From 116bfa50e03af6beb03e4acb45b6c62a5b0a0f29 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 28 May 2015 13:32:06 +0300
Subject: [PATCH 01/24] mirror: Add -n (dry-run) option to sync-mirrors script.

---
 mirror/files/sync-mirrors | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/mirror/files/sync-mirrors b/mirror/files/sync-mirrors
index fa8c237..28a4d82 100755
--- a/mirror/files/sync-mirrors
+++ b/mirror/files/sync-mirrors
@@ -27,12 +27,13 @@ else
 fi
 VERBOSE=0
+NOOP=""
 EXTRA_OPTS=""
-while getopts "vhl" c ; do
+while getopts "vhln" c ; do
 case $c in
 v)
 VERBOSE=1
- EXTRA_OPTS="-v --progress"
+ EXTRA_OPTS="${EXTRA_OPTS} -v --progress"
 ;;
 h)
 usage
@@ -45,6 +46,10 @@ while getopts "vhl" c ; do
 done
 exit 0
 ;;
+ n)
+ NOOP=" (DRY RUN)"
+ EXTRA_OPTS="${EXTRA_OPTS} -n"
+ ;;
 esac
 done
@@ -98,7 +103,7 @@ for mirror in ${SYNC} ; do
 echo "ERR: No SRC set for mirror ${mirror} ..." 1>&2
 exit 1
 fi
- logmsg "Starting ${mirror} sync ..."
+ logmsg "Starting ${mirror} sync${NOOP}..."
 rsync -aH -4 ${EXTRA_OPTS} --numeric-ids --delete --delete-delay \
 --delay-updates --no-motd ${RSYNCOPTS} --log-file=${LOGFILE} \
 --exclude=.~tmp~/ ${SRC} /srv/mirrors/${mirror}/
@@ -106,7 +111,7 @@ for mirror in ${SYNC} ; do
 if [ ${STATUS} -ne 0 ]; then
 echo "WARN: Encountered errors on ${mirror} sync, see ${LOGFILE} for details" 1>&2
 fi
- logmsg "Finished ${mirror} sync with exit status ${STATUS} ..."
+ logmsg "Finished ${mirror} sync with exit status ${STATUS}${NOOP} ..."
 if [ "${POSTCMD}" != "" ]; then
 logmsg "Running post for ${mirror} ..."
 ${POSTCMD} 2>&1 | awk \

From 16b1b084e6b5eefc5f8155b52b47e0ab6d6b93ba Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 28 May 2015 13:34:35 +0300
Subject: [PATCH 02/24] mirror: Exit when invalid command line options are given to sync-mirrors.

---
 mirror/files/sync-mirrors | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mirror/files/sync-mirrors b/mirror/files/sync-mirrors
index 28a4d82..87a7498 100755
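Review bot: With the new dry-run mode the `${POSTCMD}` block that follows the "Finished" message still executes, so `-n` only simulates the rsync while the real post-sync hook runs against data that did not change. Guard it with the same flag the log message uses, `if [ -n "${POSTCMD}" ] && [ -z "${NOOP}" ]; then`, and log that the hook was skipped when dry-running. The `for mirror` loop body continues past the end of this hunk, so check whether anything after the hook also needs the guard.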
--- a/mirror/files/sync-mirrors
+++ b/mirror/files/sync-mirrors
@@ -50,6 +50,10 @@ while getopts "vhln" c ; do
 NOOP=" (DRY RUN)"
 EXTRA_OPTS="${EXTRA_OPTS} -n"
 ;;
+ *)
+ usage
+ exit 1
+ ;;
 esac
 done

From 0dd12a0c20d21e73e003a98a23fad435657f8c25 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Mon, 18 May 2015 14:58:20 +0300
Subject: [PATCH 03/24] ejabberd: Manual merge from parameterize branch

---
 ejabberd/manifests/init.pp | 302 ++++++++++++-------------
 ejabberd/templates/ejabberd-backup.erb | 2 +-
 ejabberd/templates/ejabberd.cfg.erb | 61 +++--
 3 files changed, 180 insertions(+), 185 deletions(-)

diff --git a/ejabberd/manifests/init.pp b/ejabberd/manifests/init.pp
index 0ddc26a..5defe68 100644
--- a/ejabberd/manifests/init.pp
+++ b/ejabberd/manifests/init.pp
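Review bot: The new `*)` branch writes `usage` to stdout before `exit 1`; error-path usage text belongs on stderr so that anything capturing the script's output does not receive help text as data — `usage 1>&2` here, keeping the `h)` branch (outside this hunk) on stdout. Since the optstring does not start with `:`, getopts has already printed its own diagnostic for the bad option, so the usage call is the only thing that needs redirecting.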
@@ -1,111 +1,175 @@
 # Install ejabberd.
 #
-# === Global variables
+# === Parameters
 #
-# $ejabberd_hosts:
+# $collab:
+# Boolean for enabling collab integration. Defaults to false.
+#
+# $package:
+# Ejabberd package source. Required for collab integration.
+#
+# $hosts:
 # Array of domains serverd by ejabberd. Defaults to [ "$homename" ].
 #
-# $ejabberd_admin:
+# $admins:
 # Array of users with admin privileges.
 #
-# $ejabberd_ssl_key:
-# Path to SSL private key.
+# $webhosts:
+# Array of BOSH virtual hosts.
 #
-# $ejabberd_ssl_cert:
-# Path to SSL certificate.
-#
-# $ejabberd_ssl_chain:
-# Path to SSL certificate chain.
-#
-# $ejabberd_muclog_datadir:
-# Path where to store chatroom logs. Disabled by default.
-#
-# $ejabberd_muclog_format:
-# Chatroom log format. Valid values html or plaintext.
-#
-# $ejabberd_auth:
+# $auth:
 # Authentication method or array of multiple methods.
 # Valid values internal, external or ldap. Defaults to internal.
 #
-# $ejabberd_extauth:
+# $extauth:
 # Path to external authentication command.
 #
-# $ejabberd_ldap_server:
+# $muclog_datadir:
+# Path where to store chatroom logs. Disabled by default.
+#
+# $muclog_format:
+# Chatroom log format. Valid values html or plaintext.
+#
+# $ssl_key:
+# Path to SSL private key.
+#
+# $ssl_cert:
+# Path to SSL certificate.
+#
+# $ssl_chain:
+# Path to SSL certificate chain.
+#
+# $ldap_server:
 # Array of LDAP authentication servers.
 #
-# $ejabberd_ldap_basedn:
+# $ldap_basedn:
 # LDAP base dn.
 #
-# $ejabberd_ldap_encrypt:
+# $ldap_encrypt:
 # LDAP encryption. Defaults to "tls".
 #
-# $ejabberd_ldap_port:
+# $ldap_port:
 # LDAP port. Defaults to 636.
 #
-# $ejabberd_ldap_uidattr:
+# $ldap_uid:
 # LDAP UID attribute. Defaults to "uid".
 #
-# $ejabberd_ldap_binddn:
+# $ldap_rootdn:
 # Optional bind DN.
 #
-# $ejabberd_ldap_bindpw:
+# $ldap_password:
 # Bind DN password.
 #
-class ejabberd {
+class ejabberd(
+ $collab=false,
+ $package=undef,
+ $hosts=[$::homename],
+ $admins=[],
+ $webhosts=undef,
+ $auth="internal",
+ $extauth=undef,
+ $muclog_datadir=undef,
+ $muclog_format="plaintext",
+ $ssl_key="${::puppet_ssldir}/private_keys/${::homename}.pem",
+ $ssl_cert="${::puppet_ssldir}/certs/${::homename}.pem",
+ $ssl_chain=undef,
+ $ldap_server=undef,
+ $ldap_basedn=undef,
+ $ldap_encrypt="tls",
+ $ldap_port="636",
+ $ldap_uid="uid",
+ $ldap_rootdn=undef,
+ $ldap_password=undef
+) {
 include user::system
 realize(User["ejabberd"], Group["ejabberd"])
- if !$ejabberd_hosts {
- $ejabberd_hosts = [ $homename ]
- }
- if !$ejabberd_admin {
- $ejabberd_admin = []
- }
- if !$ejabberd_auth {
- $ejabberd_auth = "internal"
+ if ! ($muclog_format in [ "html", "plaintext" ]) {
+ fail("Invalid value ${muclog_format} for muclog_format")
 }
- if !$ejabberd_ldap_encrypt {
- $ejabberd_ldap_encrypt = "tls"
- }
- if !$ejabberd_ldap_port {
- $ejabberd_ldap_port = "636"
- }
- if !$ejabberd_ldap_uidattr {
- $ejabberd_ldap_uidattr = "uid"
+ case $::operatingsystem {
+ "centos","redhat","fedora": {
+ $package_provider = "rpm"
+ package { ["erlang", "erlang-esasl"]:
+ ensure => installed,
+ before => Package["ejabberd"],
+ }
+ }
+ "debian","ubuntu": {
+ $package_provider = "dpkg"
+ package { ["erlang", "erlang-base"]:
+ ensure => installed,
+ before => Package["ejabberd"],
+ }
+ }
+ default: { }
 }
- case $ejabberd_muclog_format {
- "","html","plaintext": { }
- default: {
- fail("Invalid value ${ejabberd_muclog_format} for \$ejabberd_muclog_format.")
+ if $collab == true {
+ if ! $package {
+ fail("Must define package for collab integration")
+ }
+
+ file { "/usr/local/src/${package}":
+ ensure => present,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///files/packages/${package}",
+ before => Package["ejabberd"],
+ }
+
+ Package["ejabberd"] {
+ provider => $package_provider,
+ source => "/usr/local/src/${package}",
+ }
+
+ exec { "usermod-ejabberd":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ command => "usermod -a -G collab ejabberd",
+ unless => "id -n -G ejabberd | grep '\\bcollab\\b'",
+ require => [ User["ejabberd"], Group["collab"] ],
+ notify => Service["ejabberd"],
+ }
+
+ Service["ejabberd"] {
+ require => Class["wiki::collab"],
+ }
+
+ if $muclog_datadir {
+ file { $muclog_datadir:
+ ensure => directory,
+ mode => "2770",
+ owner => "collab",
+ group => "collab",
+ require => User["collab"],
+ before => Service["ejabberd"],
+ }
 }
 }
 package { "ejabberd":
- ensure => installed,
+ ensure => $collab ? {
+ true => latest,
+ default => installed,
+ },
 require => [ User["ejabberd"], Group["ejabberd"] ],
 }
 service { "ejabberd":
- ensure => running,
- enable => true,
- status => "ejabberdctl status >/dev/null",
+ ensure => running,
+ enable => true,
+ status => "ejabberdctl status >/dev/null",
+ restart => "ejabberdctl restart >/dev/null",
 }
 include ssl
- if !$ejabberd_ssl_key {
- $ejabberd_ssl_key = "${puppet_ssldir}/private_keys/${homename}.pem"
- }
- if !$ejabberd_ssl_cert {
- $ejabberd_ssl_cert = "${puppet_ssldir}/certs/${homename}.pem"
- }
-
 file { "${ssl::private}/ejabberd.key":
 ensure => present,
- source => $ejabberd_ssl_key,
+ source => $ssl_key,
 mode => "0600",
 owner => "root",
 group => "root",
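Review bot: `$muclog_datadir` is only turned into a managed directory inside the `if $collab == true` branch, yet the parameter is documented independently of collab and the ejabberd.cfg template later in this commit enables `mod_muc_log` with that `outdir` whenever it is set, so a non-collab host that sets it gets a config pointing at a directory nobody creates. Either move the `file { $muclog_datadir: ... }` resource out of the collab branch (with owner/group chosen per mode) or `fail()` when it is set without `$collab`. Only `$muclog_format` is validated; `$auth` is interpolated unquoted into the Erlang config, so an invalid value breaks the file at runtime rather than at compile time — a check such as `if ! ($auth in ["internal", "external", "ldap"]) { fail("Invalid value ${auth} for auth") }` (applied per element when it is an array) would catch it. `$ldap_password` now travels as a class parameter and therefore into catalogs and reports; a sentence in the parameter docs so operators know to restrict access to those would be worthwhile.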
@@ -113,16 +177,16 @@ class ejabberd {
 }
 file { "${ssl::certs}/ejabberd.crt":
 ensure => present,
- source => $ejabberd_ssl_cert,
+ source => $ssl_cert,
 mode => "0644",
 owner => "root",
 group => "root",
 notify => Exec["generate-ejabberd-pem"],
 }
- if $ejabberd_ssl_chain {
+ if $ssl_chain {
 file { "${ssl::certs}/ejabberd.chain.crt":
 ensure => present,
- source => $ejabberd_ssl_chain,
+ source => $ssl_chain,
 mode => "0644",
 owner => "root",
 group => "root",
@@ -164,24 +228,17 @@ class ejabberd {
 "debian", "ubuntu": {
 augeas { "set-ejabberd-default":
 context => "/files/etc/default/ejabberd",
- changes => [ "set POLL true",
- "set SMP auto", ],
+ changes => [ "set POLL true", "set SMP auto" ],
+ require => Package["ejabberd"],
 notify => Service["ejabberd"],
 }
 }
+ default: { }
 }
 $htdocs = "/usr/share/ejabberd/htdocs"
- define configwebhost($htdocs) {
- file { "/srv/www/https/${name}/bosh":
- ensure => link,
- target => $htdocs,
- require => File["/srv/www/https/${name}"],
- }
- }
-
- if $ejabberd_webhosts {
+ if $webhosts {
 include apache::mod::proxy
 include apache::mod::proxy_http
 include apache::mod::rewrite
@@ -213,7 +270,7 @@ class ejabberd {
 proto => "tcp",
 }
- configwebhost { $ejabberd_webhosts:
+ ejabberd::configwebhost { $webhosts:
 htdocs => $htdocs,
 }
 }
@@ -221,68 +278,14 @@ class ejabberd {
 }
-# Install ejabberd with collab customizations.
+# Enable bosh on virtual host.
 #
-# === Global variables
-#
-# $ejabberd_package:
-# Name of ejabberd package with collab patches.
-#
-class ejabberd::collab inherits ejabberd {
+define ejabberd::configwebhost($htdocs) {
- if !$ejabberd_package {
- fail("Must define \$ejabberd_package")
- }
-
- exec { "usermod-ejabberd":
- path => "/bin:/usr/bin:/sbin:/usr/sbin",
- command => "usermod -a -G collab ejabberd",
- unless => "id -n -G ejabberd | grep '\\bcollab\\b'",
- require => [ User["ejabberd"], Group["collab"] ],
- }
-
- case $::operatingsystem {
- "centos","redhat","fedora": {
- package { ["erlang", "erlang-esasl"]:
- ensure => installed,
- before => Package["ejabberd"],
- }
- }
- "debian","ubuntu": {
- package { ["erlang", "erlang-base"]:
- ensure => installed,
- before => Package["ejabberd"],
- }
- }
- }
- file { "/usr/local/src/${ejabberd_package}":
- ensure => present,
- mode => "0644",
- owner => "root",
- group => "root",
- source => "puppet:///files/packages/${ejabberd_package}",
- before => Package["ejabberd"],
- }
- Package["ejabberd"] {
- provider => $::operatingsystem ? {
- "centos" => "rpm",
- "redhat" => "rpm",
- "fedora" => "rpm",
- "debian" => "dpkg",
- "ubuntu" => "dpkg",
- },
- source => "/usr/local/src/${ejabberd_package}",
- }
-
- if $ejabberd_muclog_datadir {
- file { $ejabberd_muclog_datadir:
- ensure => directory,
- mode => "2770",
- owner => "collab",
- group => "collab",
- require => User["collab"],
- before => Service["ejabberd"],
- }
+ file { "/srv/www/https/${name}/bosh":
+ ensure => link,
+ target => $htdocs,
+ require => File["/srv/www/https/${name}"],
 }
 }
@@ -290,40 +293,35 @@ class ejabberd::collab inherits ejabberd {
 # Install ejabberd backup cron script.
 #
-# === Global variables
+# === Parameters
 #
-# $ejabberd_backup_datadir:
-# Path where to store the backups.
+# $datadir:
+# Path where to store the backups. Defaults to "/srv/ejabberd-backup".
 #
-class ejabberd::backup {
+class ejabberd::backup($datadir="/srv/ejabberd-backup") {
- if ! $ejabberd_backup_datadir {
- $ejabberd_backup_datadir = "/srv/ejabberd-backup"
- }
-
- file { $ejabberd_backup_datadir:
- ensure => directory,
- mode => "0700",
- owner => "root",
- group => "root",
+ file { $datadir:
+ ensure => directory,
+ mode => "0700",
+ owner => "root",
+ group => "root",
 }
 file { "/usr/local/sbin/ejabberd-backup":
 ensure => present,
- content => template("ejabberd/ejabberd-backup.erb"),
 mode => "0755",
 owner => "root",
 group => "root",
+ content => template("ejabberd/ejabberd-backup.erb"),
 }
 cron { "ejabberd-backup":
 ensure => present,
 command => "/usr/local/sbin/ejabberd-backup",
 user => "root",
- minute => 15,
- hour => 21,
- require => File[ $ejabberd_backup_datadir,
- "/usr/local/sbin/ejabberd-backup" ],
+ minute => "15",
+ hour => "21",
+ require => File[$datadir, "/usr/local/sbin/ejabberd-backup"],
 }
 }
diff --git a/ejabberd/templates/ejabberd-backup.erb b/ejabberd/templates/ejabberd-backup.erb
index 62fc8cd..4173197 100755
--- a/ejabberd/templates/ejabberd-backup.erb
+++ b/ejabberd/templates/ejabberd-backup.erb
@@ -25,7 +25,7 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-DESTDIR="<%= @ejabberd_backup_datadir %>"
+DESTDIR="<%= @datadir %>"
 if [ ! -d ${DESTDIR} ]; then
 echo "ERR: ejabberd backup directory [${DESTDIR}] does not exist" 1>&2
diff --git a/ejabberd/templates/ejabberd.cfg.erb b/ejabberd/templates/ejabberd.cfg.erb
index 67f7ab4..77d0979 100644
--- a/ejabberd/templates/ejabberd.cfg.erb
+++ b/ejabberd/templates/ejabberd.cfg.erb
@@ -89,8 +89,8 @@ override_acls.
 %% You can define one or several, for example:
 %% {hosts, ["example.net", "example.com", "example.org"]}.
 %%
-<% @ejabberd_hosts.map! { |host| '"%s"' % host } -%>
-{hosts, [<%= @ejabberd_hosts.join(", ") %>]}.
+<% @hosts.map! { |host| '"%s"' % host } -%>
+{hosts, [<%= @hosts.join(", ") %>]}.
 %%
 %% route_subdomains: Delegate subdomains to other XMPP servers.
@@ -213,25 +213,25 @@ override_acls.
 %%%. ==============
 %%%' AUTHENTICATION
-<% if @ejabberd_auth.is_a?(Array) -%>
-{auth_method, [<%= @ejabberd_auth.join(", ") %>]}.
+<% if @auth.is_a?(Array) -%>
+{auth_method, [<%= @auth.join(", ") %>]}.
 <% else -%>
-{auth_method, <%= @ejabberd_auth %>}.
+{auth_method, <%= @auth %>}.
 <% end -%>
-<% if @ejabberd_extauth -%>
-{extauth_program, "<%= @ejabberd_extauth %>"}.
+<% if @extauth -%>
+{extauth_program, "<%= @extauth %>"}.
 <% end -%>
-<% if @ejabberd_ldap_server -%>
-<% @ejabberd_ldap_server.map! { |server| '"%s"' % server } -%>
-{ldap_servers, [<%= @ejabberd_ldap_server.join(", ") %>]}.
-{ldap_base, "<%= @ejabberd_ldap_basedn %>"}.
-{ldap_encrypt, <%= @ejabberd_ldap_encrypt %>}.
-{ldap_port, <%= @ejabberd_ldap_port %>}.
-{ldap_uids, [{"<%= @ejabberd_ldap_uidattr %>", "%u"}]}.
+<% if @ldap_server -%>
+<% @ldap_server.map! { |server| '"%s"' % server } -%>
+{ldap_servers, [<%= @ldap_server.join(", ") %>]}.
+{ldap_base, "<%= @ldap_basedn %>"}.
+{ldap_encrypt, <%= @ldap_encrypt %>}.
+{ldap_port, <%= @ldap_port %>}.
+{ldap_uids, [{"<%= @ldap_uid %>", "%u"}]}.
 {ldap_filter, "(!(loginShell=/sbin/nologin))"}.
-<% if @ejabberd_ldap_binddn -%>
-{ldap_rootdn, "<%= @ejabberd_ldap_binddn %>"}.
-{ldap_password, "<%= @ejabberd_ldap_bindpw %>"}.
+<% if @ldap_rootdn and @ldap_password -%>
+{ldap_rootdn, "<%= @ldap_rootdn %>"}.
+{ldap_password, "<%= @ldap_password %>"}.
 <% end -%>
 <% end -%>
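Review bot: The guard for emitting the bind credentials changed from `if @ldap_rootdn` to `if @ldap_rootdn and @ldap_password`, so a host that sets `$ldap_rootdn` but not `$ldap_password` now silently drops both and ejabberd falls back to an anonymous LDAP bind, which depending on directory ACLs can mean authentication quietly stops working or works against a less restricted view. That pairing belongs in the manifest where it can fail at compile time: `if $ldap_rootdn and ! $ldap_password { fail("ldap_password is required when ldap_rootdn is set") }`. Also, `@hosts.map!` and `@ldap_server.map!` mutate the arrays handed in from the class scope; a non-destructive `map` avoids surprises if the template is ever rendered twice.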
@@ -391,7 +391,7 @@ override_acls.
 %%
 %%{acl, admin, {user, "aleksey", "localhost"}}.
 %%{acl, admin, {user, "ermine", "example.org"}}.
-<% @ejabberd_admin.each do |admin|
+<% @admins.each do |admin|
 user, host = admin.split("@") -%>
 {acl, admin, {user, "<%= user %>", "<%= host %>"}}.
 <% end -%>
@@ -429,7 +429,7 @@ user, host = admin.split("@") -%>
 %%%' ACCESS RULES
 %% Maximum number of simultaneous sessions allowed for a single user:
-{access, max_user_sessions, [{100, all}]}.
+{access, max_user_sessions, [{1000, all}]}.
 %% Maximum number of offline messages that users can have:
 {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
@@ -554,29 +554,26 @@ user, host = admin.split("@") -%>
 {max_users, 1000},
 {max_user_conferences, 2500},
 {default_room_options,
- [
+ [
 {allow_user_invites, true},
 {anonymous, false},
 {public, false},
-<% if @ejabberd_muclog_datadir -%>
- {logging, true}
+<% if @muclog_datadir -%>
+ {logging, true},
 <% else -%>
- {logging, false}
+ {logging, false},
 <% end -%>
+ {max_users, 1000}
 ]
 }
 ]},
 %%{mod_muc_log,[]},
-<% if @ejabberd_muclog_datadir -%>
+<% if @muclog_datadir -%>
 {mod_muc_log, [
- {access_log, muc},
- {outdir, "<%= @ejabberd_muclog_datadir %>"},
- {dirtype, subdirs},
-<% if @ejabberd_muclog_format -%>
- {file_format, <%= @ejabberd_muclog_format %>},
-<% end -%>
- {cssfile, false},
- {top_link, {"/jabber-logs/", "Back to Logs"}}
+ {access_log, muc_admin},
+ {file_format, <%= @muclog_format %>},
+ {outdir, "<%= @muclog_datadir %>"},
+ {timezone, universal}
 ]},
 <% end -%>
 {mod_offline, [{access_max_user_messages, max_user_offline_messages}]},

From 93b3fde101e93478ecec3f02029f29c6e1b978cc Mon Sep 17 00:00:00 2001
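Review bot: `max_user_sessions` goes from 100 to 1000 per user in a commit described as a parameterization merge, with no mention in the message; a ten-fold increase in the per-user session ceiling is a resource-exhaustion consideration (each session is a c2s process with its own shaper state) and should either be justified in the commit message or exposed as a class parameter with the old value as default, rendered as `{access, max_user_sessions, [{<%= @max_user_sessions %>, all}]}.`.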
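Review bot: `{access_log, muc}` becomes `{access_log, muc_admin}` in the mod_muc_log options, which restricts who may toggle room logging from any local user to admins — a sensible tightening, but a behaviour change that deserves a line in the commit message, and it requires a `muc_admin` access rule to exist in this config, which the hunk context does not show. The removed `{cssfile, false}` and `{top_link, ...}` entries are not replaced; since `html` is still a documented value for `$muclog_format`, verify the generated pages are acceptable with the module defaults.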
From: Ossi Salmi
Date: Mon, 18 May 2015 15:11:36 +0300
Subject: [PATCH 04/24] ejabberd: Move erlang installation into separate module

---
 ejabberd/manifests/init.pp | 14 +++++---------
 erlang/manifests/init.pp | 21 +++++++++++++++++++++
 2 files changed, 26 insertions(+), 9 deletions(-)
 create mode 100644 erlang/manifests/init.pp

diff --git a/ejabberd/manifests/init.pp b/ejabberd/manifests/init.pp
index 5defe68..629023f 100644
--- a/ejabberd/manifests/init.pp
+++ b/ejabberd/manifests/init.pp
@@ -82,6 +82,8 @@ class ejabberd(
 $ldap_password=undef
 ) {
+ require erlang
+
 include user::system
 realize(User["ejabberd"], Group["ejabberd"])
@@ -92,19 +94,13 @@ class ejabberd(
 case $::operatingsystem {
 "centos","redhat","fedora": {
 $package_provider = "rpm"
- package { ["erlang", "erlang-esasl"]:
- ensure => installed,
- before => Package["ejabberd"],
- }
 }
 "debian","ubuntu": {
 $package_provider = "dpkg"
- package { ["erlang", "erlang-base"]:
- ensure => installed,
- before => Package["ejabberd"],
- }
 }
- default: { }
+ default: {
+ fail("ejabberd not supported on ${::operatingsystem}.")
+ }
 }
 if $collab == true {
diff --git a/erlang/manifests/init.pp b/erlang/manifests/init.pp
new file mode 100644
index 0000000..87bf7ca
--- /dev/null
+++ b/erlang/manifests/init.pp
@@ -0,0 +1,21 @@
+# Install erlang.
+#
+class erlang {
+
+ case $::operatingsystem {
+ 'centos','redhat','fedora': {
+ package { 'erlang':
+ ensure => installed,
+ }
+ }
+ 'debian','ubuntu': {
+ package { [ 'erlang', 'erlang-base' ]:
+ ensure => installed,
+ }
+ }
+ default: {
+ fail("erlang not supported on ${::operatingsystem}.")
+ }
+ }
+
+}

From 6444c954605dfc5a7434d0bb39592f52d84b2eda Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Mon, 18 May 2015 16:10:55 +0300
Subject: [PATCH 05/24] ejabberd: Let init script handle restarting

---
 ejabberd/manifests/init.pp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
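Review bot: The new `erlang` class installs only `erlang` on RHEL-family systems, whereas the code removed from `ejabberd` in this same commit also installed `erlang-esasl`; if that package was needed by the collab build of ejabberd, the move silently drops a dependency on those hosts. Either restore it, `package { ['erlang', 'erlang-esasl']: ensure => installed }`, or state in the commit message why it is no longer required. The `before => Package["ejabberd"]` ordering is now supplied by `require erlang` in the caller, which is fine as long as no other class relied on the old explicit edge.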
diff --git a/ejabberd/manifests/init.pp b/ejabberd/manifests/init.pp
index 629023f..7c5a2c2 100644
--- a/ejabberd/manifests/init.pp
+++ b/ejabberd/manifests/init.pp
@@ -155,10 +155,9 @@ class ejabberd(
 }
 service { "ejabberd":
- ensure => running,
- enable => true,
- status => "ejabberdctl status >/dev/null",
- restart => "ejabberdctl restart >/dev/null",
+ ensure => running,
+ enable => true,
+ status => "ejabberdctl status >/dev/null",
 }
 include ssl

From a509469be118c2694b33543ee8daff9d9bf406e0 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Wed, 20 May 2015 09:26:27 +0300
Subject: [PATCH 06/24] smtpd: Add support for custom config file

---
 smtpd/manifests/init.pp | 51 ++++++++++++++++++++++++++---------------
 1 file changed, 32 insertions(+), 19 deletions(-)

diff --git a/smtpd/manifests/init.pp b/smtpd/manifests/init.pp
index 49c6117..c03b6dc 100644
--- a/smtpd/manifests/init.pp
+++ b/smtpd/manifests/init.pp
@@ -18,6 +18,9 @@
 # $maildir:
 # Directory in user home for INBOX. Defaults to "Mail".
 #
+# $config:
+# Path to custom configuration file.
+#
 # $custom:
 # Array of custom accept/reject rules.
 #
@@ -39,6 +42,7 @@ class smtpd(
 $listen=false,
 $gecos=true,
 $maildir="Mail",
+ $config=undef,
 $custom=undef,
 $domains=undef,
 $virtuals=undef,
@@ -130,6 +134,15 @@ class smtpd(
 include ssl
+ if $config {
+ $content = undef
+ } else {
+ $content = $listen ? {
+ true => template("smtpd/server.conf.erb"),
+ default => template("smtpd/client.conf.erb"),
+ }
+ }
+
 file { "${confdir}/smtpd.conf":
 ensure => present,
 mode => "0644",
@@ -138,10 +151,8 @@ class smtpd(
 "openbsd" => "wheel",
 default => "root",
 },
- content => $listen ? {
- true => template("smtpd/server.conf.erb"),
- default => template("smtpd/client.conf.erb"),
- },
+ source => $config,
+ content => $content,
 notify => Service[$service],
 }
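Review bot: When `$config` is set it is passed straight to `source`, so it must be a `puppet:///` URL or an absolute path on the agent, and every template-driven parameter (`$custom`, `$domains`, `$virtuals`, and presumably the others consumed by server.conf.erb/client.conf.erb) is ignored without a warning; the parameter doc in the earlier hunk should say so, e.g. `# Path or puppet:/// URL of a complete smtpd.conf. When set, the template-driven options below are not applied.` A `fail()` when `$config` is combined with `$custom`/`$domains`/`$virtuals` would make the conflict explicit rather than silent. The owner selector and `$confdir` are set before this hunk begins.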
@@ -154,21 +165,7 @@ class smtpd(
 },
 }
- if $listen == true {
- include procmail
-
- procmail::rc { "00-default.rc":
- content => "MAILDIR=\$HOME/${maildir}\nDEFAULT=\$MAILDIR/INBOX\n",
- }
-
- file { [ "/root/${maildir}", "/etc/skel/${maildir}" ]:
- ensure => directory,
- mode => "0700",
- owner => "root",
- group => "wheel",
- before => Service["smtpd"],
- }
-
+ if $listen == true or $config {
 file { "${ssl::private}/smtpd.key":
 ensure => present,
 mode => "0600",
@@ -185,6 +182,22 @@ class smtpd(
 source => $ssl_cert,
 notify => Service["smtpd"],
 }
+ }
+
+ if $listen == true {
+ include procmail
+
+ procmail::rc { "00-default.rc":
+ content => "MAILDIR=\$HOME/${maildir}\nDEFAULT=\$MAILDIR/INBOX\n",
+ }
+
+ file { [ "/root/${maildir}", "/etc/skel/${maildir}" ]:
+ ensure => directory,
+ mode => "0700",
+ owner => "root",
+ group => "wheel",
+ before => Service["smtpd"],
+ }
 if $gecos == true {
 file { "/usr/local/sbin/generate-smtpd-gecos.sh":

From 85a37f8624b3692b90db83cbe6e3b88758147426 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Wed, 20 May 2015 09:41:05 +0300
Subject: [PATCH 07/24] apache: Add option to set the MaxClients directive

---
 apache/manifests/init.pp | 6 +++++-
 apache/templates/apache2.conf.erb | 4 ++--
 apache/templates/httpd.conf.erb | 4 ++--
 apache/templates/httpsd.conf.erb | 4 ++--
 4 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp
index e400d29..d55842a 100644
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@@ -23,6 +23,10 @@ class apache::common {
 }
 }
+ if ! $apache_maxclients {
+ $apache_maxclients = "256"
+ }
+
 if $apache_datadir {
 file { $apache_datadir:
 ensure => directory,
@@ -227,7 +231,7 @@ define apache::site($aliases="", $root="", $redirect="", $proxy="") {
 class apache::sslserver inherits apache::common {
 include user::system
-
+
 case $::operatingsystem {
 "debian","ubuntu": {
 include apache::debian::sslserver
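Review bot: `$apache_maxclients` is a dynamically scoped top-level variable with a string default, and it is interpolated into `ServerLimit` and `MaxClients` in three templates without validation; a non-numeric or empty value produces a configuration httpd refuses to load and an absurdly large one is accepted silently. Validate it where the default is applied: `if $apache_maxclients !~ /^[0-9]+$/ { fail("apache_maxclients must be a positive integer") }`. The rest of this series moves modules to class parameters; a `$maxclients` parameter with `"256"` as default would be consistent with that and avoid the top-scope lookup.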
diff --git a/apache/templates/apache2.conf.erb b/apache/templates/apache2.conf.erb
index 67d4583..e228886 100644
--- a/apache/templates/apache2.conf.erb
+++ b/apache/templates/apache2.conf.erb
@@ -104,8 +104,8 @@ KeepAliveTimeout 15
 StartServers 8
 MinSpareServers 5
 MaxSpareServers 20
- ServerLimit 256
- MaxClients 256
+ ServerLimit <%= @apache_maxclients %>
+ MaxClients <%= @apache_maxclients %>
 MaxRequestsPerChild 4000
diff --git a/apache/templates/httpd.conf.erb b/apache/templates/httpd.conf.erb
index 58df853..4633362 100644
--- a/apache/templates/httpd.conf.erb
+++ b/apache/templates/httpd.conf.erb
@@ -103,8 +103,8 @@ KeepAliveTimeout 15
 StartServers 8
 MinSpareServers 5
 MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
+ServerLimit <%= @apache_maxclients %>
+MaxClients <%= @apache_maxclients %>
 MaxRequestsPerChild 4000
diff --git a/apache/templates/httpsd.conf.erb b/apache/templates/httpsd.conf.erb
index 79a5049..0e6956a 100644
--- a/apache/templates/httpsd.conf.erb
+++ b/apache/templates/httpsd.conf.erb
@@ -103,8 +103,8 @@ KeepAliveTimeout 15
 StartServers 8
 MinSpareServers 5
 MaxSpareServers 20
-ServerLimit 256
-MaxClients 256
+ServerLimit <%= @apache_maxclients %>
+MaxClients <%= @apache_maxclients %>
 MaxRequestsPerChild 4000

From dc87bed6595738141bd7881508fa63053c888466 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Mon, 8 Jun 2015 12:57:50 +0300
Subject: [PATCH 08/24] abusesa: Fix path in the vsroom -> live redirect

---
 abusesa/files/vsroom-httpd.conf | 2 +-
 abusesa/manifests/live.pp | 9 ++++++++-
 abusesa/manifests/search.pp | 7 +++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/abusesa/files/vsroom-httpd.conf b/abusesa/files/vsroom-httpd.conf
index b74a1ba..d8a0d32 100644
--- a/abusesa/files/vsroom-httpd.conf
+++ b/abusesa/files/vsroom-httpd.conf
@@ -1,3 +1,3 @@
- AllowOverride All
+ AllowOverride FileInfo
diff --git a/abusesa/manifests/live.pp b/abusesa/manifests/live.pp
index 8ce30e6..6635e84 100644
--- a/abusesa/manifests/live.pp
+++ b/abusesa/manifests/live.pp
@@ -92,6 +92,13 @@ define abusesa::live::configwebhost($htdocs) {
 owner => 'root',
 group => 'root',
 }
+ file { "/srv/www/https/${name}/abusesa/index.html":
+ ensure => present,
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ content => '',
+ }
 }
 file { "/srv/www/https/${name}/abusesa/live":
@@ -111,7 +118,7 @@ define abusesa::live::configwebhost($htdocs) {
 mode => '0644',
 owner => 'root',
 group => 'root',
- content => "Redirect permanent /vsroom/ /abusesa/live/\n",
+ content => "Redirect permanent /vsroom/overview/ /abusesa/live/\n",
 }
 }
diff --git a/abusesa/manifests/search.pp b/abusesa/manifests/search.pp
index 83adfff..c2da79f 100644
--- a/abusesa/manifests/search.pp
+++ b/abusesa/manifests/search.pp
@@ -143,6 +143,13 @@ define abusesa::search::configwebhost($htdocs) {
 owner => 'root',
 group => 'root',
 }
+ file { "/srv/www/https/${name}/abusesa/index.html":
+ ensure => present,
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ content => '',
+ }
 }
 file { "/srv/www/https/${name}/abusesa/search":

From 29b570ca6b6d50be12ff4727b75e7e1e296f0a73 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Mon, 8 Jun 2015 13:06:43 +0300
Subject: [PATCH 09/24] ejabberd: Disable DirectoryIndex in bosh path for Apache 2.4

See https://bz.apache.org/bugzilla/show_bug.cgi?id=53929

---
 ejabberd/manifests/init.pp | 8 +++-----
 ejabberd/{files/htaccess => templates/htaccess.erb} | 3 +++
 2 files changed, 6 insertions(+), 5 deletions(-)
 rename ejabberd/{files/htaccess => templates/htaccess.erb} (57%)

diff --git a/ejabberd/manifests/init.pp b/ejabberd/manifests/init.pp
index 7c5a2c2..a8f185b 100644
--- a/ejabberd/manifests/init.pp
+++ b/ejabberd/manifests/init.pp
@@ -251,8 +251,7 @@ class ejabberd(
 mode => "0644",
 owner => "root",
 group => "root",
- source => "puppet:///modules/ejabberd/htaccess",
- require => File[$htdocs],
+ content => template("ejabberd/htaccess.erb"),
 }
 apache::configfile { "ejabberd.conf":
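Review bot: `abusesa::live::configwebhost` and `abusesa::search::configwebhost` now both declare `file { "/srv/www/https/${name}/abusesa/index.html" }`; if both are ever applied to the same vhost the catalog fails with a duplicate declaration, unless the enclosing block (its start is outside this hunk) already prevents that. An empty `index.html` is also only a workaround for directory listings at `/abusesa/`; `Options -Indexes` on that directory in the vhost config covers every subdirectory and does not serve a blank 200 page. If the empty file is kept, declare it once in a shared class, or use `ensure_resource`, so the two defines cannot collide.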
@@ -278,9 +277,8 @@ class ejabberd(
 define ejabberd::configwebhost($htdocs) {
 file { "/srv/www/https/${name}/bosh":
- ensure => link,
- target => $htdocs,
- require => File["/srv/www/https/${name}"],
+ ensure => link,
+ target => $htdocs,
 }
 }
diff --git a/ejabberd/files/htaccess b/ejabberd/templates/htaccess.erb
similarity index 57%
rename from ejabberd/files/htaccess
rename to ejabberd/templates/htaccess.erb
index c6801cf..5cff781 100644
--- a/ejabberd/files/htaccess
+++ b/ejabberd/templates/htaccess.erb
@@ -1,3 +1,6 @@
+<% if scope.lookupvar('apache::version') == '2.4' -%>
+DirectoryIndex disabled
+<% end -%>
 RewriteEngine On
 RewriteRule ^(.*)$ http://localhost:5280/http-bind/$1 [P,L]

From 9923a1c676b629ed712560f9462785ad47906e14 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 9 Jun 2015 15:02:14 +0300
Subject: [PATCH 10/24] cups: Fixed system-config-printer installation for Ubuntu.

---
 cups/manifests/init.pp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/cups/manifests/init.pp b/cups/manifests/init.pp
index 59b21ac..b54ae9a 100644
--- a/cups/manifests/init.pp
+++ b/cups/manifests/init.pp
@@ -76,7 +76,14 @@ class cups::server($admin_group=undef, $manager_group=undef,
 require ssl
- package { [ "ghostscript", "system-config-printer" ]:
+ package { "system-config-printer":
+ ensure => installed,
+ name => $::operatingsystem ? {
+ "ubuntu" => "system-config-printer-gnome",
+ default => "system-config-printer",
+ },
+ }
+ package { "ghostscript":
 ensure => installed,
 }

From dfaa47495bab6a4bfb418d39e5de944c727920a7 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Tue, 9 Jun 2015 17:08:10 +0300
Subject: [PATCH 11/24] abusesa::live: Strip index.html from redirected vsroom links

---
 abusesa/manifests/live.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/abusesa/manifests/live.pp b/abusesa/manifests/live.pp
index 6635e84..0ace808 100644
--- a/abusesa/manifests/live.pp
+++ b/abusesa/manifests/live.pp
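Review bot: `scope.lookupvar('apache::version') == '2.4'` is an exact string comparison, so an `apache::version` such as `2.4.7` or a later 2.x release gets no `DirectoryIndex disabled` and the Bugzilla 53929 breakage returns; compare with versioncmp through the scope instead, `<% if scope.function_versioncmp([scope.lookupvar('apache::version'), '2.4']) >= 0 -%>`. The unchanged `RewriteRule` proxies BOSH to `http://localhost:5280/http-bind/` in the clear; fine on a single host, but a one-line comment in the file stating that the loopback hop is intentionally unencrypted would save the next reader from wondering.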
@@ -118,7 +118,7 @@ define abusesa::live::configwebhost($htdocs) {
 mode => '0644',
 owner => 'root',
 group => 'root',
- content => "Redirect permanent /vsroom/overview/ /abusesa/live/\n",
+ content => "RedirectMatch permanent /vsroom/overview/(index\.html)? /abusesa/live/",
 }
 }

From 6ac876465478444171691edb4a09f08fd978a73c Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Wed, 10 Jun 2015 12:25:55 +0300
Subject: [PATCH 12/24] abusesa::live: Add missing newline

---
 abusesa/manifests/live.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/abusesa/manifests/live.pp b/abusesa/manifests/live.pp
index 0ace808..a37ea93 100644
--- a/abusesa/manifests/live.pp
+++ b/abusesa/manifests/live.pp
@@ -118,7 +118,7 @@ define abusesa::live::configwebhost($htdocs) {
 mode => '0644',
 owner => 'root',
 group => 'root',
- content => "RedirectMatch permanent /vsroom/overview/(index\.html)? /abusesa/live/",
+ content => "RedirectMatch permanent /vsroom/overview/(index\.html)? /abusesa/live/\n",
 }
 }

From b0c84b61ad4dc20cf6544bb232543cec090c68b7 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Wed, 10 Jun 2015 14:40:51 +0300
Subject: [PATCH 13/24] ejabberd: Add support for the new YAML config

---
 ejabberd/manifests/init.pp | 10 +-
 ejabberd/templates/ejabberd.yml.erb | 183 ++++++++++++++++++++++
 2 files changed, 191 insertions(+), 2 deletions(-)
 create mode 100644 ejabberd/templates/ejabberd.yml.erb

diff --git a/ejabberd/manifests/init.pp b/ejabberd/manifests/init.pp
index a8f185b..7db63d9 100644
--- a/ejabberd/manifests/init.pp
+++ b/ejabberd/manifests/init.pp
@@ -103,6 +103,12 @@ class ejabberd(
 }
 }
+ if $package and versioncmp($package, "ejabberd-13.10") >= 0 {
+ $config = "ejabberd.yml"
+ } else {
+ $config = "ejabberd.cfg"
+ }
+
 if $collab == true {
 if ! $package {
 fail("Must define package for collab integration")
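Review bot: The `RedirectMatch` pattern is unanchored, so it matches `/vsroom/overview/` anywhere in the request path and also matches `/vsroom/overview/anything`, redirecting the whole request to `/abusesa/live/` and discarding the remainder; anchor it so only the two intended URLs are rewritten: `content => "RedirectMatch permanent ^/vsroom/overview/(index\\.html)?\$ /abusesa/live/\n",`. In a Puppet double-quoted string the bare `\.` is an unrecognised escape (Puppet 3 warns and passes the backslash through), so doubling it as above also removes that ambiguity.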
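Review bot: Choosing the config format with `versioncmp($package, "ejabberd-13.10")` ties it to the collab package file name: with `$collab` false `$package` is undef, so a distro-provided ejabberd that may already be 13.10 or newer still gets `ejabberd.cfg` while the package's own default is `ejabberd.yml`, and whether the old format is picked up then depends on the package's ejabberdctl defaults. `versioncmp` on a full file name such as `ejabberd-13.10-1.el6.x86_64.rpm` also compares the trailing release and architecture parts, which is fragile. Make the format an explicit, validated parameter (e.g. `$config_format="cfg"`) and use the `$package` heuristic only as a fallback; the `if $collab` block below continues past the end of this hunk.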
@@ -209,12 +215,12 @@ class ejabberd(
 require => Package["ejabberd"],
 }
- file { "/etc/ejabberd/ejabberd.cfg":
+ file { "/etc/ejabberd/${config}":
 ensure => present,
 mode => "0640",
 owner => "root",
 group => "ejabberd",
- content => template("ejabberd/ejabberd.cfg.erb"),
+ content => template("ejabberd/${config}.erb"),
 require => Package["ejabberd"],
 notify => Service["ejabberd"],
 }
diff --git a/ejabberd/templates/ejabberd.yml.erb b/ejabberd/templates/ejabberd.yml.erb
new file mode 100644
index 0000000..28d9968
--- /dev/null
+++ b/ejabberd/templates/ejabberd.yml.erb
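Review bot: Switching the managed file from `ejabberd.cfg` to `ejabberd.yml` leaves the previously deployed `/etc/ejabberd/ejabberd.cfg` in place and unmanaged, still holding the LDAP bind password and admin list with the 0640 root:ejabberd mode this resource gave it; add the complementary cleanup, e.g. `file { "/etc/ejabberd/ejabberd.cfg": ensure => absent }` when `$config == "ejabberd.yml"` (and the reverse for the .yml), ordered before `Service["ejabberd"]`. The `$package` parameter docs should also mention that it now selects the config format.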
@@ -0,0 +1,183 @@
+loglevel: 4
+
+hosts:
+<% @hosts.each do |host| -%>
+ - "<%= host %>"
+<% end -%>
+
+listen:
+ -
+ port: 5222
+ module: ejabberd_c2s
+ max_stanza_size: 655360
+ shaper: c2s_shaper
+ access: c2s
+ starttls_required: true
+ certfile: "/etc/ejabberd/ejabberd.pem"
+ -
+ port: 5223
+ module: ejabberd_c2s
+ max_stanza_size: 655360
+ shaper: c2s_shaper
+ access: c2s
+ tls: true
+ certfile: "/etc/ejabberd/ejabberd.pem"
+ -
+ port: 5269
+ module: ejabberd_s2s_in
+ max_stanza_size: 1310720
+ shaper: s2s_shaper
+ -
+ port: 5280
+ module: ejabberd_http
+ web_admin: true
+ http_poll: true
+ http_bind: true
+
+s2s_access: s2s
+s2s_certfile: "/etc/ejabberd/ejabberd.pem"
+s2s_use_starttls: required
+
+<% if @auth.is_a?(Array) -%>
+auth_method:
+<% @auth.each do |method| -%>
+ - <%= method %>
+<% end -%>
+<% else -%>
+auth_method: <%= @auth %>
+<% end -%>
+<% if @extauth -%>
+extauth_program: "<%= @extauth %>"
+<% end -%>
+<% if @ldap_server -%>
+ldap_base: "<%= @ldap_basedn %>"
+ldap_encrypt: <%= @ldap_encrypt %>
+ldap_filter: "(!(loginShell=/sbin/nologin))"
+ldap_port: <%= @ldap_port %>
+ldap_servers:
+<% @ldap_server.each do |server| -%>
+ - "<%= server %>"
+<% end -%>
+ldap_uids:
+ - "<%= @ldap_uid %>": "%u"
+<% if @ldap_rootdn and @ldap_password -%>
+ldap_rootdn: "<%= @ldap_rootdn %>"
+ldap_password: "<%= @ldap_password %>"
+<% end -%>
+<% end -%>
+
+shaper:
+ c2s: 655360
+ s2s: 1310720
+
+max_fsm_queue: 10000
+
+acl:
+<% if @admins -%>
+ admin:
+ user:
+<% @admins.each do |admin|
+ user, host = admin.split("@") -%>
+ - "<%= user %>": "<%= host %>"
+<% end -%>
+<% end -%>
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - "127.0.0.0/8"
+
+access:
+ announce:
+ admin: allow
+ c2s:
+ all: allow
+ c2s_shaper:
+ all: c2s
+ configure:
+ admin: allow
+ local:
+ local: allow
+ max_user_offline_messages:
+ admin: 1000
+ all: 100
+ max_user_sessions:
+ all: 1000
+ muc:
+ local: allow
+ muc_admin:
+ admin: allow
+ muc_create:
+ local: allow
+ pubsub_createnode:
+ local: 
allow + register: + all: deny + s2s: + all: allow + s2s_shaper: + all: s2s + trusted_network: + loopback: allow + +language: "en" + +modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_blocking: {} + mod_caps: {} + mod_carboncopy: {} + mod_configure: {} + mod_disco: {} + mod_http_bind: {} + mod_last: {} + mod_muc: + access: muc + access_admin: muc_admin + access_create: muc_create + access_persistent: muc_create + history_size: 100 + max_users: 1000 + max_user_conferences: 2000 + default_room_options: + allow_user_invites: true + anonymous: false +<% if @muclog_datadir -%> + logging: true +<% else -%> + logging: false +<% end -%> + max_users: 1000 + members_by_default: false + members_only: true + public: false + public_list: false +<% if @muclog_datadir -%> + mod_muc_log: + access_log: muc_admin + file_format: <%= @muclog_format %> + outdir: "<%= @muclog_datadir %>" + timezone: universal +<% end -%> + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_privacy: {} + mod_private: {} + mod_pubsub: + access_createnode: pubsub_createnode + ignore_pep_from_offline: true + last_item_cache: false + plugins: + - "flat" + - "hometree" + - "pep" + mod_roster: {} + mod_shared_roster: {} + mod_stats: {} + mod_time: {} + mod_vcard: {} + mod_version: {} From 026cb64b99a1980b45e0568765d3afd79d078f4f Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Mon, 15 Jun 2015 01:11:10 +0300 Subject: [PATCH 14/24] murmur: Update version to 1.2.9 --- murmur/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/murmur/Makefile b/murmur/Makefile index 41116ae..567026b 100644 --- a/murmur/Makefile +++ b/murmur/Makefile @@ -1,6 +1,6 @@ include $(CURDIR)/../Makefile.inc -VERSION = 1.2.4 +VERSION = 1.2.9 TARGET = murmur-static_x86-$(VERSION).tar.bz2 SOURCE = http://downloads.sourceforge.net/project/mumble/Mumble/$(VERSION)/murmur-static_x86-$(VERSION).tar.bz2 
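Review bot: `ldap_password: "<%= @ldap_password %>"` (likewise `ldap_rootdn`, `ldap_base`, `extauth_program` and the admin JIDs) interpolates the value verbatim into a double-quoted YAML scalar, so a value containing `"` or `\` breaks the file and a password that happens to contain a YAML escape sequence is silently altered before ejabberd sees it. Render these through a serializer instead, e.g. `ldap_password: <%= @ldap_password.to_json %>`, since a JSON string is a valid YAML double-quoted scalar (this assumes the json library is loaded in the template's Ruby, as it normally is under Puppet — confirm). Separately, the port-5280 `ejabberd_http` listener enables `web_admin: true` without `tls: true`/`certfile`, so admin logins travel in clear unless TLS is terminated in front of it; adding `tls: true` and `certfile: "/etc/ejabberd/ejabberd.pem"` to that listener, as already done for 5223, closes that gap.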
From 63bc23b2102a843245a3d9e0aca4513ef594698b Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Mon, 15 Jun 2015 01:24:58 +0300 Subject: [PATCH 15/24] murmur: Also update download URL --- murmur/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/murmur/Makefile b/murmur/Makefile index 567026b..f9a971e 100644 --- a/murmur/Makefile +++ b/murmur/Makefile @@ -3,7 +3,7 @@ include $(CURDIR)/../Makefile.inc VERSION = 1.2.9 TARGET = murmur-static_x86-$(VERSION).tar.bz2 -SOURCE = http://downloads.sourceforge.net/project/mumble/Mumble/$(VERSION)/murmur-static_x86-$(VERSION).tar.bz2 +SOURCE = https://github.com/mumble-voip/mumble/releases/download/$(VERSION)/murmur-static_x86-$(VERSION).tar.bz2 all: download manifest download: $(PACKAGES)/$(TARGET) From a9b7e9a72ef36ff11f1c1de72afec33fd49d08f4 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Mon, 15 Jun 2015 16:01:03 +0300 Subject: [PATCH 16/24] abusesa: Clean up common code in webhost handling --- abusesa/manifests/init.pp | 23 +++++++++++++++++++++++ abusesa/manifests/live.pp | 16 +--------------- abusesa/manifests/search.pp | 16 +--------------- 3 files changed, 25 insertions(+), 30 deletions(-) diff --git a/abusesa/manifests/init.pp b/abusesa/manifests/init.pp index 6a8279b..4a17e62 100644 --- a/abusesa/manifests/init.pp +++ b/abusesa/manifests/init.pp @@ -87,3 +87,26 @@ class abusesa( } } + + +# Create AbuseSA htdocs root. +# +define abusesa::configwebhost() { + + if ! defined(File["/srv/www/https/${name}/abusesa"]) { + file { "/srv/www/https/${name}/abusesa": + ensure => directory, + mode => '0755', + owner => 'root', + group => 'root', + } + file { "/srv/www/https/${name}/abusesa/index.html": + ensure => present, + mode => '0644', + owner => 'root', + group => 'root', + content => '', + } + } + +} diff --git a/abusesa/manifests/live.pp b/abusesa/manifests/live.pp index a37ea93..3db9b05 100644 --- a/abusesa/manifests/live.pp +++ b/abusesa/manifests/live.pp 
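Review bot: The release tarball is still fetched by URL alone; nothing in this hunk pins a checksum or signature for `$(TARGET)`, so moving to https authenticates the download host but not the artifact itself. Consider recording the expected digest next to `VERSION` (e.g. `SHA256 = <expected-sha256-placeholder>`) and verifying it in the `download` rule before the file is accepted. The recipe of that rule is outside the hunk, so it could not be checked here.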
@@ -85,21 +85,7 @@ class abusesa::live( # define abusesa::live::configwebhost($htdocs) { - if ! defined(File["/srv/www/https/${name}/abusesa"]) { - file { "/srv/www/https/${name}/abusesa": - ensure => directory, - mode => '0755', - owner => 'root', - group => 'root', - } - file { "/srv/www/https/${name}/abusesa/index.html": - ensure => present, - mode => '0644', - owner => 'root', - group => 'root', - content => '', - } - } + abusesa::configwebhost { $name: } file { "/srv/www/https/${name}/abusesa/live": ensure => link, diff --git a/abusesa/manifests/search.pp b/abusesa/manifests/search.pp index c2da79f..159023a 100644 --- a/abusesa/manifests/search.pp +++ b/abusesa/manifests/search.pp @@ -136,21 +136,7 @@ class abusesa::search( # define abusesa::search::configwebhost($htdocs) { - if ! defined(File["/srv/www/https/${name}/abusesa"]) { - file { "/srv/www/https/${name}/abusesa": - ensure => directory, - mode => '0755', - owner => 'root', - group => 'root', - } - file { "/srv/www/https/${name}/abusesa/index.html": - ensure => present, - mode => '0644', - owner => 'root', - group => 'root', - content => '', - } - } + abusesa::configwebhost { $name: } file { "/srv/www/https/${name}/abusesa/search": ensure => link, From 4d7fcc9e65d8d47f8745db317b3756d54bc5e89d Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Tue, 16 Jun 2015 12:17:32 +0300 Subject: [PATCH 17/24] nginx: Add default error and access logs --- nginx/manifests/init.pp | 2 ++ nginx/templates/nginx.conf.erb | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/nginx/manifests/init.pp b/nginx/manifests/init.pp index faed91b..a80280e 100644 --- a/nginx/manifests/init.pp +++ b/nginx/manifests/init.pp @@ -13,10 +13,12 @@ class nginx( $user = '_nginx' $group = '_nginx' } + $logdir = '/var/www/logs' } default: { $user = 'nginx' $group = 'nginx' + $logdir = '/var/log/nginx' } } diff --git a/nginx/templates/nginx.conf.erb b/nginx/templates/nginx.conf.erb index 6f2bb90..6d235f9 100644 
--- a/nginx/templates/nginx.conf.erb +++ b/nginx/templates/nginx.conf.erb @@ -2,6 +2,8 @@ user <%= @user %>; worker_processes <%= @workers %>; worker_rlimit_nofile 1024; +error_log <%= @logdir %>/error.log; + events { worker_connections 1024; } @@ -10,6 +12,8 @@ http { include mime.types; default_type application/octet-stream; + access_log <%= @logdir %>/access.log combined; + server_tokens off; include conf.d/*.conf; From b77decaf8aa51700eb1637b730b459ed34d68bdf Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Tue, 16 Jun 2015 12:39:43 +0300 Subject: [PATCH 18/24] apache: Add support for configuring SSLProxy with key authentication --- apache/manifests/init.pp | 35 ++++++++++++++++++++++++++++++ apache/templates/sslproxy.conf.erb | 4 ++++ 2 files changed, 39 insertions(+) create mode 100644 apache/templates/sslproxy.conf.erb diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp index d55842a..3f56f11 100644 --- a/apache/manifests/init.pp +++ b/apache/manifests/init.pp @@ -495,6 +495,41 @@ class apache::proxy($port="8080", } +# Configure Apache SSLProxy with key authentication. +# +class apache::sslproxy( + $ssl_key="${::puppet_ssldir}/private_keys/${::homename}.pem", + $ssl_cert="${::puppet_ssldir}/certs/${::homename}.pem", + $ssl_ca="${::puppet_ssldir}/certs/ca.pem", +) { + + include ssl + + $ssl_bundle = "${ssl::private}/apache-sslproxy.pem" + + exec { 'generate-sslproxy-pem': + path => '/bin:/usr/bin:/sbin:/usr/sbin', + command => "/bin/sh -c 'umask 077 ; cat ${ssl_key} ${ssl_cert} > ${ssl_bundle}'", + creates => $ssl_bundle, + } + + file { $ssl_bundle: + ensure => present, + mode => '0600', + owner => 'root', + group => 'root', + require => Exec['generate-sslproxy-pem'], + } + + apache::configfile { 'sslproxy.conf': + http => false, + content => template('apache/sslproxy.conf'), + require => File[$ssl_bundle], + } + +} + + # Install mod_auth_kerb. # class apache::mod::auth_kerb($servicename=undef) { 
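Review bot: `creates => $ssl_bundle` makes the exec a one-shot, so after the agent key or certificate under `${::puppet_ssldir}` is renewed the proxy keeps presenting the old pair from the bundle until someone deletes it by hand; replace it with a content comparison such as `unless => "/bin/sh -c 'cat ${ssl_key} ${ssl_cert} | cmp -s - ${ssl_bundle}'"` so the bundle is rebuilt whenever its inputs change. The `file { $ssl_bundle: ... }` resource carries no `notify` towards the Apache service, so even a regenerated bundle is not picked up until the next restart (the service resource is outside the hunk). The three paths are spliced unquoted into an `sh -c` string; they are class parameters, so a caller-supplied value with shell metacharacters would be executed — double-quote each path inside the command, or build the bundle without a shell.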
diff --git a/apache/templates/sslproxy.conf.erb b/apache/templates/sslproxy.conf.erb new file mode 100644 index 0000000..877ffd5 --- /dev/null +++ b/apache/templates/sslproxy.conf.erb @@ -0,0 +1,4 @@ +SSLProxyEngine on +SSLProxyMachineCertificateFile <%= @ssl_bundle %> +SSLProxyCACertificateFile <%= @ssl_ca %> +SSLProxyVerify require From 73c505981ac85d0cb958f0f8c8e0f8078dd36ac2 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Tue, 16 Jun 2015 12:41:51 +0300 Subject: [PATCH 19/24] abusesa: Add support for AbuseSA services --- abusesa/manifests/services.pp | 54 +++++++++++++++++++++++ abusesa/templates/services/nginx.conf.erb | 33 ++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 abusesa/manifests/services.pp create mode 100644 abusesa/templates/services/nginx.conf.erb diff --git a/abusesa/manifests/services.pp b/abusesa/manifests/services.pp new file mode 100644 index 0000000..19e5882 --- /dev/null +++ b/abusesa/manifests/services.pp 
@@ -0,0 +1,54 @@ +# Configure AbuseSA services. +# +class abusesa::services( + $services=[], + $socketdir="/var/lib/abuserv/run", +) { + + include user::system + realize(User['abuserv'], Group['abuserv']) + + exec { 'usermod-abusesa-abuserv': + path => '/bin:/usr/bin:/sbin:/usr/sbin', + command => 'usermod -a -G abuserv abusesa', + unless => 'id -n -G abusesa | grep \'\babuserv\b\'', + require => [ + User['abusesa'], + Group['abuserv'], + ], + } + + exec { 'usermod-nginx-abuserv': + path => '/bin:/usr/bin:/sbin:/usr/sbin', + command => 'usermod -a -G abuserv nginx', + unless => 'id -n -G nginx | grep \'\babuserv\b\'', + require => [ + Class['nginx'], + Group['abuserv'], + ], + } + + file { [ + '/var/lib/abuserv', + '/var/lib/abuserv/run', + ]: + ensure => directory, + mode => '2770', + owner => 'abuserv', + group => 'abuserv', + } + + file { '/var/lib/abuserv/.profile': + ensure => present, + mode => '0600', + owner => 'abuserv', + group => 'abuserv', + content => "umask 007\n", + } + + include nginx + nginx::config { 'abusesa.conf': + content => template('abusesa/services/nginx.conf.erb'), + } + +} diff --git a/abusesa/templates/services/nginx.conf.erb b/abusesa/templates/services/nginx.conf.erb new file mode 100644 index 0000000..f0486b4 --- /dev/null +++ b/abusesa/templates/services/nginx.conf.erb 
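Review bot: `$socketdir` is only passed to the template; the directory Puppet actually creates is the hard-coded `'/var/lib/abuserv/run'` in the `file` resource, so overriding the parameter produces an nginx config pointing at a socket directory that is never created. Either create the parameter's value (`file { ['/var/lib/abuserv', $socketdir]: ... }` works as long as it stays below `/var/lib/abuserv`) or drop the parameter and document the fixed path. Note also that adding the nginx user to group `abuserv` grants group read/write on the whole `2770` tree, not just the sockets; a one-line comment stating that nothing else is expected to live under `/var/lib/abuserv` would make that intent explicit.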
@@ -0,0 +1,33 @@ +log_format abusesa '$remote_addr - $http_x_remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + +server { + listen 8443; + + access_log <%= scope.lookupvar('nginx::logdir') %>/abusesa.log abusesa; + + ssl on; + ssl_verify_client on; + ssl_certificate <%= @puppet_ssldir %>/certs/<%= @homename %>.pem; + ssl_certificate_key <%= @puppet_ssldir %>/private_keys/<%= @homename %>.pem; + ssl_client_certificate <%= @puppet_ssldir %>/certs/ca.pem; + + proxy_buffering off; + +<% @services.each do |service| + dir, sep, sock = service.rpartition('/') + dir = @socketdir if dir.empty? + sockpath = File.join(dir, sock) + location = sock.gsub('.', '/') +-%> + location /<%= location %>/ { + proxy_pass http://unix:<%= sockpath %>:/; + } + +<% end -%> + location / { + deny all; + } + +} From b3f7b92e016934375037972c7e9c7c7c1a34da01 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Tue, 16 Jun 2015 13:03:40 +0300 Subject: [PATCH 20/24] apache: Typofix --- apache/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp index 3f56f11..e6d7ff5 100644 --- a/apache/manifests/init.pp +++ b/apache/manifests/init.pp @@ -523,7 +523,7 @@ class apache::sslproxy( apache::configfile { 'sslproxy.conf': http => false, - content => template('apache/sslproxy.conf'), + content => template('apache/sslproxy.conf.erb'), require => File[$ssl_bundle], } From afce28f5cdc5afe5e3b04f331a356071d9d5d6f9 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Tue, 16 Jun 2015 15:19:32 +0300 Subject: [PATCH 21/24] abusesa: Fix duplicate declaration --- abusesa/manifests/init.pp | 26 ++++++++++++-------------- abusesa/manifests/live.pp | 4 +++- abusesa/manifests/search.pp | 4 +++- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/abusesa/manifests/init.pp b/abusesa/manifests/init.pp index 4a17e62..9bf2cb1 100644 --- a/abusesa/manifests/init.pp 
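Review bot: The log format records `$http_x_remote_user`, i.e. whatever `X-Remote-User` header the client sent, and the generated `location` blocks proxy requests without setting or clearing that header; if the backends identify the caller by it (presumably, given client-certificate auth on this listener — confirm), any holder of a valid certificate can impersonate another user simply by supplying the header. Derive it from the certificate instead, `proxy_set_header X-Remote-User $ssl_client_s_dn;` inside each proxied location or once at server level, which also makes the logged value trustworthy. A comment above `log_format` stating where the header is expected to come from would help the next reader.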
+++ b/abusesa/manifests/init.pp @@ -93,20 +93,18 @@ class abusesa( # define abusesa::configwebhost() { - if ! defined(File["/srv/www/https/${name}/abusesa"]) { - file { "/srv/www/https/${name}/abusesa": - ensure => directory, - mode => '0755', - owner => 'root', - group => 'root', - } - file { "/srv/www/https/${name}/abusesa/index.html": - ensure => present, - mode => '0644', - owner => 'root', - group => 'root', - content => '', - } + file { "/srv/www/https/${name}/abusesa": + ensure => directory, + mode => '0755', + owner => 'root', + group => 'root', + } + file { "/srv/www/https/${name}/abusesa/index.html": + ensure => present, + mode => '0644', + owner => 'root', + group => 'root', + content => '', } } diff --git a/abusesa/manifests/live.pp b/abusesa/manifests/live.pp index 3db9b05..7c72d79 100644 --- a/abusesa/manifests/live.pp +++ b/abusesa/manifests/live.pp @@ -85,7 +85,9 @@ class abusesa::live( # define abusesa::live::configwebhost($htdocs) { - abusesa::configwebhost { $name: } + if ! defined(Abusesa::Configwebhost[$name]) { + abusesa::configwebhost { $name: } + } file { "/srv/www/https/${name}/abusesa/live": ensure => link, diff --git a/abusesa/manifests/search.pp b/abusesa/manifests/search.pp index 159023a..d4edd87 100644 --- a/abusesa/manifests/search.pp +++ b/abusesa/manifests/search.pp @@ -136,7 +136,9 @@ class abusesa::search( # define abusesa::search::configwebhost($htdocs) { - abusesa::configwebhost { $name: } + if ! defined(Abusesa::Configwebhost[$name]) { + abusesa::configwebhost { $name: } + } file { "/srv/www/https/${name}/abusesa/search": ensure => link, From 23a980236377998ac89b1dbb5c7b736419c8e968 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Tue, 16 Jun 2015 15:55:06 +0300 Subject: [PATCH 22/24] abusesa: Lint fix --- abusesa/manifests/services.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/abusesa/manifests/services.pp b/abusesa/manifests/services.pp index 19e5882..96269b8 100644 --- a/abusesa/manifests/services.pp 
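Review bot: `if ! defined(Abusesa::Configwebhost[$name])` (here and in the identical search.pp hunk) is evaluation-order dependent: whether the guard sees the other define's declaration depends on which of live/search Puppet evaluates first, which is why `defined()` on resources is generally discouraged. If stdlib is available, `ensure_resource('abusesa::configwebhost', $name, {})` is the conventional idiom; otherwise a short comment explaining that both callers may declare the same vhost root, and why the guard is safe in this manifest's ordering, should accompany each guard. The enclosing defines continue outside the hunks.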
+++ b/abusesa/manifests/services.pp @@ -2,7 +2,7 @@ # class abusesa::services( $services=[], - $socketdir="/var/lib/abuserv/run", + $socketdir='/var/lib/abuserv/run', ) { include user::system From 0cc9f98ab48a4eddcbc7c9f3ff065d0e604fe601 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Mon, 22 Jun 2015 13:23:22 +0300 Subject: [PATCH 23/24] abusesa::services: Allow restricting access based on client certificate DN --- abusesa/manifests/services.pp | 1 + abusesa/templates/services/nginx.conf.erb | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/abusesa/manifests/services.pp b/abusesa/manifests/services.pp index 96269b8..1109d16 100644 --- a/abusesa/manifests/services.pp +++ b/abusesa/manifests/services.pp @@ -1,6 +1,7 @@ # Configure AbuseSA services. # class abusesa::services( + $allow_dn=undef, $services=[], $socketdir='/var/lib/abuserv/run', ) { diff --git a/abusesa/templates/services/nginx.conf.erb b/abusesa/templates/services/nginx.conf.erb index f0486b4..227bd1a 100644 --- a/abusesa/templates/services/nginx.conf.erb +++ b/abusesa/templates/services/nginx.conf.erb @@ -1,6 +1,6 @@ log_format abusesa '$remote_addr - $http_x_remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; + '"$http_referer" "$http_user_agent" "$ssl_client_s_dn"'; server { listen 8443; @@ -15,6 +15,12 @@ server { proxy_buffering off; +<% if @allow_dn -%> + if ($ssl_client_s_dn != "<%= @allow_dn %>") { + return 403; + } + +<% end -%> <% @services.each do |service| dir, sep, sock = service.rpartition('/') dir = @socketdir if dir.empty? From 0d1594a4362ed2a2d4be6856404ddc47b7bd24a8 Mon Sep 17 00:00:00 2001 From: Ossi Salmi Date: Tue, 23 Jun 2015 15:42:01 +0300 Subject: [PATCH 24/24] gnu: Lint fix --- gnu/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnu/manifests/init.pp b/gnu/manifests/init.pp index 054d02f..8034755 100644 --- a/gnu/manifests/init.pp +++ b/gnu/manifests/init.pp 
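Review bot: `<%= @allow_dn %>` is dropped verbatim into an nginx double-quoted string, so a DN containing `"` or `\` (both legal in DNs) breaks the configuration. The exact-string `!=` comparison also ties the policy to nginx's rendering of `$ssl_client_s_dn`, which changed to RFC 2253 form in nginx 1.11.6 (the old form is `$ssl_client_s_dn_legacy`), so an nginx upgrade can silently lock every client out. A `map` on `$ssl_client_s_dn` with an escaped or regex match, plus a comment documenting the expected DN format, would be more robust; the `server` block starts outside the hunk.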
@@ -13,8 +13,8 @@ class gnu::gcc { case $::operatingsystem { 'debian', 'ubuntu': { package { "kernel-headers": - name => "linux-libc-dev", ensure => installed, + name => "linux-libc-dev", } } default: {