Peter Palfrader [Tue, 10 Sep 2019 17:13:02 +0000 (19:13 +0200)]
Try to make resolv.conf options actual class parameters
Peter Palfrader [Tue, 10 Sep 2019 16:10:56 +0000 (18:10 +0200)]
Use https on deb.debian.org
Peter Palfrader [Tue, 10 Sep 2019 15:05:01 +0000 (17:05 +0200)]
The trick for merge options to work is to use lookup() rather than hiera()
Peter Palfrader [Tue, 10 Sep 2019 14:57:35 +0000 (16:57 +0200)]
temporarily hardcode debian.org and end of searchpaths
Peter Palfrader [Tue, 10 Sep 2019 14:55:26 +0000 (16:55 +0200)]
resolv.conf cleanup, fix 1
Peter Palfrader [Tue, 10 Sep 2019 14:54:41 +0000 (16:54 +0200)]
resolv.conf cleanup
Julien Cristau [Tue, 10 Sep 2019 14:39:14 +0000 (16:39 +0200)]
volumes for manziarly at ubc
Peter Palfrader [Tue, 10 Sep 2019 14:30:54 +0000 (16:30 +0200)]
hoster.yaml: remove obsolete comments
Peter Palfrader [Tue, 10 Sep 2019 14:29:51 +0000 (16:29 +0200)]
remove debian mirrors from hoster.yaml
Peter Palfrader [Tue, 10 Sep 2019 14:28:59 +0000 (16:28 +0200)]
fix hiera lookup call
Peter Palfrader [Tue, 10 Sep 2019 14:25:33 +0000 (16:25 +0200)]
schroot: use hiera debian mirror
Julien Cristau [Tue, 10 Sep 2019 12:17:00 +0000 (14:17 +0200)]
ferm::ftp_conntrack: remove jessie support
Julien Cristau [Tue, 10 Sep 2019 12:16:21 +0000 (14:16 +0200)]
debian_org: remove jessie support
Julien Cristau [Tue, 10 Sep 2019 12:15:18 +0000 (14:15 +0200)]
debian_org::apt: remove jessie support
Peter Palfrader [Tue, 10 Sep 2019 12:12:49 +0000 (14:12 +0200)]
get debian mirror for apt from hiera (not yet doing that for schroot)
Peter Palfrader [Tue, 10 Sep 2019 12:03:52 +0000 (14:03 +0200)]
use correct tag for ssh authkeys @@ferm::rule
Peter Palfrader [Tue, 10 Sep 2019 11:49:52 +0000 (13:49 +0200)]
remove retired hosters: carnet, freenet, helsinki, linaro, ugent, uni-karlsruhe, xs4all
Peter Palfrader [Tue, 10 Sep 2019 11:47:15 +0000 (13:47 +0200)]
hoster: sort alphabetically
Peter Palfrader [Tue, 10 Sep 2019 11:42:00 +0000 (13:42 +0200)]
move hoster hieradata into its own directory
Peter Palfrader [Tue, 10 Sep 2019 11:31:33 +0000 (13:31 +0200)]
Add a comment to hieradata/common.yaml/roles
Peter Palfrader [Tue, 10 Sep 2019 11:27:16 +0000 (13:27 +0200)]
debian_org::apt: Retire some <= Debian8(jessie) codepaths
Peter Palfrader [Tue, 10 Sep 2019 08:10:36 +0000 (10:10 +0200)]
retire rsync snapshot service for lw*
Peter Palfrader [Tue, 10 Sep 2019 08:09:40 +0000 (10:09 +0200)]
rsync::site: remove unused variables, define parameter types
Peter Palfrader [Tue, 10 Sep 2019 08:00:00 +0000 (10:00 +0200)]
move rsync stunnels also to dsa_systemd::socket_service. This should be a nop
Peter Palfrader [Tue, 10 Sep 2019 07:55:59 +0000 (09:55 +0200)]
fix a variable name
Peter Palfrader [Tue, 10 Sep 2019 07:52:48 +0000 (09:52 +0200)]
move rsync service/socket setup into a dsa_systemd::socket_service
Peter Palfrader [Tue, 10 Sep 2019 07:41:26 +0000 (09:41 +0200)]
Remove re-statement of default mode, owner, and group
Peter Palfrader [Tue, 10 Sep 2019 07:37:56 +0000 (09:37 +0200)]
rsync::site cleanup: try to fix ordering when we remove a service
Peter Palfrader [Tue, 10 Sep 2019 07:34:29 +0000 (09:34 +0200)]
rsync::site cleanup: move file and service names into variable
Peter Palfrader [Tue, 10 Sep 2019 07:31:27 +0000 (09:31 +0200)]
rsync::site dependency cleanup, part 1
We define three things: a .service file, a .socket file, and a service.
