Bastian Blank [Fri, 31 Mar 2017 18:00:47 +0000 (20:00 +0200)]
Use rsyncd via systemd on snapshot
Bastian Blank [Fri, 31 Mar 2017 16:33:45 +0000 (18:33 +0200)]
Use vsftpd via systemd on ftp
We also only need a list of bind addresses, so merge them.
Bastian Blank [Fri, 31 Mar 2017 17:46:11 +0000 (19:46 +0200)]
Use rsyncd via systemd on syncproxy
We also only need a list of bind addresses, so merge them.
Bastian Blank [Fri, 31 Mar 2017 16:25:27 +0000 (18:25 +0200)]
Use rsyncd and vsftpd via systemd on security_mirror
We also only need a list of bind addresses, so merge them.
Bastian Blank [Fri, 31 Mar 2017 16:51:35 +0000 (18:51 +0200)]
Fix dependencies between service and xinetd
Martin Zobel-Helas [Mon, 10 Apr 2017 15:11:09 +0000 (17:11 +0200)]
Merge remote-tracking branch 'waldi/vsftpd-systemd-upload'
* waldi/vsftpd-systemd-upload:
Use vsftpd via systemd on security_master
Use vsftpd via systemd on ftp_upload
Make sure xinetd is restarted on service removal
Aurelien Jarno [Sat, 8 Apr 2017 16:57:59 +0000 (18:57 +0200)]
samhain: disable SuidCheck for /srv/buildd/unpack on buildds
The SuidCheck module was not available in jessie (despite our
configuration file mentioning it), and is now enabled by default in
stretch.
For the build daemons, we need to disable suid checks in
/srv/buildd/unpack.
For the porterboxes, we need to disable suid checks in
/srv/chroot/schroot-unpack.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Sat, 8 Apr 2017 08:59:23 +0000 (10:59 +0200)]
Fix kvmdomain facter
QEMU can return a CPU model different than "QEMU Virtual CPU". Check for
the "hypervisor" flag instead.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Fri, 7 Apr 2017 17:24:11 +0000 (19:24 +0200)]
Try to fix previous commit about rng-tools
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Fri, 7 Apr 2017 17:14:56 +0000 (19:14 +0200)]
Do not install rng-tools on stretch VMs
Newer kernel versions, including the one in stretch, are able to feed the
entropy pool from a hardware random number generator without the help of
userspace. The quality option determines how much entropy is used from
the hardware random number and defaults to the maximum for virtio-rng.
Therefore we don't need rng-tools anymore on stretch VMs.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Thu, 6 Apr 2017 07:17:29 +0000 (09:17 +0200)]
setup-dchroot: fix root directory permissions
When using stretch, the debootstrap process does not change the
permissions of the root directory of the chroot. As it is created
with mktemp, it ends up not being readable by a normal user like
"buildd". Change the permissions just before creating the tarball
to avoid that.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Paul Wise [Thu, 6 Apr 2017 02:21:30 +0000 (10:21 +0800)]
Typo
Paul Wise [Thu, 6 Apr 2017 01:55:12 +0000 (09:55 +0800)]
Use standard update-ca-certificates on stretch and later
The changes in update-ca-certificates-dsa got merged in stretch ca-certificates.
