Peter Palfrader [Fri, 23 Feb 2018 23:11:22 +0000 (00:11 +0100)]
bacula: remove obsolete pools
Peter Palfrader [Fri, 23 Feb 2018 22:00:47 +0000 (23:00 +0100)]
Redirect all of *.pages to https (re: RT#7072)
Julien Cristau [Fri, 23 Feb 2018 15:21:06 +0000 (16:21 +0100)]
mirror-health: set User-Agent http header
Julien Cristau [Fri, 23 Feb 2018 15:06:26 +0000 (16:06 +0100)]
Revert "Make security -> security-cdn redirect global, not just for the linux package"
I need to update the mirror health check to account for this.
This reverts commit d8b6b760a99f36fc6bf6088b8e998c1d67d46ab6.
Julien Cristau [Fri, 23 Feb 2018 14:58:23 +0000 (15:58 +0100)]
Make security -> security-cdn redirect global, not just for the linux package
Aurelien Jarno [Thu, 22 Feb 2018 22:24:26 +0000 (23:24 +0100)]
Drop security-cdn.d.o on stretch
Now that security.d.o has a SRV record basically pointing to
security-cdn.d.o, there is no point to have both in the sources.list
for stretch hosts.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Thu, 22 Feb 2018 22:04:10 +0000 (23:04 +0100)]
storace also makes ACPI noises about power_meter
Martin Zobel-Helas [Wed, 21 Feb 2018 21:32:39 +0000 (22:32 +0100)]
we do not need to backup clamav-unofficial-sigs files
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Wed, 21 Feb 2018 21:05:21 +0000 (22:05 +0100)]
push empty /var/lib/varnish/.nobackup
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Julien Cristau [Wed, 21 Feb 2018 08:13:57 +0000 (09:13 +0100)]
mirror-conova also does lots of ACPI power-meter dmesg noise
Aurelien Jarno [Mon, 19 Feb 2018 18:56:52 +0000 (19:56 +0100)]
Decommission mirror-bytemark
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Mon, 19 Feb 2018 10:03:51 +0000 (11:03 +0100)]
Fix check url for security mirror health
It's still not ideal because an oldstable-only update won't be picked
up, but at least it exists.
Julien Cristau [Sun, 18 Feb 2018 12:27:05 +0000 (13:27 +0100)]
Run dsa-check-openmanage on schumann and wieck
Julien Cristau [Sat, 17 Feb 2018 14:41:19 +0000 (15:41 +0100)]
mirror-bytemark no longer a fastly backend for /debian/
Julien Cristau [Sat, 17 Feb 2018 09:18:43 +0000 (10:18 +0100)]
make schumann a fastly backend for security
Aurelien Jarno [Fri, 16 Feb 2018 20:23:25 +0000 (21:23 +0100)]
Remove /srv/ftp.root from security mirrors
They do not serve FTP anymore so the archive can be located directly
in /srv/mirrors/debian-security like for other archive.
Do not create the /srv/mirrors/debian-security, as it might still be a
symlink, and ftpsync will create it. This actually matches what is done
for the other archive.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Fri, 16 Feb 2018 20:07:56 +0000 (21:07 +0100)]
Serve security mirrors from /srv/mirrors/debian-security
In preparation for the /srv/ftp.root removal
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Fri, 16 Feb 2018 08:27:23 +0000 (09:27 +0100)]
Import facts from schumann
Aurelien Jarno [Thu, 15 Feb 2018 19:33:24 +0000 (20:33 +0100)]
Drop m68k@buildd.debian.org -> m68k-build@nocrew.org rewrite
I have no idea why this is done, but we don't want that.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Thu, 15 Feb 2018 16:34:05 +0000 (17:34 +0100)]
Add schumann to the security_mirror role
Martin Zobel-Helas [Thu, 15 Feb 2018 07:40:55 +0000 (08:40 +0100)]
Merge remote-tracking branch 'zobel-salsa/zobel-salsa'
Martin Zobel-Helas [Thu, 15 Feb 2018 07:39:47 +0000 (08:39 +0100)]
Merge branch 'zobel-salsa'
Julien Cristau [Thu, 15 Feb 2018 07:25:24 +0000 (08:25 +0100)]
Remove lobos from fastly security backends for now
We want to see how it does with 2 dedicated backends (villa and wieck).
