Merge branch 'master' of https://bitbucket.org/tmakinen/puppet

2013-02-28 16:35:46 +01:00 · 2013-02-28 16:35:46 +01:00 · 2217bca3a1
commit 2217bca3a1
parent ed429d7183 f17eacf99a
42 changed files with 622 additions and 130 deletions
--- a/14
+++ b/14
@ -1,12 +1,16 @@
-
-MODULES = $(shell find */manifests/init.pp | sed -e 's/^\([^\/]*\).*/\1/')
-MANIFESTS = $(shell find . -name \*.pp)
+MODULES := $(shell find * -type d -prune)
+MANIFESTS := $(shell find . -name \*.pp)
+MODULESDIR := /etc/puppet/modules-$(shell date +%Y-%m-%d)
+TARFLAGS = --owner=root --group=root --mode g-w,o=g --exclude=.git --exclude=rdoc

 all: puppet-modules.tar.gz

 puppet-modules.tar.gz: $(MODULES) LICENSE CREDITS Makefile.inc
-	umask 022 ; tar zcvf $@ --owner=root --group=root \
-		--mode g-w,o=g --exclude=.git --exclude=rdoc $^
+	umask 022 ; tar zcvf $@ $(TARFLAGS) $^
+
+install: $(MODULES) LICENSE CREDITS Makefile.inc
+	@umask 022 ; mkdir -p $(MODULESDIR) && \
+		tar cf - $(TARFLAGS) $^ | tar xvf - -C $(MODULESDIR)

 check:
 	@which puppet > /dev/null 2>&1 || ( \
--- a/abusehelper/files/botnet.init
+++ b/abusehelper/files/botnet.init
@ -0,0 +1,81 @@
+#!/bin/sh
+
+# chkconfig: 2345 85 60
+# description: AbuseHelper botnets
+# processname: botnet
+
+### BEGIN INIT INFO
+# Provides: botnet
+# Required-Start: $local_fs $network $syslog
+# Should-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: AbuseHelper botnets
+# Description: AbuseHelper botnets
+### END INIT INFO
+
+if [ $(id -u) != "0" ]; then
+    echo "This script must be run with root privileges." && exit 1
+fi
+
+if [ -s /etc/default/botnet ]; then
+    . /etc/default/botnet
+elif [ -s /etc/sysconfig/botnet ]; then
+    . /etc/sysconfig/botnet
+fi
+
+if [ -z "${BOTUSER}" ]; then
+    echo "$0: no BOTUSER defined"
+    exit 1
+fi
+
+if [ -z "${BOTNETS}" ]; then
+    echo "$0: no BOTNETS defined"
+    exit 1
+fi
+
+start_botnets() {
+    for botnet in ${BOTNETS}; do
+        echo -n "${botnet}: "
+        test -d ${botnet} || { echo "No such directory."; continue; }
+        su -s /bin/sh - ${BOTUSER} \
+            -c "umask 007 ; cd ${botnet} && botnet start ."
+    done
+}
+
+stop_botnets() {
+    for botnet in ${BOTNETS}; do
+        echo -n "${botnet}: "
+        test -d ${botnet} || { echo "No such directory."; continue; }
+        su -s /bin/sh - ${BOTUSER} \
+            -c "umask 007 ; cd ${botnet} && botnet stop ."
+    done
+}
+
+restart_botnets() {
+    for botnet in ${BOTNETS}; do
+        echo -n "${botnet}: "
+        test -d ${botnet} || { echo "No such directory."; continue; }
+        su -s /bin/sh - ${BOTUSER} \
+            -c "umask 007 ; cd ${botnet} && botnet restart ."
+    done
+}
+
+case "$1" in
+    start)
+        start_botnets
+        ;;
+    stop)
+        stop_botnets
+        ;;
+    restart)
+        restart_botnets
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|restart}"
+        exit 1
+        ;;
+esac
+
+exit 0
--- a/abusehelper/manifests/init.pp
+++ b/abusehelper/manifests/init.pp
@ -1,4 +1,12 @@
-# Install abusehelper from svn.
+# Install abusehelper.
+#
+# === Global variables
+#
+#   $abusehelper_botnets
+#       Array of botnet paths to start at boot.
+#
+#   $abusehelper_user
+#       User botnets run as. Defaults to 'abusehel'.
 #
 class abusehelper {

@ -105,4 +113,47 @@ class abusehelper {
        }
    }

+    if !$abusehelper_user {
+        $abusehelper_user = "abusehel"
+    }
+
+    if $abusehelper_botnets {
+        file { "/etc/sysconfig/botnet":
+            ensure  => present,
+            name    => $::operatingsystem ? {
+                "debian" => "/etc/default/botnet",
+                "ubuntu" => "/etc/default/botnet",
+                default  => "/etc/sysconfig/botnet",
+            },
+            mode    => "0644",
+            owner   => "root",
+            group   => "root",
+            content => template("abusehelper/botnet.sysconfig.erb"),
+            before  => Service["botnet"],
+        }
+
+        file { "/etc/init.d/botnet":
+            ensure => present,
+            mode   => "0755",
+            owner  => "root",
+            group  => "root",
+            source => "puppet:///modules/abusehelper/botnet.init",
+            notify => Exec["add-service-botnet"],
+        }
+        exec { "add-service-botnet":
+            path        => "/bin:/usr/bin:/sbin:/usr/sbin",
+            command     => $::operatingsystem ? {
+                "debian" => "update-rc.d botnet defaults",
+                "ubuntu" => "update-rc.d botnet defaults",
+                default  => "chkconfig --add botnet",
+            },
+            refreshonly => true,
+            before      => Service["botnet"],
+        }
+
+        service { "botnet":
+            enable => true,
+        }
+    }
+
 }
--- a/abusehelper/templates/botnet.sysconfig.erb
+++ b/abusehelper/templates/botnet.sysconfig.erb
@ -0,0 +1,2 @@
+BOTUSER="<%= abusehelper_user %>"
+BOTNETS="<%= abusehelper_botnets.join(" ") %>"
--- a/apache/files/mod_wsgi.conf
+++ b/apache/files/mod_wsgi.conf
@ -0,0 +1,2 @@
+LoadModule wsgi_module modules/mod_wsgi.so
+WSGISocketPrefix /var/run/mod_wsgi/wsgi
--- a/apache/manifests/debian.pp
+++ b/apache/manifests/debian.pp
@ -180,7 +180,8 @@ class apache::debian::sslserver inherits apache::debian::common {
 }


-define apache::debian::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) {
+define apache::debian::sslsite($first, $ipaddr, $root,
+                               $ssl_cert, $ssl_key, $ssl_chain) {

    if $name == "default" {
        $site_fqdn = $homename
@ -253,8 +254,13 @@ define apache::debian::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain)
        }
    }