Previously, the service would require the two files, and the .socket
file would also notify the service. Change that to the service
subscribing to the files, so it gets a) applied after the files, and
b) refreshed if either changes.
This seems cleaner. The net change should be that the service gets
also notified if the .service file changes.
Peter Palfrader [Tue, 10 Sep 2019 07:30:58 +0000 (09:30 +0200)]
Revert "rsync::site dependency cleanup, part 1"
This reverts commit e18adfd6c665a99d3e5cde12b9cac516c39bda6b.
The commit contained unrelated changes. Will re-commit the relevant
ones soon.
Peter Palfrader [Tue, 10 Sep 2019 07:25:51 +0000 (09:25 +0200)]
rsync::site dependency cleanup, part 1
We define three things: a .service file, a .socket file, and a service.
Previously, the service would require the two files, and the .socket
file would also notify the service. Change that to the service
subscribing to the files, so it gets a) applied after the files, and
b) refreshed if either changes.
This seems cleaner. The net change should be that the service gets
also notified if the .service file changes.
Peter Palfrader [Tue, 10 Sep 2019 07:11:57 +0000 (09:11 +0200)]
remove snapshot rsync service on lw* snapshot storage nodes
This service was not published and it's unlikely to be useful in any
sane way these days.
Peter Palfrader [Tue, 10 Sep 2019 07:10:17 +0000 (09:10 +0200)]
rsync::site: typecheck $ensure parameter
Peter Palfrader [Tue, 10 Sep 2019 06:56:54 +0000 (08:56 +0200)]
restrict,pty is a better way to get pty and disable everything else than listing all the current else things now
Peter Palfrader [Mon, 9 Sep 2019 20:35:32 +0000 (22:35 +0200)]
anarcat points out that maybe Optional[String] is better to use here
No idea if it works, but we'll find out eventually
Peter Palfrader [Mon, 9 Sep 2019 20:26:14 +0000 (22:26 +0200)]
the dsa user on the draghi pushes compiled nagios config (nrpe) to the puppet master
Peter Palfrader [Mon, 9 Sep 2019 20:25:00 +0000 (22:25 +0200)]
whitespace change only
Peter Palfrader [Mon, 9 Sep 2019 20:19:20 +0000 (22:19 +0200)]
authorized_key_add: allow undef value for key
Peter Palfrader [Mon, 9 Sep 2019 20:16:39 +0000 (22:16 +0200)]
the letsencrypt user on the dns primary pushes certs to the puppet master
Peter Palfrader [Mon, 9 Sep 2019 20:00:56 +0000 (22:00 +0200)]
roleaccounts: add dsa, letsencrypt
Peter Palfrader [Mon, 9 Sep 2019 20:00:32 +0000 (22:00 +0200)]
roleaccounts: reformat user list
Peter Palfrader [Mon, 9 Sep 2019 14:08:39 +0000 (16:08 +0200)]
no pg on sibelius
Peter Palfrader [Mon, 9 Sep 2019 12:06:02 +0000 (14:06 +0200)]
ganeti-reboot-cluster: describe what it does, and a license
Julien Cristau [Mon, 9 Sep 2019 08:34:44 +0000 (10:34 +0200)]
Don't use versioned pg_basebackup
Use the latest so we know we can pass -X none. -X fetch causes the
debsources backup to fail with a "requested WAL segment has already been
removed" error.
