mirror/dsa-puppet.git
7 years ago rename ubc-enc2b9 to ubc-enc2bl09
Peter Palfrader [Tue, 25 Oct 2016 08:18:10 +0000 (10:18 +0200)]
rename ubc-enc2b9 to ubc-enc2bl09

7 years ago rename ubc-enc2b2 to ubc-enc2bl02
Peter Palfrader [Tue, 25 Oct 2016 08:11:38 +0000 (10:11 +0200)]
rename ubc-enc2b2 to ubc-enc2bl02

7 years ago rename ubc-enc2b1 to ubc-enc2bl01
Peter Palfrader [Tue, 25 Oct 2016 07:53:49 +0000 (09:53 +0200)]
rename ubc-enc2b1 to ubc-enc2bl01

7 years ago No more ftpd on franck
Julien Cristau [Mon, 24 Oct 2016 16:46:24 +0000 (18:46 +0200)]
No more ftpd on franck

7 years ago Add ftp.upload and ssh.upload roles to usper.d.o
Aurelien Jarno [Sat, 22 Oct 2016 20:21:30 +0000 (22:21 +0200)]
Add ftp.upload and ssh.upload roles to usper.d.o

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago Add usper.d.o
Aurelien Jarno [Sat, 22 Oct 2016 16:44:35 +0000 (18:44 +0200)]
Add usper.d.o

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago Add fasolo as ftp-master
Julien Cristau [Sat, 22 Oct 2016 12:32:57 +0000 (14:32 +0200)]
Add fasolo as ftp-master

7 years ago Get rid of "release" role
Julien Cristau [Sat, 22 Oct 2016 12:18:57 +0000 (14:18 +0200)]
Get rid of "release" role

The web bits moved to static.d.o.

7 years ago split out apt config into own class. use multi-suite site::aptrepo
Peter Palfrader [Fri, 21 Oct 2016 11:21:23 +0000 (11:21 +0000)]
split out apt config into own class.  use multi-suite site::aptrepo

7 years ago support an array of mirrors for site::aptrepo
Peter Palfrader [Fri, 21 Oct 2016 11:12:30 +0000 (11:12 +0000)]
support an array of mirrors for site::aptrepo

7 years ago let dak signal buildd pool update
Peter Palfrader [Fri, 21 Oct 2016 07:02:32 +0000 (09:02 +0200)]
let dak signal buildd pool update

7 years ago Export debian-security-buildd-pool
Peter Palfrader [Fri, 21 Oct 2016 06:02:38 +0000 (08:02 +0200)]
Export debian-security-buildd-pool

7 years ago get backports from fastly as well
Peter Palfrader [Fri, 21 Oct 2016 05:04:59 +0000 (07:04 +0200)]
get backports from fastly as well

7 years ago Force type for *.debdiff.html.gz on release.d.o
Julien Cristau [Thu, 20 Oct 2016 18:29:48 +0000 (20:29 +0200)]
Force type for *.debdiff.html.gz on release.d.o

Serve them as html rather than gzip.

7 years ago Fixup apache config syntax error
Julien Cristau [Thu, 20 Oct 2016 17:47:00 +0000 (19:47 +0200)]
Fixup apache config syntax error

7 years ago Don't redirect on security for cloudfront and tor hidden service
Julien Cristau [Thu, 20 Oct 2016 17:43:54 +0000 (19:43 +0200)]
Don't redirect on security for cloudfront and tor hidden service

Redirecting from https or .onion to plain http is probably a bad plan.

7 years ago redirect linux updates to fastly
Peter Palfrader [Thu, 20 Oct 2016 07:41:41 +0000 (09:41 +0200)]
redirect linux updates to fastly

7 years ago push ~/.selected_editor
Peter Palfrader [Tue, 18 Oct 2016 19:13:10 +0000 (21:13 +0200)]
push ~/.selected_editor

7 years ago Add deb.debian.org https vhost
Julien Cristau [Tue, 18 Oct 2016 17:40:52 +0000 (19:40 +0200)]
Add deb.debian.org https vhost

A bit special: no HPKP, and redirects are currently different from the
HTTP vhost.