-    $site_conf = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf"
-    $site_confdir = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.d"
+    if $first == true {
+        $site_conf = "/etc/apache2/sites-enabled/00-${site_fqdn}-ssl.conf"
+        $site_confdir = "/etc/apache2/sites-enabled/00-${site_fqdn}-ssl.d"
+    } else {
+        $site_conf = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf"
+        $site_confdir = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.d"
+    }

    file { $site_conf:
        ensure  => present,
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@ -81,9 +81,16 @@ class apache::common {
        group   => "root",
        seltype => "httpd_rotatelogs_exec_t",
    }
-    selinux::manage_fcontext { "/usr/local/sbin/www-logrotate.sh":
-        type   => "httpd_rotatelogs_exec_t",
-        before => File["/usr/local/sbin/www-logrotate.sh"],
+    if $::operatingsystem == "Fedora" and $::operatingsystemrelease > 17 {
+        selinux::manage_fcontext { "/usr/sbin/www-logrotate.sh":
+            type   => "httpd_rotatelogs_exec_t",
+            before => File["/usr/local/sbin/www-logrotate.sh"],
+        }
+    } else {
+        selinux::manage_fcontext { "/usr/local/sbin/www-logrotate.sh":
+            type   => "httpd_rotatelogs_exec_t",
+            before => File["/usr/local/sbin/www-logrotate.sh"],
+        }
    }

    cron { "www-logrotate":
@ -248,6 +255,9 @@ class apache::sslserver::listen {
 #
 #   $name:
 #       FQDN of virtual host.
+#   $first:
+#       Bool for whether this is the first (default) vhost
+#       when using NameVirtualHost. Defaults to false.
 #   $ipaddr:
 #       IP address of virtual host. Defaults to _default_.
 #   $root:
@ -267,7 +277,7 @@ class apache::sslserver::listen {
 #     ssl_key  => "puppet:///path/to/www.example.com.key",
 # }
 #
-define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", $ssl_chain="") {
+define apache::sslsite($first=false, $ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", $ssl_chain="") {

    include apache::sslserver::listen

@ -275,6 +285,7 @@ define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="",
        "debian","ubuntu": {
            $apache_ssldir = "/etc/ssl"
            apache::debian::sslsite { $name:
+                first     => $first,
                ipaddr    => $ipaddr,
                root      => $root,
                ssl_cert  => $ssl_cert,
@ -286,6 +297,7 @@ define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="",
        "centos","redhat","fedora": {
            $apache_ssldir = "/etc/pki/tls"
            apache::redhat::sslsite { $name:
+                first     => $first,
                ipaddr    => $ipaddr,
                root      => $root,
                ssl_cert  => $ssl_cert,
@ -674,8 +686,15 @@ class apache::mod::wsgi {
        }
        "centos","redhat","fedora": {
            apache::configfile { "wsgi.conf":
+                source  => "puppet:///modules/apache/mod_wsgi.conf",
                require => Package["mod_wsgi"],
            }
+            file { "/var/run/mod_wsgi":
+                ensure => directory,
+                mode   => "0755",
+                owner  => "root",
+                group  => "root",
+            }
        }
        default: {
            fail("Apache module not supported in ${::operatingsystem}.")
--- a/apache/manifests/redhat.pp
+++ b/apache/manifests/redhat.pp
@ -74,11 +74,12 @@ define apache::redhat::site($aliases, $root, $redirect) {
            }

            file { "/srv/www/log/http/${site_fqdn}":
-                ensure => directory,
-                mode   => "0755",
-                owner  => root,
-                group  => root,
-                before => File[$site_conf],
+                ensure  => directory,
+                mode    => "0755",
+                owner   => "root",
+                group   => "root",
+                seltype => "httpd_log_t",
+                before  => File[$site_conf],
            }
        }
    }
@ -176,7 +177,13 @@ class apache::redhat::sslserver {
                mode   => "0755",
                owner  => "root",
                group  => "root",
-                before => Service["httpsd"],
+                notify => Exec["chkconfig --add httpsd"],
+            }
+            exec { "chkconfig --add httpsd":
+                user        => "root",
+                path        => "/bin:/usr/bin:/sbin:/usr/sbin",
+                refreshonly => true,
+                before      => Service["httpsd"],
            }
        }
    }
@ -212,7 +219,8 @@ class apache::redhat::sslserver {
 }


-define apache::redhat::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) {
+define apache::redhat::sslsite($first, $ipaddr, $root,
+                               $ssl_cert, $ssl_key, $ssl_chain) {

    if $name == "default" {
        $site_fqdn = $homename
@ -286,8 +294,13 @@ define apache::redhat::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain)
        }
    }

-    $site_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf"
-    $site_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d"
+    if $first == true {
+        $site_conf = "/etc/httpd/site.https.d/00-${site_fqdn}.conf"
+        $site_confdir = "/etc/httpd/site.https.d/00-${site_fqdn}.d"
+    } else {
+        $site_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf"
+        $site_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d"
+    }

    file { $site_conf:
        ensure  => present,
--- a/apache/templates/httpsd.conf.erb
+++ b/apache/templates/httpsd.conf.erb
@ -145,6 +145,9 @@ MaxRequestsPerChild  0
 # Example:
 # LoadModule foo_module modules/mod_foo.so
 #
+<% if operatingsystem == 'Fedora' and operatingsystemrelease.to_i > 17 -%>
+Include conf.modules.d/*.conf
+<% else -%>
 LoadModule auth_basic_module modules/mod_auth_basic.so
 LoadModule auth_digest_module modules/mod_auth_digest.so
 LoadModule authn_file_module modules/mod_authn_file.so
@ -199,6 +202,7 @@ LoadModule mem_cache_module modules/mod_mem_cache.so
 <% end -%>
 LoadModule cgi_module modules/mod_cgi.so
 LoadModule version_module modules/mod_version.so
+<% end -%>

 #
 # The following modules are not loaded by default:
--- a/apache/templates/ssl.conf.erb
+++ b/apache/templates/ssl.conf.erb
@ -3,7 +3,7 @@ LoadModule ssl_module modules/mod_ssl.so
 </IfModule>

 Listen 443
-<% if ['CentOS','RedHat'].index(operatingsystem) or operatingsystem == 'Fedora' -%>
+<% if ['Fedora','CentOS','RedHat'].index(operatingsystem) -%>
 ##
 ##  SSL Global Context
 ##
@ -30,11 +30,13 @@ SSLPassPhraseDialog  builtin
 SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
 SSLSessionCacheTimeout  300

+<% unless operatingsystem == 'Fedora' and operatingsystemrelease.to_i > 17 -%>
 #   Semaphore:
 #   Configure the path to the mutual exclusion semaphore the
 #   SSL engine uses internally for inter-process synchronization. 
 SSLMutex default

