mirror/dsa-puppet.git
6 years ago  Merge branch 'zobel-salsa'
Martin Zobel-Helas [Thu, 15 Feb 2018 07:39:47 +0000 (08:39 +0100)]
Merge branch 'zobel-salsa'

6 years ago  Remove lobos from fastly security backends for now
Julien Cristau [Thu, 15 Feb 2018 07:25:24 +0000 (08:25 +0100)]
Remove lobos from fastly security backends for now

We want to see how it does with 2 dedicated backends (villa and wieck).

6 years ago  dupload.conf: fix a thinko in the security upload hostname
Aurelien Jarno [Thu, 15 Feb 2018 07:11:16 +0000 (08:11 +0100)]
dupload.conf: fix a thinko in the security upload hostname

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  buildd: do security uploads using SSH
Aurelien Jarno [Wed, 14 Feb 2018 18:23:21 +0000 (19:23 +0100)]
buildd: do security uploads using SSH

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  rsync-ssh-wrap: force the permissions of uploaded files
Aurelien Jarno [Wed, 14 Feb 2018 16:33:17 +0000 (17:33 +0100)]
rsync-ssh-wrap: force the permissions of uploaded files

dupload calls rsync with -p, causing the uploaded files to be world
readable, despite the ACL of the upload directory (see bug#876900).
This is an issue for security uploads.

This has been fixed in sid, but not yet in stretch. In the meantime
force the permissions to 0640 at the wrapper level.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  planet-master.d.o: fix a thinko in my previous commit
Aurelien Jarno [Wed, 14 Feb 2018 11:49:38 +0000 (12:49 +0100)]
planet-d.o: fix a thinko in my previous commit

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  planet-master.d.o: only allow access from localhost and local IP
Aurelien Jarno [Wed, 14 Feb 2018 11:43:27 +0000 (12:43 +0100)]
planet-d.o: only allow access from localhost and local IP

This way it's possible to access planet-master.d.o using SSH as a SOCKS
proxy. It requires connecting to planet-master.d.o (aka philp.d.o) instead
of any Debian machine.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  99builddsourceslist: access the security archive using https
Aurelien Jarno [Tue, 13 Feb 2018 13:33:55 +0000 (14:33 +0100)]
99builddsourceslist: access the security archive using https

Let's try again!

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  lintian.d.o: fix deflate output filter
Aurelien Jarno [Wed, 14 Feb 2018 09:52:25 +0000 (10:52 +0100)]
lintian.d.o: fix deflate output filter

It appears that AddOutputFilterByType options also apply to the
subdirectories. However, this directive overwrites the default value or
the one defined in the parent directory.

Therefore we only want to add this directive to the root directory and
with all the mime types.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  Merge branch 'lintian.d.o-tweaks' of https://salsa.debian.org/nthykier/dsa-puppet
Aurelien Jarno [Tue, 13 Feb 2018 21:18:25 +0000 (22:18 +0100)]
Merge branch 'lintian.d.o-tweaks' of https://salsa.debian.org/nthykier/dsa-puppet

6 years ago  static_mirror: enable deflate and filter modules
Aurelien Jarno [Tue, 13 Feb 2018 21:16:29 +0000 (22:16 +0100)]
static_mirror: enable deflate and filter modules

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  Install ca-certificates in the buildd chroots
Aurelien Jarno [Tue, 13 Feb 2018 20:30:52 +0000 (21:30 +0100)]
Install ca-certificates in the buildd chroots

This is needed in addition to apt-transport-https.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  lintian.d.o: Move svg compression to the resources directory
Niels Thykier [Tue, 13 Feb 2018 19:25:41 +0000 (19:25 +0000)]
lintian.d.o: Move svg compression to the resources directory

It does not appear to propagate on its own, so move it from the root
to the "resources" directory section.  There are no SVG images outside
that directory anyway.

