Peter Palfrader [Tue, 13 Mar 2018 10:08:13 +0000 (11:08 +0100)]
Try to make dsa-check-hpssacli cron entry setup code easier to read
Peter Palfrader [Mon, 12 Mar 2018 20:27:07 +0000 (21:27 +0100)]
raise warn-age for pg base backups to 11 days
Peter Palfrader [Sun, 11 Mar 2018 08:28:50 +0000 (09:28 +0100)]
There is no ferm-restart Exec to notify
Peter Palfrader [Wed, 7 Mar 2018 10:28:22 +0000 (11:28 +0100)]
postgres-make-base-backups: fix () formatting
Peter Palfrader [Wed, 7 Mar 2018 10:26:53 +0000 (11:26 +0100)]
format days differently
Peter Palfrader [Wed, 7 Mar 2018 10:24:39 +0000 (11:24 +0100)]
postgres-make-base-backups: and print seconds as times
Peter Palfrader [Wed, 7 Mar 2018 10:23:08 +0000 (11:23 +0100)]
postgres-make-base-backups: print more values
Peter Palfrader [Wed, 7 Mar 2018 10:21:59 +0000 (11:21 +0100)]
postgres-make-base-backups: rename variables to make them more obvious
Peter Palfrader [Wed, 7 Mar 2018 10:21:07 +0000 (11:21 +0100)]
postgres-make-base-backups: re-order logic for consistency
Peter Palfrader [Wed, 7 Mar 2018 10:20:03 +0000 (11:20 +0100)]
also print cutoff times
Peter Palfrader [Wed, 7 Mar 2018 10:16:25 +0000 (11:16 +0100)]
Format time deltas in a readable way instead of in seconds
Peter Palfrader [Wed, 7 Mar 2018 07:49:35 +0000 (08:49 +0100)]
Try to escape things differently
Peter Palfrader [Tue, 6 Mar 2018 22:11:42 +0000 (23:11 +0100)]
running every half hour should also suffice easily, with a semicolon
Peter Palfrader [Tue, 6 Mar 2018 22:05:21 +0000 (23:05 +0100)]
running every half hour should also suffice easily
Peter Palfrader [Tue, 6 Mar 2018 22:03:59 +0000 (23:03 +0100)]
postgres-make-base-backups: locks and logs
- get locks for each individual base backup so we do not run parallel ones in the precense of forced runs
- also log to syslog
Peter Palfrader [Tue, 6 Mar 2018 21:14:28 +0000 (22:14 +0100)]
run postgres-make-base-backups every 10 minutes not only on Sunday
Peter Palfrader [Tue, 6 Mar 2018 15:42:21 +0000 (16:42 +0100)]
sane mode for state dir
Peter Palfrader [Tue, 6 Mar 2018 15:40:41 +0000 (16:40 +0100)]
And create state dir for postgres-make-base-backups
Peter Palfrader [Tue, 6 Mar 2018 15:38:51 +0000 (16:38 +0100)]
run base backups spread over time. This also should help us to recover from failures or reboots better
Peter Palfrader [Tue, 6 Mar 2018 15:04:10 +0000 (16:04 +0100)]
Have postgres-make-base-backups use postgres-make-one-base-backup
Peter Palfrader [Tue, 6 Mar 2018 15:01:24 +0000 (16:01 +0100)]
Make a postgres-make-one-base-backup script with the logic from postgres-make-base-backups
Peter Palfrader [Tue, 6 Mar 2018 12:31:38 +0000 (13:31 +0100)]
ferm::conf - include ferm
Peter Palfrader [Tue, 6 Mar 2018 12:30:48 +0000 (13:30 +0100)]
start ferm config with a 00-init and start SSH*SOURCES there
Peter Palfrader [Tue, 6 Mar 2018 12:30:25 +0000 (13:30 +0100)]
ferm::conf - merge with tor version
Peter Palfrader [Fri, 2 Mar 2018 12:27:07 +0000 (13:27 +0100)]
Revert "The debian.ch domain is obsolete"
This reverts commit
4ea1c460a6197c4ab24ad77df64ea15acd6ba797.
Peter Palfrader [Fri, 2 Mar 2018 12:27:00 +0000 (13:27 +0100)]
Revert "Revert "massage log messages""
This reverts commit
0e6a2fddf5f78bc1bdeb2f95cc82e83a1b2e458f.