7 years ago move deprecated modulepath so it is only set on the master
Peter Palfrader [Sun, 16 Oct 2016 07:22:40 +0000 (09:22 +0200)]
move deprecated modulepath so it is only set on the master

7 years ago Do not have production and staging section in puppet.conf on all clients
Peter Palfrader [Sun, 16 Oct 2016 07:20:39 +0000 (09:20 +0200)]
Do not have production and staging section in puppet.conf on all clients

7 years ago Decommission jenko
Aurelien Jarno [Sat, 15 Oct 2016 12:54:11 +0000 (14:54 +0200)]
Decommission jenko

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago add acker
Peter Palfrader [Sat, 15 Oct 2016 08:38:29 +0000 (10:38 +0200)]
add acker

7 years ago add aagaard
Peter Palfrader [Fri, 14 Oct 2016 18:36:48 +0000 (20:36 +0200)]
add aagaard

7 years ago raise pin age to 3d
Peter Palfrader [Fri, 14 Oct 2016 06:14:50 +0000 (08:14 +0200)]
raise pin age to 3d

7 years ago add new host for luca
Luca Filipozzi [Thu, 13 Oct 2016 17:38:29 +0000 (17:38 +0000)]
add new host for luca

7 years ago remove double slashes on metadata.ftp-master.debian.org
Peter Palfrader [Thu, 13 Oct 2016 07:06:39 +0000 (09:06 +0200)]
remove double slashes on metadata.ftp-debian.org

7 years ago Revert "remove double slashes on metadata.ftp-master.debian.org"
Peter Palfrader [Thu, 13 Oct 2016 06:58:53 +0000 (08:58 +0200)]
Revert "remove double slashes on metadata.ftp-debian.org"

This reverts commit 5d598f2a486bfb7619f294eeb606aa114f183349.

7 years ago remove double slashes on metadata.ftp-master.debian.org
Peter Palfrader [Thu, 13 Oct 2016 06:56:39 +0000 (08:56 +0200)]
remove double slashes on metadata.ftp-debian.org

7 years ago raise pin age to 1d
Peter Palfrader [Wed, 12 Oct 2016 13:04:30 +0000 (15:04 +0200)]
raise pin age to 1d

7 years ago LE cert for buildd
Peter Palfrader [Wed, 12 Oct 2016 13:01:57 +0000 (15:01 +0200)]
LE cert for buildd

7 years ago LE cert for ftp-master
Peter Palfrader [Wed, 12 Oct 2016 13:00:20 +0000 (15:00 +0200)]
LE cert for ftp-master

7 years ago LE cert for munin
Peter Palfrader [Wed, 12 Oct 2016 12:43:29 +0000 (14:43 +0200)]
LE cert for munin

7 years ago LE cert for nagios
Peter Palfrader [Wed, 12 Oct 2016 12:41:01 +0000 (14:41 +0200)]
LE cert for nagios

7 years ago LE cert for nm, contributors
Peter Palfrader [Wed, 12 Oct 2016 12:37:14 +0000 (14:37 +0200)]
LE cert for nm, contributors

7 years ago LE cert for rt
Peter Palfrader [Wed, 12 Oct 2016 12:29:49 +0000 (14:29 +0200)]
LE cert for rt

7 years ago LE cert for security-tracker
Peter Palfrader [Wed, 12 Oct 2016 12:28:03 +0000 (14:28 +0200)]
LE cert for security-tracker

7 years ago LE cert for sso
Peter Palfrader [Wed, 12 Oct 2016 12:24:31 +0000 (14:24 +0200)]
LE cert for sso

7 years ago LE cert for vote
Peter Palfrader [Wed, 12 Oct 2016 12:23:35 +0000 (14:23 +0200)]
LE cert for vote

7 years ago set TLSA port to 0 in preparation of cert roll for buildd, contributors, ftp-master...
Peter Palfrader [Wed, 12 Oct 2016 07:23:48 +0000 (09:23 +0200)]
set TLSA port to 0 in preparation of cert roll for buildd, contributors, ftp-master, munin, nagios, nm, rt, security-tracker, sso, vote

7 years ago Move udd.d.o cert to letsencrypt
Julien Cristau [Sun, 9 Oct 2016 16:14:27 +0000 (18:14 +0200)]
Move udd.d.o cert to letsencrypt

7 years ago Switch lists.d.o to letsencrypt
Julien Cristau [Sun, 9 Oct 2016 16:07:43 +0000 (18:07 +0200)]
Switch lists.d.o to letsencrypt

