mirror/dsa-puppet.git
Peter Palfrader [Tue, 10 Sep 2019 12:12:49 +0000 (14:12 +0200)]
get debian mirror for apt from hiera (not yet doing that for schroot)

Peter Palfrader [Tue, 10 Sep 2019 12:03:52 +0000 (14:03 +0200)]
use correct tag for ssh authkeys @@ferm::rule

Peter Palfrader [Tue, 10 Sep 2019 11:49:52 +0000 (13:49 +0200)]
remove retired hosters: carnet, freenet, helsinki, linaro, ugent, uni-karlsruhe, xs4all

Peter Palfrader [Tue, 10 Sep 2019 11:47:15 +0000 (13:47 +0200)]
hoster: sort alphabetically

Peter Palfrader [Tue, 10 Sep 2019 11:42:00 +0000 (13:42 +0200)]
move hoster hieradata into its own directory

Peter Palfrader [Tue, 10 Sep 2019 11:31:33 +0000 (13:31 +0200)]
Add a comment to hieradata/common.yaml/roles

Peter Palfrader [Tue, 10 Sep 2019 11:27:16 +0000 (13:27 +0200)]
debian_org::apt: Retire some <= Debian8(jessie) codepaths

Peter Palfrader [Tue, 10 Sep 2019 08:10:36 +0000 (10:10 +0200)]
retire rsync snapshot service for lw*

Peter Palfrader [Tue, 10 Sep 2019 08:09:40 +0000 (10:09 +0200)]
rsync::site: remove unused variables, define parameter types

Peter Palfrader [Tue, 10 Sep 2019 08:00:00 +0000 (10:00 +0200)]
move rsync stunnels also to dsa_systemd::socket_service.  This should be a nop

Peter Palfrader [Tue, 10 Sep 2019 07:55:59 +0000 (09:55 +0200)]
fix a variable name

Peter Palfrader [Tue, 10 Sep 2019 07:52:48 +0000 (09:52 +0200)]
move rsync service/socket setup into a dsa_systemd::socket_service

Peter Palfrader [Tue, 10 Sep 2019 07:41:26 +0000 (09:41 +0200)]
Remove re-statement of default mode, owner, and group

Peter Palfrader [Tue, 10 Sep 2019 07:37:56 +0000 (09:37 +0200)]
rsync::site cleanup: try to fix ordering when we remove a service

Peter Palfrader [Tue, 10 Sep 2019 07:34:29 +0000 (09:34 +0200)]
rsync::site cleanup: move file and service names into variable

Peter Palfrader [Tue, 10 Sep 2019 07:31:27 +0000 (09:31 +0200)]
rsync::site dependency cleanup, part 1

We define three things: a .service file, a .socket file, and a service.

Previously, the service would require the two files, and the .socket
file would also notify the service.  Change that to the service
subscribing to the files, so it gets a) applied after the files, and
b) refreshed if either changes.

This seems cleaner.  The net change should be that the service gets
also notified if the .service file changes.

Peter Palfrader [Tue, 10 Sep 2019 07:30:58 +0000 (09:30 +0200)]
Revert "rsync::site dependency cleanup, part 1"

This reverts commit e18adfd6c665a99d3e5cde12b9cac516c39bda6b.

The commit contained unrelated changes.  Will re-commit the relevant
ones soon.

Peter Palfrader [Tue, 10 Sep 2019 07:25:51 +0000 (09:25 +0200)]
rsync::site dependency cleanup, part 1

We define three things: a .service file, a .socket file, and a service.

Previously, the service would require the two files, and the .socket
file would also notify the service.  Change that to the service
subscribing to the files, so it gets a) applied after the files, and
b) refreshed if either changes.

This seems cleaner.  The net change should be that the service gets
also notified if the .service file changes.

Peter Palfrader [Tue, 10 Sep 2019 07:11:57 +0000 (09:11 +0200)]
remove snapshot rsync service on lw* snapshot storage nodes

This service was not published and it's unlikely to be useful in any
sane way these days.