Signed-off-by: Niels Thykier <niels@thykier.net>

6 years ago  lintian.d.o: Remove redundant + incorrect IfModule mod_userdir
Niels Thykier [Tue, 13 Feb 2018 19:25:02 +0000 (19:25 +0000)]
lintian.d.o: Remove redundant + incorrect IfModule mod_userdir

Signed-off-by: Niels Thykier <niels@thykier.net>

6 years ago  Revert "99builddsourceslist: access the security archive using https"
Aurelien Jarno [Tue, 13 Feb 2018 14:17:33 +0000 (15:17 +0100)]
Revert "99builddsourceslist: access the security archive using https"

This reverts commit f77a22de23c38230527be61375482971dea55fef.

This doesn't work; we also need ca-certificate in the chroot :-(

6 years ago  99builddsourceslist: access the security archive using https
Aurelien Jarno [Tue, 13 Feb 2018 13:33:55 +0000 (14:33 +0100)]
99builddsourceslist: access the security archive using https

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  Fully retire spontini.d.o
Aurelien Jarno [Tue, 13 Feb 2018 11:54:26 +0000 (12:54 +0100)]
Fully retire spontini.d.o

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  Also drop security anycast-test mirrors
Aurelien Jarno [Tue, 13 Feb 2018 11:11:22 +0000 (12:11 +0100)]
Also drop security anycast-test mirrors

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  snapshot storage nodes want the toolchain to build the snapshot fsck utility
Peter Palfrader [Tue, 13 Feb 2018 10:26:15 +0000 (11:26 +0100)]
snapshot storage nodes want the toolchain to build the snapshot fsck utility

6 years ago  setup-dchroot: fix a typo
Aurelien Jarno [Tue, 13 Feb 2018 09:30:53 +0000 (10:30 +0100)]
setup-dchroot: fix a typo

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  Install apt-transport-https in the buildd chroots
Aurelien Jarno [Tue, 13 Feb 2018 08:54:39 +0000 (09:54 +0100)]
Install apt-transport-https in the buildd chroots

This will be used to access the security archive in a more private way.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  Drop anycast-test mirrors from apt
Aurelien Jarno [Tue, 13 Feb 2018 08:44:03 +0000 (09:44 +0100)]
Drop anycast-test mirrors from apt

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  More kfreebsd removal
Aurelien Jarno [Tue, 13 Feb 2018 08:15:10 +0000 (09:15 +0100)]
More kfreebsd removal

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  setup-all-dchroots: get rid of kfreebsd and ppc64
Aurelien Jarno [Tue, 13 Feb 2018 07:47:40 +0000 (08:47 +0100)]
setup-all-dchroots: get rid of kfreebsd and ppc64

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  nagios: use dsa-check-systemd-services instead of systemctl is-system-running
Peter Palfrader [Sun, 11 Feb 2018 10:20:27 +0000 (11:20 +0100)]
nagios: use dsa-check-systemd-services instead of systemctl is-system-running

6 years ago  Also systemctl reset-failed failed session-nnn.scope
Peter Palfrader [Sun, 11 Feb 2018 10:02:25 +0000 (11:02 +0100)]
Also systemctl reset-failed failed session-nnn.scope

6 years ago  Move failed rsync cleanup into systemd module
Peter Palfrader [Sun, 11 Feb 2018 09:58:08 +0000 (10:58 +0100)]
Move failed rsync cleanup into systemd module

6 years ago  octocatalog: add dummy file for LE service certs
Martin Zobel-Helas [Sat, 10 Feb 2018 08:47:33 +0000 (09:47 +0100)]
octocatalog: add dummy file for LE service certs

Signed-off-by: Martin Zobel-Helas <zobel@debian.org>

6 years ago  Merge remote-tracking branch 'origin/master' into zobel-salsa
Martin Zobel-Helas [Sat, 10 Feb 2018 08:42:16 +0000 (09:42 +0100)]
Merge remote-tracking branch 'origin/master' into zobel-salsa

