Peter Palfrader [Sun, 22 Sep 2019 10:32:09 +0000 (12:32 +0200)]
retire mail_port config from local.yaml
Peter Palfrader [Sun, 22 Sep 2019 10:28:42 +0000 (12:28 +0200)]
Merge virtualdomains setup into exim/init
Peter Palfrader [Sun, 22 Sep 2019 10:26:01 +0000 (12:26 +0200)]
move the remaining virtualdomains to the mailrelay class
Peter Palfrader [Sun, 22 Sep 2019 10:22:36 +0000 (12:22 +0200)]
remove manualroute cleanup; it has run everywhere
Peter Palfrader [Sun, 22 Sep 2019 10:15:00 +0000 (12:15 +0200)]
And fix name in manualroute.pp
Peter Palfrader [Sun, 22 Sep 2019 10:10:49 +0000 (12:10 +0200)]
Use correct variable scope in manualroute.pp
Peter Palfrader [Sun, 22 Sep 2019 10:08:43 +0000 (12:08 +0200)]
Move to collected manualroute
Peter Palfrader [Sun, 22 Sep 2019 10:04:57 +0000 (12:04 +0200)]
Register manualroutes from the service class for the three services that had it hardcoded in the exim class; and make a roles::salsa
Peter Palfrader [Sun, 22 Sep 2019 10:04:15 +0000 (12:04 +0200)]
Create an exim::manualroute define
Peter Palfrader [Sun, 22 Sep 2019 09:51:44 +0000 (11:51 +0200)]
Switch to the hiera optional mail_port
Peter Palfrader [Sun, 22 Sep 2019 09:46:44 +0000 (11:46 +0200)]
remove smtp_sources from ferm's me.conf, retire old-style heavy_{exim,postfix} roles
Peter Palfrader [Sun, 22 Sep 2019 09:43:35 +0000 (11:43 +0200)]
Move TLSA for submission port from exim::mx role to the mailrelay role
Peter Palfrader [Sun, 22 Sep 2019 09:42:28 +0000 (11:42 +0200)]
remove default firewall accept to port submission on the MXes
Peter Palfrader [Sun, 22 Sep 2019 09:40:55 +0000 (11:40 +0200)]
Retire debian_org::mail_incoming_port which did the default firewalling for the mail ports
Peter Palfrader [Sun, 22 Sep 2019 09:39:51 +0000 (11:39 +0200)]
Move tlsa setup from mail_incoming_port to mta role
Peter Palfrader [Sun, 22 Sep 2019 09:39:09 +0000 (11:39 +0200)]
Make the manualroute explicitly send to port 25 by default as that simplifies the logic here
Peter Palfrader [Sun, 22 Sep 2019 09:35:31 +0000 (11:35 +0200)]
Try to add firewalling to enable mail satellites to connect to the submission port on the mail relays
Peter Palfrader [Sun, 22 Sep 2019 09:25:40 +0000 (11:25 +0200)]
bugs_master: allow incoming mail to the submission port from the role
Peter Palfrader [Sun, 22 Sep 2019 09:18:09 +0000 (11:18 +0200)]
Have the nagios-server export an smtp-allow rule to the mail satellites
Peter Palfrader [Sun, 22 Sep 2019 09:17:45 +0000 (11:17 +0200)]
Re-tag the store/collect ferm rule for mailrelays to satelliltes from smtp::server::from::mailrelay to smtp::server::to::mail-satellite
Peter Palfrader [Sun, 22 Sep 2019 09:17:13 +0000 (11:17 +0200)]
On non-satellites, allow smtp from the world
Peter Palfrader [Sun, 22 Sep 2019 09:06:05 +0000 (11:06 +0200)]
Fail if we are not an MX and do not have set MX to the mail relays
Peter Palfrader [Sun, 22 Sep 2019 09:01:30 +0000 (11:01 +0200)]
also remove tye from the old heavy-exim role. that should probably be cleaned up next
Peter Palfrader [Sun, 22 Sep 2019 08:53:57 +0000 (10:53 +0200)]
retire i18n.debian.org mail setup
After discussion on #debian-admin, it seems @i18n.debian.org is not used
these days.
As such, remove tye from the heavy-exim roles and remove the virtual
email domain. the mx stuff on tye will be cleaned up manually.