Peter Palfrader [Sun, 8 Sep 2019 19:05:59 +0000 (21:05 +0200)]
Log exit code of make-one-base-backup
Peter Palfrader [Sun, 8 Sep 2019 14:03:04 +0000 (16:03 +0200)]
no longer let thijs run tcpdump on klecker
Peter Palfrader [Sun, 8 Sep 2019 14:01:57 +0000 (16:01 +0200)]
Split out jenkins sudoers entries
Peter Palfrader [Sun, 8 Sep 2019 14:00:36 +0000 (16:00 +0200)]
whitespace change only
Peter Palfrader [Sun, 8 Sep 2019 13:58:19 +0000 (15:58 +0200)]
sudoers: include /etc/sudoers.d/
Peter Palfrader [Sun, 8 Sep 2019 13:57:14 +0000 (15:57 +0200)]
Create and own /etc/sudoers.d
Peter Palfrader [Sun, 8 Sep 2019 13:55:55 +0000 (15:55 +0200)]
Install libpam-pwdfile
Peter Palfrader [Sun, 8 Sep 2019 13:54:58 +0000 (15:54 +0200)]
no longer try release-specific sudoers files
Peter Palfrader [Sun, 8 Sep 2019 13:54:10 +0000 (15:54 +0200)]
sudo: whitespace change only
Peter Palfrader [Sun, 8 Sep 2019 13:53:00 +0000 (15:53 +0200)]
Make jenkins a proper role
Peter Palfrader [Sun, 8 Sep 2019 13:46:52 +0000 (15:46 +0200)]
make a dsa_systemd::linger to enable or disable lingering consistently
Aurelien Jarno [Sun, 8 Sep 2019 13:37:00 +0000 (15:37 +0200)]
Enable lingering for jenkins user for jenkins role
Peter Palfrader [Sun, 8 Sep 2019 13:36:05 +0000 (15:36 +0200)]
ignore old PG on snapshotdb-manda-01 until January. Hopefully we will have upgraded by then
Peter Palfrader [Sun, 8 Sep 2019 11:53:12 +0000 (13:53 +0200)]
switch package{} in bacula::client to ensure_packages
Peter Palfrader [Sun, 8 Sep 2019 11:52:17 +0000 (13:52 +0200)]
switch package{} in bacula::director to ensure_packages
Peter Palfrader [Sun, 8 Sep 2019 11:49:52 +0000 (13:49 +0200)]
minor comments
Peter Palfrader [Sun, 8 Sep 2019 11:42:15 +0000 (13:42 +0200)]
Make all the settings parameters. the (unused) bacula_fd_port from hiera is now bacula::bacula_client_port
Peter Palfrader [Sun, 8 Sep 2019 11:39:24 +0000 (13:39 +0200)]
cleanup old, commented out hiera info
Peter Palfrader [Sun, 8 Sep 2019 11:31:22 +0000 (13:31 +0200)]
bacula director and storage: whitespace change only
Peter Palfrader [Sun, 8 Sep 2019 11:10:05 +0000 (13:10 +0200)]
retire not-bacula-client local.yaml "role"
Peter Palfrader [Sun, 8 Sep 2019 11:08:01 +0000 (13:08 +0200)]
turn buildd into a real role
Peter Palfrader [Sun, 8 Sep 2019 10:52:32 +0000 (12:52 +0200)]
make motd check for no-backups depend on bacula::not_a_client class rather than local.yaml
Peter Palfrader [Sun, 8 Sep 2019 10:50:49 +0000 (12:50 +0200)]
no longer necessary to list porterboxes explicitly in local.yaml not-bacula-client
Peter Palfrader [Sun, 8 Sep 2019 10:50:13 +0000 (12:50 +0200)]
Do not backup porterboxes
Peter Palfrader [Sun, 8 Sep 2019 10:49:55 +0000 (12:49 +0200)]
do bacula backups iff we do not include the bacula::not_a_client class, 2
Peter Palfrader [Sun, 8 Sep 2019 10:48:59 +0000 (12:48 +0200)]
do bacula backups iff we do not include the bacula::not_a_client class
Peter Palfrader [Sun, 8 Sep 2019 10:44:00 +0000 (12:44 +0200)]
bacula::client -- support present/absent
Peter Palfrader [Sun, 8 Sep 2019 10:30:19 +0000 (12:30 +0200)]
fix a spacing in also-used in motd
Peter Palfrader [Sun, 8 Sep 2019 10:30:11 +0000 (12:30 +0200)]
remove porterbox purpose when we add the porterbox blurb to the motd
Peter Palfrader [Sun, 8 Sep 2019 10:28:15 +0000 (12:28 +0200)]
turn porterbox into a real role
Julien Cristau [Sun, 8 Sep 2019 09:43:45 +0000 (11:43 +0200)]
Mask openipmi service on dell hosts
Peter Palfrader [Sun, 8 Sep 2019 08:51:56 +0000 (10:51 +0200)]
