Julien Cristau [Mon, 7 Oct 2019 15:53:27 +0000 (17:53 +0200)]
autofs: add debian-buildd at ubc (RT#7993)
Julien Cristau [Mon, 7 Oct 2019 15:11:35 +0000 (17:11 +0200)]
move coccia to ubc
Peter Palfrader [Mon, 7 Oct 2019 11:12:31 +0000 (13:12 +0200)]
Move has_static_component function to modules/staticsync
Julien Cristau [Mon, 7 Oct 2019 08:41:42 +0000 (10:41 +0200)]
volumes for coccia at ubc
Luca Filipozzi [Mon, 7 Oct 2019 00:39:49 +0000 (17:39 -0700)]
update lfilipoz email address for bacula reports
Adam D. Barratt [Sat, 5 Oct 2019 11:32:33 +0000 (12:32 +0100)]
eximconf: put the escapes in the right places in RT_SUBJECT
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Thu, 3 Oct 2019 18:29:17 +0000 (19:29 +0100)]
eximconf: add explanatory comment for RT_SUBJECT's escaping
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Julien Cristau [Sat, 5 Oct 2019 10:10:42 +0000 (12:10 +0200)]
The nm user also wants lingering
Julien Cristau [Sat, 5 Oct 2019 10:04:42 +0000 (12:04 +0200)]
Enable lingering for the contributors user
Per enrico.
Julien Cristau [Sat, 5 Oct 2019 09:40:54 +0000 (11:40 +0200)]
Add sudo entries for new nm-web, contributors, contributors-web users
Julien Cristau [Fri, 4 Oct 2019 15:10:53 +0000 (17:10 +0200)]
nm.d.o no longer needs access to projectb on bmdb1
Julien Cristau [Fri, 4 Oct 2019 15:01:25 +0000 (17:01 +0200)]
Give nm.d.o access to the ubc projectb replica
Julien Cristau [Fri, 4 Oct 2019 14:16:24 +0000 (16:16 +0200)]
It doesn't look like udd actually uses projectb; remove its guest access
Julien Cristau [Fri, 4 Oct 2019 13:47:55 +0000 (15:47 +0200)]
Use unique names for pg_hba.conf entries
Julien Cristau [Fri, 4 Oct 2019 13:45:40 +0000 (15:45 +0200)]
Fix class name
Julien Cristau [Fri, 4 Oct 2019 13:39:47 +0000 (15:39 +0200)]
give udd access to the projectb copy on danzi
Aurelien Jarno [Thu, 3 Oct 2019 20:55:26 +0000 (22:55 +0200)]
staticsync: let's assume that IPv6 is not worse than IPv4
Adam D. Barratt [Thu, 3 Oct 2019 15:16:45 +0000 (16:16 +0100)]
eximconf: fix escaping in RT_SUBJECT macro
It's included in a double-quoted string, which imposes extra escaping
requirements
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Julien Cristau [Wed, 2 Oct 2019 20:03:15 +0000 (22:03 +0200)]
Turn off accept_ra sysctl everywhere
Julien Cristau [Wed, 2 Oct 2019 20:00:13 +0000 (22:00 +0200)]
Merge branch 'fordsa' of https://git.adam-barratt.org.uk/git/mirror/dsa-puppet
Adam D. Barratt [Wed, 2 Oct 2019 19:54:58 +0000 (20:54 +0100)]
eximconf: more comments
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Wed, 2 Oct 2019 18:54:13 +0000 (19:54 +0100)]
eximconf: reject mail based on SORBS's "no mail" / "no servers" lists
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Wed, 2 Oct 2019 18:21:40 +0000 (19:21 +0100)]
exim/common/rhsbllist: Stop using the obsolete rfc-ignorant.org DNSBLs
See https://web.archive.org/web/20121123184538/http://www.rfc-ignorant.org/endofanera.php
The mantle - and initially the dataset - has been taken over by
rfc-clueless.org. However, their DSN list contains (and it appears
will continue to contain), amongst others, Google, which makes it an
unsuitable choice for "default" role address filtering.