Peter Palfrader [Sun, 22 Sep 2019 08:49:23 +0000 (10:49 +0200)]
Have the www-master role declare its exim virtualdomain
Peter Palfrader [Sun, 22 Sep 2019 08:46:29 +0000 (10:46 +0200)]
Have the rt role declare its exim virtualdomain
Peter Palfrader [Sun, 22 Sep 2019 08:22:35 +0000 (10:22 +0200)]
Quantz should have the packagesqamaster role
It already did, but that was lost a few days ago in
4dcb0bb6ab00da402d5939588bf5793a917f8b02 when we introduced the
dedicated manifest for the role.
Peter Palfrader [Sun, 22 Sep 2019 08:18:19 +0000 (10:18 +0200)]
Have the qa and packages.qa roles declare their exim virtualdomain
Peter Palfrader [Sun, 22 Sep 2019 08:14:58 +0000 (10:14 +0200)]
Have the popcon role declare its exim virtualdomain
Peter Palfrader [Sun, 22 Sep 2019 08:13:20 +0000 (10:13 +0200)]
note that there is role specific exim config for bugs and packages
Peter Palfrader [Sun, 22 Sep 2019 08:11:20 +0000 (10:11 +0200)]
Have the packages role declare its exim virtualdomain; changing group from Debian to pkg_maint
Peter Palfrader [Sun, 22 Sep 2019 08:06:53 +0000 (10:06 +0200)]
Have the nm role declare its exim virtualdomain
Peter Palfrader [Sun, 22 Sep 2019 08:05:08 +0000 (10:05 +0200)]
Have the buildd_master role declare its exim virtualdomain
Peter Palfrader [Sun, 22 Sep 2019 08:02:46 +0000 (10:02 +0200)]
Have the dbmaster role declare its exim virtualdomain
Peter Palfrader [Sun, 22 Sep 2019 07:59:47 +0000 (09:59 +0200)]
Have the bugs_master role declare its exim virtualdomain
Peter Palfrader [Sun, 22 Sep 2019 07:57:55 +0000 (09:57 +0200)]
vdomain: do not create and/or mess with the modes of basedir
Peter Palfrader [Sun, 22 Sep 2019 07:53:43 +0000 (09:53 +0200)]
Have the tracker role declare its exim virtualdomain
Peter Palfrader [Sun, 22 Sep 2019 07:51:06 +0000 (09:51 +0200)]
Have the vote role declare its exim virtualdomain
Peter Palfrader [Sun, 22 Sep 2019 07:44:14 +0000 (09:44 +0200)]
Document exim::vdomain, make files ownable by somebody other than root, retire alias_file parameter
Peter Palfrader [Sun, 22 Sep 2019 07:43:53 +0000 (09:43 +0200)]
Document exim::vdomain, make files ownable by somebody other than root, retire alias_file parameter
Peter Palfrader [Sun, 22 Sep 2019 07:17:35 +0000 (09:17 +0200)]
Disable manualroute-new and prepare for collecting the new file as manualroute
Peter Palfrader [Sun, 22 Sep 2019 07:15:09 +0000 (09:15 +0200)]
Fix mail_port for zani
Peter Palfrader [Sat, 21 Sep 2019 22:27:05 +0000 (00:27 +0200)]
most of the mta firewalling is not exim specific
Peter Palfrader [Sat, 21 Sep 2019 22:23:58 +0000 (00:23 +0200)]
Set port to 25 explicitly instead of undef if we do not have it overwritten for this host
Peter Palfrader [Sat, 21 Sep 2019 22:21:05 +0000 (00:21 +0200)]
On hosts that get mail via mailrelays, try to collect the ferm rule that will allow access
Peter Palfrader [Sat, 21 Sep 2019 22:15:33 +0000 (00:15 +0200)]
Even heavy_exim hosts can get their system mail from relays
Peter Palfrader [Sat, 21 Sep 2019 22:07:20 +0000 (00:07 +0200)]
mxRecord is actually an array called mXRecord
Peter Palfrader [Sat, 21 Sep 2019 21:56:08 +0000 (23:56 +0200)]
Try to make the manualroute on the mailrelays using a store/collect pattern
Peter Palfrader [Sat, 21 Sep 2019 21:43:06 +0000 (23:43 +0200)]
split out some exim::mx config into a new exim::mailrelay
Peter Palfrader [Sat, 21 Sep 2019 21:40:54 +0000 (23:40 +0200)]