Peter Palfrader [Tue, 10 Sep 2019 07:10:17 +0000 (09:10 +0200)]
rsync::site: typecheck $ensure parameter

Peter Palfrader [Tue, 10 Sep 2019 06:56:54 +0000 (08:56 +0200)]
restrict,pty is a better way to get pty and disable everything else than listing all the current else things now

Peter Palfrader [Mon, 9 Sep 2019 20:35:32 +0000 (22:35 +0200)]
anarcat points out that maybe Optional[String] is better to use here

No idea if it works, but we'll find out eventually

Peter Palfrader [Mon, 9 Sep 2019 20:26:14 +0000 (22:26 +0200)]
the dsa user on the draghi pushes compiled nagios config (nrpe) to the puppet master

Peter Palfrader [Mon, 9 Sep 2019 20:25:00 +0000 (22:25 +0200)]
whitespace change only

Peter Palfrader [Mon, 9 Sep 2019 20:19:20 +0000 (22:19 +0200)]
authorized_key_add: allow undef value for key

Peter Palfrader [Mon, 9 Sep 2019 20:16:39 +0000 (22:16 +0200)]
the letsencrypt user on the dns primary pushes certs to the puppet master

Peter Palfrader [Mon, 9 Sep 2019 20:00:56 +0000 (22:00 +0200)]
roleaccounts: add dsa, letsencrypt

Peter Palfrader [Mon, 9 Sep 2019 20:00:32 +0000 (22:00 +0200)]
roleaccounts: reformat user list

Peter Palfrader [Mon, 9 Sep 2019 14:08:39 +0000 (16:08 +0200)]
no pg on sibelius

Peter Palfrader [Mon, 9 Sep 2019 12:06:02 +0000 (14:06 +0200)]
ganeti-reboot-cluster: describe what it does, and a license

Julien Cristau [Mon, 9 Sep 2019 08:34:44 +0000 (10:34 +0200)]
Don't use versioned pg_basebackup

Use the latest so we know we can pass -X none.  -X fetch causes the
debsources backup to fail with a "requested WAL segment has already been
removed" error.

Peter Palfrader [Sun, 8 Sep 2019 19:05:59 +0000 (21:05 +0200)]
Log exit code of make-one-base-backup

Peter Palfrader [Sun, 8 Sep 2019 14:03:04 +0000 (16:03 +0200)]
no longer let thijs run tcpdump on klecker

Peter Palfrader [Sun, 8 Sep 2019 14:01:57 +0000 (16:01 +0200)]
Split out jenkins sudoers entries

Peter Palfrader [Sun, 8 Sep 2019 14:00:36 +0000 (16:00 +0200)]
whitespace change only

Peter Palfrader [Sun, 8 Sep 2019 13:58:19 +0000 (15:58 +0200)]
sudoers: include /etc/sudoers.d/

Peter Palfrader [Sun, 8 Sep 2019 13:57:14 +0000 (15:57 +0200)]
Create and own /etc/sudoers.d

Peter Palfrader [Sun, 8 Sep 2019 13:55:55 +0000 (15:55 +0200)]
Install libpam-pwdfile

Peter Palfrader [Sun, 8 Sep 2019 13:54:58 +0000 (15:54 +0200)]
no longer try release-specific sudoers files

Peter Palfrader [Sun, 8 Sep 2019 13:54:10 +0000 (15:54 +0200)]
sudo: whitespace change only

Peter Palfrader [Sun, 8 Sep 2019 13:53:00 +0000 (15:53 +0200)]
Make jenkins a proper role

Peter Palfrader [Sun, 8 Sep 2019 13:46:52 +0000 (15:46 +0200)]
make a dsa_systemd::linger to enable or disable lingering consistently

Aurelien Jarno [Sun, 8 Sep 2019 13:37:00 +0000 (15:37 +0200)]
Enable lingering for jenkins user for jenkins role

Peter Palfrader [Sun, 8 Sep 2019 13:36:05 +0000 (15:36 +0200)]
ignore old PG on snapshotdb-manda-01 until January.  Hopefully we will have upgraded by then

Peter Palfrader [Sun, 8 Sep 2019 11:53:12 +0000 (13:53 +0200)]
switch package{} in bacula::client to ensure_packages

Peter Palfrader [Sun, 8 Sep 2019 11:52:17 +0000 (13:52 +0200)]
switch package{} in bacula::director to ensure_packages

Peter Palfrader [Sun, 8 Sep 2019 11:49:52 +0000 (13:49 +0200)]
minor comments

Peter Palfrader [Sun, 8 Sep 2019 11:42:15 +0000 (13:42 +0200)]
Make all the settings parameters.  the (unused) bacula_fd_port from hiera is now bacula::bacula_client_port

Peter Palfrader [Sun, 8 Sep 2019 11:39:24 +0000 (13:39 +0200)]
cleanup old, commented out hiera info