+<% end -%>
 #   Pseudo Random Number Generator (PRNG):
 #   Configure one or more sources to seed the PRNG of the 
 #   SSL library. The seed data should be of good random quality.
--- a/dns/files/named.conf.options
+++ b/dns/files/named.conf.options
@ -1,7 +1,7 @@

 options {
    listen-on { any; };
-    listen-on-v6 { none; };
+    listen-on-v6 { any; };

    allow-query { any; };
    allow-recursion { trusted; };
--- a/dns/manifests/init.pp
+++ b/dns/manifests/init.pp
@ -360,17 +360,21 @@ define dns::zone($role = "master", $master = "", $slaves = [], $forwarders = [],
    if $zonedir != "" {
        if !defined(File["${dns::server::chroot}${zonedir}"]) {
            file { "${dns::server::chroot}${zonedir}":
-                ensure => directory,
-                mode   => $role ? {
+                ensure  => directory,
+                mode    => $role ? {
                    "master" => "0750",
                    default  => "0770",
                },
-                owner  => "root",
-                group  => $dns::server::group,
-                before => $role ? {
+                owner   => "root",
+                group   => $dns::server::group,
+                before  => $role ? {
                    "master" => File["${dns::server::chroot}${zonedir}/db.${zonefile}"],
                    default  => undef,
                },
+                require => $::operatingsystem ? {
+                    "openbsd" => undef,
+                    default   => Package["bind"],
+                },
            }
        }
    }
--- a/etherpadlite/README.CentOS
+++ b/etherpadlite/README.CentOS
@ -0,0 +1,6 @@
+yum install v8-devel openssl-devel zlib-devel
+mkdir /usr/local/src/nodejs && cd /usr/local/src/nodejs
+wget http://nodejs.org/dist/node-latest.tar.gz
+tar xzvf node-latest.tar.gz && cd node-v*
+./configure --shared-v8 --shared-openssl --shared-zlib
+make install
--- a/firewall/manifests/init.pp
+++ b/firewall/manifests/init.pp
@ -111,6 +111,17 @@ class firewall::common::iptables {
    }
    $ip6states = versioncmp($::kernelversion, "2.6.20")

+    if $::operatingsystem == "Fedora" and $::operatingsystemrelease > 17 {
+        package { "firewall-config":
+            ensure => absent,
+            before => Package["firewalld"],
+        }
+        package { "firewalld":
+            ensure => absent,
+            before => Package["iptables"],
+        }
+    }
+
    package { "iptables":
        ensure => installed,
        name   => $::operatingsystem ? {
@ -119,7 +130,8 @@ class firewall::common::iptables {
            "debian" => [ "iptables", "iptables-persistent" ],
            "fedora" => $::operatingsystemrelease ? {
                /^1[0-5]/ => [ "iptables", "iptables-ipv6" ],
-                default   => "iptables",
+                /^1[6-7]/ => "iptables",
+                default   => [ "iptables", "iptables-services" ],
            },
            "ubuntu" => [ "iptables", "iptables-persistent" ],
        },
--- a/git/manifests/init.pp
+++ b/git/manifests/init.pp
@ -33,10 +33,11 @@ class git::server {

    if $git_datadir {
        file { $git_datadir:
-            ensure => directory,
-            mode   => "0755",
-            owner  => "root",
-            group  => "root",
+            ensure  => directory,
+            mode    => "0755",
+            owner   => "root",
+            seltype => "git_system_content_t",
+            group   => "root",
        }
        file { "/srv/git":
            ensure  => link,
@ -49,20 +50,13 @@ class git::server {
            mode    => "0755",
            owner   => "root",
            group   => "root",
-            seltype => "httpd_sys_content_t",
        }
    }

-    if "${selinux}" == "true" {
-        selinux::manage_fcontext { "/srv/git(/.*)?":
-            type   => "httpd_sys_content_t",
-            before => File["/srv/git"],
-        }
-        if $git_datadir {
-            selinux::manage_fcontext { "${git_datadir}(/.*)?":
-                type   => "httpd_sys_content_t",
-                before => File[$git_datadir],
-            }
+    if $git_datadir {
+        selinux::manage_fcontext { "${git_datadir}(/.*)?":
+            type   => "git_system_content_t",
+            before => File[$git_datadir],
        }
    }

--- a/kerberos/manifests/init.pp
+++ b/kerberos/manifests/init.pp
@ -74,6 +74,8 @@ class kerberos::client {
 #
 class kerberos::auth {

+    include pam::common
+
    include kerberos::client
    $kdclist = inline_template('<%= kerberos_kdc.join(" ") -%>')

@ -86,7 +88,7 @@ class kerberos::auth {
                path    => "/bin:/usr/bin:/sbin:/usr/sbin",
                unless  => "egrep '^USEKERBEROS=yes\$' /etc/sysconfig/authconfig",
                before  => Class["kerberos::client"],
-                require => Package["pam_krb5"],
+                require => Package["authconfig", "pam_krb5"],
            }
        }
        default: {
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@ -14,6 +14,8 @@
 #
 class ldap::auth inherits ldap::client {

+    include pam::common
+
    tag("bootstrap")

    $ldap_uri = inline_template('<%= ldap_server.join(" ") -%>')
@ -31,7 +33,7 @@ class ldap::auth inherits ldap::client {
                        before  => [ Augeas["nslcd-conf"],
                                     Augeas["pam-ldap-conf"],
                                     File["/etc/openldap/ldap.conf"], ],
-                        require => Package["nss-pam-ldapd"],
+                        require => Package["authconfig", "nss-pam-ldapd"],
                    }
                    augeas { "nslcd-conf":
                        changes => [ "set pagesize 500",
@ -69,7 +71,7 @@ class ldap::auth inherits ldap::client {
                        unless  => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"',
                        before  => [ Augeas["pam-ldap-conf"],
                                     File["/etc/openldap/ldap.conf"], ],
-                        require => Package["nss_ldap"],
+                        require => Package["authconfig", "nss_ldap"],
                    }
                    augeas { "pam-ldap-conf":
                        context  => "/files/etc/ldap.conf",
@ -100,7 +102,7 @@ class ldap::auth inherits ldap::client {
                path    => "/bin:/usr/bin:/sbin:/usr/sbin",
                unless  => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"',
                before  => Augeas["sssd-conf"],
-                require => [ Package["sssd"], Package["pam_ldap"], ],
+                require => Package["authconfig", "sssd", "pam_ldap"],
            }
            augeas { "sssd-conf":
                changes => [
@ -363,7 +365,7 @@ class ldap::server {
                command => "usermod -a -G ssl-cert openldap",
                unless  => "id -n -G openldap | grep '\\bssl-cert\\b'",
                require => Package["openldap-server"],
-                before  => Service["slapd"],
+                before  => Exec["slaptest"],
            }
        }
        "fedora": {
@ -422,7 +424,7 @@ class ldap::server {
            default   => "root",
        },
        require => Package["openldap-server"],
-        notify  => Service["slapd"],
+        notify  => Exec["slaptest"],
    }
    file { "${ssl::private}/slapd.key":
        ensure  => present,
@ -431,7 +433,7 @@ class ldap::server {
        owner   => "root",
        group   => $group,
        require => Package["openldap-server"],
-        notify  => Service["slapd"],
+        notify  => Exec["slaptest"],
    }

    file { "slapd.conf":
@ -441,7 +443,7 @@ class ldap::server {
        mode    => "0640",
        owner   => "root",
        group   => $group,
-        notify  => Service["slapd"],
+        notify  => Exec["slaptest"],
        require => Package["openldap-server"],
    }
    file { "${config}/slapd.conf.d":
@ -466,7 +468,7 @@ class ldap::server {
                    mode    => "0644",
                    owner   => "root",
                    group   => "root",
-                    notify  => Service["slapd"],
+                    notify  => Exec["slaptest"],
                    require => Package["openldap-server"],
                }
            }
@ -477,12 +479,20 @@ class ldap::server {
                mode    => "0644",
                owner   => "root",
                group   => "root",
-                notify  => Service["slapd"],
+                notify  => Exec["slaptest"],
                require => Package["openldap-server"],
            }
        }
    }