Signed-off-by: Julien Cristau <jcristau@debian.org>

7 years ago Switch to letsencrypt for api.ftp-master.d.o
Julien Cristau [Sun, 9 Oct 2016 15:43:55 +0000 (17:43 +0200)]
Switch to letsencrypt for api.ftp-master.d.o

7 years ago disable TLSA for api.ftp-master, lists, and udd
Peter Palfrader [Sun, 9 Oct 2016 11:31:21 +0000 (13:31 +0200)]
disable TLSA for api.ftp-master, lists, and udd

7 years ago HPKP for dgit
Peter Palfrader [Sun, 9 Oct 2016 11:12:07 +0000 (13:12 +0200)]
HPKP for dgit

7 years ago HPKP for debtags
Peter Palfrader [Sun, 9 Oct 2016 11:09:58 +0000 (13:09 +0200)]
HPKP for debtags

7 years ago Enable HTTP PKP for syncproxy vhosts
Peter Palfrader [Sun, 9 Oct 2016 11:03:30 +0000 (13:03 +0200)]
Enable HTTP PKP for syncproxy vhosts

7 years ago raise life-time of HPKP to 3hrs
Peter Palfrader [Sun, 9 Oct 2016 07:15:00 +0000 (09:15 +0200)]
raise life-time of HPKP to 3hrs

7 years ago remove fubar.emyr.net from luca's list of hosts
Luca Filipozzi [Fri, 7 Oct 2016 06:47:00 +0000 (06:47 +0000)]
remove fubar.emyr.net from luca's list of hosts

7 years ago Decommission pkgmirror-1and1
Julien Cristau [Thu, 6 Oct 2016 18:06:14 +0000 (20:06 +0200)]
Decommission pkgmirror-1and1

7 years ago add IPv4 address for luca's new jumphost
Luca Filipozzi [Wed, 5 Oct 2016 04:00:14 +0000 (04:00 +0000)]
add IPv4 address for luca's new jumphost

7 years ago Restrict vsftpd to the security.d.o IPs on mirror-anu
Julien Cristau [Tue, 4 Oct 2016 18:28:12 +0000 (20:28 +0200)]
Restrict vsftpd to the security.d.o IPs on mirror-anu

7 years ago raise max-age for HTTP Public Key Pins from 5 min to 1 hour
Peter Palfrader [Tue, 4 Oct 2016 06:35:52 +0000 (08:35 +0200)]
raise max-age for HTTP Public Key Pins from 5 min to 1 hour

7 years ago add addresses to blacklist
Martin Zobel-Helas [Mon, 3 Oct 2016 09:58:59 +0000 (11:58 +0200)]
add addresses to blacklist

Signed-off-by: Martin Zobel-Helas <zobel@debian.org>

7 years ago rsync on gretchaninov
Julien Cristau [Wed, 28 Sep 2016 17:13:30 +0000 (19:13 +0200)]
rsync on gretchaninov

7 years ago HPKP for jenkins
Julien Cristau [Wed, 28 Sep 2016 16:52:50 +0000 (18:52 +0200)]
HPKP for jenkins

7 years ago Switch to LE cert for jenkins
Julien Cristau [Tue, 27 Sep 2016 21:05:16 +0000 (23:05 +0200)]
Switch to LE cert for jenkins

7 years ago no need to ignore these maskings
Peter Palfrader [Tue, 27 Sep 2016 12:07:41 +0000 (14:07 +0200)]
no need to ignore these maskings

7 years ago Mask proc-sys-fs-binfmt_misc.automount
Peter Palfrader [Tue, 27 Sep 2016 06:44:46 +0000 (08:44 +0200)]
Mask proc-sys-fs-binfmt_misc.automount

7 years ago Temporarily disable tlsa for jenkins
Julien Cristau [Tue, 27 Sep 2016 06:10:29 +0000 (08:10 +0200)]
Temporarily disable tlsa for jenkins

7 years ago samhain: also accept changes in etc/apache2/conf-available
Peter Palfrader [Mon, 26 Sep 2016 20:08:54 +0000 (22:08 +0200)]
samhain: also accept changes in etc/apache2/conf-available