Paul Wise [Wed, 5 Apr 2017 23:07:52 +0000 (07:07 +0800)]
Switch from psutil.phymem_usage() to psutil.virtual_memory()
The former was deprecated in version 0.6.0 and removed after jessie:
https://github.com/giampaolo/psutil/blob/master/HISTORY.rst
Aurelien Jarno [Wed, 5 Apr 2017 19:22:32 +0000 (21:22 +0200)]
Update ssh upload rsync wrapper for stretch
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Bastian Blank [Fri, 31 Mar 2017 15:17:56 +0000 (17:17 +0200)]
Use vsftpd via systemd on security_master
Bastian Blank [Fri, 31 Mar 2017 15:17:37 +0000 (17:17 +0200)]
Use vsftpd via systemd on ftp_upload
Bastian Blank [Fri, 31 Mar 2017 17:57:00 +0000 (19:57 +0200)]
Make sure xinetd is restarted on service removal
Martin Zobel-Helas [Fri, 31 Mar 2017 14:52:42 +0000 (16:52 +0200)]
Merge remote-tracking branch 'waldi/vsftpd-systemd'
* waldi/vsftpd-systemd:
Use vsftpd::site_systemd on ports_master
Add systemd backed vsftpd service
Bastian Blank [Fri, 31 Mar 2017 13:41:22 +0000 (15:41 +0200)]
Use vsftpd::site_systemd on ports_master
Bastian Blank [Fri, 31 Mar 2017 13:38:32 +0000 (15:38 +0200)]
Add systemd backed vsftpd service
Julien Cristau [Fri, 31 Mar 2017 13:14:55 +0000 (15:14 +0200)]
Merge branch 'fix-security' of https://gitlab.com/waldi/dsa-puppet
Signed-off-by: Julien Cristau <jcristau@debian.org>
Bastian Blank [Fri, 31 Mar 2017 13:02:11 +0000 (15:02 +0200)]
Provide expected parameters to vsftp site
Bastian Blank [Fri, 31 Mar 2017 09:19:10 +0000 (11:19 +0200)]
Setup /srv/ftp.root in security_mirror role
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Fri, 31 Mar 2017 09:27:09 +0000 (11:27 +0200)]
Disable ftp in security_mirror role
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Fri, 31 Mar 2017 09:24:35 +0000 (11:24 +0200)]
Allow ensure absent in vsftp::site
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Bastian Blank [Fri, 31 Mar 2017 09:15:33 +0000 (11:15 +0200)]
Don't need ftp on mirror-accumu
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Thu, 30 Mar 2017 20:36:23 +0000 (22:36 +0200)]
add mirror-accumu to security_mirror
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Julien Cristau [Thu, 30 Mar 2017 08:58:21 +0000 (10:58 +0200)]
update debian.org DS
Peter Palfrader [Tue, 28 Mar 2017 12:00:24 +0000 (14:00 +0200)]
Purge mlocate from fasolo and all other hosts
Peter Palfrader [Tue, 28 Mar 2017 11:57:39 +0000 (13:57 +0200)]
Allow larger volumes
Peter Palfrader [Tue, 28 Mar 2017 11:51:33 +0000 (13:51 +0200)]
and we need python3-psycopg2
Peter Palfrader [Tue, 28 Mar 2017 11:49:43 +0000 (13:49 +0200)]
remove obsolete volumes daily
Peter Palfrader [Tue, 28 Mar 2017 11:43:30 +0000 (13:43 +0200)]
make bacula storage and director roles
Peter Palfrader [Tue, 28 Mar 2017 11:24:13 +0000 (13:24 +0200)]
bacula db access from storace
Peter Palfrader [Tue, 28 Mar 2017 09:03:17 +0000 (11:03 +0200)]
fix accumu netrange, again
Peter Palfrader [Tue, 28 Mar 2017 09:01:22 +0000 (11:01 +0200)]
update accumu netrange
Peter Palfrader [Tue, 28 Mar 2017 09:00:30 +0000 (11:00 +0200)]
update accumu netrange
Peter Palfrader [Sun, 26 Mar 2017 11:47:55 +0000 (13:47 +0200)]
ignore /srv in samhain
Paul Wise [Sat, 25 Mar 2017 07:56:59 +0000 (15:56 +0800)]
Revert "Update configuration for SSL ca-debian cert store"
This reverts commit
f35f47969e10aeeaf6a48ad2a0f4dbde1f2f9de3.
Paul Wise [Sat, 25 Mar 2017 07:03:18 +0000 (15:03 +0800)]
Fix typo
Paul Wise [Sat, 25 Mar 2017 06:52:02 +0000 (14:52 +0800)]
Update configuration for SSL ca-debian cert store
Remove AddTrust as it isn't used any more.
Switch from the DST root CA to ISRG on jessie and newer
for Let's Encrypt since it has fewer intermediate CAs.
The ISRG root isn't available in wheezy ca-certificates.
Document why each CA cert is being used with comments.
