mirror/dsa-puppet.git
Peter Palfrader [Sun, 22 Sep 2019 21:33:59 +0000 (23:33 +0200)]
security_master has an apache

Peter Palfrader [Sun, 22 Sep 2019 21:32:55 +0000 (23:32 +0200)]
static_mirror_web includes apache

Aurelien Jarno [Sun, 22 Sep 2019 21:20:02 +0000 (23:20 +0200)]
update hardcoded ferm IPs

Peter Palfrader [Sun, 22 Sep 2019 21:19:53 +0000 (23:19 +0200)]
remove old mirror-health files in roles

Peter Palfrader [Sun, 22 Sep 2019 21:16:36 +0000 (23:16 +0200)]
security_mirror -> hiera role; part 2; also make security apache bind to the security specific addresses

Peter Palfrader [Sun, 22 Sep 2019 20:58:38 +0000 (22:58 +0200)]
security_mirror -> hiera role; part 1

Aurelien Jarno [Sun, 22 Sep 2019 19:40:40 +0000 (21:40 +0200)]
prefix donizetti volumes with OLD-

Peter Palfrader [Sun, 22 Sep 2019 19:29:30 +0000 (21:29 +0200)]
whitespace change

Peter Palfrader [Sun, 22 Sep 2019 19:23:12 +0000 (21:23 +0200)]
on farmsync target collect ssh keys with the right tag

Peter Palfrader [Sun, 22 Sep 2019 19:19:25 +0000 (21:19 +0200)]
avoid duplicate ssh keygen for snapshot

Peter Palfrader [Sun, 22 Sep 2019 19:18:12 +0000 (21:18 +0200)]
avoid duplicate ssh keygen for snapshot

Peter Palfrader [Sun, 22 Sep 2019 19:12:20 +0000 (21:12 +0200)]
Set up ssh between snapshot nodes

Peter Palfrader [Sun, 22 Sep 2019 19:11:00 +0000 (21:11 +0200)]
make lint happy

Peter Palfrader [Sun, 22 Sep 2019 19:00:53 +0000 (21:00 +0200)]
whitespace change

Peter Palfrader [Sun, 22 Sep 2019 18:59:57 +0000 (20:59 +0200)]
Put lw01,lw02,lw03,lw04,lw09,lw10 into a snapshot_base class and include that also from _web and _shell

Aurelien Jarno [Sun, 22 Sep 2019 19:05:55 +0000 (21:05 +0200)]
danzi: merge dsa-postgres2-danzi and dsa-postgres2-danzi6

Use a single rule for both. Also rename the rule and improve the
description to make it clear that it concerns the debconf cluster. Only
allow access from debussy instead of the whole subnet.

Aurelien Jarno [Sun, 22 Sep 2019 18:59:47 +0000 (20:59 +0200)]
danzi: merge dsa-postgres-danzi and dsa-postgres-danzi6

Use a single rule for both. Also rename the rule and improve the
description to make it clear that it concerns the main cluster. Drop the
old IP addresses of wuiet and the old UBC subnet. Ideally we should have
a list of hosts there, but that's already an improvement.

Aurelien Jarno [Sun, 22 Sep 2019 18:48:01 +0000 (20:48 +0200)]
Allow access to the tracker db @ danzi from ticharich

Aurelien Jarno [Sun, 22 Sep 2019 16:56:09 +0000 (18:56 +0200)]
donizetti is now at ubc

Peter Palfrader [Sun, 22 Sep 2019 18:53:33 +0000 (20:53 +0200)]
No longer allow nagios to recurse on our binds

Peter Palfrader [Sun, 22 Sep 2019 17:39:20 +0000 (19:39 +0200)]
nagiosmaster -> hiera role; bind acls still not converted

Peter Palfrader [Sun, 22 Sep 2019 17:32:28 +0000 (19:32 +0200)]
merge SSH_SOURCES and SSH_V6_SOURCES

Peter Palfrader [Sun, 22 Sep 2019 17:23:11 +0000 (19:23 +0200)]
Our (DSA) home networks do not need to access rabbitmq services

Peter Palfrader [Sun, 22 Sep 2019 16:48:40 +0000 (18:48 +0200)]
Move archvsync ferm sshs from the input chain to the new ssh chain