6 years ago  Fixup local-mirror.cdbuilder sites-enabled symlink name
Julien Cristau [Sat, 10 Feb 2018 07:59:40 +0000 (08:59 +0100)]
Fixup local-mirror.cdbuilder sites-enabled symlink name

6 years ago  Add {deb,security}.d.o aliases to local-mirror.cdbuilder
Julien Cristau [Sat, 10 Feb 2018 07:58:52 +0000 (08:58 +0100)]
Add {deb,security}.d.o aliases to local-mirror.cdbuilder

6 years ago  use ttyS1 for the serial console on casulana
Peter Palfrader [Fri, 9 Feb 2018 20:23:28 +0000 (21:23 +0100)]
use ttyS1 for the serial console on casulana

6 years ago  Get trailing slashes right for aliases
Peter Palfrader [Fri, 9 Feb 2018 19:49:14 +0000 (20:49 +0100)]
Get trailing slashes right for aliases

6 years ago  First go at cdbuilder local mirror export (re: RT##7101)
Peter Palfrader [Fri, 9 Feb 2018 19:41:56 +0000 (20:41 +0100)]
First go at cdbuilder local mirror export (re: RT##7101)

6 years ago  Add an apache_not_public role where we do not add ferm allow rules and put casulana...
Peter Palfrader [Fri, 9 Feb 2018 19:03:17 +0000 (20:03 +0100)]
Add an apache_not_public role where we do not add ferm allow rules and put casulana into it

6 years ago  no more experimental_apache (previously cgi-grnet-01, pejacevic, petrova)
Peter Palfrader [Fri, 9 Feb 2018 19:00:00 +0000 (20:00 +0100)]
no more experimental_apache (previously cgi-grnet-01, pejacevic, petrova)

6 years ago  Add cdbuilder-logs static component (re: RT##7101)
Peter Palfrader [Fri, 9 Feb 2018 18:32:09 +0000 (19:32 +0100)]
Add cdbuilder-logs static component (re: RT##7101)

6 years ago  Add casulana as a static source for cdbuilder-logs (re: RT##7101)
Peter Palfrader [Fri, 9 Feb 2018 18:27:21 +0000 (19:27 +0100)]
Add casulana as a static source for cdbuilder-logs (re: RT##7101)

6 years ago  Merge branch 'master' into zobel-salsa
Martin Zobel-Helas [Fri, 9 Feb 2018 17:25:45 +0000 (18:25 +0100)]
Merge branch 'master' into zobel-salsa

6 years ago  RT#7092: Apache on godard adds an additional X-Xss-Protection
Martin Zobel-Helas [Fri, 9 Feb 2018 17:18:36 +0000 (18:18 +0100)]
RT#7092: Apache on godard adds an additional X-Xss-Protection

Signed-off-by: Martin Zobel-Helas <zobel@debian.org>

6 years ago  Test with Puppet 4.8
Bastian Blank [Fri, 9 Feb 2018 13:02:52 +0000 (14:02 +0100)]
Test with Puppet 4.8

6 years ago  Update facts
Bastian Blank [Fri, 9 Feb 2018 12:58:29 +0000 (13:58 +0100)]
Update facts

6 years ago  Move nagios stuff
Bastian Blank [Fri, 9 Feb 2018 12:49:13 +0000 (13:49 +0100)]
Move nagios stuff

6 years ago  Move generated cert files to new location
Bastian Blank [Fri, 9 Feb 2018 12:45:03 +0000 (13:45 +0100)]
Move generated cert files to new location

6 years ago  Update octocatalog job
Bastian Blank [Fri, 9 Feb 2018 12:28:28 +0000 (13:28 +0100)]
Update octocatalog job

6 years ago  Test with Puppet 4.8
Bastian Blank [Fri, 9 Feb 2018 13:02:52 +0000 (14:02 +0100)]
Test with Puppet 4.8

