mirror/dsa-puppet.git

Peter Palfrader [Thu, 29 Aug 2019 15:35:10 +0000 (17:35 +0200)]
Include hiera classes

We want to be able to specify which puppet classes a node should include
using hiera.  Start by including hiera classes in the site manifest,
and move the site class so we include something using this mechanism.

Eventually we want to move all the include entries out of manifests/site.pp.

Peter Palfrader [Wed, 28 Aug 2019 11:20:55 +0000 (13:20 +0200)]
update anonscm.map from formorer

Aurelien Jarno [Wed, 28 Aug 2019 10:17:21 +0000 (12:17 +0200)]
Fix another typo

Aurelien Jarno [Wed, 28 Aug 2019 10:09:56 +0000 (12:09 +0200)]
Fix typo in merged_usr fact

Aurelien Jarno [Wed, 28 Aug 2019 10:07:00 +0000 (12:07 +0200)]
samhainrc: support merged usr layout

Aurelien Jarno [Wed, 28 Aug 2019 10:07:00 +0000 (12:07 +0200)]
Add a merged_usr fact

Aurelien Jarno [Wed, 28 Aug 2019 08:46:44 +0000 (10:46 +0200)]
Fix CSAIL IPv6 subnet

Julien Cristau [Wed, 28 Aug 2019 08:29:26 +0000 (10:29 +0200)]
Remove debconf18 vhost from debussy

It moved to static.

Aurelien Jarno [Wed, 28 Aug 2019 08:04:45 +0000 (10:04 +0200)]
ferm: drop FREEBSD_SSH_ACCESS

Aurelien Jarno [Wed, 28 Aug 2019 08:03:33 +0000 (10:03 +0200)]
ferm: add syncproxy.na.debian.org IPv6

Aurelien Jarno [Wed, 28 Aug 2019 07:54:39 +0000 (09:54 +0200)]
Add CSAIL IPv6 range

Paul Wise [Sun, 25 Aug 2019 03:48:59 +0000 (11:48 +0800)]
Bump the language cookie expiry for visits during the expiry period

This ensures that if the user continues to visit the website then
they don't have to manually set the cookie again until they
stop visiting the website for more than the expiry period.

Julien Cristau [Thu, 22 Aug 2019 09:38:42 +0000 (11:38 +0200)]
Enable linger for sreview user (RT#7917)

Peter Palfrader [Thu, 22 Aug 2019 08:58:52 +0000 (10:58 +0200)]
fix ssl client path

Peter Palfrader [Thu, 22 Aug 2019 08:55:49 +0000 (10:55 +0200)]
stop hardcoding loghost names in syslog-ng template

Peter Palfrader [Thu, 22 Aug 2019 08:47:51 +0000 (10:47 +0200)]
move syslog ferm into syslog role

Peter Palfrader [Thu, 22 Aug 2019 08:44:27 +0000 (10:44 +0200)]
make loghost into a role

Julien Cristau [Tue, 20 Aug 2019 14:16:17 +0000 (16:16 +0200)]
No more sid/bullseye chroots for mips

Philipp Kern [Sun, 18 Aug 2019 09:10:55 +0000 (11:10 +0200)]
RT#7893 Let wanna-build admins sudo to wbadm-web

Tollef Fog Heen [Thu, 15 Aug 2019 19:14:58 +0000 (21:14 +0200)]
RT#7862 Let the community team sudo to the community user

Julien Cristau [Tue, 13 Aug 2019 14:53:47 +0000 (16:53 +0200)]
Handle ipv6 addresses in named.conf.options

Aurelien Jarno [Tue, 13 Aug 2019 10:26:12 +0000 (12:26 +0200)]
Add mipsel-osuosl-02.debian.org

Paul Wise [Sun, 11 Aug 2019 09:31:09 +0000 (17:31 +0800)]
Redirect unsetlang to the correct location

The substitution was using the wrong match group.

Fixes: commit eef0d1229a8d2627ffc8663eda9bd2d68a0ef09c

Paul Wise [Sun, 11 Aug 2019 04:18:21 +0000 (12:18 +0800)]
Set the cookie domain based on the HTTP domain.

Avoids issues with setting cookies on www-staging.d.o or other mirrors.

Fixes: commit eef0d1229a8d2627ffc8663eda9bd2d68a0ef09c

Paul Wise [Sat, 3 Aug 2019 02:23:04 +0000 (10:23 +0800)]
Add basic support for influencing language selection via cookies.

The UI for language selection in browsers is rarely used or known about
by visitors so websites need to provide a way for visitors to influence
content negotiation using the website itself in addition to the browser.

Setting a cookie is the simplest option for us as the URLs don't change.

The GDPR does not apply and to satisfy the EU cookie law we can include
some explanatory text around the form that sets the cookie.