Peter Palfrader [Fri, 2 Mar 2018 12:25:52 +0000 (13:25 +0100)]
The debconf13.ch domain is obsolete
Peter Palfrader [Fri, 2 Mar 2018 12:25:34 +0000 (13:25 +0100)]
Revert "massage log messages"
This reverts commit
caa87132c4be1e1de8c71dc2a421ca2f0413f583.
Peter Palfrader [Fri, 2 Mar 2018 12:20:03 +0000 (13:20 +0100)]
The debian.ch domain is obsolete
Peter Palfrader [Fri, 2 Mar 2018 10:49:58 +0000 (11:49 +0100)]
massage log messages
Peter Palfrader [Fri, 2 Mar 2018 10:45:15 +0000 (11:45 +0100)]
massage log messages
Peter Palfrader [Fri, 2 Mar 2018 09:34:51 +0000 (10:34 +0100)]
Run our own bacula scheduler from cron
Julien Cristau [Tue, 27 Feb 2018 16:15:07 +0000 (17:15 +0100)]
Update ntp init script to the stretch version (RT#6907)
Bug#802040 was fixed in stretch so we no longer need this.
Julien Cristau [Tue, 27 Feb 2018 10:07:45 +0000 (11:07 +0100)]
Drop alioth zone from named config
Julien Cristau [Mon, 26 Feb 2018 20:46:01 +0000 (21:46 +0100)]
Fix /etc/repro/radius-servers more
Julien Cristau [Mon, 26 Feb 2018 20:43:29 +0000 (21:43 +0100)]
Fix /etc/repro/radius-servers
Julien Cristau [Mon, 26 Feb 2018 20:33:55 +0000 (21:33 +0100)]
Configuration item "hashsize" is deprecated
Julien Cristau [Mon, 26 Feb 2018 20:32:07 +0000 (21:32 +0100)]
Configuration item "allowmultiplekeys" is deprecated
Julien Cristau [Mon, 26 Feb 2018 20:30:41 +0000 (21:30 +0100)]
Configuration item "ignorenislike" is deprecated
Julien Cristau [Mon, 26 Feb 2018 20:28:56 +0000 (21:28 +0100)]
And fixup another path
Julien Cristau [Mon, 26 Feb 2018 20:12:55 +0000 (21:12 +0100)]
Fix path to template
Julien Cristau [Mon, 26 Feb 2018 20:09:25 +0000 (21:09 +0100)]
Disable default freeradius sites I don't think we want
Julien Cristau [Mon, 26 Feb 2018 20:06:07 +0000 (21:06 +0100)]
Attempt to pull in some of the freeradius config from rtc.d.o
Peter Palfrader [Mon, 26 Feb 2018 09:26:52 +0000 (10:26 +0100)]
Also put bacula messages into syslog
Peter Palfrader [Sat, 24 Feb 2018 12:53:16 +0000 (13:53 +0100)]
Disable scheduling for backup jobs in preparation of deploying our own scheduler
Peter Palfrader [Sat, 24 Feb 2018 11:20:35 +0000 (12:20 +0100)]
Only add host to bacula dsa client list if we do backups for it
Peter Palfrader [Sat, 24 Feb 2018 09:18:34 +0000 (10:18 +0100)]
Update (c) year
Peter Palfrader [Sat, 24 Feb 2018 09:16:09 +0000 (10:16 +0100)]
Be more defensive when removing potentially obsolete pools
Peter Palfrader [Sat, 24 Feb 2018 08:59:30 +0000 (09:59 +0100)]
collect backup client list in a plain text file
Peter Palfrader [Fri, 23 Feb 2018 23:11:22 +0000 (00:11 +0100)]
bacula: remove obsolete pools
Peter Palfrader [Fri, 23 Feb 2018 22:00:47 +0000 (23:00 +0100)]
Redirect all of *.pages to https (re: RT#7072)
Julien Cristau [Fri, 23 Feb 2018 15:21:06 +0000 (16:21 +0100)]
mirror-health: set User-Agent http header
Julien Cristau [Fri, 23 Feb 2018 15:06:26 +0000 (16:06 +0100)]
Revert "Make security -> security-cdn redirect global, not just for the linux package"
I need to update the mirror health check to account for this.
This reverts commit
d8b6b760a99f36fc6bf6088b8e998c1d67d46ab6.