+    exec { "slaptest":
+        command     => "slaptest",
+        path        => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
+        refreshonly => true,
+        require     => File["${config}/slapd.conf.d"],
+        notify      => Service["slapd"],
+    }
+
    service { "slapd":
        name    => $service_name,
        start   => $::operatingsystem ? {
@ -491,7 +501,7 @@ class ldap::server {
        },
        ensure  => running,
        enable  => true,
-        require => Package ["openldap-server"]
+        require => Package["openldap-server"]
    }

    if $ldap_datadir {
@ -560,7 +570,7 @@ class ldap::server {
        path        => "/bin:/usr/bin:/sbin:/usr/sbin",
        refreshonly => true,
        require     => File["${config}/slapd.conf.d"],
-        notify      => Service["slapd"],
+        notify      => Exec["slaptest"],
    }
    ldap::server::schema { [ "core", "cosine", "ppolicy", ]:
        idx => 10,
@ -572,13 +582,13 @@ class ldap::server {
        owner   => "root",
        group   => $group,
        require => Exec["generate-slapd-database-config"],
-        notify  => Service["slapd"],
+        notify  => Exec["slaptest"],
    }
    exec { "generate-slapd-database-config":
        command     => "find ${config}/slapd.conf.d/db.*.conf -exec echo 'include {}' \\; > ${config}/slapd.conf.d/database.conf",
        path        => "/bin:/usr/bin:/sbin:/usr/sbin",
        refreshonly => true,
-        notify      => Service["slapd"],
+        notify      => Exec["slaptest"],
    }

 }
@ -601,6 +611,9 @@ class ldap::server {
 #       Password for uid=replicator,cn=config,${name} user on master.
 #       Only needed for slave databases.
 #
+#   $rid:
+#       Replica ID. Must be unique per replica per database.
+#
 #   $moduleoptions:
 #       Options for overlay modules.
 #
@ -610,10 +623,16 @@ class ldap::server {
 #     moduleoptions => [ "smbkrb5pwd-enable=samba", ]
 # }
 #
-define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $moduleoptions = []) {
+define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $rid = "", $moduleoptions = []) {

    include ldap::server

+    if $rid == "" {
+        $rid_real = fqdn_rand(999)
+    } else {
+        $rid_real = $rid
+    }
+
    file { "${ldap::server::config}/slapd.conf.d/db.${name}.conf":
        ensure  => present,
        content => template("ldap/slapd-database.conf.erb"),
@ -636,7 +655,7 @@ define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $modu
        mode    => "0640",
        owner   => "root",
        group   => $ldap::server::group,
-        notify  => Service["slapd"],
+        notify  => Exec["slaptest"],
    }

    file { "${ldap::server::config}/slapd.conf.d/index.${name}.conf":
@ -647,7 +666,7 @@ define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $modu
        mode    => "0640",
        owner   => "root",
        group   => $ldap::server::group,
-        notify  => Service["slapd"],
+        notify  => Exec["slaptest"],
    }

    file { "/srv/ldap/${name}":
@ -672,7 +691,7 @@ define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $modu
        },
        seltype => "slapd_db_t",
        require => File["/srv/ldap/${name}"],
-        before  => Service["slapd"],
+        before  => Exec["slaptest"],
    }

 }
--- a/ldap/templates/slapd-database.conf.erb
+++ b/ldap/templates/slapd-database.conf.erb
@ -29,18 +29,18 @@ overlay				syncprov
 syncprov-checkpoint		100 10
 syncprov-sessionlog		100

-# The database directory MUST exist prior to running slapd AND 
+# The database directory MUST exist prior to running slapd AND
 # should only be accessible by the slapd and slap tools.
 # Mode 700 recommended.
 directory	/srv/ldap/<%= name %>

 <% if master != "" -%>
 # replication
-syncrepl rid=2
+syncrepl rid=<%= rid_real %>
         provider=<%= master %>
         type=refreshAndPersist
         retry="10 10 60 +"
-         searchbase="<%= ldap_basedn %>"
+         searchbase="<%= name %>"
         filter="(objectClass=*)"
         scope="sub"
         sizelimit=500000
@ -48,7 +48,7 @@ syncrepl rid=2
         schemachecking="off"
         bindmethod="simple"
         tls_reqcert="never"
-         binddn="uid=replicator,cn=config,<%= ldap_basedn %>"
+         binddn="uid=replicator,cn=config,<%= name %>"
         credentials="<%= syncpw %>"
 updateref <%= master %>
 <% end -%>
--- a/ldap/templates/slapd.conf.erb
+++ b/ldap/templates/slapd.conf.erb
@ -42,7 +42,7 @@ moduleload <%= name %>.la
 TLSCertificateFile	<%= scope.lookupvar('ssl::certs') %>/slapd.crt
 TLSCertificateKeyFile	<%= scope.lookupvar('ssl::private') %>/slapd.key
 TLSCACertificatePath	<%= scope.lookupvar('ldap::server::config') %>/cacerts
-TLSVerifyClient		never
+TLSVerifyClient		try

 # include database configs
 include		<%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/database.conf
--- a/logwatch/manifests/init.pp
+++ b/logwatch/manifests/init.pp
@ -0,0 +1,16 @@
+# Install logwatch.
+#
+class logwatch {
+
+    case $::kernel {
+        "linux": {
+            package { "logwatch":
+                ensure => installed,
+            }
+        }
+        default: {
+            fail("logwatch not supported on ${::kernel}")
+        }
+    }
+
+}
--- a/motd/files/empty
+++ b/motd/files/empty
--- a/motd/manifests/init.pp
+++ b/motd/manifests/init.pp
@ -0,0 +1,29 @@
+
+# Deploy motd file to server
+#
+class motd {
+
+    case $::operatingsystem {
+        "ubuntu": {
+            package { "update-motd":
+                ensure => absent,
+            }
+        }
+    }
+
+    file { "/etc/motd":
+        ensure => present,
+        source => [
+          "puppet:///files/motd/motd.${::homename}",
+          "puppet:///files/motd/motd",
+          "puppet:///modules/motd/empty",
+        ],
+        mode   => "0644",
+        owner  => "root",
+        group  => $::operatingsystem ? {
+            "openbsd" => "wheel",
+            default   => "root",
+        },
+    }
+
+}
--- a/munin/files/munin-node.logrotate
+++ b/munin/files/munin-node.logrotate
@ -0,0 +1,9 @@
+/var/log/munin-node/munin-node.log {
+	daily
+	missingok
+	rotate 7
+	compress
+	copytruncate
+	notifempty
+	create 644 root root
+}
--- a/munin/manifests/init.pp
+++ b/munin/manifests/init.pp
@ -61,6 +61,19 @@ class munin::node {
        notify      => Service["munin-node"],
    }