Visitors should not get their language cookie changed when other folks link
them to URLs for other languages and search engines should not set language
cookies at all. Using POST requests ensures each cookie is only set explicitly.

Since Apache mod_rewrite cannot inspect POST data, we use URLs instead.

The default cookie lifetime is about one month (60*24*7*4 minutes).

<CAKTje6EzfE89jBqpLQu1_a3ybYkV7pPcquKzQb6Uz8uu=pGudA@mail.gmail.com>
<f849fde79a325422af9a9553f6672a96382ae262.camel@debian.org>
https://httpd.apache.org/docs/current/content-negotiation.html#exceptions

Aurelien Jarno [Sat, 10 Aug 2019 07:45:01 +0000 (09:45 +0200)]
Add mipsel-osuosl-01.debian.org

Julien Cristau [Fri, 9 Aug 2019 14:03:47 +0000 (16:03 +0200)]
Add sso_rp role on wuiet (RT#7892)

Stefano Rivera [Tue, 30 Jul 2019 14:50:06 +0000 (11:50 -0300)]
debconf20.dc.o vhost

Stefano Rivera [Tue, 30 Jul 2019 00:28:24 +0000 (21:28 -0300)]
Switch wafertest to dc20

Aurelien Jarno [Fri, 26 Jul 2019 15:05:13 +0000 (17:05 +0200)]
samhain: ignore /etc/exim4/conf.d

This directory is removed by puppet

Paul Wise [Tue, 23 Jul 2019 23:46:37 +0000 (07:46 +0800)]
Enable proxy module for wiki.debconf.org pass-thru rewrite

Fixes: commit f33e5b0b7749df9e3bf60b7b816898f3d07ecc8b
Fixes: commit f3cf7b1e16b58065689c4ae0ded3e41d6782fb13
Requested-by: tumbleweed on #debian-admin

Paul Wise [Tue, 23 Jul 2019 23:40:11 +0000 (07:40 +0800)]
Enable proxy module for wiki.debconf.org pass-thru rewrite

Fixes: commit f33e5b0b7749df9e3bf60b7b816898f3d07ecc8b
Requested-by: tumbleweed on #debian-admin

Tollef Fog Heen [Tue, 23 Jul 2019 20:12:25 +0000 (22:12 +0200)]
Merge branch 'pass-through-slash' of https://salsa.debian.org/stefanor/dsa-puppet

Signed-off-by: Tollef Fog Heen <tfheen@err.no>

Stefano Rivera [Tue, 23 Jul 2019 19:44:26 +0000 (16:44 -0300)]
PassThrough / to /wiki/

So that the response has a Content-Type header (via the ForceType on
/wiki/).

Peter Palfrader [Fri, 19 Jul 2019 14:05:22 +0000 (16:05 +0200)]
Block 198.108.67.48 from security mirrors for breaking rsync

Peter Palfrader [Fri, 19 Jul 2019 11:01:39 +0000 (13:01 +0200)]
move pg rule from veyepar to sreview

Peter Palfrader [Fri, 19 Jul 2019 10:06:13 +0000 (12:06 +0200)]
Allow DC19 access to the PG on vittoria, re: RT#7845

Peter Palfrader [Fri, 19 Jul 2019 09:57:41 +0000 (11:57 +0200)]
sreview is sreview.debian.net

Peter Palfrader [Fri, 19 Jul 2019 09:55:53 +0000 (11:55 +0200)]
Move veyepar and sreview into own manifests

Peter Palfrader [Thu, 18 Jul 2019 11:32:26 +0000 (13:32 +0200)]
www.do: stop doing permanent redirects

Permanent redirects may be cached permanently.  Don't do that.

Laura Arjona Reina [Thu, 18 Jul 2019 11:10:43 +0000 (13:10 +0200)]
Add redirects for all the /misc section, and group all the redirects related to /misc

Signed-off-by: Peter Palfrader <peter@palfrader.org>

Aurelien Jarno [Mon, 8 Jul 2019 19:28:05 +0000 (21:28 +0200)]
manda: entropykey moved from czerny to manda-node04

Peter Palfrader [Sun, 7 Jul 2019 18:54:16 +0000 (20:54 +0200)]
give keyring the ability to reload bind9

Peter Palfrader [Sun, 7 Jul 2019 18:14:18 +0000 (20:14 +0200)]
Notify on _openpgpkey.debian.org

Peter Palfrader [Sun, 7 Jul 2019 18:12:11 +0000 (20:12 +0200)]
do nsec3 via puppet

Peter Palfrader [Sun, 7 Jul 2019 18:09:38 +0000 (20:09 +0200)]
Sign _openpgpkey.debian.org

Peter Palfrader [Sun, 7 Jul 2019 18:05:49 +0000 (20:05 +0200)]
Add a flag to the dns-helper tooling