Aurelien Jarno [Thu, 15 Feb 2018 07:11:16 +0000 (08:11 +0100)]
dupload.conf: fix a thinko in the security upload hostname
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Wed, 14 Feb 2018 18:23:21 +0000 (19:23 +0100)]
buildd: do security uploads using SSH
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Wed, 14 Feb 2018 16:33:17 +0000 (17:33 +0100)]
rsync-ssh-wrap: force the permissions of uploaded files
dupload calls rsync with -p, causing the uploaded files to be world
readable, despite the ACL of the upload directory (see bug#876900).
This is an issue for security uploads.
This has been fixed in sid, but not yet in stretch. In the meantime
force the permissions to 0640 at the wrapper level.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Wed, 14 Feb 2018 11:49:38 +0000 (12:49 +0100)]
planet-d.o: fix a thinko in my previous commit
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Wed, 14 Feb 2018 11:43:27 +0000 (12:43 +0100)]
planet-d.o: only allow access from localhost and local IP
This way it's possible to access planet-master.d.o using SSH as a socks
proxy. It requires connecting to planet-master.d.o aka philp.d.o instead
of any debian machine.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 13:33:55 +0000 (14:33 +0100)]
99builddsourceslist: access the security archive using https
Let's try again!
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Wed, 14 Feb 2018 09:52:25 +0000 (10:52 +0100)]
lintian.d.o: fix deflate output filter
It appears that AddOutputFilterByType options also apply to the
subdirectories. However this directive overwrites the default value or
the one defined in the parent directory.
Therefore we only want to add this directive to the root directory and
with all the mime types.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Martin Zobel-Helas [Tue, 13 Feb 2018 21:50:36 +0000 (22:50 +0100)]
Merge remote-tracking branch 'waldi-salsa/godard-apache' into HEAD
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Tue, 13 Feb 2018 21:37:55 +0000 (22:37 +0100)]
Mock more certificates
Martin Zobel-Helas [Fri, 9 Feb 2018 17:18:36 +0000 (18:18 +0100)]
RT#7092: Apache on godard adds an additional X-Xss-Protection
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Tue, 13 Feb 2018 19:45:51 +0000 (20:45 +0100)]
Import facts from godard
Martin Zobel-Helas [Sat, 10 Feb 2018 08:47:33 +0000 (09:47 +0100)]
octocatalog: add dummy file for LE service certs
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Tue, 13 Feb 2018 21:09:51 +0000 (22:09 +0100)]
Mock ldapinfo during octocatalog runs
Aurelien Jarno [Tue, 13 Feb 2018 21:18:25 +0000 (22:18 +0100)]
Merge branch 'lintian.d.o-tweaks' of https://salsa.debian.org/nthykier/dsa-puppet
Aurelien Jarno [Tue, 13 Feb 2018 21:16:29 +0000 (22:16 +0100)]
static_mirror: enable deflate and filter modules
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 20:30:52 +0000 (21:30 +0100)]
Install ca-certificates in the buildd chroots
This is needed in addition to apt-transport-https.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Niels Thykier [Tue, 13 Feb 2018 19:25:41 +0000 (19:25 +0000)]
lintian.d.o: Move svg compression to the resources directory
It does not appear to propagate on its own, so move it from the root
to the "resources" directory section. There are no SVG images outside
that directory anyway.
Signed-off-by: Niels Thykier <niels@thykier.net>
Niels Thykier [Tue, 13 Feb 2018 19:25:02 +0000 (19:25 +0000)]
lintian.d.o: Remove redundant + incorrect IfModule mod_userdir
Signed-off-by: Niels Thykier <niels@thykier.net>
Aurelien Jarno [Tue, 13 Feb 2018 14:17:33 +0000 (15:17 +0100)]
Revert "99builddsourceslist: access the security archive using https"
This reverts commit f77a22de23c38230527be61375482971dea55fef.