+    # Temporary fix for broken config
+    case $::operatingsystem {
+        "centos","fedora","redhat": {
+            file { "/etc/logrotate.d/munin-node":
+                ensure => present,
+                mode   => "0644",
+                owner  => "root",
+                group  => "root",
+                source => "puppet:///modules/munin/munin-node.logrotate",
+            }
+        }
+    }
+
 }


@ -231,11 +244,11 @@ class munin::server {
        mode    => "0775",
        owner   => "munin",
        group   => $apache::sslserver::group,
-        seltype => "httpd_munin_rw_content_t",
+        seltype => "httpd_sys_rw_content_t",
        require => Package["munin"],
    }
    selinux::manage_fcontext { "/var/cache/munin(/.*)?":
-        type   => "httpd_munin_rw_content_t",
+        type   => "httpd_sys_rw_content_t",
        before => File["/var/cache/munin"],
    }
    mount { "/var/cache/munin":
@ -249,12 +262,11 @@ class munin::server {
        require => File["/var/cache/munin"],
    }

-    file { [ "/var/log/munin/munin-cgi-graph.log",
-             "/var/log/munin/munin-cgi-html.log", ]:
-        ensure  => present,
-        mode    => "0664",
-        owner   => "munin",
-        group   => $apache::sslserver::group,
+    file { "/var/log/munin":
+        ensure  => directory,
+        mode    => "0775",
+        owner   => $apache::sslserver::user,
+        group   => "munin",
        require => Package["munin"],
    }
    file { "/etc/logrotate.d/munin-cgi":
--- a/munin/templates/munin-cgi.logrotate.erb
+++ b/munin/templates/munin-cgi.logrotate.erb
@ -4,7 +4,7 @@
 	rotate 7
 	compress
 	notifempty
-	create 0664 munin <%= scope.lookupvar('apache::sslserver::group') %>
+	create 0640 <%= scope.lookupvar('apache::sslserver::user') %> munin
 }

 /var/log/munin/munin-cgi-html.log {
@ -13,5 +13,5 @@
 	rotate 7
 	compress
 	notifempty
-	create 0664 munin <%= scope.lookupvar('apache::sslserver::group') %>
+	create 0640 <%= scope.lookupvar('apache::sslserver::user') %> munin
 }
--- a/munin/templates/munin-node.conf.erb
+++ b/munin/templates/munin-node.conf.erb
@ -3,11 +3,15 @@
 #

 log_level 4
+<% if ['CentOS','Fedora','RedHat'].index(operatingsystem) -%>
+log_file /var/log/munin-node/munin-node.log
+<% else -%>
 log_file /var/log/munin/munin-node.log
+<% end -%>
 pid_file /var/run/munin/munin-node.pid

 background 1
-setseid 1
+setsid 1

 user root
 <% if operatingsystem == "OpenBSD" -%>
@ -15,10 +19,8 @@ group wheel
 <% else -%>
 group root
 <% end -%>
-setsid yes

 # Regexps for files to ignore
-
 ignore_file ~$
 ignore_file \.bak$
 ignore_file %$
@ -29,7 +31,6 @@ ignore_file \.pod$
 # Set this if the client doesn't report the correct hostname when
 # telnetting to localhost, port 4949
 #
-#host_name ppc3.fedora.redhat.com
 host_name <%= homename %>

 # A list of addresses that are allowed to connect.  This must be a
@ -41,8 +42,6 @@ allow <%= munin_allow %>

 # Which address to bind to;
 host <%= ipaddress %>
-# host 127.0.0.1

 # And which port
 port 4949
-
--- a/netcat/manifests/init.pp
+++ b/netcat/manifests/init.pp
@ -7,6 +7,10 @@ class netcat {
        package { "netcat":
            name   => $::operatingsystem ? {
                "ubuntu" => "netcat",
+                "fedora" => $::operatingsystemrelease ? {
+                    /^1[0-7]/ => "nc",
+                    default   => "nmap-ncat",
+                },
                default  => "nc",
            },
            ensure => present,
--- a/network/manifests/init.pp
+++ b/network/manifests/init.pp
@ -73,7 +73,23 @@ class network::hostname {
                group   => "root",
            }
        }
-        "centos","redhat","fedora": {
+        "fedora": {
+            if $::operatingsystemrelease > 17 {
+                file { "/etc/hostname":
+                    ensure  => present,
+                    content => "${homename}\n",
+                    mode    => "0644",
+                    owner   => "root",
+                    group   => "root",
+                }
+            } else {
+                augeas { "set-hostname":
+                    context => "/files/etc/sysconfig/network",
+                    changes => "set HOSTNAME ${homename}",
+                }
+            }
+        }
+        "centos","redhat": {
            augeas { "set-hostname":
                context => "/files/etc/sysconfig/network",
                changes => "set HOSTNAME ${homename}",
--- a/pam/manifests/init.pp
+++ b/pam/manifests/init.pp
@ -4,6 +4,11 @@
 class pam::common {

    case $::operatingsystem {
+        "centos","redhat","fedora": {
+            package { "authconfig":
+                ensure => installed,
+            }
+        }
        "ubuntu": {
            package { "libpam-runtime":
                ensure => installed,
@ -28,8 +33,9 @@ class pam::mkhomedir {
    case $::operatingsystem {
        "centos","redhat","fedora": {
            exec { "authconfig --enablemkhomedir --update":
-                path   => "/bin:/usr/bin:/sbin:/usr/sbin",
-                unless => "egrep '^USEMKHOMEDIR=yes\$' /etc/sysconfig/authconfig",
+                path    => "/bin:/usr/bin:/sbin:/usr/sbin",
+                unless  => "egrep '^USEMKHOMEDIR=yes\$' /etc/sysconfig/authconfig",
+                require => Package["authconfig"],
            }
        }
        "ubuntu": {
--- a/ruby/manifests/init.pp
+++ b/ruby/manifests/init.pp
@ -52,7 +52,7 @@ class ruby::rails {
            } else {
                require ruby::rubygems
                package { "rubygem-rails":
-                    ensure   => "2.3.15",
+                    ensure   => "2.3.17",
                    name     => "rails",
                    provider => "gem",
                }
--- a/sasl/manifests/init.pp
+++ b/sasl/manifests/init.pp
@ -8,10 +8,14 @@ class sasl::client {
            "ubuntu" => "sasl2-bin",
            default  => "cyrus-sasl",
        },
+        flavor => $::operatingsystem ? {
+            "openbsd" => "ldap",
+            default   => undef,
+        },
        ensure => installed,
    }