6 years ago  Update facts
Bastian Blank [Fri, 9 Feb 2018 12:58:29 +0000 (13:58 +0100)]
Update facts

6 years ago  Move nagios stuff
Bastian Blank [Fri, 9 Feb 2018 12:49:13 +0000 (13:49 +0100)]
Move nagios stuff

6 years ago  Move generated cert files to new location
Bastian Blank [Fri, 9 Feb 2018 12:45:03 +0000 (13:45 +0100)]
Move generated cert files to new location

6 years ago  Update octocatalog job
Bastian Blank [Fri, 9 Feb 2018 12:28:28 +0000 (13:28 +0100)]
Update octocatalog job

6 years ago  rsync on lw09,lw10
Peter Palfrader [Fri, 9 Feb 2018 09:19:26 +0000 (10:19 +0100)]
rsync on lw09,lw10

6 years ago  update lw autotab
Peter Palfrader [Fri, 9 Feb 2018 08:38:23 +0000 (09:38 +0100)]
update lw autotab

6 years ago  update lw autotab
Peter Palfrader [Fri, 9 Feb 2018 08:28:27 +0000 (09:28 +0100)]
update lw autotab

6 years ago  do nfs server setup on lw09/lw10
Peter Palfrader [Fri, 9 Feb 2018 08:11:24 +0000 (09:11 +0100)]
do nfs server setup on lw09/lw10

6 years ago  no more 10/8 network at leaseweb
Peter Palfrader [Fri, 9 Feb 2018 08:10:57 +0000 (09:10 +0100)]
no more 10/8 network at leaseweb

6 years ago  remove sgran from root keys
Martin Zobel-Helas [Thu, 8 Feb 2018 16:26:48 +0000 (17:26 +0100)]
remove sgran from root keys

Signed-off-by: Martin Zobel-Helas <zobel@debian.org>

6 years ago  remove sgran IP range. He can hop via master if needed
Martin Zobel-Helas [Thu, 8 Feb 2018 16:25:54 +0000 (17:25 +0100)]
remove sgran IP range. He can hop via master if needed

Signed-off-by: Martin Zobel-Helas <zobel@debian.org>

6 years ago  puppet does not have any mail config in /srv/puppet.debian.org/mail
Martin Zobel-Helas [Thu, 8 Feb 2018 16:24:00 +0000 (17:24 +0100)]
puppet does not have any mail config in /srv/puppet.debian.org/mail

Signed-off-by: Martin Zobel-Helas <zobel@debian.org>

6 years ago  backgrounding does not really work remotely
Peter Palfrader [Thu, 8 Feb 2018 15:09:27 +0000 (16:09 +0100)]
backgrounding does not really work remotely

6 years ago  dsa-restart-all-idle-postgres: only restart pg instances that show up in dsa-check...
Peter Palfrader [Thu, 8 Feb 2018 14:47:32 +0000 (15:47 +0100)]
dsa-restart-all-idle-postgres: only restart pg instances that show up in dsa-check-libs

6 years ago  dsa-restart-all-idle-postgres: and do not keep fds open
Peter Palfrader [Thu, 8 Feb 2018 14:34:10 +0000 (15:34 +0100)]
dsa-restart-all-idle-postgres: and do not keep fds open

6 years ago  dsa-restart-all-idle-postgres: disown background jobs instead of waiting for them
Peter Palfrader [Thu, 8 Feb 2018 14:30:06 +0000 (15:30 +0100)]
dsa-restart-all-idle-postgres: disown background jobs instead of waiting for them

6 years ago  in practice make the sleep longer
Peter Palfrader [Thu, 8 Feb 2018 12:41:55 +0000 (13:41 +0100)]
in practice make the sleep longer

6 years ago  fix filename
Peter Palfrader [Thu, 8 Feb 2018 12:39:46 +0000 (13:39 +0100)]
fix filename

