* 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet: (32 commits)
Do not use sslname empty string for no ssl
Make scores of webserver related templates compile
Fix historical mirror apache template
make order a string
fix torrc-header tempate
fix rsync site module
if we do not have specific binds, we use the empty string to signal that
Fix stunnel template
Attempt to fix version comparisons
Fix munin::conf for new puppet
Fix schroot-buildd/fstab.erb template
Remove wheezy support in schroot files
Remove wheezy support in buildd files
Make concat::fragment order parameter be a string
buildd: fix lsbmajdistrelease calls
fix template
fix two templates
fix two templates
rename nfs-server to nfs_server
remove rng-tools without hwrandom
...
include grub
include multipath
include popcon
+ include portforwarder
+ include postgres
+
if $::lsbdistcodename == squeeze {
include roles::udldap::client
} else {
}
if $::hostname in [buxtehude,milanollo,lw01,lw02,lw03,lw04,senfter,gretchaninov] {
- include nfs-server
+ include nfs_server
}
if $::brokenhosts {
include hosts
}
- if $::portforwarder_user_exists {
- include portforwarder
- }
-
if $::samhain {
include samhain
}
include debian_org::radvd
}
- if ($::postgres) {
- include postgres
- }
-
if $::spamd {
munin::check { 'spamassassin': }
}
class acpi {
if ! ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
- if ($::lsbmajdistrelease >= '8') {
+ if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
package { 'acpid':
ensure => purged
}
apache2::module { 'mpm_prefork': ensure => absent }
apache2::module { 'mpm_worker': }
}
- if $::lsbmajdistrelease > '7' {
+ if versioncmp($::lsbmajdistrelease, '7') > 0 {
file { '/etc/apache2/mods-available/mpm_worker.conf':
content => template('apache2/mpm_worker.erb'),
}
}
}
- if $::lsbmajdistrelease <= '7' {
+ if versioncmp($::lsbmajdistrelease, '7') <= 0 {
$symlink = "/etc/apache2/sites-enabled/${name}"
} else {
$symlink = "/etc/apache2/sites-enabled/${name}.conf"
CustomLog /var/log/apache2/access.log privacy
DocumentRoot /srv/www/default.debian.org/htdocs
- <% if @lsbmajdistrelease > '7' -%>
+ <% if scope.call_function('versioncmp', [@lsbmajdistrelease, '7']) > 0 -%>
<Directory /srv/www/default.debian.org/htdocs>
Require all granted
</Directory>
# this is a list that seems suitable as of 2014-10, when running wheezy. It
# probably requires re-visiting regularly.
- <% if @lsbmajdistrelease <= '7' -%>
+ <% if scope.call_function('versioncmp', [@lsbmajdistrelease, '7']) <= 0 -%>
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!SEED:!DSS
<% else -%>
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!SEED:!DSS
<% end -%>
- <%- if has_variable?("apache2deb9") && @apache2deb9 == "true" -%>
+ <%- if has_variable?("apache2deb9") && @apache2deb9 -%>
SSLUseStapling On
# the default size is 32k, but we make it 1M.
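Review bot: The cipher list selected by the rewritten versioncmp guard for releases newer than 7 (the unchanged line in the else branch) still offers 3DES (`ECDH+3DES`, `DH+3DES`, `RSA+3DES`) and non-forward-secret `RSA+AES`/`RSA+3DES` key exchange, and the comment above still dates the list to 2014-10 on wheezy even though this merge is retiring wheezy support elsewhere. 3DES's 64-bit block size makes it a Sweet32 target, so I would drop the three 3DES entries and append an explicit exclusion, e.g. `SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!SEED:!DSS:!3DES`, and refresh the date in the comment. The enclosing vhost/SSL block starts and ends outside this hunk.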
require => Package['bacula-fd'],
notify => Service['bacula-fd'],
}
- if ($::lsbmajdistrelease >= '9' and $systemd) {
+ if (versioncmp($::lsbmajdistrelease, '9') >= 0 and $systemd) {
file { '/etc/systemd/system/bacula-fd.service.d':
ensure => directory,
mode => '0755',
+++ /dev/null
-#!/usr/bin/python
-
-# kills aptitude processes that eat an excessive amount of resources
-
-# Copyright 2013 Peter Palfrader
-#
-# Permission is hereby granted, free of charge, to any person obtaining
-# a copy of this software and associated documentation files (the
-# "Software"), to deal in the Software without restriction, including
-# without limitation the rights to use, copy, modify, merge, publish,
-# distribute, sublicense, and/or sell copies of the Software, and to
-# permit persons to whom the Software is furnished to do so, subject to
-# the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-import os
-import errno
-import sys
-try:
- import psutil
-except OSError, e:
- # XXX: This is a hack, but since we are run from cron, it's
- # better to handle this on the next run than to send mail.
- if e.errno == errno.ENOENT:
- sys.exit(0)
-
-total_mem = psutil.phymem_usage().total
-cutoff_time = 60*10
-
-for p in psutil.process_iter():
- try:
- if p.name != 'aptitude': continue
- parent = p.parent
- if parent is None: continue
- if parent.name != 'schroot': continue
- #
- try:
- rootdir = os.readlink('/proc/%d/root'%(p.pid,))
- except OSError as e:
- if e.errno == errno.ENOENT:
- continue
- else:
- raise e
- if not rootdir.startswith('/var/lib/schroot/mount'): continue
- #
- used = p.get_memory_info().vms
- if used < total_mem: continue
- #
- cputime = p.get_cpu_times().user
- if cputime < cutoff_time: continue
- #
- p.kill()
- except psutil.error.NoSuchProcess:
- pass
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-1;
source => 'puppet:///modules/buildd/buildd.conf',
require => Package['buildd'],
}
- if ($::lsbmajdistrelease >= 8) {
- file { '/etc/sbuild/sbuild.conf':
- source => 'puppet:///modules/buildd/sbuild.conf',
- require => Package['sbuild'],
- }
- } else {
- file { '/etc/sbuild/sbuild.conf':
- source => 'puppet:///modules/buildd/sbuild.conf.wheezy',
- require => Package['sbuild'],
- }
+ file { '/etc/sbuild/sbuild.conf':
+ source => 'puppet:///modules/buildd/sbuild.conf',
+ require => Package['sbuild'],
}
include ferm::ftp_conntrack
}
package { 'python-psutil':
ensure => installed,
}
- if ($::lsbmajdistrelease >= 8) {
- file { '/usr/local/sbin/buildd-schroot-aptitude-kill':
- source => 'puppet:///modules/buildd/buildd-schroot-aptitude-kill',
- mode => '0555',
- }
- } else {
- file { '/usr/local/sbin/buildd-schroot-aptitude-kill':
- source => 'puppet:///modules/buildd/buildd-schroot-aptitude-kill.wheezy',
- mode => '0555',
- }
+ file { '/usr/local/sbin/buildd-schroot-aptitude-kill':
+ source => 'puppet:///modules/buildd/buildd-schroot-aptitude-kill',
+ mode => '0555',
}
} else {
file { '/usr/local/sbin/buildd-schroot-aptitude-kill':
# Stuff common to all debian.org servers
#
class debian_org::apt {
- if $::lsbmajdistrelease <= '7' {
+ if versioncmp($::lsbmajdistrelease, '7') <= 0 {
$mungedcodename = $::lsbdistcodename
} elsif ($::debarchitecture in ['kfreebsd-amd64', 'kfreebsd-i386']) {
$mungedcodename = "${::lsbdistcodename}-kfreebsd"
$mungedcodename = $::lsbdistcodename
}
- if $::lsbmajdistrelease <= '8' {
+ if versioncmp($::lsbmajdistrelease, '8') <= 0 {
$fallbackmirror = 'http://cdn-fastly.deb.debian.org/debian/'
} else {
$fallbackmirror = 'http://deb.debian.org/debian/'
source => 'puppet:///modules/debian_org/basic-ssh_known_hosts'
}
- if ($::lsbmajdistrelease >= '8') {
+ if versioncmp($::lsbmajdistrelease, '8') >= 0 {
$rubyfs_package = 'ruby-filesystem'
} else {
$rubyfs_package = 'libfilesystem-ruby1.9'
}
file { '/etc/puppet/puppet.conf':
content => template('debian_org/puppet.conf.erb'),
- mode => 0440,
+ mode => '0440',
group => 'puppet',
}
file { '/etc/default/puppet':
}
file { '/etc/systemd':
ensure => directory,
- mode => 0755,
+ mode => '0755',
}
file { '/etc/systemd/system':
ensure => directory,
- mode => 0755,
+ mode => '0755',
}
file { '/etc/systemd/system/ud-replicated.service':
ensure => $servicefiles,
SHELL=/bin/bash
@hourly root [ ! -d /var/cache/dsa ] || touch /var/cache/dsa/cron.alive
-<% if @lsbmajdistrelease <= '7' -%>
+<% if scope.call_function('versioncmp', [@lsbmajdistrelease, '7']) <= 0 -%>
34 */4 * * * root if [ -x /usr/sbin/puppetd ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/sbin/puppetd -o --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
<% else -%>
34 */4 * * * root if [ -x /usr/bin/puppet ]; then sleep $(( $RANDOM \% 7200 )); if [ -x /usr/bin/timeout ]; then TO="timeout --kill-after=900 3600"; else TO=""; fi; tmp="$(tempfile)"; egrep -v '^(#|$)' /etc/dsa/cron.ignore.dsa-puppet-stuff > "$tmp" && $TO /usr/bin/puppet agent --onetime --no-daemonize 2>&1 | egrep --text -v -f "$tmp"; rm -f "$tmp"; fi
concat::fragment { 'virtual_domain_template':
target => '/etc/exim4/virtualdomains',
content => template('exim/virtualdomains.erb'),
- order => 05,
+ order => '05',
}
service { 'exim4':
concat::fragment { 'virtualdomains_header':
target => '/etc/exim4/virtualdomains',
source => 'puppet:///modules/exim/virtualdomains.header',
- order => 00,
+ order => '00',
}
}
<%- end -%>
queue_list_requires_admin = false
-<%- if has_variable?("clamd") && @clamd == "true" -%>
+<%- if has_variable?("clamd") && @clamd -%>
av_scanner = clamd:/var/run/clamav/clamd.ctl
<%- end -%>
ratelimit = 10 / 60m / per_rcpt / $sender_host_address
message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
-<%- if has_variable?("policydweight") && @policydweight == "true" -%>
+<%- if has_variable?("policydweight") && @policydweight -%>
# Check with policyd-weight - this only works with a version after etch's,
# sadly. etch's version attempts to hold the socket open, since that's what
# postfix expects. Exim, on the other hand, expects the remote side to close
<%- end -%>
-<%- if has_variable?("greylistd") && @greylistd == "true" -%>
+<%- if has_variable?("greylistd") && @greylistd -%>
defer
message = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>.
log_message = greylisted.
$local_part@$domain}\
{5s}{}{false}}
-<%- elsif has_variable?("postgrey") && @postgrey == "true" -%>
+<%- elsif has_variable?("postgrey") && @postgrey -%>
# next three are greylisting, inspired by http://www.bebt.de/blog/debian/archives/2006/07/30/T06_12_27/index.html
# this adds acl_m_grey if there isn't one (so unique per message)
warn
condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
message = Your mailer is not RFC 2047 compliant: message rejected
-<%- if has_variable?("clamd") && @clamd == "true" -%>
+<%- if has_variable?("clamd") && @clamd -%>
discard condition = ${if eq {$acl_m_prf}{blackhole}}
demime = *
malware = */defer_ok
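Review bot: The `@clamd`, `@policydweight`, `@greylistd` and `@postgrey` conditions now rely on Ruby truthiness, which is only correct if those facts reach the template as real booleans; a fact delivered as the string "false" is truthy in Ruby, so it would set `av_scanner` and `malware = */defer_ok` against a clamd that is not running (mail then passes unscanned on every defer) or enable a greylisting ACL that is not configured. If every agent already sends typed facts under the new Puppet this is fine, but a guard that accepts both forms costs nothing, e.g. `<%- if has_variable?("clamd") && (@clamd == true || @clamd == "true") -%>`, applied likewise to the other three tests in this hunk. The enclosing ACL definitions begin and end outside the hunk.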
package { 'ferm':
ensure => installed
}
- if ($::lsbmajdistrelease >= '8') {
+ if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
package { 'ulogd2':
ensure => installed
}
content => template('ferm/interfaces.conf.erb'),
notify => Service['ferm'],
}
- if ($::lsbmajdistrelease >= '8') {
+ if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
augeas { 'logrotate_ulogd2':
context => '/files/etc/logrotate.d/ulogd2',
changes => [
@include 'conf.d/';
-<% if @lsbmajdistrelease >= '8' -%>
+<% if scope.call_function('versioncmp', [@lsbmajdistrelease, '8']) >= 0 -%>
domain (ip ip6) {
table filter {
chain log_and_reject {
if (nodeinfo['ldap'].has_key?('purpose')) then
nodeinfo['ldap']['purpose'].each do |purp|
if restricted_purposes.include?(purp) then
- restrict_ssh << hostname
+ restrict_ssh << @hostname
end
end
end
include hardware::raid::megactl
}
- if $::mptraid {
- include hardware::raid::raidmpt
- }
-
+ include hardware::raid::raidmpt
}
# include hardware::raid::raidmpt
#
class hardware::raid::raidmpt {
+ if $::mptraid {
+ package { 'mpt-status':
+ ensure => installed
+ }
- package { 'mpt-status':
- ensure => installed
- }
+ file { '/etc/default/mpt-statusd':
+ content => "# This file is under puppet control\nRUN_DAEMON=no\n",
+ notify => Exec['mpt-statusd-stop'],
+ }
- file { '/etc/default/mpt-statusd':
- content => "# This file is under puppet control\nRUN_DAEMON=no\n",
- notify => Exec['mpt-statusd-stop'],
- }
+ exec { 'mpt-statusd-stop':
+ command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile"; pkill -INT -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"',
+ refreshonly => true,
+ }
+ } else {
+ package { 'mpt-status':
+ ensure => purged,
+ }
- exec { 'mpt-statusd-stop':
- command => 'pidfile=/var/run/mpt-statusd.pid; ! [ -e "$pidfile" ] || /sbin/start-stop-daemon --oknodo --stop --signal TERM --quiet --pidfile "$pidfile"; rm -f "$pidfile"; pkill -INT -P 1 -u 0 -f "/usr/bin/daemon /etc/init.d/mpt-statusd check_mpt"',
- refreshonly => true,
+ file { '/etc/default/mpt-statusd':
+ ensure => absent,
+ }
}
}
if $::hw_can_temp_sensors {
package { 'lm-sensors': ensure => installed, }
munin::check { 'sensors_temp': script => 'sensors_' }
+ } else {
+ package { 'lm-sensors': ensure => purged, }
+ munin::check { 'sensors_temp': ensure => absent }
}
}
# include monit
#
class monit {
- if $::lsbmajdistrelease <= '7' {
+ if versioncmp($::lsbmajdistrelease, '7') <= 0 {
package { 'monit':
ensure => installed
}
define munin::conf (
$ensure=present,
- $content='',
- $source=''
+ $content=false,
+ $source=false
) {
include munin
when /(storace|backuphost).debian.org/ then ignore << %w{postgresql-client-9.1}
end
-if @lsbmajdistrelease <= '8'
+if scope.call_function('versioncmp', [@lsbmajdistrelease, '8']) <= 0
case @fqdn
when /(acker|aagaard).debian.org/ then ignore << %w{qemu-efi}
end
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-options lockd nlm_udpport=10003 nlm_tcpport=10003
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# If you do not set values for the NEED_ options, they will be attempted
-# autodetected; this should be sufficient for most people. Valid alternatives
-# for the NEED_ options are "yes" and "no".
-
-# Do you want to start the statd daemon? It is not needed for NFSv4.
-NEED_STATD=
-
-# Options for rpc.statd.
-# Should rpc.statd listen on a specific port? This is especially useful
-# when you have a port-based firewall. To use a fixed port, set this
-# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
-# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
-STATDOPTS='--port 10000 -o 10001'
-
-# Do you want to start the idmapd daemon? It is only needed for NFSv4.
-NEED_IDMAPD=
-
-# Do you want to start the gssd daemon? It is required for Kerberos mounts.
-NEED_GSSD=
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# Number of servers to start up
-RPCNFSDCOUNT=8
-
-# Runtime priority of server (see nice(1))
-RPCNFSDPRIORITY=0
-
-# Options for rpc.mountd.
-# If you have a port-based firewall, you might want to set up
-# a fixed port here using the --port option. For more information,
-# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
-RPCMOUNTDOPTS="-p 10002"
-
-# Do you want to start the svcgssd daemon? It is only required for Kerberos
-# exports. Valid alternatives are "yes" and "no"; the default is "no".
-NEED_SVCGSSD=
-
-# Options for rpc.svcgssd.
-RPCSVCGSSDOPTS=
+++ /dev/null
-class nfs-server {
-
- package { [
- 'nfs-common',
- 'nfs-kernel-server'
- ]:
- ensure => installed
- }
-
- service { 'nfs-common':
- hasstatus => false,
- status => '/bin/true',
- }
- service { 'nfs-kernel-server':
- hasstatus => false,
- status => '/bin/true',
- }
-
- case $::hostname {
- lw01,lw02,lw03,lw04: {
- $client_range = '10.0.0.0/8'
- }
- milanollo,senfter: {
- $client_range = '172.29.122.0/24'
- }
- buxtehude: {
- $client_range = '(172.29.40.0/22 206.12.19.126/32)'
- }
- gretchaninov: {
- $client_range = '172.29.40.0/22'
- }
- default: {
- # Better than 0.0.0.0/0 - we really ought to configure a
- # client range for them all instead of exporting to the world.
- $client_range = '127.0.0.0/8'
- }
- }
-
- @ferm::rule { 'dsa-portmap':
- description => 'Allow portmap access',
- rule => "&TCP_UDP_SERVICE_RANGE(111, $client_range)"
- }
- @ferm::rule { 'dsa-nfs':
- description => 'Allow nfsd access',
- rule => "&TCP_UDP_SERVICE_RANGE(2049, $client_range)"
- }
- @ferm::rule { 'dsa-status':
- description => 'Allow statd access',
- rule => "&TCP_UDP_SERVICE_RANGE(10000, $client_range)"
- }
- @ferm::rule { 'dsa-mountd':
- description => 'Allow mountd access',
- rule => "&TCP_UDP_SERVICE_RANGE(10002, $client_range)"
- }
- @ferm::rule { 'dsa-lockd':
- description => 'Allow lockd access',
- rule => "&TCP_UDP_SERVICE_RANGE(10003, $client_range)"
- }
-
- file { '/etc/default/nfs-common':
- source => 'puppet:///modules/nfs-server/nfs-common.default',
- before => Package['nfs-common'],
- notify => Service['nfs-common'],
- }
- file { '/etc/default/nfs-kernel-server':
- source => 'puppet:///modules/nfs-server/nfs-kernel-server.default',
- before => Package['nfs-kernel-server'],
- notify => Service['nfs-kernel-server'],
- }
- file { '/etc/modprobe.d/lockd.local':
- source => 'puppet:///modules/nfs-server/lockd.local.modprobe',
- before => Package['nfs-common'],
- notify => Service['nfs-common'],
- }
-}
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+options lockd nlm_udpport=10003 nlm_tcpport=10003
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+# If you do not set values for the NEED_ options, they will be attempted
+# autodetected; this should be sufficient for most people. Valid alternatives
+# for the NEED_ options are "yes" and "no".
+
+# Do you want to start the statd daemon? It is not needed for NFSv4.
+NEED_STATD=
+
+# Options for rpc.statd.
+# Should rpc.statd listen on a specific port? This is especially useful
+# when you have a port-based firewall. To use a fixed port, set this
+# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
+# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
+STATDOPTS='--port 10000 -o 10001'
+
+# Do you want to start the idmapd daemon? It is only needed for NFSv4.
+NEED_IDMAPD=
+
+# Do you want to start the gssd daemon? It is required for Kerberos mounts.
+NEED_GSSD=
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+# Number of servers to start up
+RPCNFSDCOUNT=8
+
+# Runtime priority of server (see nice(1))
+RPCNFSDPRIORITY=0
+
+# Options for rpc.mountd.
+# If you have a port-based firewall, you might want to set up
+# a fixed port here using the --port option. For more information,
+# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
+RPCMOUNTDOPTS="-p 10002"
+
+# Do you want to start the svcgssd daemon? It is only required for Kerberos
+# exports. Valid alternatives are "yes" and "no"; the default is "no".
+NEED_SVCGSSD=
+
+# Options for rpc.svcgssd.
+RPCSVCGSSDOPTS=
--- /dev/null
+class nfs_server {
+
+ package { [
+ 'nfs-common',
+ 'nfs-kernel-server'
+ ]:
+ ensure => installed
+ }
+
+ service { 'nfs-common':
+ hasstatus => false,
+ status => '/bin/true',
+ }
+ service { 'nfs-kernel-server':
+ hasstatus => false,
+ status => '/bin/true',
+ }
+
+ case $::hostname {
+ lw01,lw02,lw03,lw04: {
+ $client_range = '10.0.0.0/8'
+ }
+ milanollo,senfter: {
+ $client_range = '172.29.122.0/24'
+ }
+ buxtehude: {
+ $client_range = '(172.29.40.0/22 206.12.19.126/32)'
+ }
+ gretchaninov: {
+ $client_range = '172.29.40.0/22'
+ }
+ default: {
+ # Better than 0.0.0.0/0 - we really ought to configure a
+ # client range for them all instead of exporting to the world.
+ $client_range = '127.0.0.0/8'
+ }
+ }
+
+ @ferm::rule { 'dsa-portmap':
+ description => 'Allow portmap access',
+ rule => "&TCP_UDP_SERVICE_RANGE(111, $client_range)"
+ }
+ @ferm::rule { 'dsa-nfs':
+ description => 'Allow nfsd access',
+ rule => "&TCP_UDP_SERVICE_RANGE(2049, $client_range)"
+ }
+ @ferm::rule { 'dsa-status':
+ description => 'Allow statd access',
+ rule => "&TCP_UDP_SERVICE_RANGE(10000, $client_range)"
+ }
+ @ferm::rule { 'dsa-mountd':
+ description => 'Allow mountd access',
+ rule => "&TCP_UDP_SERVICE_RANGE(10002, $client_range)"
+ }
+ @ferm::rule { 'dsa-lockd':
+ description => 'Allow lockd access',
+ rule => "&TCP_UDP_SERVICE_RANGE(10003, $client_range)"
+ }
+
+ file { '/etc/default/nfs-common':
+ source => 'puppet:///modules/nfs_server/nfs-common.default',
+ before => Package['nfs-common'],
+ notify => Service['nfs-common'],
+ }
+ file { '/etc/default/nfs-kernel-server':
+ source => 'puppet:///modules/nfs_server/nfs-kernel-server.default',
+ before => Package['nfs-kernel-server'],
+ notify => Service['nfs-kernel-server'],
+ }
+ file { '/etc/modprobe.d/lockd.local':
+ source => 'puppet:///modules/nfs_server/lockd.local.modprobe',
+ before => Package['nfs-common'],
+ notify => Service['nfs-common'],
+ }
+}
concat::fragment { 'onion::torrc_control_header':
target => "/etc/tor/torrc",
- order => 10,
+ order => '10',
content => "ControlPort 9051\n\n",
}
}
concat::fragment { 'onion::torrc_header':
target => "/etc/tor/torrc",
- order => 05,
+ order => '05',
content => template("onion/torrc-header.erb"),
}
}
concat::fragment { "onion::torrc_onionservice::${name}":
target => "/etc/tor/torrc",
- order => 50,
+ order => '50',
content => "HiddenServiceDir /var/lib/tor/onion/${name}\nHiddenServicePort ${port} ${target_address}:${target_port}\n\n",
}
SocksPort 0
Log notice syslog
-<%- if has_variable?("tor_ge_0_2_9") && tor_ge_0_2_9 == "true" -%>
+<%- if has_variable?("tor_ge_0_2_9") && @tor_ge_0_2_9 -%>
#HiddenServiceSingleHopMode 1
#HiddenServiceNonAnonymousMode 1
<%- end -%>
# do not depend on xinetd, yet. it might uninstall other inetds
# for now this will have to be done manually
- if ! $::portforwarder_key {
- exec { 'create-portforwarder-key':
- command => '/bin/su - portforwarder -c \'mkdir -p -m 02700 .ssh && ssh-keygen -C "`whoami`@`hostname` (`date +%Y-%m-%d`)" -P "" -f .ssh/id_rsa -q\'',
- onlyif => '/usr/bin/getent passwd portforwarder > /dev/null && ! [ -e /home/portforwarder/.ssh/id_rsa ]'
+ if $::portforwarder_user_exists {
+ if ! $::portforwarder_key {
+ exec { 'create-portforwarder-key':
+ command => '/bin/su - portforwarder -c \'mkdir -p -m 02700 .ssh && ssh-keygen -C "`whoami`@`hostname` (`date +%Y-%m-%d`)" -P "" -f .ssh/id_rsa -q\'',
+ onlyif => '/usr/bin/getent passwd portforwarder > /dev/null && ! [ -e /home/portforwarder/.ssh/id_rsa ]'
+ }
}
- }
- file { '/etc/ssh/userkeys/portforwarder':
- content => template('portforwarder/authorized_keys.erb'),
- }
- file { '/etc/xinetd.d':
- ensure => directory,
- owner => root,
- group => root,
- mode => '0755',
- }
- file { '/etc/xinetd.d/dsa-portforwader':
- content => template('portforwarder/xinetd.erb'),
- notify => Exec['service xinetd reload']
- }
+ file { '/etc/ssh/userkeys/portforwarder':
+ content => template('portforwarder/authorized_keys.erb'),
+ }
+ file { '/etc/xinetd.d':
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => '0755',
+ }
+ file { '/etc/xinetd.d/dsa-portforwader':
+ content => template('portforwarder/xinetd.erb'),
+ notify => Exec['service xinetd reload']
+ }
- exec { 'service xinetd reload':
- refreshonly => true,
+ exec { 'service xinetd reload':
+ refreshonly => true,
+ }
+ } else {
+ file { [
+ '/etc/ssh/userkeys/portforwarder',
+ '/etc/xinetd.d/dsa-portforwader',
+ ]:
+ ensure => 'absent',
+ }
}
}
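Review bot: In the new `else` branch `/etc/xinetd.d/dsa-portforwader` is removed but xinetd is never told, because `exec { 'service xinetd reload' }` is only declared inside the `if` branch; a host whose portforwarder user has gone therefore keeps the forwarding service registered in the running xinetd until something else restarts it. I would declare `exec { 'service xinetd reload': refreshonly => true }` once, outside the conditional, and add `notify => Exec['service xinetd reload'],` to the `ensure => 'absent'` file resource. The `create-portforwarder-key` exec is moved unchanged, so the key is still generated with an empty passphrase (`-P ""`), which is presumably intentional for unattended use but worth a one-line comment saying so. The `class portforwarder` header is outside this hunk.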
class postgres {
- munin::check { 'postgres_bgwriter': }
- munin::check { 'postgres_connections_db': }
+ $ensure = ($::postgres) ? {
+ true => 'ensure',
+ default => 'absent'
+ }
+
+ munin::check { 'postgres_bgwriter':
+ ensure => $ensure,
+ }
+ munin::check { 'postgres_connections_db':
+ ensure => $ensure,
+ }
munin::check { 'postgres_cache_ALL':
+ ensure => $ensure,
script => 'postgres_cache_'
}
munin::check { 'postgres_querylength_ALL':
+ ensure => $ensure,
script => 'postgres_querylength_'
}
munin::check { 'postgres_size_ALL':
+ ensure => $ensure,
script => 'postgres_size_'
}
file { '/etc/munin/plugin-conf.d/local-postgres':
+ ensure => $ensure,
source => 'puppet:///modules/postgres/plugin.conf',
}
}
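Review bot: The selector assigns the literal `'ensure'` when `$::postgres` is true, but the value every resource below expects is `'present'`: `munin::check` takes an `ensure` like the `$ensure=present` default on `munin::conf` in this same merge, and for the `file` resource Puppet treats an unrecognised `ensure` value as a symlink target, so `/etc/munin/plugin-conf.d/local-postgres` would be turned into a dangling link named `ensure` on every postgres host instead of receiving `plugin.conf`. Change `true => 'ensure',` to `true => 'present',`. Note also that the selector matches only a Boolean `true`; if any agent still delivers `$::postgres` as the string "true", all checks silently fall to `absent`, so a guard of the form `$::postgres == true or $::postgres == 'true'` may be worth keeping until every agent sends typed facts.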
end
nameservers += @ns
-if @unbound && @unbound == "true"
+if @unbound
nameservers = ['127.0.0.1']
end
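Review bot: `if @unbound` is true for any non-nil, non-false value, including the string "false"; if this fact still arrives as a string from some agents, `nameservers` is overwritten with `['127.0.0.1']` on hosts that have no local unbound and the host loses name resolution entirely. If all agents are on the new Puppet and send typed facts this is fine; otherwise `if @unbound == true || @unbound == "true"` keeps both forms working. The template logic that builds `nameservers` starts before this hunk.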
ensure => running,
require => Package['rng-tools']
}
+ } else {
+ package { 'rng-tools':
+ ensure => purged
+ }
}
}
root => '/srv/ftp.debian.org/ftp.root',
}
- if $bind6 {
+ if $bind6 != '' {
vsftpd::site { 'ftp-v6':
banner => 'ftp.debian.org FTP server',
logfile => '/var/log/ftp/vsftpd-ftp.debian.org.log',
root => '/srv/upload.debian.org/ftp',
}
- if $bind6 {
+ if $bind6 != '' {
vsftpd::site { 'ftp-upload-v6':
banner => 'ftp.upload.debian.org FTP server',
logfile => '/var/log/ftp/vsftpd-ftp.upload.debian.org.log',
tlsaport => [],
}
} else {
- $sslname = ''
+ $sslname = undef
}
rsync::site_systemd { 'archive':
root => '/srv/ports-master.debian.org/ftp.upload',
}
- if $bind6 {
+ if $bind6 != '' {
vsftpd::site { 'ports-master-v6':
banner => 'ports-master.debian.org FTP server',
logfile => '/var/log/ftp/vsftpd-ports-master.debian.org.log',
class roles::postgresql_server {
file { "/usr/local/bin/pg-backup-file":
- mode => 555,
+ mode => '0555',
source => "puppet:///modules/roles/postgresql_server/pg-backup-file",
}
file { "/usr/local/bin/pg-receive-file-from-backup":
- mode => 555,
+ mode => '0555',
source => "puppet:///modules/roles/postgresql_server/pg-receive-file-from-backup",
}
file { "/etc/dsa/pg-backup-file.conf":
$exchange=dsa,
$username=$::fqdn,
$queue=undef,
- $order=00
+ $order='00'
){
include roles::pubsub::config::setup
root => '/srv/ftp.root/',
bind => $ftp_bind,
}
- if ($ftp_bind6) {
+ if ($ftp_bind6 != '') {
vsftpd::site { 'security6':
banner => 'security.debian.org FTP server (vsftpd)',
logfile => '/var/log/ftp/vsftpd-security6.debian.org.log',
file { '/etc/rsyncd/debian.secrets':
owner => 'root',
group => 'mirroradm',
- mode => 0660,
+ mode => '0660',
}
if $::apache2 and $syncproxy_name != 'unknown' {
##
<%
- if not binds.kind_of?(Array)
+ if not @binds.kind_of?(Array)
raise Puppet::Error, "binds variable is not an array"
end
- vhost_listen = binds.map{|x| x+":80" }.join(' ')
+ vhost_listen = @binds.map{|x| x+":80" }.join(' ')
%>
ServerAlias *.archive.backend.mirrors.debian.org
#RedirectMatch "^/$" /debian-archive/
- DocumentRoot <%= archive_root %>/
- Alias /debian-archive/ <%= archive_root %>/
+ DocumentRoot <%= @archive_root %>/
+ Alias /debian-archive/ <%= @archive_root %>/
ErrorLog /var/log/apache2/archive.debian.org-error.log
CustomLog /var/log/apache2/archive.debian.org-access.log privacy
- <Directory <%= archive_root %>>
+ <Directory <%= @archive_root %>>
Require all granted
Options +Indexes +FollowSymLinks
</Directory>
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerAdmin debian-admin@debian.org
ServerName debug.mirrors.debian.org
<% if scope.function_onion_global_service_hostname(['debug.mirrors.debian.org']) -%>
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##
-<VirtualHost <%= vhost_listen %>>
+<VirtualHost <%= @vhost_listen %>>
ServerAdmin debian-admin@debian.org
ServerName ftp.debian.org
ServerAlias debian.anycast-test.mirrors.debian.org
ServerAlias *.debian.backend.mirrors.debian.org
RedirectMatch "^/$" /debian/
- Alias /debian/ <%= archive_root %>/
+ Alias /debian/ <%= @archive_root %>/
ErrorLog /var/log/apache2/ftp.debian.org-error.log
CustomLog /var/log/apache2/ftp.debian.org-access.log privacy
- Use ftp-archive <%= archive_root %>
+ Use ftp-archive <%= @archive_root %>
<IfModule mod_userdir.c>
UserDir disabled
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerAdmin debian-admin@debian.org
ServerName ftp.ports.debian.org
<% if scope.function_onion_global_service_hostname(['ftp.ports.debian.org']) -%>
##
# Need to turn on negotiation_module
-<Directory <%= wwwdo_document_root %>/>
+<Directory <%= @wwwdo_document_root %>/>
Options +MultiViews +FollowSymLinks +Indexes
AddHandler type-map var
# Make sure that the srm.conf directive is commented out.
ServerAlias www.debian.de
ServerAlias newwww.deb.at
- DocumentRoot <%= wwwdo_document_root %>/
+ DocumentRoot <%= @wwwdo_document_root %>/
LogFormat "0.0.0.0 - %u %{[%d/%b/%Y:00:00:00 %z]}t \"%r\" %>s %b \"%{Referer}i\" \"-\" %V" privacy+host
ErrorLog /var/log/apache2/www-other.debian.org-error.log
CustomLog /var/log/apache2/www-other.debian.org-access.log privacy+host
ServerAlias <%= scope.function_onion_global_service_hostname(['www.debian.org']) %>
<% end %>
- DocumentRoot <%= wwwdo_document_root %>/
+ DocumentRoot <%= @wwwdo_document_root %>/
# CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each
# document that was negotiated on the basis of content. This asks proxy
RewriteRule ^/devel/debian-volatile/.* /volatile/ [R=301]
# Offer a Redirect to DSA without knowing year #474730
- RewriteMap dsa txt:<%= wwwdo_document_root %>/security/map-dsa.txt
+ RewriteMap dsa txt:<%= @wwwdo_document_root %>/security/map-dsa.txt
RewriteRule ^/security/dsa-(\d+)(\..*)? /security/${dsa:$1}$2 [R=301]
# Compatibility after SGML -> DocBook
# Debian Reference #624239
- RewriteMap reference txt:<%= wwwdo_document_root %>/doc/map-reference.txt
+ RewriteMap reference txt:<%= @wwwdo_document_root %>/doc/map-reference.txt
RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/ch-support$1 !-f
RewriteRule ^/doc/manuals/debian-reference/ch-support(.*) /support$1 [L,R=301]
RewriteCond %{DOCUMENT_ROOT}/doc/manuals/debian-reference/${reference:$1}$2 -f
</Macro>
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ErrorLog /var/log/apache2/www.debian.org-error.log
CustomLog /var/log/apache2/www.debian.org-access.log privacy
Use common-www.d.o
</VirtualHost>
-<VirtualHost <%= vhost_listen_443 %> >
+<VirtualHost <%= @vhost_listen_443 %> >
ErrorLog /var/log/apache2/www.debian.org-error.log
CustomLog /var/log/apache2/www.debian.org-access.log privacyssl
</VirtualHost>
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
Use common-www-other.d.o
ErrorLog /var/log/apache2/www-other.debian.org-error.log
Redirect permanent / http://www.debian.org/
</VirtualHost>
-<VirtualHost <%= vhost_listen_443 %> >
+<VirtualHost <%= @vhost_listen_443 %> >
Use common-www-other.d.o
CustomLog /var/log/apache2/www-other-access.log privacyssl
Use common-debian-service-ssl debian.org
Use common-ssl-HSTS
</VirtualHost>
+# vim:set syn=apache:
-<%- if hostname == "sibelius" then -%>
+<%- if @hostname == "sibelius" then -%>
# use ipv4
ssh_options="-oAddressFamily=inet"
<%- end %>
# puppet maintained
<Macro common-dsa-vhost-https-redirect $name>
- <VirtualHost <%= vhost_listen %> >
+ <VirtualHost <%= @vhost_listen %> >
ServerName $name
ServerAdmin debian-admin@lists.debian.org
Require all granted
</Directory>
- Header set Surrogate-Key <%= hostname %>
+ Header set Surrogate-Key <%= @hostname %>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
</Macro>
<Macro static-vhost-plain-$name>
- <VirtualHost <%= vhost_listen %>>
+ <VirtualHost <%= @vhost_listen %>>
ServerName $name
ErrorLog /var/log/apache2/$name-error.log
</Macro>
<Macro static-vhost-onion-$name $onion>
- <VirtualHost <%= vhost_listen %>>
+ <VirtualHost <%= @vhost_listen %>>
ServerName $onion
ErrorLog /var/log/apache2/$name-error.log
</Macro>
<Macro static-vhost-ssl-$name>
- <VirtualHost <%= vhost_listen_443 %>>
+ <VirtualHost <%= @vhost_listen_443 %>>
ServerName $name
ErrorLog /var/log/apache2/$name-error.log
<% if scope.function_has_static_component(['planet.debian.org']) -%>
-<Virtualhost <%= vhost_listen %> >
+<Virtualhost <%= @vhost_listen %> >
ServerName planet.debian.org
ServerAlias planet.debian.net planeta.debian.net planet-backend.debian.org planet-fastly.debian.org planet-maxcdn.debian.org
<% if scope.function_onion_global_service_hostname(['planet.debian.org']) -%>
Redirect /debian-security/ http://cdn-fastly.deb.debian.org/debian-security/
</Macro>
-<VirtualHost <%= vhost_listen_443 %> >
+<VirtualHost <%= @vhost_listen_443 %> >
ServerName deb.debian.org
ErrorLog /var/log/apache2/deb.debian.org-error.log
Require all granted
</Directory>
- Header set Surrogate-Key <%= hostname %>
+ Header set Surrogate-Key <%= @hostname %>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
# www.backports.org is the historical place for the backports
# website and archive. It is now a CNAME to backports.debian.org:
# redirect http requests.
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerName www.backports.org
ServerAlias lists.backports.org
ServerAdmin debian-admin@debian.org
</VirtualHost>
######################
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerName www.debian-ports.org
ServerAlias debian-ports.org
ServerAdmin debian-admin@debian.org
RedirectPermanent / https://www.ports.debian.org/
</VirtualHost>
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerName ports.debian.org
ServerAlias ports.debian.net
ServerAdmin debian-admin@debian.org
RedirectPermanent / https://www.ports.debian.org/
</VirtualHost>
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerName incoming.debian-ports.org
ServerAdmin debian-admin@debian.org
RedirectPermanent / http://incoming.ports.debian.org/
</VirtualHost>
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerName ftp.debian-ports.org
ServerAdmin debian-admin@debian.org
RedirectPermanent /archive http://www.ports.debian.org
RedirectPermanent / http://ftp.ports.debian.org/
</VirtualHost>
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerName video.debian.net
ServerAdmin debian-admin@debian.org
Redirect / http://meetings-archive.debian.net/pub/debian-meetings/
# historical sites
##################
# now only redirects remain
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerName women.debian.org
ServerAdmin debian-admin@debian.org
RedirectPermanent /profiles/ http://www.debian.org/women/profiles/
</VirtualHost>
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerName volatile.debian.org
ServerAlias volatile-master.debian.org
ServerAdmin debian-admin@debian.org
RedirectPermanent / http://www.debian.org/volatile/
</VirtualHost>
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerName ftp-master.metadata.debian.org
ServerAdmin debian-admin@debian.org
RedirectPermanent / http://metadata.ftp-master.debian.org/
</VirtualHost>
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerName backports-master.debian.org
ServerAdmin debian-admin@debian.org
RedirectPermanent / https://backports.debian.org/
</VirtualHost>
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
ServerName manpages.debian.net
ServerAdmin debian-admin@debian.org
Redirect / https://manpages.debian.org/
[debian]
path = /srv/mirrors/debian/
-<%- unless has_variable?("has_srv_mirrors_debian") && has_srv_mirrors_debian == "true" -%>
+<%- unless has_variable?("has_srv_mirrors_debian") && @has_srv_mirrors_debian -%>
list = no
<%- end -%>
comment = Debian archive (contact mirrors@debian.org for access; see https://www.debian.org/mirror/size for size)
[debian-debug]
path = /srv/mirrors/debian-debug/
-<%- unless has_variable?("has_srv_mirrors_debian_debug") && has_srv_mirrors_debian_debug == "true" -%>
+<%- unless has_variable?("has_srv_mirrors_debian_debug") && @has_srv_mirrors_debian_debug -%>
list = no
<%- end -%>
comment = Debug packages for Debian archive (contact mirrors@debian.org for access)
[debian-ports]
path = /srv/mirrors/debian-ports/
-<%- unless has_variable?("has_srv_mirrors_debian_debug") && has_srv_mirrors_debian_debug == "true" -%>
+<%- unless has_variable?("has_srv_mirrors_debian_debug") && @has_srv_mirrors_debian_debug -%>
list = no
<%- end -%>
comment = Debian ports archive (contact mirrors@debian.org for access)
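Review bot: The `[debian-ports]` section tests `has_srv_mirrors_debian_debug` rather than a ports-specific variable, so whether the ports module is listed follows the state of the debian-debug mirror instead of its own; the Apache trace-alias template in this same change derives `has_srv_mirrors_debian_ports` for this archive, so the two templates disagree. The `+` line should read `<%- unless has_variable?("has_srv_mirrors_debian_ports") && @has_srv_mirrors_debian_ports -%>`. The move from `== "true"` to a bare truthiness test also assumes the fact now arrives as a real boolean; if any host still reports the string `"false"`, that is truthy in Ruby and the `list = no` line is dropped, so this is worth confirming against the fact source.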
[debian-security]
path = /srv/mirrors/debian-security/
-<%- unless has_variable?("has_srv_mirrors_debian_security") && has_srv_mirrors_debian_security == "true" -%>
+<%- unless has_variable?("has_srv_mirrors_debian_security") && @has_srv_mirrors_debian_security -%>
list = no
<%- end -%>
comment = Debian security archive (contact mirrors@debian.org for access)
##
<%
- vhost_listen = [ (bind != '') ? "#{bind}" : "*", (bind6 != '') ? "#{bind6}" : "*"].uniq
- vhost_listen_443 = [ (bind != '') ? "#{bind}:443" : "*:443", (bind6 != '') ? "[#{bind6}]:443" : "*:443"].uniq
+ vhost_listen = [ (@bind != '') ? "#{@bind}" : "*", (@bind6 != '') ? "#{@bind6}" : "*"].uniq
+ vhost_listen_443 = [ (@bind != '') ? "#{@bind}:443" : "*:443", (@bind6 != '') ? "[#{@bind6}]:443" : "*:443"].uniq
%>
<%=
lines = []
vhost_listen.each do |bind|
- lines << "Use common-debian-service-https-redirect \"#{bind}\" \"#{syncproxy_name}\""
+ lines << "Use common-debian-service-https-redirect \"#{bind}\" \"#{@syncproxy_name}\""
end
lines.join("\n")
%>
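Review bot: The two rewritten `vhost_listen` lines treat the IPv6 address differently: the port-80 list emits `@bind6` bare while the 443 list wraps it as `[#{@bind6}]:443`. Apache requires IPv6 addresses in `<VirtualHost>` to be enclosed in square brackets, so unless `$bind6` is already passed bracketed (in which case the 443 form double-brackets it), one of the two lines yields an address Apache will reject. I would normalise both to one convention, e.g. `(@bind6 != '') ? "[#{@bind6}]" : "*"` on the first line if the parameter is a bare address. The `!= ''` tests are only correct while `''` stays the no-bind default; an `undef` parameter renders as `nil` here and would produce an empty listen entry.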
<Virtualhost <%= vhost_listen_443.join(' ') %> >
- ServerName <%= syncproxy_name %>
+ ServerName <%= @syncproxy_name %>
DocumentRoot /srv/www/syncproxy.debian.org/htdocs
- Use common-debian-service-ssl <%= syncproxy_name %>
+ Use common-debian-service-ssl <%= @syncproxy_name %>
Use common-ssl-HSTS
- Use http-pkp-<%= syncproxy_name %>
+ Use http-pkp-<%= @syncproxy_name %>
<Directory /srv/www/syncproxy.debian.org/htdocs>
Require all granted
lines = []
%w{debian debian-debug debian-ports debian-security}.each do |archive|
varname = 'has_srv_mirrors_' + archive.gsub(/[\/-]/,'_')
- if has_variable?(varname) and (eval(varname)) == 'true'
+ if has_variable?(varname) and (eval("@"+varname))
lines << " Alias /#{archive}/project/trace/ /srv/mirrors/#{archive}/project/trace/"
lines << " <Directory /srv/mirrors/#{archive}/project/trace/>"
lines << " Require all granted"
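Review bot: `eval("@"+varname)` on the `+` line executes a constructed string just to read an instance variable; the name comes from a fixed list, so it is not reachable from untrusted input here, but the idiom is fragile and obscures what is being looked up. `instance_variable_get("@#{varname}")` (or `scope.lookupvar(varname)`) performs the same lookup without `eval`: `if has_variable?(varname) and instance_variable_get("@#{varname}")`. The same pattern is repeated in the HTML index template later in this change (the hunk building `<li>#{archive} …` entries) and should get the same treatment.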
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
- <TITLE>Welcome to <%= syncproxy_name %>!</TITLE>
+ <TITLE>Welcome to <%= @syncproxy_name %>!</TITLE>
</HEAD>
<BODY>
-<H1>Welcome to <%= syncproxy_name %>!</H1>
+<H1>Welcome to <%= @syncproxy_name %>!</H1>
-This is <%= syncproxy_name %>, a syncproxy run by and for the <a
+This is <%= @syncproxy_name %>, a syncproxy run by and for the <a
href="https://www.debian.org/">Debian Project</a> to aid in mirroring
our software. Consult <a href="https://www.debian.org/mirror/">the
mirrors section of the Debian website</a> for more information.
lines = []
%w{debian debian-debug debian-ports debian-security}.each do |archive|
varname = 'has_srv_mirrors_' + archive.gsub(/[\/-]/,'_')
- if has_variable?(varname) and (eval(varname)) == 'true'
+ if has_variable?(varname) and (eval("@"+varname))
lines << "<li>#{archive} [<a href=\"/#{archive}/project/trace/\">trace directory</a>]</li>"
end
end
define rsync::site (
$bind='',
$bind6='',
- $source='',
- $content='',
+ $source=undef,
+ $content=undef,
$max_clients=200,
$ensure=present,
- $sslname='',
+ $sslname=undef,
$sslport=1873
){
}
}
- if $sslname != '' {
+ if $sslname {
file { "/etc/rsyncd-${name}-stunnel.conf":
content => template('rsync/rsyncd-stunnel.conf.erb'),
require => File["/etc/ssl/debian/certs/${sslname}.crt-chained"],
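Review bot: `if $sslname {` on the `+` line relies on the new `undef` default; in Puppet 4 and later the empty string is truthy, so any caller that still passes `sslname => ''` takes the stunnel branch, renders a config with an empty certificate name and hits the `require => File[".../${sslname}.crt-chained"]` reference below. That at least fails loudly at compile time, but a guard such as `if $sslname and $sslname != '' {` keeps old `''` callers working and makes the intent explicit. The enclosing define body starts outside this hunk.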
-cert = /etc/ssl/debian/certs/<%= sslname %>.crt-chained
-key = /etc/ssl/private/<%= sslname %>.key
+cert = /etc/ssl/debian/certs/<%= @sslname %>.crt-chained
+key = /etc/ssl/private/<%= @sslname %>.key
debug = notice
socket = a:SO_KEEPALIVE=1
exec = /usr/bin/rsync
-execargs = rsync --daemon --config=/etc/rsyncd-<%= name %>.conf
+execargs = rsync --daemon --config=/etc/rsyncd-<%= @name %>.conf
#
# SetDefault = no
-<% if @lsbmajdistrelease >= '9' -%>
+<% if scope.call_function('versioncmp', [@lsbmajdistrelease, '9']) >= 0 -%>
[PortCheck]
PortCheckActive=0
<% end -%>
source => 'puppet:///modules/schroot/schroot-setup.d/99porterbox-extra-sources',
require => Package['schroot'],
}
- if ($::lsbmajdistrelease >= 8) {
- file { '/etc/schroot/setup.d/99builddsourceslist':
- mode => '0555',
- source => 'puppet:///modules/schroot/schroot-setup.d/99builddsourceslist',
- require => Package['schroot'],
- }
+ file { '/etc/schroot/setup.d/99builddsourceslist':
+ mode => '0555',
+ source => 'puppet:///modules/schroot/schroot-setup.d/99builddsourceslist',
+ require => Package['schroot'],
}
file { '/usr/local/sbin/setup-dchroot':
/dev/pts /dev/pts none rw,bind 0 0
tmpfs-shm /dev/shm tmpfs defaults,size=64m 0 0
-<%- if has_variable?("has_srv_build_trees") && has_srv_build_trees == "true" -%>
+<%- if has_variable?("has_srv_build_trees") && @has_srv_build_trees -%>
/srv/build-trees /build none rw,bind 0 0
<% end %>
content => template('ssh/authorized_keys.erb'),
}
- if ($::lsbmajdistrelease >= '8') {
+ if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
if ! $has_etc_ssh_ssh_host_ed25519_key {
exec { 'create-ed25519-host-key':
command => 'ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -q -P "" -t ed25519',
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
-<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key == "true" -%>
+<%- if has_variable?("has_etc_ssh_ssh_host_ed25519_key") && @has_etc_ssh_ssh_host_ed25519_key -%>
HostKey /etc/ssh/ssh_host_ed25519_key
<% end %>
#Privilege Separation is turned on for security
<%=
out = ""
- fn = "/etc/puppet/modules/ssl/files/servicecerts/#{name}.crt"
+ fn = "/etc/puppet/modules/ssl/files/servicecerts/#{@name}.crt"
if File.exist?(fn) then
out = File.read(fn)
- chain = "/etc/puppet/modules/ssl/files/chains/#{name}.crt"
+ chain = "/etc/puppet/modules/ssl/files/chains/#{@name}.crt"
out += File.exist?(chain) ? ("\n" + File.read(chain)) : ''
else
- fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{name}.crt-chained"
+ fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{@name}.crt-chained"
out = File.read(fn)
end
out
<%=
out = ""
- fn = "/etc/puppet/modules/ssl/files/keys/#{name}.crt"
+ fn = "/etc/puppet/modules/ssl/files/keys/#{@name}.crt"
if File.exist?(fn) then
out = File.read(fn)
else
- fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{name}.key"
+ fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{@name}.key"
out = File.read(fn)
end
out
%>
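Review bot: The first lookup on the `+` line reads the private key from `keys/#{@name}.crt`, while the Let's Encrypt fallback reads `#{@name}.key`; if the keys directory uses a `.key` suffix like the fallback, the first branch never matches and every service silently falls through to the from-letsencrypt path, whose unconditional `File.read` raises when that file is absent. This predates the `@` change, but it is worth confirming the naming convention of `ssl/files/keys/`; if it is `.key`, the line should become `fn = "/etc/puppet/modules/ssl/files/keys/#{@name}.key"`.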
<%=
out = ""
- fn = "/etc/puppet/modules/ssl/files/servicecerts/#{name}.crt"
+ fn = "/etc/puppet/modules/ssl/files/servicecerts/#{@name}.crt"
if File.exist?(fn) then
out = File.read(fn)
- chain = "/etc/puppet/modules/ssl/files/chains/#{name}.crt"
+ chain = "/etc/puppet/modules/ssl/files/chains/#{@name}.crt"
out += File.exist?(chain) ? ("\n" + File.read(chain)) : ''
else
- fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{name}.crt-chained"
+ fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{@name}.crt-chained"
out = File.read(fn)
end
out
socket = a:SO_KEEPALIVE=1
[<%= @name %>-server]
-accept = <%= @accept =~ /:/ ? @accept : ":::#{accept}" %>
+accept = <%= @accept =~ /:/ ? @accept : ":::#{@accept}" %>
connect = <%= @connect %>
<%- if @local -%>
local = <%= @local %>
#Servers=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
<%=
servers = []
- localtimeservers.each do |node|
+ @localtimeservers.each do |node|
scope.lookupvar('site::allnodeinfo')[node]['ipHostNumber'].each do |addr|
servers << addr
end