As such, the users of the "bogus MX" list are moved over to the new
domain, and the DSN list is dropped.
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Julien Cristau [Wed, 2 Oct 2019 07:22:12 +0000 (09:22 +0200)]
Fix /etc/exim4/submission-domains generation harder
Julien Cristau [Wed, 2 Oct 2019 07:20:27 +0000 (09:20 +0200)]
Fix /etc/exim4/submission-domains generation
Julien Cristau [Wed, 2 Oct 2019 07:12:12 +0000 (09:12 +0200)]
Merge branch 'fordsa' of https://git.adam-barratt.org.uk/git/mirror/dsa-puppet
Adam D. Barratt [Wed, 2 Oct 2019 07:07:39 +0000 (08:07 +0100)]
Rename exim::submission-domain.pp to drop the "-"
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Tue, 1 Oct 2019 12:59:06 +0000 (13:59 +0100)]
exim blacklist: add more recent offenders
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Tue, 1 Oct 2019 12:55:34 +0000 (13:55 +0100)]
exim: build submission domain list dynamically
and have the bugs_master role declare that it handles bugs.d.o
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Sun, 29 Sep 2019 21:10:26 +0000 (22:10 +0100)]
eximconf: only define RT_SUBJECT on RT master
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Sun, 29 Sep 2019 20:17:05 +0000 (21:17 +0100)]
eximconf: macroise RT Subject header replacement
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Sun, 29 Sep 2019 19:17:54 +0000 (20:17 +0100)]
eximconf: unfold Subject headers before processing in RT routers
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Sun, 29 Sep 2019 19:14:19 +0000 (20:14 +0100)]
exim blacklist: use simpler matches
The regular expression versions are more specific, but don't appear
to want to actually match.
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Sun, 29 Sep 2019 18:16:40 +0000 (19:16 +0100)]
eximconf: use \N rather than double escaping
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Julien Cristau [Tue, 1 Oct 2019 18:16:28 +0000 (20:16 +0200)]
Use ttyS1 on csail-node0[12]
Peter Palfrader [Tue, 1 Oct 2019 13:46:47 +0000 (15:46 +0200)]
upload hosts towards ftp-master need read access to the bm dak replica
Peter Palfrader [Tue, 1 Oct 2019 13:24:17 +0000 (15:24 +0200)]
retire manual firewalling on bmdb1 for dak replica access
Peter Palfrader [Tue, 1 Oct 2019 13:23:30 +0000 (15:23 +0200)]
manage bmdb1/dak pg_hba: fix common.yaml
Peter Palfrader [Tue, 1 Oct 2019 13:19:11 +0000 (15:19 +0200)]
manage bmdb1/dak pg_hba
Julien Cristau [Tue, 1 Oct 2019 12:50:44 +0000 (14:50 +0200)]
prepare for dak replica on danzi
Aurelien Jarno [Mon, 30 Sep 2019 08:17:46 +0000 (10:17 +0200)]
Add a comment about why access to UDD is needed on wuiet
Peter Palfrader [Mon, 30 Sep 2019 08:04:23 +0000 (10:04 +0200)]
add missing new files for pet role
Peter Palfrader [Mon, 30 Sep 2019 08:02:06 +0000 (10:02 +0200)]
manage bmdb1/main pg_hba
Peter Palfrader [Mon, 30 Sep 2019 07:45:45 +0000 (09:45 +0200)]
sort entries
Peter Palfrader [Mon, 30 Sep 2019 06:17:35 +0000 (08:17 +0200)]
Move draghi finger/ldap/ldaps fw into dbmaster role
Peter Palfrader [Mon, 30 Sep 2019 06:16:14 +0000 (08:16 +0200)]
Move gombert infinoted fw into gobby role