Peter Palfrader [Sun, 7 Jul 2019 18:04:05 +0000 (20:04 +0200)]
Add a flag to the dns-helper tooling

Peter Palfrader [Sun, 7 Jul 2019 10:16:27 +0000 (12:16 +0200)]
geo ferm

Peter Palfrader [Sun, 7 Jul 2019 10:15:26 +0000 (12:15 +0200)]
geo ferm

Peter Palfrader [Sun, 7 Jul 2019 10:13:50 +0000 (12:13 +0200)]
fw on kaufmann

Peter Palfrader [Sun, 7 Jul 2019 10:09:22 +0000 (12:09 +0200)]
fw on kaufmann

Peter Palfrader [Sun, 7 Jul 2019 10:07:32 +0000 (12:07 +0200)]
fw on kaufmann

Peter Palfrader [Sun, 7 Jul 2019 10:06:39 +0000 (12:06 +0200)]
fw on kaufmann

Peter Palfrader [Sun, 7 Jul 2019 10:04:33 +0000 (12:04 +0200)]
notify bind9

Peter Palfrader [Sun, 7 Jul 2019 10:04:09 +0000 (12:04 +0200)]
Set masters

Peter Palfrader [Sun, 7 Jul 2019 10:01:30 +0000 (12:01 +0200)]
Fetch openpgpkey zone to denis

Peter Palfrader [Sun, 7 Jul 2019 10:01:23 +0000 (12:01 +0200)]
reindent

Peter Palfrader [Sun, 7 Jul 2019 09:56:49 +0000 (11:56 +0200)]
We no longer have secondaries for the debian zones

Peter Palfrader [Sun, 7 Jul 2019 09:42:39 +0000 (11:42 +0200)]
add a ;

Peter Palfrader [Sun, 7 Jul 2019 09:38:16 +0000 (11:38 +0200)]
Try to add openpgpkey zone

Peter Palfrader [Sun, 7 Jul 2019 09:31:36 +0000 (11:31 +0200)]
fix array

Peter Palfrader [Sun, 7 Jul 2019 09:31:15 +0000 (11:31 +0200)]
set up a shared keypair between kaufmann and denis

Peter Palfrader [Sun, 7 Jul 2019 09:29:48 +0000 (11:29 +0200)]
reorder ACLs and shared keys on primary

Peter Palfrader [Sun, 7 Jul 2019 09:26:59 +0000 (11:26 +0200)]
Include local shared keys on primary

Peter Palfrader [Sun, 7 Jul 2019 09:23:19 +0000 (11:23 +0200)]
move ACLs for 3rd party things from the named.conf.options template to named.conf.puppet-misc

Peter Palfrader [Sun, 7 Jul 2019 09:10:42 +0000 (11:10 +0200)]
Add a named.conf.puppet-misc

Peter Palfrader [Sun, 7 Jul 2019 09:10:32 +0000 (11:10 +0200)]
unify query log

Peter Palfrader [Sun, 7 Jul 2019 09:08:30 +0000 (11:08 +0200)]
Move creation of /etc/bind/named.conf.options from ::geodns and ::primary to parent

Peter Palfrader [Sun, 7 Jul 2019 09:00:55 +0000 (11:00 +0200)]
move named.conf.debian-zones.erb from authoritative to primary

Peter Palfrader [Sun, 7 Jul 2019 08:58:05 +0000 (10:58 +0200)]
authoritative bin on keyring host

Peter Palfrader [Sun, 7 Jul 2019 08:56:32 +0000 (10:56 +0200)]
unify v4 and v6 rules in named::primary

Peter Palfrader [Sun, 7 Jul 2019 08:53:16 +0000 (10:53 +0200)]
Move DNS things from named to named::primary and named::geodns

Peter Palfrader [Sun, 7 Jul 2019 08:51:39 +0000 (10:51 +0200)]
Load named::geodns from roles/manifests/init.pp based on hiera instead of from site manifest based on hostname

Aurelien Jarno [Sat, 6 Jul 2019 11:52:41 +0000 (13:52 +0200)]
setup-all-dchroots: add bullseye

Peter Palfrader [Fri, 5 Jul 2019 05:28:23 +0000 (07:28 +0200)]
Permanent redirects mean we can never, ever change them again as they might be cached.  Stop doing those.

