From: Martin Zobel-Helas Date: Sat, 20 Apr 2013 13:13:03 +0000 (+0200) Subject: Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa... X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=919f094764925064a0affdf8df08697ae016c4eb;hp=ea3494b0c30921cece607deefb89105a6756151b;p=dsa-puppet.git Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet * 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet: secure 29.172.in-addr.arpa By default unbound answers queries for ASN112 networks on its own. Teach it to behave. Forward reverse lookups to our nameservers s/org/srv/ pick up some other useful rules this should make picconi handle mail 1&1 cleanup \%, not %% qa-core sudo to qa-web-rolex %%, not %& Use %%, not % in cron.d file
---
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index 3533856f..492823da 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -81,7 +81,7 @@ class apache2 {
 }
 }
- if $::hostname in [busoni,holter,lindberg,master,beach,buxtehude] {
+ if $::hostname in [busoni,holter,lindberg,master,beach,buxtehude,picconi] {
 include apache2::dynamic
 } else {
 @ferm::rule { 'dsa-http':
diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml
index 4f008738..dcfbfe2a 100644
--- a/modules/debian-org/misc/local.yaml
+++ b/modules/debian-org/misc/local.yaml
@@ -179,7 +179,7 @@ services:
 nagiosmaster: tchaikovsky.debian.org
 extranrpeclient:
 - orff.debian.org
- #packagesmaster: powell.debian.org
+ packagesmaster: picconi.debian.org
 packagesqamaster: quantz.debian.org
 puppetmaster: handel.debian.org
 rtmaster:
@@ -207,6 +207,7 @@ host_settings:
 - morricone.debian.org
 - muffat.debian.org
 - nono.debian.org
+ - picconi.debian.org
 - popov.debian.org
 - quantz.debian.org
 - ravel.debian.org
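Review bot: The hand-maintained host list `if $::hostname in [busoni,holter,lindberg,master,beach,buxtehude,picconi] {` in modules/apache2/manifests/init.pp has to be edited every time a web host is added, while the same merge records picconi's new role in local.yaml (`packagesmaster: picconi.debian.org`); the two can drift, and a host added to local.yaml but not here quietly gets the else-branch `@ferm::rule { 'dsa-http'` instead of apache2::dynamic, with nothing flagging the mismatch. Deriving the condition from a role class or from the local.yaml data would keep the firewall rule and the vhost configuration in one place. If the list must stay inline, a comment naming what these hosts have in common would at least explain why picconi belongs in it.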
diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb
index 9aef9459..5c9f8bb2 100644
--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
@@ -1321,11 +1321,11 @@ packages:
 file_transport = address_file
 pipe_transport = address_pipe
 domains = packages.debian.org
- require_files = /org/packages.debian.org/conf/maintainer
- data = ${lookup{$local_part}cdb{/org/packages.debian.org/conf/maintainer.cdb}}
+ require_files = /srv/packages.debian.org/conf/maintainer
+ data = ${lookup{$local_part}cdb{/srv/packages.debian.org/conf/maintainer.cdb}}
 headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
- transport_home_directory = /org/packages.debian.org/mail
- transport_current_directory = /org/packages.debian.org/mail
+ transport_home_directory = /srv/packages.debian.org/mail
+ transport_current_directory = /srv/packages.debian.org/mail
 check_ancestor
 retry_use_local_part
 no_more
diff --git a/modules/exim/templates/virtualdomains.erb b/modules/exim/templates/virtualdomains.erb
index 8a5bd1fd..627db680 100644
--- a/modules/exim/templates/virtualdomains.erb
+++ b/modules/exim/templates/virtualdomains.erb
@@ -47,6 +47,8 @@ debian.eu: user=nobody group=Debian directory=/srv/star.debian.star/"
 when "nono.debian.org" then "nm.debian.org: user=nm group=nm directory=/srv/nm.debian.org/mail/"
+ when "picconi.debian.org" then "packages.debian.org: user=pkg_user group=Debian directory=/srv/packages.debian.org/mail/"
+ when "popov.debian.org" then "popcon.debian.org: user=popcon group=popcon directory=/srv/popcon.debian.org/mail/"
 when "quantz.debian.org" then "qa.debian.org: user=qa group=qa directory=/srv/qa.debian.org/mail/
diff --git a/modules/roles/manifests/weblog_provider.pp b/modules/roles/manifests/weblog_provider.pp
index 94a9ef7a..a63c1c2f 100644
--- a/modules/roles/manifests/weblog_provider.pp
+++ b/modules/roles/manifests/weblog_provider.pp
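Review bot: The new picconi entry `when "picconi.debian.org" then "packages.debian.org: user=pkg_user group=Debian directory=/srv/packages.debian.org/mail/"` delivers as the broad `Debian` group, whereas the nono, popov and quantz entries around it each use a group dedicated to the service (nm, popcon, qa). If pkg_user has a group of its own, using it here would keep the mail directory from being reachable by every member of Debian, depending on the directory's mode; if group=Debian is deliberate, a short comment saying so would settle the question for the next reader. The quantz context line appears truncated in this rendering, so the end of the hunk cannot be checked.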
@@ -6,7 +6,7 @@ class roles::weblog_provider {
 }
 } else {
 file { '/etc/cron.d/puppet-weblog-provider':
- content => "SHELL=/bin/bash\n\n0 */4 * * * weblogsync sleep $((RANDOM % 1800)); rsync -a --delete-excluded --include '*-public-access.log-*gz' --exclude '**' /var/log/apache2/. weblogsync@ravel:-weblogs-incoming-\n",
+ content => "SHELL=/bin/bash\n\n0 */4 * * * weblogsync sleep $((RANDOM \% 1800)); rsync -a --delete-excluded --include '*-public-access.log-*gz' --exclude '**' /var/log/apache2/. weblogsync@ravel:-weblogs-incoming-\n",
 }
 }
 }
diff --git a/modules/ssh/templates/authorized_keys.erb b/modules/ssh/templates/authorized_keys.erb
index 25083be0..9c81654c 100644
--- a/modules/ssh/templates/authorized_keys.erb
+++ b/modules/ssh/templates/authorized_keys.erb
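Review bot: The change from `$((RANDOM % 1800))` to `$((RANDOM \% 1800))` sits inside a Puppet double-quoted string, so it only produces the right cron.d line if Puppet leaves the unrecognised escape `\%` untouched; cron.d turns a bare `%` in a command into a newline, which is why the backslash has to reach the file, and the three commit messages in this merge (`%%, not %&`, `\%, not %%`, `Use %%, not %`) show how easy it is to get wrong. A comment on the resource, e.g. `# cron.d treats an unescaped % as a newline, so the shell's % must reach the file as \%`, would record the reason. Moving the content into a template, where Puppet string escaping does not apply, would remove the trap altogether. The enclosing class continues outside the hunk.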
@@ -10,7 +10,6 @@ hosterkeys
 when "mahler.debian.org" then "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1bAZGQUdVBdX5N8985OG25yYO6wybV0HmL0jeyun8qOmyi15RlkP8XiWXkvBLE98Nh9Ji2UgMZog7geT65zf+bE2crxu9LmAIbNiMgh+Yk6JFCy8ZFiKmCngHLlkWlD3Z4YTYdSxiETXkE4EB1arXi3wt9h7Iq/h7ZmpVL3njaqPGhdZmo9r+c8eZnwD77VIk+pcCB5Yqh3Nu/RaNAMr9hrHfvd62NnYRG3vcdj9aQo3Cshh8tTqzw10B8lCUKrHSbtL8aFzUrZqFilcNWs36mGVnzcLya/TM1uID9z41O47ZDOfZvLkSmGPb44Jwcdt1DK8r60OBdGoHBOa337N7w== noahm@crystalline-entity"
 when "pergolesi.debian.org" then "ssh-rsa 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 hb@freenet-rz.de aka holger.baust@freenet-ag.de"
 when "pettersson.debian.org" then "from=\"nixon.acc.umu.se\" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwDw56/XK0/uQB+ZIOZIfZ3vpz9zLRuv6G0U4eU4VavqvaL0dXSNhGJLBDLlfpxtJYwYf/mSoK4WZasbbfHxz8jtIxK9c9aGkVA0GKT+xiHWB3J1SlwJaA7S7Ed8nNcG5PNOVd30BD5LimkS53Nz841e+MgZRuL9SfLALq7er03U= root@nixon"
- when "powell.debian.org", "puccini.debian.org" then "ssh-rsa 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 joerg - debianla, 2010-01-15"
 when "rem.debian.org" then "ssh-rsa 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 rmurray@cyberhq
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAt3g97cGfOA9DnAKF6h8RlFDppPtyKfjlyvG4f+gTTYAkJVxeC8aCab4rSlhxNKho6r7OoZRj408J0/rr0INtbA4FnepQBZlvWwrV3vZRafVMq6rwXF3hh22d8iDv+g2HTDiGIlgANwaRlQP56gM9C8sF7gGw4PyaU7qG8+AAn3U= flo@paradigm
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwbRijHuvIC6cZUZwUfqLT5t/4GRvqiBBmYXkRRhwMajTOBeaR6vRx9mZ+UdTAUKno8LuMNvFoovvwXBqqwH7yMa/SHgpA0wXl+bcYUbtoRbOVQEXwX/70Yoo0HLMGwoeuddjUICYZQomLYYLlkrWt1in9g4AGzqtmyCcDrxaneGYOvwJIm4sBhhJfns3j8AK7wIAaOA5fU9azR6JofX8g7QhqVrTlww0yOTlHsqheGUnLVzqPTzcJTPLDWKs9DOZT8a+IOc1R5TS2k07IFZk4TjCodW+iLCKHdudqpS8MKOY9EtfDaANl7JeCNa0NUZRVeXX9H4jtPIJ5/naa6m1XQ== Florian.Lohoff(flo,mW-N,RSA,2048)"
diff --git a/modules/sudo/files/sudoers b/modules/sudo/files/sudoers
index a5e22000..af44dcbf 100644
--- a/modules/sudo/files/sudoers
+++ b/modules/sudo/files/sudoers
@@ -112,7 +112,7 @@ nagios beethoven=(debbackup) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backup
 %wbadm ALL=(wbadm) ALL
 %mujeres ALL=(women) ALL
 %wikiadm ALL=(wiki,wikiweb) ALL
-%qa-core QAHOSTS=(qa) ALL
+%qa-core QAHOSTS=(qa,qa-web-rolex) ALL
 %gobby gombert=(gobby) ALL
 # the dak user gets to run stuff as dak-unpriv (for things like lintian checks)
diff --git a/modules/unbound/files/29.172.in-addr.arpa.key b/modules/unbound/files/29.172.in-addr.arpa.key
new file mode 100644
index 00000000..1ff6a292
--- /dev/null
+++ b/modules/unbound/files/29.172.in-addr.arpa.key
@@ -0,0 +1,3 @@
+; DS record, April 2013'
+29.172.in-addr.arpa. IN DS 29088 7 2 BAD9990C3107B7D30AB51ECEF6976CB1ABD4FF2060B641C9FCF11F4CF7459C4F
+
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index bb48f644..3a0eeb34 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -46,6 +46,14 @@ class unbound {
 mode => '0644',
 source => 'puppet:///modules/unbound/debian.org.key'
 }
+ file { '/var/lib/unbound/29.172.in-addr.arpa.key':
+ ensure => present,
+ replace => false,
+ owner => unbound,
+ group => unbound,
+ mode => '0644',
+ source => 'puppet:///modules/unbound/29.172.in-addr.arpa.key'
+ }
 file { '/etc/unbound/unbound.conf':
 content => template('unbound/unbound.conf.erb'),
 require => [
diff --git a/modules/unbound/templates/unbound.conf.erb b/modules/unbound/templates/unbound.conf.erb
index d6b3436e..080bf951 100644
--- a/modules/unbound/templates/unbound.conf.erb
+++ b/modules/unbound/templates/unbound.conf.erb
@@ -43,6 +43,7 @@ server:
 # auto-trust-anchor-file: ""
 auto-trust-anchor-file: "/var/lib/unbound/root.key"
 auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
+ auto-trust-anchor-file: "/var/lib/unbound/29.172.in-addr.arpa.key"
 # recursive: <%= @is_recursor ? "y" : "n" %>
 <% if not @is_recursor -%>
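Review bot: `%qa-core QAHOSTS=(qa,qa-web-rolex) ALL` extends an unrestricted (ALL commands) runas grant to a second account without saying what qa-web-rolex is or why the qa-core group needs full access to it, whereas the dak entry a few lines below in the same hunk is explained by a comment. A comment in that style, e.g. `# qa-core may also act as qa-web-rolex on the QA hosts (<purpose — fill in>)`, would keep the file self-documenting. If qa-core only needs a handful of commands as qa-web-rolex, listing them instead of ALL is the least-privilege form, though this page cannot tell whether that is practical.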
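Review bot: `replace => false` on the new `/var/lib/unbound/29.172.in-addr.arpa.key` resource is left unexplained; it is presumably there because unbound rewrites an `auto-trust-anchor-file` as it tracks key rollovers, so Puppet must seed the file once and never overwrite it, and the same presumably holds for the debian.org.key resource in the context above. A comment on the resource, e.g. `# replace => false: unbound updates this anchor file itself (RFC 5011); puppet only seeds the initial DS`, would keep a later cleanup from "normalising" it away and silently pinning the anchor to the April 2013 DS. The seeded file's comment line `; DS record, April 2013'` has a stray trailing apostrophe, and neither the file nor the commit records how the DS value was checked against the parent zone before being committed as a trust anchor.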
@@ -51,6 +52,16 @@ forward-zone:
 <% @ns.to_a.flatten.each do |nms| -%>
 forward-addr: <%= nms %>
 <% end -%>
+# XXX : we probably ought to forward 172.29 reverse queries to our nameserver
+# if our forwarders are not ours.
+<% else -%>
+local-zone: "29.172.in-addr.arpa" nodefault
+forward-zone:
+ name: "29.172.in-addr.arpa"
+ forward-host: ns1.debian.org
+ forward-host: ns2.debian.org
+ forward-host: ns3.debian.org
+ forward-host: ns4.debian.com
 <% end -%>
 <% if hostname == "zappa" -%>
 edns-buffer-size: 512
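Review bot: `forward-host: ns4.debian.com` in the new forward-zone for 29.172.in-addr.arpa does not match the three entries above it, which are all under debian.org; unless a debian.com host is really intended this is a typo for `forward-host: ns4.debian.org`, and as written a share of the reverse lookups for the private 172.29 range would be sent to a host the project does not run (if the zone is signed, as the trust anchor added in the previous hunk suggests, forged answers should fail validation, but those lookups would still fail). The `local-zone: "29.172.in-addr.arpa" nodefault` line is only emitted in the recursor branch; on non-recursor hosts unbound's built-in AS112 local zone presumably still answers that name with NXDOMAIN before the catch-all forward-zone is consulted, so the case the XXX comment treats as already working (forwarders that are ours) looks worth testing too. The `<% if not @is_recursor -%>` that this `<% else -%>` belongs to opens in the previous hunk.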