Peter Palfrader [Sun, 22 Sep 2019 16:47:44 +0000 (18:47 +0200)]
Allow nagios to ssh to our hosts

Peter Palfrader [Sun, 22 Sep 2019 16:41:12 +0000 (18:41 +0200)]
avoid top-scope variable being used without an explicit namespace

Peter Palfrader [Sun, 22 Sep 2019 16:40:23 +0000 (18:40 +0200)]
whitespace change

Peter Palfrader [Sun, 22 Sep 2019 16:39:56 +0000 (18:39 +0200)]
Make an explicit iptables ssh chain

Aurelien Jarno [Sun, 22 Sep 2019 16:35:09 +0000 (18:35 +0200)]
add donizetti volumes at ubc

Aurelien Jarno [Sun, 22 Sep 2019 16:19:27 +0000 (18:19 +0200)]
prefix ticharich volumes with OLD-

Peter Palfrader [Sun, 22 Sep 2019 16:13:38 +0000 (18:13 +0200)]
Remove empty ferm::zivit

Peter Palfrader [Sun, 22 Sep 2019 16:12:52 +0000 (18:12 +0200)]
iptables -vnL on zelenka suggests that zivit no longer does rrdcollect and zabbix against our machine

Peter Palfrader [Sun, 22 Sep 2019 16:11:45 +0000 (18:11 +0200)]
Apparently we no longer monitor the time service on zivit hosts

Peter Palfrader [Sun, 22 Sep 2019 15:22:19 +0000 (17:22 +0200)]
fix param name

Peter Palfrader [Sun, 22 Sep 2019 15:21:29 +0000 (17:21 +0200)]
bgp -> hiera role

Peter Palfrader [Sun, 22 Sep 2019 15:14:50 +0000 (17:14 +0200)]
Merge branch 'debianmirrorrole'

* debianmirrorrole:
  Do not ship sbin/mirror-health from the roles version while we migrate
  debian_mirror -> hiera role

Peter Palfrader [Sun, 22 Sep 2019 15:13:31 +0000 (17:13 +0200)]
Do not ship sbin/mirror-health from the roles version while we migrate

Peter Palfrader [Sun, 22 Sep 2019 15:07:38 +0000 (17:07 +0200)]
debian_mirror -> hiera role

Peter Palfrader [Sun, 22 Sep 2019 14:59:25 +0000 (16:59 +0200)]
Move allow-all smtp from the mta class to the exim and the lists class

We have some hosts that get their @host mail from the smarthost,
but that still accept mail from the internet.

Julien Cristau [Sun, 22 Sep 2019 14:23:09 +0000 (16:23 +0200)]
ticharich at ubc

Peter Palfrader [Sun, 22 Sep 2019 13:58:19 +0000 (15:58 +0200)]
retire obsolete muninmaster entry from common.yaml

Peter Palfrader [Sun, 22 Sep 2019 13:56:45 +0000 (15:56 +0200)]
mirror_health: this_host_service_name is now optional

Peter Palfrader [Sun, 22 Sep 2019 13:35:04 +0000 (15:35 +0200)]
munin/master_per_node: no longer needs to be backwards compatible

Peter Palfrader [Sun, 22 Sep 2019 13:26:33 +0000 (15:26 +0200)]
munin/master_per_node: try to be backwards compatible

Peter Palfrader [Sun, 22 Sep 2019 13:23:54 +0000 (15:23 +0200)]
muninmaster -> hiera role, new ssh store/collect, no more plain text munin fetching firewall rules (it is all async via ssh these days)

Peter Palfrader [Sun, 22 Sep 2019 13:21:59 +0000 (15:21 +0200)]
All our munin is munin-async these days

Peter Palfrader [Sun, 22 Sep 2019 13:11:13 +0000 (15:11 +0200)]
munin class cleanup

Peter Palfrader [Sun, 22 Sep 2019 13:01:28 +0000 (15:01 +0200)]
All our munin is munin-async these days

Julien Cristau [Sun, 22 Sep 2019 13:21:27 +0000 (15:21 +0200)]
mirror_health: add param description

Julien Cristau [Sun, 22 Sep 2019 12:55:00 +0000 (14:55 +0200)]
add ticharich volumes at ubc

Peter Palfrader [Sun, 22 Sep 2019 12:49:29 +0000 (14:49 +0200)]
Use variable correctly