-    if $kerberos_realm {
+    if $kerberos_realm and $::operatingsystem != "OpenBSD" {
        package { "cyrus-sasl-gssapi":
            name   => $::operatingsystem ? {
                "ubuntu" => "libsasl2-modules-gssapi-mit",
@ -32,7 +36,7 @@ class sasl::client {
 #       default. Supported mechanisms include pam, ldap and kerberos5.
 #
 #       For ldap authentication, see ldap::client for required global variables.
-#  
+#
 class sasl::saslauthd {

    require sasl::client
@ -41,27 +45,48 @@ class sasl::saslauthd {
        "","pam": { }
        "ldap": {
            include ldap::client
-            
-            augeas { "set-saslauthd-mech":
-                context => "/files/etc/sysconfig/saslauthd",
-                changes => "set MECH ldap",
-                notify  => Service["saslauthd"],
+
+            case $::operatingsystem {
+                "centos","fedora","redhat": {
+                    augeas { "set-saslauthd-mech":
+                        context => "/files/etc/sysconfig/saslauthd",
+                        changes => "set MECH ldap",
+                        notify  => Service["saslauthd"],
+                    }
+                }
+                "openbsd": {
+                    Service["saslauthd"] {
+                        start => "/usr/local/sbin/saslauthd -a ldap",
+                    }
+                }
            }
-            
+
            file { "/etc/saslauthd.conf":
                ensure => present,
-                mode => 0644,
-                owner => "root",
-                group => "root",
+                mode    => "0644",
+                owner   => "root",
+                group   => $::operatingsystem ? {
+                    "openbsd" => "wheel",
+                    default   => "root",
+                },
                content => template("sasl/saslauthd.conf.ldap.erb"),
-                notify  => Service["saslauthd"],                
+                notify  => Service["saslauthd"],
            }
        }
        "kerberos5": {
-            augeas { "set-saslauthd-mech":
-                context => "/files/etc/sysconfig/saslauthd",
-                changes => "set MECH kerberos5",
-                notify  => Service["saslauthd"],
+            case $::operatingsystem {
+                "centos","fedora","redhat": {
+                    augeas { "set-saslauthd-mech":
+                        context => "/files/etc/sysconfig/saslauthd",
+                        changes => "set MECH kerberos5",
+                        notify  => Service["saslauthd"],
+                    }
+                }
+                "openbsd": {
+                    Service["saslauthd"] {
+                        start => "/usr/local/sbin/saslauthd -a kerberos5",
+                    }
+                }
            }
        }
        default: {
@ -78,13 +103,16 @@ class sasl::saslauthd {
        ensure  => present,
        mode    => "0644",
        owner   => "root",
-        group   => "root",
+        group   => $::operatingsystem ? {
+            "openbsd" => "wheel",
+            default   => "root",
+        },
        require => Exec["generate-sasldb2"],
        before  => Service["saslauthd"],
    }
    exec { "generate-sasldb2":
        command => "saslpasswd2 -d foobar ; true",
-        path    => "/bin:/usr/bin:/sbin:/usr/sbin",
+        path    => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
        creates => "/etc/sasldb2",
    }

@ -104,10 +132,20 @@ class sasl::saslauthd {
 #
 define sasl::saslauthd::service() {

-    case $architecture {
-        "i386":   { $libdir = "/usr/lib/sasl2" }
-        "x86_64": { $libdir = "/usr/lib64/sasl2" }
-        default:  { fail("Unknown architecture ${architecture}") }
+    case $::operatingsystem {
+        "centos","fedora","redhat": {
+            case $::architecture {
+                "i386":   { $libdir = "/usr/lib/sasl2" }
+                "x86_64": { $libdir = "/usr/lib64/sasl2" }
+                default:  { fail("Unknown architecture ${::architecture}") }
+            }
+        }
+        "openbsd": {
+            $libdir = "/usr/local/lib/sasl2"
+        }
+        default: {
+            fail("sasl not supported on ${::operatingsystem}")
+        }
    }

    file { "${libdir}/${name}.conf":
@ -118,7 +156,10 @@ define sasl::saslauthd::service() {
                     "puppet:///modules/sasl/service.conf", ],
        mode    => "0644",
        owner   => "root",
-        group   => "root",
+        group   => $::operatingsystem ? {
+            "openbsd" => "wheel",
+            default   => "root",
+        },
        require => Service["saslauthd"],
    }

--- a/selinux/files/restorecond.conf
+++ b/selinux/files/restorecond.conf
@ -0,0 +1,8 @@
+/etc/services
+/etc/resolv.conf
+/etc/samba/secrets.tdb
+/etc/mtab
+/var/run/utmp
+/var/log/wtmp
+/root/*
+/root/.ssh/*
--- a/selinux/manifests/init.pp
+++ b/selinux/manifests/init.pp
@ -92,6 +92,34 @@ class selinux::tools {
 }


+# Enable restorecond service.
+#
+class selinux::restorecond {
+
+    if $::selinux == "true" {
+        file { "/etc/selinux/restorecond.conf":
+            ensure  => present,
+            mode    => "0644",
+            owner   => "root",
+            group   => "root",
+            seltype => "selinux_config_t",
+            source  => [
+                "puppet:///files/selinux/restorecond.conf.${homename}",
+                "puppet:///files/selinux/restorecond.conf",
+                "puppet:///modules/selinux/restorecond.conf",
+            ],
+            notify  => Service["restorecond"],
+        }
+
+        service { "restorecond":
+            ensure => running,
+            enable => true,
+        }
+    }
+
+}
+
+
 # Set SELinux boolean value
 #
 # === Parameters
--- a/sendmail/manifests/init.pp
+++ b/sendmail/manifests/init.pp
@ -263,6 +263,7 @@ class sendmail::server inherits sendmail::common {
            default   => "/etc/aliases",
        },
        source  => [
+          "puppet:///files/mail/aliases.${fqdn}",
          "puppet:///files/mail/aliases",
          "puppet:///modules/sendmail/aliases",
        ],
@ -279,6 +280,7 @@ class sendmail::server inherits sendmail::common {
    file { "/etc/mail/access":
        ensure => present,
        source => [
+          "puppet:///files/mail/access.${fqdn}",
          "puppet:///files/mail/access",
          "puppet:///modules/sendmail/empty",
        ],
@ -297,6 +299,7 @@ class sendmail::server inherits sendmail::common {
    file { "/etc/mail/genericstable":
        ensure => present,
        source => [
+          "puppet:///files/mail/genericstable.${fqdn}",
          "puppet:///files/mail/genericstable",
          "puppet:///modules/sendmail/empty",
        ],
@ -315,6 +318,7 @@ class sendmail::server inherits sendmail::common {
    file { "/etc/mail/mailertable":
        ensure => present,
        source => [
+          "puppet:///files/mail/mailertable.${fqdn}",
          "puppet:///files/mail/mailertable",
          "puppet:///modules/sendmail/empty",
        ],
@ -333,6 +337,7 @@ class sendmail::server inherits sendmail::common {
    file { "/etc/mail/virtusertable":
        ensure => present,
        source => [
+          "puppet:///files/mail/virtusertable.${fqdn}",
          "puppet:///files/mail/virtusertable",
          "puppet:///modules/sendmail/empty",
        ],
@ -351,8 +356,9 @@ class sendmail::server inherits sendmail::common {
    file { "/etc/mail/local-host-names":
        ensure => present,
        source => [
+          "puppet:///files/mail/local-host-names.${fqdn}",
          "puppet:///files/mail/local-host-names",
-          "puppet:///modules/sendmail/local-host-names",
+          "puppet:///modules/sendmail/empty",
        ],
        mode   => "0644",
        owner  => "root",
--- a/ssh/manifests/init.pp
+++ b/ssh/manifests/init.pp
@ -12,11 +12,16 @@ class ssh::known_hosts {
        },
    }