Julien Cristau [Fri, 23 Feb 2018 14:58:23 +0000 (15:58 +0100)]
Make security -> security-cdn redirect global, not just for the linux package
Aurelien Jarno [Thu, 22 Feb 2018 22:24:26 +0000 (23:24 +0100)]
Drop security-cdn.d.o on stretch
Now that security.d.o as a SRV record basically pointing to
security-cdn.d.o, there is no point to have both in the sources.list
for stretch hosts.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Thu, 22 Feb 2018 22:04:10 +0000 (23:04 +0100)]
storace also makes ACPI noises about power_meter
Martin Zobel-Helas [Wed, 21 Feb 2018 21:32:39 +0000 (22:32 +0100)]
we do not need to backup clamav-unofficial-sigs files
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Wed, 21 Feb 2018 21:05:21 +0000 (22:05 +0100)]
push empty /var/lib/varnish/.nobackup
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Julien Cristau [Wed, 21 Feb 2018 08:13:57 +0000 (09:13 +0100)]
mirror-conova also does lots of ACPI power-meter dmesg noise
Aurelien Jarno [Mon, 19 Feb 2018 18:56:52 +0000 (19:56 +0100)]
Decommission mirror-bytemark
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Mon, 19 Feb 2018 10:03:51 +0000 (11:03 +0100)]
Fix check url for security mirror health
It's still not ideal because an oldstable-only update won't be picked
up, but at least it exists.
Julien Cristau [Sun, 18 Feb 2018 12:27:05 +0000 (13:27 +0100)]
Run dsa-check-openmanage on schumann and wieck
Julien Cristau [Sat, 17 Feb 2018 14:41:19 +0000 (15:41 +0100)]
mirror-bytemark no longer a fastly backend for /debian/
Julien Cristau [Sat, 17 Feb 2018 09:18:43 +0000 (10:18 +0100)]
make schumann a fastly backend for security
Aurelien Jarno [Fri, 16 Feb 2018 20:23:25 +0000 (21:23 +0100)]
Remove /srv/ftp.root from security mirrors
They do not serve FTP anymore so the archive can be located directly
in /srv/mirrors/debian-security like for other archive.
Do not create the /srv/mirrors/debian-security, as it might still be a
symlink, and ftpsync will create it. This actually matches what is done
for the other archive.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Fri, 16 Feb 2018 20:07:56 +0000 (21:07 +0100)]
Serve security mirrors from /srv/mirrors/debian-security
In preparation for the /srv/ftp.root removal
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Fri, 16 Feb 2018 08:27:23 +0000 (09:27 +0100)]
Import facts from schumann
Aurelien Jarno [Thu, 15 Feb 2018 19:33:24 +0000 (20:33 +0100)]
Drop m68k@buildd.debian.org -> m68k-build@nocrew.org rewrite
I have no idea why this is done, but we don't want that.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Thu, 15 Feb 2018 16:34:05 +0000 (17:34 +0100)]
Add schumann to the security_mirror role
Martin Zobel-Helas [Thu, 15 Feb 2018 07:40:55 +0000 (08:40 +0100)]
Merge remote-tracking branch 'zobel-salsa/zobel-salsa'
Martin Zobel-Helas [Thu, 15 Feb 2018 07:39:47 +0000 (08:39 +0100)]
Merge branch 'zobel-salsa'
Julien Cristau [Thu, 15 Feb 2018 07:25:24 +0000 (08:25 +0100)]
Remove lobos from fastly security backends for now
We want to see how it does with 2 dedicated backends (villa and wieck).
Aurelien Jarno [Thu, 15 Feb 2018 07:11:16 +0000 (08:11 +0100)]
dupload.conf: fix a thinko in the security upload hostname
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Wed, 14 Feb 2018 18:23:21 +0000 (19:23 +0100)]
buildd: do security uploads using SSH
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Wed, 14 Feb 2018 16:33:17 +0000 (17:33 +0100)]
rsync-ssh-wrap: force the permissions of uploaded files
dupload calls rsync with -p, causing the uploaded files to be world
readable, despite the ACL of the upload directory (see bug#876900).
This is an issue for security uploads.