6 years ago  Add script to restart postgres clusters
Peter Palfrader [Thu, 8 Feb 2018 12:38:53 +0000 (13:38 +0100)]
Add script to restart postgres clusters

6 years ago  ignore wb-buildd.more on buildd_master role hosts
Peter Palfrader [Thu, 8 Feb 2018 12:01:00 +0000 (13:01 +0100)]
ignore wb-buildd.more on buildd_master role hosts

6 years ago  samhain ignore /etc/ssh/userkeys/buildd-uploader on ssh upload hosts
Peter Palfrader [Tue, 6 Feb 2018 09:15:04 +0000 (10:15 +0100)]
samhain ignore /etc/ssh/userkeys/buildd-uploader on ssh upload hosts

6 years ago  Use "restrict" key option for buildd access to upload hosts
Julien Cristau [Mon, 5 Feb 2018 16:29:31 +0000 (17:29 +0100)]
Use "restrict" key option for buildd access to upload hosts

6 years ago  Use "restrict" key option for buildd access to wanna-build
Julien Cristau [Mon, 5 Feb 2018 16:28:21 +0000 (17:28 +0100)]
Use "restrict" key option for buildd access to wanna-build

6 years ago  Use "restrict" key option for storace's da-backup keys
Julien Cristau [Mon, 5 Feb 2018 16:27:10 +0000 (17:27 +0100)]
Use "restrict" key option for storace's da-backup keys

6 years ago  Use "restrict" key option in debbackup authorized_keys
Julien Cristau [Mon, 5 Feb 2018 16:18:50 +0000 (17:18 +0100)]
Use "restrict" key option in debbackup authorized_keys

6 years ago  Simplify portforwarder authorized_keys options
Julien Cristau [Mon, 5 Feb 2018 15:03:51 +0000 (16:03 +0100)]
Simplify portforwarder authorized_keys options

Replace "no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding" with
"restrict" since all hosts using this module are on stretch with new enough
sshd.

6 years ago  Put ganeti VMs into their own systemd scope
Peter Palfrader [Mon, 5 Feb 2018 13:34:57 +0000 (14:34 +0100)]
Put ganeti VMs into their own systemd scope

6 years ago  modules/postgres/manifests/backup_source: add a comment re docs
Peter Palfrader [Mon, 5 Feb 2018 11:57:07 +0000 (12:57 +0100)]
modules/postgres/manifests/backup_source: add a comment re docs

6 years ago  Add a comment header to /etc/ssh/userkeys/debbackup
Peter Palfrader [Mon, 5 Feb 2018 09:32:00 +0000 (10:32 +0100)]
Add a comment header to /etc/ssh/userkeys/debbackup

6 years ago  Do samhain checks only half as often
Peter Palfrader [Sun, 4 Feb 2018 23:51:28 +0000 (00:51 +0100)]
Do samhain checks only half as often

6 years ago  Update private IP range at leaseweb
Julien Cristau [Sun, 4 Feb 2018 18:10:56 +0000 (19:10 +0100)]
Update private IP range at leaseweb

6 years ago  Add debconf18.debconf.org config on debussy (rt#7089)
Julien Cristau [Sun, 4 Feb 2018 17:48:02 +0000 (18:48 +0100)]
Add debconf18.debconf.org config on debussy (rt#7089)

6 years ago  update sudo for new dsa-check-libs call
Peter Palfrader [Sun, 4 Feb 2018 12:14:39 +0000 (13:14 +0100)]
update sudo for new dsa-check-libs call

6 years ago  Clean up failed rsyncs every few minutes
Peter Palfrader [Sun, 4 Feb 2018 12:07:56 +0000 (13:07 +0100)]
Clean up failed rsyncs every few minutes

6 years ago  ignore salsa fd leak in sidekiq for dsa-check-lib purposes
Peter Palfrader [Sun, 4 Feb 2018 11:35:49 +0000 (12:35 +0100)]
ignore salsa fd leak in sidekiq for dsa-check-lib purposes