Peter Palfrader [Sun, 22 Sep 2019 12:48:08 +0000 (14:48 +0200)]
Move debug healthcheck info to hiera

Peter Palfrader [Sun, 22 Sep 2019 12:42:17 +0000 (14:42 +0200)]
Move debug to store/collect health checker

Aurelien Jarno [Sun, 22 Sep 2019 11:42:47 +0000 (13:42 +0200)]
Fix previous commit

Aurelien Jarno [Sun, 22 Sep 2019 11:41:48 +0000 (13:41 +0200)]
The klecker-ftp.d.o address has been moved to new-klecker

Therefore:
- move the corresponding listen addresses to new-klecker
- drop the debian_mirror role from klecker

Julien Cristau [Sun, 22 Sep 2019 11:35:07 +0000 (13:35 +0200)]
As debian.mirrors.d.o gets checked by the health checker, explicitly listen on localhost

Peter Palfrader [Sun, 22 Sep 2019 11:28:14 +0000 (13:28 +0200)]
As debug.mirrors.d.o gets checked by the health checker, explicitly listen on localhost

Peter Palfrader [Sun, 22 Sep 2019 11:19:47 +0000 (13:19 +0200)]
debug_mirror -> hiera role, first step

Peter Palfrader [Sun, 22 Sep 2019 11:15:26 +0000 (13:15 +0200)]
whitespace change

Peter Palfrader [Sun, 22 Sep 2019 11:07:52 +0000 (13:07 +0200)]
remove historical_mirror has_role call for inclusion; no longer needed

Peter Palfrader [Sun, 22 Sep 2019 11:04:43 +0000 (13:04 +0200)]
historical_mirror -> hiera role

Since there are no onion mirrors right now, remove that code from the
role.

Peter Palfrader [Sun, 22 Sep 2019 10:51:28 +0000 (12:51 +0200)]
historical_master -> hiera role

Peter Palfrader [Sun, 22 Sep 2019 10:47:52 +0000 (12:47 +0200)]
ports_master -> hiera role

Peter Palfrader [Sun, 22 Sep 2019 10:46:24 +0000 (12:46 +0200)]
ftp_master -> hiera role

Peter Palfrader [Sun, 22 Sep 2019 10:45:13 +0000 (12:45 +0200)]
include signing from the ftp_master role

Peter Palfrader [Sun, 22 Sep 2019 10:44:48 +0000 (12:44 +0200)]
whitespace/quoting: modules/roles/manifests/signing (make lint happy)

Peter Palfrader [Sun, 22 Sep 2019 10:44:21 +0000 (12:44 +0200)]
make ftp-master include dakmaster directly

Peter Palfrader [Sun, 22 Sep 2019 10:43:40 +0000 (12:43 +0200)]
whitespace/quoting: modules/roles/manifests/dakmaster (make lint happy)

Peter Palfrader [Sun, 22 Sep 2019 10:42:11 +0000 (12:42 +0200)]
security_master -> hiera role

Peter Palfrader [Sun, 22 Sep 2019 10:33:38 +0000 (12:33 +0200)]
retire old HOST_MAILRELAY ferm variable

Peter Palfrader [Sun, 22 Sep 2019 10:32:09 +0000 (12:32 +0200)]
retire mail_port config from local.yaml

Peter Palfrader [Sun, 22 Sep 2019 10:28:42 +0000 (12:28 +0200)]
Merge virtualdomains setup into exim/init

Peter Palfrader [Sun, 22 Sep 2019 10:26:01 +0000 (12:26 +0200)]
move the remaining virtualdomains to the mailrelay class

Peter Palfrader [Sun, 22 Sep 2019 10:22:36 +0000 (12:22 +0200)]
remove manualroute cleanup; it has run everywhere

Peter Palfrader [Sun, 22 Sep 2019 10:15:00 +0000 (12:15 +0200)]
And fix name in manualroute.pp

Peter Palfrader [Sun, 22 Sep 2019 10:10:49 +0000 (12:10 +0200)]
Use correct variable scope in manualroute.pp

Peter Palfrader [Sun, 22 Sep 2019 10:08:43 +0000 (12:08 +0200)]
Move to collected manualroute