Add a todo item
Peter Palfrader [Sat, 21 Sep 2019 21:40:43 +0000 (23:40 +0200)]
remove redundance include
Peter Palfrader [Sat, 21 Sep 2019 19:12:37 +0000 (21:12 +0200)]
pass is_mailrelay through exim::mx
Peter Palfrader [Sat, 21 Sep 2019 19:10:55 +0000 (21:10 +0200)]
set exim::is_mailrelay on the mail relays
Peter Palfrader [Sat, 21 Sep 2019 18:33:25 +0000 (20:33 +0200)]
Try to make mail_port really optional
Peter Palfrader [Sat, 21 Sep 2019 18:31:14 +0000 (20:31 +0200)]
Add mail_port to hiera and the exim class. not yet used
Aurelien Jarno [Sat, 21 Sep 2019 18:26:14 +0000 (20:26 +0200)]
prefix pinel volumes with OLD-
Peter Palfrader [Sat, 21 Sep 2019 17:52:07 +0000 (19:52 +0200)]
Also move master.d.o hiera data
Peter Palfrader [Sat, 21 Sep 2019 17:18:32 +0000 (19:18 +0200)]
switch postfix smarthost config to classparams
Peter Palfrader [Sat, 21 Sep 2019 17:17:31 +0000 (19:17 +0200)]
reorder params
Peter Palfrader [Sat, 21 Sep 2019 17:10:52 +0000 (19:10 +0200)]
Merge branch 'mtatest'
* mtatest:
Make an explicit use_smarthost setting
Consider the empty string as no smarthost
Setting to undef does not clear the hiera default :(
undef is the value, Undef the type
eximconf: drop bad quoting
the class to include is roles::mta, not mta
move exim vs. postfix, heavy vs. not, into hiera
Peter Palfrader [Sat, 21 Sep 2019 17:09:31 +0000 (19:09 +0200)]
Make an explicit use_smarthost setting
Peter Palfrader [Sat, 21 Sep 2019 17:06:27 +0000 (19:06 +0200)]
Consider the empty string as no smarthost
Peter Palfrader [Sat, 21 Sep 2019 17:05:06 +0000 (19:05 +0200)]
Setting to undef does not clear the hiera default :(
Peter Palfrader [Sat, 21 Sep 2019 17:03:48 +0000 (19:03 +0200)]
undef is the value, Undef the type
Peter Palfrader [Sat, 21 Sep 2019 17:02:33 +0000 (19:02 +0200)]
eximconf: drop bad quoting
Peter Palfrader [Sat, 21 Sep 2019 16:45:53 +0000 (18:45 +0200)]
the class to include is roles::mta, not mta
Peter Palfrader [Sat, 21 Sep 2019 16:40:18 +0000 (18:40 +0200)]
move exim vs. postfix, heavy vs. not, into hiera
Peter Palfrader [Sat, 21 Sep 2019 16:58:24 +0000 (18:58 +0200)]
Try to move to hiera5
Peter Palfrader [Sat, 21 Sep 2019 16:48:14 +0000 (18:48 +0200)]
move hiera.yaml into repo root
Aurelien Jarno [Sat, 21 Sep 2019 16:32:31 +0000 (18:32 +0200)]
Drop ftp.ports.debian.org from klecker
also move roles::ports_mirror::onion_service to new-klecker
Aurelien Jarno [Sat, 21 Sep 2019 16:30:05 +0000 (18:30 +0200)]
autofs: pinel is now at ubc
Peter Palfrader [Sat, 21 Sep 2019 16:26:10 +0000 (18:26 +0200)]
eximconf.erb: spell smarthost_port better
Peter Palfrader [Sat, 21 Sep 2019 16:24:24 +0000 (18:24 +0200)]
eximconf.erb: we want linebreaks after these variable includes
Peter Palfrader [Sat, 21 Sep 2019 16:23:07 +0000 (18:23 +0200)]
And fix the smarthost template somewhat
Peter Palfrader [Sat, 21 Sep 2019 16:18:59 +0000 (18:18 +0200)]
Remove smarthost_port from nodeinfo
Peter Palfrader [Sat, 21 Sep 2019 15:58:45 +0000 (17:58 +0200)]
All these files that we ignore on heavy exim hosts have not changed in the last 4+ years on the hosts I checked; stop ignoring them
Peter Palfrader [Sat, 21 Sep 2019 15:34:24 +0000 (17:34 +0200)]
Have the mailrelays store a firewall rule to allow incoming smtp on the other hosts
Julien Cristau [Sat, 21 Sep 2019 14:56:13 +0000 (16:56 +0200)]
prefix dinis volumes at bm with OLD-