Peter Palfrader [Mon, 30 Sep 2019 06:13:43 +0000 (08:13 +0200)]
Move kaufmann keyserver fw into keyring role
Peter Palfrader [Mon, 30 Sep 2019 06:07:51 +0000 (08:07 +0200)]
udd: no ssl needed on localhost
Peter Palfrader [Mon, 30 Sep 2019 06:04:05 +0000 (08:04 +0200)]
buildd/udd: do guest access earlier
Peter Palfrader [Mon, 30 Sep 2019 06:01:51 +0000 (08:01 +0200)]
udd wants guest access on localhost
Peter Palfrader [Mon, 30 Sep 2019 05:59:17 +0000 (07:59 +0200)]
buildd/udd: do guest access earlier
Peter Palfrader [Mon, 30 Sep 2019 05:55:30 +0000 (07:55 +0200)]
manage ullmann/udd pg_hba
Peter Palfrader [Mon, 30 Sep 2019 05:45:08 +0000 (07:45 +0200)]
pg config on ullmann, pt 1
Peter Palfrader [Sun, 29 Sep 2019 20:45:26 +0000 (22:45 +0200)]
manage danzi/wanna-build pg_hba
Peter Palfrader [Sun, 29 Sep 2019 20:30:15 +0000 (22:30 +0200)]
manage danzi/main pg_hba
Peter Palfrader [Sun, 29 Sep 2019 20:23:44 +0000 (22:23 +0200)]
manage danzi/debconf pg_hba
Peter Palfrader [Sun, 29 Sep 2019 20:21:07 +0000 (22:21 +0200)]
fqdn in name
Peter Palfrader [Sun, 29 Sep 2019 20:16:20 +0000 (22:16 +0200)]
manage danzi/tracker pg_hba
Peter Palfrader [Sun, 29 Sep 2019 19:18:13 +0000 (21:18 +0200)]
remove manual firewall allow snapshotdb-manda-01->sallinen
Peter Palfrader [Sun, 29 Sep 2019 19:17:32 +0000 (21:17 +0200)]
fix order of the guest trust on snapshot db (do it before the other localhost entries)
Peter Palfrader [Sun, 29 Sep 2019 19:15:05 +0000 (21:15 +0200)]
manage pg_hba on sallinen
Peter Palfrader [Sun, 29 Sep 2019 19:13:02 +0000 (21:13 +0200)]
put a fqdn in a name in ftp_master_dak_replica
Peter Palfrader [Sun, 29 Sep 2019 19:09:02 +0000 (21:09 +0200)]
roles::snapshot_db: make packages ignore conditional on running on buster
Peter Palfrader [Sun, 29 Sep 2019 19:07:10 +0000 (21:07 +0200)]
remove manual firewall allow leaseweb->snapshotdb-manda-01
Peter Palfrader [Sun, 29 Sep 2019 19:05:50 +0000 (21:05 +0200)]
manage pg_hba on snapshotdb-manda-01
Peter Palfrader [Sun, 29 Sep 2019 18:50:14 +0000 (20:50 +0200)]
manage pg_hba on melartin
Peter Palfrader [Sun, 29 Sep 2019 17:08:09 +0000 (19:08 +0200)]
remove manual firewall allow bmdb1->fasolo
Peter Palfrader [Sun, 29 Sep 2019 17:03:20 +0000 (19:03 +0200)]
unique names
Peter Palfrader [Sun, 29 Sep 2019 17:02:19 +0000 (19:02 +0200)]
Do not require ssl on localhost
Peter Palfrader [Sun, 29 Sep 2019 17:00:45 +0000 (19:00 +0200)]
move localhost guest access in front of catch-all localhost access
Peter Palfrader [Sun, 29 Sep 2019 16:55:44 +0000 (18:55 +0200)]
guest access for dak on ftp-master
Peter Palfrader [Sun, 29 Sep 2019 16:52:11 +0000 (18:52 +0200)]
Fix spelling for a type
Peter Palfrader [Sun, 29 Sep 2019 16:50:17 +0000 (18:50 +0200)]
manage pg_hba on fasolo
Peter Palfrader [Sun, 29 Sep 2019 16:44:38 +0000 (18:44 +0200)]
manage pg_hba on seger
Peter Palfrader [Sun, 29 Sep 2019 16:43:23 +0000 (18:43 +0200)]
manage pg_hba on vittoria
Peter Palfrader [Sun, 29 Sep 2019 16:42:19 +0000 (18:42 +0200)]
Do not enable replication from localhost
Peter Palfrader [Sun, 29 Sep 2019 16:40:11 +0000 (18:40 +0200)]