This has been fixed in sid, but not yet in stretch. In the meantime
force the permissions to 0640 at the wrapper level.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Wed, 14 Feb 2018 11:49:38 +0000 (12:49 +0100)]
planet-d.o: fix a thinko in my previous commit
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Wed, 14 Feb 2018 11:43:27 +0000 (12:43 +0100)]
planet-d.o: only allow access from localhost and local IP
This way it's possible to access planet-master.d.o using SSH as a socks
proxy. It requires to connect to planet-master.d.o aka philp.d.o instead
of any debian machine.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 13:33:55 +0000 (14:33 +0100)]
99builddsourceslist: access the security archive using https
Let's try again!
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Wed, 14 Feb 2018 09:52:25 +0000 (10:52 +0100)]
lintian.d.o: fix deflate output filter
It appears that AddOutputFilterByType options also apply to the
subdirectories. However this directive overwrites the default value or
the one defined in the parent directory.
Therefore we only want to add this directive to the root directory and
with all the mime types.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Martin Zobel-Helas [Tue, 13 Feb 2018 21:50:36 +0000 (22:50 +0100)]
Merge remote-tracking branch 'waldi-salsa/godard-apache' into HEAD
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Tue, 13 Feb 2018 21:37:55 +0000 (22:37 +0100)]
Mock more certificates
Martin Zobel-Helas [Fri, 9 Feb 2018 17:18:36 +0000 (18:18 +0100)]
RT#7092: Apache on godard adds an additional X-Xss-Protection
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Tue, 13 Feb 2018 19:45:51 +0000 (20:45 +0100)]
Import facts from godard
Martin Zobel-Helas [Sat, 10 Feb 2018 08:47:33 +0000 (09:47 +0100)]
octocatalog: add dummy file for LE service certs
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Tue, 13 Feb 2018 21:09:51 +0000 (22:09 +0100)]
Mock ldapinfo during octocatalog runs
Aurelien Jarno [Tue, 13 Feb 2018 21:18:25 +0000 (22:18 +0100)]
Merge branch 'lintian.d.o-tweaks' of https://salsa.debian.org/nthykier/dsa-puppet
Aurelien Jarno [Tue, 13 Feb 2018 21:16:29 +0000 (22:16 +0100)]
static_mirror: enable deflate and filter modules
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 20:30:52 +0000 (21:30 +0100)]
Install ca-certificates in the buildd chroots
This is need in addition of apt-transport-https.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Niels Thykier [Tue, 13 Feb 2018 19:25:41 +0000 (19:25 +0000)]
lintian.d.o: Move svg compression to the resources directory
It does not appear to propogate on its own, so move it from the root
to the "resources" directory section. There are no SVG images outside
that directory anyway.
Signed-off-by: Niels Thykier <niels@thykier.net>
Niels Thykier [Tue, 13 Feb 2018 19:25:02 +0000 (19:25 +0000)]
lintian.d.o: Remove redundant + incorrect IfModule mod_userdir
Signed-off-by: Niels Thykier <niels@thykier.net>
Aurelien Jarno [Tue, 13 Feb 2018 14:17:33 +0000 (15:17 +0100)]
Revert "99builddsourceslist: access the security archive using https"
This reverts commit
f77a22de23c38230527be61375482971dea55fef.
This doesn't work, we also need ca-certificate in the chroot :-(
Aurelien Jarno [Tue, 13 Feb 2018 13:33:55 +0000 (14:33 +0100)]
99builddsourceslist: access the security archive using https
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 11:54:26 +0000 (12:54 +0100)]
Fully retire spontini.d.o
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 11:11:22 +0000 (12:11 +0100)]
Also drop security anycast-test mirrors
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Peter Palfrader [Tue, 13 Feb 2018 10:26:15 +0000 (11:26 +0100)]
snapshot storage nodes want the toolchain to build the snapshot fsck utility
Aurelien Jarno [Tue, 13 Feb 2018 09:30:53 +0000 (10:30 +0100)]
setup-dchroot: fix a typo
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 08:54:39 +0000 (09:54 +0100)]
Install apt-transport-https in the buildd chroots
This will be used to access the security archive in a more private way.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 08:44:03 +0000 (09:44 +0100)]
Drop anycast-test mirrors from apt
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 08:15:10 +0000 (09:15 +0100)]
More kfreebsd removal
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 13 Feb 2018 07:47:40 +0000 (08:47 +0100)]
setup-all-dchroots: get rid of kfreebsd and ppc64
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>