Julien Cristau [Sat, 21 Sep 2019 14:08:56 +0000 (16:08 +0200)]
dinis is now at manda
Aurelien Jarno [Sat, 21 Sep 2019 13:44:12 +0000 (15:44 +0200)]
prefix lindsay volumes with OLD-
Aurelien Jarno [Sat, 21 Sep 2019 13:25:07 +0000 (15:25 +0200)]
static: change lintian.debian.org master to static-master-ubc-01.d.o
Aurelien Jarno [Sat, 21 Sep 2019 12:36:50 +0000 (14:36 +0200)]
autofs: lindsay is now at ubc
Julien Cristau [Sat, 21 Sep 2019 13:05:53 +0000 (15:05 +0200)]
add postgresql-manda-01
Peter Palfrader [Sat, 21 Sep 2019 11:30:39 +0000 (13:30 +0200)]
remove old-style ssh firewalling setup for mirrors/syncproxies
Aurelien Jarno [Sat, 21 Sep 2019 11:32:57 +0000 (13:32 +0200)]
Add lindsay and pinel volumes at ubc
Peter Palfrader [Sat, 21 Sep 2019 11:18:32 +0000 (13:18 +0200)]
let ports mirrors get triggered from syncproxies
Peter Palfrader [Sat, 21 Sep 2019 11:15:51 +0000 (13:15 +0200)]
move syncproxy config into hiera
also, syncproxies ssh from their configured IP address.
Further, drop klecker from syncproxy role (that job is moving to smit).
Peter Palfrader [Sat, 21 Sep 2019 10:43:31 +0000 (12:43 +0200)]
mirror ssh firewalling setup from ferm/templates/me.conf.erb with roles
In particular:
debian mirrors can be accessed from syncproxies
debug mirrors can be accessed from ftp-master
historical mirrors can be accessed from historical-master
security mirrors can be accessed from security-master
And from the previous commits:
syncproxies can be accessed from syncproxies, ftp-master, ports-master, and security-master
Peter Palfrader [Sat, 21 Sep 2019 10:39:32 +0000 (12:39 +0200)]
Add a minimal historical_master (archive.debian.org-master) role.
The master does not have any special rsync config that is not also
preesnt on the mirrors (and currently the historical master also is a
historical mirror).
Peter Palfrader [Sat, 21 Sep 2019 10:35:09 +0000 (12:35 +0200)]
So now we have ssh::server::from and ssh::server::to, hopefully making it more clear
Peter Palfrader [Sat, 21 Sep 2019 10:33:45 +0000 (12:33 +0200)]
I am still unsure how to do tags properly
Peter Palfrader [Sat, 21 Sep 2019 10:31:28 +0000 (12:31 +0200)]
whitespace/quoting: modules/roles/manifests/*mirror (make lint happy)
Peter Palfrader [Sat, 21 Sep 2019 10:26:20 +0000 (12:26 +0200)]
minor naming fixes
Peter Palfrader [Sat, 21 Sep 2019 10:24:22 +0000 (12:24 +0200)]
on ftp, ports, and security-master: store ssh allows to be collected on the syncproxies
Peter Palfrader [Sat, 21 Sep 2019 10:22:50 +0000 (12:22 +0200)]
whitespace/quoting: modules/roles/manifests/{ftp_master,security_master} (make lint happy)
Peter Palfrader [Sat, 21 Sep 2019 10:21:37 +0000 (12:21 +0200)]
syncproxy ssh firewalling
Aurelien Jarno [Sat, 21 Sep 2019 10:22:31 +0000 (12:22 +0200)]
Drop OLD-picconi volumes from multipath-bm.conf
They do not exist anymore on the MSA
Aurelien Jarno [Sat, 21 Sep 2019 10:20:27 +0000 (12:20 +0200)]
Rename unused volume on the bytemark MSA
The name matches the one of the MSA. They need to be zeroed at some
point, but we want to postpone that once the VM have been moved out of
bytemark.
Peter Palfrader [Sat, 21 Sep 2019 10:18:54 +0000 (12:18 +0200)]
Make ssh allow tag specific to the target (archvsync role in this case)
Peter Palfrader [Sat, 21 Sep 2019 10:15:49 +0000 (12:15 +0200)]
whitespace/quoting: modules/roles/manifests/syncproxy (make lint happy)