+    $aliases = merge(inline_template("<%= homename.split('.')[0] %>"),
+                     $::ipaddress,
+                     $::ipaddress6,
+                     $::ec2_public_ipv4)
+
    @@sshkey { $homename:
        ensure       => present,
        type         => rsa,
        key          => $sshrsakey,
-        host_aliases => inline_template("<%= homename.split('.')[0] %>"),
+        host_aliases => $aliases,
        require      => File["/etc/ssh/ssh_known_hosts"],
    }

--- a/syslog/manifests/init.pp
+++ b/syslog/manifests/init.pp
@ -175,16 +175,20 @@ class syslog::client::rsyslog {
    }

    service { "rsyslog":
-        ensure  => running,
-        enable  => true,
-        start   => $::operatingsystem ? {
+        ensure     => running,
+        enable     => true,
+        start      => $::operatingsystem ? {
            "openbsd" => $::operatingsystemrelease ? {
                /4\.[1-8]/ => "pkill syslogd; /usr/local/sbin/rsyslogd -c 4 -x -i /var/run/syslog.pid",
                default    => undef,
            },
            default   => undef,
        },
-        require => File["/var/log/all.log"],
+        hasrestart => $::operatingsystem ? {
+            "fedora" => true,
+            default  => false,
+        },
+        require    => File["/var/log/all.log"],
    }

    if $::operatingsystem == "OpenBSD" and $::operatingsystemrelease !~ /4\.[1-8]/ {
--- a/tftp/manifests/init.pp
+++ b/tftp/manifests/init.pp
@ -39,24 +39,31 @@ class tftp::server {
    }

    case $::operatingsystem {
-        debian,fedora,ubuntu: {
-            file { "/var/lib/tftpboot":
-                ensure  => link,
-                target  => "/srv/tftpboot",
-                force   => true,
-                require => File["/srv/tftpboot"],
+        "debian","fedora","ubuntu": {
+            $tftpdir = "/var/lib/tftpboot"
+        }
+        "centos","redhat": {
+            case $::operatingsystemrelease {
+                /^[45]\./: {
+                    $tftpdir = "/tftpboot"
+                }
+                default: {
+                    $tftpdir = "/var/lib/tftpboot"
+                }
            }
        }
        default: {
-            file { "/tftpboot":
-                ensure  => link,
-                target  => "/srv/tftpboot",
-                force   => true,
-                require => File["/srv/tftpboot"],
-            }
+            $tftpdir = "/tftpboot"
        }
    }

+    file { $tftpdir:
+        ensure  => link,
+        target  => "/srv/tftpboot",
+        force   => true,
+        require => File["/srv/tftpboot"],
+    }
+
    if "${selinux}" == "true" {
        selinux::manage_fcontext { "/srv/tftpboot(/.*)?":
            type   => "tftpdir_t",
--- a/util/lib/puppet/parser/functions/merge.rb
+++ b/util/lib/puppet/parser/functions/merge.rb
@ -0,0 +1,20 @@
+module Puppet::Parser::Functions
+    newfunction(:merge, :type => :rvalue) do |args|
+
+        if args.length < 2
+            raise Puppet::ParseError, ("merge(): wrong number of arguments (#{args.length}; must be at least 2)")
+        end
+
+        ret = []
+        args.each do |arg|
+            next if arg == ""
+            if arg.is_a?(Array)
+                ret.concat(arg)
+            else
+                ret.concat([arg])
+            end
+        end
+        ret
+
+    end
+end
--- a/vsroom/manifests/init.pp
+++ b/vsroom/manifests/init.pp
@ -40,6 +40,7 @@ class vsroom::collab {
        mode    => "0660",
        owner   => "collab",
        group   => "collab",
+        seltype => "httpd_sys_rw_content_t",
        source  => "${vsroom::common::htdocs}/common/auth_credentials.php",
        require => [
          File["/srv/wikis/collab/htdocs"],
--- a/wiki/Makefile
+++ b/wiki/Makefile
@ -4,7 +4,7 @@ GWIKIBRANCH = default
 GWIKISOURCE = https://bitbucket.org/clarifiednetworks/graphingwiki/get/$(GWIKIBRANCH).tar.gz
 GWIKITARGET = graphingwiki-$(GWIKIBRANCH)-$(TIMESTAMP).tar.gz

-MOINVERSION = 1.9.4
+MOINVERSION = 1.9.6
 MOINSOURCE = http://static.moinmo.in/files/moin-$(MOINVERSION).tar.gz
 MOINTARGET = moin-$(MOINVERSION).tar.gz