This doesn't work, we also need ca-certificate in the chroot :-(
Aurelien Jarno [Tue, 13 Feb 2018 13:33:55 +0000 (14:33 +0100)]
99builddsourceslist: access the security archive using https
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 11:54:26 +0000 (12:54 +0100)]
Fully retire spontini.d.o
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 11:11:22 +0000 (12:11 +0100)]
Also drop security anycast-test mirrors
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Peter Palfrader [Tue, 13 Feb 2018 10:26:15 +0000 (11:26 +0100)]
snapshot storage nodes want the toolchain to build the snapshot fsck utility
Aurelien Jarno [Tue, 13 Feb 2018 09:30:53 +0000 (10:30 +0100)]
setup-dchroot: fix a typo
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 08:54:39 +0000 (09:54 +0100)]
Install apt-transport-https in the buildd chroots
This will be used to access the security archive in a more private way.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 08:44:03 +0000 (09:44 +0100)]
Drop anycast-test mirrors from apt
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 08:15:10 +0000 (09:15 +0100)]
More kfreebsd removal
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 07:47:40 +0000 (08:47 +0100)]
setup-all-dchroots: get rid of kfreebsd and ppc64
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Peter Palfrader [Sun, 11 Feb 2018 10:20:27 +0000 (11:20 +0100)]
nagios: use dsa-check-systemd-services instead of systemctl is-system-running
Peter Palfrader [Sun, 11 Feb 2018 10:02:25 +0000 (11:02 +0100)]
Also systemctl reset-failed failed session-nnn.scope
Peter Palfrader [Sun, 11 Feb 2018 09:58:08 +0000 (10:58 +0100)]
Move failed rsync cleanup into systemd module
Martin Zobel-Helas [Sat, 10 Feb 2018 08:47:33 +0000 (09:47 +0100)]
octocatalog: add dummy file for LE service certs
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Sat, 10 Feb 2018 08:42:16 +0000 (09:42 +0100)]
Merge remote-tracking branch 'origin/master' into zobel-salsa
Julien Cristau [Sat, 10 Feb 2018 07:59:40 +0000 (08:59 +0100)]
Fixup local-mirror.cdbuilder sites-enabled symlink name
Julien Cristau [Sat, 10 Feb 2018 07:58:52 +0000 (08:58 +0100)]
Add {deb,security}.d.o aliases to local-mirror.cdbuilder
Peter Palfrader [Fri, 9 Feb 2018 20:23:28 +0000 (21:23 +0100)]
use ttyS1 for the serial console on casulana
Peter Palfrader [Fri, 9 Feb 2018 19:49:14 +0000 (20:49 +0100)]
Get trailing slashes right for aliases
Peter Palfrader [Fri, 9 Feb 2018 19:41:56 +0000 (20:41 +0100)]
First go at cdbuilder local mirror export (re: RT#7101)
Peter Palfrader [Fri, 9 Feb 2018 19:03:17 +0000 (20:03 +0100)]
Add an apache_not_public role where we do not add ferm allow rules and put casulana into it
Peter Palfrader [Fri, 9 Feb 2018 19:00:00 +0000 (20:00 +0100)]
no more experimental_apache (previously cgi-grnet-01, pejacevic, petrova)
Peter Palfrader [Fri, 9 Feb 2018 18:32:09 +0000 (19:32 +0100)]
Add cdbuilder-logs static component (re: RT#7101)
Peter Palfrader [Fri, 9 Feb 2018 18:27:21 +0000 (19:27 +0100)]
Add casulana as a static source for cdbuilder-logs (re: RT#7101)
Martin Zobel-Helas [Fri, 9 Feb 2018 17:25:45 +0000 (18:25 +0100)]
Merge branch 'master' into zobel-salsa
Martin Zobel-Helas [Fri, 9 Feb 2018 17:18:36 +0000 (18:18 +0100)]
RT#7092: Apache on godard adds an additional X-Xss-Protection
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Fri, 9 Feb 2018 13:02:52 +0000 (14:02 +0100)]
Test with Puppet 4.8
Bastian Blank [Fri, 9 Feb 2018 12:58:29 +0000 (13:58 +0100)]
