From: Martin Zobel-Helas Date: Sun, 19 Mar 2017 09:35:29 +0000 (+0100) Subject: Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa... X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=b529b139a60ea8355089511737c8264185d8d074;hp=13b91f323e3b367fd847507deb689902d1885e3e;p=mirror%2Fdsa-puppet.git Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet * 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet: (32 commits) Do not use sslname empty string for no ssl Make scores of webserver related templates compile Fix historical mirror apache template make order a string fix torrc-header tempate fix rsync site module if we do not have specific binds, we use the empty string to signal that Fix stunnel template Attempt to fix version comparisons Fix munin::conf for new puppet Fix schroot-buildd/fstab.erb template Remove wheezy support in schroot files Remove wheezy support in buildd files Make concat::fragment order parameter be a string buildd: fix lsbmajdistrelease calls fix template fix two templates fix two templates rename nfs-server to nfs_server remove rng-tools without hwrandom ... --- diff --git a/manifests/site.pp b/manifests/site.pp index 28a443c29..97e962abe 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -40,6 +40,9 @@ node default { include grub include multipath include popcon + include portforwarder + include postgres + if $::lsbdistcodename == squeeze { include roles::udldap::client } else { @@ -97,17 +100,13 @@ node default { } if $::hostname in [buxtehude,milanollo,lw01,lw02,lw03,lw04,senfter,gretchaninov] { - include nfs-server + include nfs_server } if $::brokenhosts { include hosts } - if $::portforwarder_user_exists { - include portforwarder - } - if $::samhain { include samhain } @@ -116,10 +115,6 @@ node default { include debian_org::radvd } - if ($::postgres) { - include postgres - } - if $::spamd { munin::check { 'spamassassin': } } 
diff --git a/modules/acpi/manifests/init.pp b/modules/acpi/manifests/init.pp index f2c621b32..2a4fc1563 100644 --- a/modules/acpi/manifests/init.pp +++ b/modules/acpi/manifests/init.pp @@ -1,6 +1,6 @@ class acpi { if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) { - if ($::lsbmajdistrelease >= '8') { + if (versioncmp($::lsbmajdistrelease, '8') >= 0) { package { 'acpid': ensure => purged } diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp index 19400ad6d..b0bde4134 100644 --- a/modules/apache2/manifests/init.pp +++ b/modules/apache2/manifests/init.pp @@ -105,7 +105,7 @@ class apache2 { apache2::module { 'mpm_prefork': ensure => absent } apache2::module { 'mpm_worker': } } - if $::lsbmajdistrelease > '7' { + if versioncmp($::lsbmajdistrelease, '7') > 0 { file { '/etc/apache2/mods-available/mpm_worker.conf': content => template('apache2/mpm_worker.erb'), } diff --git a/modules/apache2/manifests/site.pp b/modules/apache2/manifests/site.pp index ff1ee20e1..6d5ec55f3 100644 --- a/modules/apache2/manifests/site.pp +++ b/modules/apache2/manifests/site.pp @@ -46,7 +46,7 @@ define apache2::site ( } } - if $::lsbmajdistrelease <= '7' { + if versioncmp($::lsbmajdistrelease, '7') <= 0 { $symlink = "/etc/apache2/sites-enabled/${name}" } else { $symlink = "/etc/apache2/sites-enabled/${name}.conf" diff --git a/modules/apache2/templates/default-debian.org.erb b/modules/apache2/templates/default-debian.org.erb index dff8a4ffe..0c9eff39a 100644 --- a/modules/apache2/templates/default-debian.org.erb +++ b/modules/apache2/templates/default-debian.org.erb @@ -10,7 +10,7 @@ CustomLog /var/log/apache2/access.log privacy DocumentRoot /srv/www/default.debian.org/htdocs - <% if @lsbmajdistrelease > '7' -%> + <% if scope.call_function('versioncmp', [@lsbmajdistrelease, '7']) > 0 -%> Require all granted diff --git a/modules/apache2/templates/puppet-config.erb b/modules/apache2/templates/puppet-config.erb index 3a7134d45..7c38884a5 100644 
--- a/modules/apache2/templates/puppet-config.erb +++ b/modules/apache2/templates/puppet-config.erb @@ -4,13 +4,13 @@ # this is a list that seems suitable as of 2014-10, when running wheezy. It # probably requires re-visiting regularly. - <% if @lsbmajdistrelease <= '7' -%> + <% if scope.call_function('versioncmp', [@lsbmajdistrelease, '7']) <= 0 -%> SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!SEED:!DSS <% else -%> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!SEED:!DSS <% end -%> - <%- if has_variable?("apache2deb9") && @apache2deb9 == "true" -%> + <%- if has_variable?("apache2deb9") && @apache2deb9 -%> SSLUseStapling On # the default size is 32k, but we make it 1M. diff --git a/modules/bacula/manifests/client.pp b/modules/bacula/manifests/client.pp index 05234fc9b..2918a7938 100644 --- a/modules/bacula/manifests/client.pp +++ b/modules/bacula/manifests/client.pp @@ -50,7 +50,7 @@ class bacula::client inherits bacula { require => Package['bacula-fd'], notify => Service['bacula-fd'], } - if ($::lsbmajdistrelease >= '9' and $systemd) { + if (versioncmp($::lsbmajdistrelease, '9') >= 0 and $systemd) { file { '/etc/systemd/system/bacula-fd.service.d': ensure => directory, mode => '0755', diff --git a/modules/buildd/files/buildd-schroot-aptitude-kill.wheezy b/modules/buildd/files/buildd-schroot-aptitude-kill.wheezy deleted file mode 100755 index c73667a6d..000000000 --- a/modules/buildd/files/buildd-schroot-aptitude-kill.wheezy +++ /dev/null 
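Review bot: Dropping the `== "true"` comparison turns `@apache2deb9` into a plain truthiness test, which is only correct if the fact reaches the template as a real boolean; an agent that still delivers stringified facts would hand over the string `"false"`, which Ruby treats as true, and SSL stapling would be switched on unintentionally. The same pattern recurs in the eximconf.erb hunks (`@clamd`, `@policydweight`, `@greylistd`, `@postgrey`), in torrc-header.erb (`@tor_ge_0_2_9`) and in resolv.conf.erb (`@unbound`). If mixed agents are possible during the migration, a tolerant check such as `<%- if has_variable?("apache2deb9") && (@apache2deb9 == true || @apache2deb9 == "true") -%>` keeps both forms working. Separately, the cipher lists on both sides of this conditional still carry the 2014-era `ECDH+3DES`, `DH+3DES` and `RSA+3DES` suites plus the non-forward-secret `RSA+AESGCM`/`RSA+AES` entries; the header comment already asks for regular revisiting, and touching this conditional would have been a natural place to drop at least the 3DES suites.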
@@ -1,64 +0,0 @@ -#!/usr/bin/python - -# kills aptitude processes that eat an excessive amount of resources - -# Copyright 2013 Peter Palfrader -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and associated documentation files (the -# "Software"), to deal in the Software without restriction, including -# without limitation the rights to use, copy, modify, merge, publish, -# distribute, sublicense, and/or sell copies of the Software, and to -# permit persons to whom the Software is furnished to do so, subject to -# the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -import os -import errno -import sys -try: - import psutil -except OSError, e: - # XXX: This is a hack, but since we are run from cron, it's - # better to handle this on the next run than to send mail. 
- if e.errno == errno.ENOENT: - sys.exit(0) - -total_mem = psutil.phymem_usage().total -cutoff_time = 60*10 - -for p in psutil.process_iter(): - try: - if p.name != 'aptitude': continue - parent = p.parent - if parent is None: continue - if parent.name != 'schroot': continue - # - try: - rootdir = os.readlink('/proc/%d/root'%(p.pid,)) - except OSError as e: - if e.errno == errno.ENOENT: - continue - else: - raise e - if not rootdir.startswith('/var/lib/schroot/mount'): continue - # - used = p.get_memory_info().vms - if used < total_mem: continue - # - cputime = p.get_cpu_times().user - if cputime < cutoff_time: continue - # - p.kill() - except psutil.error.NoSuchProcess: - pass diff --git a/modules/buildd/files/sbuild.conf.wheezy b/modules/buildd/files/sbuild.conf.wheezy deleted file mode 100644 index 6bfb6db49..000000000 --- a/modules/buildd/files/sbuild.conf.wheezy +++ /dev/null @@ -1,5 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## -1; diff --git a/modules/buildd/manifests/init.pp b/modules/buildd/manifests/init.pp index 205730ba6..f821eac74 100644 --- a/modules/buildd/manifests/init.pp +++ b/modules/buildd/manifests/init.pp @@ -31,16 +31,9 @@ class buildd ($ensure=present) { source => 'puppet:///modules/buildd/buildd.conf', require => Package['buildd'], } - if ($::lsbmajdistrelease >= 8) { - file { '/etc/sbuild/sbuild.conf': - source => 'puppet:///modules/buildd/sbuild.conf', - require => Package['sbuild'], - } - } else { - file { '/etc/sbuild/sbuild.conf': - source => 'puppet:///modules/buildd/sbuild.conf.wheezy', - require => Package['sbuild'], - } + file { '/etc/sbuild/sbuild.conf': + source => 'puppet:///modules/buildd/sbuild.conf', + require => Package['sbuild'], } include ferm::ftp_conntrack } 
@@ -85,16 +78,9 @@ class buildd ($ensure=present) { package { 'python-psutil': ensure => installed, } - if ($::lsbmajdistrelease >= 8) { - file { '/usr/local/sbin/buildd-schroot-aptitude-kill': - source => 'puppet:///modules/buildd/buildd-schroot-aptitude-kill', - mode => '0555', - } - } else { - file { '/usr/local/sbin/buildd-schroot-aptitude-kill': - source => 'puppet:///modules/buildd/buildd-schroot-aptitude-kill.wheezy', - mode => '0555', - } + file { '/usr/local/sbin/buildd-schroot-aptitude-kill': + source => 'puppet:///modules/buildd/buildd-schroot-aptitude-kill', + mode => '0555', } } else { file { '/usr/local/sbin/buildd-schroot-aptitude-kill': diff --git a/modules/debian_org/manifests/apt.pp b/modules/debian_org/manifests/apt.pp index 9fc02a0b2..948f606ea 100644 --- a/modules/debian_org/manifests/apt.pp +++ b/modules/debian_org/manifests/apt.pp @@ -3,7 +3,7 @@ # Stuff common to all debian.org servers # class debian_org::apt { - if $::lsbmajdistrelease <= '7' { + if versioncmp($::lsbmajdistrelease, '7') <= 0 { $mungedcodename = $::lsbdistcodename } elsif ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) { $mungedcodename = "${::lsbdistcodename}-kfreebsd" @@ -11,7 +11,7 @@ class debian_org::apt { $mungedcodename = $::lsbdistcodename } - if $::lsbmajdistrelease <= '8' { + if versioncmp($::lsbmajdistrelease, '8') <= 0 { $fallbackmirror = 'http://cdn-fastly.deb.debian.org/debian/' } else { $fallbackmirror = 'http://deb.debian.org/debian/' diff --git a/modules/debian_org/manifests/init.pp b/modules/debian_org/manifests/init.pp index 6cb629efc..a7ff786d8 100644 --- a/modules/debian_org/manifests/init.pp +++ b/modules/debian_org/manifests/init.pp @@ -43,7 +43,7 @@ class debian_org { source => 'puppet:///modules/debian_org/basic-ssh_known_hosts' } - if ($::lsbmajdistrelease >= '8') { + if versioncmp($::lsbmajdistrelease, '8') >= 0 { $rubyfs_package = 'ruby-filesystem' } else { $rubyfs_package = 'libfilesystem-ruby1.9' 
@@ -136,7 +136,7 @@ class debian_org { } file { '/etc/puppet/puppet.conf': content => template('debian_org/puppet.conf.erb'), - mode => 0440, + mode => '0440', group => 'puppet', } file { '/etc/default/puppet': @@ -144,11 +144,11 @@ class debian_org { } file { '/etc/systemd': ensure => directory, - mode => 0755, + mode => '0755', } file { '/etc/systemd/system': ensure => directory, - mode => 0755, + mode => '0755', } file { '/etc/systemd/system/ud-replicated.service': ensure => $servicefiles, diff --git a/modules/debian_org/templates/dsa-puppet-stuff.cron.erb b/modules/debian_org/templates/dsa-puppet-stuff.cron.erb index 48fab729d..60f2f5aaf 100644 --- a/modules/debian_org/templates/dsa-puppet-stuff.cron.erb +++ b/modules/debian_org/templates/dsa-puppet-stuff.cron.erb @@ -5,7 +5,7 @@ SHELL=/bin/bash @hourly root [ ! -d /var/cache/dsa ] || touch /var/cache/dsa/cron.alive -<% if @lsbmajdistrelease <= '7' -%> +<% if scope.call_function('versioncmp', [@lsbmajdistrelease, '7']) <= 0 -%> 34 */4 * * * root if [ -x /usr/sbin/puppetd ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/sbin/puppetd -o --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi <% else -%> 34 */4 * * * root if [ -x /usr/bin/puppet ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/bin/puppet agent --onetime --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp index ae732057f..4ff0fb1e2 100644 --- a/modules/exim/manifests/init.pp +++ b/modules/exim/manifests/init.pp 
@@ -24,7 +24,7 @@ class exim { concat::fragment { 'virtual_domain_template': target => '/etc/exim4/virtualdomains', content => template('exim/virtualdomains.erb'), - order => 05, + order => '05', } service { 'exim4': diff --git a/modules/exim/manifests/vdomain/setup.pp b/modules/exim/manifests/vdomain/setup.pp index 8be0c2634..2765fba43 100644 --- a/modules/exim/manifests/vdomain/setup.pp +++ b/modules/exim/manifests/vdomain/setup.pp @@ -10,6 +10,6 @@ class exim::vdomain::setup { concat::fragment { 'virtualdomains_header': target => '/etc/exim4/virtualdomains', source => 'puppet:///modules/exim/virtualdomains.header', - order => 00, + order => '00', } } diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 93ec70865..1c8dcf0ea 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -211,7 +211,7 @@ queue_only_load = 8 <%- end -%> queue_list_requires_admin = false -<%- if has_variable?("clamd") && @clamd == "true" -%> +<%- if has_variable?("clamd") && @clamd -%> av_scanner = clamd:/var/run/clamav/clamd.ctl <%- end -%> @@ -663,7 +663,7 @@ check_recipient: ratelimit = 10 / 60m / per_rcpt / $sender_host_address message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) -<%- if has_variable?("policydweight") && @policydweight == "true" -%> +<%- if has_variable?("policydweight") && @policydweight -%> # Check with policyd-weight - this only works with a version after etch's, # sadly. etch's version attempts to hold the socket open, since that's what # postfix expects. Exim, on the other hand, expects the remote side to close @@ -734,7 +734,7 @@ check_recipient: <%- end -%> -<%- if has_variable?("greylistd") && @greylistd == "true" -%> +<%- if has_variable?("greylistd") && @greylistd -%> defer message = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>. log_message = greylisted. 
@@ -759,7 +759,7 @@ check_recipient: $local_part@$domain}\ {5s}{}{false}} -<%- elsif has_variable?("postgrey") && @postgrey == "true" -%> +<%- elsif has_variable?("postgrey") && @postgrey -%> # next three are greylisting, inspired by http://www.bebt.de/blog/debian/archives/2006/07/30/T06_12_27/index.html # this adds acl_m_grey if there isn't one (so unique per message) warn @@ -956,7 +956,7 @@ check_message: condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = Your mailer is not RFC 2047 compliant: message rejected -<%- if has_variable?("clamd") && @clamd == "true" -%> +<%- if has_variable?("clamd") && @clamd -%> discard condition = ${if eq {$acl_m_prf}{blackhole}} demime = * malware = */defer_ok diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp index 869a3d660..23dfc2a79 100644 --- a/modules/ferm/manifests/init.pp +++ b/modules/ferm/manifests/init.pp @@ -16,7 +16,7 @@ class ferm { package { 'ferm': ensure => installed } - if ($::lsbmajdistrelease >= '8') { + if (versioncmp($::lsbmajdistrelease, '8') >= 0) { package { 'ulogd2': ensure => installed } @@ -92,7 +92,7 @@ class ferm { content => template('ferm/interfaces.conf.erb'), notify => Service['ferm'], } - if ($::lsbmajdistrelease >= '8') { + if (versioncmp($::lsbmajdistrelease, '8') >= 0) { augeas { 'logrotate_ulogd2': context => '/files/etc/logrotate.d/ulogd2', changes => [ diff --git a/modules/ferm/templates/ferm.conf.erb b/modules/ferm/templates/ferm.conf.erb index 5d63f8d0f..b8a6b692e 100644 --- a/modules/ferm/templates/ferm.conf.erb +++ b/modules/ferm/templates/ferm.conf.erb @@ -7,7 +7,7 @@ @include 'conf.d/'; -<% if @lsbmajdistrelease >= '8' -%> +<% if scope.call_function('versioncmp', [@lsbmajdistrelease, '8']) >= 0 -%> domain (ip ip6) { table filter { chain log_and_reject { diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb index 627e4bfae..75f0d5c46 100644 --- a/modules/ferm/templates/me.conf.erb 
+++ b/modules/ferm/templates/me.conf.erb @@ -13,7 +13,7 @@ restrict_ssh = %w{tchaikovsky draghi adayevskaya} if (nodeinfo['ldap'].has_key?('purpose')) then nodeinfo['ldap']['purpose'].each do |purp| if restricted_purposes.include?(purp) then - restrict_ssh << hostname + restrict_ssh << @hostname end end end diff --git a/modules/hardware/manifests/raid.pp b/modules/hardware/manifests/raid.pp index 3affb8983..d682c30b2 100644 --- a/modules/hardware/manifests/raid.pp +++ b/modules/hardware/manifests/raid.pp @@ -7,8 +7,5 @@ class hardware::raid { include hardware::raid::megactl } - if $::mptraid { - include hardware::raid::raidmpt - } - + include hardware::raid::raidmpt } diff --git a/modules/hardware/manifests/raid/raidmpt.pp b/modules/hardware/manifests/raid/raidmpt.pp index c512913ec..f371c7227 100644 --- a/modules/hardware/manifests/raid/raidmpt.pp +++ b/modules/hardware/manifests/raid/raidmpt.pp 
@@ -7,18 +7,27 @@ # include hardware::raid::raidmpt # class hardware::raid::raidmpt { + if $::mptraid { + package { 'mpt-status': + ensure => installed + } - package { 'mpt-status': - ensure => installed - } + file { '/etc/default/mpt-statusd': + content => "# This file is under puppet control\nRUN_DAEMON=no\n", + notify => Exec['mpt-statusd-stop'], + } - file { '/etc/default/mpt-statusd': - content => "# This file is under puppet control\nRUN_DAEMON=no\n", - notify => Exec['mpt-statusd-stop'], - } + exec { 'mpt-statusd-stop': + command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile"; pkill -INT -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"', + refreshonly => true, + } + } else { + package { 'mpt-status': + ensure => purged, + } - exec { 'mpt-statusd-stop': - command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile"; pkill -INT -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"', - refreshonly => true, + file { '/etc/default/mpt-statusd': + ensure => absent, + } } } diff --git a/modules/hardware/manifests/sensors.pp b/modules/hardware/manifests/sensors.pp index b52b95e85..d835c9335 100644 --- a/modules/hardware/manifests/sensors.pp +++ b/modules/hardware/manifests/sensors.pp @@ -2,5 +2,8 @@ class hardware::sensors { if $::hw_can_temp_sensors { package { 'lm-sensors': ensure => installed, } munin::check { 'sensors_temp': script => 'sensors_' } + } else { + package { 'lm-sensors': ensure => purged, } + munin::check { 'sensors_temp': ensure => absent } } } diff --git a/modules/monit/manifests/init.pp b/modules/monit/manifests/init.pp index 977f1847c..999cdfb3d 100644 --- a/modules/monit/manifests/init.pp +++ b/modules/monit/manifests/init.pp 
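Review bot: The new `else` branch purges `mpt-status` and removes `/etc/default/mpt-statusd` whenever `$::mptraid` is falsy, and since raid.pp now includes this class unconditionally, a fact that is merely unset (facter error, fact not yet deployed on an older agent) is handled exactly like a host without MPT RAID: previously such a host was left alone, now its RAID monitoring is silently removed. The same shape appears in the sensors.pp hunk (`lm-sensors` and the `sensors_temp` check removed when `$::hw_can_temp_sensors` is falsy) and in the rng_tools/manifests/init.pp hunk (`rng-tools` purged). Consider limiting the purge to an explicit negative, e.g. `} elsif $::mptraid == false {` if the fact is a real Boolean, or emitting a `warning()` when the fact is undef, so that a lost monitoring package is visible rather than quietly applied.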
@@ -7,7 +7,7 @@ # include monit # class monit { - if $::lsbmajdistrelease <= '7' { + if versioncmp($::lsbmajdistrelease, '7') <= 0 { package { 'monit': ensure => installed } diff --git a/modules/munin/manifests/conf.pp b/modules/munin/manifests/conf.pp index ad557abe2..5413c4349 100644 --- a/modules/munin/manifests/conf.pp +++ b/modules/munin/manifests/conf.pp @@ -1,7 +1,7 @@ define munin::conf ( $ensure=present, - $content='', - $source='' + $content=false, + $source=false ) { include munin diff --git a/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb b/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb index 8f815826f..a1265ffe8 100644 --- a/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb +++ b/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb @@ -14,7 +14,7 @@ when "sibelius.debian.org" then ignore << %w{tivs when /(storace|backuphost).debian.org/ then ignore << %w{postgresql-client-9.1} end -if @lsbmajdistrelease <= '8' +if scope.call_function('versioncmp', [@lsbmajdistrelease, '8']) <= 0 case @fqdn when /(acker|aagaard).debian.org/ then ignore << %w{qemu-efi} end diff --git a/modules/nfs-server/files/lockd.local.modprobe b/modules/nfs-server/files/lockd.local.modprobe deleted file mode 100644 index 105d4b537..000000000 --- a/modules/nfs-server/files/lockd.local.modprobe +++ /dev/null @@ -1,6 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -options lockd nlm_udpport=10003 nlm_tcpport=10003 diff --git a/modules/nfs-server/files/nfs-common.default b/modules/nfs-server/files/nfs-common.default deleted file mode 100644 index 93f659823..000000000 --- a/modules/nfs-server/files/nfs-common.default +++ /dev/null 
@@ -1,24 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# If you do not set values for the NEED_ options, they will be attempted -# autodetected; this should be sufficient for most people. Valid alternatives -# for the NEED_ options are "yes" and "no". - -# Do you want to start the statd daemon? It is not needed for NFSv4. -NEED_STATD= - -# Options for rpc.statd. -# Should rpc.statd listen on a specific port? This is especially useful -# when you have a port-based firewall. To use a fixed port, set this -# this variable to a statd argument like: "--port 4000 --outgoing-port 4001". -# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS -STATDOPTS='--port 10000 -o 10001' - -# Do you want to start the idmapd daemon? It is only needed for NFSv4. -NEED_IDMAPD= - -# Do you want to start the gssd daemon? It is required for Kerberos mounts. -NEED_GSSD= diff --git a/modules/nfs-server/files/nfs-kernel-server.default b/modules/nfs-server/files/nfs-kernel-server.default deleted file mode 100644 index d40255f5c..000000000 --- a/modules/nfs-server/files/nfs-kernel-server.default +++ /dev/null @@ -1,23 +0,0 @@ -## -## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. -## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git -## - -# Number of servers to start up -RPCNFSDCOUNT=8 - -# Runtime priority of server (see nice(1)) -RPCNFSDPRIORITY=0 - -# Options for rpc.mountd. -# If you have a port-based firewall, you might want to set up -# a fixed port here using the --port option. For more information, -# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS -RPCMOUNTDOPTS="-p 10002" - -# Do you want to start the svcgssd daemon? It is only required for Kerberos -# exports. Valid alternatives are "yes" and "no"; the default is "no". -NEED_SVCGSSD= - -# Options for rpc.svcgssd. -RPCSVCGSSDOPTS= 
diff --git a/modules/nfs-server/manifests/init.pp b/modules/nfs-server/manifests/init.pp deleted file mode 100644 index 7021ef330..000000000 --- a/modules/nfs-server/manifests/init.pp +++ /dev/null 
@@ -1,75 +0,0 @@ -class nfs-server { - - package { [ - 'nfs-common', - 'nfs-kernel-server' - ]: - ensure => installed - } - - service { 'nfs-common': - hasstatus => false, - status => '/bin/true', - } - service { 'nfs-kernel-server': - hasstatus => false, - status => '/bin/true', - } - - case $::hostname { - lw01,lw02,lw03,lw04: { - $client_range = '10.0.0.0/8' - } - milanollo,senfter: { - $client_range = '172.29.122.0/24' - } - buxtehude: { - $client_range = '(172.29.40.0/22 206.12.19.126/32)' - } - gretchaninov: { - $client_range = '172.29.40.0/22' - } - default: { - # Better than 0.0.0.0/0 - we really ought to configure a - # client range for them all instead of exporting to the world. - $client_range = '127.0.0.0/8' - } - } - - @ferm::rule { 'dsa-portmap': - description => 'Allow portmap access', - rule => "&TCP_UDP_SERVICE_RANGE(111, $client_range)" - } - @ferm::rule { 'dsa-nfs': - description => 'Allow nfsd access', - rule => "&TCP_UDP_SERVICE_RANGE(2049, $client_range)" - } - @ferm::rule { 'dsa-status': - description => 'Allow statd access', - rule => "&TCP_UDP_SERVICE_RANGE(10000, $client_range)" - } - @ferm::rule { 'dsa-mountd': - description => 'Allow mountd access', - rule => "&TCP_UDP_SERVICE_RANGE(10002, $client_range)" - } - @ferm::rule { 'dsa-lockd': - description => 'Allow lockd access', - rule => "&TCP_UDP_SERVICE_RANGE(10003, $client_range)" - } - - file { '/etc/default/nfs-common': - source => 'puppet:///modules/nfs-server/nfs-common.default', - before => Package['nfs-common'], - notify => Service['nfs-common'], - } - file { '/etc/default/nfs-kernel-server': - source => 'puppet:///modules/nfs-server/nfs-kernel-server.default', - before => Package['nfs-kernel-server'], - notify => Service['nfs-kernel-server'], - } - file { '/etc/modprobe.d/lockd.local': - source => 'puppet:///modules/nfs-server/lockd.local.modprobe', - before => Package['nfs-common'], - notify => Service['nfs-common'], - } -} 
diff --git a/modules/nfs_server/files/lockd.local.modprobe b/modules/nfs_server/files/lockd.local.modprobe new file mode 100644 index 000000000..105d4b537 --- /dev/null +++ b/modules/nfs_server/files/lockd.local.modprobe @@ -0,0 +1,6 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +options lockd nlm_udpport=10003 nlm_tcpport=10003 diff --git a/modules/nfs_server/files/nfs-common.default b/modules/nfs_server/files/nfs-common.default new file mode 100644 index 000000000..93f659823 --- /dev/null +++ b/modules/nfs_server/files/nfs-common.default @@ -0,0 +1,24 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +# If you do not set values for the NEED_ options, they will be attempted +# autodetected; this should be sufficient for most people. Valid alternatives +# for the NEED_ options are "yes" and "no". + +# Do you want to start the statd daemon? It is not needed for NFSv4. +NEED_STATD= + +# Options for rpc.statd. +# Should rpc.statd listen on a specific port? This is especially useful +# when you have a port-based firewall. To use a fixed port, set this +# this variable to a statd argument like: "--port 4000 --outgoing-port 4001". +# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS +STATDOPTS='--port 10000 -o 10001' + +# Do you want to start the idmapd daemon? It is only needed for NFSv4. +NEED_IDMAPD= + +# Do you want to start the gssd daemon? It is required for Kerberos mounts. +NEED_GSSD= diff --git a/modules/nfs_server/files/nfs-kernel-server.default b/modules/nfs_server/files/nfs-kernel-server.default new file mode 100644 index 000000000..d40255f5c --- /dev/null +++ b/modules/nfs_server/files/nfs-kernel-server.default 
@@ -0,0 +1,23 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + +# Number of servers to start up +RPCNFSDCOUNT=8 + +# Runtime priority of server (see nice(1)) +RPCNFSDPRIORITY=0 + +# Options for rpc.mountd. +# If you have a port-based firewall, you might want to set up +# a fixed port here using the --port option. For more information, +# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS +RPCMOUNTDOPTS="-p 10002" + +# Do you want to start the svcgssd daemon? It is only required for Kerberos +# exports. Valid alternatives are "yes" and "no"; the default is "no". +NEED_SVCGSSD= + +# Options for rpc.svcgssd. +RPCSVCGSSDOPTS= diff --git a/modules/nfs_server/manifests/init.pp b/modules/nfs_server/manifests/init.pp new file mode 100644 index 000000000..5545114f6 --- /dev/null +++ b/modules/nfs_server/manifests/init.pp 
@@ -0,0 +1,75 @@ +class nfs_server { + + package { [ + 'nfs-common', + 'nfs-kernel-server' + ]: + ensure => installed + } + + service { 'nfs-common': + hasstatus => false, + status => '/bin/true', + } + service { 'nfs-kernel-server': + hasstatus => false, + status => '/bin/true', + } + + case $::hostname { + lw01,lw02,lw03,lw04: { + $client_range = '10.0.0.0/8' + } + milanollo,senfter: { + $client_range = '172.29.122.0/24' + } + buxtehude: { + $client_range = '(172.29.40.0/22 206.12.19.126/32)' + } + gretchaninov: { + $client_range = '172.29.40.0/22' + } + default: { + # Better than 0.0.0.0/0 - we really ought to configure a + # client range for them all instead of exporting to the world. + $client_range = '127.0.0.0/8' + } + } + + @ferm::rule { 'dsa-portmap': + description => 'Allow portmap access', + rule => "&TCP_UDP_SERVICE_RANGE(111, $client_range)" + } + @ferm::rule { 'dsa-nfs': + description => 'Allow nfsd access', + rule => "&TCP_UDP_SERVICE_RANGE(2049, $client_range)" + } + @ferm::rule { 'dsa-status': + description => 'Allow statd access', + rule => "&TCP_UDP_SERVICE_RANGE(10000, $client_range)" + } + @ferm::rule { 'dsa-mountd': + description => 'Allow mountd access', + rule => "&TCP_UDP_SERVICE_RANGE(10002, $client_range)" + } + @ferm::rule { 'dsa-lockd': + description => 'Allow lockd access', + rule => "&TCP_UDP_SERVICE_RANGE(10003, $client_range)" + } + + file { '/etc/default/nfs-common': + source => 'puppet:///modules/nfs_server/nfs-common.default', + before => Package['nfs-common'], + notify => Service['nfs-common'], + } + file { '/etc/default/nfs-kernel-server': + source => 'puppet:///modules/nfs_server/nfs-kernel-server.default', + before => Package['nfs-kernel-server'], + notify => Service['nfs-kernel-server'], + } + file { '/etc/modprobe.d/lockd.local': + source => 'puppet:///modules/nfs_server/lockd.local.modprobe', + before => Package['nfs-common'], + notify => Service['nfs-common'], + } +} 
diff --git a/modules/onion/manifests/balance.pp b/modules/onion/manifests/balance.pp index 600aa24a4..855e7cde8 100644 --- a/modules/onion/manifests/balance.pp +++ b/modules/onion/manifests/balance.pp @@ -21,7 +21,7 @@ class onion::balance { concat::fragment { 'onion::torrc_control_header': target => "/etc/tor/torrc", - order => 10, + order => '10', content => "ControlPort 9051\n\n", } diff --git a/modules/onion/manifests/init.pp b/modules/onion/manifests/init.pp index 31543e9fe..c7b06c594 100644 --- a/modules/onion/manifests/init.pp +++ b/modules/onion/manifests/init.pp @@ -26,7 +26,7 @@ class onion { } concat::fragment { 'onion::torrc_header': target => "/etc/tor/torrc", - order => 05, + order => '05', content => template("onion/torrc-header.erb"), } } diff --git a/modules/onion/manifests/service.pp b/modules/onion/manifests/service.pp index 80d692250..77ecc8927 100644 --- a/modules/onion/manifests/service.pp +++ b/modules/onion/manifests/service.pp @@ -19,7 +19,7 @@ define onion::service ( concat::fragment { "onion::torrc_onionservice::${name}": target => "/etc/tor/torrc", - order => 50, + order => '50', content => "HiddenServiceDir /var/lib/tor/onion/${name}\nHiddenServicePort ${port} ${target_address}:${target_port}\n\n", } diff --git a/modules/onion/templates/torrc-header.erb b/modules/onion/templates/torrc-header.erb index 845adbfd9..b45b81d96 100644 --- a/modules/onion/templates/torrc-header.erb +++ b/modules/onion/templates/torrc-header.erb @@ -1,7 +1,7 @@ SocksPort 0 Log notice syslog -<%- if has_variable?("tor_ge_0_2_9") && tor_ge_0_2_9 == "true" -%> +<%- if has_variable?("tor_ge_0_2_9") && @tor_ge_0_2_9 -%> #HiddenServiceSingleHopMode 1 #HiddenServiceNonAnonymousMode 1 <%- end -%> diff --git a/modules/portforwarder/manifests/init.pp b/modules/portforwarder/manifests/init.pp index e7009b22e..e5a59828f 100644 --- a/modules/portforwarder/manifests/init.pp +++ b/modules/portforwarder/manifests/init.pp 
@@ -2,28 +2,37 @@ class portforwarder { # do not depend on xinetd, yet. it might uninstall other inetds # for now this will have to be done manually - if ! $::portforwarder_key { - exec { 'create-portforwarder-key': - command => '/bin/su - portforwarder -c \'mkdir -p -m 02700 .ssh && ssh-keygen -C "`whoami`@`hostname` (`date +%Y-%m-%d`)" -P "" -f .ssh/id_rsa -q\'', - onlyif => '/usr/bin/getent passwd portforwarder > /dev/null && ! [ -e /home/portforwarder/.ssh/id_rsa ]' + if $::portforwarder_user_exists { + if ! $::portforwarder_key { + exec { 'create-portforwarder-key': + command => '/bin/su - portforwarder -c \'mkdir -p -m 02700 .ssh && ssh-keygen -C "`whoami`@`hostname` (`date +%Y-%m-%d`)" -P "" -f .ssh/id_rsa -q\'', + onlyif => '/usr/bin/getent passwd portforwarder > /dev/null && ! [ -e /home/portforwarder/.ssh/id_rsa ]' + } } - } - file { '/etc/ssh/userkeys/portforwarder': - content => template('portforwarder/authorized_keys.erb'), - } - file { '/etc/xinetd.d': - ensure => directory, - owner => root, - group => root, - mode => '0755', - } - file { '/etc/xinetd.d/dsa-portforwader': - content => template('portforwarder/xinetd.erb'), - notify => Exec['service xinetd reload'] - } + file { '/etc/ssh/userkeys/portforwarder': + content => template('portforwarder/authorized_keys.erb'), + } + file { '/etc/xinetd.d': + ensure => directory, + owner => root, + group => root, + mode => '0755', + } + file { '/etc/xinetd.d/dsa-portforwader': + content => template('portforwarder/xinetd.erb'), + notify => Exec['service xinetd reload'] + } - exec { 'service xinetd reload': - refreshonly => true, + exec { 'service xinetd reload': + refreshonly => true, + } + } else { + file { [ + '/etc/ssh/userkeys/portforwarder', + '/etc/xinetd.d/dsa-portforwader', + ]: + ensure => 'absent', + } } } diff --git a/modules/postgres/manifests/init.pp b/modules/postgres/manifests/init.pp index 4edc5c8a6..af2f206d5 100644 --- a/modules/postgres/manifests/init.pp 
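Review bot: In the new `else` branch the `/etc/xinetd.d/dsa-portforwader` file is removed but nothing notifies `Exec['service xinetd reload']`, which is now declared only inside the `if`, so a running xinetd keeps the forwarding service listening until its next restart even though the config and the authorized key are gone. Move the reload `exec` out of the conditional and have the absent xinetd file notify it; the reload should also tolerate xinetd not being installed, because the `else` branch presumably runs on hosts that never had it. The class opens before this hunk.
```puppet
	# … unchanged: key generation, userkeys and xinetd file resources in the if-branch …
	} else {
		file { '/etc/ssh/userkeys/portforwarder':
			ensure => 'absent',
		}
		file { '/etc/xinetd.d/dsa-portforwader':
			ensure => 'absent',
			notify => Exec['service xinetd reload'],
		}
	}

	# Declared in both branches so removing the xinetd config above can
	# trigger a reload; skipped when xinetd is not installed.
	exec { 'service xinetd reload':
		refreshonly => true,
		onlyif      => '/usr/bin/test -x /etc/init.d/xinetd',
	}
```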
+++ b/modules/postgres/manifests/init.pp @@ -1,17 +1,30 @@ class postgres { - munin::check { 'postgres_bgwriter': } - munin::check { 'postgres_connections_db': } + $ensure = ($::postgres) ? { + true => 'ensure', + default => 'absent' + } + + munin::check { 'postgres_bgwriter': + ensure => $ensure, + } + munin::check { 'postgres_connections_db': + ensure => $ensure, + } munin::check { 'postgres_cache_ALL': + ensure => $ensure, script => 'postgres_cache_' } munin::check { 'postgres_querylength_ALL': + ensure => $ensure, script => 'postgres_querylength_' } munin::check { 'postgres_size_ALL': + ensure => $ensure, script => 'postgres_size_' } file { '/etc/munin/plugin-conf.d/local-postgres': + ensure => $ensure, source => 'puppet:///modules/postgres/plugin.conf', } } diff --git a/modules/resolv/templates/resolv.conf.erb b/modules/resolv/templates/resolv.conf.erb index a42aa25d4..773337420 100644 --- a/modules/resolv/templates/resolv.conf.erb +++ b/modules/resolv/templates/resolv.conf.erb @@ -15,7 +15,7 @@ if %w{draghi}.include?(@hostname) end nameservers += @ns -if @unbound && @unbound == "true" +if @unbound nameservers = ['127.0.0.1'] end diff --git a/modules/rng_tools/manifests/init.pp b/modules/rng_tools/manifests/init.pp index c8bb9ab1e..d1db5babd 100644 --- a/modules/rng_tools/manifests/init.pp +++ b/modules/rng_tools/manifests/init.pp @@ -7,5 +7,9 @@ class rng_tools { ensure => running, require => Package['rng-tools'] } + } else { + package { 'rng-tools': + ensure => purged + } } } diff --git a/modules/roles/manifests/ftp.pp b/modules/roles/manifests/ftp.pp index bdb9f4b64..5823032cc 100644 --- a/modules/roles/manifests/ftp.pp +++ b/modules/roles/manifests/ftp.pp @@ -21,7 +21,7 @@ class roles::ftp { root => '/srv/ftp.debian.org/ftp.root', } - if $bind6 { + if $bind6 != '' { vsftpd::site { 'ftp-v6': banner => 'ftp.debian.org FTP server', logfile => '/var/log/ftp/vsftpd-ftp.debian.org.log', 
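Review bot: `true => 'ensure'` in the new `$ensure` selector is not a valid ensure value, so on every host where `$::postgres` is true the munin plugin config does not end up present; Puppet's `file` type treats an unrecognised ensure value as a symlink target, so `/etc/munin/plugin-conf.d/local-postgres` would presumably become a dangling symlink named `ensure`, and what `munin::check` does with the value is not visible here. It should read `true => 'present',`. The selector matches the literal boolean `true`; if `$::postgres` arrives as the string `"true"` it falls through to `default` and everything is removed, so a comment stating that the fact is expected to be boolean (or a `'true'` case next to `true`) would help the next reader.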
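Review bot: `if $bind6 != '' {` in roles::ftp is only a tightening if `$bind6` is always a string; it is assigned before this hunk, and under current Puppet `undef != ''` evaluates to true, so an unset value would now declare the `ftp-v6` vsftpd site with an empty bind address. The same guard is introduced in ftp_upload.pp, ports_master.pp and security_mirror.pp (`$ftp_bind6`). If undef is possible, `if $bind6 and $bind6 != '' {` covers both cases; otherwise a comment where `$bind6` is assigned stating that it is always a string (possibly empty) justifies the plain comparison. The class body continues outside the hunk.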
diff --git a/modules/roles/manifests/ftp_upload.pp b/modules/roles/manifests/ftp_upload.pp index 56126068c..b553b7086 100644 --- a/modules/roles/manifests/ftp_upload.pp +++ b/modules/roles/manifests/ftp_upload.pp @@ -10,7 +10,7 @@ class roles::ftp_upload { root => '/srv/upload.debian.org/ftp', } - if $bind6 { + if $bind6 != '' { vsftpd::site { 'ftp-upload-v6': banner => 'ftp.upload.debian.org FTP server', logfile => '/var/log/ftp/vsftpd-ftp.upload.debian.org.log', diff --git a/modules/roles/manifests/historical_mirror.pp b/modules/roles/manifests/historical_mirror.pp index d80b1afb4..5036e8fbc 100644 --- a/modules/roles/manifests/historical_mirror.pp +++ b/modules/roles/manifests/historical_mirror.pp @@ -29,7 +29,7 @@ class roles::historical_mirror { tlsaport => [], } } else { - $sslname = '' + $sslname = undef } rsync::site_systemd { 'archive': diff --git a/modules/roles/manifests/ports_master.pp b/modules/roles/manifests/ports_master.pp index d714d7cb9..fa7099a4d 100644 --- a/modules/roles/manifests/ports_master.pp +++ b/modules/roles/manifests/ports_master.pp @@ -20,7 +20,7 @@ class roles::ports_master { root => '/srv/ports-master.debian.org/ftp.upload', } - if $bind6 { + if $bind6 != '' { vsftpd::site { 'ports-master-v6': banner => 'ports-master.debian.org FTP server', logfile => '/var/log/ftp/vsftpd-ports-master.debian.org.log', diff --git a/modules/roles/manifests/postgresql_server.pp b/modules/roles/manifests/postgresql_server.pp index 3fbaa63d0..25aa3e5dd 100644 --- a/modules/roles/manifests/postgresql_server.pp +++ b/modules/roles/manifests/postgresql_server.pp 
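Review bot: `$sslname = undef` in roles::historical_mirror feeds `rsync::site_systemd { 'archive': ... }`, but the only guard converted to the undef convention in this commit is the one in `rsync::site` (`if $sslname {`); `rsync::site_systemd` is not in the diff. If it still tests `$sslname != ''`, undef passes that test and the stunnel config is rendered with an empty certificate path, so that define needs the same check, or a comment here stating that it already accepts undef. The resource declaration continues past the end of the hunk.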
@@ -1,10 +1,10 @@ class roles::postgresql_server { file { "/usr/local/bin/pg-backup-file": - mode => 555, + mode => '0555', source => "puppet:///modules/roles/postgresql_server/pg-backup-file", } file { "/usr/local/bin/pg-receive-file-from-backup": - mode => 555, + mode => '0555', source => "puppet:///modules/roles/postgresql_server/pg-receive-file-from-backup", } file { "/etc/dsa/pg-backup-file.conf": diff --git a/modules/roles/manifests/pubsub/config.pp b/modules/roles/manifests/pubsub/config.pp index 07289d39e..24499bf62 100644 --- a/modules/roles/manifests/pubsub/config.pp +++ b/modules/roles/manifests/pubsub/config.pp @@ -55,7 +55,7 @@ define roles::pubsub::config ( $exchange=dsa, $username=$::fqdn, $queue=undef, - $order=00 + $order='00' ){ include roles::pubsub::config::setup diff --git a/modules/roles/manifests/security_mirror.pp b/modules/roles/manifests/security_mirror.pp index 1cda924c6..d135ffe41 100644 --- a/modules/roles/manifests/security_mirror.pp +++ b/modules/roles/manifests/security_mirror.pp @@ -48,7 +48,7 @@ class roles::security_mirror { root => '/srv/ftp.root/', bind => $ftp_bind, } - if ($ftp_bind6) { + if ($ftp_bind6 != '') { vsftpd::site { 'security6': banner => 'security.debian.org FTP server (vsftpd)', logfile => '/var/log/ftp/vsftpd-security6.debian.org.log', diff --git a/modules/roles/manifests/syncproxy.pp b/modules/roles/manifests/syncproxy.pp index 5d12d297f..a08b5a7a6 100644 --- a/modules/roles/manifests/syncproxy.pp +++ b/modules/roles/manifests/syncproxy.pp @@ -36,7 +36,7 @@ class roles::syncproxy { file { '/etc/rsyncd/debian.secrets': owner => 'root', group => 'mirroradm', - mode => 0660, + mode => '0660', } if $::apache2 and $syncproxy_name != 'unknown' { diff --git a/modules/roles/templates/apache-archive.debian.org.erb b/modules/roles/templates/apache-archive.debian.org.erb index 84026e8e5..0cf3b0c4e 100644 --- a/modules/roles/templates/apache-archive.debian.org.erb +++ b/modules/roles/templates/apache-archive.debian.org.erb 
@@ -4,11 +4,11 @@ ## <% - if not binds.kind_of?(Array) + if not @binds.kind_of?(Array) raise Puppet::Error, "binds variable is not an array" end - vhost_listen = binds.map{|x| x+":80" }.join(' ') + vhost_listen = @binds.map{|x| x+":80" }.join(' ') %> @@ -22,13 +22,13 @@ ServerAlias *.archive.backend.mirrors.debian.org #RedirectMatch "^/$" /debian-archive/ - DocumentRoot <%= archive_root %>/ - Alias /debian-archive/ <%= archive_root %>/ + DocumentRoot <%= @archive_root %>/ + Alias /debian-archive/ <%= @archive_root %>/ ErrorLog /var/log/apache2/archive.debian.org-error.log CustomLog /var/log/apache2/archive.debian.org-access.log privacy - > + > Require all granted Options +Indexes +FollowSymLinks diff --git a/modules/roles/templates/apache-debug.mirrors.debian.org.erb b/modules/roles/templates/apache-debug.mirrors.debian.org.erb index b57df668c..103724733 100644 --- a/modules/roles/templates/apache-debug.mirrors.debian.org.erb +++ b/modules/roles/templates/apache-debug.mirrors.debian.org.erb @@ -3,7 +3,7 @@ ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git ## - > + > ServerAdmin debian-admin@debian.org ServerName debug.mirrors.debian.org <% if scope.function_onion_global_service_hostname(['debug.mirrors.debian.org']) -%> diff --git a/modules/roles/templates/apache-ftp.debian.org.erb b/modules/roles/templates/apache-ftp.debian.org.erb index 339f93449..6dda3727a 100644 --- a/modules/roles/templates/apache-ftp.debian.org.erb +++ b/modules/roles/templates/apache-ftp.debian.org.erb @@ -3,7 +3,7 @@ ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git ## -> +> ServerAdmin debian-admin@debian.org ServerName ftp.debian.org ServerAlias debian.anycast-test.mirrors.debian.org 
@@ -14,12 +14,12 @@ ServerAlias *.debian.backend.mirrors.debian.org RedirectMatch "^/$" /debian/ - Alias /debian/ <%= archive_root %>/ + Alias /debian/ <%= @archive_root %>/ ErrorLog /var/log/apache2/ftp.debian.org-error.log CustomLog /var/log/apache2/ftp.debian.org-access.log privacy - Use ftp-archive <%= archive_root %> + Use ftp-archive <%= @archive_root %> UserDir disabled diff --git a/modules/roles/templates/apache-ftp.ports.debian.org.erb b/modules/roles/templates/apache-ftp.ports.debian.org.erb index 458a83e4b..a9d4058e4 100644 --- a/modules/roles/templates/apache-ftp.ports.debian.org.erb +++ b/modules/roles/templates/apache-ftp.ports.debian.org.erb @@ -3,7 +3,7 @@ ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git ## - > + > ServerAdmin debian-admin@debian.org ServerName ftp.ports.debian.org <% if scope.function_onion_global_service_hostname(['ftp.ports.debian.org']) -%> diff --git a/modules/roles/templates/apache-www.debian.org.erb b/modules/roles/templates/apache-www.debian.org.erb index f505aaee1..39f6cee0e 100644 --- a/modules/roles/templates/apache-www.debian.org.erb +++ b/modules/roles/templates/apache-www.debian.org.erb @@ -4,7 +4,7 @@ ## # Need to turn on negotiation_module -/> +/> Options +MultiViews +FollowSymLinks +Indexes AddHandler type-map var # Make sure that the srm.conf directive is commented out. @@ -141,7 +141,7 @@ ServerAlias www.debian.de ServerAlias newwww.deb.at - DocumentRoot <%= wwwdo_document_root %>/ + DocumentRoot <%= @wwwdo_document_root %>/ LogFormat "0.0.0.0 - %u %{[%d/%b/%Y:00:00:00 %z]}t \"%r\" %>s %b \"%{Referer}i\" \"-\" %V" privacy+host ErrorLog /var/log/apache2/www-other.debian.org-error.log CustomLog /var/log/apache2/www-other.debian.org-access.log privacy+host 
@@ -155,7 +155,7 @@ ServerAlias <%= scope.function_onion_global_service_hostname(['www.debian.org']) %> <% end %> - DocumentRoot <%= wwwdo_document_root %>/ + DocumentRoot <%= @wwwdo_document_root %>/ # CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each # document that was negotiated on the basis of content. This asks proxy @@ -253,12 +253,12 @@ RewriteRule ^/devel/debian-volatile/.* /volatile/ [R=301] # Offer a Redirect to DSA without knowing year #474730 - RewriteMap dsa txt:<%= wwwdo_document_root %>/security/map-dsa.txt + RewriteMap dsa txt:<%= @wwwdo_document_root %>/security/map-dsa.txt RewriteRule ^/security/dsa-(\d+)(\..*)? /security/${dsa:$1}$2 [R=301] # Compatibility after SGML -> DocBook # Debian Reference #624239 - RewriteMap reference txt:<%= wwwdo_document_root %>/doc/map-reference.txt + RewriteMap reference txt:<%= @wwwdo_document_root %>/doc/map-reference.txt RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/ch-support$1 !-f RewriteRule ^/doc/manuals/debian-reference/ch-support(.*) /support$1 [L,R=301] RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/${reference:$1}$2 -f @@ -284,13 +284,13 @@ - > + > ErrorLog /var/log/apache2/www.debian.org-error.log CustomLog /var/log/apache2/www.debian.org-access.log privacy Use common-www.d.o - > + > ErrorLog /var/log/apache2/www.debian.org-error.log CustomLog /var/log/apache2/www.debian.org-access.log privacyssl @@ -301,7 +301,7 @@ - > + > Use common-www-other.d.o ErrorLog /var/log/apache2/www-other.debian.org-error.log @@ -309,7 +309,7 @@ Redirect permanent / http://www.debian.org/ - > + > Use common-www-other.d.o CustomLog /var/log/apache2/www-other-access.log privacyssl @@ -320,3 +320,4 @@ Use common-debian-service-ssl debian.org Use common-ssl-HSTS +# vim:set syn=apache: diff --git a/modules/roles/templates/postgresql_server/pg-backup-file.conf.erb b/modules/roles/templates/postgresql_server/pg-backup-file.conf.erb index 1293d385c..ff6700464 100644 
--- a/modules/roles/templates/postgresql_server/pg-backup-file.conf.erb +++ b/modules/roles/templates/postgresql_server/pg-backup-file.conf.erb @@ -1,4 +1,4 @@ -<%- if hostname == "sibelius" then -%> +<%- if @hostname == "sibelius" then -%> # use ipv4 ssh_options="-oAddressFamily=inet" <%- end %> diff --git a/modules/roles/templates/static-mirroring/static-vhost.conf.erb b/modules/roles/templates/static-mirroring/static-vhost.conf.erb index 5b2eb4db3..9a3e83c19 100644 --- a/modules/roles/templates/static-mirroring/static-vhost.conf.erb +++ b/modules/roles/templates/static-mirroring/static-vhost.conf.erb @@ -1,6 +1,6 @@ # puppet maintained - > + > ServerName $name ServerAdmin debian-admin@lists.debian.org @@ -27,7 +27,7 @@ Require all granted - Header set Surrogate-Key <%= hostname %> + Header set Surrogate-Key <%= @hostname %> AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css @@ -35,7 +35,7 @@ - > + > ServerName $name ErrorLog /var/log/apache2/$name-error.log @@ -46,7 +46,7 @@ - > + > ServerName $onion ErrorLog /var/log/apache2/$name-error.log @@ -57,7 +57,7 @@ - > + > ServerName $name ErrorLog /var/log/apache2/$name-error.log diff --git a/modules/roles/templates/static-mirroring/vhost/planet.debian.org.erb b/modules/roles/templates/static-mirroring/vhost/planet.debian.org.erb index 7d0ab0159..9dca69c6e 100644 --- a/modules/roles/templates/static-mirroring/vhost/planet.debian.org.erb +++ b/modules/roles/templates/static-mirroring/vhost/planet.debian.org.erb @@ -1,6 +1,6 @@ <% if scope.function_has_static_component(['planet.debian.org']) -%> - > + > ServerName planet.debian.org ServerAlias planet.debian.net planeta.debian.net planet-backend.debian.org planet-fastly.debian.org planet-maxcdn.debian.org <% if scope.function_onion_global_service_hostname(['planet.debian.org']) -%> 
diff --git a/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb b/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb index b035fed58..b9df97509 100644 --- a/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb +++ b/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb @@ -14,7 +14,7 @@ Redirect /debian-security/ http://cdn-fastly.deb.debian.org/debian-security/ - > + > ServerName deb.debian.org ErrorLog /var/log/apache2/deb.debian.org-error.log @@ -36,7 +36,7 @@ Require all granted - Header set Surrogate-Key <%= hostname %> + Header set Surrogate-Key <%= @hostname %> AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css @@ -240,7 +240,7 @@ lines.join("\n") # www.backports.org is the historical place for the backports # website and archive. It is now a CNAME to backports.debian.org: # redirect http requests. - > + > ServerName www.backports.org ServerAlias lists.backports.org ServerAdmin debian-admin@debian.org @@ -248,27 +248,27 @@ lines.join("\n") ###################### - > + > ServerName www.debian-ports.org ServerAlias debian-ports.org ServerAdmin debian-admin@debian.org RedirectPermanent / https://www.ports.debian.org/ - > + > ServerName ports.debian.org ServerAlias ports.debian.net ServerAdmin debian-admin@debian.org RedirectPermanent / https://www.ports.debian.org/ - > + > ServerName incoming.debian-ports.org ServerAdmin debian-admin@debian.org RedirectPermanent / http://incoming.ports.debian.org/ - > + > ServerName ftp.debian-ports.org ServerAdmin debian-admin@debian.org RedirectPermanent /archive http://www.ports.debian.org @@ -277,7 +277,7 @@ lines.join("\n") RedirectPermanent / http://ftp.ports.debian.org/ - > + > ServerName video.debian.net ServerAdmin debian-admin@debian.org Redirect / http://meetings-archive.debian.net/pub/debian-meetings/ 
@@ -286,7 +286,7 @@ lines.join("\n") # historical sites ################## # now only redirects remain - > + > ServerName women.debian.org ServerAdmin debian-admin@debian.org @@ -303,26 +303,26 @@ lines.join("\n") RedirectPermanent /profiles/ http://www.debian.org/women/profiles/ - > + > ServerName volatile.debian.org ServerAlias volatile-master.debian.org ServerAdmin debian-admin@debian.org RedirectPermanent / http://www.debian.org/volatile/ - > + > ServerName ftp-master.metadata.debian.org ServerAdmin debian-admin@debian.org RedirectPermanent / http://metadata.ftp-master.debian.org/ - > + > ServerName backports-master.debian.org ServerAdmin debian-admin@debian.org RedirectPermanent / https://backports.debian.org/ - > + > ServerName manpages.debian.net ServerAdmin debian-admin@debian.org Redirect / https://manpages.debian.org/ diff --git a/modules/roles/templates/syncproxy/rsyncd.conf.erb b/modules/roles/templates/syncproxy/rsyncd.conf.erb index d27bcc487..a04eeae7a 100644 --- a/modules/roles/templates/syncproxy/rsyncd.conf.erb +++ b/modules/roles/templates/syncproxy/rsyncd.conf.erb @@ -14,7 +14,7 @@ strict modes = false [debian] path = /srv/mirrors/debian/ -<%- unless has_variable?("has_srv_mirrors_debian") && has_srv_mirrors_debian == "true" -%> +<%- unless has_variable?("has_srv_mirrors_debian") && @has_srv_mirrors_debian -%> list = no <%- end -%> comment = Debian archive (contact mirrors@debian.org for access; see https://www.debian.org/mirror/size for size) @@ -23,7 +23,7 @@ strict modes = false [debian-debug] path = /srv/mirrors/debian-debug/ -<%- unless has_variable?("has_srv_mirrors_debian_debug") && has_srv_mirrors_debian_debug == "true" -%> +<%- unless has_variable?("has_srv_mirrors_debian_debug") && @has_srv_mirrors_debian_debug -%> list = no <%- end -%> comment = Debug packages for Debian archive (contact mirrors@debian.org for access) 
@@ -32,7 +32,7 @@ strict modes = false [debian-ports] path = /srv/mirrors/debian-ports/ -<%- unless has_variable?("has_srv_mirrors_debian_debug") && has_srv_mirrors_debian_debug == "true" -%> +<%- unless has_variable?("has_srv_mirrors_debian_debug") && @has_srv_mirrors_debian_debug -%> list = no <%- end -%> comment = Debian ports archive (contact mirrors@debian.org for access) @@ -41,7 +41,7 @@ strict modes = false [debian-security] path = /srv/mirrors/debian-security/ -<%- unless has_variable?("has_srv_mirrors_debian_security") && has_srv_mirrors_debian_security == "true" -%> +<%- unless has_variable?("has_srv_mirrors_debian_security") && @has_srv_mirrors_debian_security -%> list = no <%- end -%> comment = Debian security archive (contact mirrors@debian.org for access) diff --git a/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb b/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb index de01c02a5..e81cbe308 100644 --- a/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb +++ b/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb 
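Review bot: The `[debian-ports]` section still keys its `list = no` guard on `has_srv_mirrors_debian_debug` rather than the ports fact; the commit only adds the `@` sigil and carries the mismatch into the new line, so the ports module is listed or hidden according to whether the debug mirror exists. The syncproxy apache template in this same commit derives `has_srv_mirrors_debian_ports` from the archive name, so that fact presumably exists. Change the line to `<%- unless has_variable?("has_srv_mirrors_debian_ports") && @has_srv_mirrors_debian_ports -%>`.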
@@ -4,25 +4,25 @@ ## <% - vhost_listen = [ (bind != '') ? "#{bind}" : "*", (bind6 != '') ? "#{bind6}" : "*"].uniq - vhost_listen_443 = [ (bind != '') ? "#{bind}:443" : "*:443", (bind6 != '') ? "[#{bind6}]:443" : "*:443"].uniq + vhost_listen = [ (@bind != '') ? "#{@bind}" : "*", (@bind6 != '') ? "#{@bind6}" : "*"].uniq + vhost_listen_443 = [ (@bind != '') ? "#{@bind}:443" : "*:443", (@bind6 != '') ? "[#{@bind6}]:443" : "*:443"].uniq %> <%= lines = [] vhost_listen.each do |bind| - lines << "Use common-debian-service-https-redirect \"#{bind}\" \"#{syncproxy_name}\"" + lines << "Use common-debian-service-https-redirect \"#{bind}\" \"#{@syncproxy_name}\"" end lines.join("\n") %> > - ServerName <%= syncproxy_name %> + ServerName <%= @syncproxy_name %> DocumentRoot /srv/www/syncproxy.debian.org/htdocs - Use common-debian-service-ssl <%= syncproxy_name %> + Use common-debian-service-ssl <%= @syncproxy_name %> Use common-ssl-HSTS - Use http-pkp-<%= syncproxy_name %> + Use http-pkp-<%= @syncproxy_name %> Require all granted @@ -35,7 +35,7 @@ lines.join("\n") lines = [] %w{debian debian-debug debian-ports debian-security}.each do |archive| varname = 'has_srv_mirrors_' + archive.gsub(/[\/-]/,'_') - if has_variable?(varname) and (eval(varname)) == 'true' + if has_variable?(varname) and (eval("@"+varname)) lines << " Alias /#{archive}/project/trace/ /srv/mirrors/#{archive}/project/trace/" lines << " " lines << " Require all granted" diff --git a/modules/roles/templates/syncproxy/syncproxy.debian.org-index.html.erb b/modules/roles/templates/syncproxy/syncproxy.debian.org-index.html.erb index 062731ee9..ef9fdfcd5 100644 --- a/modules/roles/templates/syncproxy/syncproxy.debian.org-index.html.erb +++ b/modules/roles/templates/syncproxy/syncproxy.debian.org-index.html.erb @@ -1,13 +1,13 @@ - Welcome to <%= syncproxy_name %>! + Welcome to <%= @syncproxy_name %>! -
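Review bot: `eval("@"+varname)` in the trace-directory loop builds Ruby source from a string just to read an instance variable; `instance_variable_get("@#{varname}")` performs the same lookup without `eval` and cannot execute anything if the list of archive names ever becomes data rather than a literal. The same construct appears in syncproxy.debian.org-index.html.erb in this commit. Change the line to `if has_variable?(varname) and instance_variable_get("@#{varname}")`.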

Welcome to <%= syncproxy_name %>!

+

Welcome to <%= @syncproxy_name %>!

-This is <%= syncproxy_name %>, a syncproxy run by and for the , a syncproxy run by and for the Debian Project to aid in mirroring our software. Consult the mirrors section of the Debian website for more information. @@ -20,7 +20,7 @@ This syncproxy contains copies of the following archives. lines = [] %w{debian debian-debug debian-ports debian-security}.each do |archive| varname = 'has_srv_mirrors_' + archive.gsub(/[\/-]/,'_') - if has_variable?(varname) and (eval(varname)) == 'true' + if has_variable?(varname) and (eval("@"+varname)) lines << "
  • #{archive} [trace directory]
  • " end end diff --git a/modules/rsync/manifests/site.pp b/modules/rsync/manifests/site.pp index ab47a1ad3..04c1e20e9 100644 --- a/modules/rsync/manifests/site.pp +++ b/modules/rsync/manifests/site.pp @@ -1,11 +1,11 @@ define rsync::site ( $bind='', $bind6='', - $source='', - $content='', + $source=undef, + $content=undef, $max_clients=200, $ensure=present, - $sslname='', + $sslname=undef, $sslport=1873 ){ @@ -62,7 +62,7 @@ define rsync::site ( } } - if $sslname != '' { + if $sslname { file { "/etc/rsyncd-${name}-stunnel.conf": content => template('rsync/rsyncd-stunnel.conf.erb'), require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"], diff --git a/modules/rsync/templates/rsyncd-stunnel.conf.erb b/modules/rsync/templates/rsyncd-stunnel.conf.erb index f57d67aff..ffb7ba862 100644 --- a/modules/rsync/templates/rsyncd-stunnel.conf.erb +++ b/modules/rsync/templates/rsyncd-stunnel.conf.erb @@ -1,5 +1,5 @@ -cert = /etc/ssl/debian/certs/<%= sslname %>.crt-chained -key = /etc/ssl/private/<%= sslname %>.key +cert = /etc/ssl/debian/certs/<%= @sslname %>.crt-chained +key = /etc/ssl/private/<%= @sslname %>.key debug = notice @@ -8,4 +8,4 @@ socket = a:SO_LINGER=1:60 socket = a:SO_KEEPALIVE=1 exec = /usr/bin/rsync -execargs = rsync --daemon --config=/etc/rsyncd-<%= name %>.conf +execargs = rsync --daemon --config=/etc/rsyncd-<%= @name %>.conf diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb index 018a05ebe..93116acea 100644 --- a/modules/samhain/templates/samhainrc.erb +++ b/modules/samhain/templates/samhainrc.erb @@ -835,7 +835,7 @@ SyslogSeverity=alert # # SetDefault = no -<% if @lsbmajdistrelease >= '9' -%> +<% if scope.call_function('versioncmp', [@lsbmajdistrelease, '9']) >= 0 -%> [PortCheck] PortCheckActive=0 <% end -%> diff --git a/modules/schroot/manifests/init.pp b/modules/schroot/manifests/init.pp index 14bb91455..7c5e00896 100644 --- a/modules/schroot/manifests/init.pp +++ b/modules/schroot/manifests/init.pp 
@@ -33,12 +33,10 @@ class schroot { source => 'puppet:///modules/schroot/schroot-setup.d/99porterbox-extra-sources', require => Package['schroot'], } - if ($::lsbmajdistrelease >= 8) { - file { '/etc/schroot/setup.d/99builddsourceslist': - mode => '0555', - source => 'puppet:///modules/schroot/schroot-setup.d/99builddsourceslist', - require => Package['schroot'], - } + file { '/etc/schroot/setup.d/99builddsourceslist': + mode => '0555', + source => 'puppet:///modules/schroot/schroot-setup.d/99builddsourceslist', + require => Package['schroot'], } file { '/usr/local/sbin/setup-dchroot': diff --git a/modules/schroot/templates/schroot-buildd/fstab.erb b/modules/schroot/templates/schroot-buildd/fstab.erb index 56a87563e..7fe230f9d 100644 --- a/modules/schroot/templates/schroot-buildd/fstab.erb +++ b/modules/schroot/templates/schroot-buildd/fstab.erb @@ -18,7 +18,7 @@ dev /dev/fd fdescfs rw 0 0 /dev/pts /dev/pts none rw,bind 0 0 tmpfs-shm /dev/shm tmpfs defaults,size=64m 0 0 -<%- if has_variable?("has_srv_build_trees") && has_srv_build_trees == "true" -%> +<%- if has_variable?("has_srv_build_trees") && @has_srv_build_trees -%> /srv/build-trees /build none rw,bind 0 0 <% end %> diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp index fc576f82f..56537e43d 100644 --- a/modules/ssh/manifests/init.pp +++ b/modules/ssh/manifests/init.pp @@ -37,7 +37,7 @@ class ssh { content => template('ssh/authorized_keys.erb'), } - if ($::lsbmajdistrelease >= '8') { + if (versioncmp($::lsbmajdistrelease, '8') >= 0) { if ! $has_etc_ssh_ssh_host_ed25519_key { exec { 'create-ed25519-host-key': command => 'ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -q -P "" -t ed25519', diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb index 7a8ff877c..d2ad6b37c 100644 --- a/modules/ssh/templates/sshd_config.erb +++ b/modules/ssh/templates/sshd_config.erb 
@@ -24,7 +24,7 @@ extraports Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key -<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key == "true" -%> +<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key -%> HostKey /etc/ssh/ssh_host_ed25519_key <% end %> #Privilege Separation is turned on for security diff --git a/modules/ssl/templates/chained.erb b/modules/ssl/templates/chained.erb index 778a5b817..737b9f5a9 100644 --- a/modules/ssl/templates/chained.erb +++ b/modules/ssl/templates/chained.erb @@ -1,13 +1,13 @@ <%= out = "" - fn = "/etc/puppet/modules/ssl/files/servicecerts/#{name}.crt" + fn = "/etc/puppet/modules/ssl/files/servicecerts/#{@name}.crt" if File.exist?(fn) then out = File.read(fn) - chain = "/etc/puppet/modules/ssl/files/chains/#{name}.crt" + chain = "/etc/puppet/modules/ssl/files/chains/#{@name}.crt" out += File.exist?(chain) ? ("\n" + File.read(chain)) : '' else - fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{name}.crt-chained" + fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{@name}.crt-chained" out = File.read(fn) end out diff --git a/modules/ssl/templates/key-chained.erb b/modules/ssl/templates/key-chained.erb index 2fbace05a..75b34283f 100644 --- a/modules/ssl/templates/key-chained.erb +++ b/modules/ssl/templates/key-chained.erb 
@@ -1,24 +1,24 @@ <%= out = "" - fn = "/etc/puppet/modules/ssl/files/keys/#{name}.crt" + fn = "/etc/puppet/modules/ssl/files/keys/#{@name}.crt" if File.exist?(fn) then out = File.read(fn) else - fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{name}.key" + fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{@name}.key" out = File.read(fn) end out %> <%= out = "" - fn = "/etc/puppet/modules/ssl/files/servicecerts/#{name}.crt" + fn = "/etc/puppet/modules/ssl/files/servicecerts/#{@name}.crt" if File.exist?(fn) then out = File.read(fn) - chain = "/etc/puppet/modules/ssl/files/chains/#{name}.crt" + chain = "/etc/puppet/modules/ssl/files/chains/#{@name}.crt" out += File.exist?(chain) ? ("\n" + File.read(chain)) : '' else - fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{name}.crt-chained" + fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{@name}.crt-chained" out = File.read(fn) end out diff --git a/modules/stunnel4/templates/stunnel.conf.erb b/modules/stunnel4/templates/stunnel.conf.erb index 67cf7fd67..7cf1a6faa 100644 --- a/modules/stunnel4/templates/stunnel.conf.erb +++ b/modules/stunnel4/templates/stunnel.conf.erb @@ -35,7 +35,7 @@ socket = a:SO_LINGER=1:60 socket = a:SO_KEEPALIVE=1 [<%= @name %>-server] -accept = <%= @accept =~ /:/ ? @accept : ":::#{accept}" %> +accept = <%= @accept =~ /:/ ? @accept : ":::#{@accept}" %> connect = <%= @connect %> <%- if @local -%> local = <%= @local %> diff --git a/modules/systemdtimesyncd/templates/timesyncd.conf.erb b/modules/systemdtimesyncd/templates/timesyncd.conf.erb index 7065c7899..761a570f1 100644 --- a/modules/systemdtimesyncd/templates/timesyncd.conf.erb +++ b/modules/systemdtimesyncd/templates/timesyncd.conf.erb @@ -16,7 +16,7 @@ #Servers=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org <%= servers = [] - localtimeservers.each do |node| + @localtimeservers.each do |node| scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |addr| servers << addr end