Peter Palfrader [Fri, 5 Jul 2019 05:27:04 +0000 (07:27 +0200)]
Redirect / of openpgpkey to keyring.d.o

Matthieu Caneill [Thu, 4 Jul 2019 13:14:15 +0000 (15:14 +0200)]
add robots.txt to sources.d.o

Signed-off-by: Julien Cristau <jcristau@debian.org>

Peter Palfrader [Wed, 3 Jul 2019 06:09:59 +0000 (08:09 +0200)]
Force HiddenServiceVersion 2 as that is the only thing onionbalance understands, II

Peter Palfrader [Wed, 3 Jul 2019 06:08:08 +0000 (08:08 +0200)]
Force HiddenServiceVersion 2 as that is the only thing onionbalance understands

Peter Palfrader [Tue, 2 Jul 2019 13:51:11 +0000 (15:51 +0200)]
Link https://dev.gnupg.org/T4603 with workaround

Peter Palfrader [Tue, 2 Jul 2019 11:00:13 +0000 (13:00 +0200)]
work around GnuPG being silly with redirects

Peter Palfrader [Tue, 2 Jul 2019 09:39:29 +0000 (11:39 +0200)]
redirect https://debian.org/.well-known/openpgpkey/ to openpgpkey.debian.org (re: RT#7828)

4 years ago Make redirects from the various debian.* and www.debian.{!org} pages less permanent
Peter Palfrader [Tue, 2 Jul 2019 09:34:29 +0000 (11:34 +0200)]
Make redirects from the various debian.* and debian.{!org} pages less permanent

Peter Palfrader [Tue, 2 Jul 2019 09:21:29 +0000 (11:21 +0200)]
Fix openpgpkey dir

Peter Palfrader [Tue, 2 Jul 2019 09:18:47 +0000 (11:18 +0200)]
And make content appear under /.well-known/openpgpkey/ openpgpkey (re: #RT7828)

Peter Palfrader [Tue, 2 Jul 2019 09:15:40 +0000 (11:15 +0200)]
disable indexing on openpgpkey (re: #RT7828)

Peter Palfrader [Tue, 2 Jul 2019 09:04:43 +0000 (11:04 +0200)]
static component for openpgpkey (re: #RT7828)

Peter Palfrader [Tue, 2 Jul 2019 09:00:09 +0000 (11:00 +0200)]
kaufmann as saticsource (re: #RT7828)

Aurelien Jarno [Sun, 23 Jun 2019 12:13:08 +0000 (14:13 +0200)]
lvm-osuosl-ganeti2.conf: only look for /dev/sda to workaround multipath issues

multipath doesn't work properly on pieta. Workaround the issue by only
looking at /dev/sda.

Aurelien Jarno [Sat, 22 Jun 2019 19:02:45 +0000 (21:02 +0200)]
010-security.debian.org.conf: explicitly bind to localhost

On hosts having services on different IP addresses, *:80 is not enough
to run the security vhost on localhost, as other services might also
explicitly bind to localhost. This breaks mirror-health check.

For example on schmelzer.d.o:

010-archive.debian.org.conf
  <VirtualHost 217.196.149.234:80 [2a02:16a8:dc41:100::234]:80>

010-debug.mirrors.debian.org.conf
  <VirtualHost 217.196.149.232:80 [2a02:16a8:dc41:100::232]:80 127.0.0.1:80 [::1]:80 >

010-ftp.debian.org.conf
  <VirtualHost 217.196.149.232:80 [2a02:16a8:dc41:100::232]:80 127.0.0.1:80 [::1]:80 >

010-security.debian.org.conf
  <VirtualHost *:80>

Without this fix, it means that a request to security.backend.mirrors.d.o
on localhost ends up in the debug.mirrors.d.o vhost, and is thus
answered as 404.

Aurelien Jarno [Sat, 22 Jun 2019 15:39:46 +0000 (17:39 +0200)]
More cleanup following the apt.buildd.debian.org removal

Aurelien Jarno [Sat, 22 Jun 2019 12:24:25 +0000 (14:24 +0200)]
Drop apt.buildd.debian.org

We do not use it since none of our buildds are running jessie

Aurelien Jarno [Sat, 22 Jun 2019 12:19:31 +0000 (14:19 +0200)]
All our buildds are running at least stretch, drop jessie specific code

Aurelien Jarno [Tue, 18 Jun 2019 19:37:52 +0000 (21:37 +0200)]
Decommission binet

Aurelien Jarno [Mon, 17 Jun 2019 20:57:39 +0000 (22:57 +0200)]
Add x86-ubc-02.d.o

Aurelien Jarno [Sun, 16 Jun 2019 19:48:36 +0000 (21:48 +0200)]
decommission x86-bm-01

Aurelien Jarno [Sun, 16 Jun 2019 14:05:50 +0000 (16:05 +0200)]
Add x86-grnet-02.debian.org

Aurelien Jarno [Sat, 15 Jun 2019 20:30:22 +0000 (22:30 +0200)]
Regen manda-node04 NTP key

It needs to be generated with -T

Aurelien Jarno [Sat, 15 Jun 2019 20:22:58 +0000 (22:22 +0200)]
Move timeserver from clementi to manda-node04 (missing part)