* 'master' of ssh://handel.debian.org/srv/puppet.debian.org/git/dsa-puppet: (26 commits)
Another file that may be changed by puppet to ignore
Maybe we don't need the sleep
eh, duh. Need sudo for this.
Try a longer wait?
wait a moment after running reconfig, so that the reload works
more accurate error message
Move reject of localonly users to predata. This allows callouts to
We push this with a Makefile for now
Correct the name to samhain ignore
Move the config file snippet to the top
Fix the posthooks
Revert "we should also samhain ignore that file"
Revert "And it's directory"
Change path to geo file
Add my key
Some tightening up
Rename the views so I don't have to make code changes
Well, there's only one way to figure out if this will work
And allow the postcommand
Also autogenerate bind config snippets
...
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+# mount.defaults: static file system information for chroots.
+# Note that the mount point will be prefixed by the chroot path
+# (CHROOT_PATH)
+#
+# <file system> <mount point> <type> <options> <dump> <pass>
+proc /proc proc defaults 0 0
+/dev/pts /dev/pts none rw,bind 0 0
+tmpfs /dev/shm tmpfs defaults 0 0
notify => Exec["apt-get update"],
;
- "/etc/apt/trusted-keys.d/buildd.debian.org.asc":
- source => "puppet:///buildd/buildd.debian.org.asc",
- mode => 664,
- notify => Exec["apt-keys-update"],
- ;
+ "/etc/apt/trusted-keys.d/buildd.debian.org.asc":
+ source => "puppet:///buildd/buildd.debian.org.asc",
+ mode => 664,
+ notify => Exec["apt-keys-update"],
+ ;
+ "/etc/schroot/mount-defaults":
+ source => "puppet:///buildd/mount-defaults",
+ require => Package["sbuild"]
+ ;
}
}
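Review bot: The new `/etc/schroot/mount-defaults` resource declares no `owner`, `group` or `mode`, so the installed file's permissions depend on whatever defaults apply to this resource collection, which are not visible in the hunk; since schroot (a setuid helper, presumably) consults this file when setting up chroots, it should be explicitly root-owned and not writable by others, e.g. `owner => root, group => root, mode => 644,` after the `source` line, matching the style used in the geodns manifest. The re-indented `buildd.debian.org.asc` entry keeps `mode => 664`, which leaves an apt trusted key group-writable; if that is not deliberate, `644` is the safer value. The enclosing file block starts outside the hunk.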
---
nameinfo:
agnesi.debian.org: Maria Teresa Agnesi (October 17, 1720 - January 19, 1795)
+ agricola.debian.org: Alexander Agricola (1445 or 1446 - August 15, 1506)
albeniz.debian.org: Isaac Manuel Francisco Albéniz i Pascual (May 29, 1860 - May 18, 1909)
+ allegri.debian.org: Gregorio Allegri (1582 - 7 February 1652)
ancina.debian.org: Giovanni Giovenale Ancina (19 October 1545 - August 30, 1604)
arcadelt.debian.org: Jacques Arcadelt (also Jacob Arcadelt) (?1507 - October 14, 1568)
argento.debian.org: Dominick Argento (b. October 27, 1927)
klecker.debian.org: Dedicated to Joel 'Espy' Klecker (1979 - July 11, 2000)
lafayette.debian.org: Eugenie Lafayette
lebrun.debian.org: Francesca Lebrun (March 24, 1756 - May 14, 1791)
+ liszt.debian.org: Franz Liszt (October 22, 1811 - July 31, 1886)
mahler.debian.org: Gustav Mahler (7 July 1860 - 18 May 1911)
mayr.debian.org: Johann(es) Simon Mayr (June 14, 1763 - December 2, 1845)
merkel.debian.org: Gustav (Adolf) Merkel (November 12, 1827 - October 30, 1885)
strauss.debian.org: Johann Baptist Strauß (October 25, 1825 - June 3, 1899)
tartini.debian.org: Giuseppe Tartini (April 8, 1692 - February 26, 1770)
unger.debian.org: Caroline Unger (October 28, 1803 - March 23, 1877)
+ valente.debian.org: Vincenzo Valente (February 21, 1855 - September 6, 1921)
verdi.debian.org: Giuseppe Fortunino Francesco Verdi (October 9 or 10, 1813 - January 27, 1901)
voltaire.debian.org: François-Marie Arouet (Voltaire) (21 November 1694 - 30 May 1778)
wagner.debian.org: Wilhelm Richard Wagner (22 May 1813 - 13 February 1883)
gandi-discount
hostmaster
keyring-maint
-leader
lintian-maint
listarchives
mailer-daemon
end
out
%>
+acl_smtp_predata = acl_check_predata
# accept domain literal syntax in e-mail addresses. To actually make use of
# this a router is also required
######################################################################
begin acl
+acl_localonly:
+ accept local_parts = +local_only_users
+ domains = +local_domains
+ hosts = !+debianhosts
+
+ deny
+
check_helo:
warn set acl_c1 = 0
condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}}
message = no mail should ever come from <$sender_address>
- deny local_parts = +local_only_users
- domains = +local_domains
- hosts = !+debianhosts
- message = mail for $local_part is only accepted internally
+ warn condition = ${if eq{$acl_m6}{}}
+ acl = acl_localonly
+ set acl_m6 = localonly
+ set acl_m7 = ${if eq{$acl_m7}{}{$local_part@$domain}{$acl_m7, $local_part@$domain}}
+
+ warn condition = ${if eq{$acl_m6}{}}
+ !acl = acl_localonly
+ set acl_m6 = normal
+
+ defer condition = ${if eq{$acl_m6}{localonly}}
+ !acl = acl_localonly
+ log_message = Only one profile at a time, please
+
+ defer condition = ${if eq{$acl_m6}{normal}}
+ acl = acl_localonly
+ log_message = Only one profile at a time, please
<%=
out=''
out
%>
+acl_check_predata:
+ deny condition = ${if eq{$acl_m6}{localonly}}
+ message = mail for $acl_m7 is only accepted internally
+
+ accept
+
+
#!!# ACL that is used after the DATA command
check_message:
require verify = header_syntax
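Review bot: `acl_m7` only ever records the first local-only recipient, because the `set acl_m7 = ...` sits inside the `warn condition = ${if eq{$acl_m6}{}}` verb, which can fire only while `acl_m6` is still empty; later recipients that also match `acl_localonly` pass the two `defer` checks and are accepted but never appended, so the `acl_check_predata` rejection names `$acl_m7` incompletely despite the concatenating expression. Move the accumulation into its own verb that runs for every matching recipient, `warn acl = acl_localonly` followed by `set acl_m7 = ${if eq{$acl_m7}{}{$local_part@$domain}{$acl_m7, $local_part@$domain}}`, and drop the `set acl_m7` from the first warn. The recipient ACL these verbs belong to continues outside the hunk.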
# USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
#
from="82.195.75.106,2001:41b8:202:deb:216:36ff:fe40:3906",command="/etc/bind/geodns/recvconf /etc/bind/geodns/recvconf.files",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2cJCkmggW6TD0UPJP9lelDno8qbYGXPeYE4+QmkqJv8mslcHxmx5tA2TvpJ9qbAUMPOdZf9ihomwPmFzz9UNZH4eDA8F126UUP5DXsh7FC7yVGSBUNdJdYS7m2wtVs8ddhrVdI+8c39D7NVGGjtUCJCWA/3fE65O183Gm+vER65SYR6LfHlEiC2FBROs6qwnjQ0yw194MnU7Jxl/GsTdZ72ArkmcPjuWsVHWtkSTt0hPfgBOyL4vSfBgl2p2eQBXCEPOaPTa1Yr5qfur1+Cj+iwadEmPfRap6rBO3wfIjbXt/KncM2uFrCXuF1TOqQxrs5LSe8dz16vf9Ckf9Ae5wQ== geodnssync@draghi (20090527)
+from="91.103.132.25,2001:4b10:100b::dead:f00d",command="/etc/bind/geodns/recvconf /etc/bind/geodns/recvconf.files",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApBLc4ZoGTtXDJ1UhgA7NEPdwqibg5BSXZfKPgfM9wn0mZooAlYzVYwNfe08UmDwrGkSjeNphmzpiDFQA27WGLCgAw8SIjunojWKvJwJcDwx2W4OPLByZaVg/wcEivC2h0+xlRc9jFqKL5cOsTnKBuD4nC7r8qnNcWxyeEEJGP4PVb2zgrGhf8UK3bAqYPuQp0pBFo4EPdorxsgThshEWg9eqB94ph7s+YXoccoWh4NlH2TaO9QdjtsWCId6uhfpcrxjhwKRkqdjofKiOhBB3vqHE+Cpe95nKHZAP5JDgqFH/L+pzyOiRqfTeYh2ivaEBl6m5F7C/QlDBOFrOZkEtXQ== geodnssync key for sgran
};
// Africa
-acl Africa {
+acl AF {
country_AO;
country_BF;
country_BI;
};
// Asia
-acl Asia {
+acl AS {
country_AE;
country_AF;
country_AM;
};
// Europe
-acl Europe {
+acl EU {
country_AD;
country_AL;
country_AT;
};
// North America
-acl NorthAmerica {
+acl NA {
country_AG;
country_AI;
country_AN;
};
// South America
-acl SouthAmerica {
+acl SA {
country_AR;
country_BO;
country_BR;
};
// Oceania
-acl Oceania {
+acl OC {
country_AS;
country_AU;
country_CK;
};
// Antarctica
-acl Antarctica {
+acl AN {
country_AQ;
country_BV;
country_GS;
+++ /dev/null
-//
-// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-//
-
-view "Africa" {
- match-clients {
- Africa;
- };
- zone "security.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.AF";
- notify no;
- };
- zone "security.geo.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.AF";
- notify no;
- };
-};
-
-view "Asia" {
- match-clients {
- Asia;
- };
- zone "security.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.AS";
- notify no;
- };
- zone "security.geo.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.AS";
- notify no;
- };
-};
-
-view "Europe" {
- match-clients {
- Europe;
- };
- zone "security.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.EU";
- notify no;
- };
- zone "security.geo.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.EU";
- notify no;
- };
-};
-
-view "NorthAmerica" {
- match-clients {
- NorthAmerica;
- };
- zone "security.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.NA";
- notify no;
- };
- zone "security.geo.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.NA";
- notify no;
- };
-};
-view "SouthAmerica" {
- match-clients {
- SouthAmerica;
- };
- zone "security.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.SA";
- notify no;
- };
- zone "security.geo.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.SA";
- notify no;
- };
-};
-view "Oceania" {
- match-clients {
- Oceania;
- };
- zone "security.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.OC";
- notify no;
- };
- zone "security.geo.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.OC";
- notify no;
- };
-};
-view "Antarctica" {
- match-clients {
- Antarctica;
- };
- zone "security.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.AN";
- notify no;
- };
- zone "security.geo.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org.AN";
- notify no;
- };
-};
-view "other" {
- match-clients { any; };
- zone "security.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org";
- notify no;
- };
- zone "security.geo.debian.org" {
- type master;
- file "/etc/bind/db.security.debian.org";
- notify no;
- };
-};
//
include "/etc/bind/named.conf.acl";
-include "/etc/bind/named.conf.geo";
+include "/etc/bind/geodns/named.conf.geo.security.debian.org";
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
+ allow-query { any; };
+ allow-update { none; };
+ allow-transfer { none; };
allow-recursion { Nagios; };
};
# USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
#
+file etc/bind/geodns/named.conf.geo.security.debian.org
+ perms 0644
+ user geodnssync
+ group geodnssync
+ postcommand /usr/sbin/named-checkconf /etc/bind/named.conf && sudo /usr/sbin/rndc reconfig
file etc/bind/geodns/db.security.debian.org
perms 0644
user geodnssync
group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org
+ postcommand sudo /etc/init.d/bind9 reload
file etc/bind/geodns/db.security.debian.org.AF
perms 0644
user geodnssync
group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.AF
+ postcommand sudo /etc/init.d/bind9 reload
file etc/bind/geodns/db.security.debian.org.AN
perms 0644
user geodnssync
group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.AN
+ postcommand sudo /etc/init.d/bind9 reload
file etc/bind/geodns/db.security.debian.org.AS
perms 0644
user geodnssync
group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.AS
+ postcommand sudo /etc/init.d/bind9 reload
file etc/bind/geodns/db.security.debian.org.EU
perms 0644
user geodnssync
group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.EU
+ postcommand sudo /etc/init.d/bind9 reload
file etc/bind/geodns/db.security.debian.org.NA
perms 0644
user geodnssync
group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.NA
+ postcommand sudo /etc/init.d/bind9 reload
file etc/bind/geodns/db.security.debian.org.OC
perms 0644
user geodnssync
group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.OC
+ postcommand sudo /etc/init.d/bind9 reload
file etc/bind/geodns/db.security.debian.org.SA
perms 0644
user geodnssync
group geodnssync
- postcommand /etc/init.d/bind9 reload
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.SA
+ postcommand sudo /etc/init.d/bind9 reload
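Review bot: For `named.conf.geo.security.debian.org` the `named-checkconf` call is a `postcommand`, so it runs after the pushed fragment is already installed; a syntactically broken fragment therefore stays in place and only the `rndc reconfig` is skipped, leaving named on its old in-memory config until the next restart, which then fails. The zone files in the same hunk get the safer shape, a `precommand` validating what is presumably the staged copy before it is installed; if `named-checkconf` accepts the view-only fragment standalone (worth confirming), the same pattern applies here: `precommand /usr/sbin/named-checkconf etc/bind/geodns/named.conf.geo.security.debian.org` with the `postcommand` reduced to `sudo /usr/sbin/rndc reconfig`. If it does not, a rejected push should at least be logged so it is noticed rather than silently left for the next restart.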
owner => root,
group => root,
;
- "/etc/bind/named.conf.geo":
- source => [ "puppet:///geodns/per-host/$fqdn/named.conf.geo",
- "puppet:///geodns/common/named.conf.geo" ],
- require => Package["bind9"],
- notify => Exec["bind9 restart"],
- owner => root,
- group => root,
- ;
"/etc/bind/named.conf.acl":
source => [ "puppet:///geodns/per-host/$fqdn/named.conf.acl",
"puppet:///geodns/common/named.conf.acl" ],
file=/etc/bind/zones/db.debian.net
file=/etc/exim4/bsmtp
<% if hostname == "geo1" || hostname == "geo2" || hostname == "geo3" -%>
-file=/etc/bind/named.conf.geo
file=/etc/bind/named.conf.acl
file=/etc/bind/named.conf.options
+file=/etc/bind/geodns/named.conf.geo.security.debian.org
+file=/etc/bind/geodns/recvconf.files
file=/etc/bind/geodns/db.security.debian.org.SA
file=/etc/bind/geodns/db.security.debian.org.OC
file=/etc/bind/geodns/db.security.debian.org.NA
%list liszt=(amavis) ALL
# geodns may reload bind
geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload
+geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig