fastly-backend: false
lobos.debian.org:
service-hostname: lobos.security.backend.mirrors.debian.org
- fastly-backend: true
+ fastly-backend: false
onion_v4_address: 212.211.132.250
santoro.debian.org:
fastly-backend: false
},
{
dupload_local_queue_dir => "upload-security",
- dupload_archive_name => "security",
+ dupload_archive_name => "rsync-security",
}
];
$cfg{'rsync-security'} = {
method => "rsync",
login => "buildd-uploader",
- fqdn => "ssh.upload.security.debian.org",
+ fqdn => "ssh.security.upload.debian.org",
incoming => "/srv/security.upload.debian.org/SecurityUploadQueue/",
# files pass on to dinstall on ftp-master which sends emails itself
dinstall_runs => 1,
+++ /dev/null
-Use common-debian-service-https-redirect * planet-master.debian.org
-<VirtualHost *:443>
- ServerName planet-master.debian.org
- ServerAdmin debian-admin@lists.debian.org
-
- Use common-debian-service-ssl planet-master.debian.org
- Use common-ssl-HSTS
-
- <IfModule mod_userdir.c>
- UserDir disabled
- </IfModule>
- ErrorLog ${APACHE_LOG_DIR}/planet-master.debian.org-error.log
- CustomLog ${APACHE_LOG_DIR}/planet-master.debian.org-access.log privacy
- ServerSignature On
-
- DocumentRoot /srv/planet.debian.org/www
- <Directory /srv/planet.debian.org/www>
- Use DebianHostList
- </Directory>
-</VirtualHost>
allowed="${allowed_rsyncs[$cmd_idx]}"
if [ "$*" = "$allowed" ]; then
info "Running for host $remote_host: rsync $*"
- exec rsync "$@"
+ exec rsync --chmod=F640 "$@"
croak "Exec failed"
fi
done
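Review bot: The `info` line directly above the changed `exec` still logs `rsync $*`, so the log no longer shows the command that is actually run now that `--chmod=F640` is prepended. Logging the effective command, `info "Running for host $remote_host: rsync --chmod=F640 $*"`, keeps the audit trail accurate. A short comment such as `# force mode 0640 on transferred files, independent of what the peer requests` would record why the option is injected here instead of being part of the allowed command list. Whether the option takes effect presumably depends on which side of the transfer this wrapper serves, so that is worth confirming. The enclosing loop starts outside the hunk.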
class roles::planet_master {
include apache2::ssl
apache2::config { 'puppet-debianhosts':
- content => template('roles/conf-debianhostlist.erb'),
+ ensure => 'absent',
}
apache2::site { 'planet-master.debian.org':
- source => 'puppet:///modules/roles/planet_master/planet-master.debian.org',
+ content => template('roles/planet_master/planet-master.debian.org.erb')
}
ssl::service { 'planet-master.debian.org':
notify => Exec['service apache2 reload'],
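Review bot: Setting `apache2::config { 'puppet-debianhosts':` to `ensure => 'absent'` removes the configuration that the old vhost consumed through `Use DebianHostList`, and nothing in the hunk shows that no other site on a planet_master host still uses that macro. If one does, Apache would presumably fail its config test on the next reload, so this is worth confirming; a comment like `# DebianHostList is no longer used here; the allow list is generated in the site template` would document the removal. As a style point, the new `content => template('roles/planet_master/planet-master.debian.org.erb')` line lacks the trailing comma that the added `ensure => 'absent',` line carries. The class body continues past the end of the hunk.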
include apache2::ssl
apache2::module { 'include': }
apache2::module { 'geoip': require => [Package['libapache2-mod-geoip'], Package['geoip-database']]; }
+ apache2::module { 'deflate': }
+ apache2::module { 'filter': }
file { '/usr/local/bin/static-mirror-run':
source => 'puppet:///modules/roles/static-mirroring/static-mirror-run',
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+Use common-debian-service-https-redirect * planet-master.debian.org
+<VirtualHost *:443>
+ ServerName planet-master.debian.org
+ ServerAdmin debian-admin@lists.debian.org
+
+ Use common-debian-service-ssl planet-master.debian.org
+ Use common-ssl-HSTS
+
+ <IfModule mod_userdir.c>
+ UserDir disabled
+ </IfModule>
+ ErrorLog ${APACHE_LOG_DIR}/planet-master.debian.org-error.log
+ CustomLog ${APACHE_LOG_DIR}/planet-master.debian.org-access.log privacy
+ ServerSignature On
+
+ DocumentRoot /srv/planet.debian.org/www
+ <Directory /srv/planet.debian.org/www>
+ # Localhost
+ Require ip ::1
+ Require ip 127.0.0.1
+<%=
+ lines = []
+ roles = scope.lookupvar('site::roles')
+ roles['planet_master'].each do |node|
+ lines << "\t\t# #{scope.lookupvar('site::allnodeinfo')[node]['hostname'][0]}"
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |addr|
+ lines << "\t\tRequire ip #{addr}"
+ end
+ end
+ lines.join("\n")
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
+%>
+ </Directory>
+</VirtualHost>
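Review bot: The allow list inside `<Directory /srv/planet.debian.org/www>` is now generated from `site::roles` and `site::allnodeinfo`, but the template never states that it is meant to admit only localhost plus the nodes holding the planet_master role, in place of the former `Use DebianHostList`. A comment above `Require ip ::1`, such as `# Access limited to localhost and the planet_master nodes (addresses from site::allnodeinfo)`, would make the intended access policy reviewable in the rendered config. `scope.lookupvar('site::allnodeinfo')` is also evaluated twice per node; assigning it once before the loop, `allnodeinfo = scope.lookupvar('site::allnodeinfo')`, reads more clearly. If `roles['planet_master']` were ever missing, the template would fail on `nil.each` at compile time, which fails closed but with an unhelpful message.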
AddEncoding x-gzip .gz
AddType text/plain .log
- <IfModule mod_userdir.c>
- AddOutputFilterByType DEFLATE image/svg+xml
- AddOutputFilterByType DEFLATE text/plain
- </IfModule>
+ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css image/svg+xml
</Directory>
<Directory /srv/static.debian.org/mirrors/lintian.debian.org/cur/resources>
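Review bot: `AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css image/svg+xml` is now unconditional, so this configuration only loads when the modules providing that directive and the DEFLATE filter are enabled. The removed `<IfModule mod_userdir.c>` guard tested an unrelated module, but dropping it entirely makes the site depend on the `deflate` and `filter` modules, which are presumably the ones enabled by the `apache2::module` lines added elsewhere in this commit. Either use a guard that names the right module, `<IfModule mod_deflate.c>`, or state the dependency in a comment such as `# requires mod_deflate and mod_filter, enabled via Puppet`. The surrounding `<Directory>` block starts outside the hunk.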
[ -n "${debian_mirror}" ] && domirror "${debian_mirror} ${SUITE_BASE} COMPONENT" ${APT_LIST}
domirror "http://ftp.debian.org/debian ${SUITE_BASE} COMPONENT" ${APT_LIST}
[ -n "${security_mirror}" ] && domirror "${security_mirror} ${SUITE_BASE}/updates COMPONENT" ${APT_LIST}
- domirror "http://security-master.debian.org/debian-security ${SUITE_BASE}/updates COMPONENT" ${APT_LIST}
- domirror "http://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates COMPONENT" ${APT_LIST}
+ domirror "https://security-master.debian.org/debian-security ${SUITE_BASE}/updates COMPONENT" ${APT_LIST}
+ domirror "https://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates COMPONENT" ${APT_LIST}
elif [ "${SUITE_VARIANT%%-sloppy}" = 'backports' ]; then
# Hack: for kfreebsd-* the base suite for jessie-backports and jessie-backports-sloppy is jessie-kfreebsd (and not jessie)
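Review bot: Moving the two `domirror` lines here, and the four `echo deb`/`echo deb-src` lines in the following hunk, to `https://security-master.debian.org` makes these sources depend on HTTPS transport support and a CA bundle inside the chroot, and neither hunk says so. A comment above them, for example `# https sources: the chroot needs ca-certificates (and apt-transport-https on older suites)`, would tie the URLs to that requirement. The base URL is now spelled out six times across the two hunks; a single variable, `security_master="https://security-master.debian.org"`, would keep the scheme in one place. The enclosing if/elif chain starts and ends outside the hunk.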
echo deb ${security_mirror} ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
echo deb-src ${security_mirror} ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
fi
- echo deb http://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
- echo deb-src http://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
- echo deb http://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
- echo deb-src http://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
+ echo deb https://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
+ echo deb-src https://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
+ echo deb https://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
+ echo deb-src https://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
elif [ ${SUITE_VARIANT%%-sloppy} = 'backports' ]; then
: > ${APT_LIST_AUTO}
if [ -n "${debian_mirror}" ]; then
if [ -n "$buildd" ] ; then
case "$suite" in
wheezy|jessie|stretch)
- chroot "$rootdir" apt-get install -y --no-install-recommends apt-transport-https
+ chroot "$rootdir" apt-get install -y --no-install-recommends apt-transport-https ca-certificates
;;
*)
- # Nothing to do, https support is part of the apt package
+ chroot "$rootdir" apt-get install -y --no-install-recommends ca-certificates
;;
esac
fi