From: Martin Zobel-Helas Date: Wed, 28 Jul 2010 20:42:32 +0000 (+0200) Subject: Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa... X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=fc8a2e887766e10b6c33a00c547049d6bf38801c;hp=0561366171545ce443bc6901460e523b504cfddb;p=dsa-puppet.git Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet --- diff --git a/manifests/site.pp b/manifests/site.pp index b073422a..d8a717ca 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -87,7 +87,7 @@ node default { } case $hostname { - cilea,luchesi,merikanto,paganini,rautavaara,sibelius,spohr: {} + cilea,luchesi,paganini,rautavaara,sibelius: {} default: { case $kernel { Linux: { @@ -98,6 +98,12 @@ node default { } include ferm::per-host + case $hostname { + beethoven,ravel,spohr: { + include nfs-server + } + } + case $brokenhosts { "true": { include hosts } } diff --git a/modules/debian-org/misc/local.yaml b/modules/debian-org/misc/local.yaml index 79c8cc18..7e7b28b8 100644 --- a/modules/debian-org/misc/local.yaml +++ b/modules/debian-org/misc/local.yaml 
@@ -1,11 +1,17 @@ --- nameinfo: + abel.debian.org: Carl Friedrich Abel (1723 - 1787) agnesi.debian.org: Maria Teresa Agnesi (October 17th, 1720 - January 19th, 1795) agricola.debian.org: Alexander Agricola (1445 or 1446 - August 15th, 1506) + alain.debian.org: Jehan Alain (1911 - 1940) albeniz.debian.org: Isaac Manuel Francisco Albéniz i Pascual (May 29th, 1860 - May 18th, 1909) + alwyn.debian.org: William Alwyn (1905 - 1985) ancina.debian.org: Giovanni Giovenale Ancina (October 19th, 1545 - August 30th, 1604) + antheil.debian.org: George Antheil (1900 - 1959) arcadelt.debian.org: Jacques Arcadelt (also Jacob Arcadelt) (?1507 - October 14th, 1568) argento.debian.org: Dominick Argento (b. October 27th, 1927) + arne.debian.org: Thomas Augustine Arne (1710 - 1778) + arnold.debian.org: Malcolm Henry Arnold (1921 - 2006) barber.debian.org: Samuel Barber (March 9th, 1910 - January 23rd, 1981) bartok.debian.org: Béla Viktor János Bartók (March 25th, 1881 - September 26th, 1945) beethoven.debian.org: Ludwig van Beethoven (December 16th, 1770 - March 26th, 1827) @@ -196,13 +202,19 @@ host_settings: - field.debian.org - finzi.debian.org smarthost: + abel.debian.org: mailout.debian.org agnesi.debian.org: mailout.debian.org agricola.debian.org: mailout.debian.org + alain.debian.org: mailout.debian.org albeniz.debian.org: mailout.debian.org alkman.debian.org: mailout.debian.org + alwyn.debian.org: mailout.debian.org ancina.debian.org: mailout.debian.org + antheil.debian.org: mailout.debian.org arcadelt.debian.org: mailout.debian.org argento.debian.org: mailout.debian.org + arne.debian.org: mailout.debian.org + arnold.debian.org: mailout.debian.org ball.debian.org: mailout.debian.org barber.debian.org: mailout.debian.org bartok.debian.org: mailout.debian.org diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp index 2d6c5bda..28a01897 100644 --- a/modules/ferm/manifests/per-host.pp +++ b/modules/ferm/manifests/per-host.pp 
@@ -6,7 +6,7 @@ class ferm::per-host { } } case $hostname { - franck,gluck,kaufmann,kassia,klecker,lobos,morricone,raff,ries,rietz,saens,schein,senfl,steffani,valente,villa,wieck: { + chopin,franck,gluck,kaufmann,kassia,klecker,lobos,merikanto,morricone,raff,ravel,ries,rietz,saens,schein,senfl,stabile,steffani,valente,villa,wieck: { include ferm::rsync } } @@ -17,12 +17,6 @@ class ferm::per-host { } } - case $hostname { - ravel: { - include ferm::nfs-server - } - } - case $hostname { piatti,samosa: { @ferm::rule { "dsa-udd-stunnel": @@ -31,6 +25,16 @@ class ferm::per-host { } } + paganini: { + @ferm::rule { "dsa-dhcp": + description => "Allow dhcp access", + rule => "&SERVICE(udp, 67)" + } + @ferm::rule { "dsa-tftp": + description => "Allow tftp access", + rule => "&SERVICE(udp, 69)" + } + } handel: { @ferm::rule { "dsa-puppet": description => "Allow puppet access", @@ -57,12 +61,6 @@ class ferm::per-host { rule => "&SERVICE_RANGE(tcp, rsync, ( 195.20.242.90 192.25.206.33 82.195.75.106 206.12.19.118 ))" } } - beethoven: { - @ferm::rule { "dsa-merikanto-beethoven": - description => "Allow merikanto", # for nfs, and that uses all kind of ports by default. - rule => "source 172.22.127.147 interface bond0 jump ACCEPT", - } - } heininen: { @ferm::rule { "dsa-syslog": description => "Allow syslog access", diff --git a/modules/nfs-server/files/lockd.local.modprobe b/modules/nfs-server/files/lockd.local.modprobe new file mode 100644 index 00000000..fc6f11fb --- /dev/null +++ b/modules/nfs-server/files/lockd.local.modprobe @@ -0,0 +1 @@ +options lockd nlm_udpport=10003 nlm_tcpport=10003 diff --git a/modules/nfs-server/files/nfs-common.default b/modules/nfs-server/files/nfs-common.default new file mode 100644 index 00000000..8e04ee37 --- /dev/null +++ b/modules/nfs-server/files/nfs-common.default 
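Review bot: The two rules added for paganini in the `@@ -31,6 +25,16 @@` hunk open udp/67 and udp/69 with `&SERVICE(...)`, which, judging by the `&SERVICE_RANGE(tcp, rsync, ( ... ))` rule further down the same class, accepts traffic from any source address. TFTP has no authentication, so whatever it serves is readable by anyone who can reach the port; I would scope it to the install network, e.g. `rule => "&SERVICE_RANGE(udp, 69, ( <INSTALL_NET_PLACEHOLDER> ))"`, assuming the macro takes a numeric port the way `&SERVICE` does. DHCP requests come from clients that have no address yet, so a source list does not fit there, but an `interface` match like the one in the removed beethoven rule would keep the service off the public side. The enclosing `case $hostname` block starts and ends outside this hunk.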
@@ -0,0 +1,19 @@
+# If you do not set values for the NEED_ options, they will be attempted
+# autodetected; this should be sufficient for most people. Valid alternatives
+# for the NEED_ options are "yes" and "no".
+
+# Do you want to start the statd daemon? It is not needed for NFSv4.
+NEED_STATD=
+
+# Options for rpc.statd.
+# Should rpc.statd listen on a specific port? This is especially useful
+# when you have a port-based firewall. To use a fixed port, set this
+# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
+# For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
+STATDOPTS='--port 10000 -o 10001'
+
+# Do you want to start the idmapd daemon? It is only needed for NFSv4.
+NEED_IDMAPD=
+
+# Do you want to start the gssd daemon? It is required for Kerberos mounts.
+NEED_GSSD=
diff --git a/modules/nfs-server/files/nfs-kernel-server.default b/modules/nfs-server/files/nfs-kernel-server.default
new file mode 100644
index 00000000..a6f2d420
--- /dev/null
+++ b/modules/nfs-server/files/nfs-kernel-server.default
@@ -0,0 +1,18 @@
+# Number of servers to start up
+RPCNFSDCOUNT=8
+
+# Runtime priority of server (see nice(1))
+RPCNFSDPRIORITY=0
+
+# Options for rpc.mountd.
+# If you have a port-based firewall, you might want to set up
+# a fixed port here using the --port option. For more information,
+# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
+RPCMOUNTDOPTS="-p 10002"
+
+# Do you want to start the svcgssd daemon? It is only required for Kerberos
+# exports. Valid alternatives are "yes" and "no"; the default is "no".
+NEED_SVCGSSD=
+
+# Options for rpc.svcgssd.
+RPCSVCGSSDOPTS=
diff --git a/modules/nfs-server/manifests/init.pp b/modules/nfs-server/manifests/init.pp
new file mode 100644
index 00000000..9a2b92ff
--- /dev/null
+++ b/modules/nfs-server/manifests/init.pp
@@ -0,0 +1,31 @@ +class nfs-server { + + include ferm::nfs-server + + package { + nfs-common: ensure => installed; + nfs-kernel-server: ensure => installed; + } + + file { + "/etc/default/nfs-common": + source => "puppet:///nfs-server/nfs-common.default", + require => Package["nfs-common"], + notify => Exec["nfs-common restart"]; + "/etc/default/nfs-kernel-server": + source => "puppet:///nfs-server/nfs-kernel-server.default", + require => Package["nfs-kernel-server"], + notify => Exec["nfs-kernel-server restart"]; + "/etc/modprobe.d/lockd.local": + source => "puppet:///nfs-server/lockd.local.modprobe"; + } + + exec { + "nfs-common restart": + path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", + refreshonly => true; + "nfs-kernel-server restart": + path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin", + refreshonly => true; + } +} diff --git a/modules/sudo/files/common/sudoers b/modules/sudo/files/common/sudoers index bd3cd93e..003d3b85 100644 --- a/modules/sudo/files/common/sudoers +++ b/modules/sudo/files/common/sudoers @@ -131,7 +131,7 @@ archvsync sibelius=(snapshot) NOPASSWD: /srv/2ndsnapshot/bin/update-trigger # security %security SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR] -- * %sec_public SECHOSTS=(dak) NOPASSWD: /usr/local/bin/dak new-security-install -[AR] -- * -%sec_data SECHOSTS=(archvsync) NOPASSWD: /home/archvsync/security/signal "" +%sec_public SECHOSTS=(dak) NOPASSWD: /home/dak/trigger_mirror dak SECHOSTS=(archvsync) NOPASSWD: /home/archvsync/signal_security # web stuff debwww WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors 
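Review bot: The `/etc/modprobe.d/lockd.local` resource at the end of the `file` block has no `notify` and nothing in the class reloads lockd, so the fixed `nlm_udpport`/`nlm_tcpport` values only apply the next time the module is loaded, while statd and mountd are pinned as soon as their services restart. If `ferm::nfs-server` (not shown here) admits only the fixed ports, locking would presumably fail on a server that is already running until it is rebooted. I would put a comment on that resource, e.g. `# takes effect only after the lockd module is reloaded (reboot)`, so the next person does not assume the firewall and the listener already agree. The three file resources also leave ownership and permissions to defaults; `owner => root, group => root, mode => 444` would make them explicit.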
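Review bot: The added `%sec_public SECHOSTS=(dak) NOPASSWD: /home/dak/trigger_mirror` entry drops the `""` that the removed `%sec_data` line carried, so sudo will accept any arguments for the script instead of none. If trigger_mirror takes no arguments, keep the restriction: `%sec_public SECHOSTS=(dak) NOPASSWD: /home/dak/trigger_mirror ""`. The same applies to `%fossy vivaldi=(root) /etc/init.d/fossology` in the `@@ -144,6 +144,9 @@` hunk, which runs as root; listing the permitted actions as separate entries (for instance `start`, `stop`, `restart`) would be tighter. Since `%fossy` also gets `(fossy) ALL`, it is worth confirming that the init script does not source or execute anything writable by the fossy user.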
@@ -144,6 +144,9 @@ debwww WEBHOSTS=(archvsync) NOPASSWD: /home/archvsync/webmirrors/runmirrors # geodns may reload bind geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig +# fossology +%fossy vivaldi=(root) /etc/init.d/fossology +%fossy vivaldi=(fossy) ALL # Porter work %porter-alpha albeniz=(root) NOPASSWD: /usr/sbin/upgrade-porter-chroots, /usr/bin/apt-in-chroot diff --git a/templates/syslog-ng.conf.erb b/templates/syslog-ng.conf.erb index 6231a763..f60820d0 100644 --- a/templates/syslog-ng.conf.erb +++ b/templates/syslog-ng.conf.erb @@ -1,4 +1,4 @@ -<%- if defined? syslogversion && syslogversion.to_s == "3" -%> +<%- if has_variable?("syslogversion") and syslogversion.to_s == "3" -%> @version: 3.0 <%- end -%> ## @@ -102,7 +102,7 @@ source s_local { # function to send logs to) unix-stream("/dev/log"); # messages from the kernel -<%- if defined? syslogversion && syslogversion.to_s == "2" -%> +<%- if has_variable?("syslogversion") and syslogversion.to_s == "2" -%> file("/proc/kmsg" log_prefix("kernel: ")); <%- else -%> file("/proc/kmsg" program_override("kernel: ")); @@ -112,7 +112,7 @@ source s_local { # function to send logs to) unix-dgram("/var/run/log"); # messages from the kernel -<%- if defined? syslogversion && syslogversion.to_s == "2" -%> +<%- if has_variable?("syslogversion") and syslogversion.to_s == "2" -%> file("/dev/klog" log_prefix("kernel: ")); <%- else -%> file("/dev/klog" program_override("kernel: ")); @@ -404,7 +404,7 @@ log { <%- if hostname != "heininen" -%> - <%- if defined? syslogversion && syslogversion.to_s == "3" -%> + <%- if has_variable?("syslogversion") and syslogversion.to_s == "3" -%> destination loghost-heininen { tcp("heininen.debian.org" port (5140) tls( key_file("/etc/ssl/debian/keys/thishost.key")