Update facts
Bastian Blank [Fri, 9 Feb 2018 12:49:13 +0000 (13:49 +0100)]
Move nagios stuff
Bastian Blank [Fri, 9 Feb 2018 12:45:03 +0000 (13:45 +0100)]
Move generated cert files to new location
Bastian Blank [Fri, 9 Feb 2018 12:28:28 +0000 (13:28 +0100)]
Update octocatalog job
Bastian Blank [Fri, 9 Feb 2018 13:02:52 +0000 (14:02 +0100)]
Test with Puppet 4.8
Bastian Blank [Fri, 9 Feb 2018 12:58:29 +0000 (13:58 +0100)]
Update facts
Bastian Blank [Fri, 9 Feb 2018 12:49:13 +0000 (13:49 +0100)]
Move nagios stuff
Bastian Blank [Fri, 9 Feb 2018 12:45:03 +0000 (13:45 +0100)]
Move generated cert files to new location
Bastian Blank [Fri, 9 Feb 2018 12:28:28 +0000 (13:28 +0100)]
Update octocatalog job
Peter Palfrader [Fri, 9 Feb 2018 09:19:26 +0000 (10:19 +0100)]
rsync on lw09,lw10
Peter Palfrader [Fri, 9 Feb 2018 08:38:23 +0000 (09:38 +0100)]
update lw autotab
Peter Palfrader [Fri, 9 Feb 2018 08:28:27 +0000 (09:28 +0100)]
update lw autotab
Peter Palfrader [Fri, 9 Feb 2018 08:11:24 +0000 (09:11 +0100)]
do nfs server setup on lw09/lw10
Peter Palfrader [Fri, 9 Feb 2018 08:10:57 +0000 (09:10 +0100)]
no more 10/8 network at leaseweb
Martin Zobel-Helas [Thu, 8 Feb 2018 16:26:48 +0000 (17:26 +0100)]
remove sgran from root keys
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Thu, 8 Feb 2018 16:25:54 +0000 (17:25 +0100)]
remove sgran IP range. he can hop via master if needed
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Thu, 8 Feb 2018 16:24:00 +0000 (17:24 +0100)]
puppet does not have any mail config in /srv/puppet.debian.org/mail
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Peter Palfrader [Thu, 8 Feb 2018 15:09:27 +0000 (16:09 +0100)]
backgrounding does not really work remotely
Peter Palfrader [Thu, 8 Feb 2018 14:47:32 +0000 (15:47 +0100)]
dsa-restart-all-idle-postgres: only restart pg instances that show up in dsa-check-libs
Peter Palfrader [Thu, 8 Feb 2018 14:34:10 +0000 (15:34 +0100)]
dsa-restart-all-idle-postgres: and do not keep fds open
Peter Palfrader [Thu, 8 Feb 2018 14:30:06 +0000 (15:30 +0100)]
dsa-restart-all-idle-postgres: disown background jobs instead of waiting for them
Peter Palfrader [Thu, 8 Feb 2018 12:41:55 +0000 (13:41 +0100)]
in practice make the sleep longer
Peter Palfrader [Thu, 8 Feb 2018 12:39:46 +0000 (13:39 +0100)]
fix filename
Peter Palfrader [Thu, 8 Feb 2018 12:38:53 +0000 (13:38 +0100)]
Add script to restart postgres clusters
Peter Palfrader [Thu, 8 Feb 2018 12:01:00 +0000 (13:01 +0100)]
ignore wb-buildd.more on buildd_master role hosts
Peter Palfrader [Tue, 6 Feb 2018 09:15:04 +0000 (10:15 +0100)]
samhain ignore /etc/ssh/userkeys/buildd-uploader on ssh upload hosts
Julien Cristau [Mon, 5 Feb 2018 16:29:31 +0000 (17:29 +0100)]
Use "restrict" key option for buildd access to upload hosts
Julien Cristau [Mon, 5 Feb 2018 16:28:21 +0000 (17:28 +0100)]
Use "restrict" key option for buildd access to wanna-build
Julien Cristau [Mon, 5 Feb 2018 16:27:10 +0000 (17:27 +0100)]
Use "restrict" key option for storace's da-backup keys
Julien Cristau [Mon, 5 Feb 2018 16:18:50 +0000 (17:18 +0100)]
Use "restrict" key option in debbackup authorized_keys
Julien Cristau [Mon, 5 Feb 2018 15:03:51 +0000 (16:03 +0100)]
Simplify portforwarder authorized_keys options
Replace "no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding" with
"restrict" since all hosts using this module are on stretch with new enough
sshd
Peter Palfrader [Mon, 5 Feb 2018 13:34:57 +0000 (14:34 +0100)]
Put ganeti VMs into their own systemd scope