fastly-backend: false
lobos.debian.org:
service-hostname: lobos.security.backend.mirrors.debian.org
- fastly-backend: true
+ fastly-backend: false
onion_v4_address: 212.211.132.250
santoro.debian.org:
fastly-backend: false
if $::kernel == 'Linux' {
include linux
include acpi
- } elsif $::kernel == 'GNU/kFreeBSD' {
- include kfreebsd
}
if $::mta == 'exim4' {
class acpi {
- if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
- if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
- package { 'acpid':
- ensure => purged
- }
+ if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
+ package { 'acpid':
+ ensure => purged
+ }
- package { 'acpi-support-base':
- ensure => purged
- }
- } elsif ($::kvmdomain) {
- package { 'acpid':
- ensure => installed
- }
+ package { 'acpi-support-base':
+ ensure => purged
+ }
+ } elsif ($::kvmdomain) {
+ package { 'acpid':
+ ensure => installed
+ }
- service { 'acpid':
- ensure => running,
- require => Package['acpid'],
- }
+ service { 'acpid':
+ ensure => running,
+ require => Package['acpid'],
+ }
- package { 'acpi-support-base':
- ensure => installed
- }
+ package { 'acpi-support-base':
+ ensure => installed
}
}
}
ENABLED="yes"
# Additional start arguments can be provided here
-# ARGS=""
-<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
-ARGS=""
-<% else -%>
ARGS="-u bacula -k"
-<% end -%>
# Default config file can be changed here
# CONFIG="/etc/bacula/bacula-fd.conf"
},
{
dupload_local_queue_dir => "upload-security",
- dupload_archive_name => "security",
+ dupload_archive_name => "rsync-security",
}
];
$cfg{'rsync-security'} = {
method => "rsync",
login => "buildd-uploader",
- fqdn => "ssh.upload.security.debian.org",
+ fqdn => "ssh.security.upload.debian.org",
incoming => "/srv/security.upload.debian.org/SecurityUploadQueue/",
# files pass on to dinstall on ftp-master which sends emails itself
dinstall_runs => 1,
soriano.debian.org: Francesco Soriano (1548 or 1549 - July 19th, 1621)
storace.debian.org: Stephen Storace (April 4th, 1762 - March 19th, 1796)
suchon.debian.org: Eugen Suchoň (September 25, 1908 - August 5, 1993)
- spontini.debian.org: Gaspare Luigi Pacifico Spontini (November 14th, 1774 - January 24th, 1851)
tate.debian.org: Phyllis Tate (April 6th, 1911 - May 29th, 1987)
tchaikovsky.debian.org: Pyotr Ilyich Tchaikovsky (Пётр Ильич Чайковский) (May 7th, 1840 - November 6th, 1893)
ticharich.debian.org: Zdenka Ticharich (September 26th, 1900 - February 15th, 1979)
- powerpc-unicamp-01.debian.org
- ppc64el-osuosl-01.debian.org
- ppc64el-unicamp-01.debian.org
- - spontini.debian.org
- x86-grnet-01.debian.org
- zandonai.debian.org
- zani.debian.org
# Stuff common to all debian.org servers
#
class debian_org::apt {
- if versioncmp($::lsbmajdistrelease, '7') <= 0 {
- $mungedcodename = $::lsbdistcodename
- } elsif ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
- $mungedcodename = "${::lsbdistcodename}-kfreebsd"
- } else {
- $mungedcodename = $::lsbdistcodename
- }
-
if versioncmp($::lsbmajdistrelease, '8') <= 0 {
$fallbackmirror = 'http://cdn-fastly.deb.debian.org/debian/'
} else {
}
if getfromhash($site::nodeinfo, 'hoster', 'mirror-debian') {
- $mirror = [ getfromhash($site::nodeinfo, 'hoster', 'mirror-debian'), $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
+ $mirror = [ getfromhash($site::nodeinfo, 'hoster', 'mirror-debian'), $fallbackmirror ]
} else {
- $mirror = [ $fallbackmirror, 'http://debian.anycast-test.mirrors.debian.org/debian/' ]
+ $mirror = [ $fallbackmirror ]
}
site::aptrepo { 'debian':
url => $mirror,
- suite => [ $mungedcodename, "${::lsbdistcodename}-backports", "${::lsbdistcodename}-updates" ],
+ suite => [ $::lsbdistcodename, "${::lsbdistcodename}-backports", "${::lsbdistcodename}-updates" ],
components => ['main','contrib','non-free']
}
}
} else {
site::aptrepo { 'security':
- url => [ 'http://security-cdn.debian.org/', 'http://security.anycast-test.mirrors.debian.org/debian-security/', 'http://security.debian.org/' ],
- suite => "${mungedcodename}/updates",
+ url => [ 'http://security-cdn.debian.org/', 'http://security.debian.org/' ],
+ suite => "${::lsbdistcodename}/updates",
components => ['main','contrib','non-free']
}
}
key => 'puppet:///modules/debian_org/db.debian.org.gpg',
}
- if ($::hostname in [] or $::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
+ if ($::hostname in []) {
site::aptrepo { 'proposed-updates':
url => $mirror,
- suite => "${mungedcodename}-proposed-updates",
+ suite => "${::lsbdistcodename}-proposed-updates",
components => ['main','contrib','non-free']
}
} else {
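Review bot: The condition `if ($::hostname in [])` left by this change can never be true, so the `proposed-updates` repository branch is unreachable on every host. If the empty list is kept as a deliberate opt-in slot, say so with a comment such as `# hosts that should track proposed-updates; empty on purpose`; otherwise the branch can be dropped. The `else` arm continues outside the hunk, so what it declares instead is not visible here.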
mkswap /dev/dasdc1 && swapon -p 30 /dev/dasdc1
fi
<%- end -%>
-<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
- ( sleep 120;
- service syslog-ng restart;
- sleep 5;
- init q
- ) & disown
-<%- end -%>
if [ -e /proc/sys/kernel/modules_disabled ]; then
( sleep 60;
+++ /dev/null
-class kfreebsd {
-
- file { '/etc/cron.d/dsa-killruby':
- source => 'puppet:///modules/kfreebsd/dsa-killruby',
- }
-
- file { '/etc/sysctl.d/':
- ensure => directory,
- mode => '0755'
- }
-
- file { '/etc/init.d/procps':
- source => 'puppet:///modules/kfreebsd/procps.init',
- mode => '0555',
- before => Service['procps'],
- notify => Exec['update-rc.d procps defaults']
- }
-
- site::sysctl { 'maxfiles':
- key => 'kern.maxfiles',
- value => 65536,
- target => 'GNU/kFreeBSD',
- }
- site::sysctl { 'accept_ra':
- key => 'net.inet6.ip6.accept_rtadv',
- value => 0,
- target => 'GNU/kFreeBSD',
- }
-
- exec { 'update-rc.d procps defaults':
- path => '/usr/bin:/usr/sbin:/bin:/sbin',
- refreshonly => true,
- }
-}
# filter out all the short-lived filesystems for df*:
[df*]
env.exclude_re ^/dev$ ^/run/.*$ ^/srv/piuparts-workspace/tmp.*$ ^/sys/.*$ ^/var/lib/schroot/mount/.*$
-
-<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
-# Workaround for https://bugs.debian.org/767102
-[df*]
-env.exclude devfs fdescfs linprocfs sysfs noprocfs linsysfs nfs nullfs
-<% end %>
+++ /dev/null
-Use common-debian-service-https-redirect * planet-master.debian.org
-<VirtualHost *:443>
- ServerName planet-master.debian.org
- ServerAdmin debian-admin@lists.debian.org
-
- Use common-debian-service-ssl planet-master.debian.org
- Use common-ssl-HSTS
-
- <IfModule mod_userdir.c>
- UserDir disabled
- </IfModule>
- ErrorLog ${APACHE_LOG_DIR}/planet-master.debian.org-error.log
- CustomLog ${APACHE_LOG_DIR}/planet-master.debian.org-access.log privacy
- ServerSignature On
-
- DocumentRoot /srv/planet.debian.org/www
- <Directory /srv/planet.debian.org/www>
- Use DebianHostList
- </Directory>
-</VirtualHost>
allowed="${allowed_rsyncs[$cmd_idx]}"
if [ "$*" = "$allowed" ]; then
info "Running for host $remote_host: rsync $*"
- exec rsync "$@"
+ exec rsync --chmod=F640 "$@"
croak "Exec failed"
fi
done
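Review bot: The forced `--chmod=F640` is added with no comment saying why, and the `F` prefix covers regular files only, so directory modes in the transfer are left as the sender supplies them. Inserting the option after the `"$*" = "$allowed"` comparison is right, because the allow-list keeps matching the client's unmodified command line. I would add `# force 0640 on transferred files regardless of sender permissions; directories are not covered` above the `exec`, and a `D` rule as well if directory modes matter for these targets. The surrounding loop starts outside the hunk.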
class roles::planet_master {
include apache2::ssl
apache2::config { 'puppet-debianhosts':
- content => template('roles/conf-debianhostlist.erb'),
+ ensure => 'absent',
}
apache2::site { 'planet-master.debian.org':
- source => 'puppet:///modules/roles/planet_master/planet-master.debian.org',
+ content => template('roles/planet_master/planet-master.debian.org.erb')
}
ssl::service { 'planet-master.debian.org':
notify => Exec['service apache2 reload'],
rsync::site { 'snapshot-farm':
content => template('roles/snapshot/rsyncd.conf.erb'),
}
+
+ ensure_packages ( ["build-essential", "python-dev", "libssl-dev"], { ensure => 'installed' })
}
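Review bot: The added `ensure_packages` call puts a compiler toolchain and development headers on the snapshot-farm hosts without saying what needs them. Build tools on a production service host widen what is available to anyone who gains a foothold there, so this deserves at least a comment naming the consumer, e.g. `# needed to build <component> locally on the farm nodes`, or a prebuilt artefact shipped from a build host instead. The enclosing class starts outside the hunk.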
include apache2::ssl
apache2::module { 'include': }
apache2::module { 'geoip': require => [Package['libapache2-mod-geoip'], Package['geoip-database']]; }
+ apache2::module { 'deflate': }
+ apache2::module { 'filter': }
file { '/usr/local/bin/static-mirror-run':
source => 'puppet:///modules/roles/static-mirroring/static-mirror-run',
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+Use common-debian-service-https-redirect * planet-master.debian.org
+<VirtualHost *:443>
+ ServerName planet-master.debian.org
+ ServerAdmin debian-admin@lists.debian.org
+
+ Use common-debian-service-ssl planet-master.debian.org
+ Use common-ssl-HSTS
+
+ <IfModule mod_userdir.c>
+ UserDir disabled
+ </IfModule>
+ ErrorLog ${APACHE_LOG_DIR}/planet-master.debian.org-error.log
+ CustomLog ${APACHE_LOG_DIR}/planet-master.debian.org-access.log privacy
+ ServerSignature On
+
+ DocumentRoot /srv/planet.debian.org/www
+ <Directory /srv/planet.debian.org/www>
+ # Localhost
+ Require ip ::1
+ Require ip 127.0.0.1
+<%=
+ lines = []
+ roles = scope.lookupvar('site::roles')
+ roles['planet_master'].each do |node|
+ lines << "\t\t# #{scope.lookupvar('site::allnodeinfo')[node]['hostname'][0]}"
+ scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |addr|
+ lines << "\t\tRequire ip #{addr}"
+ end
+ end
+ lines.join("\n")
+# vim:set et:
+# vim:set sts=2 ts=2:
+# vim:set shiftwidth=2:
+%>
+ </Directory>
+</VirtualHost>
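Review bot: The `Require ip #{addr}` lines are written from `ipHostNumber` exactly as stored in the node data, so a malformed or multi-token value lands verbatim in the vhost's access rule. Parsing each value first, e.g. `require 'ipaddr'` at the top of the ERB block and `IPAddr.new(addr)` before the `lines <<`, makes a bad entry fail the catalog compile instead of reaching Apache. `ServerSignature On` is carried over from the removed static file and could be turned off in the same pass, since it advertises server details on error pages.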
AddEncoding x-gzip .gz
AddType text/plain .log
- <IfModule mod_userdir.c>
- AddOutputFilterByType DEFLATE image/svg+xml
- AddOutputFilterByType DEFLATE text/plain
- </IfModule>
+ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css image/svg+xml
</Directory>
<Directory /srv/static.debian.org/mirrors/lintian.debian.org/cur/resources>
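Review bot: `AddOutputFilterByType DEFLATE …` is now unconditional, so under Apache 2.4 this configuration fails to load if `mod_deflate` or `mod_filter` is missing, and the `apache2::module { 'deflate': }` and `apache2::module { 'filter': }` declarations that guarantee them live in a separate manifest. The removed guard tested `mod_userdir.c`, which is unrelated to compression, so dropping it is reasonable. A one-line comment such as `# needs mod_deflate and mod_filter, both enabled via puppet` above the directive would keep that dependency visible to whoever edits the vhost next.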
+++ /dev/null
-#!/bin/bash
-
-# if a client goes away on socket activated connections before systemd launches
-# the process, things go sad and result in failed services.
-#
-# cf. https://github.com/systemd/systemd/issues/7172
-#
-# should be fixed in buster and newer, but for now clean those up.
-
-systemctl --failed --no-legend | awk '{print $1}' | \
- while read service; do
- if [[ $service =~ ^rsyncd-[a-z]*@.*\.service$ ]]; then
- systemctl reset-failed "$service"
- fi
-done
}
file { '/usr/local/sbin/systemd-cleanup-failed-rsyncs':
- source => 'puppet:///modules/rsync/systemd-cleanup-failed-rsyncs',
- mode => '0555',
- }
- file { '/etc/cron.d/puppet-crazy-multipath-restart': ensure => absent, }
- concat::fragment { 'dsa-puppet-stuff--systemd-cleanup-failed-rsyncs':
- target => '/etc/cron.d/dsa-puppet-stuff',
- content => @("EOF"),
- */10 * * * * root /usr/local/sbin/systemd-cleanup-failed-rsyncs
- | EOF
+ ensure => absent,
}
}
[ -n "${debian_mirror}" ] && domirror "${debian_mirror} ${SUITE_BASE} COMPONENT" ${APT_LIST}
domirror "http://ftp.debian.org/debian ${SUITE_BASE} COMPONENT" ${APT_LIST}
[ -n "${security_mirror}" ] && domirror "${security_mirror} ${SUITE_BASE}/updates COMPONENT" ${APT_LIST}
- domirror "http://security-master.debian.org/debian-security ${SUITE_BASE}/updates COMPONENT" ${APT_LIST}
- domirror "http://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates COMPONENT" ${APT_LIST}
+ domirror "https://security-master.debian.org/debian-security ${SUITE_BASE}/updates COMPONENT" ${APT_LIST}
+ domirror "https://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates COMPONENT" ${APT_LIST}
elif [ "${SUITE_VARIANT%%-sloppy}" = 'backports' ]; then
# Hack: for kfreebsd-* the base suite for jessie-backports and jessie-backports-sloppy is jessie-kfreebsd (and not jessie)
echo deb ${security_mirror} ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
echo deb-src ${security_mirror} ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
fi
- echo deb http://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
- echo deb-src http://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
- echo deb http://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
- echo deb-src http://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
+ echo deb https://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
+ echo deb-src https://security-master.debian.org/debian-security ${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
+ echo deb https://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
+ echo deb-src https://security-master.debian.org/debian-security-buildd buildd-${SUITE_BASE}/updates main contrib >> ${APT_LIST_AUTO}
elif [ ${SUITE_VARIANT%%-sloppy} = 'backports' ]; then
: > ${APT_LIST_AUTO}
if [ -n "${debian_mirror}" ]; then
amd64|i386|armel|armhf)
echo "sid buster stretch jessie wheezy"
;;
- kfreebsd-*)
- echo "sid jessie"
- ;;
mips64el)
echo "sid buster stretch"
;;
powerpc)
echo "sid jessie"
;;
- ppc64)
- echo "sid"
- ;;
*)
echo "sid buster stretch jessie"
;;
[ -z "$bare" ] && [ -z "$ubuntu" ] && chroot "$rootdir" apt-get install -y --no-install-recommends locales-all
chroot "$rootdir" apt-get install -y --no-install-recommends build-essential
[ -z "$bare" ] && chroot "$rootdir" apt-get install -y --no-install-recommends zsh less vim fakeroot devscripts gdb
+if [ -n "$buildd" ] ; then
+ case "$suite" in
+ wheezy|jessie|stretch)
+ chroot "$rootdir" apt-get install -y --no-install-recommends apt-transport-https ca-certificates
+ ;;
+ *)
+ chroot "$rootdir" apt-get install -y --no-install-recommends ca-certificates
+ ;;
+ esac
+fi
rm -f "$rootdir/etc/apt/sources.list" "$rootdir/etc/apt/sources.list.d/*"
chroot "$rootdir" apt-get clean
umount "$rootdir/dev" 2>/dev/null || true
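Review bot: The added `case "$suite"` encodes an apt version boundary without saying so: `apt-transport-https` is a separate package only where apt is older than 1.5, which is why `wheezy|jessie|stretch` are listed. A comment like `# apt < 1.5 has no built-in https method` above the `case` would stop the list from being extended blindly. Both installs are also gated on `$buildd`, so a non-buildd chroot that is later pointed at an `https://` source would lack `ca-certificates`; that may be intended, but it cannot be confirmed from this hunk.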
#
# <file system> <mount point> <type> <options> <dump> <pass>
-<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
-# kFreeBSD version
-proc /proc linprocfs defaults 0 0
-dev /dev devfs rw 0 0
-dev /dev/fd fdescfs rw 0 0
-
-/srv/build-trees /build nullfs rw 0 0
-<% else -%>
# Linux version
/proc /proc none rw,bind 0 0
/sys /sys none rw,bind 0 0
<%- if has_variable?("has_srv_build_trees") && @has_srv_build_trees -%>
/srv/build-trees /build none rw,bind 0 0
-
-<% end %>
<% end %>
#
# <file system> <mount point> <type> <options> <dump> <pass>
-<% if scope.lookupvar('site::nodeinfo')['ldap'].has_key?('architecture') and scope.lookupvar('site::nodeinfo')['ldap']['architecture'][0].start_with?('kfreebsd') -%>
-# kFreeBSD version
-proc /proc linprocfs defaults 0 0
-dev /dev devfs rw 0 0
-dev /dev/fd fdescfs rw 0 0
-/home /home nullfs rw 0 0
-/tmp /tmp nullfs rw 0 0
-
-<% else -%>
# Linux version
/proc /proc none rw,bind 0 0
/sys /sys none rw,bind 0 0
/home /home none rw,bind 0 0
/tmp /tmp none rw,bind 0 0
tmpfs-shm /dev/shm tmpfs defaults,size=64m 0 0
-
-<% end %>
%zivit-admins ZIVITHOSTS=(ALL) NOPASSWD: ALL
# nagios
-nagios ALL=(ALL) NOPASSWD: /bin/systemctl is-system-running
nagios MQ_HOSTS=(rabbitmq) NOPASSWD: /usr/sbin/rabbitmqctl list_queues -p dsa name messages consumers
nagios ALL=(ALL) NOPASSWD: /usr/sbin/service ekeyd-egd-linux restart
nagios ALL=(ALL) NOPASSWD: /usr/sbin/service samhain restart
nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-filesystems ""
nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-libs --ignore-younger=1h
nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-stunnel-sanity ""
+nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-systemd-services ""
nagios handel=(puppet) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-cert-expire /var/lib/puppet/ssl/certs/ca.pem
# with smartarray controllers
nagios ALL=(ALL) NOPASSWD: /sbin/hpasmcli ""
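Review bot: The added rule lets `nagios` run the whole `dsa-check-systemd-services` plugin as any user, where the removed rule allowed only the fixed query `systemctl is-system-running`. The trailing `""` correctly forbids arguments, but the privilege now rests on the plugin file itself: it and its parent directories need to be root-owned and not writable by `nagios`, which this hunk cannot show. If the check only needs root, `(root)` instead of `(ALL)` would narrow the runas target, though that departs from the neighbouring entries.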
--- /dev/null
+#!/bin/bash
+
+# if a client goes away on socket activated connections before systemd launches
+# the process, things go sad and result in failed services.
+#
+# cf. https://github.com/systemd/systemd/issues/7172
+#
+# should be fixed in buster and newer, but for now clean those up.
+
+systemctl --failed --no-legend | awk '{print $1}' | \
+ while read service; do
+ if [[ $service =~ ^rsyncd-[a-z]*@.*\.service$ ]] ||
+ [[ $service =~ ^session-[0-9]+\.scope$ ]]; then
+ systemctl reset-failed "$service"
+ fi
+done
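Review bot: Extending the match to `^session-[0-9]+\.scope$` means failed session scopes are now cleared silently on each run, so anything that reports failed units never sees them. Logging before the reset, e.g. `logger -t systemd-cleanup-failed "reset-failed $service"` ahead of `systemctl reset-failed`, keeps a trail for later review. Separately, newer systemd releases can prefix failed units with a status glyph even under `--no-legend`, which would make `awk '{print $1}'` return the glyph rather than the unit name; adding `--plain` and using `read -r` avoids that.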
}
}
+ file { '/usr/local/sbin/systemd-cleanup-failed':
+ source => 'puppet:///modules/systemd/systemd-cleanup-failed',
+ mode => '0555',
+ }
+ concat::fragment { 'dsa-puppet-stuff--systemd-cleanup-failed':
+ target => '/etc/cron.d/dsa-puppet-stuff',
+ content => @("EOF"),
+ */10 * * * * root /usr/local/sbin/systemd-cleanup-failed
+ | EOF
+ }
}