Bastian Blank [Tue, 11 Apr 2017 17:12:13 +0000 (19:12 +0200)]
Use relative paths in environment.conf
Martin Zobel-Helas [Wed, 19 Apr 2017 07:45:46 +0000 (09:45 +0200)]
Merge remote-tracking branch 'waldi/rsync-cleanup'
* waldi/rsync-cleanup:
Lower client limit for rsync on masters
Disable reverse lookup in rsyncd
Drop max connections from rsyncd configs
Disable the security repository for smetana
Bastian Blank [Wed, 19 Apr 2017 07:40:04 +0000 (09:40 +0200)]
Lower client limit for rsync on masters
We only need one (or two for security-master) concurrent connections per
direct mirror or syncproxy.
Bastian Blank [Wed, 19 Apr 2017 07:36:26 +0000 (09:36 +0200)]
Disable reverse lookup in rsyncd
Due to restrictions enforced by systemd we don't have any access to DNS.
As a lot of connections are coming via stunnel, we don't see the remote
IP anyway. Just disable all reverse lookups and the warnings.
Bastian Blank [Wed, 19 Apr 2017 07:31:32 +0000 (09:31 +0200)]
Drop max connections from rsyncd configs
We have an independent connection limit in systemd. So drop the ones
from rsyncd configs.
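The three commits above move two things out of rsyncd.conf: the connection cap (now enforced by the socket unit) and reverse lookups (not possible without DNS inside the sandboxed unit, and meaningless when every peer arrives through a local stunnel). The two files below are an added example of that split, not the dsa-puppet templates; the unit names, addresses, module, paths and limits are assumptions. The setup relies on rsync's inetd mode: when `rsync --daemon` is started by a per-connection (`Accept=yes`) socket it serves the connection on stdin.

```ini
# /etc/rsyncd.conf  (added example, not the dsa-puppet template)
# No "max connections" line: the cap lives in rsync.socket below.
# No lookups: the unit has no DNS, and behind stunnel the peer is 127.0.0.1.
reverse lookup = no
forward lookup = no
use chroot = yes
uid = nobody
gid = nogroup
read only = yes

[debian]
    path = /srv/mirrors/debian
    comment = Debian archive (assumed module and path)

# /etc/systemd/system/rsync.socket
[Socket]
# assumed addresses; one ListenStream per bound address
ListenStream=203.0.113.10:873
ListenStream=[2001:db8::10]:873
Accept=yes
# concurrent rsync@.service instances, i.e. the limit that used to be
# "max connections" in rsyncd.conf
MaxConnections=2

[Install]
WantedBy=sockets.target

# /etc/systemd/system/rsync@.service
[Unit]
Description=rsync daemon (one instance per connection)

[Service]
ExecStart=/usr/bin/rsync --daemon --config=/etc/rsyncd.conf
StandardInput=socket
StandardError=journal
```

Two checks worth doing before relying on this: `MaxConnections=` counts running `rsync@*.service` instances, so a stuck instance consumes a slot until it exits, and `MaxConnectionsPerSource=` (systemd 232 and later) is useless when all traffic comes through a local stunnel, because every connection then shares the same source address. For the same reason `hosts allow` in rsyncd.conf cannot distinguish stunnel clients; access control has to happen at the stunnel or firewall layer.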
Aurelien Jarno [Tue, 18 Apr 2017 22:13:45 +0000 (00:13 +0200)]
Disable the security repository for smetana
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 18 Apr 2017 17:26:02 +0000 (19:26 +0200)]
Setup sibelius as a NFS server exporting to sallinen
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 18 Apr 2017 08:03:10 +0000 (10:03 +0200)]
Add a debian-ports-buildd-dists rsync share
Peter Palfrader [Sun, 16 Apr 2017 12:41:54 +0000 (14:41 +0200)]
layout changes
Peter Palfrader [Sun, 16 Apr 2017 12:37:03 +0000 (14:37 +0200)]
spelling fixes
Peter Palfrader [Sun, 16 Apr 2017 12:35:13 +0000 (14:35 +0200)]
archive.debian.net vhost on right port
Peter Palfrader [Sun, 16 Apr 2017 12:33:00 +0000 (14:33 +0200)]
archive.debian.net vhost
Peter Palfrader [Sun, 16 Apr 2017 12:23:26 +0000 (14:23 +0200)]
and put archive.d.n ssl cert onto the host
Peter Palfrader [Sun, 16 Apr 2017 12:23:16 +0000 (14:23 +0200)]
Fix path
Peter Palfrader [Sun, 16 Apr 2017 12:21:18 +0000 (14:21 +0200)]
Add a 503.html for archive.debian.net
Aurelien Jarno [Sun, 16 Apr 2017 10:50:54 +0000 (12:50 +0200)]
dsa-puppet-stuff: check for puppet version instead of debian release
As we might install backport versions of puppet.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Martin Zobel-Helas [Thu, 13 Apr 2017 00:11:03 +0000 (02:11 +0200)]
add skroutz
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Thu, 13 Apr 2017 00:06:22 +0000 (02:06 +0200)]
add skroutz
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Thu, 13 Apr 2017 00:05:03 +0000 (02:05 +0200)]
Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet
* 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet:
Use list of binds in apache config for syncproxies
Martin Zobel-Helas [Thu, 13 Apr 2017 00:04:46 +0000 (02:04 +0200)]
add skroutz
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Wed, 12 Apr 2017 07:13:54 +0000 (09:13 +0200)]
Use list of binds in apache config for syncproxies
Julien Cristau [Wed, 12 Apr 2017 06:29:34 +0000 (08:29 +0200)]
Try to fix apache syncproxy config
Bastian Blank [Tue, 11 Apr 2017 12:40:55 +0000 (14:40 +0200)]
Rename vsftpd::site_systemd to vsftpd::site
Bastian Blank [Tue, 11 Apr 2017 12:39:47 +0000 (14:39 +0200)]
Rename rsync::site_systemd to rsync::site
Bastian Blank [Tue, 11 Apr 2017 12:36:28 +0000 (14:36 +0200)]
Drop xinetd support in vsftpd
Bastian Blank [Tue, 11 Apr 2017 12:35:56 +0000 (14:35 +0200)]
Drop xinetd support in rsync
Aurelien Jarno [Tue, 11 Apr 2017 13:30:37 +0000 (15:30 +0200)]
puppet.conf: fix a typo in my previous commit
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 11 Apr 2017 13:27:40 +0000 (15:27 +0200)]
puppet.conf: split configtimeout into http_connect_timeout and http_read_timeout on stretch hosts
configtimeout has been deprecated in puppet version 4.1.0. It has been
split into http_connect_timeout and http_read_timeout. The former
controls how long Puppet should attempt to make a connection and the
latter controls how long Puppet should allow transfers to continue.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 11 Apr 2017 13:20:50 +0000 (15:20 +0200)]
puppet.conf: do not set pluginsync=true on stretch hosts
pluginsync has been deprecated in puppet version 4.4.0. It is however
the default, so it can be safely removed from the configuration file.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Bastian Blank [Tue, 11 Apr 2017 10:55:45 +0000 (12:55 +0200)]
Re-introduce ftpsite variable
Martin Zobel-Helas [Tue, 11 Apr 2017 10:51:29 +0000 (12:51 +0200)]
Merge remote-tracking branch 'waldi/rsyncd-vsftpd-systemd-all'
* waldi/rsyncd-vsftpd-systemd-all:
Another try to fix xinetd vs. systemd
Pull in ftp conntrack in vsftpd site
Use rsyncd via systemd on bugs_mirror
Use rsyncd via systemd on wiki
Use rsyncd via systemd on snapshot
Use vsftpd via systemd on ftp
Use rsyncd via systemd on syncproxy
Use rsyncd and vsftpd via systemd on security_mirror
Fix dependencies between service and xinetd
Aurelien Jarno [Tue, 11 Apr 2017 10:33:30 +0000 (12:33 +0200)]
Only switch FTP conntrack to explicit CT target for stretch hosts
While it also works for jessie, it requires a reboot as module
loading is disabled.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 11 Apr 2017 10:22:52 +0000 (12:22 +0200)]
Switch FTP conntrack to explicit CT target
From Linux 4.7, automatic conntrack helper assignment has been disabled.
An explicit CT target should be used instead, which also automatically
loads the corresponding conntrack module.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
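The explicit-CT rule described in the two commits above, written out as an added example (this is not the dsa-puppet ferm or iptables template). Since Linux 4.7 `net.netfilter.nf_conntrack_helper` defaults to 0, so loading `nf_conntrack_ftp` no longer attaches the helper to every flow on port 21; the data connections then never become RELATED and are dropped. The `CT --helper ftp` target in the raw table attaches the helper to exactly the flows you name (and loads the module), which is also why the kernel changed the default: a helper that attaches itself to whatever port a client negotiates is a parser exposed to arbitrary traffic. The port, addresses and the version threshold in `kernel_needs_explicit_ct` are assumptions for illustration; the functions print rules and do not apply them.

```sh
#!/bin/sh
# Added example, not dsa-puppet code: build the iptables rules that attach the
# FTP conntrack helper explicitly, as required on Linux >= 4.7 where
# net.netfilter.nf_conntrack_helper defaults to 0.

# kernel_needs_explicit_ct VERSION -> true when VERSION (e.g. "$(uname -r)")
# is 4.7 or newer, i.e. automatic helper assignment is off by default.
kernel_needs_explicit_ct() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # "9-rc1" -> "9"
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 7 ]; }
}

# helper_autoassign_enabled -> true only if the legacy sysctl is still on
helper_autoassign_enabled() {
    [ "$(sysctl -n net.netfilter.nf_conntrack_helper 2>/dev/null)" = "1" ]
}

# ftp_ct_rules PORT [ADDR...] -> prints, one per line, the raw-table rule that
# attaches the ftp helper to control connections on PORT for each bound
# address (any address for both families when none is given), followed by the
# filter rules that admit the helper-expected data connections as RELATED.
# Addresses containing ":" are treated as IPv6 and get ip6tables.
ftp_ct_rules() {
    port=$1; shift
    [ $# -gt 0 ] || set -- 0.0.0.0/0 ::/0
    for a in "$@"; do
        case $a in
            *:*) ipt=ip6tables ;;
            *)   ipt=iptables ;;
        esac
        echo "$ipt -t raw -A PREROUTING -p tcp -d $a --dport $port -j CT --helper ftp"
    done
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Usage (assumed addresses):
#   kernel_needs_explicit_ct "$(uname -r)" && ftp_ct_rules 21 203.0.113.10 2001:db8::10 | sh
```

The raw-table rule has to come before conntrack sees the packet, which is why it goes into `raw PREROUTING` rather than `filter INPUT`. On a jessie kernel older than 4.7 the rules are harmless but redundant; the commit restricts them to stretch because applying them there would have required loading the module under a policy that forbids it until reboot.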
Bastian Blank [Mon, 10 Apr 2017 20:30:56 +0000 (22:30 +0200)]
Another try to fix xinetd vs. systemd
Bastian Blank [Fri, 31 Mar 2017 16:53:27 +0000 (18:53 +0200)]
Pull in ftp conntrack in vsftpd site
Bastian Blank [Fri, 31 Mar 2017 20:20:15 +0000 (22:20 +0200)]
Use rsyncd via systemd on bugs_mirror
Bastian Blank [Fri, 31 Mar 2017 18:01:03 +0000 (20:01 +0200)]
Use rsyncd via systemd on wiki
Bastian Blank [Fri, 31 Mar 2017 18:00:47 +0000 (20:00 +0200)]
Use rsyncd via systemd on snapshot
Bastian Blank [Fri, 31 Mar 2017 16:33:45 +0000 (18:33 +0200)]
Use vsftpd via systemd on ftp
We also only need a list of bind addresses, so merge them.
Bastian Blank [Fri, 31 Mar 2017 17:46:11 +0000 (19:46 +0200)]
Use rsyncd via systemd on syncproxy
We also only need a list of bind addresses, so merge them.
Bastian Blank [Fri, 31 Mar 2017 16:25:27 +0000 (18:25 +0200)]
Use rsyncd and vsftpd via systemd on security_mirror
We also only need a list of bind addresses, so merge them.
Bastian Blank [Fri, 31 Mar 2017 16:51:35 +0000 (18:51 +0200)]
Fix dependencies between service and xinetd
Martin Zobel-Helas [Mon, 10 Apr 2017 15:11:09 +0000 (17:11 +0200)]
Merge remote-tracking branch 'waldi/vsftpd-systemd-upload'
* waldi/vsftpd-systemd-upload:
Use vsftpd via systemd on security_master
Use vsftpd via systemd on ftp_upload
Make sure xinetd is restarted on service removal
Aurelien Jarno [Sat, 8 Apr 2017 16:57:59 +0000 (18:57 +0200)]
samhain: disable SuidCheck for /srv/buildd/unpack on buildds
The SuidCheck module was not available in jessie (despite our
configuration file mentioning it), and is now enabled by default in
stretch.
For the build daemons, we need to disable suid checks in
/srv/buildd/unpack.
For the porterboxes, we need to disable suid checks in
/srv/chroot/schroot-unpack.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
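On stretch the `[SuidCheck]` section is honoured for the first time, so the exclusion this commit describes has to be stated explicitly. The section below is an added example of that configuration, not the dsa-puppet samhainrc template; the interval and severity values are assumptions. samhain takes a single `SuidCheckExclude` directory (subdirectories included), which is why buildds and porterboxes need different values rather than two lines in one file. Build chroots unpacked from tarballs legitimately contain setuid binaries (su, mount and the like) that appear and vanish with every build, so without the exclusion every build would raise an alert.

```ini
# samhainrc excerpt (added example, not the dsa-puppet template)
[SuidCheck]
# compiled in on stretch; jessie silently ignored this section
SuidCheckActive = yes
# seconds between full filesystem scans for setuid/setgid files (assumed)
SuidCheckInterval = 86400
# buildd: transient sbuild chroots; porterboxes use
# /srv/chroot/schroot-unpack instead
SuidCheckExclude = /srv/buildd/unpack
SeveritySuidCheck = crit
```

The trade-off is that a setuid file dropped under the excluded tree is not reported at all; that is acceptable only because the unpack directories hold disposable chroots, and it is worth pairing with a `nosuid` mount of the same path so the excluded files cannot be executed with elevated privileges from outside a chroot session.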
Aurelien Jarno [Sat, 8 Apr 2017 08:59:23 +0000 (10:59 +0200)]
Fix kvmdomain facter
QEMU can return a CPU model different than "QEMU Virtual CPU". Check for
the "hypervisor" flag instead.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
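The detection change from this commit, as an added example (not the dsa-puppet `kvmdomain` fact, which is a facter Ruby fact): a model-name match breaks as soon as a guest is started with `-cpu host`, because the guest then sees the host's model string, whereas the `hypervisor` CPUID bit is set for any x86 guest regardless of the advertised model. The `/proc/cpuinfo` excerpts produced by `sample_cpuinfo` are constructed for the test.

```sh
#!/bin/sh
# Added example, not the dsa-puppet kvmdomain fact: decide from /proc/cpuinfo
# whether this host is a virtual guest.

# sample_cpuinfo KIND -> constructed /proc/cpuinfo excerpts used for testing
sample_cpuinfo() {
    case $1 in
    legacy)      model='QEMU Virtual CPU version 2.5+'
                 flags='fpu vme de pse tsc msr hypervisor lahf_lm' ;;
    passthrough) model='Intel(R) Xeon(R) CPU E5-2650 v4 @ 2.20GHz'
                 flags='fpu vme de pse tsc msr nx hypervisor lahf_lm' ;;
    baremetal)   model='Intel(R) Xeon(R) CPU E5-2650 v4 @ 2.20GHz'
                 flags='fpu vme de pse tsc msr nx lahf_lm' ;;
    *)           echo "unknown sample: $1" >&2; return 1 ;;
    esac
    printf 'processor\t: 0\nmodel name\t: %s\nflags\t\t: %s\n' "$model" "$flags"
}

# is_x86_guest [FILE] -> true when the flags line carries "hypervisor"
# (FILE defaults to /proc/cpuinfo)
is_x86_guest() {
    grep -E '^flags[[:space:]]*:' "${1:-/proc/cpuinfo}" | grep -qw hypervisor
}

# model_name_says_qemu [FILE] -> the old heuristic, kept for comparison
model_name_says_qemu() {
    grep -q 'QEMU Virtual CPU' "${1:-/proc/cpuinfo}"
}

# kvmdomain_fact [FILE] -> prints "true" or "false", the value a fact returns
kvmdomain_fact() {
    if is_x86_guest "$1"; then echo true; else echo false; fi
}
```

Two caveats: the `hypervisor` bit is set by every hypervisor (VMware, Xen HVM, Hyper-V, KVM), so this says "guest", not "KVM guest"; `/sys/class/dmi/id/sys_vendor` or `systemd-detect-virt` tells them apart. Non-x86 guests have no `flags` line at all, so there the function answers "false" and a different source is needed.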
Aurelien Jarno [Fri, 7 Apr 2017 17:24:11 +0000 (19:24 +0200)]
Try to fix previous commit about rng-tools
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Fri, 7 Apr 2017 17:14:56 +0000 (19:14 +0200)]
Do not install rng-tools on stretch VMs
Newer kernel versions, including the one in stretch, are able to fill the
entropy pool from a hardware random number generator without the help of
userspace. The quality option determines how much entropy is used from
the hardware random number generator and defaults to the maximum for virtio-rng.
Therefore we don't need rng-tools anymore on stretch VMs.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Thu, 6 Apr 2017 07:17:29 +0000 (09:17 +0200)]
setup-dchroot: fix root directory permissions
When using stretch, the debootstrap process does not change the
permissions of the root directory of the chroot. As it is created
with mktemp, it ends up not being readable by a normal user like
"buildd". Change the permissions just before creating the tarball
to avoid that.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Paul Wise [Thu, 6 Apr 2017 02:21:30 +0000 (10:21 +0800)]
Typo
Paul Wise [Thu, 6 Apr 2017 01:55:12 +0000 (09:55 +0800)]
Use standard update-ca-certificates on stretch and later
The changes in update-ca-certificates-dsa got merged in stretch ca-certificates.
Paul Wise [Wed, 5 Apr 2017 23:07:52 +0000 (07:07 +0800)]
Switch from psutil.phymem_usage() to psutil.virtual_memory()
The former was deprecated in version 0.6.0 and removed after jessie:
https://github.com/giampaolo/psutil/blob/master/HISTORY.rst
Aurelien Jarno [Wed, 5 Apr 2017 19:22:32 +0000 (21:22 +0200)]
Update ssh upload rsync wrapper for stretch
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Bastian Blank [Fri, 31 Mar 2017 15:17:56 +0000 (17:17 +0200)]
Use vsftpd via systemd on security_master
Bastian Blank [Fri, 31 Mar 2017 15:17:37 +0000 (17:17 +0200)]
Use vsftpd via systemd on ftp_upload
Bastian Blank [Fri, 31 Mar 2017 17:57:00 +0000 (19:57 +0200)]
Make sure xinetd is restarted on service removal
Martin Zobel-Helas [Fri, 31 Mar 2017 14:52:42 +0000 (16:52 +0200)]
Merge remote-tracking branch 'waldi/vsftpd-systemd'
* waldi/vsftpd-systemd:
Use vsftpd::site_systemd on ports_master
Add systemd backed vsftpd service
Bastian Blank [Fri, 31 Mar 2017 13:41:22 +0000 (15:41 +0200)]
Use vsftpd::site_systemd on ports_master
Bastian Blank [Fri, 31 Mar 2017 13:38:32 +0000 (15:38 +0200)]
Add systemd backed vsftpd service
Julien Cristau [Fri, 31 Mar 2017 13:14:55 +0000 (15:14 +0200)]
Merge branch 'fix-security' of https://gitlab.com/waldi/dsa-puppet
Signed-off-by: Julien Cristau <jcristau@debian.org>
Bastian Blank [Fri, 31 Mar 2017 13:02:11 +0000 (15:02 +0200)]
Provide expected parameters to vsftp site
Bastian Blank [Fri, 31 Mar 2017 09:19:10 +0000 (11:19 +0200)]
Setup /srv/ftp.root in security_mirror role
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Fri, 31 Mar 2017 09:27:09 +0000 (11:27 +0200)]
Disable ftp in security_mirror role
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Fri, 31 Mar 2017 09:24:35 +0000 (11:24 +0200)]
Allow ensure absent in vsftp::site
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Fri, 31 Mar 2017 09:15:33 +0000 (11:15 +0200)]
Don't need ftp on mirror-accumu
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Thu, 30 Mar 2017 20:36:23 +0000 (22:36 +0200)]
add mirror-accumu to security_mirror
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Julien Cristau [Thu, 30 Mar 2017 08:58:21 +0000 (10:58 +0200)]
update debian.org DS
Peter Palfrader [Tue, 28 Mar 2017 12:00:24 +0000 (14:00 +0200)]
Purge mlocate from fasolo and all other hosts
Peter Palfrader [Tue, 28 Mar 2017 11:57:39 +0000 (13:57 +0200)]
Allow larger volumes
Peter Palfrader [Tue, 28 Mar 2017 11:51:33 +0000 (13:51 +0200)]
and we need python3-psycopg2
Peter Palfrader [Tue, 28 Mar 2017 11:49:43 +0000 (13:49 +0200)]
remove obsolete volumes daily
Peter Palfrader [Tue, 28 Mar 2017 11:43:30 +0000 (13:43 +0200)]
make bacula storage and director roles
Peter Palfrader [Tue, 28 Mar 2017 11:24:13 +0000 (13:24 +0200)]
bacula db access from storace
Peter Palfrader [Tue, 28 Mar 2017 09:03:17 +0000 (11:03 +0200)]
fix accumu netrange, again
Peter Palfrader [Tue, 28 Mar 2017 09:01:22 +0000 (11:01 +0200)]
update accumu netrange
Peter Palfrader [Tue, 28 Mar 2017 09:00:30 +0000 (11:00 +0200)]
update accumu netrange
Peter Palfrader [Sun, 26 Mar 2017 11:47:55 +0000 (13:47 +0200)]
ignore /srv in samhain
Paul Wise [Sat, 25 Mar 2017 07:56:59 +0000 (15:56 +0800)]
Revert "Update configuration for SSL ca-debian cert store"
This reverts commit f35f47969e10aeeaf6a48ad2a0f4dbde1f2f9de3.
Paul Wise [Sat, 25 Mar 2017 07:03:18 +0000 (15:03 +0800)]
Fix typo
Paul Wise [Sat, 25 Mar 2017 06:52:02 +0000 (14:52 +0800)]
Update configuration for SSL ca-debian cert store
Remove AddTrust as it isn't used any more.
Switch from the DST root CA to ISRG on jessie and newer
for Let's Encrypt since it has less intermediate CAs.
The ISRG root isn't available in wheezy ca-certificates.
Document why each CA cert is being used with comments.
Martin Zobel-Helas [Fri, 24 Mar 2017 13:14:13 +0000 (14:14 +0100)]
add mirror-accumu as anycast bgp host
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Peter Palfrader [Mon, 20 Mar 2017 17:42:28 +0000 (17:42 +0000)]
fix storage-per-client.conf template
Peter Palfrader [Mon, 20 Mar 2017 17:39:35 +0000 (17:39 +0000)]
fix per-client.conf template
Peter Palfrader [Mon, 20 Mar 2017 17:26:11 +0000 (17:26 +0000)]
fix munin.conf_per_node template
Peter Palfrader [Mon, 20 Mar 2017 16:03:33 +0000 (17:03 +0100)]
Use the dsa-check-libs from the dsa nagios checks package again
Peter Palfrader [Mon, 20 Mar 2017 15:57:59 +0000 (16:57 +0100)]
remove debian.restricted.list apt source on hosts without proliant raid
Peter Palfrader [Mon, 20 Mar 2017 15:39:12 +0000 (16:39 +0100)]
move munin.conf_per_node.erb to the right place
Julien Cristau [Mon, 20 Mar 2017 14:19:37 +0000 (15:19 +0100)]
Only ignore puppetdb.conf at the root
Peter Palfrader [Mon, 20 Mar 2017 14:17:09 +0000 (14:17 +0000)]
update .gitignore
Peter Palfrader [Mon, 20 Mar 2017 14:15:55 +0000 (14:15 +0000)]
add puppetdb.conf on puppetmaster
Peter Palfrader [Mon, 20 Mar 2017 14:15:29 +0000 (14:15 +0000)]
Do not hardcode "handel" in template - use puppetmaster role instead
Peter Palfrader [Mon, 20 Mar 2017 14:14:33 +0000 (14:14 +0000)]
use puppetdb backend for storeconfigs
Martin Zobel-Helas [Mon, 20 Mar 2017 13:37:05 +0000 (14:37 +0100)]
update puppet.conf.erb
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Peter Palfrader [Mon, 20 Mar 2017 09:25:49 +0000 (10:25 +0100)]
run puppet every 2 instead of every 4 hours
Peter Palfrader [Mon, 20 Mar 2017 09:11:23 +0000 (10:11 +0100)]
samhain ignore /etc/cron.d/puppet-nagios-wraps
Peter Palfrader [Mon, 20 Mar 2017 09:00:00 +0000 (10:00 +0100)]
Add nagios puppet check out of cron
Tollef Fog Heen [Sun, 19 Mar 2017 13:11:05 +0000 (14:11 +0100)]
Prefix variables with the right sigil
Tollef Fog Heen [Sun, 19 Mar 2017 13:09:34 +0000 (14:09 +0100)]
Use underscores rather than hyphens for class names
Aurelien Jarno [Sun, 19 Mar 2017 12:49:25 +0000 (13:49 +0100)]
Fix bconsole.conf template
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Martin Zobel-Helas [Sun, 19 Mar 2017 12:47:02 +0000 (13:47 +0100)]
Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet
* 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet:
Fix bacula-dir.conf template
Drop dead bits in ftp_upload
Fix portforwarder inetd config for new puppet
Martin Zobel-Helas [Sun, 19 Mar 2017 12:46:35 +0000 (13:46 +0100)]
fix syntax in modules/named/templates/named.conf.puppet-shared-keys.erb
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>