From: Peter Palfrader Date: Sun, 7 Jun 2009 17:22:04 +0000 (+0200) Subject: Merge branch 'master' of ssh://handel.debian.org/srv/puppet.debian.org/git/dsa-puppet X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=489c57a538241de27243d5a3bc2413c559d73022;hp=4585d002d4a4a2482bb276444ed224eb3428c620;p=mirror%2Fdsa-puppet.git Merge branch 'master' of ssh://handel.debian.org/srv/puppet.debian.org/git/dsa-puppet * 'master' of ssh://handel.debian.org/srv/puppet.debian.org/git/dsa-puppet: (26 commits) Another file that may be changed by puppet to ignore Maybe we don't need the sleep eh, duh. Need sudo for this. Try a longer wait? wait a moment after running reconfig, so that the reload works more accurate error message Move reject of localonly users to predata. This allows callouts to We push this with a Makefile for now Correct the name to samhain ignore Move the config file snippet to the top Fix the posthooks Revert "we should also samhain ignore that file" Revert "And it's directory" Change path to geo file Add my key Some tightening up Rename the views so I don't have to make code changes Well, there's only one way to figure out if this will work And allow the postcommand Also autogenerate bind config snippets ...
---
diff --git a/modules/buildd/files/mount-defaults b/modules/buildd/files/mount-defaults
new file mode 100644
index 000000000..f3971e2a1
--- /dev/null
+++ b/modules/buildd/files/mount-defaults
@@ -0,0 +1,12 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+# mount.defaults: static file system information for chroots.
+# Note that the mount point will be prefixed by the chroot path
+# (CHROOT_PATH)
+#
+#
+proc /proc proc defaults 0 0
+/dev/pts /dev/pts none rw,bind 0 0
+tmpfs /dev/shm tmpfs defaults 0 0
diff --git a/modules/buildd/manifests/init.pp b/modules/buildd/manifests/init.pp
index 1d711b9fa..7977b11ad 100644
--- a/modules/buildd/manifests/init.pp
+++ b/modules/buildd/manifests/init.pp
@@ -14,10 +14,14 @@ class buildd {
 notify => Exec["apt-get update"],
 ;
- "/etc/apt/trusted-keys.d/buildd.debian.org.asc":
- source => "puppet:///buildd/buildd.debian.org.asc",
- mode => 664,
- notify => Exec["apt-keys-update"],
- ;
+ "/etc/apt/trusted-keys.d/buildd.debian.org.asc":
+ source => "puppet:///buildd/buildd.debian.org.asc",
+ mode => 664,
+ notify => Exec["apt-keys-update"],
+ ;
+ "/etc/schroot/mount-defaults":
+ source => "puppet:///buildd/mount-defaults",
+ require => Package["sbuild"]
+ ;
 }
 }
diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml
index 732360684..8206d68a3 100644
--- a/modules/debian-org/misc/local.yaml
+++ b/modules/debian-org/misc/local.yaml
@@ -1,7 +1,9 @@
 ---
 nameinfo:
 agnesi.debian.org: Maria Teresa Agnesi (October 17, 1720 - January 19, 1795)
+ agricola.debian.org: Alexander Agricola (1445 or 1446 - August 15, 1506)
 albeniz.debian.org: Isaac Manuel Francisco Albéniz i Pascual (May 29, 1860 - May 18, 1909)
+ allegri.debian.org: Gregorio Allegri (1582 - 7 February 1652)
 ancina.debian.org: Giovanni Giovenale Ancina (19 October 1545 - August 30, 1604)
 arcadelt.debian.org: Jacques Arcadelt (also Jacob Arcadelt) (?1507 - October 14, 1568)
 argento.debian.org: Dominick Argento (b. October 27, 1927)
@@ -20,6 +22,7 @@ nameinfo:
 klecker.debian.org: Dedicated to Joel 'Espy' Klecker (1979 - July 11, 2000)
 lafayette.debian.org: Eugenie Lafayette
 lebrun.debian.org: Francesca Lebrun (March 24, 1756 - May 14, 1791)
+ liszt.debian.org: Franz Liszt (October 22, 1811 - July 31, 1886)
 mahler.debian.org: Gustav Mahler (7 July 1860 - 18 May 1911)
 mayr.debian.org: Johann(es) Simon Mayr (June 14, 1763 - December 2, 1845)
 merkel.debian.org: Gustav (Adolf) Merkel (November 12, 1827 - October 30, 1885)
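Review bot: The new `"/etc/schroot/mount-defaults"` resource sets no `owner`, `group` or `mode`, unlike the sibling `buildd.debian.org.asc` entry directly above it, so the permissions of a file schroot consults when setting up chroots are left to Puppet's defaults and to whatever already exists on the host; adding `owner => root, group => root, mode => 644,` pins them and matches the sibling's style. The re-indented apt key entry keeps `mode => 664`, which leaves an APT trusted key group-writable — harmless while the group is root, but `644` states the intent better. The enclosing `file { ... }` block and the class begin before the hunk.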
@@ -53,6 +56,7 @@ nameinfo:
 strauss.debian.org: Johann Baptist Strauß (October 25, 1825 - June 3, 1899)
 tartini.debian.org: Giuseppe Tartini (April 8, 1692 - February 26, 1770)
 unger.debian.org: Caroline Unger (October 28, 1803 - March 23, 1877)
+ valente.debian.org: Vincenzo Valente (February 21, 1855 - September 6, 1921)
 verdi.debian.org: Giuseppe Fortunino Francesco Verdi (October 9 or 10, 1813 - January 27, 1901)
 voltaire.debian.org: François-Marie Arouet (Voltaire) (21 November 1694 - 30 May 1778)
 wagner.debian.org: Wilhelm Richard Wagner (22 May 1813 - 13 February 1883)
diff --git a/modules/exim/files/common/callout_users b/modules/exim/files/common/callout_users
index d3c4d8e29..0ec22bd78 100644
--- a/modules/exim/files/common/callout_users
+++ b/modules/exim/files/common/callout_users
@@ -14,7 +14,6 @@ ftpmaster
 gandi-discount
 hostmaster
 keyring-maint
-leader
 lintian-maint
 listarchives
 mailer-daemon
diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb
index 98d608ce3..46f624e60 100644
--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
@@ -108,6 +108,7 @@ if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
 end
 out
 %>
+acl_smtp_predata = acl_check_predata
 # accept domain literal syntax in e-mail addresses. To actually make use of
 # this a router is also required
@@ -280,6 +281,13 @@ RT_QUEUE_MAP = /srv/rt.debian.org/mail/rt_queue_map
 ######################################################################
 begin acl
+acl_localonly:
+ accept local_parts = +local_only_users
+ domains = +local_domains
+ hosts = !+debianhosts
+
+ deny
+
 check_helo:
 warn set acl_c1 = 0
@@ -513,10 +521,22 @@ out
 condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}}
 message = no mail should ever come from <$sender_address>
- deny local_parts = +local_only_users
- domains = +local_domains
- hosts = !+debianhosts
- message = mail for $local_part is only accepted internally
+ warn condition = ${if eq{$acl_m6}{}}
+ acl = acl_localonly
+ set acl_m6 = localonly
+ set acl_m7 = ${if eq{$acl_m7}{}{$local_part@$domain}{$acl_m7, $local_part@$domain}}
+
+ warn condition = ${if eq{$acl_m6}{}}
+ !acl = acl_localonly
+ set acl_m6 = normal
+
+ defer condition = ${if eq{$acl_m6}{localonly}}
+ !acl = acl_localonly
+ log_message = Only one profile at a time, please
+
+ defer condition = ${if eq{$acl_m6}{normal}}
+ acl = acl_localonly
+ log_message = Only one profile at a time, please
 <%=
 out=''
@@ -788,6 +808,13 @@ end
 out
 %>
+acl_check_predata:
+ deny condition = ${if eq{$acl_m6}{localonly}}
+ message = mail for $acl_m7 is only accepted internally
+
+ accept
+
+
 #!!# ACL that is used after the DATA command
 check_message:
 require verify = header_syntax
diff --git a/modules/geodns/files/common/authorized_keys b/modules/geodns/files/common/authorized_keys
index afba8d0e9..646c710d4 100644
--- a/modules/geodns/files/common/authorized_keys
+++ b/modules/geodns/files/common/authorized_keys
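Review bot: Both `defer` statements in the rewritten RCPT ACL reject a recipient with a bare 451 and only a `log_message`, so a remote MTA that mixes a local-only and a normal recipient in one transaction is told nothing about what it did wrong; adding `message = Only one profile at a time, please` alongside each `log_message` would tell the client. The mechanism itself — `$acl_m6` is fixed by the first recipient and recipients of the other profile are deferred, presumably so the sender retries them in a separate transaction that `acl_check_predata` (the hunk at line 808) can then judge as a whole via `$acl_m6`/`$acl_m7` — is stated nowhere in the hunk and deserves a comment above the first `warn`, e.g. `# Message profile: acl_m6 = localonly|normal is set by the first recipient; recipients of the other profile are deferred so the sender splits the message, and acl_check_predata rejects localonly messages from outside`. Note that the rejection of local-only recipients has moved from the RCPT stage to predata, so an outside sender now sees it after DATA rather than per recipient. This relies on `$acl_m6` and `$acl_m7` not being used by other statements in the connection's ACLs, which cannot be confirmed from the hunk; the enclosing RCPT ACL begins and ends outside it.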
@@ -3,3 +3,4 @@ # USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git # from="82.195.75.106,2001:41b8:202:deb:216:36ff:fe40:3906",command="/etc/bind/geodns/recvconf /etc/bind/geodns/recvconf.files",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2cJCkmggW6TD0UPJP9lelDno8qbYGXPeYE4+QmkqJv8mslcHxmx5tA2TvpJ9qbAUMPOdZf9ihomwPmFzz9UNZH4eDA8F126UUP5DXsh7FC7yVGSBUNdJdYS7m2wtVs8ddhrVdI+8c39D7NVGGjtUCJCWA/3fE65O183Gm+vER65SYR6LfHlEiC2FBROs6qwnjQ0yw194MnU7Jxl/GsTdZ72ArkmcPjuWsVHWtkSTt0hPfgBOyL4vSfBgl2p2eQBXCEPOaPTa1Yr5qfur1+Cj+iwadEmPfRap6rBO3wfIjbXt/KncM2uFrCXuF1TOqQxrs5LSe8dz16vf9Ckf9Ae5wQ== geodnssync@draghi (20090527) +from="91.103.132.25,2001:4b10:100b::dead:f00d",command="/etc/bind/geodns/recvconf /etc/bind/geodns/recvconf.files",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApBLc4ZoGTtXDJ1UhgA7NEPdwqibg5BSXZfKPgfM9wn0mZooAlYzVYwNfe08UmDwrGkSjeNphmzpiDFQA27WGLCgAw8SIjunojWKvJwJcDwx2W4OPLByZaVg/wcEivC2h0+xlRc9jFqKL5cOsTnKBuD4nC7r8qnNcWxyeEEJGP4PVb2zgrGhf8UK3bAqYPuQp0pBFo4EPdorxsgThshEWg9eqB94ph7s+YXoccoWh4NlH2TaO9QdjtsWCId6uhfpcrxjhwKRkqdjofKiOhBB3vqHE+Cpe95nKHZAP5JDgqFH/L+pzyOiRqfTeYh2ivaEBl6m5F7C/QlDBOFrOZkEtXQ== geodnssync key for sgran diff --git a/modules/geodns/files/common/named.conf.acl b/modules/geodns/files/common/named.conf.acl index 7ee6711fb..b0877d817 100644 --- a/modules/geodns/files/common/named.conf.acl +++ b/modules/geodns/files/common/named.conf.acl @@ -8,7 +8,7 @@ acl Nagios { }; // Africa -acl Africa { +acl AF { country_AO; country_BF; country_BI; @@ -69,7 +69,7 @@ acl Africa { }; // Asia -acl Asia { +acl AS { country_AE; country_AF; country_AM; @@ -127,7 +127,7 @@ acl Asia { }; // Europe -acl Europe { +acl EU { country_AD; country_AL; country_AT; @@ -182,7 +182,7 @@ acl Europe { }; // North America -acl NorthAmerica { +acl NA { country_AG; country_AI; country_AN; 
@@ -225,7 +225,7 @@ acl NorthAmerica {
 };
 // South America
-acl SouthAmerica {
+acl SA {
 country_AR;
 country_BO;
 country_BR;
@@ -243,7 +243,7 @@ acl SouthAmerica {
 };
 // Oceania
-acl Oceania {
+acl OC {
 country_AS;
 country_AU;
 country_CK;
@@ -273,7 +273,7 @@ acl Oceania {
 };
 // Antarctica
-acl Antarctica {
+acl AN {
 country_AQ;
 country_BV;
 country_GS;
diff --git a/modules/geodns/files/common/named.conf.geo b/modules/geodns/files/common/named.conf.geo
deleted file mode 100644
index 8c21bb679..000000000
--- a/modules/geodns/files/common/named.conf.geo
+++ /dev/null
@@ -1,126 +0,0 @@ -// -// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -// - -view "Africa" { - match-clients { - Africa; - }; - zone "security.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.AF"; - notify no; - }; - zone "security.geo.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.AF"; - notify no; - }; -}; - -view "Asia" { - match-clients { - Asia; - }; - zone "security.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.AS"; - notify no; - }; - zone "security.geo.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.AS"; - notify no; - }; -}; - -view "Europe" { - match-clients { - Europe; - }; - zone "security.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.EU"; - notify no; - }; - zone "security.geo.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.EU"; - notify no; - }; -}; - -view "NorthAmerica" { - match-clients { - NorthAmerica; - }; - zone "security.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.NA"; - notify no; - }; - zone "security.geo.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.NA"; - notify no; - }; -}; -view "SouthAmerica" { - match-clients { - SouthAmerica; - }; - zone "security.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.SA"; - notify no; - }; - zone "security.geo.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.SA"; - notify no; - }; -}; -view "Oceania" { - match-clients { - Oceania; - }; - zone "security.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.OC"; - notify no; - }; - zone "security.geo.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.OC"; - notify no; - }; -}; -view "Antarctica" { - match-clients { - Antarctica; - }; - zone "security.debian.org" { - type master; - file 
"/etc/bind/db.security.debian.org.AN"; - notify no; - }; - zone "security.geo.debian.org" { - type master; - file "/etc/bind/db.security.debian.org.AN"; - notify no; - }; -}; -view "other" { - match-clients { any; }; - zone "security.debian.org" { - type master; - file "/etc/bind/db.security.debian.org"; - notify no; - }; - zone "security.geo.debian.org" { - type master; - file "/etc/bind/db.security.debian.org"; - notify no; - }; -}; diff --git a/modules/geodns/files/common/named.conf.local b/modules/geodns/files/common/named.conf.local index 094022e06..ba4ae0ba6 100644 --- a/modules/geodns/files/common/named.conf.local +++ b/modules/geodns/files/common/named.conf.local @@ -4,4 +4,4 @@ // include "/etc/bind/named.conf.acl"; -include "/etc/bind/named.conf.geo"; +include "/etc/bind/geodns/named.conf.geo.security.debian.org"; diff --git a/modules/geodns/files/common/named.conf.options b/modules/geodns/files/common/named.conf.options index 7a90e66f8..aa593440d 100644 --- a/modules/geodns/files/common/named.conf.options +++ b/modules/geodns/files/common/named.conf.options @@ -21,6 +21,9 @@ options { auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; + allow-query { any; }; + allow-update { none; }; + allow-transfer { none; }; allow-recursion { Nagios; }; }; diff --git a/modules/geodns/files/common/recvconf.files b/modules/geodns/files/common/recvconf.files index 5e29bb297..b80f33532 100644 --- a/modules/geodns/files/common/recvconf.files +++ b/modules/geodns/files/common/recvconf.files 
@@ -3,43 +3,56 @@
 # USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
 #
+file etc/bind/geodns/named.conf.geo.security.debian.org
+ perms 0644
+ user geodnssync
+ group geodnssync
+ postcommand /usr/sbin/named-checkconf /etc/bind/named.conf && sudo /usr/sbin/rndc reconfig
 file etc/bind/geodns/db.security.debian.org
 perms 0644
 user geodnssync
 group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org
+ postcommand sudo /etc/init.d/bind9 reload
 file etc/bind/geodns/db.security.debian.org.AF
 perms 0644
 user geodnssync
 group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.AF
+ postcommand sudo /etc/init.d/bind9 reload
 file etc/bind/geodns/db.security.debian.org.AN
 perms 0644
 user geodnssync
 group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.AN
+ postcommand sudo /etc/init.d/bind9 reload
 file etc/bind/geodns/db.security.debian.org.AS
 perms 0644
 user geodnssync
 group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.AS
+ postcommand sudo /etc/init.d/bind9 reload
 file etc/bind/geodns/db.security.debian.org.EU
 perms 0644
 user geodnssync
 group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.EU
+ postcommand sudo /etc/init.d/bind9 reload
 file etc/bind/geodns/db.security.debian.org.NA
 perms 0644
 user geodnssync
 group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.NA
+ postcommand sudo /etc/init.d/bind9 reload
 file etc/bind/geodns/db.security.debian.org.OC
 perms 0644
 user geodnssync
 group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.OC
+ postcommand sudo /etc/init.d/bind9 reload
 file etc/bind/geodns/db.security.debian.org.SA
 perms 0644
 user geodnssync
 group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.SA
+ postcommand sudo /etc/init.d/bind9 reload
diff --git a/modules/geodns/manifests/init.pp b/modules/geodns/manifests/init.pp
index a0397d07e..27d236593 100644
--- a/modules/geodns/manifests/init.pp
+++ b/modules/geodns/manifests/init.pp
@@ -17,14 +17,6 @@ class geodns {
 owner => root,
 group => root,
 ;
- "/etc/bind/named.conf.geo":
- source => [ "puppet:///geodns/per-host/$fqdn/named.conf.geo",
- "puppet:///geodns/common/named.conf.geo" ],
- require => Package["bind9"],
- notify => Exec["bind9 restart"],
- owner => root,
- group => root,
- ;
 "/etc/bind/named.conf.acl":
 source => [ "puppet:///geodns/per-host/$fqdn/named.conf.acl",
 "puppet:///geodns/common/named.conf.acl" ],
diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb
index 50518143d..861e75a80 100644
--- a/modules/samhain/templates/samhainrc.erb
+++ b/modules/samhain/templates/samhainrc.erb
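Review bot: The new `named.conf.geo.security.debian.org` entry checks the configuration only after the file has been installed (`postcommand /usr/sbin/named-checkconf /etc/bind/named.conf && sudo /usr/sbin/rndc reconfig`), while every zone entry in the same hunk validates with a `precommand named-checkzone` before installation. If a pushed snippet does not parse, the `&&` skips the reconfig but leaves the broken file at the include path, where the next `sudo /etc/init.d/bind9 reload` triggered by a zone push, or any restart of named, will hit it; a `precommand` on the staged file — if recvconf checks it there as it appears to for the zones, which cannot be confirmed from this hunk — or a postcommand that restores the previous copy on failure would close that window. `named-checkconf` run as `geodnssync` also needs read access to `/etc/bind/named.conf` and everything it includes, otherwise the check fails on every push and the reconfig never happens. Finally, `rndc reconfig` re-reads the configuration and loads new zones but does not reload existing zone files, so zone data still depends on the `bind9 reload` of the `db.*` entries; a comment such as `# reconfig loads config and new zones only; zone data is reloaded by the db.* entries below` would document that split.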
@@ -90,9 +90,10 @@ file=/var/state/samhain/samhain_file
 file=/etc/bind/zones/db.debian.net
 file=/etc/exim4/bsmtp
 <% if hostname == "geo1" || hostname == "geo2" || hostname == "geo3" -%>
-file=/etc/bind/named.conf.geo
 file=/etc/bind/named.conf.acl
 file=/etc/bind/named.conf.options
+file=/etc/bind/geodns/named.conf.geo.security.debian.org
+file=/etc/bind/geodns/recvconf.files
 file=/etc/bind/geodns/db.security.debian.org.SA
 file=/etc/bind/geodns/db.security.debian.org.OC
 file=/etc/bind/geodns/db.security.debian.org.NA
diff --git a/modules/sudo/files/common/sudoers b/modules/sudo/files/common/sudoers
index 57ec4903a..5debc1e34 100644
--- a/modules/sudo/files/common/sudoers
+++ b/modules/sudo/files/common/sudoers
@@ -117,3 +117,4 @@ debwww klecker=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors
 %list liszt=(amavis) ALL
 # geodns may reload bind
 geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload
+geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig