensure=present) { case $ensure { present: { @@ -29,6 +53,11 @@ class apache2 { "status":; } + activate_apache_site { + "00-default": site => "default-debian.org"; + "000-default": ensure => absent; + } + file { "/etc/apache2/conf.d/ressource-limits": content => template("apache2/ressource-limits.erb"), @@ -51,8 +80,7 @@ class apache2 { notify => Exec["reload-apache2"]; "/etc/apache2/sites-available/default-debian.org": - source => [ "puppet:///apache2/per-host/$fqdn/etc/apache2/sites-available/default-debian.org", - "puppet:///apache2/common/etc/apache2/sites-available/default-debian.org" ], + content => template("apache2/default-debian.org.erb"), require => Package["apache2"], notify => Exec["reload-apache2"]; diff --git a/modules/apache2/manifests/security_mirror.pp b/modules/apache2/manifests/security_mirror.pp index ee20e9d9e..85adcf1de 100644 --- a/modules/apache2/manifests/security_mirror.pp +++ b/modules/apache2/manifests/security_mirror.pp 
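Review bot: In `activate_apache_site` the `default:` branch calls `err(...)`, which only logs on the master, so a mistyped `ensure` still yields a catalog in which the site link is silently unmanaged. `default: { fail("Unknown ensure value: '$ensure'") }` stops compilation instead. The `case $site { "": ... }` fallback deserves a one-line comment, since `$site=$name` already covers the omitted-parameter case and the branch only matters for an explicitly empty `site`. The enclosing `class apache2` continues outside the hunk.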
@@ -2,11 +2,14 @@ class apache2::security_mirror inherits apache2 { file { "/etc/apache2/sites-available/security.debian.org": source => [ "puppet:///apache2/per-host/$fqdn/etc/apache2/sites-available/security.debian.org", - "puppet:///apache2/common/etc/apache2/sites-available/security.debian.org" ], - require => Package["apache2"], - notify => Exec["reload-apache2"]; + "puppet:///apache2/common/etc/apache2/sites-available/security.debian.org" ]; } + activate_apache_site { + "010-security.debian.org": site => "security.debian.org"; + "security.debian.org": ensure => absent; + } + } diff --git a/modules/apache2/templates/default-debian.org.erb b/modules/apache2/templates/default-debian.org.erb new file mode 100644 index 000000000..b07bed535 --- /dev/null +++ b/modules/apache2/templates/default-debian.org.erb 
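Review bot: Dropping `notify => Exec["reload-apache2"]` from the `/etc/apache2/sites-available/security.debian.org` file means a change to that vhost's content no longer reloads Apache, because the `activate_apache_site` link only notifies when the symlink itself changes. Without the notify there is also no ordering between the file and the reload, so on a first run the link could be enabled and Apache reloaded before the target exists. Unless a resource default outside this hunk supplies them, keep `require => Package["apache2"],` and `notify => Exec["reload-apache2"];` on the file resource.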
@@ -0,0 +1,62 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + + + ServerAdmin debian-admin@debian.org + + ErrorLog /var/log/apache2/error.log + CustomLog /var/log/apache2/access.log combined + + DocumentRoot /srv/www/default.debian.org/htdocs + + HostnameLookups Off + UseCanonicalName Off + ServerSignature On +<%= +out = case fqdn + when "merkel.debian.org" + then " + RemoveType .php .phtml .php3 .phps + php_admin_flag engine off + + SetEnv PERLLIB \"/home/don/perl/usr/share/perl5:/home/don/source/\" + SetEnv DEBBUGS_CONFIG_FILE \"/home/don/config_internal\" + SetHandler cgi-script + AllowOverride None + Options +ExecCGI + Order allow,deny + Allow from all + +" + when "master.debian.org" then "" +else +" + + UserDir disabled + +" +end +case fqdn + when "spohr.debian.org" then + out += " + Alias /debian \"/org/mirrors/ftp.debian.org/ftp\" +" + when "piatti.debian.org" then + out += " + # for piuparts, RT#1218 + Alias /debian/ \"/org/mirrors/ftp.debian.org/ftp/\" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 193.167.161.225/32 + +" +end +out +%> + +# vim:set syn=apache: diff --git a/modules/apache2/templates/ressource-limits.erb b/modules/apache2/templates/ressource-limits.erb index 66cc04620..8ddb67362 100644 --- a/modules/apache2/templates/ressource-limits.erb +++ b/modules/apache2/templates/ressource-limits.erb @@ -6,6 +6,7 @@ RLimitCPU 180 <%= case fqdn + when "merkel.debian.org" then "" # maybe unlimited will be better when "cimarosa.debian.org" then # buildd.debian.org "RLimitMEM "+(96 * 1024**2).to_s diff --git a/modules/buildd/files/cron.d-dsa-buildd b/modules/buildd/files/cron.d-dsa-buildd index 9deb39f32..bf9b12287 100644 --- a/modules/buildd/files/cron.d-dsa-buildd +++ b/modules/buildd/files/cron.d-dsa-buildd 
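Review bot: The `merkel.debian.org` branch of default-debian.org.erb sets `SetHandler cgi-script` with `Options +ExecCGI` and `Allow from all`, while `PERLLIB` and `DEBBUGS_CONFIG_FILE` point into /home/don, so the code and configuration those CGIs load are presumably writable by one user account rather than root-managed. The same `case fqdn` leaves out `UserDir disabled` for both merkel and master, although both deleted static files carried it. Neither exception is explained. A comment above each `when` saying why the host is exempt, or library and config paths outside a home directory, would make the exceptions reviewable. Writing the host-specific parts as `<% if fqdn == ... %>` blocks instead of concatenating into `out` would also keep the Apache directives readable.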
@@ -1 +1 @@ -@reboot buildd [ -f ~buildd/NO-DAEMON-PLEASE ] && grep 'delete-on-boot' ~buildd/NO-DAEMON-PLEASE > /dev/null && rm -f ~buildd/NO-DAEMON-PLEASE && buildd-watcher +@reboot buildd [ -f ~buildd/NO-DAEMON-PLEASE ] && grep 'delete-on-boot' ~buildd/NO-DAEMON-PLEASE > /dev/null && rm -f ~buildd/NO-DAEMON-PLEASE && if [ -x ~buildd/.bootscript ]; then ~buildd/.bootscript; else buildd-watcher; fi diff --git a/modules/debian-org/manifests/init.pp b/modules/debian-org/manifests/init.pp index 4dca10d0c..bed7a84b7 100644 --- a/modules/debian-org/manifests/init.pp +++ b/modules/debian-org/manifests/init.pp @@ -147,9 +147,15 @@ class debian-org { class debian-proliant inherits debian-org { package { "hpacucli": ensure => installed; + "hp-health": ensure => installed; "cpqarrayd": ensure => installed; "arrayprobe": ensure => installed; } + case $debarchitecture { + "amd64": { + package { "lib32gcc1": ensure => installed; } + } + } file { "/etc/apt/sources.list.d/debian.restricted.list": content => template("debian-org/etc/apt/sources.list.d/debian.restricted.list.erb"), diff --git a/modules/debian-org/misc/hoster.yaml b/modules/debian-org/misc/hoster.yaml index 265567f96..afe41494a 100644 --- a/modules/debian-org/misc/hoster.yaml +++ b/modules/debian-org/misc/hoster.yaml @@ -7,6 +7,7 @@ csail: - 128.31.0.0/24 darmstadt: - 82.195.75.64/26 + - 82.195.75.32/28 - 2001:41b8:202:deb::/64 dgi: - 93.94.130.128/26 @@ -19,6 +20,12 @@ osousl: - 140.211.166.0/25 sanger: - 193.62.202.24/29 +sil: + - 86.59.118.153/28 +scanplus: + - 212.211.132.0/26 + - 212.211.132.248/29 + - 2001:a78::/64 ubcece: - 137.82.84.64/27 - 206.12.19.0/24 diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml index 307735e07..fd0be8610 100644 --- a/modules/debian-org/misc/local.yaml +++ b/modules/debian-org/misc/local.yaml 
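Review bot: The new `sil` entry in hoster.yaml, `86.59.118.153/28`, has host bits set; the /28 that contains that address starts at 86.59.118.144. Whether `whohosts` masks the value or compares it literally is not visible here, so writing the network address, `- 86.59.118.144/28`, avoids depending on the parser, assuming the whole /28 is meant. The other ranges added in these two hunks are aligned to their prefix length.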
@@ -33,7 +33,9 @@ nameinfo: mahler.debian.org: Gustav Mahler (7 July 1860 - 18 May 1911) mayr.debian.org: Johann(es) Simon Mayr (June 14, 1763 - December 2, 1845) merkel.debian.org: Gustav (Adolf) Merkel (November 12, 1827 - October 30, 1885) + mendes.debian.org: Manuel Mendes (c. 1547 - September 24, 1605) merulo.debian.org: Claudio Merulo (8 April 1533 - 4 May 1604) + monteverdi.debian.org: Claudio Giovanni Antonio Monteverdi (15 May 1567 - 29 November 1643) morales.debian.org: Cristóbal de Morales (c. 1500 - between September 4 and October 7, 1553) morricone.debian.org: Ennio Morricone (November 10, 1928 - ) mundy.debian.org: William Mundy (c. 1529 - 1591) @@ -54,7 +56,6 @@ nameinfo: rietz.debian.org: August Wilhelm Julius Rietz (December 28, 1812 - September 12, 1877) rore.debian.org: Cipriano de Rore (occasionally Cypriano) (1515 or 1516 - between September 11 and September 20, 1565) saens.debian.org: Charles-Camille Saint-Saëns (9 October 1835 - 16 December 1921) - sarti.debian.org: Giuseppe Sarti (baptised December 1, 1729 - July 28, 1802) schein.debian.org: Johann Hermann Schein (January 20, 1586 - November 19, 1630) schroeder.debian.org: Hermann Schroeder (1904 - 1984) schumann.debian.org: Robert Alexander Schumann (8 June 1810 - 29 July 1856) 
@@ -67,26 +68,25 @@ nameinfo: spontini.debian.org: Gaspare Luigi Pacifico Spontini (14 November 1774 - 24 January 1851) stabile.debian.org: Annibale Stabile (~1535 - April 1595) steffani.debian.org: Agostino Steffani (25 July 1653 - 12 February 1728) - strauss.debian.org: Johann Baptist Strauß (October 25, 1825 - June 3, 1899) tartini.debian.org: Giuseppe Tartini (April 8, 1692 - February 26, 1770) unger.debian.org: Caroline Unger (October 28, 1803 - March 23, 1877) valente.debian.org: Vincenzo Valente (February 21, 1855 - September 6, 1921) vivaldi.debian.org: Antonio Lucio Vivaldi (March 4, 1678 - July 28, 1741) voltaire.debian.org: François-Marie Arouet (Voltaire) (21 November 1694 - 30 May 1778) - wagner.debian.org: Wilhelm Richard Wagner (22 May 1813 - 13 February 1883) widor.debian.org: Charles-Marie Jean Albert Widor (February 21, 1844 - March 12, 1937) wieck.debian.org: Clara Josephine Wieck (September 13, 1819 - May 20, 1896) wolkenstein.debian.org: Oswald von Wolkenstein (1377 - August 2nd, 1445) zandonai.debian.org: Riccardo Zandonai (May 30th, 1883 - June 5th, 1944) zelenka.debian.org: Jan Dismas Zelenka (16 October 1679 - 23 December 1745) footer: - bartok.debian.org: "Documentation: gluck:/org/admin.debian.org/doc/backup.debian.org" lebrun.debian.org: "- This host is using an iptables firewall. See /etc/rc.boot/firewall{,6}" schroeder.debian.org: "- This host is using an iptables firewall. See /etc/rc.boot/firewall{,6}" zandonai.debian.org: "Debian s390 buildd system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]" zelenka.debian.org: "Debian s390 porter system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]" services: - bugsmaster: rietz.debian.org + bugsmaster: + - busoni.debian.org + - rietz.debian.org bugsmx: - byrd.debian.org mailrelay: 
@@ -99,49 +99,27 @@ services: host_settings: heavy_exim: - bellini.debian.org + - busoni.debian.org - byrd.debian.org + - chopin.debian.org + - cimarosa.debian.org - draghi.debian.org - klecker.debian.org - master.debian.org - merkel.debian.org + - morricone.debian.org - powell.debian.org - - raff.debian.org - - ries.debian.org - - rietz.debian.org - - spohr.debian.org - apache2_defaultconfig: - - bellini.debian.org - - carver.debian.org - - cimarosa.debian.org - - draghi.debian.org - - duarte.debian.org - - gluck.debian.org - - kaufmann.debian.org - - klecker.debian.org - - liszt.debian.org - - lobos.debian.org - - piatti.debian.org - - raff.debian.org - ravel.debian.org - - respighi.debian.org - ries.debian.org - - rore.debian.org - - saens.debian.org - - samosa.debian.org - - schein.debian.org - - senfl.debian.org - - soler.debian.org + - rietz.debian.org - spohr.debian.org - - steffani.debian.org - - tartini.debian.org - - villa.debian.org + - valente.debian.org - widor.debian.org - - wieck.debian.org - - wolkenstein.debian.org apache2_security_mirror: - gluck.debian.org - kassia.debian.org - lobos.debian.org + - raff.debian.org - saens.debian.org - schein.debian.org - steffani.debian.org @@ -171,8 +149,6 @@ host_settings: squeeze: - fano.debian.org - finzi.debian.org - smarthost_port: - voltaire.debian.org: 25 smarthost: agnesi.debian.org: mailout.debian.org agricola.debian.org: mailout.debian.org @@ -183,8 +159,10 @@ host_settings: bartok.debian.org: mailout.debian.org brahms.debian.org: mailout.debian.org caballero.debian.org: mailout.debian.org + carver.debian.org: mailout.debian.org crest.debian.org: mailout.debian.org dijkstra.debian.org: mailout.debian.org + duarte.debian.org: mailout.debian.org escher.debian.org: mailout.debian.org fano.debian.org: mailout.debian.org finzi.debian.org: mailout.debian.org 
@@ -205,11 +183,14 @@ host_settings: malo.debian.org: mailout.debian.org mayer.debian.org: mailout.debian.org mayr.debian.org: mailout.debian.org + mendes.debian.org: mailout.debian.org merulo.debian.org: mailout.debian.org + monteverdi.debian.org: mailout.debian.org morales.debian.org: mailout.debian.org mundy.debian.org: mailout.debian.org murphy.debian.org: mailout.debian.org paer.debian.org: mailout.debian.org + paganini.debian.org: mailout.debian.org penalosa.debian.org: mailout.debian.org pergolesi.debian.org: mailout.debian.org peri.debian.org: mailout.debian.org @@ -217,7 +198,9 @@ host_settings: piatti.debian.org: mailout.debian.org praetorius.debian.org: mailout.debian.org puccini.debian.org: mailout.debian.org + raff.debian.org: mailout.debian.org rem.debian.org: mailout.debian.org + respighi.debian.org: mailout.debian.org rore.debian.org: mailout.debian.org saens.debian.org: mailout.debian.org schein.debian.org: mailout.debian.org @@ -229,11 +212,14 @@ host_settings: soler.debian.org: mailout.debian.org sperger.debian.org: mailout.debian.org spontini.debian.org: mailout.debian.org + stabile.debian.org: mailout.debian.org steffani.debian.org: mailout.debian.org unger.debian.org: mailout.debian.org villa.debian.org: mailout.debian.org + vivaldi.debian.org: mailout.debian.org voltaire.debian.org: mailout.debian.org wieck.debian.org: mailout.debian.org + wolkenstein.debian.org: mailout.debian.org zee.debian.org: mailout.debian.org zandonai.debian.org: mailout.debian.org zelenka.debian.org: mailout.debian.org diff --git a/modules/exim/files/common/host_blacklist b/modules/exim/files/common/host_blacklist index a59ce8274..1f1d6284f 100644 --- a/modules/exim/files/common/host_blacklist +++ b/modules/exim/files/common/host_blacklist @@ -4,4 +4,6 @@ ## 193.146.156.252 112.78.115.101 +198.143.4.176 +64.255.101.196 *.bp06.net diff --git a/modules/exim/files/common/rcpthosts b/modules/exim/files/common/rcpthosts deleted file mode 100644 index 3e0ece1a9..000000000 
--- a/modules/exim/files/common/rcpthosts +++ /dev/null @@ -1,5 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp index 0b5f7d675..43dd108df 100644 --- a/modules/exim/manifests/init.pp +++ b/modules/exim/manifests/init.pp @@ -19,6 +19,20 @@ class exim { mode => 755, purge => true ; + "/etc/exim4/Git": + ensure => directory, + purge => true, + force => true, + recurse => true, + source => "puppet:///files/empty/" + ; + "/etc/exim4/conf.d": + ensure => directory, + purge => true, + force => true, + recurse => true, + source => "puppet:///files/empty/" + ; "/etc/exim4/ssl": ensure => directory, owner => root, @@ -78,11 +92,6 @@ class exim { source => [ "puppet:///exim/per-host/$fqdn/rbllist", "puppet:///exim/common/rbllist" ] ; - "/etc/exim4/rcpthosts": - require => Package["exim4-daemon-heavy"], - source => [ "puppet:///exim/per-host/$fqdn/rcpthosts", - "puppet:///exim/common/rcpthosts" ] - ; "/etc/exim4/rhsbllist": require => Package["exim4-daemon-heavy"], source => [ "puppet:///exim/per-host/$fqdn/rhsbllist", @@ -107,11 +116,6 @@ class exim { source => [ "puppet:///exim/per-host/$fqdn/logrotate-exim4-paniclog", "puppet:///exim/common/logrotate-exim4-paniclog" ] ; - "/etc/exim4/local-auto.conf": - require => Package["exim4-daemon-heavy"], - content => template("exim-local-auto.erb"), - notify => Exec["exim4 reload"] - ; "/etc/exim4/ssl/thishost.crt": require => Package["exim4-daemon-heavy"], source => "puppet:///exim/certs/$fqdn.crt", @@ -140,6 +144,12 @@ class exim { group => Debian-exim, mode => 640 ; + "/var/log/exim4": + mode => 2750, + ensure => directory, + owner => Debian-exim, + group => maillog + ; } exec { "exim4 reload": diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index fb7b0838b..6dd0a376c 100644 
--- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -27,10 +27,6 @@ # is much like a local domain, execpt that the delivery location # and allowed set of users is controlled by a virtual domain # alias file and not /etc/passwd. Wildcards are permitted -# rcpthosts - recipient hosts or relay domains. This is a list of -# all hosts that we mail exchange for. All domains that list -# this host in their MX records should be listed here. Wildcards -# are permitted. # relayhosts - Hostnames that can send any arbitarily addressed mail to # us. This is primarily only usefull for emergancy 'queue # flushing' operations, but should be populated with a list @@ -140,7 +136,6 @@ localpartlist postmasterish = postmaster : abuse : hostmaster : root # Domains we relay for; that is domains that aren't considered local but we # accept mail for them. -domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts <%= out = "" @@ -219,7 +214,8 @@ delay_warning = <% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %> queue_run_max = 50 deliver_queue_load_max = 50 -queue_only_load = 15 +queue_only_load = 35 +smtp_load_reserve = 20 <% else %> queue_run_max = 5 deliver_queue_load_max = 10 @@ -533,7 +529,6 @@ out accept domains = +local_domains hosts = +debianhosts endpass - message = unknown user verify = recipient <%= @@ -542,7 +537,6 @@ if nodeinfo['mailrelay'] out = ' accept domains = +mailhubdomains endpass - message = unknown user verify = recipient/callout=30s,defer_ok,use_sender,no_cache ' end @@ -551,7 +545,6 @@ out accept domains = +submission_domains endpass - message = unknown user verify = recipient deny message = relay not permitted 
@@ -789,7 +782,7 @@ if has_variable?("greylistd") && greylistd == "true" {/var/lib/greylistd/whitelist-hosts}{}} condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * - domains = +handled_domains : +rcpthosts + domains = +handled_domains condition = ${readsocket{/var/run/greylistd/socket}\ {--grey \ $sender_host_address \ @@ -814,7 +807,7 @@ elsif has_variable?("postgrey") && postgrey == "true" !hosts = : +debianhosts : WHITELIST condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * - domains = +handled_domains : +rcpthosts + domains = +handled_domains local_parts = GREYLIST_LOCAL_PARTS set acl_m_pgr = request=smtpd_access_policy\n\ protocol_state=RCPT\n\ @@ -839,7 +832,7 @@ elsif has_variable?("postgrey") && postgrey == "true" !hosts = : +debianhosts : WHITELIST condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * - domains = +handled_domains : +rcpthosts + domains = +handled_domains local_parts = GREYLIST_LOCAL_PARTS condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}} message = ${sg{$acl_m_pgr}{^\\\\w+\\\\s*}{}} @@ -849,7 +842,7 @@ out %> accept local_parts = +postmasterish - domains = +handled_domains : +rcpthosts + domains = +handled_domains deny hosts = ${if exists{/etc/exim4/host_blacklist}{/etc/exim4/host_blacklist}{}} message = I'm terribly sorry, but it seems you have been blacklisted @@ -869,7 +862,7 @@ if nodeinfo['smarthost'].empty? {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}{$value}{}}}{}}}\ {${lookup{$local_part}lsearch{/etc/exim4/rbllist}{$value}{}} : \ ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rbl}{$value}{}}}} - domains = +handled_domains : +rcpthosts + domains = +handled_domains !hosts = +debianhosts : WHITELIST ' end 
@@ -882,14 +875,14 @@ out {${expand:${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}{$value}{}}}}{}}}\ {${expand:${lookup{$local_part}lsearch{/etc/exim4/rhsbllist}{$value}{}}} : \ ${expand:${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rhsbl}{$value}{}}}}} - domains = +handled_domains : +rcpthosts + domains = +handled_domains !hosts = +debianhosts : WHITELIST <%= out = "" if nodeinfo['smarthost'].empty? out = ' - deny domains = +handled_domains : +rcpthosts + deny domains = +handled_domains local_parts = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\ {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}{$local_part}{}}}{}}}\ @@ -908,7 +901,6 @@ if nodeinfo['mailrelay'] out = ' accept domains = +mailhubdomains endpass - message = unknown user verify = recipient/callout=30s,defer_ok,use_sender,no_cache ' end @@ -916,14 +908,8 @@ out %> accept domains = +handled_domains endpass - message = unknown user verify = recipient/defer_ok - accept domains = +rcpthosts - endpass - message = unrouteable address - verify = recipient - accept hosts = +debianhosts accept authenticated = * 
@@ -1453,25 +1439,6 @@ end out %> -virt_alias_verify: - debug_print = "R: virt_aliases for $local_part@$domain" - driver = redirect - data = ${if exists{\ - ${extract{directory}{VDOMAINDATA}{${value}/aliases}}}\ - {${lookup{$local_part}lsearch*{\ - ${extract{directory}{VDOMAINDATA}{$value/aliases}}\ - }}}} - directory_transport = address_directory - cannot_route_message = Unknown user - domains = +virtual_domains - file_transport = address_file - pipe_transport = address_pipe - qualify_preserve_domain - retry_use_local_part - transport_current_directory = ${extract{directory}{VDOMAINDATA}} - transport_home_directory = ${extract{directory}{VDOMAINDATA}} - verify_only - virt_direct_verify: debug_print = "R: virt_direct for $local_part@$domain" driver = redirect @@ -1514,7 +1481,6 @@ virt_aliases: retry_use_local_part transport_current_directory = ${extract{directory}{VDOMAINDATA}} transport_home_directory = ${extract{directory}{VDOMAINDATA}} - no_verify user = ${extract{user}{VDOMAINDATA}} # This is a qmailesque deliver into a directory of .forward files diff --git a/modules/exim/templates/virtualdomains.erb b/modules/exim/templates/virtualdomains.erb index eb0301fb4..b814bbc4e 100644 --- a/modules/exim/templates/virtualdomains.erb +++ b/modules/exim/templates/virtualdomains.erb @@ -49,9 +49,6 @@ nm.debian.org: user=nm group=nm directory=/org/nm.debian.org/mail/" when "powell.debian.org" then "packages.debian.org: user=pkg_user group=Debian directory=/org/packages.debian.org/mail/" - #when "raff.debian.org" then "buildd.debian.org: user=wbadm group=wbadm directory=/srv/buildd.debian.org/mail -#logs.buildd.debian.org: user=wbadm group=wbadm directory=/srv/logs.buildd.debian.org/mail" - when "ravel.debian.org" then "women.debian.org: user=nobody group=mujeres directory=/org/women.debian.org/mail" when "ries.debian.org" then "release.debian.org: user=release group=debian-release directory=/org/release.debian.org/mail 
diff --git a/modules/motd/files/rem.debian.org/motd.tail b/modules/motd/files/rem.debian.org/motd.tail deleted file mode 100644 index 619bb202e..000000000 --- a/modules/motd/files/rem.debian.org/motd.tail +++ /dev/null @@ -1,20 +0,0 @@ - -20050413 flo - Finally the machine is up and running in its final destination - - Reachability problems should be solved - bogus objects - in firewall - - Added user joey -20060401 flo - Reduced ram to 512MB as the 1GB setup was producing - random hicups ... -20070411 flo - Maschine was dead - no connect, nothing on the console - rebooted. -20071008 flo - Planned but unannounced power-outage from 0:00-03:00 CEST - Machine didnt power up itself - needed a powerbutton -20080127 flo - Maschine died - rebooted by helping hands on site -20080222 flo - Put in a promise controller and a PATA 120GB Disk -20080302 flo - Create 2G swap on the UDMA capable disk and remove swap files -20080313 flo - rsynced /home to new disk and mounted it instead of /home - (old content in /home.backup.20080313) - - Installed smartmontools -20080819 weasel - moved this host under DSA control. account passwords, sudo - passwords and ssh keys are taken from ldap (db.debian.org). -20090221 weasel - moved to lenny. diff --git a/modules/munin-node/templates/munin-node.plugin.conf.erb b/modules/munin-node/templates/munin-node.plugin.conf.erb index fbf153977..b5012f7de 100644 --- a/modules/munin-node/templates/munin-node.plugin.conf.erb +++ b/modules/munin-node/templates/munin-node.plugin.conf.erb @@ -88,7 +88,7 @@ group maillog [bind*] <%= out = case hostname - when "geo1","geo2","geo3","raff" then "group bind + when "geo1","geo2","geo3" then "group bind env.logfile /var/log/bind9/geoip-query.log" else "group adm" end diff --git a/modules/nagios/files/per-host/geo1.debian.org/obsolete-packages-ignore.d-hostspecific b/modules/nagios/files/per-host/geo1.debian.org/obsolete-packages-ignore.d-hostspecific new file mode 100644 index 000000000..19e0ccfd7 --- /dev/null 
+++ b/modules/nagios/files/per-host/geo1.debian.org/obsolete-packages-ignore.d-hostspecific
@@ -0,0 +1,8 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+geoip-database
+libgeoip1
+geoip-bin
diff --git a/modules/nagios/files/per-host/geo2.debian.org/obsolete-packages-ignore.d-hostspecific b/modules/nagios/files/per-host/geo2.debian.org/obsolete-packages-ignore.d-hostspecific
new file mode 100644
index 000000000..19e0ccfd7
--- /dev/null
+++ b/modules/nagios/files/per-host/geo2.debian.org/obsolete-packages-ignore.d-hostspecific
@@ -0,0 +1,8 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+geoip-database
+libgeoip1
+geoip-bin
diff --git a/modules/nagios/files/per-host/geo3.debian.org/obsolete-packages-ignore.d-hostspecific b/modules/nagios/files/per-host/geo3.debian.org/obsolete-packages-ignore.d-hostspecific
new file mode 100644
index 000000000..19e0ccfd7
--- /dev/null
+++ b/modules/nagios/files/per-host/geo3.debian.org/obsolete-packages-ignore.d-hostspecific
@@ -0,0 +1,8 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+geoip-database
+libgeoip1
+geoip-bin
diff --git a/modules/named/files/common/GeoIPv6.dat b/modules/named/files/common/GeoIPv6.dat
deleted file mode 100644
index b425e60e4..000000000
Binary files a/modules/named/files/common/GeoIPv6.dat and /dev/null differ
diff --git a/modules/named/files/common/named.conf.acl b/modules/named/files/common/named.conf.acl
index f04c9b870..801b487d6 100644
--- a/modules/named/files/common/named.conf.acl
+++ b/modules/named/files/common/named.conf.acl
@@ -73,6 +73,7 @@ acl AS { country_AE; country_AF; country_AM; + country_AP; // global region Asia/Pacific country_AZ; country_BD; country_BH; @@ -141,6 +142,7 @@ acl EU { country_DK; country_EE; country_ES; + country_EU; // global region Europe country_FI; country_FO; country_FR; @@ -280,3 +282,12 @@ acl AN { country_HM; country_TF; }; + +acl undef { + country_A1; + country_A2; + 8.8.8.8/32; // Google DNS Server fails with GeoIP + 8.8.4.4/32; // Google DNS Server fails with GeoIP + 208.67.222.222/32; // OpenDNS fails with GeoIP + 208.67.220.220/32; // OpenDNS fails with GeoIP +}; diff --git a/modules/named/files/common/named.conf.debian-zones b/modules/named/files/common/named.conf.debian-zones index a7874dd33..066f9d540 100644 --- a/modules/named/files/common/named.conf.debian-zones +++ b/modules/named/files/common/named.conf.debian-zones @@ -5,8 +5,6 @@ // Slave domains, includ in bind.conf -// NOT USED YET - SYNC UP WITH dsa-misc/config/bind/ before enabling finally - zone "debian.org" { type slave; notify no; @@ -103,6 +101,31 @@ zone "2.0.0.0.2.0.0.0.8.5.8.0.1.0.0.2.ip6.arpa" { allow-transfer { }; }; +// debian rack with grnet +zone "192/27.211.177.194.in-addr.arpa" { + type slave; + notify no; + file "db.194.177.211.192"; + masters { + 82.195.75.106; // draghi + 2001:41b8:202:deb:216:36ff:fe40:3906; //draghi + }; + allow-query { any; }; + allow-transfer { }; +}; +zone "b.e.d.0.c.f.f.2.8.4.6.0.1.0.0.2.ip6.arpa" { + type slave; + notify no; + file "db.2001:0648:2ffc:0deb"; + masters { + 82.195.75.106; // draghi + 2001:41b8:202:deb:216:36ff:fe40:3906; //draghi + }; + allow-query { any; }; + allow-transfer { }; +}; + + // ipv6 at 1&1 - powell: 2001:08d8:0081:1520::/60 zone "2.5.1.1.8.0.0.8.d.8.0.1.0.0.2.ip6.arpa" { type slave; diff --git a/modules/named/files/common/named.conf.geo b/modules/named/files/common/named.conf.geo index ad520c37a..57fe21996 100644 --- a/modules/named/files/common/named.conf.geo +++ b/modules/named/files/common/named.conf.geo 
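Review bot: The new `acl undef` in the third named.conf.acl hunk mixes GeoIP placeholder codes with four hard-coded public resolver addresses, and only the addresses carry a comment. `country_A1` and `country_A2` should be explained the same way, e.g. `country_A1; // GeoIP: anonymous proxy` and `country_A2; // GeoIP: satellite provider`. The resolver addresses are a snapshot that will drift as the operators add service addresses, so a dated line above them such as `// public resolvers, list checked 2010-01` would tell the next editor that the list needs upkeep.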
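Review bot: Both slave zones added in the second named.conf.debian-zones hunk identify their masters by address only, so the transfer is authenticated by nothing but the source address of the answer. If named.conf.shared-keys (its content is not part of this diff) does not already bind a TSIG key to draghi through a `server` statement, the key belongs in the masters list itself: `82.195.75.106 key <placeholder-key-name>; // draghi`. Removing the "NOT USED YET" banner in the first hunk makes the whole file live, so the same question applies to the existing zones outside these hunks.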
@@ -6,6 +6,14 @@ view "AF" { match-clients { AF; }; + zone "volatile.debian.org" { + type master; + file "/etc/bind/geodns/db.volatile.debian.org.AF"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "security.geo.debian.org" { type master; file "/etc/bind/geodns/db.security.debian.org.AF"; @@ -22,6 +30,14 @@ view "AF" { allow-transfer { }; }; + zone "ftp.debian.org" { + type master; + file "/etc/bind/geodns/db.ftp.debian.org.AF"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "bugs.debian.org" { type master; file "/etc/bind/geodns/db.bugs.debian.org.AF"; @@ -50,6 +66,14 @@ view "AF" { view "AN" { match-clients { AN; }; + zone "volatile.debian.org" { + type master; + file "/etc/bind/geodns/db.volatile.debian.org.AN"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "security.geo.debian.org" { type master; file "/etc/bind/geodns/db.security.debian.org.AN"; @@ -66,6 +90,14 @@ view "AN" { allow-transfer { }; }; + zone "ftp.debian.org" { + type master; + file "/etc/bind/geodns/db.ftp.debian.org.AN"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "bugs.debian.org" { type master; file "/etc/bind/geodns/db.bugs.debian.org.AN"; @@ -94,6 +126,14 @@ view "AN" { view "AS" { match-clients { AS; }; + zone "volatile.debian.org" { + type master; + file "/etc/bind/geodns/db.volatile.debian.org.AS"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "security.geo.debian.org" { type master; file "/etc/bind/geodns/db.security.debian.org.AS"; @@ -110,6 +150,14 @@ view "AS" { allow-transfer { }; }; + zone "ftp.debian.org" { + type master; + file "/etc/bind/geodns/db.ftp.debian.org.AS"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "bugs.debian.org" { type master; file "/etc/bind/geodns/db.bugs.debian.org.AS"; 
@@ -138,6 +186,14 @@ view "AS" { view "EU" { match-clients { EU; }; + zone "volatile.debian.org" { + type master; + file "/etc/bind/geodns/db.volatile.debian.org.EU"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "security.geo.debian.org" { type master; file "/etc/bind/geodns/db.security.debian.org.EU"; @@ -154,6 +210,14 @@ view "EU" { allow-transfer { }; }; + zone "ftp.debian.org" { + type master; + file "/etc/bind/geodns/db.ftp.debian.org.EU"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "bugs.debian.org" { type master; file "/etc/bind/geodns/db.bugs.debian.org.EU"; @@ -182,6 +246,14 @@ view "EU" { view "NA" { match-clients { NA; }; + zone "volatile.debian.org" { + type master; + file "/etc/bind/geodns/db.volatile.debian.org.NA"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "security.geo.debian.org" { type master; file "/etc/bind/geodns/db.security.debian.org.NA"; @@ -198,6 +270,14 @@ view "NA" { allow-transfer { }; }; + zone "ftp.debian.org" { + type master; + file "/etc/bind/geodns/db.ftp.debian.org.NA"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "bugs.debian.org" { type master; file "/etc/bind/geodns/db.bugs.debian.org.NA"; @@ -226,6 +306,14 @@ view "NA" { view "OC" { match-clients { OC; }; + zone "volatile.debian.org" { + type master; + file "/etc/bind/geodns/db.volatile.debian.org.OC"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "security.geo.debian.org" { type master; file "/etc/bind/geodns/db.security.debian.org.OC"; @@ -242,6 +330,14 @@ view "OC" { allow-transfer { }; }; + zone "ftp.debian.org" { + type master; + file "/etc/bind/geodns/db.ftp.debian.org.OC"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "bugs.debian.org" { type master; file "/etc/bind/geodns/db.bugs.debian.org.OC"; 
@@ -270,6 +366,14 @@ view "OC" { view "SA" { match-clients { SA; }; + zone "volatile.debian.org" { + type master; + file "/etc/bind/geodns/db.volatile.debian.org.SA"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "security.geo.debian.org" { type master; file "/etc/bind/geodns/db.security.debian.org.SA"; @@ -286,6 +390,14 @@ view "SA" { allow-transfer { }; }; + zone "ftp.debian.org" { + type master; + file "/etc/bind/geodns/db.ftp.debian.org.SA"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "bugs.debian.org" { type master; file "/etc/bind/geodns/db.bugs.debian.org.SA"; 
@@ -310,10 +422,78 @@ view "SA" { allow-transfer { }; }; +}; +view "undef" { + match-clients { undef; }; + + zone "volatile.debian.org" { + type master; + file "/etc/bind/geodns/db.volatile.debian.org.undef"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + + zone "security.geo.debian.org" { + type master; + file "/etc/bind/geodns/db.security.debian.org.undef"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + + zone "security.debian.org" { + type master; + file "/etc/bind/geodns/db.security.debian.org.undef"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + + zone "ftp.debian.org" { + type master; + file "/etc/bind/geodns/db.ftp.debian.org.undef"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + + zone "bugs.debian.org" { + type master; + file "/etc/bind/geodns/db.bugs.debian.org.undef"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + + zone "www.debian.org" { + type master; + file "/etc/bind/geodns/db.www.debian.org.undef"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + + zone "packages.debian.org" { + type master; + file "/etc/bind/geodns/db.packages.debian.org.undef"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + }; view "default" { match-clients { any; }; + zone "volatile.debian.org" { + type master; + file "/etc/bind/geodns/db.volatile.debian.org"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "security.geo.debian.org" { type master; file "/etc/bind/geodns/db.security.debian.org"; @@ -330,6 +510,14 @@ view "default" { allow-transfer { }; }; + zone "ftp.debian.org" { + type master; + file "/etc/bind/geodns/db.ftp.debian.org"; + notify no; + allow-query { any; }; + allow-transfer { }; + }; + zone "bugs.debian.org" { type master; file "/etc/bind/geodns/db.bugs.debian.org"; diff --git a/modules/named/files/common/named.conf.options b/modules/named/files/common/named.conf.options index 1a872001c..b81be8c87 100644 
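Review bot: `view "undef"` is inserted after `view "SA"`, and named serves a client from the first view whose `match-clients` matches, so this view is only reached by clients that fall into none of the continent ACLs. If the GeoIP data assigns 8.8.8.8, 8.8.4.4 and the two OpenDNS addresses to some country, which the "fails with GeoIP" comments in `acl undef` suggest, those resolvers keep getting a continent view and the explicit entries have no effect. Moving the whole `view "undef" { ... };` block ahead of `view "AF"` makes the override win. `country_A1` and `country_A2` are unaffected by the move, assuming they appear in no continent ACL.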
--- a/modules/named/files/common/named.conf.options +++ b/modules/named/files/common/named.conf.options @@ -25,6 +25,7 @@ options { allow-update { none; }; allow-transfer { none; }; allow-recursion { Nagios; }; + blackhole { 192.168.0.0/16; 10.0.0.0/8; 172.16.0.0/12; }; }; logging { diff --git a/modules/named/files/common/recvconf.files b/modules/named/files/common/recvconf.files index 9c6667b6c..e91238323 100644 --- a/modules/named/files/common/recvconf.files +++ b/modules/named/files/common/recvconf.files @@ -27,6 +27,12 @@ file etc/bind/geodns/db.bugs.debian.org.AS group geodnssync precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail bugs.debian.org etc/bind/geodns/db.bugs.debian.org.AS postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.bugs.debian.org.undef + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail bugs.debian.org etc/bind/geodns/db.bugs.debian.org.undef + postcommand sudo /etc/init.d/bind9 reload file etc/bind/geodns/db.bugs.debian.org.AF perms 0644 user geodnssync 
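Review bot: The added `blackhole` line carries no comment, and because it sits in the common options file it changes behaviour on every named host at once. `blackhole` is applied before the allow-* ACLs and also stops named from sending queries to the listed ranges, so if the `Nagios` ACL used by `allow-recursion` on the line above contains an RFC 1918 address, its checks will time out rather than be answered. I would add `// drop RFC 1918 sources: these servers are public, such packets are spoofed or leaked` above the line and confirm that the Nagios ACL, which is defined outside this hunk, holds only public addresses.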
@@ -51,6 +57,60 @@ file etc/bind/geodns/db.bugs.debian.org.NA group geodnssync precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail bugs.debian.org etc/bind/geodns/db.bugs.debian.org.NA postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.ftp.debian.org.AN + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail ftp.debian.org etc/bind/geodns/db.ftp.debian.org.AN + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.ftp.debian.org.SA + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail ftp.debian.org etc/bind/geodns/db.ftp.debian.org.SA + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.ftp.debian.org.OC + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail ftp.debian.org etc/bind/geodns/db.ftp.debian.org.OC + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.ftp.debian.org.AS + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail ftp.debian.org etc/bind/geodns/db.ftp.debian.org.AS + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.ftp.debian.org.undef + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail ftp.debian.org etc/bind/geodns/db.ftp.debian.org.undef + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.ftp.debian.org.AF + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail ftp.debian.org etc/bind/geodns/db.ftp.debian.org.AF + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.ftp.debian.org + perms 0644 + 
user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail ftp.debian.org etc/bind/geodns/db.ftp.debian.org + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.ftp.debian.org.EU + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail ftp.debian.org etc/bind/geodns/db.ftp.debian.org.EU + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.ftp.debian.org.NA + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail ftp.debian.org etc/bind/geodns/db.ftp.debian.org.NA + postcommand sudo /etc/init.d/bind9 reload file etc/bind/geodns/db.packages.debian.org.AN perms 0644 user geodnssync @@ -75,6 +135,12 @@ file etc/bind/geodns/db.packages.debian.org.AS group geodnssync precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail packages.debian.org etc/bind/geodns/db.packages.debian.org.AS postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.packages.debian.org.undef + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail packages.debian.org etc/bind/geodns/db.packages.debian.org.undef + postcommand sudo /etc/init.d/bind9 reload file etc/bind/geodns/db.packages.debian.org.AF perms 0644 user geodnssync 
@@ -123,6 +189,12 @@ file etc/bind/geodns/db.security.debian.org.AS group geodnssync precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.AS postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.security.debian.org.undef + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.undef + postcommand sudo /etc/init.d/bind9 reload file etc/bind/geodns/db.security.debian.org.AF perms 0644 user geodnssync 
@@ -147,6 +219,60 @@ file etc/bind/geodns/db.security.debian.org.NA group geodnssync precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.NA postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.volatile.debian.org.AN + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail volatile.debian.org etc/bind/geodns/db.volatile.debian.org.AN + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.volatile.debian.org.SA + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail volatile.debian.org etc/bind/geodns/db.volatile.debian.org.SA + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.volatile.debian.org.OC + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail volatile.debian.org etc/bind/geodns/db.volatile.debian.org.OC + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.volatile.debian.org.AS + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail volatile.debian.org etc/bind/geodns/db.volatile.debian.org.AS + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.volatile.debian.org.undef + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail volatile.debian.org etc/bind/geodns/db.volatile.debian.org.undef + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.volatile.debian.org.AF + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail volatile.debian.org 
etc/bind/geodns/db.volatile.debian.org.AF + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.volatile.debian.org + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail volatile.debian.org etc/bind/geodns/db.volatile.debian.org + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.volatile.debian.org.EU + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail volatile.debian.org etc/bind/geodns/db.volatile.debian.org.EU + postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.volatile.debian.org.NA + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail volatile.debian.org etc/bind/geodns/db.volatile.debian.org.NA + postcommand sudo /etc/init.d/bind9 reload file etc/bind/geodns/db.www.debian.org.AN perms 0644 user geodnssync @@ -171,6 +297,12 @@ file etc/bind/geodns/db.www.debian.org.AS group geodnssync precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail www.debian.org etc/bind/geodns/db.www.debian.org.AS postcommand sudo /etc/init.d/bind9 reload +file etc/bind/geodns/db.www.debian.org.undef + perms 0644 + user geodnssync + group geodnssync + precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail www.debian.org etc/bind/geodns/db.www.debian.org.undef + postcommand sudo /etc/init.d/bind9 reload file etc/bind/geodns/db.www.debian.org.AF perms 0644 user geodnssync diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp index 42e1db9bb..191f898ef 100644 --- a/modules/named/manifests/geodns.pp +++ b/modules/named/manifests/geodns.pp 
@@ -62,14 +62,6 @@ class named::geodns inherits named { mode => 444, ; - "/usr/share/GeoIP/GeoIPv6.dat": - source => [ "puppet:///named/per-host/$fqdn/GeoIPv6.dat", - "puppet:///named/common/GeoIPv6.dat" ], - owner => root, - group => root, - mode => 444, - ; - "/etc/ssh/userkeys/geodnssync": source => [ "puppet:///named/per-host/$fqdn/authorized_keys", "puppet:///named/common/authorized_keys" ], diff --git a/modules/named/manifests/secondary.pp b/modules/named/manifests/secondary.pp index b9615a627..8d00d0aff 100644 --- a/modules/named/manifests/secondary.pp +++ b/modules/named/manifests/secondary.pp @@ -1,8 +1,13 @@ class named::secondary inherits named { -# file { "/etc/bind/named.conf.debian-zones": -# source => [ "puppet:///named/per-host/$fqdn/named.conf.debian-zones", -# "puppet:///named/common/named.conf.debian-zones" ], -# notify => Exec["bind9 reload"], -# } + file { "/etc/bind/named.conf.debian-zones": + source => [ "puppet:///named/per-host/$fqdn/named.conf.debian-zones", + "puppet:///named/common/named.conf.debian-zones" ], + notify => Exec["bind9 reload"], + } + file { "/etc/bind/named.conf.shared-keys": + mode => 640, + owner => root, + group => bind, + } } diff --git a/modules/resolv/templates/resolv.conf.erb b/modules/resolv/templates/resolv.conf.erb index 8fa658de5..eb59db861 100644 --- a/modules/resolv/templates/resolv.conf.erb +++ b/modules/resolv/templates/resolv.conf.erb @@ -19,6 +19,13 @@ case hoster end nameservers += ["82.195.75.81", "82.195.66.249", "217.198.242.225"] searchpaths << "debprivate-darmstadt.debian.org" + when "ftcollins" then + case hostname + when "spohr", "samosa" then + nameservers << "127.0.0.1" + end + nameservers += ["192.25.206.33", "192.25.206.57"] + searchpaths << "debprivate-ftcollins.debian.org" end searchpaths << "debian.org" diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb index e99822a21..64ebe2283 100644 --- a/modules/samhain/templates/samhainrc.erb 
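Review bot: In secondary.pp, `/etc/bind/named.conf.debian-zones` is now deployed and followed by `Exec["bind9 reload"]` with no syntax check in between, while every zone file in recvconf.files goes through a `named-checkzone` precommand first. A typo in the common file would reach all secondaries in one run; what named does then depends on the exec, which is defined outside this diff. Consider gating the reload on a config check, e.g. `onlyif => "/usr/sbin/named-checkconf"` on that exec. The resource also sets no `owner`, `group` or `mode`, unlike the shared-keys resource below it, so it depends on whatever File defaults are in scope.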
+++ b/modules/samhain/templates/samhainrc.erb @@ -75,7 +75,10 @@ file=/etc/mtab file=/etc/ssh_random_seed file=/etc/asound.conf +<% case hoster when "ubcece", "darmstadt", "ftcollins" then "" +else -%> file=/etc/resolv.conf +<% end -%> file=/etc/localtime file=/etc/ioctl.save file=/etc/passwd.backup @@ -205,6 +208,10 @@ file=/var/log/syslog ## ## This file might be created or removed by the system sometimes. ## +<% case hoster when "ubcece", "darmstadt", "ftcollins" then "" -%> +file=/etc/resolv.conf +<% else +end -%> file=/etc/resolv.conf.pcmcia.save file=/etc/nologin file=/etc/postfix/debian.db @@ -237,11 +244,9 @@ file=/etc/exim4/locals file=/etc/exim4/localusers file=/etc/exim4/manualroute file=/etc/exim4/rbllist -file=/etc/exim4/rcpthosts file=/etc/exim4/rhsbllist file=/etc/exim4/virtualdomains file=/etc/exim4/whitelist -file=/etc/exim4/local-auto.conf file=/etc/exim4/local-settings.conf file=/etc/exim4/ssl/ca.crt file=/etc/exim4/ssl/ca.crl @@ -363,6 +368,8 @@ file=/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg" when "handel.debian.org": extrafiles="dir=8/etc/puppet" when "dijkstra.debian.org": extrafiles="dir=4/etc/dsa-kvm" when /geo[123].debian.org/: extrafiles="dir=1/etc/bind/geodns" +when /(senfl|ravel|rietz|klecker).debian.org/: extrafiles="dir=1/etc/bind +file=/etc/bind/named.conf.debian-zones" end extrafiles %> diff --git a/modules/ssh/templates/authorized_keys.erb b/modules/ssh/templates/authorized_keys.erb index acdca8b7c..08da26e73 100644 --- a/modules/ssh/templates/authorized_keys.erb +++ b/modules/ssh/templates/authorized_keys.erb 
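Review bot: The first two samhainrc hunks move `file=/etc/resolv.conf` into the "might be created or removed" block for three hosters, which presumably places it under a looser policy on exactly the hosts where Puppet now writes it. resolv.conf decides which resolvers a host trusts, so a comment should state that Puppet is the expected writer there and whether content changes are still reported; the section headers that set the policy are outside both hunks. The hoster list is also written twice and has to follow resolv.conf.erb by hand. A single `<% puppet_resolv = %w{ubcece darmstadt ftcollins}.include?(hoster) -%>` near the top, used as `<% unless puppet_resolv -%>` and `<% if puppet_resolv -%>` at the two places, reads better than a `case` with an empty `then ""` branch.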
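Review bot: The pattern `/(senfl|ravel|rietz|klecker).debian.org/` added in the last samhainrc hunk is unanchored and its dots match any character, so it selects any host name that merely contains one of these strings. It follows the style of the `geo[123]` line above it, but for a rule that decides which hosts get `/etc/bind` monitored an exact match is safer: `when /\A(senfl|ravel|rietz|klecker)\.debian\.org\z/:`. The `case` statement this branch belongs to starts before the hunk.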
@@ -25,7 +25,6 @@ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAt3g97cGfOA9DnAKF6h8RlFDppPtyKfjlyvG4f+gTTYAk ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwbRijHuvIC6cZUZwUfqLT5t/4GRvqiBBmYXkRRhwMajTOBeaR6vRx9mZ+UdTAUKno8LuMNvFoovvwXBqqwH7yMa/SHgpA0wXl+bcYUbtoRbOVQEXwX/70Yoo0HLMGwoeuddjUICYZQomLYYLlkrWt1in9g4AGzqtmyCcDrxaneGYOvwJIm4sBhhJfns3j8AK7wIAaOA5fU9azR6JofX8g7QhqVrTlww0yOTlHsqheGUnLVzqPTzcJTPLDWKs9DOZT8a+IOc1R5TS2k07IFZk4TjCodW+iLCKHdudqpS8MKOY9EtfDaANl7JeCNa0NUZRVeXX9H4jtPIJ5/naa6m1XQ== Florian.Lohoff(flo,mW-N,RSA,2048)" when "sperger.debian.org" then "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAuXKdZTW+Ju0p+4pBXPFSEF9lyav7x5yR0P0Gk6NijfWIbx6DQKbCccR0PobDL+To1dtCP9JbOr3zZjV0VaRpMqlfjH1DR/SkI7orcomwh0fFYzygx2OZ9HJCYv2UERRsKEt3GJr2yFEaNSLg25tIOpvwsHSIQHt8hg5h6sdyzgCrEvwfCImncdyp1WssqFp70TXyRWnSSzq8cMH1zE8B9uoPATTVjcFB6E8+HuY5KSd8Thg2jQ+2pFLj8D0VNMj9nCVRlDOhunkfMzS7rx3eBl3oqxgIL8SWfB7aZKdEb77RXemUBvNDghWTaQxgXlOQP4v/cVrg03TNlcM5kbZqIeBidfzF5C1lcZOuAMlZYSq+bpdBC9j+dT2Lr/blNatN7LKLYVaQ+W7a6zAvmfubr+vjhO+JUY8XT9wmFlY+o1wYaup455LA3pmKhBPGpcNtaZ7FEotGNYTXjpTbpzMp6vvOXf3n325GWS9so9e6PTbuvdJdRO5Et69kV5dqP4XwUT3d3SQs5W16Rj6QF0Aod2QFEaIpZu52fkyt4dAn0WCRnDR2PB9n99CDZ4f4mKg66u6oNT3RUcMtK1lHyhxlFdjG7qJ2EwnqLbTpvWq8qD5zzc/uJwy9eK5RqQhXMtIP+2FN7o2cfw2n8tUx4LIeCMZ8pcVHgY17M2v/oBLn+IU= bzed@think" when "tartini.debian.org" then "ssh-rsa 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 jeroen@eee.wolffelaar.nl 2008-05-14" - when "zelenka.debian.org" then "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA185aKAQqnSecI0peA4YhzfOjmN5fM6DJ5JJzxnLfNRdXBwtEOI8z+BFdHqQHDBQp3jq4V45ZaCyg/Qi8WTjDoPG/UyHx1FWAfC37pLlQQJ3Vq7X4BDrCvRwBNj+rI9tiUi+PXW6m2MaihblSmcNQGdmO7nHgxKsEXNLIEKfRtYBveTiolNACXxO//kDBwGFgvnAKiv5jtD6xcrA5d2DpvUX07zWhRsNbilba8JyqN+sOEbKtKa/7uCY9TD3Z1/aSFAw3I9K1S+DDdZZ7hK09BLwpcXRG6zAVqYzZ4rZ/S2zP+dXPy5L13ORNAGdv8d9Krw8iYjuJ6YfOqFAQIrH+EQ== waldi@debian.org" end localkeys %> 
@@ -36,8 +35,7 @@ localkeys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwe0KhG7S6agOekJ5U2DB/Ze2B5u9/PKo2ha765ZkYOScRWdRWUSOYwBOrrfrQUf1gCicdcsG9lLnbTeFeH4i9UJ8XUf4uhS4rK0RurKf5MN8xlqETU88q7fMTQj5LXkkJXrs8aMCxKmMhGlh62CUbANCY7i6hzXIo7KU1MIdT/E= lucaf@bofh ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1zy2/qSBpYaOKYVEnDI+KEiQlPiKsTv96zJeNdu7xLY1bwd3n0ORyTGO4Hp06PBlfek0f7/xClUHb7xgroTWAebhOes880evhGmYemQyYew+a2nBXyuiEFT8QS+Iw601zFRgy/+0nZvCAkr5Xn+mHtnhQKu5GzWsYVl3uxMo7CEiCOVpupz7FjALAoMgY25JYtFAuK0hwzAO/r9Ja89jmgdAlWJn1uAziwUVBmM6bR6AhhvI+9WR6XDzElz5pVT740kbA6ri+Jv2in9Gp7eIfgdXnaXJvxuqMk0zPB6Y7MZ0UmlvpU4A1h83SAYf6XyOHgWyn+fYhF41OR958ShLIQ== lucaf@portabofh # zobel -ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvA82iZhdqMbUYXGv9DSMNRmFuXpemOQyAZCd6YkI1XtFEGMN3hlA1XrXRep0FwChCOOs+I/W/vyBdChRKzqxDE1HmTORhCxHNOwWBg1XaRLyeGFo5MEhNzGG0GQBx2+bwVkGLwPTWPQ+A1eV+mm52CpqjeRpeiu4ums6zJ7/oZRwpvZcGoHCu3KxCHtzUwyoufv7BpbwZLk0WyRg70gJ2mwJpVNPFktVSlykdbUmuQ0y76/XIOoCcFD1W44WLu8WWBOWbyPM+gE7pb1Z711MM3k949AJgDqyHYMxTD1d3b2aeoX9zW0zGFrbZVDCrDOkUNlH2b4er/Lm1xXhYQAuSQ== zobel@lunar -ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA79oE1QcaEmY/RPA8pJWaY1t9GZ0icXK0dEPpqMwyWeZM3k9Avfx6M/ROGVnDOe+BZ86tZzom1yqOhUdpmSG2akNWfwQXkKrkDEGYfYVLKANaXpgwEJMNrmQGZa9jZtQfcR4ogz6Codk5meegSareWhhIw+oNdaH2KVCwxOYQv8xb1BGIOdOze0LdGiOzXRegtVnquiL3xs1EAiH4RiFbOXwFDnGq3szj54xzO08LrMUqt+xFBNpa6yBeK7VQWpwQU7sml2K1OJ2yux5O9ISmld0/He+OI+Ocse1Fk9UapiWF4RqT4OawpYRJoeS6sSDu2pzsSnMSdvvHwn4VuD0khQ== Martin Zobel-Helas - debian key (2008-08-26) +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuWUv0xRqmnrYX/7b80HIAY9s80Qp4QRFH3DXEkuyDeprJC+GdJs2S/fwhWI9eZDF8NN03SLoOg9q7lXoy2Ts6tda8zfqIf/IBnvcqbsoCtbmrOTvwHj5fVFh0fw72KSc8b+Bccs+1aLXUqP2eSKXB9jpR+apUd7DQ0i6si2/fwrQvqXZ71NeRkcSXIuED9PCA2298DKob1tCAXP1XSIswxxgHdGZgVHYhNt33XSM7zksTbMjr7NBZkJOcgk3dLOVz2RSo38+Curv8nPVoD4uIsE551GXnNTPZiMosvDY3Cy3gTwBhpXFxtkRDr0jMQpYj+ahQ3F+MFJr+0S89QeHfQ== Martin Zobel-Helas - debian adm key (2010-01-04) # weasel ssh-rsa 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 Peter Palfrader - 
debian adm key (2008-05-11) # sgran diff --git a/modules/sudo/files/common/sudoers b/modules/sudo/files/common/sudoers index f0218b113..9ff6f97fc 100644 --- a/modules/sudo/files/common/sudoers +++ b/modules/sudo/files/common/sudoers @@ -42,6 +42,7 @@ admin agnesi=(ALL) ALL # nagios nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup "" # with smartarray controllers +nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli "" nagios ALL=(ALL) NOPASSWD: /usr/bin/arrayprobe "" nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller all show nagios ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=[02] pd all show @@ -77,6 +78,7 @@ nagios bellini,cimarosa,morricone,paganini,respighi,vivaldi=(ALL) NOPASSWD: /us %popcon ALL=(popcon) ALL %secretary ALL=(secretary) ALL %sectracker ALL=(sectracker) ALL +%security SECHOSTS=(mail_security) ALL %snapshot ALL=(snapshot) ALL %uddadm ALL=(udd) ALL %volatile ALL=(volatile) ALL @@ -102,8 +104,8 @@ pkg_user powell=(archvsync) NOPASSWD: /home/archvsync/bin/pushpdo # remote power to babylon5 in the same rack: joerg unger=(ALL) /usr/bin/sispmctl -t 1, /usr/bin/sispmctl -g 1 # wbadm can update all buildd* users' keys on buildd.d.o -%wbadm raff=(root) /usr/local/bin/update-buildd-sshkeys %wbadm cimarosa=(root) /usr/local/bin/update-buildd-sshkeys +wbadm cimarosa=(postgres) NOPASSWD: /usr/bin/pg_dumpall --cluster 8.4/wanna-build # mirror push dak ries=(archvsync) NOPASSWD:/home/archvsync/runmirrors planet senfl=(archvsync) NOPASSWD: /home/archvsync/bin/runplanet "" diff --git a/templates/exim-local-auto.erb b/templates/exim-local-auto.erb deleted file mode 100644 index 0412dcd07..000000000 --- a/templates/exim-local-auto.erb +++ /dev/null 
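Review bot: `nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""` in the first sudoers hunk pins the argument list to empty, and as far as I know hpasmcli started without arguments opens its interactive prompt, which accepts `set` and `clear` as well as `show`. That gives a monitoring account more than read access to the management controller, and `(ALL)` lets it choose any target user. If the check can pass its query on the command line, restrict the rule to `(root)` and to the exact `-s` invocation the plugin issues. The rule also applies on `ALL` hosts although the comment above it speaks of hosts with smartarray controllers.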
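Review bot: `%security SECHOSTS=(mail_security) ALL` in the second sudoers hunk depends on a `Host_Alias SECHOSTS` that no hunk of this diff defines. If the alias is missing, sudo at best warns and treats the name as an ordinary host name, so the rule would match no host; the file lives under files/common and is shipped to every machine. Worth confirming that the alias exists elsewhere in the file and running `visudo -c -f` on it before it is pushed.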
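Review bot: The rule added in the third sudoers hunk is for user `wbadm`, while the neighbouring rule and the comment above it are for group `%wbadm`. If the group was meant, the missing `%` makes the rule apply to nobody, or to an unrelated account of that name. Separately, `pg_dumpall` run as `postgres` writes the cluster's global objects, role definitions with their password hashes included, so the dump is more sensitive than the wanna-build data alone. A comment such as `# wbadm may dump the wanna-build cluster; output contains role password hashes` would record that, and the existing "update all buildd* users' keys" comment no longer describes both rules beneath it.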
@@ -1,49 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# Various bits of software -<% if has_variable?("clamd") && clamd == "true" -%> -CLAMAV = clamd:/var/run/clamav/clamd.ctl -<% else -%> -# CLAMAV is undefined -<% end -%> -<% if has_variable?("postgrey") && postgrey == "true" -%> -USE_GREYLISTING = 1 -# HAVE_GREYLIST is undefined -HAVE_POSTGREY = 1 -<% elsif has_variable?("greylistd") && greylistd == "true" -%> -USE_GREYLISTING = 1 -HAVE_GREYLIST = 1 -# HAVE_POSTGREY is undefined -<% else -%> -# HAVE_POSTGREY is undefined -# HAVE_GREYLIST is undefined -# USE_GREYLISTING is undefined -<% end -%> -<% if has_variable?("policydweight") && policydweight == "true" -%> -HAVE_POLICYD = 1 -<% else -%> -# HAVE_POLICYD is undefined -<% end -%> - -# user settings (controls some mail routing) -<% if has_variable?("bugs_host") && bugs_host == "true" -%> -HAVE_USER_DEBBUGS = 1 -<% else -%> -# HAVE_USER_DEBBUGS is undefined -<% end -%> -<% if has_variable?("qa_host") && qa_host == "true" -%> -HAVE_USER_QA = 1 -<% else -%> -# HAVE_USER_QA is undefined -<% end -%> - -# SSL stuff for mail relays -<% if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true" -%> -USE_TLS = 1 -<% else -%> -# USE_TLS is undefined -<% end -%> -