7 years ago ubc autofs update
Peter Palfrader [Mon, 26 Sep 2016 17:50:11 +0000 (19:50 +0200)]
ubc autofs update

7 years ago It appears we do not use nameserver or searchpath info from hoster.yaml
Peter Palfrader [Mon, 26 Sep 2016 17:44:05 +0000 (19:44 +0200)]
It appears we do not use nameserver or searchpath info from hoster.yaml

7 years ago Fix ubc searchpath: use priv.ubc instead of ubc.priv
Peter Palfrader [Mon, 26 Sep 2016 17:42:35 +0000 (19:42 +0200)]
Fix ubc searchpath: use priv.ubc instead of ubc.priv

7 years ago Revert "why do we have two places for hosters?"
Peter Palfrader [Mon, 26 Sep 2016 17:40:42 +0000 (19:40 +0200)]
Revert "why do we have two places for hosters?"

This reverts commit 8c754dd0bea9537082a5a71dcbb1367a45af4a94.

7 years ago retire brainfood as hoster
Peter Palfrader [Mon, 26 Sep 2016 17:38:59 +0000 (19:38 +0200)]
retire brainfood as hoster

7 years ago why do we have two places for hosters?
Peter Palfrader [Mon, 26 Sep 2016 17:37:24 +0000 (19:37 +0200)]
why do we have two places for hosters?

7 years ago replace ubc bl[268] with ubc-enc2bl{2,9,10} as recursors
Peter Palfrader [Mon, 26 Sep 2016 17:35:17 +0000 (19:35 +0200)]
replace ubc bl[268] with ubc-enc2bl{2,9,10} as recursors

7 years ago remove ubcece as a hoster - the definition is identical to ubc
Peter Palfrader [Mon, 26 Sep 2016 17:33:30 +0000 (19:33 +0200)]
remove ubcece as a hoster - the definition is identical to ubc

7 years ago add ubc autofs rules
Peter Palfrader [Mon, 26 Sep 2016 17:13:58 +0000 (19:13 +0200)]
add ubc autofs rules

7 years ago make pin macros conditional on mod_macro being present
Peter Palfrader [Mon, 26 Sep 2016 17:07:53 +0000 (19:07 +0200)]
make pin macros conditional on mod_macro being present

7 years ago new cable modem
Luca Filipozzi [Mon, 26 Sep 2016 01:40:10 +0000 (01:40 +0000)]
new cable modem

7 years ago Update buxtehude IP on sonntag firewall
Aurelien Jarno [Sat, 24 Sep 2016 19:39:28 +0000 (21:39 +0200)]
Update buxtehude IP on sonntag firewall

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago Update ullmann IPs on bmdb1 firewall
Aurelien Jarno [Sat, 24 Sep 2016 19:17:11 +0000 (21:17 +0200)]
Update ullmann IPs on bmdb1 firewall

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago Remove extra .conf from apache config file
Julien Cristau [Sat, 24 Sep 2016 17:07:39 +0000 (19:07 +0200)]
Remove extra .conf from apache config file

apache2::config already adds .conf to the file name.

7 years ago Enable HPKP for all static sites
Peter Palfrader [Sat, 24 Sep 2016 09:52:51 +0000 (11:52 +0200)]
Enable HPKP for all static sites

7 years ago ship keys for d-i, dsa, and rtc
Peter Palfrader [Sat, 24 Sep 2016 09:42:04 +0000 (11:42 +0200)]
ship keys for d-i, dsa, and rtc

7 years ago replace certs for d-i, dsa, and rtc with LE
Peter Palfrader [Sat, 24 Sep 2016 09:19:27 +0000 (11:19 +0200)]
replace certs for d-i, dsa, and rtc with LE

7 years ago change pin thing
Peter Palfrader [Sat, 24 Sep 2016 09:05:22 +0000 (09:05 +0000)]
change pin thing

7 years ago ignore changes to /etc/apache2/conf-available/puppet-ssl-key-pins.conf
Peter Palfrader [Fri, 23 Sep 2016 20:42:53 +0000 (22:42 +0200)]
ignore changes to /etc/apache2/conf-available/puppet-ssl-key-pins.conf

7 years ago set pins always
Peter Palfrader [Fri, 23 Sep 2016 20:40:10 +0000 (20:40 +0000)]
set pins always