--- a/yum/files/keys/rpmfusion-free-fedora-18.key
+++ b/yum/files/keys/rpmfusion-free-fedora-18.key
@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.18 (GNU/Linux)
+
+mQINBE80KI8BEADWbPfx0Ql0Rip3+SZ3k+/Yw/gXBH7GdwLhnwwFjEDJfBHdUFkR
+1GHQtKH7qtdyqASkPRfGQqBoDY49jssrgv4FIh9nrE8u1HpN5YhVNT0zbvGORKiS
+01U75N7FjgKR+8/deUo1MBFdy7vsfvL2obW6FE5y1Lr9QRaLfVN+C9rPDB6ITcak
+VIqvL2jKa//YzIZ0JYlYumbGyhuV0fDrSmkOTruXBgtATO1DtwlCsMshp9sMT+8L
+W2BAURtR1yVEnXy1YEVhdkdDuX/DAbZhWdz5swAQaPEr6GVByXfwDB8Fe8D/0RUo
+BQG2KBc8JqQF5HSDz5rdlKZ20U6VyR1Ihl9G3l26CWdF1iTljUHl8FIDRv+WefbJ
+rvBO76mAilBnl0NCHM2AR4npvIlN8/Dd84q1Ti0OW/QugKMECelMO0ykYVYVUmwr
+JUGKuSe3wxuW813N3VEaYOmhx6P+x5X3yKuKo8O1+duJZGPDV94veY6f3JijgA2j
+s0pgxIjUzJ8C09z0P+vLKwtVo4VMPqhBhxk1bcrUT4t8QGtQHuS7IwXYQqd32xTM
+kBrbFqegPO7dOzOLmw52o9fgHwRxL1owgYzn3uYXCzgnQYKdGgzX9QrlkuhgqLY8
+G7SR6FDdONGFE1s+looZpV/bHf2MKKLUQEUPkdIS46oRxKUNsxyAn5QZDwARAQAB
+tFNSUE0gRnVzaW9uIGZyZWUgcmVwb3NpdG9yeSBmb3IgRmVkb3JhICgxOCkgPHJw
+bWZ1c2lvbi1idWlsZHN5c0BsaXN0cy5ycG1mdXNpb24ub3JnPokCOAQTAQIAIgUC
+TzQojwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQNjOZFJguCnyGBxAA
+x4hWU52Si0/bx9TzCCjsPmuMXb6b+0wUtqRfKtsCmRmOPUok2d1/XkyX7hJ7XHV7
+bkV+pab0ohL7DWj1Y9mRJeG6X9yRi45vP52DoWkOpoMOV9LDivsQ3BfYwxb7NriF
+cI8Gq5Qec7M8JqLVk91Fve4h97rOSZlNIZfoybVOC0lpFeT6n3J/YYb1HMUtn/cu
+YwOCpvWrn6/FS6bO7jCGEidogAZkGkEAKUBOD9PbiWe+Od439a7j/PzxU795nvPt
+nfDab52zXxv4dCHBxcP3cyjC83+23QvMlkJkPF3J74atIP78jEcb45e8SuCTL/4W
+gQBaW3RqDr5CvIuksb6dDeWGzq8+214lvrCI4kQH3RWgbS4xi+a9OdicPWtnFF68
+/ORsbFMIvMXFT5Zmhpx28OlALryiYTL9jkwqMP1S0q3JgfT4adrruc4/C/MrN1aQ
+xh3wbfqT7xB0/GWKojjgRpsZ56fMUmaB2AwwlwBSpxqHTqCSkJOl1jQuvv+pNMAz
+/qNooUzu9Z1kPDKtDYl0dK9kUHw5vkXn2MjOXFGLBMoXbDxxzbgJMR45/L/jCK3Q
+8Cko+IaW14lSoiyQVoAikCfizAnAV+08dp/a4UK2haZd+/Xl7dKDpNSnQhOTQCoL
+BpbgafmDVWWbv10cPHFCfq29RBpAaQwck2WFNF39nR8=
+=53Ne
+-----END PGP PUBLIC KEY BLOCK-----
--- a/yum/files/keys/rpmfusion-nonfree-fedora-18.key
+++ b/yum/files/keys/rpmfusion-nonfree-fedora-18.key
@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.18 (GNU/Linux)
+
+mQINBE80KM8BEADL982y29MH1JB8tjaglrY1H08bHAZqkeg+fsrPnk5PokXuNiK8
+9i5iMRklyHTlLJRFen8OupJ+laXAnIhzH3CBaSU4vBw0PvvhdvtTEkVe5nEIiWON
+ptkAYsXzFMT6ZD0tM1ef3DB2l00g+rf9ySEqBpRhP1ccLwtVFSRJk3vMWgs1SAi8
+M7gdrEm07d1rNK4umB4UkOvJMe87Hd63sMF6PCfSkXDPEF9Pe+tltNNvPdA/dWO3
+3QY1o4NU4m0Dwh2NWNj9YKxjSGkYzOmDslSccXkeJJKySWYmHPwiIvt5nMuSXlOi
+F9eNSXqMQb0qLcKJWMBovTgJWMR9CTgEtU7lAXafzZ4ePJY5uNFJ4F86slFkjgpN
+DZZGFJNhDUz6TpixwxrYPV8hiUqLUlatcFrpn5vjTZpsw8gELSGCjeojI7R0qkmq
+T6atgrZbLn3aJAPtOV4aVJgO2s1ATSrZWGVUAzQ+98dZM9Ys/N9EFxip6jeabwri
+3AivulncY6k6XhKroQp2DTtupXB+nN+aGxaz+o2InuTJ83YaB1Zz6uU924gsHiyj
+/VU7hJ4RTJq1DEhTZJ9YYqPT3fkQgA5UIebpwQhMMkWq4/YO/d/QdUAhXNJr8eDP
+1VsJe13Wu8Q9I4Nlr8kWZczDnUcDipu2hpuSPDtSuEuMdO6nRyXMw9XTWQARAQAB
+tFZSUE0gRnVzaW9uIG5vbmZyZWUgcmVwb3NpdG9yeSBmb3IgRmVkb3JhICgxOCkg
+PHJwbWZ1c2lvbi1idWlsZHN5c0BsaXN0cy5ycG1mdXNpb24ub3JnPokCOAQTAQIA
+IgUCTzQozwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQkM4JS+MbMMok
+oA//TC+/0+qslxOVmGdWtZoDvndwRTnCATWiH4UoKLlyCG9DaWZMjle3Pt85bEzZ
+/cWaIzy6zZHxuYKZ8rHElhloBx8WARVPl+DRNcV4AFXMuNNckKu82YKE3Ti/G/PL
+42RpT/qgR7bgdAeru3KGMBd6Qq8iroUmqzshlEdYF4i+jXOQiD629XuzsqDw4IxZ
+zN6/NPgFduy6z9t4NN4lu329H+JBQHfb7TR4lh3liqcKInF0y9XOKFxzgUXahr23
+WWeSKboebHsdRtmoySYk6zAV45LOck+frzqD9qEiVysGeuw1eSFHjRMT+0TVsAoH
+Bot5RoyYkF/zw9bUikCJQJ+c+gOs6EXIQO1HVdgpNRjJj3901dvaBcDpI6OX6eQP
+IBLqbN6Es/uZhB4yclpHyuHQcKDnawyh5fe+5BEm4jPB9AcbvawBLrMxZMAoQVjq
+zqnCkAoo66/OYeBEZYtSXRxw8VV2p0yMkZcR1IpRNYBNcnLDqFZLLJeRCYMR2UDa
+hoYgIX/6t9UD0HjjBRQUlHtq9NDR3LOspmbaX39yd3dPlLbrgV5ALGD11NYvB8YG
+bDI/13D5K6Ti2VgArxZqv4HOWkHwkOlUl4KnkVXTdUZDefzo6ix5sObV54l9zbaJ
+FNy46lt3bTn8oI9PEsxrxC7VUXgOH3kg2G07IytyWy0FJB8=
+=+k17
+-----END PGP PUBLIC KEY BLOCK-----