Martin Zobel-Helas [Fri, 24 Mar 2017 13:14:13 +0000 (14:14 +0100)]
add mirror-accumu as anycast bgp host
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Peter Palfrader [Mon, 20 Mar 2017 17:42:28 +0000 (17:42 +0000)]
fix storage-per-client.conf template
Peter Palfrader [Mon, 20 Mar 2017 17:39:35 +0000 (17:39 +0000)]
fix per-client.conf template
Peter Palfrader [Mon, 20 Mar 2017 17:26:11 +0000 (17:26 +0000)]
fix munin.conf_per_node template
Peter Palfrader [Mon, 20 Mar 2017 16:03:33 +0000 (17:03 +0100)]
Use the dsa-check-libs from the dsa nagios checks package again
Peter Palfrader [Mon, 20 Mar 2017 15:57:59 +0000 (16:57 +0100)]
remove debian.restricted.list apt source on hosts without proliant raid
Peter Palfrader [Mon, 20 Mar 2017 15:39:12 +0000 (16:39 +0100)]
move munin.conf_per_node.erb to the right place
Julien Cristau [Mon, 20 Mar 2017 14:19:37 +0000 (15:19 +0100)]
Only ignore puppetdb.conf at the root
Peter Palfrader [Mon, 20 Mar 2017 14:17:09 +0000 (14:17 +0000)]
update .gitignore
Peter Palfrader [Mon, 20 Mar 2017 14:15:55 +0000 (14:15 +0000)]
add puppetdb.conf on puppetmaster
Peter Palfrader [Mon, 20 Mar 2017 14:15:29 +0000 (14:15 +0000)]
Do not hardcode "handel" in template - use puppetmaster role instead
Peter Palfrader [Mon, 20 Mar 2017 14:14:33 +0000 (14:14 +0000)]
use puppetdb backend for storeconfigs
Martin Zobel-Helas [Mon, 20 Mar 2017 13:37:05 +0000 (14:37 +0100)]
update puppet.conf.erb
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Peter Palfrader [Mon, 20 Mar 2017 09:25:49 +0000 (10:25 +0100)]
run puppet every 2 instead of every 4 hours
Peter Palfrader [Mon, 20 Mar 2017 09:11:23 +0000 (10:11 +0100)]
samhain ignore /etc/cron.d/puppet-nagios-wraps
Peter Palfrader [Mon, 20 Mar 2017 09:00:00 +0000 (10:00 +0100)]
Add nagios puppet check out of cron
Tollef Fog Heen [Sun, 19 Mar 2017 13:11:05 +0000 (14:11 +0100)]
Prefix variables with the right sigil
Tollef Fog Heen [Sun, 19 Mar 2017 13:09:34 +0000 (14:09 +0100)]
Use underscores rather than hyphens for class names
Aurelien Jarno [Sun, 19 Mar 2017 12:49:25 +0000 (13:49 +0100)]
Fix bconsole.conf template
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Martin Zobel-Helas [Sun, 19 Mar 2017 12:47:02 +0000 (13:47 +0100)]
Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet
* 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet:
Fix bacula-dir.conf template
Drop dead bits in ftp_upload
Fix portforwarder inetd config for new puppet
Martin Zobel-Helas [Sun, 19 Mar 2017 12:46:35 +0000 (13:46 +0100)]
fix syntax in modules/named/templates/named.conf.puppet-shared-keys.erb
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Aurelien Jarno [Sun, 19 Mar 2017 12:44:46 +0000 (13:44 +0100)]
Fix bacula-dir.conf template
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Sun, 19 Mar 2017 11:57:59 +0000 (12:57 +0100)]
Drop dead bits in ftp_upload
$bind6 was undefined since commit
b0dd1aa9d67bc92d097c1ad23f42bbedd173b756.
Julien Cristau [Sun, 19 Mar 2017 11:43:56 +0000 (12:43 +0100)]
Fix portforwarder inetd config for new puppet
Martin Zobel-Helas [Sun, 19 Mar 2017 11:32:15 +0000 (12:32 +0100)]
Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet
* 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet:
Fix ensure value for postgres
Update postgres fact
Use absolute includes, not relative ones
Martin Zobel-Helas [Sun, 19 Mar 2017 11:31:50 +0000 (12:31 +0100)]
lint name of function
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Julien Cristau [Sun, 19 Mar 2017 11:30:17 +0000 (12:30 +0100)]
Fix ensure value for postgres
Julien Cristau [Sun, 19 Mar 2017 11:28:13 +0000 (12:28 +0100)]
Update postgres fact
Tollef Fog Heen [Sun, 19 Mar 2017 10:57:06 +0000 (11:57 +0100)]
Use absolute includes, not relative ones
Tollef Fog Heen [Sun, 19 Mar 2017 10:43:35 +0000 (11:43 +0100)]
Look for Numeric in addition to allowing number-strings
foo: 587 in yaml gets us a Numeric, and regex matches only match
strings in newer puppets, so check for that and use sprintf to get us
a string.