6 years ago  and log checksums correctly
Peter Palfrader [Sun, 4 Feb 2018 10:50:42 +0000 (11:50 +0100)]
and log checksums correctly

6 years ago  also log failed target
Peter Palfrader [Sun, 4 Feb 2018 10:49:20 +0000 (11:49 +0100)]
also log failed target

6 years ago  pg-backup-file: continue after failures and only report at the end
Peter Palfrader [Sun, 4 Feb 2018 10:25:59 +0000 (11:25 +0100)]
pg-backup-file: continue after failures and only report at the end

6 years ago  Decommission fano and finzi
Aurelien Jarno [Fri, 2 Feb 2018 16:49:37 +0000 (17:49 +0100)]
Decommission fano and finzi

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  mirror-anu should not actually have an onion address
Tollef Fog Heen [Fri, 2 Feb 2018 15:40:55 +0000 (16:40 +0100)]
mirror-anu should not actually have an onion address

6 years ago  Improve kpartx rule
Aurelien Jarno [Fri, 2 Feb 2018 14:47:33 +0000 (15:47 +0100)]
Improve kpartx rule

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  Disable default kpartx udev rule
Aurelien Jarno [Fri, 2 Feb 2018 14:39:13 +0000 (15:39 +0100)]
Disable default kpartx udev rule

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>

6 years ago  Get rid of obsolete vsftpd::site→absent resources
Tollef Fog Heen [Fri, 2 Feb 2018 10:56:10 +0000 (11:56 +0100)]
Get rid of obsolete vsftpd::site→absent resources

6 years ago  No more conntrackd in bm, so drop firewall opening
Tollef Fog Heen [Fri, 2 Feb 2018 10:54:23 +0000 (11:54 +0100)]
No more conntrackd in bm, so drop firewall opening

6 years ago  Retire ftp.d.o role, it is unused
Tollef Fog Heen [Fri, 2 Feb 2018 10:54:04 +0000 (11:54 +0100)]
Retire ftp.d.o role, it is unused

6 years ago  Clean up debugging foo
Tollef Fog Heen [Fri, 2 Feb 2018 10:27:18 +0000 (11:27 +0100)]
Clean up debugging foo

6 years ago  steve probably does not care about samhain mails very much
Peter Palfrader [Fri, 2 Feb 2018 10:36:39 +0000 (11:36 +0100)]
steve probably does not care about samhain mails very much

6 years ago  Get rid of unused role
Tollef Fog Heen [Fri, 2 Feb 2018 10:17:11 +0000 (11:17 +0100)]
Get rid of unused role

6 years ago  Get rid of some intermediate variables
Tollef Fog Heen [Fri, 2 Feb 2018 10:14:29 +0000 (11:14 +0100)]
Get rid of some intermediate variables

6 years ago  Move onion IP addresses into hiera
Tollef Fog Heen [Fri, 2 Feb 2018 10:10:26 +0000 (11:10 +0100)]
Move onion IP addresses into hiera

6 years ago  Simplify debian_mirror for hiera-hash
Tollef Fog Heen [Fri, 2 Feb 2018 10:06:08 +0000 (11:06 +0100)]
Simplify debian_mirror for hiera-hash

6 years ago  Whitespace
Tollef Fog Heen [Fri, 2 Feb 2018 10:03:17 +0000 (11:03 +0100)]
Whitespace

6 years ago  Move debian_mirror over to being a hash
Tollef Fog Heen [Fri, 2 Feb 2018 10:01:55 +0000 (11:01 +0100)]
Move debian_mirror over to being a hash

6 years ago  Use .dig to dig into hiera structs
Tollef Fog Heen [Fri, 2 Feb 2018 09:57:12 +0000 (10:57 +0100)]
Use .dig to dig into hiera structs