Peter Palfrader [Sun, 8 Sep 2019 11:31:22 +0000 (13:31 +0200)]
bacula director and storage: whitespace change only

Peter Palfrader [Sun, 8 Sep 2019 11:10:05 +0000 (13:10 +0200)]
retire not-bacula-client local.yaml "role"

Peter Palfrader [Sun, 8 Sep 2019 11:08:01 +0000 (13:08 +0200)]
turn buildd into a real role

Peter Palfrader [Sun, 8 Sep 2019 10:52:32 +0000 (12:52 +0200)]
make motd check for no-backups depend on bacula::not_a_client class rather than local.yaml

Peter Palfrader [Sun, 8 Sep 2019 10:50:49 +0000 (12:50 +0200)]
no longer necessary to list porterboxes explicitly in local.yaml not-bacula-client

Peter Palfrader [Sun, 8 Sep 2019 10:50:13 +0000 (12:50 +0200)]
Do not backup porterboxes

Peter Palfrader [Sun, 8 Sep 2019 10:49:55 +0000 (12:49 +0200)]
do bacula backups iff we do not include the bacula::not_a_client class, 2

Peter Palfrader [Sun, 8 Sep 2019 10:48:59 +0000 (12:48 +0200)]
do bacula backups iff we do not include the bacula::not_a_client class

Peter Palfrader [Sun, 8 Sep 2019 10:44:00 +0000 (12:44 +0200)]
bacula::client -- support present/absent

Peter Palfrader [Sun, 8 Sep 2019 10:30:19 +0000 (12:30 +0200)]
fix a spacing in also-used in motd

Peter Palfrader [Sun, 8 Sep 2019 10:30:11 +0000 (12:30 +0200)]
remove porterbox purpose when we add the porterbox blurb to the motd

Peter Palfrader [Sun, 8 Sep 2019 10:28:15 +0000 (12:28 +0200)]
turn porterbox into a real role

Julien Cristau [Sun, 8 Sep 2019 09:43:45 +0000 (11:43 +0200)]
Mask openipmi service on dell hosts

Peter Palfrader [Sun, 8 Sep 2019 08:51:56 +0000 (10:51 +0200)]
Switch the wb-buildd ssh keys to collected snippets

Peter Palfrader [Sun, 8 Sep 2019 08:45:44 +0000 (10:45 +0200)]
roles/manifests/buildd_master: whitespace change only

Peter Palfrader [Sun, 8 Sep 2019 08:44:57 +0000 (10:44 +0200)]
Upgrade some notifies to warnings

Peter Palfrader [Sun, 8 Sep 2019 08:43:23 +0000 (10:43 +0200)]
Remove temporary DC19 rules for roles::sreview

Peter Palfrader [Sun, 8 Sep 2019 08:41:16 +0000 (10:41 +0200)]
Finish migrating to /etc/ssh/puppetkeys/ for exported ssh authkeys

Peter Palfrader [Sun, 8 Sep 2019 08:36:45 +0000 (10:36 +0200)]
Continue migrating to /etc/ssh/puppetkeys/ for exported ssh authkeys

Peter Palfrader [Sun, 8 Sep 2019 08:28:35 +0000 (10:28 +0200)]
Start migrating to /etc/ssh/puppetkeys/ for exported ssh authkeys

Peter Palfrader [Sun, 8 Sep 2019 08:24:41 +0000 (10:24 +0200)]
Make an /etc/ssh/puppetkeys for future use, and have sshd read keys from there already

Peter Palfrader [Sun, 8 Sep 2019 08:17:06 +0000 (10:17 +0200)]
Switch /etc/ssh/userkeys/buildd-uploader to collected snippets

Peter Palfrader [Sun, 8 Sep 2019 08:15:42 +0000 (10:15 +0200)]
roles/manifests/ssh_upload: whitespace change only

Peter Palfrader [Sun, 8 Sep 2019 07:33:56 +0000 (09:33 +0200)]
masters also talk to themselves

Peter Palfrader [Sun, 8 Sep 2019 07:29:00 +0000 (09:29 +0200)]
Only setup ssh in static_source if we are not also a static_master

Peter Palfrader [Sun, 8 Sep 2019 07:21:27 +0000 (09:21 +0200)]
rename a file correctly

Peter Palfrader [Sun, 8 Sep 2019 07:17:15 +0000 (09:17 +0200)]
Attempt to partition staticsync ssh setup

In the old setup, every host that is involved with staticsync can ssh to
every other host.