Julien Cristau [Sun, 19 Mar 2017 10:43:26 +0000 (11:43 +0100)]
Fix postgres-make-base-backups for new puppet
Martin Zobel-Helas [Sun, 19 Mar 2017 09:57:08 +0000 (10:57 +0100)]
and add absolute path
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Sun, 19 Mar 2017 09:56:04 +0000 (10:56 +0100)]
*cough* this is no executable
Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
Martin Zobel-Helas [Sun, 19 Mar 2017 09:35:29 +0000 (10:35 +0100)]
Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet
* 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet: (32 commits)
Do not use sslname empty string for no ssl
Make scores of webserver related templates compile
Fix historical mirror apache template
make order a string
fix torrc-header template
fix rsync site module
if we do not have specific binds, we use the empty string to signal that
Fix stunnel template
Attempt to fix version comparisons
Fix munin::conf for new puppet
Fix schroot-buildd/fstab.erb template
Remove wheezy support in schroot files
Remove wheezy support in buildd files
Make concat::fragment order parameter be a string
buildd: fix lsbmajdistrelease calls
fix template
fix two templates
fix two templates
rename nfs-server to nfs_server
remove rng-tools without hwrandom
...
Martin Zobel-Helas [Sun, 19 Mar 2017 09:35:11 +0000 (10:35 +0100)]
add back our git reversion
Peter Palfrader [Sun, 19 Mar 2017 09:02:22 +0000 (09:02 +0000)]
Do not use sslname empty string for no ssl
Peter Palfrader [Sun, 19 Mar 2017 08:56:48 +0000 (08:56 +0000)]
Make scores of webserver related templates compile
Peter Palfrader [Sun, 19 Mar 2017 08:42:50 +0000 (08:42 +0000)]
Fix historical mirror apache template
Peter Palfrader [Sun, 19 Mar 2017 08:35:52 +0000 (08:35 +0000)]
make order a string
Peter Palfrader [Sun, 19 Mar 2017 08:35:22 +0000 (08:35 +0000)]
fix torrc-header template
Peter Palfrader [Sun, 19 Mar 2017 08:30:44 +0000 (08:30 +0000)]
fix rsync site module
Peter Palfrader [Sun, 19 Mar 2017 08:30:32 +0000 (08:30 +0000)]
if we do not have specific binds, we use the empty string to signal that
Aurelien Jarno [Sun, 19 Mar 2017 07:36:48 +0000 (08:36 +0100)]
Fix stunnel template
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Sat, 18 Mar 2017 22:16:30 +0000 (23:16 +0100)]
Attempt to fix version comparisons
Use versioncmp function instead of string comparison. Thanks olasd.
Julien Cristau [Sat, 18 Mar 2017 21:53:55 +0000 (22:53 +0100)]
Fix munin::conf for new puppet
Aurelien Jarno [Sat, 18 Mar 2017 21:43:27 +0000 (22:43 +0100)]
Fix schroot-buildd/fstab.erb template
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Sat, 18 Mar 2017 21:39:57 +0000 (22:39 +0100)]
Remove wheezy support in schroot files
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Sat, 18 Mar 2017 21:36:54 +0000 (22:36 +0100)]
Remove wheezy support in buildd files
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Sat, 18 Mar 2017 21:31:52 +0000 (22:31 +0100)]
Make concat::fragment order parameter be a string
Aurelien Jarno [Sat, 18 Mar 2017 21:31:35 +0000 (22:31 +0100)]
buildd: fix lsbmajdistrelease calls
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Peter Palfrader [Sat, 18 Mar 2017 21:05:58 +0000 (21:05 +0000)]
fix template
Peter Palfrader [Sat, 18 Mar 2017 20:39:21 +0000 (20:39 +0000)]
fix two templates
Peter Palfrader [Sat, 18 Mar 2017 20:36:51 +0000 (20:36 +0000)]
fix two templates
Peter Palfrader [Sat, 18 Mar 2017 20:36:43 +0000 (20:36 +0000)]
rename nfs-server to nfs_server
Peter Palfrader [Sat, 18 Mar 2017 19:37:29 +0000 (20:37 +0100)]
remove rng-tools without hwrandom
Peter Palfrader [Sat, 18 Mar 2017 19:33:38 +0000 (20:33 +0100)]
close quote
Peter Palfrader [Sat, 18 Mar 2017 19:31:55 +0000 (20:31 +0100)]
the hook is annoying
Peter Palfrader [Sat, 18 Mar 2017 19:30:57 +0000 (20:30 +0100)]
stringify file modes