From: root Date: Sat, 18 Mar 2017 18:46:43 +0000 (+0000) Subject: puppet 4 foo X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=6f2e5fc86e49c12b12eef39fc69e0e810a32c318;p=mirror%2Fdsa-puppet.git puppet 4 foo Signed-off-by: root Signed-off-by: Martin Zobel-Helas --- diff --git a/manifests/site.pp b/manifests/site.pp index 178fc2d31..28a443c29 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -21,10 +21,10 @@ Service { node default { include site include munin - include syslog-ng + include syslog_ng include sudo include ssh - include debian-org + include debian_org include monit include time include ssl @@ -69,7 +69,7 @@ node default { include bacula::storage } - if $::kernel == Linux { + if $::kernel == 'Linux' { include linux include acpi } elsif $::kernel == 'GNU/kFreeBSD' { @@ -113,7 +113,7 @@ node default { } if $::hostname in [geo3,wieck] { - include debian-org::radvd + include debian_org::radvd } if ($::postgres) { diff --git a/modules/acpi/manifests/init.pp b/modules/acpi/manifests/init.pp index feadbe356..f2c621b32 100644 --- a/modules/acpi/manifests/init.pp +++ b/modules/acpi/manifests/init.pp @@ -1,6 +1,6 @@ class acpi { if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) { - if ($::lsbmajdistrelease >= 8) { + if ($::lsbmajdistrelease >= '8') { package { 'acpid': ensure => purged } diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp index 2e7592721..19400ad6d 100644 --- a/modules/apache2/manifests/init.pp +++ b/modules/apache2/manifests/init.pp @@ -105,7 +105,7 @@ class apache2 { apache2::module { 'mpm_prefork': ensure => absent } apache2::module { 'mpm_worker': } } - if $::lsbmajdistrelease > 7 { + if $::lsbmajdistrelease > '7' { file { '/etc/apache2/mods-available/mpm_worker.conf': content => template('apache2/mpm_worker.erb'), } diff --git a/modules/apache2/manifests/site.pp b/modules/apache2/manifests/site.pp index 2a7257ba7..ff1ee20e1 100644 --- a/modules/apache2/manifests/site.pp 
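Review bot: Quoting the release number turns `$::lsbmajdistrelease >= '8'` in modules/acpi/manifests/init.pp into a string comparison, and Puppet 4 orders strings lexically, so a two-digit release such as '10' sorts below '8' and the branch flips. Compare versions instead, e.g. `if versioncmp($::lsbmajdistrelease, '8') >= 0 {`. The same pattern appears in modules/apache2/manifests/init.pp (`> '7'`), modules/apache2/manifests/site.pp (`<= '7'`) and modules/bacula/manifests/client.pp (`>= '9'`), where the wrong branch would pick the symlink name without `.conf` or skip the bacula-fd systemd drop-in. The class body continues outside the hunk.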
+++ b/modules/apache2/manifests/site.pp @@ -46,7 +46,7 @@ define apache2::site ( } } - if $::lsbmajdistrelease <= 7 { + if $::lsbmajdistrelease <= '7' { $symlink = "/etc/apache2/sites-enabled/${name}" } else { $symlink = "/etc/apache2/sites-enabled/${name}.conf" diff --git a/modules/apache2/templates/default-index.html b/modules/apache2/templates/default-index.html index ffb58f70a..c8c9c4019 100644 --- a/modules/apache2/templates/default-index.html +++ b/modules/apache2/templates/default-index.html @@ -1,16 +1,16 @@ - Welcome to <%= hostname %>! + Welcome to <%= @hostname %>! -

Welcome to <%= hostname %>!

+

Welcome to <%= @hostname %>!

-This is <%= hostname %>, a system run by and for the Debian Project. +This is <%= @hostname %>, a system run by and for the Debian Project. She does stuff. What kind of stuff and who our kind sponsors are you might learn on -db.debian.org. +db.debian.org.


diff --git a/modules/apache2/templates/disabled-index.html b/modules/apache2/templates/disabled-index.html index b9a3c720c..104efd48a 100644 --- a/modules/apache2/templates/disabled-index.html +++ b/modules/apache2/templates/disabled-index.html @@ -1,18 +1,18 @@ - Welcome to <%= hostname %>! + Welcome to <%= @hostname %>! -

Welcome to <%= hostname %>!

+

Welcome to <%= @hostname %>!

-This is <%= hostname %>, a system run by and for the Debian Project. +This is <%= @hostname %>, a system run by and for the Debian Project.

The service you have requested is currently disabled.

The reason for that and who our kind sponsors are you might learn on -db.debian.org. +db.debian.org.


diff --git a/modules/apache2/templates/puppet-config.erb b/modules/apache2/templates/puppet-config.erb index 966ff3fec..3a7134d45 100644 --- a/modules/apache2/templates/puppet-config.erb +++ b/modules/apache2/templates/puppet-config.erb @@ -10,7 +10,7 @@ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!SEED:!DSS <% end -%> - <%- if has_variable?("apache2deb9") && apache2deb9 == "true" -%> + <%- if has_variable?("apache2deb9") && @apache2deb9 == "true" -%> SSLUseStapling On # the default size is 32k, but we make it 1M. diff --git a/modules/bacula/manifests/client.pp b/modules/bacula/manifests/client.pp index 230b29f5a..05234fc9b 100644 --- a/modules/bacula/manifests/client.pp +++ b/modules/bacula/manifests/client.pp @@ -1,5 +1,5 @@ class bacula::client inherits bacula { - @@bacula::storage-per-node { $::fqdn: } + @@bacula::storage_per_node { $::fqdn: } if ! getfromhash($site::nodeinfo, 'not-bacula-client') { @@bacula::node { $::fqdn: @@ -50,7 +50,7 @@ class bacula::client inherits bacula { require => Package['bacula-fd'], notify => Service['bacula-fd'], } - if ($::lsbmajdistrelease >= 9 and $systemd) { + if ($::lsbmajdistrelease >= '9' and $systemd) { file { '/etc/systemd/system/bacula-fd.service.d': ensure => directory, mode => '0755', diff --git a/modules/bacula/manifests/storage-per-node.pp b/modules/bacula/manifests/storage-per-node.pp deleted file mode 100644 index 501921db3..000000000 --- a/modules/bacula/manifests/storage-per-node.pp +++ /dev/null 
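Review bot: `@apache2deb9 == "true"` in puppet-config.erb only matches when the fact reaches the template as a string. Other custom facts visible in this commit (e.g. paths.rb) return Ruby `true`; if apache2deb9 does the same and facts are not stringified under Puppet 4, the test is false and the `SSLUseStapling On` block is silently dropped. Normalising the value keeps both cases working: `<%- if has_variable?("apache2deb9") && @apache2deb9.to_s == "true" -%>`. How apache2deb9 is defined is not visible here, so this needs confirming against the fact.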
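Review bot: The exported resource on the changed line of modules/bacula/manifests/client.pp is titled with `$::fqdn`, a value reported by the node itself, and the define in storage_per_node.pp interpolates that title into `/etc/bacula/storage-conf.d/${name}.conf` and `${bacula_backup_path}/${name}` without checking it. Because the resource is exported (presumably collected on the storage host), a wrong or tampered fact would decide file paths on another machine. Consider titling it from the certificate name, `@@bacula::storage_per_node { $trusted['certname']: }`, and rejecting unexpected titles at the top of the define with `if $name !~ /\A[a-z0-9][a-z0-9.-]*\z/ { fail("invalid node name: ${name}") }`. The class body continues outside the hunk.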
@@ -1,27 +0,0 @@ -define bacula::storage-per-node() { - - include bacula - - $bacula_filestor_device = $bacula::bacula_filestor_device - $bacula_filestor_name = $bacula::bacula_filestor_name - $bacula_backup_path = $bacula::bacula_backup_path - - $bacula_client_name = "${name}-fd" - $client = $name - - file { - "/etc/bacula/storage-conf.d/${name}.conf": - content => template('bacula/storage-per-client.conf.erb'), - mode => '0440', - group => bacula, - notify => Exec['bacula-sd restart-when-idle'], - ; - "${bacula_backup_path}/${name}": - ensure => directory, - mode => '0755', - owner => bacula, - group => bacula, - ; - } -} - diff --git a/modules/bacula/manifests/storage_per_node.pp b/modules/bacula/manifests/storage_per_node.pp new file mode 100644 index 000000000..0a009456c --- /dev/null +++ b/modules/bacula/manifests/storage_per_node.pp @@ -0,0 +1,27 @@ +define bacula::storage_per_node() { + + include bacula + + $bacula_filestor_device = $bacula::bacula_filestor_device + $bacula_filestor_name = $bacula::bacula_filestor_name + $bacula_backup_path = $bacula::bacula_backup_path + + $bacula_client_name = "${name}-fd" + $client = $name + + file { + "/etc/bacula/storage-conf.d/${name}.conf": + content => template('bacula/storage-per-client.conf.erb'), + mode => '0440', + group => bacula, + notify => Exec['bacula-sd restart-when-idle'], + ; + "${bacula_backup_path}/${name}": + ensure => directory, + mode => '0755', + owner => bacula, + group => bacula, + ; + } +} + diff --git a/modules/bacula/templates/bacula-fd.conf.erb b/modules/bacula/templates/bacula-fd.conf.erb index 3597a0c78..116d3c585 100644 --- a/modules/bacula/templates/bacula-fd.conf.erb +++ b/modules/bacula/templates/bacula-fd.conf.erb 
@@ -6,35 +6,35 @@ # List Directors who are permitted to contact this File daemon Director { - Name = <%= bacula_director_name %> - Password = "<%= bacula_client_secret %>" + Name = <%= @bacula_director_name %> + Password = "<%= @bacula_client_secret %>" TLS Enable = yes TLS Require = yes TLS Verify Peer = yes - TLS Allowed CN = "clientcerts/<%= bacula_director_address %>" - TLS CA Certificate File = "<%= bacula_ca_path %>" + TLS Allowed CN = "clientcerts/<%= @bacula_director_address %>" + TLS CA Certificate File = "<%= @bacula_ca_path %>" # This is a server certificate, used for incoming director connections. - TLS Certificate = "<%= bacula_ssl_server_cert %>" - TLS Key = "<%= bacula_ssl_server_key %>" + TLS Certificate = "<%= @bacula_ssl_server_cert %>" + TLS Key = "<%= @bacula_ssl_server_key %>" } # "Global" File daemon configuration specifications FileDaemon { - Name = <%= bacula_client_name %> - FDport = <%= bacula_client_port %> + Name = <%= @bacula_client_name %> + FDport = <%= @bacula_client_port %> WorkingDirectory = /var/lib/bacula Pid Directory = /var/run/bacula Maximum Concurrent Jobs = 20 - FDAddress = <%= fqdn %> + FDAddress = <%= @fqdn %> #Maximum Network Buffer Size = 524288 TLS Enable = yes TLS Require = yes - TLS CA Certificate File = "<%= bacula_ca_path %>" + TLS CA Certificate File = "<%= @bacula_ca_path %>" # This is a client certificate, used by the client to connect to the storage daemon - TLS Certificate = "<%= bacula_ssl_client_cert %>" - TLS Key = "<%= bacula_ssl_client_key %>" + TLS Certificate = "<%= @bacula_ssl_client_cert %>" + TLS Key = "<%= @bacula_ssl_client_key %>" <%- if scope.lookupvar('site::nodeinfo')['hoster']['name'] == "brown" -%> # broken firewall @@ -45,5 +45,5 @@ FileDaemon { # Send all messages except skipped files back to Director Messages { Name = Standard - director = <%=bacula_director_name%> = all, !skipped, !restored + director = <%= @bacula_director_name %> = all, !skipped, !restored } 
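Review bot: With the `@` form an unset variable is nil and ERB renders it as an empty string, so a missing `@bacula_client_secret` would produce `Password = ""` and a missing `@bacula_director_address` would produce `TLS Allowed CN = "clientcerts/"` without any compile error. Make the template fail closed for the values that gate access, e.g. a first line `<% raise Puppet::ParseError, 'bacula_client_secret is unset' if @bacula_client_secret.to_s.empty? -%>`, and likewise for the director address. The unquoted `PORT=<%= @bacula_client_port %>` and `PORT=<%= @bacula_storage_port %>` in bacula-idle-restart.erb have the same silent-empty behaviour. The file resource and its mode are outside this hunk, so whether the rendered secret is readable only by the daemon cannot be checked from here.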
diff --git a/modules/bacula/templates/bacula-idle-restart.erb b/modules/bacula/templates/bacula-idle-restart.erb index a19101da9..a99ff8033 100644 --- a/modules/bacula/templates/bacula-idle-restart.erb +++ b/modules/bacula/templates/bacula-idle-restart.erb @@ -10,10 +10,10 @@ set -e if [ "$1" = "fd" ];then - PORT=<%= bacula_client_port %> + PORT=<%= @bacula_client_port %> DIR="bacula-fd" elif [ "$1" = "sd" ]; then - PORT=<%= bacula_storage_port %> + PORT=<%= @bacula_storage_port %> DIR="bacula-sd" else # Usage diff --git a/modules/debian-org/files/apt.conf.d/local-compression b/modules/debian-org/files/apt.conf.d/local-compression deleted file mode 100644 index 818a6e273..000000000 --- a/modules/debian-org/files/apt.conf.d/local-compression +++ /dev/null @@ -1,15 +0,0 @@ -// -// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -// - -Acquire { - CompressionTypes - { - bz2 "bzip2"; - lzma "lzma"; - gz "gzip"; - - Order { "gz"; "lzma"; "bz2"; }; - }; -}; diff --git a/modules/debian-org/files/apt.conf.d/local-langs b/modules/debian-org/files/apt.conf.d/local-langs deleted file mode 100644 index 3e9ff30d5..000000000 --- a/modules/debian-org/files/apt.conf.d/local-langs +++ /dev/null @@ -1 +0,0 @@ -Acquire::Languages { "en"; "none"; }; diff --git a/modules/debian-org/files/apt.conf.d/local-pdiffs b/modules/debian-org/files/apt.conf.d/local-pdiffs deleted file mode 100644 index 155daf9be..000000000 --- a/modules/debian-org/files/apt.conf.d/local-pdiffs +++ /dev/null @@ -1,6 +0,0 @@ -// -// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -// - -Acquire::PDiffs "false"; diff --git a/modules/debian-org/files/apt.conf.d/local-recommends b/modules/debian-org/files/apt.conf.d/local-recommends deleted file mode 100644 index aa0261cc9..000000000 
--- a/modules/debian-org/files/apt.conf.d/local-recommends +++ /dev/null @@ -1,6 +0,0 @@ -// -// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -// - -APT::Install-Recommends 0; diff --git a/modules/debian-org/files/apt.preferences b/modules/debian-org/files/apt.preferences deleted file mode 100644 index 65d11720d..000000000 --- a/modules/debian-org/files/apt.preferences +++ /dev/null @@ -1,23 +0,0 @@ -Explanation: -Explanation: THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -Explanation: USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -Explanation: -Package: * -Pin: release o=Debian Backports -Pin-Priority: 200 - -Package: sbuild -Pin: release o=buildd.debian.org -Pin-Priority: 500 - -Package: buildd -Pin: release o=buildd.debian.org -Pin-Priority: 500 - -Package: libsbuild-perl -Pin: release o=buildd.debian.org -Pin-Priority: 500 - -Package: * -Pin: release o=buildd.debian.org -Pin-Priority: -1 diff --git a/modules/debian-org/files/basic-ssh_known_hosts b/modules/debian-org/files/basic-ssh_known_hosts deleted file mode 100644 index 5f1d4078c..000000000 --- a/modules/debian-org/files/basic-ssh_known_hosts +++ /dev/null @@ -1 +0,0 @@ -draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106,2001:41b8:202:deb:1a1a:0:52c3:4b6a ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi diff --git a/modules/debian-org/files/check_for_updates b/modules/debian-org/files/check_for_updates deleted file mode 100755 index 7894da48f..000000000 
--- a/modules/debian-org/files/check_for_updates +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -parse_dates () { - while read url file junk; do - url=$(echo $url | sed -e "s/'//g") - url_time=$(date -d "$(curl -sqI ${url} | grep Last-Modified: | sed -e 's/Last-Modified: //')" +%s) - if [ ! -f "/var/lib/apt/lists/${file}" ]; then - return 0 - fi - file_time=$(stat -c %Y /var/lib/apt/lists/${file}) - if [ $url_time -gt $file_time ]; then - return 0 - fi - done - return 1 -} - -su nobody -c 'apt-get update -s --print-uris' | grep 'Release ' | parse_dates -exit $? diff --git a/modules/debian-org/files/db.debian.org.gpg b/modules/debian-org/files/db.debian.org.gpg deleted file mode 100644 index 229cb639f..000000000 Binary files a/modules/debian-org/files/db.debian.org.gpg and /dev/null differ diff --git a/modules/debian-org/files/dsa-puppet-stuff.cron.ignore b/modules/debian-org/files/dsa-puppet-stuff.cron.ignore deleted file mode 100644 index e348b0ac8..000000000 --- a/modules/debian-org/files/dsa-puppet-stuff.cron.ignore +++ /dev/null 
@@ -1,15 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## -# this is a list of patterns, one per line, of things that puppet's -# cron output shouldn't mail to us. - -^v6: error fetching interface information: Device not found$ -^pcilib: Cannot open /proc/bus/pci$ -^lspci: Cannot find any working access method\.$ -^can't open /proc/dma at /usr/bin/lsdev line 32\.$ -^/usr/lib/ruby/1.9.1/rubygems/custom_require\.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead\.$ -^/usr/lib/ruby/vendor_ruby/puppet/provider/service/freebsd\.rb:[8910]*: warning: class variable access from toplevel$ -^/usr/lib/ruby/vendor_ruby/puppet/provider/service/bsd\.rb:12: warning: class variable access from toplevel$ -^/usr/lib/ruby/vendor_ruby/puppet/type/tidy\.rb:1[0-9][0-9]: warning: class variable access from toplevel$ diff --git a/modules/debian-org/files/etc.profile.d/timeout.sh b/modules/debian-org/files/etc.profile.d/timeout.sh deleted file mode 100755 index 617579eaf..000000000 --- a/modules/debian-org/files/etc.profile.d/timeout.sh +++ /dev/null @@ -1,2 +0,0 @@ -TMOUT=129600 # a day and a half (36 hrs) -export TMOUT diff --git a/modules/debian-org/files/etc.zsh/zprofile b/modules/debian-org/files/etc.zsh/zprofile deleted file mode 100644 index 8ea4df35a..000000000 --- a/modules/debian-org/files/etc.zsh/zprofile +++ /dev/null 
@@ -1,16 +0,0 @@ -# -# THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -# USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -# - -# /etc/zsh/zprofile: system-wide .zprofile file for zsh(1). -# -# This file is sourced only for login shells (i.e. shells -# invoked with "-" as the first character of argv[0], and -# shells invoked with the -l flag.) -# -# Global Order: zshenv, zprofile, zshrc, zlogin - -if [ -e /etc/profile.d/timeout.sh ]; then - . /etc/profile.d/timeout.sh -fi diff --git a/modules/debian-org/files/molly-guard/10-check-kvm b/modules/debian-org/files/molly-guard/10-check-kvm deleted file mode 100644 index e9ed39ca3..000000000 --- a/modules/debian-org/files/molly-guard/10-check-kvm +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh - -KVMCOUNT=`pgrep -cx '^(qemu-)?kvm$'` -if [ $KVMCOUNT != 0 ]; then - echo "Found $KVMCOUNT qemu-kvm instances running, aborting $MOLLYGUARD_CMD!" - exit 1 -fi diff --git a/modules/debian-org/files/molly-guard/15-acquire-reboot-lock b/modules/debian-org/files/molly-guard/15-acquire-reboot-lock deleted file mode 100644 index ebbac937b..000000000 --- a/modules/debian-org/files/molly-guard/15-acquire-reboot-lock +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -# Copyright 2012 Peter Palfrader - -l=/var/run/reboot-lock -exec 3> $l - -if ! flock --exclusive -w 0 3; then - echo >&2 "Cannot acquire reboot lock." - exit 1 -fi -echo "Reboot lock acquired." - -ppid="$PPID" -( - while kill -0 "$ppid" 2>/dev/null; do - sleep 1 - done -) & -disown -exit 0 diff --git a/modules/debian-org/files/nsswitch.conf b/modules/debian-org/files/nsswitch.conf deleted file mode 100644 index e6a644e61..000000000 --- a/modules/debian-org/files/nsswitch.conf +++ /dev/null 
@@ -1,19 +0,0 @@ -# /etc/nsswitch.conf -# -# Example configuration of GNU Name Service Switch functionality. -# If you have the `glibc-doc-reference' and `info' packages installed, try: -# `info libc "Name Service Switch"' for information about this file. - -passwd: compat db -group: db compat -shadow: compat db - -hosts: files dns -networks: files - -protocols: db files -services: db files -ethers: db files -rpc: db files - -netgroup: nis diff --git a/modules/debian-org/files/puppet.default b/modules/debian-org/files/puppet.default deleted file mode 100644 index dc0743f26..000000000 --- a/modules/debian-org/files/puppet.default +++ /dev/null @@ -1,13 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# Defaults for puppet - sourced by /etc/init.d/puppet - -# Start puppet on boot? -START=no -exit 0 - -# Startup options -DAEMON_OPTS="-w 5 --factsync" diff --git a/modules/debian-org/files/root-dotfiles/bashrc b/modules/debian-org/files/root-dotfiles/bashrc deleted file mode 100644 index 048d94436..000000000 --- a/modules/debian-org/files/root-dotfiles/bashrc +++ /dev/null @@ -1,23 +0,0 @@ -# ~/.bashrc: executed by bash(1) for non-login shells. - -## THIS FILE IS UNDER PUPPET CONTROL. -## LOCAL CHANGES WILL BE OVERWRITTEN. - -if [ "$PS1" ]; then - typeset HISTCONTROL=ignoreboth - typeset HISTSIZE=50000 - - export LS_OPTIONS='--color=auto' - eval "`dircolors`" - alias ls='ls $LS_OPTIONS' - alias ll='ls $LS_OPTIONS -l' - alias l='ls $LS_OPTIONS -lA' - - if [ -f /usr/share/bash-completion/bash_completion ]; then - . /usr/share/bash-completion/bash_completion - fi - - PATH="$PATH:/usr/lib/nagios/plugins" -fi - -# vim: set ft=sh ts=2 sw=2 et ai si: diff --git a/modules/debian-org/files/root-dotfiles/profile b/modules/debian-org/files/root-dotfiles/profile deleted file mode 100644 index e4bb8dbd7..000000000 
--- a/modules/debian-org/files/root-dotfiles/profile +++ /dev/null @@ -1,17 +0,0 @@ -# ~/.profile: executed by Bourne-compatible login shells. - -## THIS FILE IS UNDER PUPPET CONTROL. -## LOCAL CHANGES WILL BE OVERWRITTEN. - -if [ "$BASH" ]; then - if [ -f ~/.bashrc ]; then - . ~/.bashrc - fi - if [ "$PS1" ]; then - PS1='${debian_chroot:+[$debian_chroot] }\h:\w\$ ' - fi -fi - -mesg n - -# vim: set ft=sh ts=2 sw=2 et ai si: diff --git a/modules/debian-org/files/root-dotfiles/screenrc b/modules/debian-org/files/root-dotfiles/screenrc deleted file mode 100644 index d59cfb993..000000000 --- a/modules/debian-org/files/root-dotfiles/screenrc +++ /dev/null @@ -1,43 +0,0 @@ - -## THIS FILE IS UNDER PUPPET CONTROL. -## LOCAL CHANGES WILL BE OVERWRITTEN. - - -startup_message off -deflogin on -#vbell off -defscrollback 10000 -defnonblock 5 - -## set these terminals up to be 'optimal' instead of vt100 -#termcapinfo xterm*|linux*|rxvt*|Eterm* OP - -caption always " %?%F%{r}%?%H%{r}%?%F*%: %? %{rd}| %{r}$LOGNAME%{d} | %{b}%-Lw%{b}%50>%{kw}%n%f* %t %{-}%+Lw%<" - -# fix screens copy&paste (background-color-erase to on) -defbce on - -# xterm, and urxvt on weasel's jessie systems -bindkey "^[[1;5D" prev -bindkey "^[[1;5C" next -bindkey "^[[1;5A" focus up -bindkey "^[[1;5B" focus down - -# urxvt default Ctrl+left/right/up/down on weasel's stretch systems -bindkey "^[Od" prev -bindkey "^[Oc" next -bindkey "^[Oa" focus up -bindkey "^[Ob" focus down - -# gnome terminal (in screen: -#bindkey "^[n" screen -#bindkey "^[O5D" prev -#bindkey "^[O5C" next -#bindkey "^[O5A" focus up -#bindkey "^[O5B" focus down - -# urxvt shift+left/right -#bindkey "^[[d" prev -#bindkey "^[[c" next -#bindkey "^[[a" focus up -#bindkey "^[[b" focus down diff --git a/modules/debian-org/files/root-dotfiles/selected_editor b/modules/debian-org/files/root-dotfiles/selected_editor deleted file mode 100644 index 2cab27132..000000000 --- a/modules/debian-org/files/root-dotfiles/selected_editor +++ /dev/null 
@@ -1 +0,0 @@
-SELECTED_EDITOR="/usr/bin/vim"
diff --git a/modules/debian-org/files/root-dotfiles/tmux.conf b/modules/debian-org/files/root-dotfiles/tmux.conf
deleted file mode 100644
index ecde6161f..000000000
--- a/modules/debian-org/files/root-dotfiles/tmux.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# mess with the status window
-set -g status-bg colour109
-set -g status-right "[#T]"
-setw -g window-status-current-bg white
-
-bind -n C-Right next-window
-bind -n C-Left previous-window
-
-bind -n C-Up select-pane -U
-bind -n C-Down select-pane -D
-bind | split-window -h
-bind - split-window -v
-
-#set -g default-terminal "screen-it"
-set -g xterm-keys on
-set -sg escape-time 0
diff --git a/modules/debian-org/files/root-dotfiles/vimrc b/modules/debian-org/files/root-dotfiles/vimrc
deleted file mode 100644
index d99e4d689..000000000
--- a/modules/debian-org/files/root-dotfiles/vimrc
+++ /dev/null
@@ -1,88 +0,0 @@ -" ~/.vimrc - ViM configuration file - -" THIS FILE IS UNDER PUPPET CONTROL. -" LOCAL CHANGES WILL BE OVERWRITTEN. - -runtime! debian.vim -filetype plugin on -set ai -:set nocompatible -:syn on -:set title -:set pastetoggle= -:set listchars=tab:»·,trail:· -:set list -:nmap :set invlist -:imap :set invlist -:set clipboard^=autoselectml guioptions+=A -let g:Imap_UsePlaceHolders = 1 -let g:Imap_FreezeImap = 1 -:hi MatchParen ctermbg=black -colorscheme peachpuff - -map :n -map :N -map :wn -map :wN -map fd ggV/^-- gq - -nnoremap :make - -nnoremap :bprevious -nnoremap :bnext -inoremap :bprevious -inoremap :bnext - -nnoremap :bprevious -nnoremap :bnext -inoremap :bprevious -inoremap :bnext - -nnoremap [1;2D :bprevious -nnoremap [1;2C :bnext -inoremap [1;2D :bprevious -inoremap [1;2C :bnext - -nnoremap [D :bprevious -nnoremap [C :bnext -inoremap [D :bprevious -inoremap [C :bnext - -nnoremap [d :bprevious -nnoremap [c :bnext -inoremap [d :bprevious -inoremap [c :bnext - -" nnoremap :bnew -nnoremap :bprevious -nnoremap :bnext - -if &term =~ '^screen' - " tmux will send xterm-style keys when xterm-keys is on - execute "set =\e[1;*A" - execute "set =\e[1;*B" - execute "set =\e[1;*C" - execute "set =\e[1;*D" -endif - - - -" wild/tab behavior -" ================= -set wildmode=longest,list:longest,list:full - -" spelling stuff -" ============== -set spellfile=~/.vim.spell.en.add -:nmap :set invspell -:imap :set invspell - -" Searching and highlighting -" ========================== -hi Search cterm=NONE ctermfg=yellow ctermbg=19 -set hlsearch -nnoremap :noh - -set tabpagemax=50 -" Do not close buffers we don't see -set hidden diff --git a/modules/debian-org/files/timezone b/modules/debian-org/files/timezone deleted file mode 100644 index 7f39493bd..000000000 --- a/modules/debian-org/files/timezone +++ /dev/null @@ -1 +0,0 @@ -Etc/UTC 
diff --git a/modules/debian-org/files/ud-replicated.service b/modules/debian-org/files/ud-replicated.service
deleted file mode 100644
index dbf99a8fe..000000000
--- a/modules/debian-org/files/ud-replicated.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Userdir-Ldap Replication Daemon
-Wants=syslog.service
-
-[Service]
-ExecStart=/usr/bin/ud-replicated -d
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
diff --git a/modules/debian-org/lib/facter/architecture.rb b/modules/debian-org/lib/facter/architecture.rb
deleted file mode 100644
index e04cadc0c..000000000
--- a/modules/debian-org/lib/facter/architecture.rb
+++ /dev/null
@@ -1,19 +0,0 @@
-Facter.add(:architecture) do
- confine :kernel => 'GNU/kFreeBSD'
- setcode do
- model = Facter.value(:hardwaremodel)
- case model
- when 'x86_64' then "amd64"
- when /(i[3456]86|pentium)/ then "i386"
- else
- model
- end
- end
-end
-
-Facter.add(:debarchitecture) do
- setcode do
- %x{/usr/bin/dpkg --print-architecture}.chomp
- end
-end
-
diff --git a/modules/debian-org/lib/facter/cluster.rb b/modules/debian-org/lib/facter/cluster.rb
deleted file mode 100644
index 46d0bec3e..000000000
--- a/modules/debian-org/lib/facter/cluster.rb
+++ /dev/null
@@ -1,17 +0,0 @@
-if FileTest.exist?('/usr/sbin/gnt-cluster') and FileTest.exist?('/var/lib/ganeti/ssconf_cluster_name')
- begin
- if system('/usr/sbin/gnt-cluster getmaster >/dev/null')
- Facter.add('cluster') do
- setcode do
- open('/var/lib/ganeti/ssconf_cluster_name').read().chomp()
- end
- end
- Facter.add('cluster_nodes') do
- setcode do
- open('/var/lib/ganeti/ssconf_node_list').read().split().join(" ")
- end
- end
- end
- rescue Exception => e
- end
-end
diff --git a/modules/debian-org/lib/facter/debsso.rb b/modules/debian-org/lib/facter/debsso.rb
deleted file mode 100644
index 21c4f755e..000000000
--- a/modules/debian-org/lib/facter/debsso.rb
+++ /dev/null
@@ -1,19 +0,0 @@ -begin - require 'etc' - - Facter.add("debsso_skac_crl") do - setcode do - crl = nil - crlfile = '/srv/sso.debian.org/debsso/data/spkac_ca/ca.crl' - if FileTest.exist?(crlfile) - crl = File.open(crlfile).read - end - crl - end - end - -rescue Exception => e -end -# vim:set et: -# vim:set ts=4: -# vim:set shiftwidth=4: diff --git a/modules/debian-org/lib/facter/hosts.rb b/modules/debian-org/lib/facter/hosts.rb deleted file mode 100644 index 63c04cb27..000000000 --- a/modules/debian-org/lib/facter/hosts.rb +++ /dev/null @@ -1,22 +0,0 @@ -Facter.add("brokenhosts") do - brokenhosts = true - if FileTest.exist?("/etc/hosts") - IO.foreach("/etc/hosts") do |x| - x.split.each do |y| - if y == Facter.value("fqdn") - brokenhosts = false - break - end - end - end - end - setcode do - if brokenhosts - true - else - '' - end - end -end - - diff --git a/modules/debian-org/lib/facter/ipaddresses.rb b/modules/debian-org/lib/facter/ipaddresses.rb deleted file mode 100644 index 41f44e3a1..000000000 --- a/modules/debian-org/lib/facter/ipaddresses.rb +++ /dev/null 
@@ -1,66 +0,0 @@ -Facter.add("v4ips") do - confine :kernel => :linux - addrs = [] - if FileTest.exist?("/bin/ip") - %x{ip addr list}.each_line do |line| - next unless line =~ /\s+inet/ - next if line =~ /scope (link|host)/ - if line =~ /\s+inet\s+(\S+)\/\d{1,2} .*/ - addrs << $1 - end - end - end - ret = addrs.join(",") - if ret.empty? - ret = '' - end - setcode do - ret - end -end - -Facter.add("v4ips") do - confine :kernel => 'GNU/kFreeBSD' - setcode do - addrs = [] - output = %x{/sbin/ifconfig} - - output.split(/^\S/).each { |str| - if str =~ /inet ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/ - tmp = $1 - unless tmp =~ /127\./ - addrs << tmp - break - end - end - } - - ret = addrs.join(",") - if ret.empty? - ret = '' - end - ret - end -end - -Facter.add("v6ips") do - confine :kernel => :linux - addrs = [] - if FileTest.exist?("/bin/ip") - %x{ip addr list}.each_line do |line| - next unless line =~ /\s+inet/ - next if line =~ /scope (link|host)/ - if line =~ /\s+inet6\s+(\S+)\/\d{1,3} .*/ - addrs << $1 - end - end - end - ret = addrs.join(",") - if ret.empty? - ret = '' - end - setcode do - ret - end -end - diff --git a/modules/debian-org/lib/facter/lsb-for-bsd.rb b/modules/debian-org/lib/facter/lsb-for-bsd.rb deleted file mode 100644 index c95d7f2eb..000000000 --- a/modules/debian-org/lib/facter/lsb-for-bsd.rb +++ /dev/null @@ -1,24 +0,0 @@ -{ "LSBRelease" => %r{^LSB Version:\t(.*)$}, - "LSBDistId" => %r{^Distributor ID:\t(.*)$}, - "LSBDistRelease" => %r{^Release:\t(.*)$}, - "LSBDistDescription" => %r{^Description:\t(.*)$}, - "LSBDistCodeName" => %r{^Codename:\t(.*)$} -}.each do |fact, pattern| - Facter.add(fact) do - confine :kernel => 'GNU/kFreeBSD' - setcode do - unless defined?(lsbdata) and defined?(lsbtime) and (Time.now.to_i - lsbtime.to_i < 5) - type = nil - lsbtime = Time.now - lsbdata = Facter::Util::Resolution.exec('lsb_release -a 2>/dev/null') - end - - if pattern.match(lsbdata) - $1 - else - nil - end - end - end -end - 
diff --git a/modules/debian-org/lib/facter/mounts.rb b/modules/debian-org/lib/facter/mounts.rb deleted file mode 100644 index 4cdf969a2..000000000 --- a/modules/debian-org/lib/facter/mounts.rb +++ /dev/null @@ -1,21 +0,0 @@ -begin - require 'filesystem' - - Facter.add("mounts") do - ignorefs = ["NFS", "nfs", "nfs4", "nfsd", "afs", "binfmt_misc", "proc", "smbfs", - "autofs", "iso9660", "ncpfs", "coda", "devpts", "ftpfs", "devfs", - "mfs", "shfs", "sysfs", "cifs", "lustre_lite", "tmpfs", "usbfs", "udf", - "fusectl", "fuse.snapshotfs", "rpc_pipefs", "devtmpfs"] - mountpoints = [] - FileSystem.mounts.each do |m| - if ((not ignorefs.include?(m.fstype)) && (m.options !~ /bind/)) - mountpoints << m.mount - end - end - setcode do - mountpoints.uniq.sort.join(',') - end - end - -rescue Exception => e -end diff --git a/modules/debian-org/lib/facter/mta.rb b/modules/debian-org/lib/facter/mta.rb deleted file mode 100644 index 5d2242a61..000000000 --- a/modules/debian-org/lib/facter/mta.rb +++ /dev/null @@ -1,9 +0,0 @@ -Facter.add("mta") do - setcode do - mta = "exim4" - if FileTest.exist?("/usr/sbin/postfix") - mta = "postfix" - end - mta - end -end diff --git a/modules/debian-org/lib/facter/onion-services.rb b/modules/debian-org/lib/facter/onion-services.rb deleted file mode 100644 index c444ec2d1..000000000 --- a/modules/debian-org/lib/facter/onion-services.rb +++ /dev/null 
@@ -1,35 +0,0 @@ -begin - require 'json' - - Facter.add("onion_tor_service_hostname") do - services = {} - - Dir['/var/lib/tor/onion/*/hostname'].each do |p| - dir = File.dirname(p) - service = File.basename(dir) - hostname = IO.read(p).chomp - services[service] = hostname - end - setcode do - services.to_json - end - end - - Facter.add("onion_balance_service_hostname") do - services = {} - - Dir['/etc/onionbalance/private_keys/*.key'].each do |p| - service = File.basename(p, '.key') - begin - services[service] = IO.popen(['/usr/local/bin/tor-onion-name', p]).read.chomp - rescue Errno::ENOENT - end - end - setcode do - services.to_json - end - end - - -rescue Exception => e -end diff --git a/modules/debian-org/lib/facter/os-for-bsd.rb b/modules/debian-org/lib/facter/os-for-bsd.rb deleted file mode 100644 index 77cad42ec..000000000 --- a/modules/debian-org/lib/facter/os-for-bsd.rb +++ /dev/null @@ -1,8 +0,0 @@ -Facter.add(:operatingsystem) do - confine :kernel => 'GNU/kFreeBSD' - setcode do - if FileTest.exists?("/etc/debian_version") - "Debian" - end - end -end diff --git a/modules/debian-org/lib/facter/paths.rb b/modules/debian-org/lib/facter/paths.rb deleted file mode 100644 index 47a010ce8..000000000 --- a/modules/debian-org/lib/facter/paths.rb +++ /dev/null @@ -1,20 +0,0 @@ - -%w{/srv/build-trees - /srv/buildd - /etc/ssh/ssh_host_ed25519_key - /srv/mirrors/debian - /srv/mirrors/debian-debug - /srv/mirrors/debian-ports - /srv/mirrors/debian-security - /dev/hwrng -}.each do |path| - Facter.add("has" + path.gsub(/[\/-]/,'_')) do - setcode do - if FileTest.exist?(path) - true - else - '' - end - end - end -end diff --git a/modules/debian-org/lib/facter/raidarray.rb b/modules/debian-org/lib/facter/raidarray.rb deleted file mode 100644 index 7dc29c3e8..000000000 --- a/modules/debian-org/lib/facter/raidarray.rb +++ /dev/null 
@@ -1,72 +0,0 @@ -Facter.add("smartarraycontroller") do - confine :kernel => :linux - setcode do - if FileTest.exist?("/dev/cciss/") - true - elsif FileTest.exist?("/sys/module/hpsa/") - true - else - '' - end - end -end - -Facter.add("ThreeWarecontroller") do - confine :kernel => :linux - setcode do - is3w = '' - if FileTest.exist?("/proc/scsi/scsi") - IO.foreach("/proc/scsi/scsi") { |x| - is3w = true if x =~ /Vendor: 3ware/ - } - end - is3w - end -end - -Facter.add("megaraid") do - confine :kernel => :linux - setcode do - if FileTest.exist?("/dev/megadev0") - true - else - '' - end - end -end - -Facter.add("mptraid") do - confine :kernel => :linux - setcode do - if FileTest.exist?("/dev/mptctl") or FileTest.exist?("/dev/mpt0") or FileTest.exist?("/proc/mpt/summary") - true - else - '' - end - end -end - -Facter.add("aacraid") do - confine :kernel => :linux - setcode do - if FileTest.exist?("/dev/aac0") - true - else - '' - end - end -end - -Facter.add("swraid") do - confine :kernel => :linux - setcode do - swraid = '' - if FileTest.exist?("/proc/mdstat") && FileTest.exist?("/sbin/mdadm") - IO.foreach("/proc/mdstat") { |x| - swraid = true if x =~ /md[0-9]+ : active/ - } - end - swraid - end -end - diff --git a/modules/debian-org/lib/facter/roleaccounts.rb b/modules/debian-org/lib/facter/roleaccounts.rb deleted file mode 100644 index 221c376c8..000000000 --- a/modules/debian-org/lib/facter/roleaccounts.rb +++ /dev/null 
@@ -1,119 +0,0 @@
-begin
- require 'etc'
-
- Facter.add("postgresql_key") do
- setcode do
- key = nil
- keyfile = '/var/lib/postgresql/.ssh/id_rsa.pub'
- if FileTest.exist?(keyfile)
- key = File.open(keyfile).read.chomp
- end
- key
- end
- end
-
- Facter.add("staticsync_key") do
- setcode do
- key = nil
- keyfile = '/home/staticsync/.ssh/id_rsa.pub'
- if FileTest.exist?(keyfile)
- key = File.open(keyfile).read.chomp
- end
- key
- end
- end
-
- Facter.add("staticsync_user_exists") do
- setcode do
- result = ''
- begin
- if Etc.getpwnam('staticsync')
- result = true
- end
- rescue ArgumentError
- end
- result
- end
- end
-
-
- Facter.add("weblogsync_key") do
- setcode do
- key = nil
- keyfile = '/home/weblogsync/.ssh/id_rsa.pub'
- if FileTest.exist?(keyfile)
- key = File.open(keyfile).read.chomp
- end
- key
- end
- end
-
- Facter.add("weblogsync_user_exists") do
- setcode do
- result = ''
- begin
- if Etc.getpwnam('weblogsync')
- result = true
- end
- rescue ArgumentError
- end
- result
- end
- end
-
-
- Facter.add("buildd_key") do
- setcode do
- key = nil
- keyfile = '/home/buildd/.ssh/id_rsa.pub'
- if FileTest.exist?(keyfile)
- key = File.open(keyfile).read.chomp
- end
- key
- end
- end
-
- Facter.add("buildd_user_exists") do
- setcode do
- result = ''
- begin
- if Etc.getpwnam('buildd')
- result = true
- end
- rescue ArgumentError
- end
- result
- end
- end
-
- Facter.add("portforwarder_key") do
- setcode do
- key = nil
- keyfile = '/home/portforwarder/.ssh/id_rsa.pub'
- if FileTest.exist?(keyfile)
- key = File.open(keyfile).read.chomp
- end
- key
- end
- end
-
- Facter.add("portforwarder_user_exists") do
- setcode do
- result = ''
- begin
- if Etc.getpwnam('portforwarder')
- result = true
- end
- rescue ArgumentError
- end
- result
- end
- end
-
-
-
-rescue Exception => e
-end
-# vim:set et:
-# vim:set ts=4:
-# vim:set shiftwidth=4:
diff --git a/modules/debian-org/lib/facter/servertype.rb b/modules/debian-org/lib/facter/servertype.rb
deleted file mode 100644
index 85970c168..000000000
--- a/modules/debian-org/lib/facter/servertype.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-Facter.add("kvmdomain") do
- setcode do
- result = ''
- if File.new('/proc/cpuinfo').read().index('QEMU Virtual CPU')
- result = true
- end
- result
- end
-end
diff --git a/modules/debian-org/lib/facter/software.rb b/modules/debian-org/lib/facter/software.rb
deleted file mode 100644
index 0045a9ef0..000000000
--- a/modules/debian-org/lib/facter/software.rb
+++ /dev/null
@@ -1,162 +0,0 @@ -Facter.add("apache2") do - setcode do - if FileTest.exist?("/usr/sbin/apache2") - true - else - '' - end - end -end -Facter.add("apache2deb9") do - setcode do - # jessie (deb8) has 2.4.10-.., stretch (deb9) will have 2.4.23 or later. - if FileTest.exist?("/usr/sbin/apache2") and system("dpkg --compare-versions $(dpkg-query -W -f='${Version}\n' apache2-bin) gt 2.4.15") - true - else - '' - end - end -end -Facter.add("clamd") do - setcode do - if FileTest.exist?("/usr/sbin/clamd") - true - else - '' - end - end -end -Facter.add("exim4") do - setcode do - if FileTest.exist?("/usr/sbin/exim4") - true - else - '' - end - end -end -Facter.add("postfix") do - setcode do - if FileTest.exist?("/usr/sbin/postfix") - true - else - '' - end - end -end -Facter.add("postgres") do - setcode do - pg = (FileTest.exist?("/usr/lib/postgresql/8.1/bin/postgres") or - FileTest.exist?("/usr/lib/postgresql/8.3/bin/postgres") or - FileTest.exist?("/usr/lib/postgresql/8.4/bin/postgres") or - FileTest.exist?("/usr/lib/postgresql/9.0/bin/postgres") or - FileTest.exist?("/usr/lib/postgresql/9.1/bin/postgres") or - FileTest.exist?("/usr/lib/postgresql/9.2/bin/postgres")) - if pg - true - else - '' - end - end -end -Facter.add("postgrey") do - setcode do - if FileTest.exist?("/usr/sbin/postgrey") - true - else - '' - end - end -end -Facter.add("greylistd") do - setcode do - FileTest.exist?("/usr/sbin/greylistd") - end -end -Facter.add("policydweight") do - setcode do - if FileTest.exist?("/usr/sbin/policyd-weight") - true - else - '' - end - end -end -Facter.add("spamd") do - setcode do - if FileTest.exist?("/usr/sbin/spamd") - true - else - '' - end - end -end -Facter.add("php5") do - php = (FileTest.exist?("/usr/lib/apache2/modules/libphp5.so") or - FileTest.exist?("/usr/bin/php5") or - FileTest.exist?("/usr/bin/php5-cgi") or - FileTest.exist?("/usr/lib/cgi-bin/php5")) - setcode do - if php - true - else - '' - end - end -end -Facter.add("php5suhosin") do - 
suhosin=(FileTest.exist?("/usr/lib/php5/20060613/suhosin.so") or - FileTest.exist?("/usr/lib/php5/20060613+lfs/suhosin.so")) - setcode do - if suhosin - true - else - '' - end - end -end -Facter.add("syslogversion") do - setcode do - %x{dpkg-query -W -f='${Version}\n' syslog-ng | cut -b1-3}.chomp - end -end -Facter.add("unbound") do - unbound=(FileTest.exist?("/usr/sbin/unbound") and - FileTest.exist?("/var/lib/unbound/root.key")) - setcode do - if unbound - true - else - '' - end - end -end -Facter.add("munin_async") do - setcode do - FileTest.exist?("/usr/share/munin/munin-async") - end -end -Facter.add("samhain") do - setcode do - if FileTest.exist?("/usr/sbin/samhain") - true - else - '' - end - end -end -Facter.add("systemd") do - setcode do - init = '/sbin/init' - if File.symlink?(init) and File.readlink(init) == "/lib/systemd/systemd" - true - else - '' - end - end -end -Facter.add("tor_ge_0_2_9") do - setcode do - system(%{dpkg -l tor >/dev/null 2>&1 && dpkg --compare-versions $(dpkg-query -W -f='${Version}' tor) ge 0.2.9}) - end -end diff --git a/modules/debian-org/lib/facter/system-hw.rb b/modules/debian-org/lib/facter/system-hw.rb deleted file mode 100644 index 0b36e5feb..000000000 --- a/modules/debian-org/lib/facter/system-hw.rb +++ /dev/null @@ -1,21 +0,0 @@ -Facter.add("systemproductname") do - confine :kernel => :linux - setcode do - if FileTest.exist?("/usr/sbin/dmidecode") - %x{/usr/sbin/dmidecode -s system-product-name}.chomp.strip - else - '' - end - end -end - -Facter.add("hw_can_temp_sensors") do - confine :kernel => :linux - setcode do - if FileTest.exist?("/sys/devices/virtual/thermal/thermal_zone0/temp") - true - else - '' - end - end -end diff --git a/modules/debian-org/manifests/apt.pp b/modules/debian-org/manifests/apt.pp deleted file mode 100644 index 74aaa71c8..000000000 --- a/modules/debian-org/manifests/apt.pp +++ /dev/null 
@@ -1,121 +0,0 @@ -# == Class: debian-org -# -# Stuff common to all debian.org servers -# -class debian-org::apt { - if $::lsbmajdistrelease <= 7 { - $mungedcodename = $::lsbdistcodename - } elsif ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) { - $mungedcodename = "${::lsbdistcodename}-kfreebsd" - } else { - $mungedcodename = $::lsbdistcodename - } - - if $::lsbmajdistrelease <= 8 { - $fallbackmirror = 'http://cdn-fastly.deb.debian.org/debian/' - } else { - $fallbackmirror = 'http://deb.debian.org/debian/' - } - - if getfromhash($site::nodeinfo, 'hoster', 'mirror-debian') { - $mirror = [ getfromhash($site::nodeinfo, 'hoster', 'mirror-debian'), $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ] - } else { - $mirror = [ $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ] - } - - site::aptrepo { 'debian': - url => $mirror, - suite => [ $mungedcodename, "${::lsbdistcodename}-backports", "${::lsbdistcodename}-updates" ], - components => ['main','contrib','non-free'] - } - site::aptrepo { 'security': - url => [ 'http://security-cdn.debian.org/', 'http://security.anycast-test.mirrors.debian.org/debian-security/', 'http://security.debian.org/' ], - suite => "${mungedcodename}/updates", - components => ['main','contrib','non-free'] - } - - if has_role('experimental_apache') { - $dbdosuites = [ 'debian-all', $::lsbdistcodename, 'jessie-apache2' ] - } else { - $dbdosuites = [ 'debian-all', $::lsbdistcodename ] - } - site::aptrepo { 'db.debian.org': - url => 'http://db.debian.org/debian-admin', - suite => $dbdosuites, - components => 'main', - key => 'puppet:///modules/debian-org/db.debian.org.gpg', - } - - if ($::hostname in [] or $::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) { - site::aptrepo { 'proposed-updates': - url => $mirror, - suite => "${mungedcodename}-proposed-updates", - components => ['main','contrib','non-free'] - } - } else { - site::aptrepo { 'proposed-updates': - ensure => absent, - } - 
} - - site::aptrepo { 'debian-cdn': - ensure => absent, - } - site::aptrepo { 'debian.org': - ensure => absent, - } - site::aptrepo { 'debian2': - ensure => absent, - } - site::aptrepo { 'backports2.debian.org': - ensure => absent, - } - site::aptrepo { 'backports.debian.org': - ensure => absent, - } - site::aptrepo { 'volatile': - ensure => absent, - } - site::aptrepo { 'db.debian.org-suite': - ensure => absent, - } - site::aptrepo { 'debian-lts': - ensure => absent, - } - - - - - file { '/etc/apt/trusted-keys.d': - ensure => absent, - force => true, - } - - file { '/etc/apt/trusted.gpg': - mode => '0600', - content => "", - } - - file { '/etc/apt/preferences': - source => 'puppet:///modules/debian-org/apt.preferences', - } - file { '/etc/apt/apt.conf.d/local-compression': - source => 'puppet:///modules/debian-org/apt.conf.d/local-compression', - } - file { '/etc/apt/apt.conf.d/local-recommends': - source => 'puppet:///modules/debian-org/apt.conf.d/local-recommends', - } - file { '/etc/apt/apt.conf.d/local-pdiffs': - source => 'puppet:///modules/debian-org/apt.conf.d/local-pdiffs', - } - file { '/etc/apt/apt.conf.d/local-langs': - source => 'puppet:///modules/debian-org/apt.conf.d/local-langs', - } - - exec { 'apt-get update': - path => '/usr/bin:/usr/sbin:/bin:/sbin', - onlyif => '/usr/local/bin/check_for_updates', - require => File['/usr/local/bin/check_for_updates'] - } - Exec['apt-get update']->Package<| tag == extra_repo |> -} diff --git a/modules/debian-org/manifests/init.pp b/modules/debian-org/manifests/init.pp deleted file mode 100644 index e8962c6df..000000000 --- a/modules/debian-org/manifests/init.pp +++ /dev/null 
@@ -1,304 +0,0 @@ -# == Class: debian-org -# -# Stuff common to all debian.org servers -# -class debian-org { - include debian-org::apt - - if $systemd { - include systemd - $servicefiles = 'present' - } else { - $servicefiles = 'absent' - } - - $debianadmin = [ - 'debian-archive-debian-samhain-reports@master.debian.org', - 'debian-admin@ftbfs.de', - 'weasel@debian.org', - 'steve@lobefin.net', - 'zumbi@oron.es' - ] - - package { [ - 'klogd', - 'sysklogd', - 'rsyslog', - 'os-prober', - 'apt-listchanges', - ]: - ensure => purged, - } - package { [ - 'debian.org', - 'dsa-munin-plugins', - ]: - ensure => installed, - tag => extra_repo, - } - file { '/etc/ssh/ssh_known_hosts': - ensure => present, - replace => false, - mode => '0644', - source => 'puppet:///modules/debian-org/basic-ssh_known_hosts' - } - - if ($::lsbmajdistrelease >= 8) { - $rubyfs_package = 'ruby-filesystem' - } else { - $rubyfs_package = 'libfilesystem-ruby1.9' - } - package { [ - 'apt-utils', - 'bash-completion', - 'dnsutils', - 'less', - 'lsb-release', - $rubyfs_package, - 'mtr-tiny', - 'nload', - 'pciutils', - 'lldpd', - ]: - ensure => installed, - } - - munin::check { [ - 'cpu', - 'entropy', - 'forks', - 'interrupts', - 'iostat', - 'irqstats', - 'load', - 'memory', - 'open_files', - 'open_inodes', - 'processes', - 'swap', - 'uptime', - 'vmstat', - ]: - } - - if getfromhash($site::nodeinfo, 'broken-rtc') { - package { 'fake-hwclock': - ensure => installed, - tag => extra_repo, - } - } - - package { 'molly-guard': - ensure => installed, - } - file { '/etc/molly-guard/run.d/10-check-kvm': - mode => '0755', - source => 'puppet:///modules/debian-org/molly-guard/10-check-kvm', - require => Package['molly-guard'], - } - file { '/etc/molly-guard/run.d/15-acquire-reboot-lock': - mode => '0755', - source => 'puppet:///modules/debian-org/molly-guard/15-acquire-reboot-lock', - require => Package['molly-guard'], - } - - augeas { 'inittab_replicate': - context => '/files/etc/inittab', - changes => [ - 'set 
ud/runlevels 2345', - 'set ud/action respawn', - 'set ud/process "/usr/bin/ud-replicated -d"', - ], - notify => Exec['init q'], - } - - - file { '/etc/facter': - ensure => directory, - purge => true, - force => true, - recurse => true, - source => 'puppet:///files/empty/', - } - file { '/etc/facter/facts.d': - ensure => directory, - } - file { '/etc/facter/facts.d/debian_facts.yaml': - content => template('debian-org/debian_facts.yaml.erb') - } - file { '/etc/timezone': - source => 'puppet:///modules/debian-org/timezone', - notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'], - } - if $::hostname == handel { - include puppetmaster::db - $dbpassword = $puppetmaster::db::password - } - file { '/etc/puppet/puppet.conf': - content => template('debian-org/puppet.conf.erb'), - mode => 0440, - group => 'puppet', - } - file { '/etc/default/puppet': - source => 'puppet:///modules/debian-org/puppet.default', - } - file { '/etc/systemd': - ensure => directory, - mode => 0755, - } - file { '/etc/systemd/system': - ensure => directory, - mode => 0755, - } - file { '/etc/systemd/system/ud-replicated.service': - ensure => $servicefiles, - source => 'puppet:///modules/debian-org/ud-replicated.service', - notify => Exec['systemctl daemon-reload'], - } - if $systemd { - file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service': - ensure => 'link', - target => '../ud-replicated.service', - notify => Exec['systemctl daemon-reload'], - } - } - file { '/etc/systemd/system/puppet.service': - ensure => 'link', - target => '/dev/null', - notify => Exec['systemctl daemon-reload'], - } - file { '/etc/systemd/system/proc-sys-fs-binfmt_misc.automount': - ensure => 'link', - target => '/dev/null', - notify => Exec['systemctl daemon-reload'], - } - - file { '/etc/cron.d/dsa-puppet-stuff': - content => template('debian-org/dsa-puppet-stuff.cron.erb'), - require => Package['debian.org'], - } - file { '/etc/ldap/ldap.conf': - require => Package['debian.org'], - 
content => template('debian-org/ldap.conf.erb'), - } - file { '/etc/pam.d/common-session': - require => Package['debian.org'], - content => template('debian-org/pam.common-session.erb'), - } - file { '/etc/pam.d/common-session-noninteractive': - require => Package['debian.org'], - content => template('debian-org/pam.common-session-noninteractive.erb'), - } - file { '/etc/rc.local': - mode => '0755', - content => template('debian-org/rc.local.erb'), - notify => Exec['service rc.local restart'], - } - file { '/etc/dsa': - ensure => directory, - mode => '0755', - } - file { '/etc/dsa/cron.ignore.dsa-puppet-stuff': - source => 'puppet:///modules/debian-org/dsa-puppet-stuff.cron.ignore', - require => Package['debian.org'] - } - file { '/etc/nsswitch.conf': - mode => '0755', - source => 'puppet:///modules/debian-org/nsswitch.conf', - } - - file { '/etc/profile.d/timeout.sh': - mode => '0555', - source => 'puppet:///modules/debian-org/etc.profile.d/timeout.sh', - } - file { '/etc/zsh': - ensure => directory, - } - file { '/etc/zsh/zprofile': - mode => '0444', - source => 'puppet:///modules/debian-org/etc.zsh/zprofile', - } - - # set mmap_min_addr to 4096 to mitigate - # Linux NULL-pointer dereference exploits - site::sysctl { 'mmap_min_addr': - ensure => absent - } - site::sysctl { 'perf_event_paranoid': - key => 'kernel.perf_event_paranoid', - value => '2', - } - site::sysctl { 'puppet-vfs_cache_pressure': - key => 'vm.vfs_cache_pressure', - value => '10', - } - site::alternative { 'editor': - linkto => '/usr/bin/vim.basic', - } - site::alternative { 'view': - linkto => '/usr/bin/vim.basic', - } - mailalias { 'samhain-reports': - ensure => present, - recipient => $debianadmin, - require => Package['debian.org'] - } - - file { '/usr/local/bin/check_for_updates': - source => 'puppet:///modules/debian-org/check_for_updates', - mode => '0755', - owner => root, - group => root, - } - - exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive': - path => 
'/usr/bin:/usr/sbin:/bin:/sbin', - refreshonly => true - } - exec { 'service puppetmaster restart': - refreshonly => true - } - exec { 'service rc.local restart': - refreshonly => true - } - exec { 'init q': - refreshonly => true - } - - exec { 'systemctl daemon-reload': - refreshonly => true, - onlyif => "test -x /bin/systemctl" - } - - exec { 'systemd-tmpfiles --create --exclude-prefix=/dev': - refreshonly => true, - onlyif => "test -x /bin/systemd-tmpfiles" - } - - tidy { '/var/lib/puppet/clientbucket/': - age => '2w', - recurse => 9, - type => ctime, - matches => [ 'paths', 'contents' ], - schedule => weekly - } - - file { '/root/.bashrc': - source => 'puppet:///modules/debian-org/root-dotfiles/bashrc', - } - file { '/root/.profile': - source => 'puppet:///modules/debian-org/root-dotfiles/profile', - } - file { '/root/.selected_editor': - source => 'puppet:///modules/debian-org/root-dotfiles/selected_editor', - } - file { '/root/.screenrc': - source => 'puppet:///modules/debian-org/root-dotfiles/screenrc', - } - file { '/root/.tmux.conf': - source => 'puppet:///modules/debian-org/root-dotfiles/tmux.conf', - } - file { '/root/.vimrc': - source => 'puppet:///modules/debian-org/root-dotfiles/vimrc', - } -} diff --git a/modules/debian-org/manifests/radvd.pp b/modules/debian-org/manifests/radvd.pp deleted file mode 100644 index b9eeb8088..000000000 --- a/modules/debian-org/manifests/radvd.pp +++ /dev/null @@ -1,10 +0,0 @@ -class debian-org::radvd { - site::sysctl { 'dsa-accept-ra-default': - key => 'net.ipv6.conf.default.accept_ra', - value => 0, - } - site::sysctl { 'dsa-accept-ra-all': - key => 'net.ipv6.conf.all.accept_ra', - value => 0, - } -} diff --git a/modules/debian-org/misc/hoster.yaml b/modules/debian-org/misc/hoster.yaml deleted file mode 100644 index 7917dda6d..000000000 --- a/modules/debian-org/misc/hoster.yaml +++ /dev/null 
@@ -1,163 +0,0 @@ ---- -1und1-sec: - netrange: - - 195.20.242.64/26 - - 212.227.126.32/27 - - 2001:8d8:2:1::/64 -accumu: - netrange: - - 130.236.0.0/14 - - 2001:06B0:000E::/48 -aql: - netrange: - - 141.170.6.144/28 - mirror-debian: http://ftp.uk.debian.org/debian/ -arm: - netrange: - - 217.140.96.0/22 - entropy_provider_hoster: sil - mirror-debian: http://mirror.bytemark.co.uk/debian/ -brown: - netrange: - - 138.16.160.0/24 - # all hosts have their own recursor - #mirror-debian: file:///srv/ftp-master.debian.org/mirror/ftp-master/ - mirror-debian: http://ftp.us.debian.org/debian -br: - # rename to c3sl - # University Federal do Parana (.br) - netrange: - - 200.17.192.0/19 -bytemark: - netrange: - - 5.153.231.0/24 - - 89.16.160.112/29 - - 2001:41c8:1000::/48 - - 2001:41c8:61::/125 - mirror-debian: http://mirror.bm.debian.org/debian -carnet: - netrange: - - 193.198.0.0/16 -anu: - netrange: - - 150.203.164.0/24 - - 2001:388:1034:2900::/64 - #mirror-debian: http://mirror.linux.org.au/debian - #mirror-debian: http://ftp.au.debian.org/debian -conova: - netrange: - - 217.196.149.224/28 - mirror-debian: http://mirror.netcologne.de/debian/ -csail: - netrange: - - 128.31.0.0/24 - mirror-debian: http://debian.csail.mit.edu/debian/ -dgi: - netrange: - - 93.94.130.128/26 -freenet: - netrange: - - 62.104.0.0/16 -gatech: - netrange: - - 128.61.240.0/23 - mirror-debian: http://debian.gtisc.gatech.edu/debian/ -grnet: - netrange: - - 194.177.211.192/27 - - 2001:648:2ffc:deb::/64 - mirror-debian: http://ftp.gr.debian.org/debian/ -helsinki: - netrange: - - 193.167.160.0/23 - # all hosts have their own recursor -isc: - netrange: - - 149.20.0.0/16 - - 2001:4F8::/32 -uni-karlsruhe: - # rename to karlsruhe - netrange: - - 129.143.160.0/29 - - 2001:7c0:400:1337::/64 - mirror-debian: http://ftp-stud.hs-esslingen.de/debian/ -linaro: - netrange: - - 64.28.108.83/32 - - 64.28.108.84/32 - - 64.28.108.85/32 - mirror-debian: http://ftp.us.debian.org/debian/ -'man-da': - netrange: - - 
82.195.75.64/26 - - 2001:41b8:202:deb::/64 - #mirror-debian: http://debian.netcologne.de/debian/ [currently unstable] - mirror-debian: http://ftp.de.debian.org/debian/ -leaseweb: - netrange: - - 185.17.185.176/28 - #mirror-debian: http://mirror.nl.leaseweb.net/debian/ -marist: - netrange: - - 148.100.0.0/16 - mirror-debian: http://ftp.us.debian.org/debian/ -osuosl: - netrange: - - 140.211.0.0/16 - mirror-debian: http://debian.osuosl.org/debian -sakura: - netrange: - - 133.242.99.74/32 -sanger: - netrange: - - 193.62.202.24/29 - #resolvoptions: [single-request] - mirror-debian: http://mirror.bytemark.co.uk/debian/ -scanplus: - netrange: - - 212.211.132.0/26 - - 212.211.132.248/29 - - 2001:a78::/64 -sil: - netrange: - - 86.59.118.144/28 - - 2001:858:2:2::/64 - mirror-debian: http://ftp.at.debian.org/debian/ -ubc: - netrange: - - 209.87.16.0/24 - - 2607:F8F0:614:1::/64 - # old range: - - 206.12.19.0/24 - - 2607:f8f0:610:4000::/64 - mirror-debian: http://mirror-ubc.debian.org/debian/ -ugent: - netrange: - - 157.193.0.0/16 -umn: - netrange: - - 128.101.240.212 -unicamp: - netrange: - - 177.220.0.0/17 - mirror-debian: http://ftp.br.debian.org/debian/ -utwente: - netrange: - - 130.89.0.0/16 - - 2001:0610:1908::/48 - # broken with dnssec -xs4all: - # should be deleted - netrange: - - 194.109.137.216/29 - - 2001:888:2000:12::/64 -ynic: - netrange: - - 144.32.168.64/28 - mirror-debian: http://ftp.uk.debian.org/debian -zivit: - netrange: - - 80.245.144.0/22 - mirror-debian: http://debian.netcologne.de/debian/ - -# vim:set et sts=2 ts=2 sw=2: diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml deleted file mode 100644 index 8aec03557..000000000 --- a/modules/debian-org/misc/local.yaml +++ /dev/null 
@@ -1,240 +0,0 @@ ---- -nameinfo: - aagaard.debian.org: Thorvald Aagaard (June 8th, 1877 - March 22nd, 1937) - abel.debian.org: Carl Friedrich Abel (1723 - 1787) - acker.debian.org: Dieter Acker (November 3rd, 1940 - May 27th, 2006) - adayevskaya.debian.org: Ella Georgiyevna Adayevskaya (February, 22nd 1846 [O.S. February 10th] - July 26th, 1926) - antheil.debian.org: George Antheil (1900 - 1959) - arnold.debian.org: Malcolm Henry Arnold (1921 - 2006) - asachi.debian.org: Elena Asachi (1789 - 1877) - barriere.debian.org: Jean-Baptiste Barrière (May 2nd, 1707 - June 6th, 1747) - beach.debian.org: Amy Marcy Cheney Beach (September 5th, 1867 - December 27th, 1944) - beethoven.debian.org: Ludwig van Beethoven (December 16th, 1770 - March 26th, 1827) - bendel.debian.org: Franz Bendel (March 23rd, 1833 - July 3rd, 1874) - binet.debian.org: Jocelyne Binet (September 27th, 1923 - January 13th, 1968) - boott.debian.org: Francis Boott (June 24th, 1813 - March 1st, 1904) - busoni.debian.org: Ferruccio Dante Michelangiolo Benvenuto Busoni (April 1st, 1866 - July 27th, 1924) - buxtehude.debian.org: Dieterich Buxtehude (c. 1637 to 1639 - May 9th, 1707) - byrd.debian.org: William Byrd (1543 - July 4th, 1623) - casulana.debian.org: Maddalena Casulana (c. 1544 - c. 1590) - clementi.debian.org: Muzio Clementi (January 23rd, 1752 - March 10th, 1832) - coccia.debian.org: Maria Rosa Coccia (January 4th, 1759 - November 1833) - czerny.debian.org: Carl Czerny (February 21st, 1791 - July 15th, 1857) - danzi.debian.org: Franz Ignaz Danzi (June 15th, 1763 - April 13th, 1826) - delfin.debian.org: Carmelina Delfin (c. 
1900 - after 1948) - diabelli.debian.org: Anton Diabelli (September 5th, 1781 - April 7th, 1858) - dinis.debian.org: Dinis of Portugal (October 9th, 1261 - January 7th, 1325) - dillon.debian.org: Fannie Charles Dillon (March 16th, 1881 - February 21st, 1947) - donizetti.debian.org: Gaetano Donizetti (November 29th, 1797 - April 8th, 1848) - draghi.debian.org: Antonio Draghi (1635 - January 16th, 1700) - eberlin.debian.org: Johann Ernst Eberlin (March 1702 27th - June 19th, 1762) - eller.debian.org: Heino Eller (March 7th, 1887 - June 16th, 1970) - elgar.debian.org: Edward Elgar (1857 - 1934) - falla.debian.org: Manuel de Falla y Matheu (November 23rd, 1876 - November 14th, 1946) - fano.debian.org: Guido Alberto Fano (March 18th, 1875 - August 14th, 1961) - fasolo.debian.org: Giovanni Battista Fasolo, O.F.M. (ca. 1598 - after 1664) - fayrfax.debian.org: Robert Fayrfax (April 23rd, 1464 - October 24th, 1521) - fils.debian.org: Anton Fils (September 22nd, 1733 (baptized) - March 14th, 1760 (buried)) - finzi.debian.org: Gerald Raphael Finzi (July 14th, 1901 - September 27th, 1956) - fischer.debian.org: Johann Caspar Ferdinand Fischer (September 9th, 1656 - August 27th, 1746) - gideon.debian.org: Miriam Gideon (October 23rd, 1906 - June 18th, 1996) - gigault.debian.org: Nicolas Gigault (ca. 1627 - August 20th, 1707) - gombert.debian.org: Nicolas Gombert (c. 1495 - c. 
1560) - gretchaninov: Alexander Tikhonovich Gretchaninov (October 25th, 1864 - January 3rd, 1956) - handel.debian.org: Georg Friedrich Händel (February 23rd, 1685 - April 14th, 1759) - harris.debian.org: Sir William Henry Harris (March 28th, 1883 - September 6th, 1973) - hartmann.debian.org: Karl Amadeus Hartmann (August 2nd, 1905 - December 5th, 1963) - hasse.debian.org: Johann Adolph Hasse (March 25th, 1699 - December 16th, 1783) - henze.debian.org: Hans Werner Henze (July 1st, 1926 - October 27th, 2012) - hoiby.debian.org: Lee Henry Hoiby (February 17th, 1926 - March 28th, 2011) - jerea.debian.org: Hilda Jerea (March 17th, 1916 - May 14th, 1980) - kaufmann.debian.org: Georg Friedrich Kauffmann (February 14th, 1679 - February 27th, 1735) - klecker.debian.org: Dedicated to Joel 'Espy' Klecker (1979 - July 11th, 2000) - lindsay.debian.org: Maria Lindsay Bliss (May 15th, 1827 - April 3rd, 1898) - lotti.debian.org: Antonio Lotti (ca. 1667 - January 5th, 1740) - lully.debian.org: Jean-Baptiste de Lully (November 28th, 1632 - March 22nd, 1687) - mailly.debian.org: Alphonse Jean Ernest Mailly (November 27th, 1833 - January 10th, 1918) - melartin.debian.org: Erkki Melartin (February 7th, 1875 - February 14th, 1937) - menotti.debian.org: Gian Carlo Menotti (July 7th, 1911 - February 1st, 2007) - manziarly.debian.org: Marcelle de Manziarly (October 1st/13th, 1899 - May 12th, 1989) - mekeel.debian.org: Joyce Mekeel (July 6th, 1931 - Dec 29th, 1997) - milanollo.debian.org: Teresa Milanollo (August 28th, 1827 - October 25th, 1904) - minkus.debian.org: Ludwig Minkus (March 23rd 1826 - December 7th, 1917) - muffat.debian.org: George Muffat (June 1st, 1653 - February 23rd, 1704) - nono.debian.org: Luigi Nono (January 29th, 1924 - May 8th, 1990) - olin.debian.org: Elisabeth Olin (December 1740 - March 26th, 1828) - paradis.debian.org: Maria Theresia Paradis (May 15th, 1759 - February 1st, 1824) - partch.debian.org: Harry Partch (June 24th, 1901 - September 3rd, 1974) - pejacevic: 
Dora Pejačević (September 10th, 1885 - March 5th, 1923) - petrova.debian.org: Mara Petrova (May 15th, 1921 - June 7th. 1997) - pettersson.debian.org: Gustav Allan Pettersson (September 19th, 1911 - June 20th, 1980) - philp.debian.org: Elizabeth Philp (1827 - November 26th, 1885) - picconi.debian.org: Maria Antonietta Picconi (September 23rd, 1869 - 1926) - pieta.debian.org: Michielina della Pietà (fl. ca. 1700 - 1744) - pinel.debian.org: Julie Pinel (fl. 1710 - 1737) - pizzetti.debian.org: Ildebrando Pizzetti (20 September 1880 - 13 February 1968) - plummer.debian.org: John Plummer (c. 1410 - c. 1483) - porpora.debian.org: Niccolò (Antonio) Porpora (17 August 1686 - 3 March 1768) - porta.debian.org: Giovanni Porta (c. 1675 - 21 June 1755) - praetorius.debian.org: Hieronymus Praetorius (August 10th, 1560 - January 27th, 1629) - prokofiev.debian.org: Sergei Sergeyevich Prokofiev (April 27th, 1891 - March 5th, 1953) - quantz.debian.org: Johann Joachim Quantz (January 30th, 1697 - July 12th, 1773) - rachmaninoff: Sergei Vasilievich Rachmaninoff (1 April 1873 - 28 March 1943) - rainier.debian.org: Ivy Priaulx Rainier (February 3rd, 1903 - October 10th, 1986) - rapoport.debian.org: Eda Rothstein Rapoport (December 25th, 1890 - May 9th, 1968) - reger.debian.org: Johann Baptist Joseph Maximilian Reger (March 19th, 1873 - May 11th, 1916) - respighi.debian.org: Elsa Respighi (née Olivieri-Sangiacomo) (March 24th, 1894 - March 17th, 1996) - sallinen.debian.org: Aulis Sallinen (born April 9, 1935) - santoro.debian.org: Cláudio Santoro (November 23rd, 1919 - March 27th, 1989) - schumann.debian.org: Robert Alexander Schumann (June 8th, 1810 - July 29th, 1856) - sechter.debian.org: Simon Sechter (October 11th, 1788 - September 10th, 1867) - seger.debian.org: Josef Seger (March 21st, 1716 - April 22nd, 1782) - senfter.debian.org: Johanna Senfter (November, 27th, 1879 - August 11th, 1961) - setoguchi.debian.org: 瀬戸口藤吉, Tokichi Setoguchi (June 28th, 1868 - November 8th, 1941) - 
sibelius.debian.org: Jean Sibelius (December 8th, 1865 - September 20th, 1957) - smetana.debian.org: Bedřich Smetana (March 2nd, 1824 - May 12th, 1884) - sonntag.debian.org: Brunhilde Sonntag (September 27th, 1936 - December 18th, 2002) - sor.debian.org: Fernando Sor (February 14th, 1778 - July 10th, 1839) - soriano.debian.org: Francesco Soriano (1548 or 1549 - July 19th, 1621) - stockhausen.debian.org: Karlheinz Stockhausen (August 22nd, 1928 - December 5th, 2007) - storace.debian.org: Stephen Storace (April 4th, 1762 - March 19th, 1796) - spontini.debian.org: Gaspare Luigi Pacifico Spontini (November 14th, 1774 - January 24th, 1851) - tate.debian.org: Phyllis Tate (April 6th, 1911 - May 29th, 1987) - tchaikovsky.debian.org: Pyotr Ilyich Tchaikovsky (Пётр Ильич Чайковский) (May 7th, 1840 - November 6th, 1893) - ticharich.debian.org: Zdenka Ticharich (September 26th, 1900 - February 15th, 1979) - tye.debian.org: Christopher Tye (c.1505 - 1573) - ullmann.debian.org: Viktor Ullmann (January 1st, 1898 - October 17th, 1944) - usper.debian.org: Francesco Usper (November 1st, 1561 - February 24th, 1641) - vento.debian.org: Ivo de Vento (1543/1545 - 1575) - vittoria.debian.org: Tomás Luis da Vittoria (ca. 
1548 - August 27th, 1611) - vogler.debian.org: Georg Joseph Vogler (June 15th, 1749 - May 6th, 1814) - wieck.debian.org: Clara Josephine Wieck (September 13th, 1819 - May 20th, 1896) - wilder.debian.org: Alec Wilder (February 16th, 1907 - December 24th, 1980) - wolkenstein.debian.org: Oswald von Wolkenstein (1377 - August 2nd, 1445) - wuiet.debian.org: Caroline Wuiet (1766 - 1835) - zandonai.debian.org: Riccardo Zandonai (May 30th, 1883 - June 5th, 1944) - zani.debian.org: Andrea Teodoro Zani (November 11th, 1696 - September 28th, 1757) - zelenka.debian.org: Jan Dismas Zelenka (October 16th, 1679 - December 23rd, 1745) - zemlinsky.debian.org: Alexander von Zemlinsky (October 14th, 1871 - March 15th 1942) -footer: - dummy: foo - #zandonai.debian.org: "Debian s390 buildd system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]" - #zelenka.debian.org: "Debian s390 porter system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]" -host_settings: - heavy_exim: - # mail front-ends - - mailly.debian.org - - muffat.debian.org - # other mail receivers - - buxtehude.debian.org - - draghi.debian.org - - master.debian.org - - nono.debian.org - - picconi.debian.org - - pinel.debian.org - - quantz.debian.org - - reger.debian.org - - tye.debian.org - - vento.debian.org - - wuiet.debian.org - not-bacula-client: - # porterbox - - abel.debian.org - - asachi.debian.org - - barriere.debian.org - - binet.debian.org - - eller.debian.org - - falla.debian.org - - fischer.debian.org - - harris.debian.org - - minkus.debian.org - - partch.debian.org - - pizzetti.debian.org - - plummer.debian.org - - smetana.debian.org - - zelenka.debian.org - # buildd - - antheil.debian.org - - arm-arm-01.debian.org - - arm-arm-02.debian.org - - arm-arm-03.debian.org - - arm-arm-04.debian.org - - arm-conova-01.debian.org - - arm-conova-02.debian.org - - arm-conova-03.debian.org - - arm-conova-04.debian.org - - 
arm-linaro-01.debian.org - - arm-linaro-03.debian.org - - arnold.debian.org - - eberlin.debian.org - - fano.debian.org - - fayrfax.debian.org - - fils.debian.org - - finzi.debian.org - - hartmann.debian.org - - hasse.debian.org - - henze.debian.org - - hoiby.debian.org - - mips-aql-01.debian.org - - mips-aql-02.debian.org - - mips-aql-04.debian.org - - mips-aql-05.debian.org - - mips-aql-06.debian.org - - mips-sil-01.debian.org - - mips-manda-01.debian.org - - mipsel-aql-01.debian.org - - mipsel-aql-02.debian.org - - mipsel-aql-03.debian.org - - mipsel-manda-01.debian.org - - mipsel-manda-02.debian.org - - mipsel-manda-03.debian.org - - mipsel-sil-01.debian.org - - porpora.debian.org - - powerpc-osuosl-01.debian.org - - powerpc-unicamp-01.debian.org - - ppc64el-osuosl-01.debian.org - - ppc64el-unicamp-01.debian.org - - praetorius.debian.org - - spontini.debian.org - - x86-grnet-01.debian.org - - zandonai.debian.org - - zani.debian.org - - zemlinsky.debian.org - - x86-bm-01.debian.org - - x86-csail-01.debian.org - - x86-csail-02.debian.org - - x86-ubc-01.debian.org - broken-rtc: - - abel.debian.org - - antheil.debian.org - - arm-arm-01.debian.org - - arm-arm-02.debian.org - - arm-arm-03.debian.org - - arnold.debian.org - - eller.debian.org - - harris.debian.org - - hasse.debian.org - - henze.debian.org - - hoiby.debian.org - - mips-aql-01.debian.org - - mips-aql-02.debian.org - - mips-aql-04.debian.org - - mips-aql-05.debian.org - - mips-aql-06.debian.org - - mips-manda-01.debian.org - - mips-sil-01.debian.org - - mipsel-aql-03.debian.org - - mipsel-manda-03.debian.org - - mipsel-sil-01.debian.org - mail_port: - klecker.debian.org: 2025 - zani.debian.org: 587 - no_munin: - - fano.debian.org - entropy_key: - - czerny.debian.org - - grnet-node01.debian.org - # - ubc-bl2.debian.org - - storace.debian.org - buildd_master: - - wuiet.debian.org 
diff --git a/modules/debian-org/templates/debian_facts.yaml.erb b/modules/debian-org/templates/debian_facts.yaml.erb
deleted file mode 100644
index 2dcf7961f..000000000
--- a/modules/debian-org/templates/debian_facts.yaml.erb
+++ /dev/null
@@ -1,2 +0,0 @@
----
-hoster: <%= scope.lookupvar('site::nodeinfo')['hoster']['name'] %>
diff --git a/modules/debian-org/templates/dsa-puppet-stuff.cron.erb b/modules/debian-org/templates/dsa-puppet-stuff.cron.erb
deleted file mode 100644
index 48fab729d..000000000
--- a/modules/debian-org/templates/dsa-puppet-stuff.cron.erb
+++ /dev/null
@@ -1,20 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -SHELL=/bin/bash -@hourly root [ ! -d /var/cache/dsa ] || touch /var/cache/dsa/cron.alive -<% if @lsbmajdistrelease <= '7' -%> -34 */4 * * * root if [ -x /usr/sbin/puppetd ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/sbin/puppetd -o --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi -<% else -%> -34 */4 * * * root if [ -x /usr/bin/puppet ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/bin/puppet agent --onetime --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi -<% end -%> - -@hourly root sleep $(( $RANDOM \% 300 )); if [ -x /usr/lib/nagios/plugins/dsa-check-stunnel-sanity ] && [ -e /etc/stunnel/puppet-ekeyd.conf ] && ! /usr/lib/nagios/plugins/dsa-check-stunnel-sanity > /dev/null && grep -q '^client = yes' /etc/stunnel/puppet-ekeyd.conf; then /usr/sbin/service stunnel4 restart > /dev/null; fi - -@daily munin-async [ -d /var/lib/munin-async ] && find /var/lib/munin-async -maxdepth 1 -type f -mtime +30 -delete - -@daily root [ -d /var/lib/puppet/clientbucket ] && find /var/lib/puppet/clientbucket -type f -mtime +60 -delete && find /var/lib/puppet/clientbucket -type d -empty -delete - -@hourly root ! [ -x /usr/local/sbin/ntp-restart-if-required ] || /usr/local/sbin/ntp-restart-if-required diff --git a/modules/debian-org/templates/ldap.conf.erb b/modules/debian-org/templates/ldap.conf.erb deleted file mode 100644 index b3f514b70..000000000 --- a/modules/debian-org/templates/ldap.conf.erb +++ /dev/null 
@@ -1,24 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# -# LDAP Defaults -# - -# See ldap.conf(5) for details -# This file should be world readable but not world writable. - -#BASE dc=example,dc=com -#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 - -#SIZELIMIT 12 -#TIMELIMIT 15 -#DEREF never - -URI ldap://db.debian.org -BASE dc=debian,dc=org - -TLS_CACERT /etc/ssl/ca-debian/ca-certificates.crt -TLS_REQCERT hard diff --git a/modules/debian-org/templates/pam.common-session-noninteractive.erb b/modules/debian-org/templates/pam.common-session-noninteractive.erb deleted file mode 100644 index 3b078a335..000000000 --- a/modules/debian-org/templates/pam.common-session-noninteractive.erb +++ /dev/null 
@@ -1,30 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# -# /etc/pam.d/common-session-noninteractive - session-related modules -# common to all non-interactive services -# -# This file is included from other service-specific PAM config files, -# and should contain a list of modules that define tasks to be performed -# at the start and end of all non-interactive sessions. -# -# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. -# To take advantage of this, it is recommended that you configure any -# local modules either before or after the default block, and use -# pam-auth-update to manage selection of other modules. See -# pam-auth-update(8) for details. - -# here are the per-package modules (the "Primary" block) -session [default=1] pam_permit.so -# here's the fallback if no module succeeds -session requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -session required pam_permit.so -# and here are more per-package modules (the "Additional" block) -session required pam_unix.so -# end of pam-auth-update config diff --git a/modules/debian-org/templates/pam.common-session.erb b/modules/debian-org/templates/pam.common-session.erb deleted file mode 100644 index 3a24bb790..000000000 --- a/modules/debian-org/templates/pam.common-session.erb +++ /dev/null 
@@ -1,34 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# -# /etc/pam.d/common-session - session-related modules common to all services -# -# This file is included from other service-specific PAM config files, -# and should contain a list of modules that define tasks to be performed -# at the start and end of sessions of *any* kind (both interactive and -# non-interactive). -# -# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. -# To take advantage of this, it is recommended that you configure any -# local modules either before or after the default block, and use -# pam-auth-update to manage selection of other modules. See -# pam-auth-update(8) for details. - -# here are the per-package modules (the "Primary" block) -session [default=1] pam_permit.so -# here's the fallback if no module succeeds -session requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -session required pam_permit.so -# and here are more per-package modules (the "Additional" block) -session required pam_unix.so -# end of pam-auth-update config -session [success=1 default=ignore] pam_succeed_if.so quiet_fail quiet_success home = /nonexistent -session optional pam_mkhomedir.so skel=/etc/skel umask=0022 -session optional pam_systemd.so -session optional pam_permit.so diff --git a/modules/debian-org/templates/puppet.conf.erb b/modules/debian-org/templates/puppet.conf.erb deleted file mode 100644 index 8b7580026..000000000 --- a/modules/debian-org/templates/puppet.conf.erb +++ /dev/null 
@@ -1,44 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -[main] -logdir=/var/log/puppet -vardir=/var/lib/puppet -ssldir=/var/lib/puppet/ssl -rundir=/var/run/puppet -factpath=$vardir/lib/facter -pluginsync=true -# This is the default environment for all clients -environment=production - -<%- if scope.lookupvar('::hostname') == 'handel' -%> -modulepath=/etc/puppet/modules:/etc/puppet/3rdparty/modules:/usr/share/puppet/modules - -[master] -environments = production,staging -reports = store -config_version = cat /etc/puppet/.config-version -storeconfigs = true -thin_storeconfigs = true -dbadapter=mysql -dbuser=puppet -dbpassword=<%= scope.lookupvar('dbpassword') %> -dbserver=localhost - -[production] -manifestdir=/srv/puppet.debian.org/stages/production/manifests -fileserverconfig=/srv/puppet.debian.org/stages/production/fileserver.conf -modulepath=/srv/puppet.debian.org/stages/production/modules:/srv/puppet.debian.org/stages/production/3rdparty/modules - -[staging] -manifestdir=/srv/puppet.debian.org/stages/staging/manifests -fileserverconfig=/srv/puppet.debian.org/stages/staging/fileserver.conf -modulepath=/srv/puppet.debian.org/stages/staging/modules:/srv/puppet.debian.org/stages/staging/3rdparty/modules -<%- end -%> - -[agent] -environments = development,testing,production,staging -report = true -configtimeout = 240 diff --git a/modules/debian-org/templates/rc.local.erb b/modules/debian-org/templates/rc.local.erb deleted file mode 100755 index b3d13dc02..000000000 --- a/modules/debian-org/templates/rc.local.erb +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/bin/bash - -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## -<%- if hostname == "zani" then -%> - if [ -n "$(awk '$4 == "dasdb1" && $3 == "249999" {print}' /proc/partitions)" ]; then - mkswap /dev/dasdb1 && swapon -p 30 /dev/dasdb1 - fi - if [ -n "$(awk '$4 == "dasdc1" && $3 == "249999" {print}' /proc/partitions)" ]; then - mkswap /dev/dasdc1 && swapon -p 30 /dev/dasdc1 - fi -<%- end -%> -<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%> - ( sleep 120; - service syslog-ng restart; - sleep 5; - init q - ) & disown -<%- end -%> - -if [ -e /proc/sys/kernel/modules_disabled ]; then - ( sleep 60; - echo 1 > /proc/sys/kernel/modules_disabled || true - ) & disown -fi - -touch /var/run/reboot-lock diff --git a/modules/debian_org/files/apt.conf.d/local-compression b/modules/debian_org/files/apt.conf.d/local-compression new file mode 100644 index 000000000..818a6e273 --- /dev/null +++ b/modules/debian_org/files/apt.conf.d/local-compression @@ -0,0 +1,15 @@ +// +// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +// + +Acquire { + CompressionTypes + { + bz2 "bzip2"; + lzma "lzma"; + gz "gzip"; + + Order { "gz"; "lzma"; "bz2"; }; + }; +}; diff --git a/modules/debian_org/files/apt.conf.d/local-langs b/modules/debian_org/files/apt.conf.d/local-langs new file mode 100644 index 000000000..3e9ff30d5 --- /dev/null +++ b/modules/debian_org/files/apt.conf.d/local-langs @@ -0,0 +1 @@ +Acquire::Languages { "en"; "none"; }; diff --git a/modules/debian_org/files/apt.conf.d/local-pdiffs b/modules/debian_org/files/apt.conf.d/local-pdiffs new file mode 100644 index 000000000..155daf9be --- /dev/null 
+++ b/modules/debian_org/files/apt.conf.d/local-pdiffs @@ -0,0 +1,6 @@ +// +// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +// + +Acquire::PDiffs "false"; diff --git a/modules/debian_org/files/apt.conf.d/local-recommends b/modules/debian_org/files/apt.conf.d/local-recommends new file mode 100644 index 000000000..aa0261cc9 --- /dev/null +++ b/modules/debian_org/files/apt.conf.d/local-recommends @@ -0,0 +1,6 @@ +// +// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +// + +APT::Install-Recommends 0; diff --git a/modules/debian_org/files/apt.preferences b/modules/debian_org/files/apt.preferences new file mode 100644 index 000000000..65d11720d --- /dev/null +++ b/modules/debian_org/files/apt.preferences @@ -0,0 +1,23 @@ +Explanation: +Explanation: THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +Explanation: USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +Explanation: +Package: * +Pin: release o=Debian Backports +Pin-Priority: 200 + +Package: sbuild +Pin: release o=buildd.debian.org +Pin-Priority: 500 + +Package: buildd +Pin: release o=buildd.debian.org +Pin-Priority: 500 + +Package: libsbuild-perl +Pin: release o=buildd.debian.org +Pin-Priority: 500 + +Package: * +Pin: release o=buildd.debian.org +Pin-Priority: -1 diff --git a/modules/debian_org/files/basic-ssh_known_hosts b/modules/debian_org/files/basic-ssh_known_hosts new file mode 100644 index 000000000..5f1d4078c --- /dev/null +++ b/modules/debian_org/files/basic-ssh_known_hosts 
@@ -0,0 +1 @@ +draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106,2001:41b8:202:deb:1a1a:0:52c3:4b6a ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi diff --git a/modules/debian_org/files/check_for_updates b/modules/debian_org/files/check_for_updates new file mode 100755 index 000000000..7894da48f --- /dev/null +++ b/modules/debian_org/files/check_for_updates @@ -0,0 +1,19 @@ +#!/bin/bash + +parse_dates () { + while read url file junk; do + url=$(echo $url | sed -e "s/'//g") + url_time=$(date -d "$(curl -sqI ${url} | grep Last-Modified: | sed -e 's/Last-Modified: //')" +%s) + if [ ! -f "/var/lib/apt/lists/${file}" ]; then + return 0 + fi + file_time=$(stat -c %Y /var/lib/apt/lists/${file}) + if [ $url_time -gt $file_time ]; then + return 0 + fi + done + return 1 +} + +su nobody -c 'apt-get update -s --print-uris' | grep 'Release ' | parse_dates +exit $? diff --git a/modules/debian_org/files/db.debian.org.gpg b/modules/debian_org/files/db.debian.org.gpg new file mode 100644 index 000000000..229cb639f Binary files /dev/null and b/modules/debian_org/files/db.debian.org.gpg differ diff --git a/modules/debian_org/files/dsa-puppet-stuff.cron.ignore b/modules/debian_org/files/dsa-puppet-stuff.cron.ignore new file mode 100644 index 000000000..e348b0ac8 --- /dev/null +++ b/modules/debian_org/files/dsa-puppet-stuff.cron.ignore 
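Review bot: In `parse_dates` the values read from `apt-get update -s --print-uris` are expanded unquoted (`curl -sqI ${url}`, `stat -c %Y /var/lib/apt/lists/${file}`, `[ $url_time -gt $file_time ]`), so a URI or list name containing whitespace or glob characters is split before it reaches curl, stat or test. The `Last-Modified` lookup is also unchecked: the grep is case-sensitive, and with an empty string GNU `date -d` still prints a timestamp (midnight today, as far as I know), so a failed or header-less response is compared as if it were a real date. I would quote the expansions and make the empty case explicit, e.g. `lm=$(curl -sqI "$url" | grep -i '^Last-Modified:' | sed -e 's/^[^:]*: //')` followed by `[ -n "$lm" ] || return 0`, and then `[ "$url_time" -gt "$file_time" ]`. Note that only the `apt-get` call is dropped to `nobody`; the `curl` requests run as whoever invokes the script.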
@@ -0,0 +1,15 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## +# this is a list of patterns, one per line, of things that puppet's +# cron output shouldn't mail to us. + +^v6: error fetching interface information: Device not found$ +^pcilib: Cannot open /proc/bus/pci$ +^lspci: Cannot find any working access method\.$ +^can't open /proc/dma at /usr/bin/lsdev line 32\.$ +^/usr/lib/ruby/1.9.1/rubygems/custom_require\.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead\.$ +^/usr/lib/ruby/vendor_ruby/puppet/provider/service/freebsd\.rb:[8910]*: warning: class variable access from toplevel$ +^/usr/lib/ruby/vendor_ruby/puppet/provider/service/bsd\.rb:12: warning: class variable access from toplevel$ +^/usr/lib/ruby/vendor_ruby/puppet/type/tidy\.rb:1[0-9][0-9]: warning: class variable access from toplevel$ diff --git a/modules/debian_org/files/etc.profile.d/timeout.sh b/modules/debian_org/files/etc.profile.d/timeout.sh new file mode 100755 index 000000000..617579eaf --- /dev/null +++ b/modules/debian_org/files/etc.profile.d/timeout.sh @@ -0,0 +1,2 @@ +TMOUT=129600 # a day and a half (36 hrs) +export TMOUT diff --git a/modules/debian_org/files/etc.zsh/zprofile b/modules/debian_org/files/etc.zsh/zprofile new file mode 100644 index 000000000..8ea4df35a --- /dev/null +++ b/modules/debian_org/files/etc.zsh/zprofile @@ -0,0 +1,16 @@ +# +# THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +# USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +# + +# /etc/zsh/zprofile: system-wide .zprofile file for zsh(1). +# +# This file is sourced only for login shells (i.e. shells +# invoked with "-" as the first character of argv[0], and +# shells invoked with the -l flag.) +# +# Global Order: zshenv, zprofile, zshrc, zlogin + +if [ -e /etc/profile.d/timeout.sh ]; then + . /etc/profile.d/timeout.sh +fi 
diff --git a/modules/debian_org/files/molly-guard/10-check-kvm b/modules/debian_org/files/molly-guard/10-check-kvm
new file mode 100644
index 000000000..e9ed39ca3
--- /dev/null
+++ b/modules/debian_org/files/molly-guard/10-check-kvm
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+KVMCOUNT=`pgrep -cx '^(qemu-)?kvm$'`
+if [ $KVMCOUNT != 0 ]; then
+ echo "Found $KVMCOUNT qemu-kvm instances running, aborting $MOLLYGUARD_CMD!"
+ exit 1
+fi
diff --git a/modules/debian_org/files/molly-guard/15-acquire-reboot-lock b/modules/debian_org/files/molly-guard/15-acquire-reboot-lock
new file mode 100644
index 000000000..ebbac937b
--- /dev/null
+++ b/modules/debian_org/files/molly-guard/15-acquire-reboot-lock
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Copyright 2012 Peter Palfrader
+
+l=/var/run/reboot-lock
+exec 3> $l
+
+if ! flock --exclusive -w 0 3; then
+ echo >&2 "Cannot acquire reboot lock."
+ exit 1
+fi
+echo "Reboot lock acquired."
+
+ppid="$PPID"
+(
+ while kill -0 "$ppid" 2>/dev/null; do
+ sleep 1
+ done
+) &
+disown
+exit 0
diff --git a/modules/debian_org/files/nsswitch.conf b/modules/debian_org/files/nsswitch.conf
new file mode 100644
index 000000000..e6a644e61
--- /dev/null
+++ b/modules/debian_org/files/nsswitch.conf
@@ -0,0 +1,19 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: compat db
+group: db compat
+shadow: compat db
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
diff --git a/modules/debian_org/files/puppet.default b/modules/debian_org/files/puppet.default
new file mode 100644
index 000000000..dc0743f26
--- /dev/null
+++ b/modules/debian_org/files/puppet.default
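Review bot: The guard in 10-check-kvm fails open. If `pgrep` is missing or prints nothing, `$KVMCOUNT` is empty, `[ $KVMCOUNT != 0 ]` becomes a malformed test that returns non-zero, the `if` body is skipped and the script ends with status 0, so the reboot is not blocked. Quoting with a default makes the unknown case abort instead: `if [ "${KVMCOUNT:-unknown}" != 0 ]; then`.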
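Review bot: The background subshell at the end of 15-acquire-reboot-lock has no comment, and its purpose is easy to miss. It inherits fd 3, so it appears to exist only to keep the `flock` on `/var/run/reboot-lock` held after this script has exited, for as long as the calling process is alive. I would say so above the `(`: `# keep fd 3, and with it the lock, open until the calling shutdown/reboot process exits`. Separately, `exec 3> $l` would be safer written as `exec 3> "$l"`.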
@@ -0,0 +1,13 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +# Defaults for puppet - sourced by /etc/init.d/puppet + +# Start puppet on boot? +START=no +exit 0 + +# Startup options +DAEMON_OPTS="-w 5 --factsync" diff --git a/modules/debian_org/files/root-dotfiles/bashrc b/modules/debian_org/files/root-dotfiles/bashrc new file mode 100644 index 000000000..048d94436 --- /dev/null +++ b/modules/debian_org/files/root-dotfiles/bashrc @@ -0,0 +1,23 @@ +# ~/.bashrc: executed by bash(1) for non-login shells. + +## THIS FILE IS UNDER PUPPET CONTROL. +## LOCAL CHANGES WILL BE OVERWRITTEN. + +if [ "$PS1" ]; then + typeset HISTCONTROL=ignoreboth + typeset HISTSIZE=50000 + + export LS_OPTIONS='--color=auto' + eval "`dircolors`" + alias ls='ls $LS_OPTIONS' + alias ll='ls $LS_OPTIONS -l' + alias l='ls $LS_OPTIONS -lA' + + if [ -f /usr/share/bash-completion/bash_completion ]; then + . /usr/share/bash-completion/bash_completion + fi + + PATH="$PATH:/usr/lib/nagios/plugins" +fi + +# vim: set ft=sh ts=2 sw=2 et ai si: diff --git a/modules/debian_org/files/root-dotfiles/profile b/modules/debian_org/files/root-dotfiles/profile new file mode 100644 index 000000000..e4bb8dbd7 --- /dev/null +++ b/modules/debian_org/files/root-dotfiles/profile @@ -0,0 +1,17 @@ +# ~/.profile: executed by Bourne-compatible login shells. + +## THIS FILE IS UNDER PUPPET CONTROL. +## LOCAL CHANGES WILL BE OVERWRITTEN. + +if [ "$BASH" ]; then + if [ -f ~/.bashrc ]; then + . ~/.bashrc + fi + if [ "$PS1" ]; then + PS1='${debian_chroot:+[$debian_chroot] }\h:\w\$ ' + fi +fi + +mesg n + +# vim: set ft=sh ts=2 sw=2 et ai si: diff --git a/modules/debian_org/files/root-dotfiles/screenrc b/modules/debian_org/files/root-dotfiles/screenrc new file mode 100644 index 000000000..d59cfb993 --- /dev/null +++ b/modules/debian_org/files/root-dotfiles/screenrc 
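Review bot: The `exit 0` directly after `START=no` in puppet.default ends whatever script sources this file (the header names /etc/init.d/puppet), so the `DAEMON_OPTS` assignment below it is never reached. If the aim is to neutralise the init script, presumably because the agent is started from cron, the file should say so, e.g. `# deliberately abort the init script here; the agent is run from cron`. The unreachable `DAEMON_OPTS` line could then be dropped or marked as unused.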
@@ -0,0 +1,43 @@ + +## THIS FILE IS UNDER PUPPET CONTROL. +## LOCAL CHANGES WILL BE OVERWRITTEN. + + +startup_message off +deflogin on +#vbell off +defscrollback 10000 +defnonblock 5 + +## set these terminals up to be 'optimal' instead of vt100 +#termcapinfo xterm*|linux*|rxvt*|Eterm* OP + +caption always " %?%F%{r}%?%H%{r}%?%F*%: %? %{rd}| %{r}$LOGNAME%{d} | %{b}%-Lw%{b}%50>%{kw}%n%f* %t %{-}%+Lw%<" + +# fix screens copy&paste (background-color-erase to on) +defbce on + +# xterm, and urxvt on weasel's jessie systems +bindkey "^[[1;5D" prev +bindkey "^[[1;5C" next +bindkey "^[[1;5A" focus up +bindkey "^[[1;5B" focus down + +# urxvt default Ctrl+left/right/up/down on weasel's stretch systems +bindkey "^[Od" prev +bindkey "^[Oc" next +bindkey "^[Oa" focus up +bindkey "^[Ob" focus down + +# gnome terminal (in screen: +#bindkey "^[n" screen +#bindkey "^[O5D" prev +#bindkey "^[O5C" next +#bindkey "^[O5A" focus up +#bindkey "^[O5B" focus down + +# urxvt shift+left/right +#bindkey "^[[d" prev +#bindkey "^[[c" next +#bindkey "^[[a" focus up +#bindkey "^[[b" focus down diff --git a/modules/debian_org/files/root-dotfiles/selected_editor b/modules/debian_org/files/root-dotfiles/selected_editor new file mode 100644 index 000000000..2cab27132 --- /dev/null +++ b/modules/debian_org/files/root-dotfiles/selected_editor @@ -0,0 +1 @@ +SELECTED_EDITOR="/usr/bin/vim" diff --git a/modules/debian_org/files/root-dotfiles/tmux.conf b/modules/debian_org/files/root-dotfiles/tmux.conf new file mode 100644 index 000000000..ecde6161f --- /dev/null +++ b/modules/debian_org/files/root-dotfiles/tmux.conf 
@@ -0,0 +1,16 @@ +# mess with the status window +set -g status-bg colour109 +set -g status-right "[#T]" +setw -g window-status-current-bg white + +bind -n C-Right next-window +bind -n C-Left previous-window + +bind -n C-Up select-pane -U +bind -n C-Down select-pane -D +bind | split-window -h +bind - split-window -v + +#set -g default-terminal "screen-it" +set -g xterm-keys on +set -sg escape-time 0 diff --git a/modules/debian_org/files/root-dotfiles/vimrc b/modules/debian_org/files/root-dotfiles/vimrc new file mode 100644 index 000000000..d99e4d689 --- /dev/null +++ b/modules/debian_org/files/root-dotfiles/vimrc 
@@ -0,0 +1,88 @@ +" ~/.vimrc - ViM configuration file + +" THIS FILE IS UNDER PUPPET CONTROL. +" LOCAL CHANGES WILL BE OVERWRITTEN. + +runtime! debian.vim +filetype plugin on +set ai +:set nocompatible +:syn on +:set title +:set pastetoggle= +:set listchars=tab:»·,trail:· +:set list +:nmap :set invlist +:imap :set invlist +:set clipboard^=autoselectml guioptions+=A +let g:Imap_UsePlaceHolders = 1 +let g:Imap_FreezeImap = 1 +:hi MatchParen ctermbg=black +colorscheme peachpuff + +map :n +map :N +map :wn +map :wN +map fd ggV/^-- gq + +nnoremap :make + +nnoremap :bprevious +nnoremap :bnext +inoremap :bprevious +inoremap :bnext + +nnoremap :bprevious +nnoremap :bnext +inoremap :bprevious +inoremap :bnext + +nnoremap [1;2D :bprevious +nnoremap [1;2C :bnext +inoremap [1;2D :bprevious +inoremap [1;2C :bnext + +nnoremap [D :bprevious +nnoremap [C :bnext +inoremap [D :bprevious +inoremap [C :bnext + +nnoremap [d :bprevious +nnoremap [c :bnext +inoremap [d :bprevious +inoremap [c :bnext + +" nnoremap :bnew +nnoremap :bprevious +nnoremap :bnext + +if &term =~ '^screen' + " tmux will send xterm-style keys when xterm-keys is on + execute "set =\e[1;*A" + execute "set =\e[1;*B" + execute "set =\e[1;*C" + execute "set =\e[1;*D" +endif + + + +" wild/tab behavior +" ================= +set wildmode=longest,list:longest,list:full + +" spelling stuff +" ============== +set spellfile=~/.vim.spell.en.add +:nmap :set invspell +:imap :set invspell + +" Searching and highlighting +" ========================== +hi Search cterm=NONE ctermfg=yellow ctermbg=19 +set hlsearch +nnoremap :noh + +set tabpagemax=50 +" Do not close buffers we don't see +set hidden diff --git a/modules/debian_org/files/timezone b/modules/debian_org/files/timezone new file mode 100644 index 000000000..7f39493bd --- /dev/null +++ b/modules/debian_org/files/timezone @@ -0,0 +1 @@ +Etc/UTC 
diff --git a/modules/debian_org/files/ud-replicated.service b/modules/debian_org/files/ud-replicated.service
new file mode 100644
index 000000000..dbf99a8fe
--- /dev/null
+++ b/modules/debian_org/files/ud-replicated.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Userdir-Ldap Replication Daemon
+Wants=syslog.service
+
+[Service]
+ExecStart=/usr/bin/ud-replicated -d
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/modules/debian_org/lib/facter/architecture.rb b/modules/debian_org/lib/facter/architecture.rb
new file mode 100644
index 000000000..e04cadc0c
--- /dev/null
+++ b/modules/debian_org/lib/facter/architecture.rb
@@ -0,0 +1,19 @@
+Facter.add(:architecture) do
+ confine :kernel => 'GNU/kFreeBSD'
+ setcode do
+ model = Facter.value(:hardwaremodel)
+ case model
+ when 'x86_64' then "amd64"
+ when /(i[3456]86|pentium)/ then "i386"
+ else
+ model
+ end
+ end
+end
+
+Facter.add(:debarchitecture) do
+ setcode do
+ %x{/usr/bin/dpkg --print-architecture}.chomp
+ end
+end
+
diff --git a/modules/debian_org/lib/facter/cluster.rb b/modules/debian_org/lib/facter/cluster.rb
new file mode 100644
index 000000000..46d0bec3e
--- /dev/null
+++ b/modules/debian_org/lib/facter/cluster.rb
@@ -0,0 +1,17 @@
+if FileTest.exist?('/usr/sbin/gnt-cluster') and FileTest.exist?('/var/lib/ganeti/ssconf_cluster_name')
+ begin
+ if system('/usr/sbin/gnt-cluster getmaster >/dev/null')
+ Facter.add('cluster') do
+ setcode do
+ open('/var/lib/ganeti/ssconf_cluster_name').read().chomp()
+ end
+ end
+ Facter.add('cluster_nodes') do
+ setcode do
+ open('/var/lib/ganeti/ssconf_node_list').read().split().join(" ")
+ end
+ end
+ end
+ rescue Exception => e
+ end
+end
diff --git a/modules/debian_org/lib/facter/debsso.rb b/modules/debian_org/lib/facter/debsso.rb
new file mode 100644
index 000000000..21c4f755e
--- /dev/null
+++ b/modules/debian_org/lib/facter/debsso.rb
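Review bot: `rescue Exception => e` in cluster.rb catches everything, including `Interrupt` and `SystemExit`, and then discards `e`, so any error raised while the facts are registered leaves no trace. `rescue StandardError => e` followed by `Facter.debug("cluster fact: #{e}")` would keep the best-effort behaviour and stay diagnosable. The rescue also covers only code that runs while the file is loaded: the two `setcode` blocks run later, and `/var/lib/ganeti/ssconf_node_list` is read there without the existence check that `ssconf_cluster_name` gets. The same silent `rescue Exception => e` wrapper appears in debsso.rb, mounts.rb, onion-services.rb and roleaccounts.rb.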
@@ -0,0 +1,19 @@
+begin
+ require 'etc'
+
+ Facter.add("debsso_skac_crl") do
+ setcode do
+ crl = nil
+ crlfile = '/srv/sso.debian.org/debsso/data/spkac_ca/ca.crl'
+ if FileTest.exist?(crlfile)
+ crl = File.open(crlfile).read
+ end
+ crl
+ end
+ end
+
+rescue Exception => e
+end
+# vim:set et:
+# vim:set ts=4:
+# vim:set shiftwidth=4:
diff --git a/modules/debian_org/lib/facter/hosts.rb b/modules/debian_org/lib/facter/hosts.rb
new file mode 100644
index 000000000..4c6cad75c
--- /dev/null
+++ b/modules/debian_org/lib/facter/hosts.rb
@@ -0,0 +1,22 @@
+Facter.add("brokenhosts") do
+ brokenhosts = true
+ if FileTest.exist?("/etc/hosts")
+ IO.foreach("/etc/hosts") do |x|
+ x.split.each do |y|
+ if y == Facter.value("fqdn")
+ brokenhosts = false
+ break
+ end
+ end
+ end
+ end
+ setcode do
+ if brokenhosts
+ true
+ else
+ false
+ end
+ end
+end
+
+
diff --git a/modules/debian_org/lib/facter/ipaddresses.rb b/modules/debian_org/lib/facter/ipaddresses.rb
new file mode 100644
index 000000000..41f44e3a1
--- /dev/null
+++ b/modules/debian_org/lib/facter/ipaddresses.rb
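Review bot: The `/etc/hosts` scan in hosts.rb splits every line into tokens without removing comments, so an fqdn that appears only in a commented-out entry or a trailing `# ...` remark still sets `brokenhosts = false`. Stripping the comment first closes that gap: `x.sub(/#.*/, '').split.each do |y|`. The scan also runs when the file is loaded rather than inside `setcode`, and `Facter.value("fqdn")` is looked up again for every token; moving the loop into `setcode` with the fqdn read once would be tidier. The final `if brokenhosts ... true ... else ... false` can simply be `brokenhosts`.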
@@ -0,0 +1,66 @@ +Facter.add("v4ips") do + confine :kernel => :linux + addrs = [] + if FileTest.exist?("/bin/ip") + %x{ip addr list}.each_line do |line| + next unless line =~ /\s+inet/ + next if line =~ /scope (link|host)/ + if line =~ /\s+inet\s+(\S+)\/\d{1,2} .*/ + addrs << $1 + end + end + end + ret = addrs.join(",") + if ret.empty? + ret = '' + end + setcode do + ret + end +end + +Facter.add("v4ips") do + confine :kernel => 'GNU/kFreeBSD' + setcode do + addrs = [] + output = %x{/sbin/ifconfig} + + output.split(/^\S/).each { |str| + if str =~ /inet ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/ + tmp = $1 + unless tmp =~ /127\./ + addrs << tmp + break + end + end + } + + ret = addrs.join(",") + if ret.empty? + ret = '' + end + ret + end +end + +Facter.add("v6ips") do + confine :kernel => :linux + addrs = [] + if FileTest.exist?("/bin/ip") + %x{ip addr list}.each_line do |line| + next unless line =~ /\s+inet/ + next if line =~ /scope (link|host)/ + if line =~ /\s+inet6\s+(\S+)\/\d{1,3} .*/ + addrs << $1 + end + end + end + ret = addrs.join(",") + if ret.empty? + ret = '' + end + setcode do + ret + end +end + diff --git a/modules/debian_org/lib/facter/lsb-for-bsd.rb b/modules/debian_org/lib/facter/lsb-for-bsd.rb new file mode 100644 index 000000000..c95d7f2eb --- /dev/null +++ b/modules/debian_org/lib/facter/lsb-for-bsd.rb @@ -0,0 +1,24 @@ +{ "LSBRelease" => %r{^LSB Version:\t(.*)$}, + "LSBDistId" => %r{^Distributor ID:\t(.*)$}, + "LSBDistRelease" => %r{^Release:\t(.*)$}, + "LSBDistDescription" => %r{^Description:\t(.*)$}, + "LSBDistCodeName" => %r{^Codename:\t(.*)$} +}.each do |fact, pattern| + Facter.add(fact) do + confine :kernel => 'GNU/kFreeBSD' + setcode do + unless defined?(lsbdata) and defined?(lsbtime) and (Time.now.to_i - lsbtime.to_i < 5) + type = nil + lsbtime = Time.now + lsbdata = Facter::Util::Resolution.exec('lsb_release -a 2>/dev/null') + end + + if pattern.match(lsbdata) + $1 + else + nil + end + end + end +end + 
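Review bot: In the GNU/kFreeBSD `v4ips` resolution, `unless tmp =~ /127\./` is unanchored, so it also drops addresses such as 10.127.0.1 (constructed example) that merely contain `127.`. Writing `unless tmp =~ /\A127\./` excludes only loopback. In the two Linux resolutions the guard tests `/bin/ip` but the command run is `%x{ip addr list}`, which is resolved through the caller's PATH. Using `%x{/bin/ip addr list}` keeps the check and the call on the same binary. Both Linux blocks also gather the addresses when the file is loaded rather than inside `setcode`, unlike the kFreeBSD block.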
diff --git a/modules/debian_org/lib/facter/mounts.rb b/modules/debian_org/lib/facter/mounts.rb
new file mode 100644
index 000000000..4cdf969a2
--- /dev/null
+++ b/modules/debian_org/lib/facter/mounts.rb
@@ -0,0 +1,21 @@
+begin
+ require 'filesystem'
+
+ Facter.add("mounts") do
+ ignorefs = ["NFS", "nfs", "nfs4", "nfsd", "afs", "binfmt_misc", "proc", "smbfs",
+ "autofs", "iso9660", "ncpfs", "coda", "devpts", "ftpfs", "devfs",
+ "mfs", "shfs", "sysfs", "cifs", "lustre_lite", "tmpfs", "usbfs", "udf",
+ "fusectl", "fuse.snapshotfs", "rpc_pipefs", "devtmpfs"]
+ mountpoints = []
+ FileSystem.mounts.each do |m|
+ if ((not ignorefs.include?(m.fstype)) && (m.options !~ /bind/))
+ mountpoints << m.mount
+ end
+ end
+ setcode do
+ mountpoints.uniq.sort.join(',')
+ end
+ end
+
+rescue Exception => e
+end
diff --git a/modules/debian_org/lib/facter/mta.rb b/modules/debian_org/lib/facter/mta.rb
new file mode 100644
index 000000000..5d2242a61
--- /dev/null
+++ b/modules/debian_org/lib/facter/mta.rb
@@ -0,0 +1,9 @@
+Facter.add("mta") do
+ setcode do
+ mta = "exim4"
+ if FileTest.exist?("/usr/sbin/postfix")
+ mta = "postfix"
+ end
+ mta
+ end
+end
diff --git a/modules/debian_org/lib/facter/onion-services.rb b/modules/debian_org/lib/facter/onion-services.rb
new file mode 100644
index 000000000..c444ec2d1
--- /dev/null
+++ b/modules/debian_org/lib/facter/onion-services.rb
@@ -0,0 +1,35 @@ +begin + require 'json' + + Facter.add("onion_tor_service_hostname") do + services = {} + + Dir['/var/lib/tor/onion/*/hostname'].each do |p| + dir = File.dirname(p) + service = File.basename(dir) + hostname = IO.read(p).chomp + services[service] = hostname + end + setcode do + services.to_json + end + end + + Facter.add("onion_balance_service_hostname") do + services = {} + + Dir['/etc/onionbalance/private_keys/*.key'].each do |p| + service = File.basename(p, '.key') + begin + services[service] = IO.popen(['/usr/local/bin/tor-onion-name', p]).read.chomp + rescue Errno::ENOENT + end + end + setcode do + services.to_json + end + end + + +rescue Exception => e +end diff --git a/modules/debian_org/lib/facter/os-for-bsd.rb b/modules/debian_org/lib/facter/os-for-bsd.rb new file mode 100644 index 000000000..77cad42ec --- /dev/null +++ b/modules/debian_org/lib/facter/os-for-bsd.rb @@ -0,0 +1,8 @@ +Facter.add(:operatingsystem) do + confine :kernel => 'GNU/kFreeBSD' + setcode do + if FileTest.exists?("/etc/debian_version") + "Debian" + end + end +end diff --git a/modules/debian_org/lib/facter/paths.rb b/modules/debian_org/lib/facter/paths.rb new file mode 100644 index 000000000..ccc4588d8 --- /dev/null +++ b/modules/debian_org/lib/facter/paths.rb @@ -0,0 +1,20 @@ + +%w{/srv/build-trees + /srv/buildd + /etc/ssh/ssh_host_ed25519_key + /srv/mirrors/debian + /srv/mirrors/debian-debug + /srv/mirrors/debian-ports + /srv/mirrors/debian-security + /dev/hwrng +}.each do |path| + Facter.add("has" + path.gsub(/[\/-]/,'_')) do + setcode do + if FileTest.exist?(path) + true + else + false + end + end + end +end diff --git a/modules/debian_org/lib/facter/raidarray.rb b/modules/debian_org/lib/facter/raidarray.rb new file mode 100644 index 000000000..5fc70e550 --- /dev/null +++ b/modules/debian_org/lib/facter/raidarray.rb 
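Review bot: `FileTest.exists?` in os-for-bsd.rb is the deprecated spelling (removed in Ruby 3.2), and it is the only fact file here that uses it; the others call `FileTest.exist?`. Changing the line to `if FileTest.exist?("/etc/debian_version")` keeps them consistent. The block yields nil when the file is absent; a one-line comment saying that this is intended, presumably so the fact stays unresolved, would help the next reader.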
@@ -0,0 +1,72 @@ +Facter.add("smartarraycontroller") do + confine :kernel => :linux + setcode do + if FileTest.exist?("/dev/cciss/") + true + elsif FileTest.exist?("/sys/module/hpsa/") + true + else + false + end + end +end + +Facter.add("ThreeWarecontroller") do + confine :kernel => :linux + setcode do + is3w = false + if FileTest.exist?("/proc/scsi/scsi") + IO.foreach("/proc/scsi/scsi") { |x| + is3w = true if x =~ /Vendor: 3ware/ + } + end + is3w + end +end + +Facter.add("megaraid") do + confine :kernel => :linux + setcode do + if FileTest.exist?("/dev/megadev0") + true + else + false + end + end +end + +Facter.add("mptraid") do + confine :kernel => :linux + setcode do + if FileTest.exist?("/dev/mptctl") or FileTest.exist?("/dev/mpt0") or FileTest.exist?("/proc/mpt/summary") + true + else + false + end + end +end + +Facter.add("aacraid") do + confine :kernel => :linux + setcode do + if FileTest.exist?("/dev/aac0") + true + else + false + end + end +end + +Facter.add("swraid") do + confine :kernel => :linux + setcode do + swraid = false + if FileTest.exist?("/proc/mdstat") && FileTest.exist?("/sbin/mdadm") + IO.foreach("/proc/mdstat") { |x| + swraid = true if x =~ /md[0-9]+ : active/ + } + end + swraid + end +end + diff --git a/modules/debian_org/lib/facter/roleaccounts.rb b/modules/debian_org/lib/facter/roleaccounts.rb new file mode 100644 index 000000000..d95dc0419 --- /dev/null +++ b/modules/debian_org/lib/facter/roleaccounts.rb 
@@ -0,0 +1,119 @@
+begin
+ require 'etc'
+
+ Facter.add("postgresql_key") do
+ setcode do
+ key = nil
+ keyfile = '/var/lib/postgresql/.ssh/id_rsa.pub'
+ if FileTest.exist?(keyfile)
+ key = File.open(keyfile).read.chomp
+ end
+ key
+ end
+ end
+
+ Facter.add("staticsync_key") do
+ setcode do
+ key = nil
+ keyfile = '/home/staticsync/.ssh/id_rsa.pub'
+ if FileTest.exist?(keyfile)
+ key = File.open(keyfile).read.chomp
+ end
+ key
+ end
+ end
+
+ Facter.add("staticsync_user_exists") do
+ setcode do
+ result = false
+ begin
+ if Etc.getpwnam('staticsync')
+ result = true
+ end
+ rescue ArgumentError
+ end
+ result
+ end
+ end
+
+
+ Facter.add("weblogsync_key") do
+ setcode do
+ key = nil
+ keyfile = '/home/weblogsync/.ssh/id_rsa.pub'
+ if FileTest.exist?(keyfile)
+ key = File.open(keyfile).read.chomp
+ end
+ key
+ end
+ end
+
+ Facter.add("weblogsync_user_exists") do
+ setcode do
+ result = false
+ begin
+ if Etc.getpwnam('weblogsync')
+ result = true
+ end
+ rescue ArgumentError
+ end
+ result
+ end
+ end
+
+
+ Facter.add("buildd_key") do
+ setcode do
+ key = nil
+ keyfile = '/home/buildd/.ssh/id_rsa.pub'
+ if FileTest.exist?(keyfile)
+ key = File.open(keyfile).read.chomp
+ end
+ key
+ end
+ end
+
+ Facter.add("buildd_user_exists") do
+ setcode do
+ result = false
+ begin
+ if Etc.getpwnam('buildd')
+ result = true
+ end
+ rescue ArgumentError
+ end
+ result
+ end
+ end
+
+ Facter.add("portforwarder_key") do
+ setcode do
+ key = nil
+ keyfile = '/home/portforwarder/.ssh/id_rsa.pub'
+ if FileTest.exist?(keyfile)
+ key = File.open(keyfile).read.chomp
+ end
+ key
+ end
+ end
+
+ Facter.add("portforwarder_user_exists") do
+ setcode do
+ result = false
+ begin
+ if Etc.getpwnam('portforwarder')
+ result = true
+ end
+ rescue ArgumentError
+ end
+ result
+ end
+ end
+
+
+
+rescue Exception => e
+end
+# vim:set et:
+# vim:set ts=4:
+# vim:set shiftwidth=4:
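Review bot: Each `*_key` fact exports the raw content of a file under the role account's home directory, and `.chomp` removes only the final newline, so a multi-line file or a line carrying extra text is passed on unchanged. Where these facts end up is not visible in this hunk; if they are written into an authorized_keys file on another host, whoever controls the role account controls that entry, so the fact should export a value only when the file holds a single well-formed public-key line. `File.open(keyfile).read` also leaves the handle open until garbage collection, which `File.read(keyfile)` avoids. The same change applies to the staticsync, weblogsync, buildd and portforwarder key facts.

```ruby
Facter.add("postgresql_key") do
  setcode do
    keyfile = '/var/lib/postgresql/.ssh/id_rsa.pub'
    key = FileTest.exist?(keyfile) ? File.read(keyfile).chomp : nil
    # export only a single well-formed RSA public-key line
    key if key =~ /\Assh-rsa [A-Za-z0-9+\/=]+( [^\r\n]*)?\z/
  end
end
# … unchanged: the *_user_exists facts …
```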
diff --git a/modules/debian_org/lib/facter/servertype.rb b/modules/debian_org/lib/facter/servertype.rb
new file mode 100644
index 000000000..21dba00b6
--- /dev/null
+++ b/modules/debian_org/lib/facter/servertype.rb
@@ -0,0 +1,9 @@
+Facter.add("kvmdomain") do
+ setcode do
+ result = false
+ if File.new('/proc/cpuinfo').read().index('QEMU Virtual CPU')
+ result = true
+ end
+ result
+ end
+end
diff --git a/modules/debian_org/lib/facter/software.rb b/modules/debian_org/lib/facter/software.rb
new file mode 100644
index 000000000..5c079129b
--- /dev/null
+++ b/modules/debian_org/lib/facter/software.rb
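Review bot: The `kvmdomain` fact opens `/proc/cpuinfo` with no `confine`, while the RAID and hardware facts in this commit are all confined to `:kernel => :linux`; on a host where that file is absent the `File.new` call raises inside `setcode`. Adding `confine :kernel => :linux` under the `Facter.add` line and reading with `File.read('/proc/cpuinfo').index('QEMU Virtual CPU')` avoids the exception and closes the handle that `File.new(...).read()` leaves open. Whether the GNU/kFreeBSD hosts this commit also handles provide a Linux-style /proc is not visible here, so the confine may change the fact's value on those hosts.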
@@ -0,0 +1,162 @@
+Facter.add("apache2") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/apache2")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("apache2deb9") do
+ setcode do
+ # jessie (deb8) has 2.4.10-.., stretch (deb9) will have 2.4.23 or later.
+ if FileTest.exist?("/usr/sbin/apache2") and system("dpkg --compare-versions $(dpkg-query -W -f='${Version}\n' apache2-bin) gt 2.4.15")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("clamd") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/clamd")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("exim4") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/exim4")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("postfix") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/postfix")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("postgres") do
+ setcode do
+ pg = (FileTest.exist?("/usr/lib/postgresql/8.1/bin/postgres") or
+ FileTest.exist?("/usr/lib/postgresql/8.3/bin/postgres") or
+ FileTest.exist?("/usr/lib/postgresql/8.4/bin/postgres") or
+ FileTest.exist?("/usr/lib/postgresql/9.0/bin/postgres") or
+ FileTest.exist?("/usr/lib/postgresql/9.1/bin/postgres") or
+ FileTest.exist?("/usr/lib/postgresql/9.2/bin/postgres"))
+ if pg
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("postgrey") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/postgrey")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("greylistd") do
+ setcode do
+ FileTest.exist?("/usr/sbin/greylistd")
+ end
+end
+Facter.add("policydweight") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/policyd-weight")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("spamd") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/spamd")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("php5") do
+ php = (FileTest.exist?("/usr/lib/apache2/modules/libphp5.so") or
+ FileTest.exist?("/usr/bin/php5") or
+ FileTest.exist?("/usr/bin/php5-cgi") or
+ FileTest.exist?("/usr/lib/cgi-bin/php5"))
+ setcode do
+ if php
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("php5suhosin") do
+ suhosin=(FileTest.exist?("/usr/lib/php5/20060613/suhosin.so") or
+ FileTest.exist?("/usr/lib/php5/20060613+lfs/suhosin.so"))
+ setcode do
+ if suhosin
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("syslogversion") do
+ setcode do
+ %x{dpkg-query -W -f='${Version}\n' syslog-ng | cut -b1-3}.chomp
+ end
+end
+Facter.add("unbound") do
+ unbound=(FileTest.exist?("/usr/sbin/unbound") and
+ FileTest.exist?("/var/lib/unbound/root.key"))
+ setcode do
+ if unbound
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("munin_async") do
+ setcode do
+ FileTest.exist?("/usr/share/munin/munin-async")
+ end
+end
+Facter.add("samhain") do
+ setcode do
+ if FileTest.exist?("/usr/sbin/samhain")
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("systemd") do
+ setcode do
+ init = '/sbin/init'
+ if File.symlink?(init) and File.readlink(init) == "/lib/systemd/systemd"
+ true
+ else
+ false
+ end
+ end
+end
+Facter.add("tor_ge_0_2_9") do
+ setcode do
+ system(%{dpkg -l tor >/dev/null 2>&1 && dpkg --compare-versions $(dpkg-query -W -f='${Version}' tor) ge 0.2.9})
+ end
+end
diff --git a/modules/debian_org/lib/facter/system-hw.rb b/modules/debian_org/lib/facter/system-hw.rb
new file mode 100644
index 000000000..262e8c518
--- /dev/null
+++ b/modules/debian_org/lib/facter/system-hw.rb
@@ -0,0 +1,21 @@
+Facter.add("systemproductname") do
+ confine :kernel => :linux
+ setcode do
+ if FileTest.exist?("/usr/sbin/dmidecode")
+ %x{/usr/sbin/dmidecode -s system-product-name}.chomp.strip
+ else
+ false
+ end
+ end
+end
+
+Facter.add("hw_can_temp_sensors") do
+ confine :kernel => :linux
+ setcode do
+ if FileTest.exist?("/sys/devices/virtual/thermal/thermal_zone0/temp")
+ true
+ else
+ false
+ end
+ end
+end
diff --git a/modules/debian_org/manifests/apt.pp b/modules/debian_org/manifests/apt.pp
new file mode 100644
index 000000000..9fc02a0b2
--- /dev/null
+++ b/modules/debian_org/manifests/apt.pp
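Review bot: The `postgres` fact in software.rb tests a fixed list of versions that stops at 9.2, while the comment on `apache2deb9` in the same hunk shows jessie and stretch hosts are in scope, and those releases ship PostgreSQL 9.4 and 9.6. On such hosts the fact is false, so anything gated on it (the site.pp change in this commit tests `$::postgres`) would be skipped without an error. Replacing the six-way `or` with `pg = !Dir.glob('/usr/lib/postgresql/*/bin/postgres').empty?` removes the need to extend the list for each release.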
@@ -0,0 +1,121 @@
+# == Class: debian_org
+#
+# Stuff common to all debian.org servers
+#
+class debian_org::apt {
+ if $::lsbmajdistrelease <= '7' {
+ $mungedcodename = $::lsbdistcodename
+ } elsif ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
+ $mungedcodename = "${::lsbdistcodename}-kfreebsd"
+ } else {
+ $mungedcodename = $::lsbdistcodename
+ }
+
+ if $::lsbmajdistrelease <= '8' {
+ $fallbackmirror = 'http://cdn-fastly.deb.debian.org/debian/'
+ } else {
+ $fallbackmirror = 'http://deb.debian.org/debian/'
+ }
+
+ if getfromhash($site::nodeinfo, 'hoster', 'mirror-debian') {
+ $mirror = [ getfromhash($site::nodeinfo, 'hoster', 'mirror-debian'), $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
+ } else {
+ $mirror = [ $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
+ }
+
+ site::aptrepo { 'debian':
+ url => $mirror,
+ suite => [ $mungedcodename, "${::lsbdistcodename}-backports", "${::lsbdistcodename}-updates" ],
+ components => ['main','contrib','non-free']
+ }
+ site::aptrepo { 'security':
+ url => [ 'http://security-cdn.debian.org/', 'http://security.anycast-test.mirrors.debian.org/debian-security/', 'http://security.debian.org/' ],
+ suite => "${mungedcodename}/updates",
+ components => ['main','contrib','non-free']
+ }
+
+ if has_role('experimental_apache') {
+ $dbdosuites = [ 'debian-all', $::lsbdistcodename, 'jessie-apache2' ]
+ } else {
+ $dbdosuites = [ 'debian-all', $::lsbdistcodename ]
+ }
+ site::aptrepo { 'db.debian.org':
+ url => 'http://db.debian.org/debian-admin',
+ suite => $dbdosuites,
+ components => 'main',
+ key => 'puppet:///modules/debian_org/db.debian.org.gpg',
+ }
+
+ if ($::hostname in [] or $::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
+ site::aptrepo { 'proposed-updates':
+ url => $mirror,
+ suite => "${mungedcodename}-proposed-updates",
+ components => ['main','contrib','non-free']
+ }
+ } else {
+ site::aptrepo { 'proposed-updates':
+ ensure => absent,
+ }
+ }
+
+ site::aptrepo { 'debian-cdn':
+ ensure => absent,
+ }
+ site::aptrepo { 'debian.org':
+ ensure => absent,
+ }
+ site::aptrepo { 'debian2':
+ ensure => absent,
+ }
+ site::aptrepo { 'backports2.debian.org':
+ ensure => absent,
+ }
+ site::aptrepo { 'backports.debian.org':
+ ensure => absent,
+ }
+ site::aptrepo { 'volatile':
+ ensure => absent,
+ }
+ site::aptrepo { 'db.debian.org-suite':
+ ensure => absent,
+ }
+ site::aptrepo { 'debian-lts':
+ ensure => absent,
+ }
+
+
+
+
+ file { '/etc/apt/trusted-keys.d':
+ ensure => absent,
+ force => true,
+ }
+
+ file { '/etc/apt/trusted.gpg':
+ mode => '0600',
+ content => "",
+ }
+
+ file { '/etc/apt/preferences':
+ source => 'puppet:///modules/debian_org/apt.preferences',
+ }
+ file { '/etc/apt/apt.conf.d/local-compression':
+ source => 'puppet:///modules/debian_org/apt.conf.d/local-compression',
+ }
+ file { '/etc/apt/apt.conf.d/local-recommends':
+ source => 'puppet:///modules/debian_org/apt.conf.d/local-recommends',
+ }
+ file { '/etc/apt/apt.conf.d/local-pdiffs':
+ source => 'puppet:///modules/debian_org/apt.conf.d/local-pdiffs',
+ }
+ file { '/etc/apt/apt.conf.d/local-langs':
+ source => 'puppet:///modules/debian_org/apt.conf.d/local-langs',
+ }
+
+ exec { 'apt-get update':
+ path => '/usr/bin:/usr/sbin:/bin:/sbin',
+ onlyif => '/usr/local/bin/check_for_updates',
+ require => File['/usr/local/bin/check_for_updates']
+ }
+ Exec['apt-get update']->Package<| tag == extra_repo |>
+}
diff --git a/modules/debian_org/manifests/init.pp b/modules/debian_org/manifests/init.pp
new file mode 100644
index 000000000..6cb629efc
--- /dev/null
+++ b/modules/debian_org/manifests/init.pp
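Review bot: `$::lsbmajdistrelease <= '7'` and `<= '8'` at the top of `debian_org::apt` compare strings, and string ordering puts '10' before '7', so a host on release 10 would take both branches and get the older fallback mirror. A version comparison avoids that: `if versioncmp($::lsbmajdistrelease, '7') <= 0 {`, and likewise for '8'. The same quoted comparison appears in init.pp (`>= '8'`, which selects the ruby filesystem package) and in dsa-puppet-stuff.cron.erb (`@lsbmajdistrelease <= '7'`). In the cron template a release-10 host would get the `puppetd` line, and if /usr/sbin/puppetd is absent there the `-x` guard would keep the agent from running from cron at all.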
@@ -0,0 +1,304 @@
+# == Class: debian_org
+#
+# Stuff common to all debian.org servers
+#
+class debian_org {
+ include debian_org::apt
+
+ if $systemd {
+ include systemd
+ $servicefiles = 'present'
+ } else {
+ $servicefiles = 'absent'
+ }
+
+ $debianadmin = [
+ 'debian-archive-debian-samhain-reports@master.debian.org',
+ 'debian-admin@ftbfs.de',
+ 'weasel@debian.org',
+ 'steve@lobefin.net',
+ 'zumbi@oron.es'
+ ]
+
+ package { [
+ 'klogd',
+ 'sysklogd',
+ 'rsyslog',
+ 'os-prober',
+ 'apt-listchanges',
+ ]:
+ ensure => purged,
+ }
+ package { [
+ 'debian.org',
+ 'dsa-munin-plugins',
+ ]:
+ ensure => installed,
+ tag => extra_repo,
+ }
+ file { '/etc/ssh/ssh_known_hosts':
+ ensure => present,
+ replace => false,
+ mode => '0644',
+ source => 'puppet:///modules/debian_org/basic-ssh_known_hosts'
+ }
+
+ if ($::lsbmajdistrelease >= '8') {
+ $rubyfs_package = 'ruby-filesystem'
+ } else {
+ $rubyfs_package = 'libfilesystem-ruby1.9'
+ }
+ package { [
+ 'apt-utils',
+ 'bash-completion',
+ 'dnsutils',
+ 'less',
+ 'lsb-release',
+ $rubyfs_package,
+ 'mtr-tiny',
+ 'nload',
+ 'pciutils',
+ 'lldpd',
+ ]:
+ ensure => installed,
+ }
+
+ munin::check { [
+ 'cpu',
+ 'entropy',
+ 'forks',
+ 'interrupts',
+ 'iostat',
+ 'irqstats',
+ 'load',
+ 'memory',
+ 'open_files',
+ 'open_inodes',
+ 'processes',
+ 'swap',
+ 'uptime',
+ 'vmstat',
+ ]:
+ }
+
+ if getfromhash($site::nodeinfo, 'broken-rtc') {
+ package { 'fake-hwclock':
+ ensure => installed,
+ tag => extra_repo,
+ }
+ }
+
+ package { 'molly-guard':
+ ensure => installed,
+ }
+ file { '/etc/molly-guard/run.d/10-check-kvm':
+ mode => '0755',
+ source => 'puppet:///modules/debian_org/molly-guard/10-check-kvm',
+ require => Package['molly-guard'],
+ }
+ file { '/etc/molly-guard/run.d/15-acquire-reboot-lock':
+ mode => '0755',
+ source => 'puppet:///modules/debian_org/molly-guard/15-acquire-reboot-lock',
+ require => Package['molly-guard'],
+ }
+
+ augeas { 'inittab_replicate':
+ context => '/files/etc/inittab',
+ changes => [
+ 'set ud/runlevels 2345',
+ 'set ud/action respawn',
+ 'set ud/process "/usr/bin/ud-replicated -d"',
+ ],
+ notify => Exec['init q'],
+ }
+
+
+ file { '/etc/facter':
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ source => 'puppet:///files/empty/',
+ }
+ file { '/etc/facter/facts.d':
+ ensure => directory,
+ }
+ file { '/etc/facter/facts.d/debian_facts.yaml':
+ content => template('debian_org/debian_facts.yaml.erb')
+ }
+ file { '/etc/timezone':
+ source => 'puppet:///modules/debian_org/timezone',
+ notify => Exec['dpkg-reconfigure tzdata -pcritical -fnoninteractive'],
+ }
+ if $::hostname == handel {
+ include puppetmaster::db
+ $dbpassword = $puppetmaster::db::password
+ }
+ file { '/etc/puppet/puppet.conf':
+ content => template('debian_org/puppet.conf.erb'),
+ mode => 0440,
+ group => 'puppet',
+ }
+ file { '/etc/default/puppet':
+ source => 'puppet:///modules/debian_org/puppet.default',
+ }
+ file { '/etc/systemd':
+ ensure => directory,
+ mode => 0755,
+ }
+ file { '/etc/systemd/system':
+ ensure => directory,
+ mode => 0755,
+ }
+ file { '/etc/systemd/system/ud-replicated.service':
+ ensure => $servicefiles,
+ source => 'puppet:///modules/debian_org/ud-replicated.service',
+ notify => Exec['systemctl daemon-reload'],
+ }
+ if $systemd {
+ file { '/etc/systemd/system/multi-user.target.wants/ud-replicated.service':
+ ensure => 'link',
+ target => '../ud-replicated.service',
+ notify => Exec['systemctl daemon-reload'],
+ }
+ }
+ file { '/etc/systemd/system/puppet.service':
+ ensure => 'link',
+ target => '/dev/null',
+ notify => Exec['systemctl daemon-reload'],
+ }
+ file { '/etc/systemd/system/proc-sys-fs-binfmt_misc.automount':
+ ensure => 'link',
+ target => '/dev/null',
+ notify => Exec['systemctl daemon-reload'],
+ }
+
+ file { '/etc/cron.d/dsa-puppet-stuff':
+ content => template('debian_org/dsa-puppet-stuff.cron.erb'),
+ require => Package['debian.org'],
+ }
+ file { '/etc/ldap/ldap.conf':
+ require => Package['debian.org'],
+ content => template('debian_org/ldap.conf.erb'),
+ }
+ file { '/etc/pam.d/common-session':
+ require => Package['debian.org'],
+ content => template('debian_org/pam.common-session.erb'),
+ }
+ file { '/etc/pam.d/common-session-noninteractive':
+ require => Package['debian.org'],
+ content => template('debian_org/pam.common-session-noninteractive.erb'),
+ }
+ file { '/etc/rc.local':
+ mode => '0755',
+ content => template('debian_org/rc.local.erb'),
+ notify => Exec['service rc.local restart'],
+ }
+ file { '/etc/dsa':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/dsa/cron.ignore.dsa-puppet-stuff':
+ source => 'puppet:///modules/debian_org/dsa-puppet-stuff.cron.ignore',
+ require => Package['debian.org']
+ }
+ file { '/etc/nsswitch.conf':
+ mode => '0755',
+ source => 'puppet:///modules/debian_org/nsswitch.conf',
+ }
+
+ file { '/etc/profile.d/timeout.sh':
+ mode => '0555',
+ source => 'puppet:///modules/debian_org/etc.profile.d/timeout.sh',
+ }
+ file { '/etc/zsh':
+ ensure => directory,
+ }
+ file { '/etc/zsh/zprofile':
+ mode => '0444',
+ source => 'puppet:///modules/debian_org/etc.zsh/zprofile',
+ }
+
+ # set mmap_min_addr to 4096 to mitigate
+ # Linux NULL-pointer dereference exploits
+ site::sysctl { 'mmap_min_addr':
+ ensure => absent
+ }
+ site::sysctl { 'perf_event_paranoid':
+ key => 'kernel.perf_event_paranoid',
+ value => '2',
+ }
+ site::sysctl { 'puppet-vfs_cache_pressure':
+ key => 'vm.vfs_cache_pressure',
+ value => '10',
+ }
+ site::alternative { 'editor':
+ linkto => '/usr/bin/vim.basic',
+ }
+ site::alternative { 'view':
+ linkto => '/usr/bin/vim.basic',
+ }
+ mailalias { 'samhain-reports':
+ ensure => present,
+ recipient => $debianadmin,
+ require => Package['debian.org']
+ }
+
+ file { '/usr/local/bin/check_for_updates':
+ source => 'puppet:///modules/debian_org/check_for_updates',
+ mode => '0755',
+ owner => root,
+ group => root,
+ }
+
+ exec { 'dpkg-reconfigure tzdata -pcritical -fnoninteractive':
+ path => '/usr/bin:/usr/sbin:/bin:/sbin',
+ refreshonly => true
+ }
+ exec { 'service puppetmaster restart':
+ refreshonly => true
+ }
+ exec { 'service rc.local restart':
+ refreshonly => true
+ }
+ exec { 'init q':
+ refreshonly => true
+ }
+
+ exec { 'systemctl daemon-reload':
+ refreshonly => true,
+ onlyif => "test -x /bin/systemctl"
+ }
+
+ exec { 'systemd-tmpfiles --create --exclude-prefix=/dev':
+ refreshonly => true,
+ onlyif => "test -x /bin/systemd-tmpfiles"
+ }
+
+ tidy { '/var/lib/puppet/clientbucket/':
+ age => '2w',
+ recurse => 9,
+ type => ctime,
+ matches => [ 'paths', 'contents' ],
+ schedule => weekly
+ }
+
+ file { '/root/.bashrc':
+ source => 'puppet:///modules/debian_org/root-dotfiles/bashrc',
+ }
+ file { '/root/.profile':
+ source => 'puppet:///modules/debian_org/root-dotfiles/profile',
+ }
+ file { '/root/.selected_editor':
+ source => 'puppet:///modules/debian_org/root-dotfiles/selected_editor',
+ }
+ file { '/root/.screenrc':
+ source => 'puppet:///modules/debian_org/root-dotfiles/screenrc',
+ }
+ file { '/root/.tmux.conf':
+ source => 'puppet:///modules/debian_org/root-dotfiles/tmux.conf',
+ }
+ file { '/root/.vimrc':
+ source => 'puppet:///modules/debian_org/root-dotfiles/vimrc',
+ }
+}
diff --git a/modules/debian_org/manifests/radvd.pp b/modules/debian_org/manifests/radvd.pp
new file mode 100644
index 000000000..b9eeb8088
--- /dev/null
+++ b/modules/debian_org/manifests/radvd.pp
@@ -0,0 +1,10 @@
+class debian-org::radvd {
+ site::sysctl { 'dsa-accept-ra-default':
+ key => 'net.ipv6.conf.default.accept_ra',
+ value => 0,
+ }
+ site::sysctl { 'dsa-accept-ra-all':
+ key => 'net.ipv6.conf.all.accept_ra',
+ value => 0,
+ }
+}
diff --git a/modules/debian_org/misc/hoster.yaml b/modules/debian_org/misc/hoster.yaml
new file mode 100644
index 000000000..7917dda6d
--- /dev/null
+++ b/modules/debian_org/misc/hoster.yaml
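Review bot: Three `file` resources in init.pp still pass the mode as a bare number: `mode => 0440` on /etc/puppet/puppet.conf and `mode => 0755` on /etc/systemd and /etc/systemd/system, while the rest of the class quotes it. Puppet 4 reads a bare `0440` as an octal integer and the file type expects the mode as a string, so these should be `mode => '0440',` and `mode => '0755',`. puppet.conf is the one to check first, since on handel the class sets `$dbpassword` just before rendering its template, which suggests the rendered file may hold a credential. Separately, the comment above `site::sysctl { 'mmap_min_addr':` says the value is set to 4096 while the resource is `ensure => absent`, so the comment should say the local override is being removed.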
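Review bot: radvd.pp still declares `class debian-org::radvd {` although the file now lives under modules/debian_org and site.pp in this commit includes `debian_org::radvd`. The autoloader will not find a class of the included name in this file, and Puppet 4 does not accept hyphens in class names, so the include on geo3 and wieck would fail; the first line should read `class debian_org::radvd {`. The two `accept_ra` values are also bare `0` where the `site::sysctl` resources in init.pp pass quoted strings, which is worth making consistent if `site::sysctl` expects a string.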
@@ -0,0 +1,163 @@ +--- +1und1-sec: + netrange: + - 195.20.242.64/26 + - 212.227.126.32/27 + - 2001:8d8:2:1::/64 +accumu: + netrange: + - 130.236.0.0/14 + - 2001:06B0:000E::/48 +aql: + netrange: + - 141.170.6.144/28 + mirror-debian: http://ftp.uk.debian.org/debian/ +arm: + netrange: + - 217.140.96.0/22 + entropy_provider_hoster: sil + mirror-debian: http://mirror.bytemark.co.uk/debian/ +brown: + netrange: + - 138.16.160.0/24 + # all hosts have their own recursor + #mirror-debian: file:///srv/ftp-master.debian.org/mirror/ftp-master/ + mirror-debian: http://ftp.us.debian.org/debian +br: + # rename to c3sl + # University Federal do Parana (.br) + netrange: + - 200.17.192.0/19 +bytemark: + netrange: + - 5.153.231.0/24 + - 89.16.160.112/29 + - 2001:41c8:1000::/48 + - 2001:41c8:61::/125 + mirror-debian: http://mirror.bm.debian.org/debian +carnet: + netrange: + - 193.198.0.0/16 +anu: + netrange: + - 150.203.164.0/24 + - 2001:388:1034:2900::/64 + #mirror-debian: http://mirror.linux.org.au/debian + #mirror-debian: http://ftp.au.debian.org/debian +conova: + netrange: + - 217.196.149.224/28 + mirror-debian: http://mirror.netcologne.de/debian/ +csail: + netrange: + - 128.31.0.0/24 + mirror-debian: http://debian.csail.mit.edu/debian/ +dgi: + netrange: + - 93.94.130.128/26 +freenet: + netrange: + - 62.104.0.0/16 +gatech: + netrange: + - 128.61.240.0/23 + mirror-debian: http://debian.gtisc.gatech.edu/debian/ +grnet: + netrange: + - 194.177.211.192/27 + - 2001:648:2ffc:deb::/64 + mirror-debian: http://ftp.gr.debian.org/debian/ +helsinki: + netrange: + - 193.167.160.0/23 + # all hosts have their own recursor +isc: + netrange: + - 149.20.0.0/16 + - 2001:4F8::/32 +uni-karlsruhe: + # rename to karlsruhe + netrange: + - 129.143.160.0/29 + - 2001:7c0:400:1337::/64 + mirror-debian: http://ftp-stud.hs-esslingen.de/debian/ +linaro: + netrange: + - 64.28.108.83/32 + - 64.28.108.84/32 + - 64.28.108.85/32 + mirror-debian: http://ftp.us.debian.org/debian/ +'man-da': + netrange: + - 
82.195.75.64/26 + - 2001:41b8:202:deb::/64 + #mirror-debian: http://debian.netcologne.de/debian/ [currently unstable] + mirror-debian: http://ftp.de.debian.org/debian/ +leaseweb: + netrange: + - 185.17.185.176/28 + #mirror-debian: http://mirror.nl.leaseweb.net/debian/ +marist: + netrange: + - 148.100.0.0/16 + mirror-debian: http://ftp.us.debian.org/debian/ +osuosl: + netrange: + - 140.211.0.0/16 + mirror-debian: http://debian.osuosl.org/debian +sakura: + netrange: + - 133.242.99.74/32 +sanger: + netrange: + - 193.62.202.24/29 + #resolvoptions: [single-request] + mirror-debian: http://mirror.bytemark.co.uk/debian/ +scanplus: + netrange: + - 212.211.132.0/26 + - 212.211.132.248/29 + - 2001:a78::/64 +sil: + netrange: + - 86.59.118.144/28 + - 2001:858:2:2::/64 + mirror-debian: http://ftp.at.debian.org/debian/ +ubc: + netrange: + - 209.87.16.0/24 + - 2607:F8F0:614:1::/64 + # old range: + - 206.12.19.0/24 + - 2607:f8f0:610:4000::/64 + mirror-debian: http://mirror-ubc.debian.org/debian/ +ugent: + netrange: + - 157.193.0.0/16 +umn: + netrange: + - 128.101.240.212 +unicamp: + netrange: + - 177.220.0.0/17 + mirror-debian: http://ftp.br.debian.org/debian/ +utwente: + netrange: + - 130.89.0.0/16 + - 2001:0610:1908::/48 + # broken with dnssec +xs4all: + # should be deleted + netrange: + - 194.109.137.216/29 + - 2001:888:2000:12::/64 +ynic: + netrange: + - 144.32.168.64/28 + mirror-debian: http://ftp.uk.debian.org/debian +zivit: + netrange: + - 80.245.144.0/22 + mirror-debian: http://debian.netcologne.de/debian/ + +# vim:set et sts=2 ts=2 sw=2: diff --git a/modules/debian_org/misc/local.yaml b/modules/debian_org/misc/local.yaml new file mode 100644 index 000000000..8aec03557 --- /dev/null +++ b/modules/debian_org/misc/local.yaml 
@@ -0,0 +1,240 @@ +--- +nameinfo: + aagaard.debian.org: Thorvald Aagaard (June 8th, 1877 - March 22nd, 1937) + abel.debian.org: Carl Friedrich Abel (1723 - 1787) + acker.debian.org: Dieter Acker (November 3rd, 1940 - May 27th, 2006) + adayevskaya.debian.org: Ella Georgiyevna Adayevskaya (February, 22nd 1846 [O.S. February 10th] - July 26th, 1926) + antheil.debian.org: George Antheil (1900 - 1959) + arnold.debian.org: Malcolm Henry Arnold (1921 - 2006) + asachi.debian.org: Elena Asachi (1789 - 1877) + barriere.debian.org: Jean-Baptiste Barrière (May 2nd, 1707 - June 6th, 1747) + beach.debian.org: Amy Marcy Cheney Beach (September 5th, 1867 - December 27th, 1944) + beethoven.debian.org: Ludwig van Beethoven (December 16th, 1770 - March 26th, 1827) + bendel.debian.org: Franz Bendel (March 23rd, 1833 - July 3rd, 1874) + binet.debian.org: Jocelyne Binet (September 27th, 1923 - January 13th, 1968) + boott.debian.org: Francis Boott (June 24th, 1813 - March 1st, 1904) + busoni.debian.org: Ferruccio Dante Michelangiolo Benvenuto Busoni (April 1st, 1866 - July 27th, 1924) + buxtehude.debian.org: Dieterich Buxtehude (c. 1637 to 1639 - May 9th, 1707) + byrd.debian.org: William Byrd (1543 - July 4th, 1623) + casulana.debian.org: Maddalena Casulana (c. 1544 - c. 1590) + clementi.debian.org: Muzio Clementi (January 23rd, 1752 - March 10th, 1832) + coccia.debian.org: Maria Rosa Coccia (January 4th, 1759 - November 1833) + czerny.debian.org: Carl Czerny (February 21st, 1791 - July 15th, 1857) + danzi.debian.org: Franz Ignaz Danzi (June 15th, 1763 - April 13th, 1826) + delfin.debian.org: Carmelina Delfin (c. 
1900 - after 1948) + diabelli.debian.org: Anton Diabelli (September 5th, 1781 - April 7th, 1858) + dinis.debian.org: Dinis of Portugal (October 9th, 1261 - January 7th, 1325) + dillon.debian.org: Fannie Charles Dillon (March 16th, 1881 - February 21st, 1947) + donizetti.debian.org: Gaetano Donizetti (November 29th, 1797 - April 8th, 1848) + draghi.debian.org: Antonio Draghi (1635 - January 16th, 1700) + eberlin.debian.org: Johann Ernst Eberlin (March 1702 27th - June 19th, 1762) + eller.debian.org: Heino Eller (March 7th, 1887 - June 16th, 1970) + elgar.debian.org: Edward Elgar (1857 - 1934) + falla.debian.org: Manuel de Falla y Matheu (November 23rd, 1876 - November 14th, 1946) + fano.debian.org: Guido Alberto Fano (March 18th, 1875 - August 14th, 1961) + fasolo.debian.org: Giovanni Battista Fasolo, O.F.M. (ca. 1598 - after 1664) + fayrfax.debian.org: Robert Fayrfax (April 23rd, 1464 - October 24th, 1521) + fils.debian.org: Anton Fils (September 22nd, 1733 (baptized) - March 14th, 1760 (buried)) + finzi.debian.org: Gerald Raphael Finzi (July 14th, 1901 - September 27th, 1956) + fischer.debian.org: Johann Caspar Ferdinand Fischer (September 9th, 1656 - August 27th, 1746) + gideon.debian.org: Miriam Gideon (October 23rd, 1906 - June 18th, 1996) + gigault.debian.org: Nicolas Gigault (ca. 1627 - August 20th, 1707) + gombert.debian.org: Nicolas Gombert (c. 1495 - c. 
1560) + gretchaninov: Alexander Tikhonovich Gretchaninov (October 25th, 1864 - January 3rd, 1956) + handel.debian.org: Georg Friedrich Händel (February 23rd, 1685 - April 14th, 1759) + harris.debian.org: Sir William Henry Harris (March 28th, 1883 - September 6th, 1973) + hartmann.debian.org: Karl Amadeus Hartmann (August 2nd, 1905 - December 5th, 1963) + hasse.debian.org: Johann Adolph Hasse (March 25th, 1699 - December 16th, 1783) + henze.debian.org: Hans Werner Henze (July 1st, 1926 - October 27th, 2012) + hoiby.debian.org: Lee Henry Hoiby (February 17th, 1926 - March 28th, 2011) + jerea.debian.org: Hilda Jerea (March 17th, 1916 - May 14th, 1980) + kaufmann.debian.org: Georg Friedrich Kauffmann (February 14th, 1679 - February 27th, 1735) + klecker.debian.org: Dedicated to Joel 'Espy' Klecker (1979 - July 11th, 2000) + lindsay.debian.org: Maria Lindsay Bliss (May 15th, 1827 - April 3rd, 1898) + lotti.debian.org: Antonio Lotti (ca. 1667 - January 5th, 1740) + lully.debian.org: Jean-Baptiste de Lully (November 28th, 1632 - March 22nd, 1687) + mailly.debian.org: Alphonse Jean Ernest Mailly (November 27th, 1833 - January 10th, 1918) + melartin.debian.org: Erkki Melartin (February 7th, 1875 - February 14th, 1937) + menotti.debian.org: Gian Carlo Menotti (July 7th, 1911 - February 1st, 2007) + manziarly.debian.org: Marcelle de Manziarly (October 1st/13th, 1899 - May 12th, 1989) + mekeel.debian.org: Joyce Mekeel (July 6th, 1931 - Dec 29th, 1997) + milanollo.debian.org: Teresa Milanollo (August 28th, 1827 - October 25th, 1904) + minkus.debian.org: Ludwig Minkus (March 23rd 1826 - December 7th, 1917) + muffat.debian.org: George Muffat (June 1st, 1653 - February 23rd, 1704) + nono.debian.org: Luigi Nono (January 29th, 1924 - May 8th, 1990) + olin.debian.org: Elisabeth Olin (December 1740 - March 26th, 1828) + paradis.debian.org: Maria Theresia Paradis (May 15th, 1759 - February 1st, 1824) + partch.debian.org: Harry Partch (June 24th, 1901 - September 3rd, 1974) + pejacevic: 
Dora Pejačević (September 10th, 1885 - March 5th, 1923) + petrova.debian.org: Mara Petrova (May 15th, 1921 - June 7th. 1997) + pettersson.debian.org: Gustav Allan Pettersson (September 19th, 1911 - June 20th, 1980) + philp.debian.org: Elizabeth Philp (1827 - November 26th, 1885) + picconi.debian.org: Maria Antonietta Picconi (September 23rd, 1869 - 1926) + pieta.debian.org: Michielina della Pietà (fl. ca. 1700 - 1744) + pinel.debian.org: Julie Pinel (fl. 1710 - 1737) + pizzetti.debian.org: Ildebrando Pizzetti (20 September 1880 - 13 February 1968) + plummer.debian.org: John Plummer (c. 1410 - c. 1483) + porpora.debian.org: Niccolò (Antonio) Porpora (17 August 1686 - 3 March 1768) + porta.debian.org: Giovanni Porta (c. 1675 - 21 June 1755) + praetorius.debian.org: Hieronymus Praetorius (August 10th, 1560 - January 27th, 1629) + prokofiev.debian.org: Sergei Sergeyevich Prokofiev (April 27th, 1891 - March 5th, 1953) + quantz.debian.org: Johann Joachim Quantz (January 30th, 1697 - July 12th, 1773) + rachmaninoff: Sergei Vasilievich Rachmaninoff (1 April 1873 - 28 March 1943) + rainier.debian.org: Ivy Priaulx Rainier (February 3rd, 1903 - October 10th, 1986) + rapoport.debian.org: Eda Rothstein Rapoport (December 25th, 1890 - May 9th, 1968) + reger.debian.org: Johann Baptist Joseph Maximilian Reger (March 19th, 1873 - May 11th, 1916) + respighi.debian.org: Elsa Respighi (née Olivieri-Sangiacomo) (March 24th, 1894 - March 17th, 1996) + sallinen.debian.org: Aulis Sallinen (born April 9, 1935) + santoro.debian.org: Cláudio Santoro (November 23rd, 1919 - March 27th, 1989) + schumann.debian.org: Robert Alexander Schumann (June 8th, 1810 - July 29th, 1856) + sechter.debian.org: Simon Sechter (October 11th, 1788 - September 10th, 1867) + seger.debian.org: Josef Seger (March 21st, 1716 - April 22nd, 1782) + senfter.debian.org: Johanna Senfter (November, 27th, 1879 - August 11th, 1961) + setoguchi.debian.org: 瀬戸口藤吉, Tokichi Setoguchi (June 28th, 1868 - November 8th, 1941) + 
sibelius.debian.org: Jean Sibelius (December 8th, 1865 - September 20th, 1957) + smetana.debian.org: Bedřich Smetana (March 2nd, 1824 - May 12th, 1884) + sonntag.debian.org: Brunhilde Sonntag (September 27th, 1936 - December 18th, 2002) + sor.debian.org: Fernando Sor (February 14th, 1778 - July 10th, 1839) + soriano.debian.org: Francesco Soriano (1548 or 1549 - July 19th, 1621) + stockhausen.debian.org: Karlheinz Stockhausen (August 22nd, 1928 - December 5th, 2007) + storace.debian.org: Stephen Storace (April 4th, 1762 - March 19th, 1796) + spontini.debian.org: Gaspare Luigi Pacifico Spontini (November 14th, 1774 - January 24th, 1851) + tate.debian.org: Phyllis Tate (April 6th, 1911 - May 29th, 1987) + tchaikovsky.debian.org: Pyotr Ilyich Tchaikovsky (Пётр Ильич Чайковский) (May 7th, 1840 - November 6th, 1893) + ticharich.debian.org: Zdenka Ticharich (September 26th, 1900 - February 15th, 1979) + tye.debian.org: Christopher Tye (c.1505 - 1573) + ullmann.debian.org: Viktor Ullmann (January 1st, 1898 - October 17th, 1944) + usper.debian.org: Francesco Usper (November 1st, 1561 - February 24th, 1641) + vento.debian.org: Ivo de Vento (1543/1545 - 1575) + vittoria.debian.org: Tomás Luis da Vittoria (ca. 
1548 - August 27th, 1611) + vogler.debian.org: Georg Joseph Vogler (June 15th, 1749 - May 6th, 1814) + wieck.debian.org: Clara Josephine Wieck (September 13th, 1819 - May 20th, 1896) + wilder.debian.org: Alec Wilder (February 16th, 1907 - December 24th, 1980) + wolkenstein.debian.org: Oswald von Wolkenstein (1377 - August 2nd, 1445) + wuiet.debian.org: Caroline Wuiet (1766 - 1835) + zandonai.debian.org: Riccardo Zandonai (May 30th, 1883 - June 5th, 1944) + zani.debian.org: Andrea Teodoro Zani (November 11th, 1696 - September 28th, 1757) + zelenka.debian.org: Jan Dismas Zelenka (October 16th, 1679 - December 23rd, 1745) + zemlinsky.debian.org: Alexander von Zemlinsky (October 14th, 1871 - March 15th 1942) +footer: + dummy: foo + #zandonai.debian.org: "Debian s390 buildd system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]" + #zelenka.debian.org: "Debian s390 porter system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]" +host_settings: + heavy_exim: + # mail front-ends + - mailly.debian.org + - muffat.debian.org + # other mail receivers + - buxtehude.debian.org + - draghi.debian.org + - master.debian.org + - nono.debian.org + - picconi.debian.org + - pinel.debian.org + - quantz.debian.org + - reger.debian.org + - tye.debian.org + - vento.debian.org + - wuiet.debian.org + not-bacula-client: + # porterbox + - abel.debian.org + - asachi.debian.org + - barriere.debian.org + - binet.debian.org + - eller.debian.org + - falla.debian.org + - fischer.debian.org + - harris.debian.org + - minkus.debian.org + - partch.debian.org + - pizzetti.debian.org + - plummer.debian.org + - smetana.debian.org + - zelenka.debian.org + # buildd + - antheil.debian.org + - arm-arm-01.debian.org + - arm-arm-02.debian.org + - arm-arm-03.debian.org + - arm-arm-04.debian.org + - arm-conova-01.debian.org + - arm-conova-02.debian.org + - arm-conova-03.debian.org + - arm-conova-04.debian.org + - 
arm-linaro-01.debian.org + - arm-linaro-03.debian.org + - arnold.debian.org + - eberlin.debian.org + - fano.debian.org + - fayrfax.debian.org + - fils.debian.org + - finzi.debian.org + - hartmann.debian.org + - hasse.debian.org + - henze.debian.org + - hoiby.debian.org + - mips-aql-01.debian.org + - mips-aql-02.debian.org + - mips-aql-04.debian.org + - mips-aql-05.debian.org + - mips-aql-06.debian.org + - mips-sil-01.debian.org + - mips-manda-01.debian.org + - mipsel-aql-01.debian.org + - mipsel-aql-02.debian.org + - mipsel-aql-03.debian.org + - mipsel-manda-01.debian.org + - mipsel-manda-02.debian.org + - mipsel-manda-03.debian.org + - mipsel-sil-01.debian.org + - porpora.debian.org + - powerpc-osuosl-01.debian.org + - powerpc-unicamp-01.debian.org + - ppc64el-osuosl-01.debian.org + - ppc64el-unicamp-01.debian.org + - praetorius.debian.org + - spontini.debian.org + - x86-grnet-01.debian.org + - zandonai.debian.org + - zani.debian.org + - zemlinsky.debian.org + - x86-bm-01.debian.org + - x86-csail-01.debian.org + - x86-csail-02.debian.org + - x86-ubc-01.debian.org + broken-rtc: + - abel.debian.org + - antheil.debian.org + - arm-arm-01.debian.org + - arm-arm-02.debian.org + - arm-arm-03.debian.org + - arnold.debian.org + - eller.debian.org + - harris.debian.org + - hasse.debian.org + - henze.debian.org + - hoiby.debian.org + - mips-aql-01.debian.org + - mips-aql-02.debian.org + - mips-aql-04.debian.org + - mips-aql-05.debian.org + - mips-aql-06.debian.org + - mips-manda-01.debian.org + - mips-sil-01.debian.org + - mipsel-aql-03.debian.org + - mipsel-manda-03.debian.org + - mipsel-sil-01.debian.org + mail_port: + klecker.debian.org: 2025 + zani.debian.org: 587 + no_munin: + - fano.debian.org + entropy_key: + - czerny.debian.org + - grnet-node01.debian.org + # - ubc-bl2.debian.org + - storace.debian.org + buildd_master: + - wuiet.debian.org 
diff --git a/modules/debian_org/templates/debian_facts.yaml.erb b/modules/debian_org/templates/debian_facts.yaml.erb
new file mode 100644
index 000000000..2dcf7961f
--- /dev/null
+++ b/modules/debian_org/templates/debian_facts.yaml.erb
@@ -0,0 +1,2 @@
+---
+hoster: <%= scope.lookupvar('site::nodeinfo')['hoster']['name'] %>
diff --git a/modules/debian_org/templates/dsa-puppet-stuff.cron.erb b/modules/debian_org/templates/dsa-puppet-stuff.cron.erb
new file mode 100644
index 000000000..48fab729d
--- /dev/null
+++ b/modules/debian_org/templates/dsa-puppet-stuff.cron.erb
@@ -0,0 +1,20 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+SHELL=/bin/bash
+@hourly root [ ! -d /var/cache/dsa ] || touch /var/cache/dsa/cron.alive
+<% if @lsbmajdistrelease <= '7' -%>
+34 */4 * * * root if [ -x /usr/sbin/puppetd ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/sbin/puppetd -o --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
+<% else -%>
+34 */4 * * * root if [ -x /usr/bin/puppet ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/bin/puppet agent --onetime --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
+<% end -%>
+
+@hourly root sleep $(( $RANDOM \% 300 )); if [ -x /usr/lib/nagios/plugins/dsa-check-stunnel-sanity ] && [ -e /etc/stunnel/puppet-ekeyd.conf ] && ! /usr/lib/nagios/plugins/dsa-check-stunnel-sanity > /dev/null && grep -q '^client = yes' /etc/stunnel/puppet-ekeyd.conf; then /usr/sbin/service stunnel4 restart > /dev/null; fi
+
+@daily munin-async [ -d /var/lib/munin-async ] && find /var/lib/munin-async -maxdepth 1 -type f -mtime +30 -delete
+
+@daily root [ -d /var/lib/puppet/clientbucket ] && find /var/lib/puppet/clientbucket -type f -mtime +60 -delete && find /var/lib/puppet/clientbucket -type d -empty -delete
+
+@hourly root ! [ -x /usr/local/sbin/ntp-restart-if-required ] || /usr/local/sbin/ntp-restart-if-required
diff --git a/modules/debian_org/templates/ldap.conf.erb b/modules/debian_org/templates/ldap.conf.erb
new file mode 100644
index 000000000..b3f514b70
--- /dev/null
+++ b/modules/debian_org/templates/ldap.conf.erb
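Review bot: The ERB guard `<% if @lsbmajdistrelease <= '7' -%>` compares two strings, and Ruby orders strings character by character, so a major release of '10' or later sorts below '7' and selects the `/usr/sbin/puppetd` branch. That branch is wrapped in `[ -x /usr/sbin/puppetd ]`, so on a host where that binary is absent the job exits quietly and the machine stops pulling configuration, including any firewall or PAM changes, with nothing in the cron output to show it. Comparing as integers avoids the trap: `<% if @lsbmajdistrelease.to_i <= 7 -%>`.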
@@ -0,0 +1,24 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+URI ldap://db.debian.org
+BASE dc=debian,dc=org
+
+TLS_CACERT /etc/ssl/ca-debian/ca-certificates.crt
+TLS_REQCERT hard
diff --git a/modules/debian_org/templates/pam.common-session-noninteractive.erb b/modules/debian_org/templates/pam.common-session-noninteractive.erb
new file mode 100644
index 000000000..3b078a335
--- /dev/null
+++ b/modules/debian_org/templates/pam.common-session-noninteractive.erb
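Review bot: `TLS_CACERT` and `TLS_REQCERT hard` only take effect once a TLS session is being negotiated, while `URI ldap://db.debian.org` is the plaintext scheme, so certificate checking and encryption depend on every client asking for StartTLS. Whether the consumers of this file do that is not visible in this hunk. A comment beside the URI would record the expectation, for example `# ldap:// relies on StartTLS; clients must request it (e.g. ldapsearch -ZZ) or the session is unencrypted`.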
@@ -0,0 +1,30 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+# end of pam-auth-update config
diff --git a/modules/debian_org/templates/pam.common-session.erb b/modules/debian_org/templates/pam.common-session.erb
new file mode 100644
index 000000000..3a24bb790
--- /dev/null
+++ b/modules/debian_org/templates/pam.common-session.erb
@@ -0,0 +1,34 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+# end of pam-auth-update config
+session [success=1 default=ignore] pam_succeed_if.so quiet_fail quiet_success home = /nonexistent
+session optional pam_mkhomedir.so skel=/etc/skel umask=0022
+session optional pam_systemd.so
+session optional pam_permit.so
diff --git a/modules/debian_org/templates/puppet.conf.erb b/modules/debian_org/templates/puppet.conf.erb
new file mode 100644
index 000000000..4f6c659d6
--- /dev/null
+++ b/modules/debian_org/templates/puppet.conf.erb
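Review bot: The line `session optional pam_mkhomedir.so skel=/etc/skel umask=0022` creates each new home directory readable and listable by every other local account. On shared login hosts that exposes whatever a user drops into a fresh home before tightening it. If that openness is intended, a comment such as `# homes are created world-readable on purpose` would record the decision; otherwise `umask=0077` gives private homes by default. The policy for these hosts is not visible in this hunk.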
@@ -0,0 +1,47 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+[main]
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+pluginsync=true
+# This is the default environment for all clients
+environment=production
+
+<%- if scope.lookupvar('::hostname') == 'handel' -%>
+modulepath=/etc/puppet/modules:/etc/puppet/3rdparty/modules:/usr/share/puppet/modules
+
+[master]
+environments = production,staging
+reports = store
+config_version = cat /etc/puppet/.config-version
+storeconfigs = true
+thin_storeconfigs = true
+dbadapter=mysql
+dbuser=puppet
+dbpassword=<%= scope.lookupvar('dbpassword') %>
+dbserver=localhost
+
+[production]
+manifestdir=/srv/puppet.debian.org/stages/production/manifests
+fileserverconfig=/srv/puppet.debian.org/stages/production/fileserver.conf
+modulepath=/srv/puppet.debian.org/stages/production/modules:/srv/puppet.debian.org/stages/production/3rdparty/modules
+
+[staging]
+manifestdir=/srv/puppet.debian.org/stages/staging/manifests
+fileserverconfig=/srv/puppet.debian.org/stages/staging/fileserver.conf
+modulepath=/srv/puppet.debian.org/stages/staging/modules:/srv/puppet.debian.org/stages/staging/3rdparty/modules
+<%- end -%>
+
+[agent]
+environments = development,testing,production,staging
+report = true
+configtimeout = 240
+<%- if has_variable?("puppetversion") and @puppetversion.to_s == "3.7.2" -%>
+stringify_facts = false
+<%- end -%>
diff --git a/modules/debian_org/templates/rc.local.erb b/modules/debian_org/templates/rc.local.erb
new file mode 100755
index 000000000..5667c3260
--- /dev/null
+++ b/modules/debian_org/templates/rc.local.erb
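Review bot: The `[master]` section writes `dbpassword=<%= scope.lookupvar('dbpassword') %>` into puppet.conf on handel, so the rendered file carries a database credential, and puppet.conf is often left world-readable. The `file` resource that sets owner and mode is outside this hunk, so it is worth confirming it restricts the file on the master (for example `mode => '0640'`) and adding a template comment such as `# contains dbpassword on the master; must not be world-readable`. The lookup is also unqualified: if `$dbpassword` is not set in the scope that evaluates this template, the line would presumably render with an empty value, so a fully qualified variable name would make the dependency explicit.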
@@ -0,0 +1,29 @@ +#!/bin/bash + +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## +<%- if @hostname == "zani" then -%> + if [ -n "$(awk '$4 == "dasdb1" && $3 == "249999" {print}' /proc/partitions)" ]; then + mkswap /dev/dasdb1 && swapon -p 30 /dev/dasdb1 + fi + if [ -n "$(awk '$4 == "dasdc1" && $3 == "249999" {print}' /proc/partitions)" ]; then + mkswap /dev/dasdc1 && swapon -p 30 /dev/dasdc1 + fi +<%- end -%> +<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%> + ( sleep 120; + service syslog-ng restart; + sleep 5; + init q + ) & disown +<%- end -%> + +if [ -e /proc/sys/kernel/modules_disabled ]; then + ( sleep 60; + echo 1 > /proc/sys/kernel/modules_disabled || true + ) & disown +fi + +touch /var/run/reboot-lock diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp index e5b051b25..ae732057f 100644 --- a/modules/exim/manifests/init.pp +++ b/modules/exim/manifests/init.pp @@ -54,7 +54,7 @@ class exim { } file { '/etc/exim4/ssl': ensure => directory, - group => Debian-exim, + group => 'Debian-exim', mode => '0750', purge => true, } 
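Review bot: In rc.local.erb the kernel module lockdown ends in `|| true`, so a failed write to `/proc/sys/kernel/modules_disabled` leaves the host able to load modules and records nothing about it. The write runs in a detached subshell after `sleep 60`, so its exit status is never seen by anyone. Logging the failure keeps the best-effort behaviour while making a missed lockdown detectable: `echo 1 > /proc/sys/kernel/modules_disabled || logger -p auth.warning -t rc.local 'could not set modules_disabled'`.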
@@ -110,28 +110,28 @@ class exim { } file { '/etc/exim4/ssl/thishost.crt': source => "puppet:///modules/exim/certs/${::fqdn}.crt", - group => Debian-exim, + group => 'Debian-exim', mode => '0640', } file { '/etc/exim4/ssl/thishost.key': source => "puppet:///modules/exim/certs/${::fqdn}.key", - group => Debian-exim, + group => 'Debian-exim', mode => '0640', } file { '/etc/exim4/ssl/ca.crt': source => 'puppet:///modules/exim/certs/ca.crt', - group => Debian-exim, + group => 'Debian-exim', mode => '0640', } file { '/etc/exim4/ssl/ca.crl': source => 'puppet:///modules/exim/certs/ca.crl', - group => Debian-exim, + group => 'Debian-exim', mode => '0640', } file { '/var/log/exim4': ensure => directory, mode => '2750', - owner => Debian-exim, + owner => 'Debian-exim', group => maillog, } diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index c3841ccac..93ec70865 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -211,7 +211,7 @@ queue_only_load = 8 <%- end -%> queue_list_requires_admin = false -<%- if has_variable?("clamd") && clamd == "true" -%> +<%- if has_variable?("clamd") && @clamd == "true" -%> av_scanner = clamd:/var/run/clamav/clamd.ctl <%- end -%> @@ -663,7 +663,7 @@ check_recipient: ratelimit = 10 / 60m / per_rcpt / $sender_host_address message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) -<%- if has_variable?("policydweight") && policydweight == "true" -%> +<%- if has_variable?("policydweight") && @policydweight == "true" -%> # Check with policyd-weight - this only works with a version after etch's, # sadly. etch's version attempts to hold the socket open, since that's what # postfix expects. Exim, on the other hand, expects the remote side to close 
@@ -734,7 +734,7 @@ check_recipient: <%- end -%> -<%- if has_variable?("greylistd") && greylistd == "true" -%> +<%- if has_variable?("greylistd") && @greylistd == "true" -%> defer message = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>. log_message = greylisted. @@ -759,7 +759,7 @@ check_recipient: $local_part@$domain}\ {5s}{}{false}} -<%- elsif has_variable?("postgrey") && postgrey == "true" -%> +<%- elsif has_variable?("postgrey") && @postgrey == "true" -%> # next three are greylisting, inspired by http://www.bebt.de/blog/debian/archives/2006/07/30/T06_12_27/index.html # this adds acl_m_grey if there isn't one (so unique per message) warn @@ -956,7 +956,7 @@ check_message: condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = Your mailer is not RFC 2047 compliant: message rejected -<%- if has_variable?("clamd") && clamd == "true" -%> +<%- if has_variable?("clamd") && @clamd == "true" -%> discard condition = ${if eq {$acl_m_prf}{blackhole}} demime = * malware = */defer_ok diff --git a/modules/exim/templates/mailname.erb b/modules/exim/templates/mailname.erb index c1b3ea33a..de5618b74 100644 --- a/modules/exim/templates/mailname.erb +++ b/modules/exim/templates/mailname.erb @@ -1 +1 @@ -<%= fqdn %> +<%= @fqdn %> diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp index ae4ea19b2..869a3d660 100644 --- a/modules/ferm/manifests/init.pp +++ b/modules/ferm/manifests/init.pp @@ -16,7 +16,7 @@ class ferm { package { 'ferm': ensure => installed } - if ($::lsbmajdistrelease >= 8) { + if ($::lsbmajdistrelease >= '8') { package { 'ulogd2': ensure => installed } @@ -92,7 +92,7 @@ class ferm { content => template('ferm/interfaces.conf.erb'), notify => Service['ferm'], } - if ($::lsbmajdistrelease >= 8) { + if ($::lsbmajdistrelease >= '8') { augeas { 'logrotate_ulogd2': context => '/files/etc/logrotate.d/ulogd2', changes => [ 
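Review bot: Both hunks in modules/ferm/manifests/init.pp now test `$::lsbmajdistrelease >= '8'` with a quoted operand, which makes it a string comparison; assuming strings are ordered lexically here, a major release of '10' or later compares below '8'. On such a host the `ulogd2` package and the `logrotate_ulogd2` augeas change would be skipped, leaving firewall logging unmanaged without any error. `if versioncmp($::lsbmajdistrelease, '8') >= 0 {` compares the values as versions and keeps both operands as strings. The augeas resource in the second hunk continues outside it.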
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
deleted file mode 100644
index 7db3c2dbd..000000000
--- a/modules/ferm/manifests/per-host.pp
+++ /dev/null
@@ -1,418 +0,0 @@ -class ferm::per-host { - if $::hostname in [zandonai,zelenka] { - include ferm::zivit - } - - case $::hostname { - czerny,clementi: { - @ferm::rule { 'dsa-upsmon': - description => 'Allow upsmon access', - rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))' - } - } - bendel: { - @ferm::rule { 'listmaster-ontp-in': - description => 'ONTP has a broken mail setup', - table => 'filter', - chain => 'INPUT', - rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP', - } - @ferm::rule { 'listmaster-ontp-out': - description => 'ONTP has a broken mail setup', - table => 'filter', - chain => 'OUTPUT', - rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP', - } - } - lotti,lully,loghost-grnet-01: { - @ferm::rule { 'dsa-syslog': - description => 'Allow syslog access', - rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)' - } - @ferm::rule { 'dsa-syslog-v6': - domain => 'ip6', - description => 'Allow syslog access', - rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)' - } - } - kaufmann: { - @ferm::rule { 'dsa-hkp': - domain => '(ip ip6)', - description => 'Allow hkp access', - rule => '&SERVICE(tcp, 11371)' - } - } - gombert: { - @ferm::rule { 'dsa-infinoted': - domain => '(ip ip6)', - description => 'Allow infinoted access', - rule => '&SERVICE(tcp, 6523)' - } - } - draghi: { - @ferm::rule { 'dsa-finger': - domain => '(ip ip6)', - description => 'Allow finger access', - rule => '&SERVICE(tcp, 79)' - } - @ferm::rule { 'dsa-ldap': - domain => '(ip ip6)', - description => 'Allow ldap access', - rule => '&SERVICE(tcp, 389)' - } - @ferm::rule { 'dsa-ldaps': - domain => '(ip ip6)', - description => 'Allow ldaps access', - rule => '&SERVICE(tcp, 636)' - } - } - sonntag: { - @ferm::rule { 'dsa-bugs-search': - description => 'port 1978 for bugs-search from bug web frontends', - rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 209.87.16.39 ))' - } - } - default: {} - } - - # redirect snapshot into varnish - case 
$::hostname { - sibelius: { - @ferm::rule { 'dsa-snapshot-varnish': - rule => '&SERVICE(tcp, 6081)', - } - @ferm::rule { 'dsa-nat-snapshot-varnish': - table => 'nat', - chain => 'PREROUTING', - rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081', - } - } - lw07: { - @ferm::rule { 'dsa-snapshot-varnish': - rule => '&SERVICE(tcp, 6081)', - } - @ferm::rule { 'dsa-nat-snapshot-varnish': - table => 'nat', - chain => 'PREROUTING', - rule => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081', - } - } - default: {} - } - case $::hostname { - bm-bl1,bm-bl2: { - @ferm::rule { 'dsa-vrrp': - rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT', - } - @ferm::rule { 'dsa-conntrackd': - rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT', - } - @ferm::rule { 'dsa-bind-notrack-in': - domain => 'ip', - description => 'NOTRACK for nameserver traffic', - table => 'raw', - chain => 'PREROUTING', - rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK' - } - - @ferm::rule { 'dsa-bind-notrack-out': - domain => 'ip', - description => 'NOTRACK for nameserver traffic', - table => 'raw', - chain => 'OUTPUT', - rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK' - } - - @ferm::rule { 'dsa-bind-notrack-in6': - domain => 'ip6', - description => 'NOTRACK for nameserver traffic', - table => 'raw', - chain => 'PREROUTING', - rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK' - } - - @ferm::rule { 'dsa-bind-notrack-out6': - domain => 'ip6', - description => 'NOTRACK for nameserver traffic', - table => 'raw', - chain => 'OUTPUT', - rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK' - } - } - default: {} - } - - # elasticsearch stuff - case $::hostname { - stockhausen: { - @ferm::rule { 'dsa-elasticsearch-bendel': - domain => '(ip)', - description => 'Allow elasticsearch access from bendel', - rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 82.195.75.100/32 ))' - } - @ferm::rule { 
'dsa-elasticsearch-bendel6': - domain => '(ip6)', - description => 'Allow elasticsearch access from bendel', - rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 2001:41b8:202:deb:216:36ff:fe40:4002/128 ))' - } - } - } - - # postgres stuff - case $::hostname { - ullmann: { - @ferm::rule { 'dsa-postgres-udd': - description => 'Allow postgress access', - # quantz, moszumanska, master, coccia - rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))' - } - @ferm::rule { 'dsa-postgres-udd6': - domain => '(ip6)', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))' - } - } - fasolo: { - @ferm::rule { 'dsa-postgres-fasolo': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))' - } - @ferm::rule { 'dsa-postgres-fasolo6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))' - } - - @ferm::rule { 'dsa-postgres-backup': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))' - } - @ferm::rule { 'dsa-postgres-backup6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))' - } - } - bmdb1: { - @ferm::rule { 'dsa-postgres-main': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 209.87.16.38/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))' - } - @ferm::rule { 'dsa-postgres-main6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:614:1::1274:38/128 2001:41c8:1000:21::21:26/128 
2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))' - } - @ferm::rule { 'dsa-postgres-dak': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))' - } - @ferm::rule { 'dsa-postgres-dak6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))' - } - @ferm::rule { 'dsa-postgres-wannabuild': - # wuiet, ullmann - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 209.87.16.38/32 ))' - } - @ferm::rule { 'dsa-postgres-wannabuild6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:614:1::1274:38/128 ))' - } - @ferm::rule { 'dsa-postgres-bacula': - # dinis - description => 'Allow postgress access1', - rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))' - } - @ferm::rule { 'dsa-postgres-bacula6': - domain => 'ip6', - description => 'Allow postgress access1', - rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))' - } - - @ferm::rule { 'dsa-postgres-backup': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V4 ))' - } - @ferm::rule { 'dsa-postgres-backup6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V6 ))' - } - - @ferm::rule { 'dsa-postgres-dedup': - # ubc, wuit - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))' - } - @ferm::rule { 
'dsa-postgres-dedup6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))' - } - - @ferm::rule { 'dsa-postgres-debsources': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, (5440), ( 5.153.231.38/32 ))' - } - @ferm::rule { 'dsa-postgres-debsources6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, (5440), ( 2001:41c8:1000:21::21:38/128 ))' - } - } - danzi: { - @ferm::rule { 'dsa-postgres-danzi': - # ubc, wuit - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))' - } - @ferm::rule { 'dsa-postgres-danzi6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))' - } - - @ferm::rule { 'dsa-postgres2-danzi': - description => 'Allow postgress access2', - rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 209.87.16.0/24 ))' - } - @ferm::rule { 'dsa-postgres3-danzi': - description => 'Allow postgress access3', - rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 209.87.16.0/24 ))' - } - @ferm::rule { 'dsa-postgres4-danzi': - description => 'Allow postgress access4', - rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 209.87.16.0/24 ))' - } - - @ferm::rule { 'dsa-postgres-backup': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))' - } - @ferm::rule { 'dsa-postgres-backup6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))' - } - } - seger: { - @ferm::rule { 'dsa-postgres-backup': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))' - } - @ferm::rule { 'dsa-postgres-backup6': - domain => 'ip6', - description => 'Allow postgress access', 
- rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))' - } - } - sibelius: { - @ferm::rule { 'dsa-postgres-backup': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))' - } - @ferm::rule { 'dsa-postgres-backup6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))' - } - @ferm::rule { 'dsa-postgres-replication': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 ))' - } - @ferm::rule { 'dsa-postgres-replication6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:1af8:4020:b030:deb::187/128 ))' - } - } - lw07: { - @ferm::rule { 'dsa-postgres-snapshot': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))' - } - @ferm::rule { 'dsa-postgres-snapshot6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))' - } - } - melartin,vittoria: { - @ferm::rule { 'dsa-postgres-backup': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))' - } - @ferm::rule { 'dsa-postgres-backup6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))' - } - } - buxtehude: { - @ferm::rule { 'dsa-postgres-backup': - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V4 ))' - } - @ferm::rule { 'dsa-postgres-backup6': - domain => 'ip6', - description => 'Allow postgress access', - rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V6 ))' - } - } - default: {} - } - # vpn fu - case $::hostname { - draghi: { - @ferm::rule { 'dsa-vpn': - description => 'Allow openvpn access', - rule => '&SERVICE(udp, 17257)' - } - @ferm::rule { 'dsa-routing': - 
description => 'forward chain', - chain => 'FORWARD', - rule => 'policy ACCEPT; -mod state state (ESTABLISHED RELATED) ACCEPT; -interface tun+ ACCEPT; -REJECT reject-with icmp-admin-prohibited -' - } - @ferm::rule { 'dsa-vpn-mark': - table => 'mangle', - chain => 'PREROUTING', - rule => 'interface tun+ MARK set-mark 1', - } - @ferm::rule { 'dsa-vpn-nat': - table => 'nat', - chain => 'POSTROUTING', - rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', - } - } - ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: { - @ferm::rule { 'dsa-luca-fixme': - description => 'Allow ssh access from mnt and vpn networks', - rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))', - } - } - default: {} - } - # tftp - case $::hostname { - abel: { - @ferm::rule { 'dsa-tftp': - description => 'Allow tftp access', - rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))' - } - } - master: { - @ferm::rule { 'dsa-tftp': - description => 'Allow tftp access', - rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))' - } - } - } -} diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp new file mode 100644 index 000000000..8fd0d0757 --- /dev/null +++ b/modules/ferm/manifests/per_host.pp 
@@ -0,0 +1,418 @@ +class ferm::per_host { + if $::hostname in [zandonai,zelenka] { + include ferm::zivit + } + + case $::hostname { + czerny,clementi: { + @ferm::rule { 'dsa-upsmon': + description => 'Allow upsmon access', + rule => '&SERVICE_RANGE(tcp, 3493, ( 82.195.75.64/26 192.168.43.0/24 ))' + } + } + bendel: { + @ferm::rule { 'listmaster-ontp-in': + description => 'ONTP has a broken mail setup', + table => 'filter', + chain => 'INPUT', + rule => 'source 188.165.23.89/32 proto tcp dport 25 jump DROP', + } + @ferm::rule { 'listmaster-ontp-out': + description => 'ONTP has a broken mail setup', + table => 'filter', + chain => 'OUTPUT', + rule => 'destination 78.8.208.246/32 proto tcp dport 25 jump DROP', + } + } + lotti,lully,loghost-grnet-01: { + @ferm::rule { 'dsa-syslog': + description => 'Allow syslog access', + rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V4)' + } + @ferm::rule { 'dsa-syslog-v6': + domain => 'ip6', + description => 'Allow syslog access', + rule => '&SERVICE_RANGE(tcp, 5140, $HOST_DEBIAN_V6)' + } + } + kaufmann: { + @ferm::rule { 'dsa-hkp': + domain => '(ip ip6)', + description => 'Allow hkp access', + rule => '&SERVICE(tcp, 11371)' + } + } + gombert: { + @ferm::rule { 'dsa-infinoted': + domain => '(ip ip6)', + description => 'Allow infinoted access', + rule => '&SERVICE(tcp, 6523)' + } + } + draghi: { + @ferm::rule { 'dsa-finger': + domain => '(ip ip6)', + description => 'Allow finger access', + rule => '&SERVICE(tcp, 79)' + } + @ferm::rule { 'dsa-ldap': + domain => '(ip ip6)', + description => 'Allow ldap access', + rule => '&SERVICE(tcp, 389)' + } + @ferm::rule { 'dsa-ldaps': + domain => '(ip ip6)', + description => 'Allow ldaps access', + rule => '&SERVICE(tcp, 636)' + } + } + sonntag: { + @ferm::rule { 'dsa-bugs-search': + description => 'port 1978 for bugs-search from bug web frontends', + rule => '&SERVICE_RANGE(tcp, 1978, ( 140.211.166.26 209.87.16.39 ))' + } + } + default: {} + } + + # redirect snapshot into varnish + case 
$::hostname { + sibelius: { + @ferm::rule { 'dsa-snapshot-varnish': + rule => '&SERVICE(tcp, 6081)', + } + @ferm::rule { 'dsa-nat-snapshot-varnish': + table => 'nat', + chain => 'PREROUTING', + rule => 'proto tcp daddr 193.62.202.30 dport 80 REDIRECT to-ports 6081', + } + } + lw07: { + @ferm::rule { 'dsa-snapshot-varnish': + rule => '&SERVICE(tcp, 6081)', + } + @ferm::rule { 'dsa-nat-snapshot-varnish': + table => 'nat', + chain => 'PREROUTING', + rule => 'proto tcp daddr 185.17.185.185 dport 80 REDIRECT to-ports 6081', + } + } + default: {} + } + case $::hostname { + bm-bl1,bm-bl2: { + @ferm::rule { 'dsa-vrrp': + rule => 'proto vrrp daddr 224.0.0.18 jump ACCEPT', + } + @ferm::rule { 'dsa-conntrackd': + rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT', + } + @ferm::rule { 'dsa-bind-notrack-in': + domain => 'ip', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'PREROUTING', + rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK' + } + + @ferm::rule { 'dsa-bind-notrack-out': + domain => 'ip', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'OUTPUT', + rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK' + } + + @ferm::rule { 'dsa-bind-notrack-in6': + domain => 'ip6', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'PREROUTING', + rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK' + } + + @ferm::rule { 'dsa-bind-notrack-out6': + domain => 'ip6', + description => 'NOTRACK for nameserver traffic', + table => 'raw', + chain => 'OUTPUT', + rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK' + } + } + default: {} + } + + # elasticsearch stuff + case $::hostname { + stockhausen: { + @ferm::rule { 'dsa-elasticsearch-bendel': + domain => '(ip)', + description => 'Allow elasticsearch access from bendel', + rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 82.195.75.100/32 ))' + } + @ferm::rule { 
'dsa-elasticsearch-bendel6': + domain => '(ip6)', + description => 'Allow elasticsearch access from bendel', + rule => '&SERVICE_RANGE(tcp, 9200:9300, ( 2001:41b8:202:deb:216:36ff:fe40:4002/128 ))' + } + } + } + + # postgres stuff + case $::hostname { + ullmann: { + @ferm::rule { 'dsa-postgres-udd': + description => 'Allow postgress access', + # quantz, moszumanska, master, coccia + rule => '&SERVICE_RANGE(tcp, 5452, ( 5.153.231.28/32 5.153.231.21/32 82.195.75.110/32 5.153.231.11/32 ))' + } + @ferm::rule { 'dsa-postgres-udd6': + domain => '(ip6)', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5452, ( 2001:41c8:1000:21::21:28/128 2001:41b8:202:deb:216:36ff:fe40:4001/128 2001:41c8:1000:21::21:11/32 2001:41c8:1000:21::21:21/128 ))' + } + } + fasolo: { + @ferm::rule { 'dsa-postgres-fasolo': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 5.153.231.10/32 ))' + } + @ferm::rule { 'dsa-postgres-fasolo6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:41c8:1000:21::21:10/128 ))' + } + + @ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))' + } + @ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))' + } + } + bmdb1: { + @ferm::rule { 'dsa-postgres-main': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5435, ( 5.153.231.23/32 5.153.231.25/32 209.87.16.38/32 5.153.231.26/32 5.153.231.18/32 5.153.231.28/32 5.153.231.249/32 5.153.231.29/32 5.153.231.43/32 5.153.231.33/32 ))' + } + @ferm::rule { 'dsa-postgres-main6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5435, ( 2001:41c8:1000:21::21:23/128 2001:41c8:1000:21::21:25/128 2607:f8f0:614:1::1274:38/128 2001:41c8:1000:21::21:26/128 
2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:28/128 2001:41c8:1000:20::20:249/128 2001:41c8:1000:21::21:29/128 2001:41c8:1000:21::21:43/128 2001:41c8:1000:21::21:33/128 ))' + } + @ferm::rule { 'dsa-postgres-dak': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5434, ( 5.153.231.11/32 5.153.231.28/32 209.87.16.26/32 5.153.231.21/32 5.153.231.18/32 5.153.231.29/32 128.31.0.69/32 ))' + } + @ferm::rule { 'dsa-postgres-dak6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5434, ( 2001:41c8:1000:21::21:11/128 2001:41c8:1000:21::21:28/128 2607:f8f0:614:1::1274:26/128 2001:41c8:1000:21::21:21/128 2001:41c8:1000:21::21:18/128 2001:41c8:1000:21::21:29/128 ))' + } + @ferm::rule { 'dsa-postgres-wannabuild': + # wuiet, ullmann + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5436, ( 5.153.231.18/32 209.87.16.38/32 ))' + } + @ferm::rule { 'dsa-postgres-wannabuild6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5436, ( 2001:41c8:1000:21::21:18/128 2607:f8f0:614:1::1274:38/128 ))' + } + @ferm::rule { 'dsa-postgres-bacula': + # dinis + description => 'Allow postgress access1', + rule => '&SERVICE_RANGE(tcp, 5437, ( 5.153.231.19/32 ))' + } + @ferm::rule { 'dsa-postgres-bacula6': + domain => 'ip6', + description => 'Allow postgress access1', + rule => '&SERVICE_RANGE(tcp, 5437, ( 2001:41c8:1000:21::21:19/128 ))' + } + + @ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V4 ))' + } + @ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, (5435 5436 5440), ( $HOST_PGBACKUPHOST_V6 ))' + } + + @ferm::rule { 'dsa-postgres-dedup': + # ubc, wuit + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, (5439), ( 5.153.231.17/32 ))' + } + @ferm::rule { 
'dsa-postgres-dedup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, (5439), ( 2001:41c8:1000:21::21:17/128 ))' + } + + @ferm::rule { 'dsa-postgres-debsources': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, (5440), ( 5.153.231.38/32 ))' + } + @ferm::rule { 'dsa-postgres-debsources6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, (5440), ( 2001:41c8:1000:21::21:38/128 ))' + } + } + danzi: { + @ferm::rule { 'dsa-postgres-danzi': + # ubc, wuit + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))' + } + @ferm::rule { 'dsa-postgres-danzi6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))' + } + + @ferm::rule { 'dsa-postgres2-danzi': + description => 'Allow postgress access2', + rule => '&SERVICE_RANGE(tcp, 5437, ( 206.12.19.0/24 209.87.16.0/24 ))' + } + @ferm::rule { 'dsa-postgres3-danzi': + description => 'Allow postgress access3', + rule => '&SERVICE_RANGE(tcp, 5436, ( 206.12.19.0/24 209.87.16.0/24 ))' + } + @ferm::rule { 'dsa-postgres4-danzi': + description => 'Allow postgress access4', + rule => '&SERVICE_RANGE(tcp, 5438, ( 206.12.19.0/24 209.87.16.0/24 ))' + } + + @ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))' + } + @ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))' + } + } + seger: { + @ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))' + } + @ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', 
+ rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))' + } + } + sibelius: { + @ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V4 ))' + } + @ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( $HOST_PGBACKUPHOST_V6 ))' + } + @ferm::rule { 'dsa-postgres-replication': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 185.17.185.187/32 ))' + } + @ferm::rule { 'dsa-postgres-replication6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5433, ( 2001:1af8:4020:b030:deb::187/128 ))' + } + } + lw07: { + @ferm::rule { 'dsa-postgres-snapshot': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5439, ( 185.17.185.176/28 ))' + } + @ferm::rule { 'dsa-postgres-snapshot6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5439, ( 2001:1af8:4020:b030::/64 ))' + } + } + melartin,vittoria: { + @ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V4 ))' + } + @ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, 5432, ( $HOST_PGBACKUPHOST_V6 ))' + } + } + buxtehude: { + @ferm::rule { 'dsa-postgres-backup': + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V4 ))' + } + @ferm::rule { 'dsa-postgres-backup6': + domain => 'ip6', + description => 'Allow postgress access', + rule => '&SERVICE_RANGE(tcp, (5433 5441), ( $HOST_PGBACKUPHOST_V6 ))' + } + } + default: {} + } + # vpn fu + case $::hostname { + draghi: { + @ferm::rule { 'dsa-vpn': + description => 'Allow openvpn access', + rule => '&SERVICE(udp, 17257)' + } + @ferm::rule { 'dsa-routing': + 
description => 'forward chain', + chain => 'FORWARD', + rule => 'policy ACCEPT; +mod state state (ESTABLISHED RELATED) ACCEPT; +interface tun+ ACCEPT; +REJECT reject-with icmp-admin-prohibited +' + } + @ferm::rule { 'dsa-vpn-mark': + table => 'mangle', + chain => 'PREROUTING', + rule => 'interface tun+ MARK set-mark 1', + } + @ferm::rule { 'dsa-vpn-nat': + table => 'nat', + chain => 'POSTROUTING', + rule => 'outerface !tun+ mod mark mark 1 MASQUERADE', + } + } + ubc-enc2bl01,ubc-enc2bl02,ubc-enc2bl09,ubc-enc2bl10: { + @ferm::rule { 'dsa-luca-fixme': + description => 'Allow ssh access from mnt and vpn networks', + rule => '&SERVICE_RANGE(tcp, 22, ( 172.29.40.0/22 172.29.203.0/24 ))', + } + } + default: {} + } + # tftp + case $::hostname { + abel: { + @ferm::rule { 'dsa-tftp': + description => 'Allow tftp access', + rule => '&SERVICE_RANGE(udp, 69, ( 172.28.17.0/24 ))' + } + } + master: { + @ferm::rule { 'dsa-tftp': + description => 'Allow tftp access', + rule => '&SERVICE_RANGE(udp, 69, ( 82.195.75.64/26 192.168.43.0/24 ))' + } + } + } +} diff --git a/modules/ferm/manifests/rule.pp b/modules/ferm/manifests/rule.pp index 939f926bb..f63d42167 100644 --- a/modules/ferm/manifests/rule.pp +++ b/modules/ferm/manifests/rule.pp @@ -14,7 +14,7 @@ define ferm::rule ( "/etc/ferm/dsa.d/${prio}_${name}": ensure => present, mode => '0400', - content => template('ferm/ferm-rule.erb'), + content => template('ferm/ferm_rule.erb'), notify => Service['ferm'], } } diff --git a/modules/ferm/templates/ferm-rule.erb b/modules/ferm/templates/ferm-rule.erb deleted file mode 100644 index 235b8e329..000000000 --- a/modules/ferm/templates/ferm-rule.erb +++ /dev/null @@ -1,13 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -domain <%= domain %> { - table <%= table %> { - chain <%= chain %> { - <%= rule %><% unless notarule -%>;<% end -%> - - } - } -} 
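Review bot: In `dsa-postgres-udd6` (ullmann) the source list contains `2001:41c8:1000:21::21:11/32`, while every other single-host IPv6 entry in this file uses `/128`. A /32 prefix matches the whole 2001:41c8::/32 block rather than one host, so port 5452 is open to far more sources than the IPv4 rule beside it allows. If the entry is meant as the v6 counterpart of `5.153.231.11/32`, it should read `2001:41c8:1000:21::21:11/128`. The rule list is carried over unchanged from the deleted per-host.pp, so the rename is a convenient point to correct it.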
diff --git a/modules/ferm/templates/ferm_rule.erb b/modules/ferm/templates/ferm_rule.erb new file mode 100644 index 000000000..ef674154b --- /dev/null +++ b/modules/ferm/templates/ferm_rule.erb @@ -0,0 +1,13 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +domain <%= @domain %> { + table <%= @table %> { + chain <%= @chain %> { + <%= @rule %><% unless @notarule -%>;<% end -%> + + } + } +} diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb index 72e65f422..627e4bfae 100644 --- a/modules/ferm/templates/me.conf.erb +++ b/modules/ferm/templates/me.conf.erb @@ -21,7 +21,7 @@ end ssh4allowed = [] ssh6allowed = [] -should_restrict = restrict_ssh.include?(hostname) +should_restrict = restrict_ssh.include?(@hostname) %w{dns_primary dns_geo}.each do |role_restrict| if scope.function_has_role([role_restrict]) then should_restrict = true @@ -29,16 +29,16 @@ should_restrict = restrict_ssh.include?(hostname) end -if restrict_ssh.include?(hostname) then +if restrict_ssh.include?(@hostname) then ssh4allowed << %w{$DSA_IPS $HOST_NAGIOS_V4 $HOST_MUNIN_V4 $HOST_DB_V4} ssh6allowed << %w{$DSA_V6_IPS $HOST_NAGIOS_V6 $HOST_MUNIN_V6 $HOST_DB_V6} - if %w{draghi}.include?(hostname) then + if %w{draghi}.include?(@hostname) then ssh4allowed << '$HOST_DEBIAN_V4' ssh6allowed << '$HOST_DEBIAN_V6' end - if %w{adayevskaya}.include?(hostname) then + if %w{adayevskaya}.include?(@hostname) then out << '@def $MFL_LOCAL = ( 130.83.226.60 );' # Michael Fladerer ssh4allowed << '$MFL_LOCAL' ssh4allowed << %w{$HOST_DEBIAN_V4} diff --git a/modules/hosts/templates/etc-hosts.erb b/modules/hosts/templates/etc-hosts.erb index 1105ac3ed..9448d0ea4 100644 --- a/modules/hosts/templates/etc-hosts.erb +++ b/modules/hosts/templates/etc-hosts.erb 
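Review bot: The changed condition `if restrict_ssh.include?(@hostname) then` repeats the host-list test instead of using `should_restrict`, which the previous hunk sets to true for hosts holding the `dns_primary` or `dns_geo` role. As far as these two hunks show, a host that has one of those roles but is not named in `restrict_ssh` skips this SSH allow-list block; whether `should_restrict` is consulted further down is not visible here. If the role-derived value is meant to decide, the line would be `if should_restrict then`. The template continues outside both hunks.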
@@ -4,7 +4,7 @@ ## 127.0.0.1 localhost -<%= ipaddress %> <%= fqdn %> <%= hostname %> +<%= @ipaddress %> <%= @fqdn %> <%= @hostname %> # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback diff --git a/modules/linux/manifests/init.pp b/modules/linux/manifests/init.pp index 78ab1da77..e91ef2241 100644 --- a/modules/linux/manifests/init.pp +++ b/modules/linux/manifests/init.pp @@ -1,6 +1,6 @@ class linux { include ferm - include ferm::per-host + include ferm::per_host include entropykey - include rng-tools + include rng_tools } diff --git a/modules/monit/manifests/init.pp b/modules/monit/manifests/init.pp index 88055a109..977f1847c 100644 --- a/modules/monit/manifests/init.pp +++ b/modules/monit/manifests/init.pp @@ -7,7 +7,7 @@ # include monit # class monit { - if $::lsbmajdistrelease <= 7 { + if $::lsbmajdistrelease <= '7' { package { 'monit': ensure => installed } diff --git a/modules/motd/templates/motd.erb b/modules/motd/templates/motd.erb index 686f63019..f078a5f45 100644 --- a/modules/motd/templates/motd.erb +++ b/modules/motd/templates/motd.erb @@ -40,7 +40,7 @@ end ninfo = scope.lookupvar('site::nodeinfo') -extra = 'Welcome to ' + fqdn +extra = 'Welcome to ' + @fqdn if (scope.lookupvar('site::nodeinfo')['ldap'].has_key?('purpose')) p = scope.lookupvar('site::nodeinfo')['ldap']['purpose'].clone() entries = "" @@ -84,7 +84,7 @@ end vms = [] scope.lookupvar('site::allnodeinfo').keys.sort.each do |node| - if scope.lookupvar('site::allnodeinfo')[node]['physicalHost'] and scope.lookupvar('site::allnodeinfo')[node]['physicalHost'].include?(fqdn) + if scope.lookupvar('site::allnodeinfo')[node]['physicalHost'] and scope.lookupvar('site::allnodeinfo')[node]['physicalHost'].include?(@fqdn) vms << node end end diff --git a/modules/munin/manifests/master-per-node.pp b/modules/munin/manifests/master-per-node.pp deleted file mode 100644 index 1d8864e2a..000000000 --- a/modules/munin/manifests/master-per-node.pp +++ /dev/null 
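Review bot: Quoting the operand in `if $::lsbmajdistrelease <= '7'` (monit/manifests/init.pp) turns this into a string comparison, which orders text rather than numbers, so a two-digit release such as '10' sorts before '7' and would take the old-release branch. The same pattern is introduced further down in ssh/manifests/init.pp as `>= '8'`, where it gates creation of the ed25519 host key. `if versioncmp($::lsbmajdistrelease, '7') <= 0 {` compares the values as versions and works whether the fact arrives as a string or a number.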
@@ -1,9 +0,0 @@ -define munin::master-per-node($ipaddress, $munin_async) { - $client_fqdn = $name - $client_ipaddress = $ipaddress - $client_munin_async = $munin_async - - file { "/etc/munin/munin-conf.d/${name}.conf": - content => template('munin/munin.conf-per-node.erb'), - } -} diff --git a/modules/munin/manifests/master_per_node.pp b/modules/munin/manifests/master_per_node.pp new file mode 100644 index 000000000..cdb1dec0c --- /dev/null +++ b/modules/munin/manifests/master_per_node.pp @@ -0,0 +1,9 @@ +define munin::master_per_node($ipaddress, $munin_async) { + $client_fqdn = $name + $client_ipaddress = $ipaddress + $client_munin_async = $munin_async + + file { "/etc/munin/munin-conf.d/${name}.conf": + content => template('munin/munin.conf_per_node.erb'), + } +} diff --git a/modules/munin/munin.conf_per_node.erb b/modules/munin/munin.conf_per_node.erb new file mode 100644 index 000000000..421d0dd61 --- /dev/null +++ b/modules/munin/munin.conf_per_node.erb @@ -0,0 +1,15 @@ +## +### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## + +[<%= client_fqdn %>] +<% +# variables are different whether or not they go via the stored config thing. +# on the host that actually gets the config, client_munin_async is a String, saying "true", +# from other hosts it's an actual boolean, i.e. an instance of either FalseClass or TrueClass +%> +<%- if has_variable?('client_munin_async') and ((client_munin_async.kind_of?(String) and client_munin_async == "true") or (client_munin_async.kind_of?(TrueClass))) %> + address ssh://munin-async@<%= client_fqdn %>/set-in-authkeys +<%- else %> + address <%= client_ipaddress %> +<%- end %> diff --git a/modules/munin/templates/munin-node.plugin.conf.erb b/modules/munin/templates/munin-node.plugin.conf.erb index 9aebf149d..872ac55c8 100644 --- a/modules/munin/templates/munin-node.plugin.conf.erb +++ b/modules/munin/templates/munin-node.plugin.conf.erb 
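Review bot: `template('munin/munin.conf_per_node.erb')` in the new master_per_node.pp is resolved under modules/munin/templates/, but this commit adds the renamed file as modules/munin/munin.conf_per_node.erb, outside `templates/`, and deletes templates/munin.conf-per-node.erb. Unless the file is moved to modules/munin/templates/munin.conf_per_node.erb, the define will presumably fail at catalog compilation because the template cannot be found.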
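Review bot: The added munin.conf_per_node.erb still reads `client_fqdn`, `client_munin_async` and `client_ipaddress` as bare names, while the other templates touched by this commit were switched to instance variables; Puppet 4 no longer resolves bare names in ERB. The lines would use the `@` form, for example `[<%= @client_fqdn %>]` and `address <%= @client_ipaddress %>`. The String-or-TrueClass test on `client_munin_async` should be kept, only with `@client_munin_async`.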
@@ -19,7 +19,7 @@ group adm, maillog user root <%= out = "" -if has_variable?("mta") and mta == "exim4" +if has_variable?("mta") and @mta == "exim4" out=" [exim_mail*] user Debian-exim @@ -63,7 +63,7 @@ env.critical 98 <%= out = "" -if has_variable?("mta") and mta == "postfix" +if has_variable?("mta") and @mta == "postfix" out=" [postfix_mailqueue] user postfix diff --git a/modules/munin/templates/munin.conf-per-node.erb b/modules/munin/templates/munin.conf-per-node.erb deleted file mode 100644 index 421d0dd61..000000000 --- a/modules/munin/templates/munin.conf-per-node.erb +++ /dev/null @@ -1,15 +0,0 @@ -## -### THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## - -[<%= client_fqdn %>] -<% -# variables are different whether or not they go via the stored config thing. -# on the host that actually gets the config, client_munin_async is a String, saying "true", -# from other hosts it's an actual boolean, i.e. an instance of either FalseClass or TrueClass -%> -<%- if has_variable?('client_munin_async') and ((client_munin_async.kind_of?(String) and client_munin_async == "true") or (client_munin_async.kind_of?(TrueClass))) %> - address ssh://munin-async@<%= client_fqdn %>/set-in-authkeys -<%- else %> - address <%= client_ipaddress %> -<%- end %> diff --git a/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb b/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb index f307ec6ef..8f815826f 100644 --- a/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb +++ b/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb @@ -5,7 +5,7 @@ <%= ignore = [] -case fqdn +case @fqdn when /draghi.debian.org/ then ignore << %w{userdir-ldap userdir-ldap-cgi libheimdal-kadm5-perl django-ldapdb ud python-cdb python-nameparser python-django-ldapdb} when "handel.debian.org" then ignore << %w{puppet-dashboard} when "reger.debian.org" then ignore << %w{librt-extension-commandbymail-perl} 
@@ -15,7 +15,7 @@ when /(storace|backuphost).debian.org/ then ignore << %w{post end if @lsbmajdistrelease <= '8' - case fqdn + case @fqdn when /(acker|aagaard).debian.org/ then ignore << %w{qemu-efi} end end diff --git a/modules/popcon/templates/popularity-contest.conf.erb b/modules/popcon/templates/popularity-contest.conf.erb index 14b2fb79b..6120c4183 100644 --- a/modules/popcon/templates/popularity-contest.conf.erb +++ b/modules/popcon/templates/popularity-contest.conf.erb @@ -7,10 +7,10 @@ PARTICIPATE="yes" USEHTTP="yes" <%= # hostids are 32 hexchars long -id_short = popcon_host_id[0,32] +id_short = @popcon_host_id[0,32] # slightly biased, but meh -day = (popcon_host_id[0].ord + 256*popcon_host_id[1].ord) % 7 +day = (@popcon_host_id[0].ord + 256*@popcon_host_id[1].ord) % 7 conf = [] conf << "MY_HOSTID=\"#{id_short}\"" diff --git a/modules/portforwarder/templates/authorized_keys.erb b/modules/portforwarder/templates/authorized_keys.erb index 063312a2f..ec11e54f6 100644 --- a/modules/portforwarder/templates/authorized_keys.erb +++ b/modules/portforwarder/templates/authorized_keys.erb @@ -30,7 +30,7 @@ config.each_pair do |sourcehost, services| ##lines << "# sourcehost is #{sourcehost}" services.each do |service| ##lines << "# targethost is #{service['target_host']}, my hostname #{hostname}, fqdn is #{fqdn}" - next if service['target_host'] != fqdn + next if service['target_host'] != @fqdn allowed_ports << service['target_port'] if service['target_port'] end diff --git a/modules/portforwarder/templates/xinetd.erb b/modules/portforwarder/templates/xinetd.erb index 7ff0dfb0d..93ba0aff3 100644 --- a/modules/portforwarder/templates/xinetd.erb +++ b/modules/portforwarder/templates/xinetd.erb 
@@ -25,7 +25,7 @@ template = 'service @@TARGET_HOST@@@@TARGET_PORT@@ ' config = YAML.load(File.open('/etc/puppet/modules/portforwarder/misc/config.yaml').read) -if config[fqdn] +if config[@fqdn] config[fqdn].each do |service| target_port = service['target_port'] target_host = service['target_host'] diff --git a/modules/puppetmaster/lib/puppet/parser/functions/entropy_provider.rb b/modules/puppetmaster/lib/puppet/parser/functions/entropy_provider.rb index e16290ce6..9f628cb60 100644 --- a/modules/puppetmaster/lib/puppet/parser/functions/entropy_provider.rb +++ b/modules/puppetmaster/lib/puppet/parser/functions/entropy_provider.rb @@ -22,7 +22,7 @@ module Puppet::Parser::Functions next unless localinfo[node]['entropy_key'] addresses = allnodeinfo[node]['ipHostNumber'] - thishoster = function_whohosts([addresses, "/etc/puppet/modules/debian-org/misc/hoster.yaml"]) + thishoster = function_whohosts([addresses, "/etc/puppet/modules/debian_org/misc/hoster.yaml"]) name = thishoster['name'] provider << node diff --git a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb index 71d5ee50e..1380a02ed 100644 --- a/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb +++ b/modules/puppetmaster/lib/puppet/parser/functions/nodeinfo.rb 
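Review bot: Only the guard was converted in xinetd.erb: the context line directly after it still reads `config[fqdn].each do |service|` with the bare name. The entry that `config[@fqdn]` just tested is therefore not the one being iterated, and the bare `fqdn` is likely to be undefined in the template. The line should become `config[@fqdn].each do |service|`. The loop body continues outside the hunk.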
@@ -12,7 +12,7 @@ module Puppet::Parser::Functions unless nodeinfo['ldap']['ipHostNumber'] raise Puppet::ParseError, "Host #{host} does not have ipHostNumber values in ldap" end - nodeinfo['hoster'] = function_whohosts([nodeinfo['ldap']['ipHostNumber'], "/etc/puppet/modules/debian-org/misc/hoster.yaml"]) + nodeinfo['hoster'] = function_whohosts([nodeinfo['ldap']['ipHostNumber'], "/etc/puppet/modules/debian_org/misc/hoster.yaml"]) nodeinfo['buildd'] = (nodeinfo['ldap']['purpose'].respond_to?('include?') && nodeinfo['ldap']['purpose'].include?('buildd')) nodeinfo['timeserver'] = (nodeinfo['ldap']['purpose'].respond_to?('include?') && nodeinfo['ldap']['purpose'].include?('timeserver')) nodeinfo['porterbox'] = (nodeinfo['ldap']['purpose'].respond_to?('include?') && nodeinfo['ldap']['purpose'].include?('porterbox')) diff --git a/modules/resolv/templates/resolv.conf.erb b/modules/resolv/templates/resolv.conf.erb index dc2babed9..a42aa25d4 100644 --- a/modules/resolv/templates/resolv.conf.erb +++ b/modules/resolv/templates/resolv.conf.erb @@ -10,7 +10,7 @@ searchpaths << "debian.org" -%> search <%= searchpaths.to_a.flatten.join(" ") %> <% nameservers = [] -if %w{draghi}.include?(hostname) +if %w{draghi}.include?(@hostname) nameservers << "127.0.0.1" end nameservers += @ns diff --git a/modules/rng-tools/manifests/init.pp b/modules/rng-tools/manifests/init.pp deleted file mode 100644 index abbc48622..000000000 --- a/modules/rng-tools/manifests/init.pp +++ /dev/null @@ -1,11 +0,0 @@ -class rng-tools { - if $has_dev_hwrng { - package { 'rng-tools': - ensure => installed - } - service { 'rng-tools': - ensure => running, - require => Package['rng-tools'] - } - } -} diff --git a/modules/rng_tools/manifests/init.pp b/modules/rng_tools/manifests/init.pp new file mode 100644 index 000000000..c8bb9ab1e --- /dev/null +++ b/modules/rng_tools/manifests/init.pp 
@@ -0,0 +1,11 @@ +class rng_tools { + if $has_dev_hwrng { + package { 'rng-tools': + ensure => installed + } + service { 'rng-tools': + ensure => running, + require => Package['rng-tools'] + } + } +} diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb index 72ee42a80..018a05ebe 100644 --- a/modules/samhain/templates/samhainrc.erb +++ b/modules/samhain/templates/samhainrc.erb @@ -180,7 +180,7 @@ file=/etc/ssh/userkeys file=/etc/ssh/userkeys/staticsync <% end -%> file=/etc/rsyncd -<%- if hostname == "sibelius" then -%> +<%- if @hostname == "sibelius" then -%> file=/etc/tsm file=/etc/tsm/TSM.PWD <% end -%> @@ -945,7 +945,7 @@ SetMailNum = 10 ## Recipient (max. 8) # -SetMailAddress=samhain-reports@<%= fqdn -%> +SetMailAddress=samhain-reports@<%= @fqdn -%> SetMailRelay = localhost diff --git a/modules/site/manifests/init.pp b/modules/site/manifests/init.pp index d40571417..19a64b5bf 100644 --- a/modules/site/manifests/init.pp +++ b/modules/site/manifests/init.pp @@ -1,7 +1,7 @@ class site { - $localinfo = yamlinfo('*', '/etc/puppet/modules/debian-org/misc/local.yaml') - $nodeinfo = nodeinfo($::fqdn, '/etc/puppet/modules/debian-org/misc/local.yaml') + $localinfo = yamlinfo('*', '/etc/puppet/modules/debian_org/misc/local.yaml') + $nodeinfo = nodeinfo($::fqdn, '/etc/puppet/modules/debian_org/misc/local.yaml') $allnodeinfo = allnodeinfo('sshRSAHostKey ipHostNumber', 'purpose mXRecord physicalHost purpose') $roles = hiera('roles') diff --git a/modules/site/manifests/sysctl.pp b/modules/site/manifests/sysctl.pp index e2d8f8816..b9e343479 100644 --- a/modules/site/manifests/sysctl.pp +++ b/modules/site/manifests/sysctl.pp @@ -1,4 +1,4 @@ -define site::sysctl ($key='', $value='', $target=Linux, $ensure = present) { +define site::sysctl ($key='', $value='', $target='Linux', $ensure = present) { include site case $ensure { present: { if ($key == "" or $value == "") { fail ( "Need to provide key and value" )} } 
diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp index d86093ef3..fc576f82f 100644 --- a/modules/ssh/manifests/init.pp +++ b/modules/ssh/manifests/init.pp @@ -37,7 +37,7 @@ class ssh { content => template('ssh/authorized_keys.erb'), } - if ($::lsbmajdistrelease >= 8) { + if ($::lsbmajdistrelease >= '8') { if ! $has_etc_ssh_ssh_host_ed25519_key { exec { 'create-ed25519-host-key': command => 'ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -q -P "" -t ed25519', diff --git a/modules/ssh/templates/authorized_keys.erb b/modules/ssh/templates/authorized_keys.erb index 274654f26..ad126fa3e 100644 --- a/modules/ssh/templates/authorized_keys.erb +++ b/modules/ssh/templates/authorized_keys.erb @@ -4,7 +4,7 @@ %> # local admin -<%= localkeys = case fqdn +<%= localkeys = case @fqdn when "pettersson.debian.org" then "from=\"nixon.acc.umu.se\" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwDw56/XK0/uQB+ZIOZIfZ3vpz9zLRuv6G0U4eU4VavqvaL0dXSNhGJLBDLlfpxtJYwYf/mSoK4WZasbbfHxz8jtIxK9c9aGkVA0GKT+xiHWB3J1SlwJaA7S7Ed8nNcG5PNOVd30BD5LimkS53Nz841e+MgZRuL9SfLALq7er03U= root@nixon" end localkeys @@ -46,7 +46,7 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDJp6ryOTW7VgqEa+n6uKpi/bh2PO4P9Z/voz0zPYtP <%= machine_keys = [] -case fqdn +case @fqdn when "storace.debian.org" then roles['dabackup_client'].each do |node| if allnodeinfo.has_key?(node) diff --git a/modules/ssh/templates/ssh_config.erb b/modules/ssh/templates/ssh_config.erb index ddd755605..e132a202b 100644 --- a/modules/ssh/templates/ssh_config.erb +++ b/modules/ssh/templates/ssh_config.erb @@ -54,7 +54,7 @@ Host * GSSAPIAuthentication no GSSAPIDelegateCredentials no VerifyHostKeyDNS yes -<%- if (hostname == "sibelius") -%> +<%- if (@hostname == "sibelius") -%> ServerAliveInterval 450 <%- end -%> # Used for the email-virtualdomains setup diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb index 6330a27c4..7a8ff877c 100644 --- a/modules/ssh/templates/sshd_config.erb 
+++ b/modules/ssh/templates/sshd_config.erb @@ -8,7 +8,7 @@ # What ports, IPs and protocols we listen for Port 22 -<%= extraports = case fqdn +<%= extraports = case @fqdn when "paradis.debian.org" then " ListenAddress 0.0.0.0:22 ListenAddress [::]:22 @@ -24,7 +24,7 @@ extraports Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key -<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && has_etc_ssh_ssh_host_ed25519_key == "true" -%> +<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key == "true" -%> HostKey /etc/ssh/ssh_host_ed25519_key <% end %> #Privilege Separation is turned on for security diff --git a/modules/stunnel4/templates/stunnel.conf.erb b/modules/stunnel4/templates/stunnel.conf.erb index d2a3258ae..67cf7fd67 100644 --- a/modules/stunnel4/templates/stunnel.conf.erb +++ b/modules/stunnel4/templates/stunnel.conf.erb @@ -3,7 +3,7 @@ ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git ## -<%- if client -%> +<%- if @client -%> cert = /etc/ssl/debian/certs/thishost.crt key = /etc/ssl/private/thishost.key <%- else -%> @@ -16,11 +16,11 @@ chroot = /var/run/stunnel4 setuid = stunnel4 setgid = stunnel4 ; PID is created inside chroot jail -pid = /stunnel-<%= name %>.pid +pid = /stunnel-<%= @name %>.pid -verify = <%= verify %> -CAfile = <%= cafile %> -<%- if crlfile -%> +verify = <%= @verify %> +CAfile = <%= @cafile %> +<%- if @crlfile -%> CRLfile = /etc/exim4/ssl/ca.crl <%- end -%> 
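Review bot: In the second sshd_config.erb hunk, `@has_etc_ssh_ssh_host_ed25519_key == "true"` matches only the string form of the fact. If the fact is delivered as a real boolean, the test is false and the `HostKey /etc/ssh/ssh_host_ed25519_key` line is silently left out of the rendered sshd_config. The munin per-node template in this commit already allows for both forms of `client_munin_async`; here `@has_etc_ssh_ssh_host_ed25519_key.to_s == "true"` would cover both.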
@@ -29,16 +29,16 @@ debug = notice ; don't use a file, use syslog ; output = /var/log/stunnel4/stunnel.log -client = <%= client ? "yes" : "no" %> +client = <%= @client ? "yes" : "no" %> socket = a:SO_LINGER=1:60 socket = a:SO_KEEPALIVE=1 -[<%= name %>-server] -accept = <%= accept =~ /:/ ? accept : ":::#{accept}" %> -connect = <%= connect %> -<%- if local -%> -local = <%= local %> +[<%= @name %>-server] +accept = <%= @accept =~ /:/ ? @accept : ":::#{accept}" %> +connect = <%= @connect %> +<%- if @local -%> +local = <%= @local %> <%- end -%> ; vim:ft=dosini diff --git a/modules/syslog-ng/files/syslog-ng.default b/modules/syslog-ng/files/syslog-ng.default deleted file mode 100644 index a32c4b236..000000000 --- a/modules/syslog-ng/files/syslog-ng.default +++ /dev/null @@ -1,18 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# If a variable is not set here, then the corresponding -# parameter will not be changed. -# If a variables is set, then every invocation of -# syslog-ng's init script will set them using dmesg. - -# log level of messages which should go to console -# see for details -# -CONSOLE_LOG_LEVEL=2 - -# Command line options to syslog-ng -#SYSLOGNG_OPTS="--no-caps" - diff --git a/modules/syslog-ng/files/syslog-ng.logrotate b/modules/syslog-ng/files/syslog-ng.logrotate deleted file mode 100644 index 27143073b..000000000 --- a/modules/syslog-ng/files/syslog-ng.logrotate +++ /dev/null 
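Review bot: The fallback branch of the `accept` line in stunnel.conf.erb still interpolates the bare name, `":::#{accept}"`, although every other lookup in this template was switched to an instance variable. Bare-name access is the style this commit is moving away from, so a port-only `accept` value would probably fail to render or produce a wrong listener address. The line should read `accept = <%= @accept =~ /:/ ? @accept : ":::#{@accept}" %>`.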
@@ -1,128 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -/var/log/auth.log { - rotate 4 - missingok - notifempty - weekly - compress -} - -/var/log/cron.log { - rotate 4 - weekly - missingok - notifempty - compress -} - -/var/log/daemon.log { - rotate 7 - weekly - missingok - notifempty - compress -} - -/var/log/debug { - rotate 4 - weekly - missingok - notifempty - compress -} - -/var/log/kern.log { - rotate 4 - weekly - missingok - notifempty - compress -} - -/var/log/lpr.log { - rotate 4 - weekly - missingok - notifempty - compress -} - -/var/log/mail.err { - rotate 30 - daily - dateext - missingok - notifempty - compress -} - -/var/log/mail.info { - rotate 30 - daily - dateext - missingok - notifempty - compress -} - -/var/log/mail.log { - rotate 30 - daily - dateext - missingok - notifempty - compress - # listmaster asked for this one - delaycompress -} - -/var/log/mail.warn { - rotate 30 - daily - dateext - missingok - notifempty - compress -} - -/var/log/messages { - rotate 4 - weekly - missingok - notifempty - compress -} - - -/var/log/user.log { - rotate 4 - weekly - missingok - notifempty - compress -} - -/var/log/uucp.log { - rotate 4 - missingok - notifempty - weekly - compress -} - -/var/log/syslog { - rotate 7 - daily - compress - postrotate - if [ -d /run/systemd/system ]; then - /bin/systemctl reload syslog-ng.service >/dev/null - else - /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null - fi - endscript -} diff --git a/modules/syslog-ng/files/syslog-ng.logrotate.loggers b/modules/syslog-ng/files/syslog-ng.logrotate.loggers deleted file mode 100644 index 75212cace..000000000 --- a/modules/syslog-ng/files/syslog-ng.logrotate.loggers +++ /dev/null 
@@ -1,31 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -/var/log/mail-all.log { - rotate 4 - weekly - missingok - notifempty - compress -} - -/var/log/syslog-all { - rotate 4 - missingok - notifempty - weekly - compress -} - -/var/log/auth-all.log { - rotate 4 - missingok - notifempty - weekly - compress - postrotate - /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null - endscript -} diff --git a/modules/syslog-ng/files/syslog-ng.service b/modules/syslog-ng/files/syslog-ng.service deleted file mode 100644 index 0598277b4..000000000 --- a/modules/syslog-ng/files/syslog-ng.service +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=System Logger Daemon -Documentation=man:syslog-ng(8) -After=network-online.target unbound.service - -[Service] -Type=notify -ExecStart=/usr/sbin/syslog-ng -F -ExecReload=/bin/kill -HUP $MAINPID -StandardOutput=journal -StandardError=journal -Restart=always -RestartSec=5 - -[Install] -WantedBy=multi-user.target diff --git a/modules/syslog-ng/manifests/init.pp b/modules/syslog-ng/manifests/init.pp deleted file mode 100644 index c55b6876b..000000000 --- a/modules/syslog-ng/manifests/init.pp +++ /dev/null 
@@ -1,46 +0,0 @@ -class syslog-ng { - package { 'syslog-ng': - ensure => installed - } - - service { 'syslog-ng': - ensure => running, - hasstatus => false, - pattern => 'syslog-ng', - } - - file { '/etc/syslog-ng/syslog-ng.conf': - content => template('syslog-ng/syslog-ng.conf.erb'), - require => Package['syslog-ng'], - notify => Service['syslog-ng'] - } - file { '/etc/default/syslog-ng': - source => 'puppet:///modules/syslog-ng/syslog-ng.default', - require => Package['syslog-ng'], - notify => Service['syslog-ng'] - } - file { '/etc/logrotate.d/syslog-ng': - source => 'puppet:///modules/syslog-ng/syslog-ng.logrotate', - require => Package['syslog-ng'] - } - if $::hostname in [lotty,lully,loghost-grnet-01] { - file { '/etc/logrotate.d/syslog-ng-loggers': - source => 'puppet:///modules/syslog-ng/syslog-ng.logrotate.loggers', - require => Package['syslog-ng'] - } - } - # while syslog-ng breaks on boot - - if $systemd { - file { '/etc/systemd/system/syslog-ng.service': - ensure => $servicefiles, - source => 'puppet:///modules/syslog-ng/syslog-ng.service', - notify => Exec['systemctl daemon-reload'], - } - - file { '/etc/systemd/system/syslog.service': - ensure => absent, - notify => Exec['systemctl daemon-reload'], - } - } -} diff --git a/modules/syslog-ng/templates/syslog-ng.conf.erb b/modules/syslog-ng/templates/syslog-ng.conf.erb deleted file mode 100644 index 551b7dbc5..000000000 --- a/modules/syslog-ng/templates/syslog-ng.conf.erb +++ /dev/null 
@@ -1,556 +0,0 @@ -<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%> -@version: 3.0 -<%- elsif has_variable?("syslogversion") and syslogversion.to_s == "3.5" -%> -@version: 3.5 -@include "scl.conf" -<%- else -%> -@version: 3.3 -@include "scl.conf" -<%- end -%> - -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# -# Configuration file for syslog-ng under Debian -# -# attempts at reproducing default syslog behavior - -# the standard syslog levels are (in descending order of priority): -# emerg alert crit err warning notice info debug -# the aliases "error", "panic", and "warn" are deprecated -# the "none" priority found in the original syslogd configuration is -# only used in internal messages created by syslogd - - -###### -# options - -options { - # disable the chained hostname format in logs - # (default is enabled) - chain_hostnames(1); - - # the time to wait before a died connection is re-established - # (default is 60) - time_reopen(10); - - # the time to wait before an idle destination file is closed - # (default is 60) - time_reap(360); - - # the number of lines buffered before written to file - # you might want to increase this if your disk isn't catching with - # all the log messages you get or if you want less disk activity - # (say on a laptop) - # (default is 0) - #sync(0); - - # the number of lines fitting in the output queue -<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%> - log_fifo_size(2048); -<%- else -%> - log_fifo_size(10000); -<%- end -%> - - # enable or disable directory creation for destination files - create_dirs(yes); - - # default owner, group, and permissions for log files - # (defaults are 0, 0, 0600) - #owner(root); - group(adm); - perm(0640); - - # default owner, group, and permissions for created directories - # (defaults are 0, 0, 0700) - #dir_owner(root); - 
#dir_group(root); - dir_perm(0755); - - # enable or disable DNS usage - # syslog-ng blocks on DNS queries, so enabling DNS may lead to - # a Denial of Service attack - # (default is yes) - use_dns(no); - - # maximum length of message in bytes - # this is only limited by the program listening on the /dev/log Unix - # socket, glibc can handle arbitrary length log messages, but -- for - # example -- syslogd accepts only 1024 bytes - # (default is 2048) - #log_msg_size(2048); - - #Disable statistic log messages. - stats_freq(0); - - # Some program send log messages through a private implementation. - # and sometimes that implementation is bad. If this happen syslog-ng - # may recognise the program name as hostname. Whit this option - # we tell the syslog-ng that if a hostname match this regexp than that - # is not a real hostname. - bad_hostname("^gconfd$"); - - keep_hostname(no); - - # We believe our own clock more than we believe the client clock. - keep_timestamp(no); -}; - - -###### -# sources - -# all known message sources -source s_local { - # message generated by Syslog-NG - internal(); -<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%> - # standard Linux log source (this is the default place for the syslog() - # function to send logs to) - unix-stream("/dev/log"); - # messages from the kernel - file("/proc/kmsg" program_override("kernel: ")); -<%- else -%> - system(); -<%- end -%> -}; - -<%- if (hostname == "lotti") || (hostname == "lully") || (hostname == "loghost-grnet-01") -%> -source s_network { - tcp6(port(5140) max-connections(400) - tls( key_file("/etc/exim4/ssl/thishost.key") - cert_file("/etc/exim4/ssl/thishost.crt") - ca_dir("/etc/exim4/ssl/") - ) - ); -}; -<%- end -%> - - -###### -# destinations - -# some standard log files -destination df_auth { file("/var/log/auth.log"); }; -destination df_syslog { file("/var/log/syslog"); }; -destination df_cron { file("/var/log/cron.log"); }; -destination df_daemon { 
file("/var/log/daemon.log"); }; -destination df_kern { file("/var/log/kern.log"); }; -destination df_lpr { file("/var/log/lpr.log"); }; -destination df_mail { file("/var/log/mail.log" group(maillog)); }; -# destination df_mail_info { file("/var/log/mail.info" group(maillog)); }; -destination df_mail_warn { file("/var/log/mail.warn" group(maillog)); }; -destination df_mail_err { file("/var/log/mail.err" group(maillog)); }; -destination df_user { file("/var/log/user.log" perm(0644)); }; -destination df_uucp { file("/var/log/uucp.log"); }; - -# these files are meant for the mail system log files -# and provide re-usable destinations for {mail,cron,...}.info, -# {mail,cron,...}.notice, etc. -destination df_facility_dot_info { file("/var/log/$FACILITY.info"); }; -destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); }; -destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); }; -destination df_facility_dot_err { file("/var/log/$FACILITY.err"); }; -destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); }; - -# these files are meant for the news system, and are kept separated -# because they should be owned by "news" instead of "root" -destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); }; -destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); }; -destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); }; - -# some more classical and useful files found in standard syslog configurations -destination df_debug { file("/var/log/debug"); }; -destination df_messages { file("/var/log/messages"); }; - -<%- if kernel == 'Linux' -%> -# pipes -# a console to view log messages under X -destination dp_xconsole { pipe("/dev/xconsole"); }; - -<%- end -%> -# consoles -# this will send messages to everyone logged in -destination du_all { usertty("*"); }; - - -###### -# filters - -# all messages from the auth and authpriv facilities -filter f_auth { facility(auth, authpriv); 
}; - -# all messages except from the auth and authpriv facilities -filter f_syslog { not facility(auth, authpriv, mail); }; - -# respectively: messages from the cron, daemon, kern, lpr, mail, news, user, -# and uucp facilities -filter f_cron { facility(cron); }; -filter f_daemon { facility(daemon); }; -filter f_kern { facility(kern); }; -filter f_lpr { facility(lpr); }; -filter f_mail { facility(mail); }; -filter f_news { facility(news); }; -filter f_user { facility(user); }; -filter f_uucp { facility(uucp); }; - -# some filters to select messages of priority greater or equal to info, warn, -# and err -# (equivalents of syslogd's *.info, *.warn, and *.err) -filter f_at_least_info { level(info..emerg); }; -filter f_at_least_notice { level(notice..emerg); }; -filter f_at_least_warn { level(warn..emerg); }; -filter f_at_least_err { level(err..emerg); }; -filter f_at_least_crit { level(crit..emerg); }; - -# all messages of priority debug not coming from the auth, authpriv, news, and -# mail facilities -filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); }; - -# all messages of info, notice, or warn priority not coming form the auth, -# authpriv, cron, daemon, mail, and news facilities -filter f_messages { - level(info,notice,warn) - and not facility(auth,authpriv,cron,daemon,mail,news); -}; - -# messages with priority emerg -filter f_emerg { level(emerg); }; - -<%- if kernel == 'Linux' -%> -# complex filter for messages usually sent to the xconsole -filter f_xconsole { - facility(daemon,mail) - or level(debug,info,notice,warn) - or (facility(news) - and level(crit,err,notice)); -}; - -<%- end -%> - -# order matters if you use "flags(final);" to mark the end of processing in a -# "log" statement - -############################################################################### -########## ON LOG CLIENTS ##################################################### -############################################################################### 
-############################################################################### -############################################################################### -# all log clients, including the log server, log their locally created -# messages to the standard places. - -# auth,authpriv.* /var/log/auth.log -log { - source(s_local); - filter(f_auth); - destination(df_auth); -}; - -# *.*;auth,authpriv.none -/var/log/syslog -log { - source(s_local); - filter(f_syslog); - destination(df_syslog); -}; - -# this is commented out in the default syslog.conf -# cron.* /var/log/cron.log -#log { -# source(s_local); -# filter(f_cron); -# destination(df_cron); -#}; - -# daemon.* -/var/log/daemon.log -log { - source(s_local); - filter(f_daemon); - destination(df_daemon); -}; - -# kern.* -/var/log/kern.log -log { - source(s_local); - filter(f_kern); - destination(df_kern); -}; - -# lpr.* -/var/log/lpr.log -log { - source(s_local); - filter(f_lpr); - destination(df_lpr); -}; - -# mail.* -/var/log/mail.log -log { - source(s_local); - filter(f_mail); - destination(df_mail); -}; - -# user.* -/var/log/user.log -log { - source(s_local); - filter(f_user); - destination(df_user); -}; - -# uucp.* /var/log/uucp.log -log { - source(s_local); - filter(f_uucp); - destination(df_uucp); -}; - -# mail.info -/var/log/mail.info -#log { -# source(s_local); -# filter(f_mail); -# filter(f_at_least_info); -# destination(df_mail_info); -#}; - -# mail.warn -/var/log/mail.warn -log { - source(s_local); - filter(f_mail); - filter(f_at_least_warn); - destination(df_mail_warn); -}; - -# mail.err /var/log/mail.err -log { - source(s_local); - filter(f_mail); - filter(f_at_least_err); - destination(df_mail_err); -}; - -# news.crit /var/log/news/news.crit -log { - source(s_local); - filter(f_news); - filter(f_at_least_crit); - destination(df_news_dot_crit); -}; - -# news.err /var/log/news/news.err -log { - source(s_local); - filter(f_news); - filter(f_at_least_err); - destination(df_news_dot_err); -}; - -# 
news.notice /var/log/news/news.notice -log { - source(s_local); - filter(f_news); - filter(f_at_least_notice); - destination(df_news_dot_notice); -}; - - -# *.=debug;\ -# auth,authpriv.none;\ -# news.none;mail.none -/var/log/debug -log { - source(s_local); - filter(f_debug); - destination(df_debug); -}; - - -# *.=info;*.=notice;*.=warn;\ -# auth,authpriv.none;\ -# cron,daemon.none;\ -# mail,news.none -/var/log/messages -log { - source(s_local); - filter(f_messages); - destination(df_messages); -}; - -# *.emerg * -log { - source(s_local); - filter(f_emerg); - destination(du_all); -}; - - -<%- if kernel == 'Linux' -%> -# daemon.*;mail.*;\ -# news.crit;news.err;news.notice;\ -# *.=debug;*.=info;\ -# *.=notice;*.=warn |/dev/xconsole -log { - source(s_local); - filter(f_xconsole); - destination(dp_xconsole); -}; -<%- end -%> - - - <%- if hostname != "lotti" -%> -destination loghost-lotti { - tcp("lotti.debian.org" port (5140) - tls( key_file("/etc/ssl/private/thishost.key") - cert_file("/etc/ssl/debian/certs/thishost.crt") - ca_dir("/etc/ssl/debian/certs/") - ) - ); -}; - <%- end -%> - <%- if hostname != "lully" -%> -destination loghost-lully { - tcp("lully.debian.org" port (5140) - tls( key_file("/etc/ssl/private/thishost.key") - cert_file("/etc/ssl/debian/certs/thishost.crt") - ca_dir("/etc/ssl/debian/certs/") - ) - ); -}; - <%- end -%> - <%- if hostname != "loghost-grnet-01" -%> -destination loghost-loghost-grnet-01 { - tcp("loghost-grnet-01.debian.org" port (5140) - tls( key_file("/etc/ssl/private/thishost.key") - cert_file("/etc/ssl/debian/certs/thishost.crt") - ca_dir("/etc/ssl/debian/certs/") - ) - ); -}; - <%- end -%> - -log { - source(s_local); - <%- if hostname != "lotti" -%> - destination(loghost-lotti); - <%- end -%> - <%- if hostname != "lully" -%> - destination(loghost-lully); - <%- end -%> - <%- if hostname != "loghost-grnet-01" -%> - destination(loghost-loghost-grnet-01); - <%- end -%> -}; - - - -<%- if (hostname == "lotti") || (hostname == "lully") || 
(hostname == "loghost-grnet-01") -%> -############################################################################### -########## ON LOG HOST ######################################################## -############################################################################### -############################################################################### -# -# The log server, additionally, also logs all local and remote messages to -# a few special places. -destination hostdest_auth { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/auth.log" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_syslog { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/syslog" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_cron { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/cron.log" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_daemon { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/daemon.log" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_kern { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/kern.log" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_lpr { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/lpr.log" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_mail { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/mail.log" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_news { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/news.log" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_user { 
file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/user.log" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_uucp { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/uucp.log" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_debug { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/debug" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_messages { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/messages" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; - - -#---------------------------------------------------------------------- -# Special catch all destination hostdest_sorting by host -#---------------------------------------------------------------------- -destination hostdest_facility_dot_info { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.info" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_facility_dot_notice { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.notice" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_facility_dot_warn { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.warn" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_facility_dot_err { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.err" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; -destination hostdest_facility_dot_crit { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.crit" - owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); }; - - 
-#---------------------------------------------------------------------- -# Catch all log files -#---------------------------------------------------------------------- -destination df_ALL_auth { file("/var/log/auth-all.log"); }; -destination df_ALL_mail { file("/var/log/mail-all.log"); }; -destination df_ALL_syslog { file("/var/log/syslog-all"); }; - -log { source(s_local); - source(s_network); - filter(f_auth); destination(hostdest_auth); }; -log { source(s_local); - source(s_network); - filter(f_syslog); destination(hostdest_syslog); }; -log { source(s_local); - source(s_network); - filter(f_daemon); destination(hostdest_daemon); }; -log { source(s_local); - source(s_network); - filter(f_kern); destination(hostdest_kern); }; -log { source(s_local); - source(s_network); - filter(f_lpr); destination(hostdest_lpr); }; -log { source(s_local); - source(s_network); - filter(f_mail); destination(hostdest_mail); }; -log { source(s_local); - source(s_network); - filter(f_news); destination(hostdest_mail); }; -log { source(s_local); - source(s_network); - filter(f_user); destination(hostdest_user); }; -log { source(s_local); - source(s_network); - filter(f_uucp); destination(hostdest_uucp); }; -log { source(s_local); - source(s_network); - filter(f_debug); destination(hostdest_debug); }; -log { source(s_local); - source(s_network); - filter(f_messages); destination(hostdest_messages); }; - -log { source(s_local); - source(s_network); - filter(f_mail); filter(f_at_least_info); destination(hostdest_facility_dot_info); }; -log { source(s_local); - source(s_network); - filter(f_mail); filter(f_at_least_warn); destination(hostdest_facility_dot_warn); }; -log { source(s_local); - source(s_network); - filter(f_mail); filter(f_at_least_err); destination(hostdest_facility_dot_err); }; - - -## catch all: -log { source(s_local); - source(s_network); - filter(f_auth); destination(df_ALL_auth); }; -log { source(s_local); - source(s_network); - filter(f_mail); destination(df_ALL_mail); 
}; -log { source(s_local); - source(s_network); - filter(f_syslog); destination(df_ALL_syslog); }; -<%- end -%> diff --git a/modules/syslog_ng/files/syslog-ng.default b/modules/syslog_ng/files/syslog-ng.default new file mode 100644 index 000000000..a32c4b236 --- /dev/null +++ b/modules/syslog_ng/files/syslog-ng.default @@ -0,0 +1,18 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +# If a variable is not set here, then the corresponding +# parameter will not be changed. +# If a variables is set, then every invocation of +# syslog-ng's init script will set them using dmesg. + +# log level of messages which should go to console +# see for details +# +CONSOLE_LOG_LEVEL=2 + +# Command line options to syslog-ng +#SYSLOGNG_OPTS="--no-caps" + diff --git a/modules/syslog_ng/files/syslog-ng.logrotate b/modules/syslog_ng/files/syslog-ng.logrotate new file mode 100644 index 000000000..27143073b --- /dev/null +++ b/modules/syslog_ng/files/syslog-ng.logrotate 
@@ -0,0 +1,128 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +/var/log/auth.log { + rotate 4 + missingok + notifempty + weekly + compress +} + +/var/log/cron.log { + rotate 4 + weekly + missingok + notifempty + compress +} + +/var/log/daemon.log { + rotate 7 + weekly + missingok + notifempty + compress +} + +/var/log/debug { + rotate 4 + weekly + missingok + notifempty + compress +} + +/var/log/kern.log { + rotate 4 + weekly + missingok + notifempty + compress +} + +/var/log/lpr.log { + rotate 4 + weekly + missingok + notifempty + compress +} + +/var/log/mail.err { + rotate 30 + daily + dateext + missingok + notifempty + compress +} + +/var/log/mail.info { + rotate 30 + daily + dateext + missingok + notifempty + compress +} + +/var/log/mail.log { + rotate 30 + daily + dateext + missingok + notifempty + compress + # listmaster asked for this one + delaycompress +} + +/var/log/mail.warn { + rotate 30 + daily + dateext + missingok + notifempty + compress +} + +/var/log/messages { + rotate 4 + weekly + missingok + notifempty + compress +} + + +/var/log/user.log { + rotate 4 + weekly + missingok + notifempty + compress +} + +/var/log/uucp.log { + rotate 4 + missingok + notifempty + weekly + compress +} + +/var/log/syslog { + rotate 7 + daily + compress + postrotate + if [ -d /run/systemd/system ]; then + /bin/systemctl reload syslog-ng.service >/dev/null + else + /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null + fi + endscript +} diff --git a/modules/syslog_ng/files/syslog-ng.logrotate.loggers b/modules/syslog_ng/files/syslog-ng.logrotate.loggers new file mode 100644 index 000000000..75212cace --- /dev/null +++ b/modules/syslog_ng/files/syslog-ng.logrotate.loggers 
@@ -0,0 +1,31 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +/var/log/mail-all.log { + rotate 4 + weekly + missingok + notifempty + compress +} + +/var/log/syslog-all { + rotate 4 + missingok + notifempty + weekly + compress +} + +/var/log/auth-all.log { + rotate 4 + missingok + notifempty + weekly + compress + postrotate + /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null + endscript +} diff --git a/modules/syslog_ng/files/syslog-ng.service b/modules/syslog_ng/files/syslog-ng.service new file mode 100644 index 000000000..0598277b4 --- /dev/null +++ b/modules/syslog_ng/files/syslog-ng.service @@ -0,0 +1,16 @@ +[Unit] +Description=System Logger Daemon +Documentation=man:syslog-ng(8) +After=network-online.target unbound.service + +[Service] +Type=notify +ExecStart=/usr/sbin/syslog-ng -F +ExecReload=/bin/kill -HUP $MAINPID +StandardOutput=journal +StandardError=journal +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target diff --git a/modules/syslog_ng/manifests/init.pp b/modules/syslog_ng/manifests/init.pp new file mode 100644 index 000000000..a9b520673 --- /dev/null +++ b/modules/syslog_ng/manifests/init.pp 
@@ -0,0 +1,46 @@ +class syslog_ng { + package { 'syslog-ng': + ensure => installed + } + + service { 'syslog-ng': + ensure => running, + hasstatus => false, + pattern => 'syslog-ng', + } + + file { '/etc/syslog-ng/syslog-ng.conf': + content => template('syslog_ng/syslog-ng.conf.erb'), + require => Package['syslog-ng'], + notify => Service['syslog-ng'] + } + file { '/etc/default/syslog-ng': + source => 'puppet:///modules/syslog_ng/syslog-ng.default', + require => Package['syslog-ng'], + notify => Service['syslog-ng'] + } + file { '/etc/logrotate.d/syslog-ng': + source => 'puppet:///modules/syslog_ng/syslog-ng.logrotate', + require => Package['syslog-ng'] + } + if $::hostname in [lotty,lully,loghost-grnet-01] { + file { '/etc/logrotate.d/syslog-ng-loggers': + source => 'puppet:///modules/syslog_ng/syslog-ng.logrotate.loggers', + require => Package['syslog-ng'] + } + } + # while syslog-ng breaks on boot + + if $systemd { + file { '/etc/systemd/system/syslog-ng.service': + ensure => $servicefiles, + source => 'puppet:///modules/syslog_ng/syslog-ng.service', + notify => Exec['systemctl daemon-reload'], + } + + file { '/etc/systemd/system/syslog.service': + ensure => absent, + notify => Exec['systemctl daemon-reload'], + } + } +} diff --git a/modules/syslog_ng/templates/syslog-ng.conf.erb b/modules/syslog_ng/templates/syslog-ng.conf.erb new file mode 100644 index 000000000..d68fe0cdd --- /dev/null +++ b/modules/syslog_ng/templates/syslog-ng.conf.erb 
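Review bot: The host list guarding `/etc/logrotate.d/syslog-ng-loggers` in the new syslog_ng/manifests/init.pp spells the first host `lotty`, while the syslog-ng.conf.erb template added in the same commit tests `@hostname == "lotti"` and sends to `lotti.debian.org`. The spelling is carried over unchanged from the old module. If `lotti` is the real name, that log host never receives the rotation rules for `/var/log/auth-all.log`, `/var/log/mail-all.log` and `/var/log/syslog-all`. The list also relies on unquoted barewords; quoting it matches the other comparisons touched by this commit: `if $::hostname in ['lotti', 'lully', 'loghost-grnet-01'] {`.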
@@ -0,0 +1,556 @@
+<%- if has_variable?("syslogversion") and @syslogversion.to_s == "3.1" -%>
+@version: 3.0
+<%- elsif has_variable?("syslogversion") and @syslogversion.to_s == "3.5" -%>
+@version: 3.5
+@include "scl.conf"
+<%- else -%>
+@version: 3.3
+@include "scl.conf"
+<%- end -%>
+
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# Configuration file for syslog-ng under Debian
+#
+# attempts at reproducing default syslog behavior
+
+# the standard syslog levels are (in descending order of priority):
+# emerg alert crit err warning notice info debug
+# the aliases "error", "panic", and "warn" are deprecated
+# the "none" priority found in the original syslogd configuration is
+# only used in internal messages created by syslogd
+
+
+######
+# options
+
+options {
+ # disable the chained hostname format in logs
+ # (default is enabled)
+ chain_hostnames(1);
+
+ # the time to wait before a died connection is re-established
+ # (default is 60)
+ time_reopen(10);
+
+ # the time to wait before an idle destination file is closed
+ # (default is 60)
+ time_reap(360);
+
+ # the number of lines buffered before written to file
+ # you might want to increase this if your disk isn't catching with
+ # all the log messages you get or if you want less disk activity
+ # (say on a laptop)
+ # (default is 0)
+ #sync(0);
+
+ # the number of lines fitting in the output queue
+<%- if has_variable?("syslogversion") and @syslogversion.to_s == "3.1" -%>
+ log_fifo_size(2048);
+<%- else -%>
+ log_fifo_size(10000);
+<%- end -%>
+
+ # enable or disable directory creation for destination files
+ create_dirs(yes);
+
+ # default owner, group, and permissions for log files
+ # (defaults are 0, 0, 0600)
+ #owner(root);
+ group(adm);
+ perm(0640);
+
+ # default owner, group, and permissions for created directories
+ # (defaults are 0, 0, 0700)
+ #dir_owner(root);
+ #dir_group(root);
+ dir_perm(0755);
+
+ # enable or disable DNS usage
+ # syslog-ng blocks on DNS queries, so enabling DNS may lead to
+ # a Denial of Service attack
+ # (default is yes)
+ use_dns(no);
+
+ # maximum length of message in bytes
+ # this is only limited by the program listening on the /dev/log Unix
+ # socket, glibc can handle arbitrary length log messages, but -- for
+ # example -- syslogd accepts only 1024 bytes
+ # (default is 2048)
+ #log_msg_size(2048);
+
+ #Disable statistic log messages.
+ stats_freq(0);
+
+ # Some program send log messages through a private implementation.
+ # and sometimes that implementation is bad. If this happen syslog-ng
+ # may recognise the program name as hostname. Whit this option
+ # we tell the syslog-ng that if a hostname match this regexp than that
+ # is not a real hostname.
+ bad_hostname("^gconfd$");
+
+ keep_hostname(no);
+
+ # We believe our own clock more than we believe the client clock.
+ keep_timestamp(no);
+};
+
+
+######
+# sources
+
+# all known message sources
+source s_local {
+ # message generated by Syslog-NG
+ internal();
+<%- if has_variable?("syslogversion") and @syslogversion.to_s == "3.1" -%>
+ # standard Linux log source (this is the default place for the syslog()
+ # function to send logs to)
+ unix-stream("/dev/log");
+ # messages from the kernel
+ file("/proc/kmsg" program_override("kernel: "));
+<%- else -%>
+ system();
+<%- end -%>
+};
+
+<%- if (@hostname == "lotti") || (@hostname == "lully") || (@hostname == "loghost-grnet-01") -%>
+source s_network {
+ tcp6(port(5140) max-connections(400)
+ tls( key_file("/etc/exim4/ssl/thishost.key")
+ cert_file("/etc/exim4/ssl/thishost.crt")
+ ca_dir("/etc/exim4/ssl/")
+ )
+ );
+};
+<%- end -%>
+
+
+######
+# destinations
+
+# some standard log files
+destination df_auth { file("/var/log/auth.log"); };
+destination df_syslog { file("/var/log/syslog"); };
+destination df_cron { file("/var/log/cron.log"); };
+destination df_daemon { file("/var/log/daemon.log"); };
+destination df_kern { file("/var/log/kern.log"); };
+destination df_lpr { file("/var/log/lpr.log"); };
+destination df_mail { file("/var/log/mail.log" group(maillog)); };
+# destination df_mail_info { file("/var/log/mail.info" group(maillog)); };
+destination df_mail_warn { file("/var/log/mail.warn" group(maillog)); };
+destination df_mail_err { file("/var/log/mail.err" group(maillog)); };
+destination df_user { file("/var/log/user.log" perm(0644)); };
+destination df_uucp { file("/var/log/uucp.log"); };
+
+# these files are meant for the mail system log files
+# and provide re-usable destinations for {mail,cron,...}.info,
+# {mail,cron,...}.notice, etc.
+destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
+destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
+destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
+destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
+destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
+
+# these files are meant for the news system, and are kept separated
+# because they should be owned by "news" instead of "root"
+destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
+destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
+destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };
+
+# some more classical and useful files found in standard syslog configurations
+destination df_debug { file("/var/log/debug"); };
+destination df_messages { file("/var/log/messages"); };
+
+<%- if @kernel == 'Linux' -%>
+# pipes
+# a console to view log messages under X
+destination dp_xconsole { pipe("/dev/xconsole"); };
+
+<%- end -%>
+# consoles
+# this will send messages to everyone logged in
+destination du_all { usertty("*"); };
+
+
+######
+# filters
+
+# all messages from the auth and authpriv facilities
+filter f_auth { facility(auth, authpriv); };
+
+# all messages except from the auth and authpriv facilities
+filter f_syslog { not facility(auth, authpriv, mail); };
+
+# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
+# and uucp facilities
+filter f_cron { facility(cron); };
+filter f_daemon { facility(daemon); };
+filter f_kern { facility(kern); };
+filter f_lpr { facility(lpr); };
+filter f_mail { facility(mail); };
+filter f_news { facility(news); };
+filter f_user { facility(user); };
+filter f_uucp { facility(uucp); };
+
+# some filters to select messages of priority greater or equal to info, warn,
+# and err
+# (equivalents of syslogd's *.info, *.warn, and *.err)
+filter f_at_least_info { level(info..emerg); };
+filter f_at_least_notice { level(notice..emerg); };
+filter f_at_least_warn { level(warn..emerg); };
+filter f_at_least_err { level(err..emerg); };
+filter f_at_least_crit { level(crit..emerg); };
+
+# all messages of priority debug not coming from the auth, authpriv, news, and
+# mail facilities
+filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
+
+# all messages of info, notice, or warn priority not coming form the auth,
+# authpriv, cron, daemon, mail, and news facilities
+filter f_messages {
+ level(info,notice,warn)
+ and not facility(auth,authpriv,cron,daemon,mail,news);
+};
+
+# messages with priority emerg
+filter f_emerg { level(emerg); };
+
+<%- if @kernel == 'Linux' -%>
+# complex filter for messages usually sent to the xconsole
+filter f_xconsole {
+ facility(daemon,mail)
+ or level(debug,info,notice,warn)
+ or (facility(news)
+ and level(crit,err,notice));
+};
+
+<%- end -%>
+
+# order matters if you use "flags(final);" to mark the end of processing in a
+# "log" statement
+
+###############################################################################
+########## ON LOG CLIENTS #####################################################
+###############################################################################
+###############################################################################
+###############################################################################
+# all log clients, including the log server, log their locally created
+# messages to the standard places.
+
+# auth,authpriv.* /var/log/auth.log
+log {
+ source(s_local);
+ filter(f_auth);
+ destination(df_auth);
+};
+
+# *.*;auth,authpriv.none -/var/log/syslog
+log {
+ source(s_local);
+ filter(f_syslog);
+ destination(df_syslog);
+};
+
+# this is commented out in the default syslog.conf
+# cron.* /var/log/cron.log
+#log {
+# source(s_local);
+# filter(f_cron);
+# destination(df_cron);
+#};
+
+# daemon.* -/var/log/daemon.log
+log {
+ source(s_local);
+ filter(f_daemon);
+ destination(df_daemon);
+};
+
+# kern.* -/var/log/kern.log
+log {
+ source(s_local);
+ filter(f_kern);
+ destination(df_kern);
+};
+
+# lpr.* -/var/log/lpr.log
+log {
+ source(s_local);
+ filter(f_lpr);
+ destination(df_lpr);
+};
+
+# mail.* -/var/log/mail.log
+log {
+ source(s_local);
+ filter(f_mail);
+ destination(df_mail);
+};
+
+# user.* -/var/log/user.log
+log {
+ source(s_local);
+ filter(f_user);
+ destination(df_user);
+};
+
+# uucp.* /var/log/uucp.log
+log {
+ source(s_local);
+ filter(f_uucp);
+ destination(df_uucp);
+};
+
+# mail.info -/var/log/mail.info
+#log {
+# source(s_local);
+# filter(f_mail);
+# filter(f_at_least_info);
+# destination(df_mail_info);
+#};
+
+# mail.warn -/var/log/mail.warn
+log {
+ source(s_local);
+ filter(f_mail);
+ filter(f_at_least_warn);
+ destination(df_mail_warn);
+};
+
+# mail.err /var/log/mail.err
+log {
+ source(s_local);
+ filter(f_mail);
+ filter(f_at_least_err);
+ destination(df_mail_err);
+};
+
+# news.crit /var/log/news/news.crit
+log {
+ source(s_local);
+ filter(f_news);
+ filter(f_at_least_crit);
+ destination(df_news_dot_crit);
+};
+
+# news.err /var/log/news/news.err
+log {
+ source(s_local);
+ filter(f_news);
+ filter(f_at_least_err);
+ destination(df_news_dot_err);
+};
+
+# news.notice /var/log/news/news.notice
+log {
+ source(s_local);
+ filter(f_news);
+ filter(f_at_least_notice);
+ destination(df_news_dot_notice);
+};
+
+
+# *.=debug;\
+# auth,authpriv.none;\
+# news.none;mail.none -/var/log/debug
+log {
+ source(s_local);
+ filter(f_debug);
+ destination(df_debug);
+};
+
+
+# *.=info;*.=notice;*.=warn;\
+# auth,authpriv.none;\
+# cron,daemon.none;\
+# mail,news.none -/var/log/messages
+log {
+ source(s_local);
+ filter(f_messages);
+ destination(df_messages);
+};
+
+# *.emerg *
+log {
+ source(s_local);
+ filter(f_emerg);
+ destination(du_all);
+};
+
+
+<%- if @kernel == 'Linux' -%>
+# daemon.*;mail.*;\
+# news.crit;news.err;news.notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn |/dev/xconsole
+log {
+ source(s_local);
+ filter(f_xconsole);
+ destination(dp_xconsole);
+};
+<%- end -%>
+
+
+ <%- if @hostname != "lotti" -%>
+destination loghost-lotti {
+ tcp("lotti.debian.org" port (5140)
+ tls( key_file("/etc/ssl/private/thishost.key")
+ cert_file("/etc/ssl/debian/certs/thishost.crt")
+ ca_dir("/etc/ssl/debian/certs/")
+ )
+ );
+};
+ <%- end -%>
+ <%- if @hostname != "lully" -%>
+destination loghost-lully {
+ tcp("lully.debian.org" port (5140)
+ tls( key_file("/etc/ssl/private/thishost.key")
+ cert_file("/etc/ssl/debian/certs/thishost.crt")
+ ca_dir("/etc/ssl/debian/certs/")
+ )
+ );
+};
+ <%- end -%>
+ <%- if @hostname != "loghost-grnet-01" -%>
+destination loghost-loghost-grnet-01 {
+ tcp("loghost-grnet-01.debian.org" port (5140)
+ tls( key_file("/etc/ssl/private/thishost.key")
+ cert_file("/etc/ssl/debian/certs/thishost.crt")
+ ca_dir("/etc/ssl/debian/certs/")
+ )
+ );
+};
+ <%- end -%>
+
+log {
+ source(s_local);
+ <%- if @hostname != "lotti" -%>
+ destination(loghost-lotti);
+ <%- end -%>
+ <%- if @hostname != "lully" -%>
+ destination(loghost-lully);
+ <%- end -%>
+ <%- if @hostname != "loghost-grnet-01" -%>
+ destination(loghost-loghost-grnet-01);
+ <%- end -%>
+};
+
+
+
+<%- if (@hostname == "lotti") || (@hostname == "lully") || (@hostname == "loghost-grnet-01") -%>
+###############################################################################
+########## ON LOG HOST ########################################################
+###############################################################################
+###############################################################################
+#
+# The log server, additionally, also logs all local and remote messages to
+# a few special places.
+destination hostdest_auth { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/auth.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_syslog { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/syslog"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_cron { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/cron.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_daemon { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/daemon.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_kern { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/kern.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_lpr { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/lpr.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_mail { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/mail.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_news { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/news.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_user { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/user.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_uucp { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/uucp.log"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_debug { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/debug"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_messages { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/messages"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+
+
+#----------------------------------------------------------------------
+# Special catch all destination hostdest_sorting by host
+#----------------------------------------------------------------------
+destination hostdest_facility_dot_info { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.info"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_notice { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.notice"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_warn { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.warn"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_err { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.err"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+destination hostdest_facility_dot_crit { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.crit"
+ owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
+
+
+#----------------------------------------------------------------------
+# Catch all log files
+#----------------------------------------------------------------------
+destination df_ALL_auth { file("/var/log/auth-all.log"); };
+destination df_ALL_mail { file("/var/log/mail-all.log"); };
+destination df_ALL_syslog { file("/var/log/syslog-all"); };
+
+log { source(s_local);
+ source(s_network);
+ filter(f_auth); destination(hostdest_auth); };
+log { source(s_local);
+ source(s_network);
+ filter(f_syslog); destination(hostdest_syslog); };
+log { source(s_local);
+ source(s_network);
+ filter(f_daemon); destination(hostdest_daemon); };
+log { source(s_local);
+ source(s_network);
+ filter(f_kern); destination(hostdest_kern); };
+log { source(s_local);
+ source(s_network);
+ filter(f_lpr); destination(hostdest_lpr); };
+log { source(s_local);
+ source(s_network);
+ filter(f_mail); destination(hostdest_mail); };
+log { source(s_local);
+ source(s_network);
+ filter(f_news); destination(hostdest_mail); };
+log { source(s_local);
+ source(s_network);
+ filter(f_user); destination(hostdest_user); };
+log { source(s_local);
+ source(s_network);
+ filter(f_uucp); destination(hostdest_uucp); };
+log { source(s_local);
+ source(s_network);
+ filter(f_debug); destination(hostdest_debug); };
+log { source(s_local);
+ source(s_network);
+ filter(f_messages); destination(hostdest_messages); };
+
+log { source(s_local);
+ source(s_network);
+ filter(f_mail); filter(f_at_least_info); destination(hostdest_facility_dot_info); };
+log { source(s_local);
+ source(s_network);
+ filter(f_mail); filter(f_at_least_warn); destination(hostdest_facility_dot_warn); };
+log { source(s_local);
+ source(s_network);
+ filter(f_mail); filter(f_at_least_err); destination(hostdest_facility_dot_err); };
+
+
+## catch all:
+log { source(s_local);
+ source(s_network);
+ filter(f_auth); destination(df_ALL_auth); };
+log { source(s_local);
+ source(s_network);
+ filter(f_mail); destination(df_ALL_mail); };
+log { source(s_local);
+ source(s_network);
+ filter(f_syslog); destination(df_ALL_syslog); };
+<%- end -%>
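Review bot: In the log-host section, the statement `filter(f_news); destination(hostdest_mail); };` writes news-facility messages into the per-host mail log, while `hostdest_news` is defined a few lines above and never used; it should read `filter(f_news); destination(hostdest_news); };`. In the `options` block, the comment above `chain_hostnames(1);` says the chained hostname format is being disabled while the value enables it, so either the comment or the value needs correcting. The `tls(...)` blocks on `s_network` and on the three `loghost-*` destinations rely on syslog-ng's default peer verification; stating `peer_verify(required-trusted)` explicitly would document that only peers with a certificate from the configured `ca_dir` are meant to be accepted.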