In this new setup:
 - sources can only reach masters (not mirrors),
 - mirrors can only reach masters (not sources), and
 - masters still can talk to all other sources and mirrors
   (but not other masters).

Peter Palfrader [Sun, 8 Sep 2019 07:11:05 +0000 (09:11 +0200)]
Move the non-roles static_base and static_srvdir to static/<foo>

Peter Palfrader [Sun, 8 Sep 2019 07:07:57 +0000 (09:07 +0200)]
Allow providing multiple tags to authorized_key_add

Peter Palfrader [Sun, 8 Sep 2019 06:47:06 +0000 (08:47 +0200)]
Of course just restoring the default symlink is not sufficient -- we also have to retire our own

Peter Palfrader [Sun, 8 Sep 2019 06:43:23 +0000 (08:43 +0200)]
Revert "want systemd-timesyncd from multi-user.target"

This reverts commit 443aa81b256b615c55d4fe987a556c663ad4589d.

By default, systemd-timesyncd.service is installed/wanted-by
sysinit.target.  We changed that to multi-user.target about three
years ago, but it's not clear why we did that.

Revert to the defaults and see if it blows up.  If yes, we have a chance
to find out exactly why we moved it.  If not, we have one less thing
that gets messed with at every point release.

Peter Palfrader [Sat, 7 Sep 2019 23:21:27 +0000 (01:21 +0200)]
staticsync requires a pty

Peter Palfrader [Sat, 7 Sep 2019 23:14:37 +0000 (01:14 +0200)]
collect staticsync ssh authkeys

Peter Palfrader [Sat, 7 Sep 2019 23:13:59 +0000 (01:13 +0200)]
base::public_addresses: handle v4 only hosts like fasolo

Peter Palfrader [Sat, 7 Sep 2019 23:08:23 +0000 (01:08 +0200)]
export staticsync ssh keys, but do not yet collect

Peter Palfrader [Sat, 7 Sep 2019 22:54:54 +0000 (00:54 +0200)]
static: whitespace changes and turn double quotes into single quotes if they have no variables to expand

Peter Palfrader [Sat, 7 Sep 2019 22:39:59 +0000 (00:39 +0200)]
store ssh auth key snippets for buildd wb and upload access, but do not collect just yet

Peter Palfrader [Sat, 7 Sep 2019 22:32:26 +0000 (00:32 +0200)]
fix class names

Peter Palfrader [Sat, 7 Sep 2019 22:30:43 +0000 (00:30 +0200)]
Split buildd class into small pieces

Peter Palfrader [Sat, 7 Sep 2019 22:16:03 +0000 (00:16 +0200)]
remove long dead and commented out code in munin

Peter Palfrader [Sat, 7 Sep 2019 22:12:21 +0000 (00:12 +0200)]
add a comment saying which host a key comes from

Peter Palfrader [Sat, 7 Sep 2019 22:06:34 +0000 (00:06 +0200)]
ssh setup for weblog sync

Peter Palfrader [Sat, 7 Sep 2019 22:01:04 +0000 (00:01 +0200)]
switch ssh-keygens to ssh::keygen

Peter Palfrader [Sat, 7 Sep 2019 21:54:40 +0000 (23:54 +0200)]
ssh authkeys: Put hostname in exported ferm rule

Peter Palfrader [Sat, 7 Sep 2019 21:52:16 +0000 (23:52 +0200)]
And maintain the geodnssync authkeys file on the primary in puppet too

Peter Palfrader [Sat, 7 Sep 2019 21:47:46 +0000 (23:47 +0200)]
stop using virtual resources for ferm::rule

They serve no purpose and make it needlessly difficult to properly
deploy exported firewall rules, as they then realize where they
shouldn't.

Peter Palfrader [Sat, 7 Sep 2019 21:29:45 +0000 (23:29 +0200)]
put collect tag into ferm rule name

Peter Palfrader [Sat, 7 Sep 2019 21:25:24 +0000 (23:25 +0200)]
do not hardcode dns primary ssh key for syncing to secondaries

Peter Palfrader [Sat, 7 Sep 2019 21:22:37 +0000 (23:22 +0200)]
ssh::authorized_key_add: warn if the key does not exist

Peter Palfrader [Sat, 7 Sep 2019 21:19:34 +0000 (23:19 +0200)]
Make a roles::dns_geodns

Peter Palfrader [Sat, 7 Sep 2019 21:11:54 +0000 (23:11 +0200)]
Add sshkey for dnsadm