Switch the wb-buildd ssh keys to collected snippets
Peter Palfrader [Sun, 8 Sep 2019 08:45:44 +0000 (10:45 +0200)]
roles/manifests/buildd_master: whitespace change only
Peter Palfrader [Sun, 8 Sep 2019 08:44:57 +0000 (10:44 +0200)]
Upgrade some notifies to warnings
Peter Palfrader [Sun, 8 Sep 2019 08:43:23 +0000 (10:43 +0200)]
Remove temporary DC19 rules for roles::sreview
Peter Palfrader [Sun, 8 Sep 2019 08:41:16 +0000 (10:41 +0200)]
Finish migrating to /etc/ssh/puppetkeys/ for exported ssh authkeys
Peter Palfrader [Sun, 8 Sep 2019 08:36:45 +0000 (10:36 +0200)]
Continue migrating to /etc/ssh/puppetkeys/ for exported ssh authkeys
Peter Palfrader [Sun, 8 Sep 2019 08:28:35 +0000 (10:28 +0200)]
Start migrating to /etc/ssh/puppetkeys/ for exported ssh authkeys
Peter Palfrader [Sun, 8 Sep 2019 08:24:41 +0000 (10:24 +0200)]
Make an /etc/ssh/puppetkeys for future use, and have sshd read keys from there already
Peter Palfrader [Sun, 8 Sep 2019 08:17:06 +0000 (10:17 +0200)]
Switch /etc/ssh/userkeys/buildd-uploader to collected snippets
Peter Palfrader [Sun, 8 Sep 2019 08:15:42 +0000 (10:15 +0200)]
roles/manifests/ssh_upload: whitespace change only
Peter Palfrader [Sun, 8 Sep 2019 07:33:56 +0000 (09:33 +0200)]
masters also talk to themselves
Peter Palfrader [Sun, 8 Sep 2019 07:29:00 +0000 (09:29 +0200)]
Only setup ssh in static_source if we are not also a static_master
Peter Palfrader [Sun, 8 Sep 2019 07:21:27 +0000 (09:21 +0200)]
rename a file correctly
Peter Palfrader [Sun, 8 Sep 2019 07:17:15 +0000 (09:17 +0200)]
Attempt to partition staticsync ssh setup
In the old setup, every host that is involved with staticsync can ssh to
every other host.
In this new setup:
- sources can only reach masters (not mirrors),
- mirrors can only reach masters (not sources), and
- masters still can talk to all other sources and mirrors (but not other masters).
Peter Palfrader [Sun, 8 Sep 2019 07:11:05 +0000 (09:11 +0200)]
Move the non-roles static_base and static_srvdir to static/<foo>
Peter Palfrader [Sun, 8 Sep 2019 07:07:57 +0000 (09:07 +0200)]
Allow providing multiple tags to authorized_key_add
Peter Palfrader [Sun, 8 Sep 2019 06:47:06 +0000 (08:47 +0200)]
Of course just restoring the default symlink is not sufficient -- we also have to retire our own
Peter Palfrader [Sun, 8 Sep 2019 06:43:23 +0000 (08:43 +0200)]
Revert "want systemd-timesyncd from multi-user.target"
This reverts commit 443aa81b256b615c55d4fe987a556c663ad4589d.
By default, systemd-timesyncd.service is installed/wanted-by
sysinit.target. We changed that to multi-user.target about three
years ago, but it's not clear why we did that.
Revert to the defaults and see if it blows up. If yes, we have a chance
to find out exactly why we moved it. If not, we have one less thing
that gets messed with at every point release.
Peter Palfrader [Sat, 7 Sep 2019 23:21:27 +0000 (01:21 +0200)]
staticsync requires a pty
Peter Palfrader [Sat, 7 Sep 2019 23:14:37 +0000 (01:14 +0200)]
collect staticsync ssh authkeys
Peter Palfrader [Sat, 7 Sep 2019 23:13:59 +0000 (01:13 +0200)]
base::public_addresses: handle v4 only hosts like fasolo
Peter Palfrader [Sat, 7 Sep 2019 23:08:23 +0000 (01:08 +0200)]
export staticsync ssh keys, but do not yet collect
Peter Palfrader [Sat, 7 Sep 2019 22:54:54 +0000 (00:54 +0200)]
static: whitespace changes and turn double quotes into single quotes if they have no variables to expand
Peter Palfrader [Sat, 7 Sep 2019 22:39:59 +0000 (00:39 +0200)]
store ssh auth key snippets for buildd wb and upload access, but do not collect just yet