Peter Palfrader [Sun, 22 Sep 2019 10:04:57 +0000 (12:04 +0200)]
Register manualroutes from the service class for the three services that had it hardcoded in the exim class; and make a roles::salsa

Peter Palfrader [Sun, 22 Sep 2019 10:04:15 +0000 (12:04 +0200)]
Create an exim::manualroute define

Peter Palfrader [Sun, 22 Sep 2019 09:51:44 +0000 (11:51 +0200)]
Switch to the hiera optional mail_port

Peter Palfrader [Sun, 22 Sep 2019 09:46:44 +0000 (11:46 +0200)]
remove smtp_sources from ferm's me.conf, retire old-style heavy_{exim,postfix} roles

Peter Palfrader [Sun, 22 Sep 2019 09:43:35 +0000 (11:43 +0200)]
Move TLSA for submission port from exim::mx role to the mailrelay role

Peter Palfrader [Sun, 22 Sep 2019 09:42:28 +0000 (11:42 +0200)]
remove default firewall accept to port submission on the MXes

Peter Palfrader [Sun, 22 Sep 2019 09:40:55 +0000 (11:40 +0200)]
Retire debian_org::mail_incoming_port which did the default firewalling for the mail ports

Peter Palfrader [Sun, 22 Sep 2019 09:39:51 +0000 (11:39 +0200)]
Move tlsa setup from mail_incoming_port to mta role

Peter Palfrader [Sun, 22 Sep 2019 09:39:09 +0000 (11:39 +0200)]
Make the manualroute explicitly send to port 25 by default as that simplifies the logic here

Peter Palfrader [Sun, 22 Sep 2019 09:35:31 +0000 (11:35 +0200)]
Try to add firewalling to enable mail satellites to connect to the submission port on the mail relays

Peter Palfrader [Sun, 22 Sep 2019 09:25:40 +0000 (11:25 +0200)]
bugs_master: allow incoming mail to the submission port from the role

Peter Palfrader [Sun, 22 Sep 2019 09:18:09 +0000 (11:18 +0200)]
Have the nagios-server export an smtp-allow rule to the mail satellites

Peter Palfrader [Sun, 22 Sep 2019 09:17:45 +0000 (11:17 +0200)]
Re-tag the store/collect ferm rule for mailrelays to satellites from smtp::server::from::mailrelay to smtp::server::to::mail-satellite

Peter Palfrader [Sun, 22 Sep 2019 09:17:13 +0000 (11:17 +0200)]
On non-satellites, allow smtp from the world

Peter Palfrader [Sun, 22 Sep 2019 09:06:05 +0000 (11:06 +0200)]
Fail if we are not an MX and do not have set MX to the mail relays

Peter Palfrader [Sun, 22 Sep 2019 09:01:30 +0000 (11:01 +0200)]
also remove tye from the old heavy-exim role.  that should probably be cleaned up next

Peter Palfrader [Sun, 22 Sep 2019 08:53:57 +0000 (10:53 +0200)]
retire i18n.debian.org mail setup

After discussion on #debian-admin, it seems @i18n.debian.org is not used
these days.

As such, remove tye from the heavy-exim roles and remove the virtual
email domain.  the mx stuff on tye will be cleaned up manually.

Peter Palfrader [Sun, 22 Sep 2019 08:49:23 +0000 (10:49 +0200)]
Have the www-master role declare its exim virtualdomain

Peter Palfrader [Sun, 22 Sep 2019 08:46:29 +0000 (10:46 +0200)]
Have the rt role declare its exim virtualdomain

Peter Palfrader [Sun, 22 Sep 2019 08:22:35 +0000 (10:22 +0200)]
Quantz should have the packagesqamaster role

It already did, but that was lost a few days ago in
4dcb0bb6ab00da402d5939588bf5793a917f8b02 when we introduced the
dedicated manifest for the role.

Peter Palfrader [Sun, 22 Sep 2019 08:18:19 +0000 (10:18 +0200)]
Have the qa and packages.qa roles declare their exim virtualdomain

Peter Palfrader [Sun, 22 Sep 2019 08:14:58 +0000 (10:14 +0200)]
Have the popcon role declare its exim virtualdomain

Peter Palfrader [Sun, 22 Sep 2019 08:13:20 +0000 (10:13 +0200)]
note that there is role specific exim config for bugs and packages