manage pg_hba on buxtehude
Peter Palfrader [Sun, 29 Sep 2019 14:38:41 +0000 (16:38 +0200)]
auth method trust also wants addresses
Peter Palfrader [Sun, 29 Sep 2019 14:36:38 +0000 (16:36 +0200)]
manage debsources access to its DB on bmdb1
Peter Palfrader [Sun, 29 Sep 2019 14:30:28 +0000 (16:30 +0200)]
Allow us to gradually move a server with multiple clusters to move to managed hba
Peter Palfrader [Sun, 29 Sep 2019 14:24:44 +0000 (16:24 +0200)]
allow the backup hosts to access the salsa pg again
Julien Cristau [Sun, 29 Sep 2019 14:21:12 +0000 (16:21 +0200)]
Merge branch 'fordsa' of https://git.adam-barratt.org.uk/git/mirror/dsa-puppet
Peter Palfrader [Sun, 29 Sep 2019 14:18:20 +0000 (16:18 +0200)]
Variables work better with $
Peter Palfrader [Sun, 29 Sep 2019 14:17:15 +0000 (16:17 +0200)]
fix ferm::rule::chain template
Peter Palfrader [Sun, 29 Sep 2019 14:16:23 +0000 (16:16 +0200)]
We want variable expansion in this one
Peter Palfrader [Sun, 29 Sep 2019 14:14:46 +0000 (16:14 +0200)]
Create an empty pg-nnn chain in case nobody else puts anything there
Peter Palfrader [Sun, 29 Sep 2019 14:13:55 +0000 (16:13 +0200)]
puppet rule to create an empty ferm chain
Adam D. Barratt [Sun, 29 Sep 2019 14:11:20 +0000 (15:11 +0100)]
eximconf: fix IPv4-only sending
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Julien Cristau [Sun, 29 Sep 2019 14:05:41 +0000 (16:05 +0200)]
Don't hardcode bacula director host name
Peter Palfrader [Sun, 29 Sep 2019 14:00:57 +0000 (16:00 +0200)]
better instance names for pg clusters
Peter Palfrader [Sun, 29 Sep 2019 13:59:29 +0000 (15:59 +0200)]
reload ferm when files are removed
Peter Palfrader [Sun, 29 Sep 2019 13:53:43 +0000 (15:53 +0200)]
roles::postgresql::server now sets up postgres::cluster for all clusters
Setting up backup moved to postgres::cluster which includes
postgres::backup_cluster if requested.
All the backup firewall access should be done via pg_hba entries now.
Adam D. Barratt [Sun, 29 Sep 2019 13:37:08 +0000 (14:37 +0100)]
fail2ban: use "host_info" template expression
This correctly handles items such as the port number that is now
included in log entries
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Sun, 29 Sep 2019 13:35:07 +0000 (14:35 +0100)]
fail2ban: fix case-insensitive match in dsa-exim-strict
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Sun, 29 Sep 2019 13:34:08 +0000 (14:34 +0100)]
fail2ban: set explicit encoding for exim logs
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Adam D. Barratt [Sun, 29 Sep 2019 13:33:50 +0000 (14:33 +0100)]
eximconf: expand comments related to retries
Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
Peter Palfrader [Sun, 29 Sep 2019 13:29:43 +0000 (15:29 +0200)]
fix entry name
Peter Palfrader [Sun, 29 Sep 2019 13:27:54 +0000 (15:27 +0200)]
Make the bacula director node request DB access from its role
Peter Palfrader [Sun, 29 Sep 2019 13:24:51 +0000 (15:24 +0200)]
Make the bacula storage node request DB access from its role
Peter Palfrader [Sun, 29 Sep 2019 13:23:08 +0000 (15:23 +0200)]
Also collect entries that only knew the port