7 years ago ship pin set for people.debian.org
Peter Palfrader [Fri, 23 Sep 2016 20:37:27 +0000 (20:37 +0000)]
ship pin set for people.debian.org

7 years ago reload apache2 on pinset change
Peter Palfrader [Fri, 23 Sep 2016 20:36:54 +0000 (20:36 +0000)]
reload apache2 on pinset change

7 years ago A gen_hpkp_pin function
Peter Palfrader [Fri, 23 Sep 2016 20:35:09 +0000 (20:35 +0000)]
A gen_hpkp_pin function

7 years ago reload apache2 on pinset change
Peter Palfrader [Fri, 23 Sep 2016 20:33:37 +0000 (20:33 +0000)]
reload apache2 on pinset change

7 years ago concat does not like empty things
Peter Palfrader [Fri, 23 Sep 2016 19:59:14 +0000 (21:59 +0200)]
concat does not like empty things

7 years ago puppet-ssl-key-pins.conf is a concat, cannot set it as source/content
Peter Palfrader [Fri, 23 Sep 2016 19:57:30 +0000 (21:57 +0200)]
puppet-ssl-key-pins.conf is a concat, cannot set it as source/content

7 years ago puppet-ssl-key-pins.conf
Peter Palfrader [Fri, 23 Sep 2016 19:54:11 +0000 (21:54 +0200)]
puppet-ssl-key-pins.conf

7 years ago Support nocontentok for apache2::config
Peter Palfrader [Fri, 23 Sep 2016 19:53:00 +0000 (21:53 +0200)]
Support nocontentok for apache2::config

7 years ago Dedicated block for absent case
Peter Palfrader [Fri, 23 Sep 2016 19:51:17 +0000 (21:51 +0200)]
Dedicated block for absent case

7 years ago We have no lsbmajdistrelease <= 7 hosts anymore
Peter Palfrader [Fri, 23 Sep 2016 19:48:52 +0000 (21:48 +0200)]
We have no lsbmajdistrelease <= 7 hosts anymore

7 years ago We don't need tftpd on jenko.d.o anymore
Aurelien Jarno [Fri, 23 Sep 2016 14:31:04 +0000 (16:31 +0200)]
We don't need tftpd on jenko.d.o anymore

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago Update buxtehude and glinka NFS firewall
Aurelien Jarno [Thu, 22 Sep 2016 22:14:19 +0000 (00:14 +0200)]
Update buxtehude and glinka NFS firewall

Now that buxtehude is also on the private network, we can use it instead
of the public IP. For that split the buxtehude and glinka configuration.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago Add volumes for buxtehude on ganeti2.ubc.d.o
Aurelien Jarno [Thu, 22 Sep 2016 20:04:58 +0000 (22:04 +0200)]
Add volumes for buxtehude on ganeti2.ubc.d.o

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago Temporarily allow NFS to buxtehude and glinka from ullmann
Aurelien Jarno [Thu, 22 Sep 2016 19:45:31 +0000 (21:45 +0200)]
Temporarily allow NFS to buxtehude and glinka from ullmann

Until we move buxtehude and glinka to the new UBC network where buxtehude,
glinka and ullmann can talk through the private network.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago Drop multipath mappings for tye.d.o on ganeti2.d.o
Aurelien Jarno [Thu, 22 Sep 2016 15:18:36 +0000 (17:18 +0200)]
Drop multipath mappings for tye.d.o on ganeti2.d.o

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago Temporarily allow NFS to glinka from tye
Aurelien Jarno [Thu, 22 Sep 2016 14:56:53 +0000 (16:56 +0200)]
Temporarily allow NFS to glinka from tye

Until we move glinka to the new UBC network where glinka and tye can
talk through the private network.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago Add volumes for tye and ullmann on ganeti2.ubc.d.o
Aurelien Jarno [Thu, 22 Sep 2016 12:43:55 +0000 (14:43 +0200)]
Add volumes for tye and ullmann on ganeti2.ubc.d.o

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

7 years ago nfs-server on gretchaninov
Julien Cristau [Thu, 22 Sep 2016 11:32:31 +0000 (13:32 +0200)]
nfs-server on gretchaninov

7 years ago Add gretchaninov
Julien Cristau [Thu, 22 Sep 2016 10:11:27 +0000 (12:11 +0200)]
Add gretchaninov