--- /dev/null
+Facter.add("brokenhosts") do
+ confine :kernel => :linux
+ brokenhosts = "true"
+ if FileTest.exist?("/etc/hosts")
+ IO.foreach("/etc/hosts") do |x|
+ x.split.each do |y|
+ if y == Facter.value("fqdn")
+ brokenhosts = "false"
+ break
+ end
+ end
+ end
+ end
+ setcode do
+ brokenhosts == "true"
+ end
+end
+
+
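Review bot: The scan of /etc/hosts runs when the fact is defined rather than inside `setcode`, so the file is read and `Facter.value("fqdn")` is looked up again for every token of every line before Facter has even decided the fact is wanted; the `break` at L10 only leaves the inner `split.each`, so the scan continues to end of file anyway. Moving the work into `setcode`, resolving fqdn once and keeping a real boolean instead of the "true"/"false" strings makes the intent readable; the rewrite below does that. A nil fqdn currently yields "broken", and the manifest at L82-85 then includes the hosts class whose template interpolates fqdn into /etc/hosts, so it is worth deciding explicitly whether an unresolvable fqdn should trigger that rewrite. Note also that the manifest compares `$brokenhosts` against the string "true", which relies on Puppet stringifying the boolean this fact returns.
```ruby
Facter.add("brokenhosts") do
  confine :kernel => :linux
  setcode do
    # Resolve once instead of per token; nil means the fact falls back to "broken".
    fqdn = Facter.value("fqdn")
    found = false
    if fqdn && FileTest.exist?("/etc/hosts")
      IO.foreach("/etc/hosts") do |line|
        if line.split.include?(fqdn)
          found = true
          break
        end
      end
    end
    # "broken" means no line of /etc/hosts names this host's fqdn.
    !found
  end
end
```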
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##
-deb http://debian.sil.at/backports.org/ lenny-backports main
+#deb http://debian.sil.at/backports.org/ lenny-backports main
+deb http://mirror.netcologne.de/debian-backports/ lenny-backports main
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+URI ldap://db.debian.org
+BASE dc=debian,dc=org
+
+TLS_CACERT /etc/ssl/certs/spi-cacert-2008.pem
+TLS_REQCERT hard
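Review bot: `TLS_REQCERT hard` at L50 only governs sessions that actually negotiate TLS; with a plain `ldap://` URI at L46 nothing in this file forces clients to issue STARTTLS, so a client that does not ask for it (ldapsearch without -ZZ, or an application that does not set its own start_tls option) talks to db.debian.org in the clear. A comment above L46 would make that limit visible, e.g. `# TLS is only enforced for clients that request it (ldapsearch -ZZ or the application's start_tls setting); use ldaps:// if cleartext must be impossible.` Also confirm that the pinned CA file at L49 is shipped to every host this file reaches, since with REQCERT hard a missing CA file makes every TLS bind fail closed.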
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
/var/log/auth.log {
rotate 4
missingok
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive). The default is pam_unix.
+#
+session required pam_unix.so
+session optional pam_mkhomedir.so skel=/etc/skel umask=0022
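Review bot: `pam_mkhomedir.so` at L74 creates home directories with `umask=0022`, i.e. mode 0755, so every newly created home is world-readable from the first login. If homes on these hosts are meant to be private, `session optional pam_mkhomedir.so skel=/etc/skel umask=0077` is the conservative choice; if world-readable homes are intentional, say so in the header comment, because `umask=0022` otherwise reads like an oversight. `optional` also means a failed home creation does not affect the session result, which is reasonable for shared hosts but worth stating in the same comment.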
{ include geodns }
default: {}
}
-}
-
-node penalosa inherits default {
- include hosts
+ case $brokenhosts {
+ "true": { include hosts }
+ default: {}
+ }
}
source => "puppet:///files/etc/cron.d/dsa-puppet-stuff",
require => Package["cron"]
;
+ "/etc/ldap/ldap.conf":
+ source => "puppet:///files/etc/ldap/ldap.conf",
+ ;
+ "/etc/pam.d/common-session":
+ source => "puppet:///files/etc/pam.d/common-session",
+ ;
}
case $hostname {
handel: {
brahms.debian.org: Johannes Brahms (May 7, 1833 - April 3, 1897)
carver.debian.org: Robert Carver (ca.1485 - ca.1570)
chopin.debian.org: Frédéric Chopin (1 March 1810 - 17 October 1849)
+ cimarosa.debian.org: Domenico Cimarosa (17 December 1749 - 11 January 1801)
dijkstra.debian.org: Lowell Dijkstra (b.1952)
draghi.debian.org: Antonio Draghi (1635 - 16 January 1700)
duarte.debian.org: Leonora Duarte (28 July 1610 - 1678)
- klecker.debian.org
- powell.debian.org
apache2_defaultconfig:
+ - bellini.debian.org
- carver.debian.org
- draghi.debian.org
- duarte.debian.org
+ - kaufmann.debian.org
+ - klecker.debian.org
- piatti.debian.org
+ - raff.debian.org
+ - ravel.debian.org
- rore.debian.org
- saens.debian.org
- samosa.debian.org
- senfl.debian.org
- gluck.debian.org
+ - spohr.debian.org
- tartini.debian.org
buildd:
- ancina.debian.org
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# rcpthosts - recipient hosts or relay domains. This is a list of
-# all hosts that we mail exchange for. All domains that list
-# this host in their MX records should be listed here. Wildcards
-# are permitted.
-*.debian.net
# us. This is primarily only usefull for emergancy 'queue
# flushing' operations, but should be populated with a list
# of trusted machines. Wildcards are not permitted
+# bsmtp_domains - Domains that we deliver locally via bsmtp
<%=
out = ""
if nodeinfo['mailrelay']
domainlist submission_domains = ${if exists {/etc/exim4/submission-domains}{/etc/exim4/submission-domains}{}}
-domainlist handled_domains = +local_domains : +virtual_domains
+domainlist bsmtp_domains = ${if exists {/etc/exim4/bsmtp}{partial-lsearch;/etc/exim4/bsmtp}{}}
+
+domainlist handled_domains = +local_domains : +virtual_domains : +bsmtp_domains
localpartlist local_only_users = lsearch;/etc/exim4/localusers
message_size_limit = 100M
message_logs = false
-smtp_accept_max = 300
smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}}
+<% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %>
+smtp_accept_max = 300
smtp_accept_queue = 200
smtp_accept_queue_per_connection = 50
+<% else %>
+smtp_accept_max = 30
+smtp_accept_queue = 20
+smtp_accept_queue_per_connection = 10
+<% end %>
smtp_accept_reserve = 25
smtp_reserve_hosts = +debianhosts
delay_warning =
+<% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %>
queue_run_max = 50
deliver_queue_load_max = 50
queue_only_load = 15
+<% else %>
+queue_run_max = 5
+deliver_queue_load_max = 10
+queue_only_load = 5
+<% end %>
queue_list_requires_admin = false
<%= out = ""
out
%>
<%=
+out = ''
+if nodeinfo['packagesmaster']
+ out = '
+ warn domains = packages.debian.org
+ set acl_m_rprf = PackagesMail
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+'
+end
+out
+%>
+<%=
+out = ''
if nodeinfo['packagesqamaster']
out='
warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org
end
out
%>
-
+<%=
+out=''
+if nodeinfo['packagesmaster']
+ out='
+ warn condition = ${if eq {$acl_m_prf}{PackagesMail}}
+ condition = ${if eq {$sender_address}{$local_part@$domain}}
+ message = X-Packages-FromTo-Same: yes
+'
+end
+out
+%>
deny condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
!verify = sender
defer !hosts = +debianhosts
- condition = ${if >{${eval:$acl_c_scr}}{0}}
+ condition = ${if >{${eval:$acl_c_scr+0}}{0}}
ratelimit = 10 / 60m / per_rcpt / $sender_host_address
message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
<%=
!verify = header_sender
message = No valid sender found in the From:, Sender: and Reply-to: headers
+<%=
+out = ""
+if nodeinfo['packagesmaster']
+ out = '
+ deny message = Congratulations, you scored $spam_score points.
+ log_message = spam: $spam_score points.
+ condition = ${if eq {$acl_m_prf}{PackagesMail}}
+ !authenticated = *
+ !verify = certificate
+ !hosts = +debianhosts
+ condition = ${if <{$message_size}{256000}}
+ spam = pkg_user : true
+ condition = ${if >{$spam_score_int}{59}}
+'
+end
+out
+%>
accept
bsmtp:
debug_print = "R: bsmtp for $local_part@$domain"
driver = manualroute
- domains = !+local_domains
+ domains = +bsmtp_domains
require_files = /etc/exim4/bsmtp
route_list = * ${extract{file}{\
${lookup{$domain}partial-lsearch{/etc/exim4/bsmtp}\
begin retry
debian.org * F,2h,10m; G,16h,2h,1.5; F,14d,8h
-* * senders=: F,2h,10m
* rcpt_4xx F,2h,5m; F,4h,10m; F,4d,15m
* * F,2h,15m; G,16h,2h,1.5; F,4d,8h
when "draghi.debian.org" then "db.debian.org: user=mail_db group=nogroup directory=/srv/db.debian.org/mail"
- when "gluck.debian.org" then "popcon.debian.org: user=popcon group=popcon directory=/org/popcon.debian.org/mail/
-debian.com: user=nobody group=Debian directory=/org/misc/star.debian.org/
-debian.net: user=nobody group=Debian directory=/org/misc/star.debian.org/"
-
when "handel.debian.org" then "puppet.debian.org: user=sgran group=Debian directory=/srv/puppet.debian.org/mail"
when "klecker.debian.org" then "security.debian.org: user=mail_security group=nogroup directory=/org/security.debian.org/mail/
when "master.debian.org" then "vote.debian.org: user=secretary group=debvote directory=/org/vote.debian.org/mail
packages.qa.debian.org: user=qa group=qa directory=/org/packages.qa.debian.org/mail
-bugs.qa.debian.org: user=cjwatson group=qa directory=/org/bugs.qa.debian.org/mail"
+bugs.qa.debian.org: user=cjwatson group=qa directory=/org/bugs.qa.debian.org/mail
+debian.com: user=nobody group=Debian directory=/org/star.debian.star/
+debian.net: user=nobody group=Debian directory=/org/star.debian.star/"
when "merkel.debian.org" then "qa.debian.org: user=qa group=qa directory=/org/qa.debian.org/mail/
bugs.qa.debian.org: user=nobody group=nogroup directory=/org/bugs.qa.debian.org/mail/
--- /dev/null
+view "AF" {
+ match-clients {
+ AF;
+ };
+ zone "www.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.AF";
+ notify no;
+ };
+ zone "www.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.AF";
+ notify no;
+ };
+ zone "security.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.AF";
+ notify no;
+ };
+ zone "security.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.AF";
+ notify no;
+ };
+};
+
+view "AN" {
+ match-clients {
+ AN;
+ };
+ zone "www.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.AN";
+ notify no;
+ };
+ zone "www.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.AN";
+ notify no;
+ };
+ zone "security.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.AN";
+ notify no;
+ };
+ zone "security.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.AN";
+ notify no;
+ };
+};
+
+view "AS" {
+ match-clients {
+ AS;
+ };
+ zone "www.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.AS";
+ notify no;
+ };
+ zone "www.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.AS";
+ notify no;
+ };
+ zone "security.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.AS";
+ notify no;
+ };
+ zone "security.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.AS";
+ notify no;
+ };
+};
+
+view "EU" {
+ match-clients {
+ EU;
+ };
+ zone "www.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.EU";
+ notify no;
+ };
+ zone "www.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.EU";
+ notify no;
+ };
+ zone "security.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.EU";
+ notify no;
+ };
+ zone "security.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.EU";
+ notify no;
+ };
+};
+
+view "NA" {
+ match-clients {
+ NA;
+ };
+ zone "www.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.NA";
+ notify no;
+ };
+ zone "www.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.NA";
+ notify no;
+ };
+ zone "security.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.NA";
+ notify no;
+ };
+ zone "security.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.NA";
+ notify no;
+ };
+};
+
+view "OC" {
+ match-clients {
+ OC;
+ };
+ zone "www.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.OC";
+ notify no;
+ };
+ zone "www.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.OC";
+ notify no;
+ };
+ zone "security.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.OC";
+ notify no;
+ };
+ zone "security.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.OC";
+ notify no;
+ };
+};
+
+view "SA" {
+ match-clients {
+ SA;
+ };
+ zone "www.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.SA";
+ notify no;
+ };
+ zone "www.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org.SA";
+ notify no;
+ };
+ zone "security.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.SA";
+ notify no;
+ };
+ zone "security.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org.SA";
+ notify no;
+ };
+};
+
+view "default" {
+ match-clients {
+ any;
+ };
+ zone "www.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org";
+ notify no;
+ };
+ zone "www.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.www.debian.org";
+ notify no;
+ };
+ zone "security.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org";
+ notify no;
+ };
+ zone "security.geo.debian.org" {
+ type master;
+ file "/etc/bind/geodns/db.security.debian.org";
+ notify no;
+ };
+};
+
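Review bot: The file depends on view ordering and on ACLs it does not define, and neither is stated: BIND hands a query to the first view whose `match-clients` matches, so `view "default"` with `any` (L451) must stay last, and `AF` through `SA` must be ACLs defined by the `named.conf.acl` that is included before this file (L478). A header comment such as `// Views are tried in order: keep "default" (match-clients any) last. Continent ACLs are defined in named.conf.acl.` would keep a reordering from silently routing every client to the default view. None of the zone blocks restricts transfers; unless `allow-transfer` is set globally in named.conf.options, each zone is open to AXFR from anyone, and `allow-transfer { none; };` beside each `notify no;` closes that. The seven continent views are otherwise identical apart from the suffix, so generating this file from a template rather than hand-copying would keep them from drifting.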
//
include "/etc/bind/named.conf.acl";
-include "/etc/bind/geodns/named.conf.geo.security.debian.org";
+include "/etc/bind/geodns/named.conf.geo";
group geodnssync
precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail security.debian.org etc/bind/geodns/db.security.debian.org.SA
postcommand sudo /etc/init.d/bind9 reload
+file etc/bind/geodns/named.conf.geo.www.debian.org
+ perms 0644
+ user geodnssync
+ group geodnssync
+ postcommand /usr/sbin/named-checkconf /etc/bind/named.conf && sudo /usr/sbin/rndc reconfig
+file etc/bind/geodns/db.www.debian.org
+ perms 0644
+ user geodnssync
+ group geodnssync
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail www.debian.org etc/bind/geodns/db.www.debian.org
+ postcommand sudo /etc/init.d/bind9 reload
+file etc/bind/geodns/db.www.debian.org.AF
+ perms 0644
+ user geodnssync
+ group geodnssync
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail www.debian.org etc/bind/geodns/db.www.debian.org.AF
+ postcommand sudo /etc/init.d/bind9 reload
+file etc/bind/geodns/db.www.debian.org.AN
+ perms 0644
+ user geodnssync
+ group geodnssync
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail www.debian.org etc/bind/geodns/db.www.debian.org.AN
+ postcommand sudo /etc/init.d/bind9 reload
+file etc/bind/geodns/db.www.debian.org.AS
+ perms 0644
+ user geodnssync
+ group geodnssync
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail www.debian.org etc/bind/geodns/db.www.debian.org.AS
+ postcommand sudo /etc/init.d/bind9 reload
+file etc/bind/geodns/db.www.debian.org.EU
+ perms 0644
+ user geodnssync
+ group geodnssync
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail www.debian.org etc/bind/geodns/db.www.debian.org.EU
+ postcommand sudo /etc/init.d/bind9 reload
+file etc/bind/geodns/db.www.debian.org.NA
+ perms 0644
+ user geodnssync
+ group geodnssync
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail www.debian.org etc/bind/geodns/db.www.debian.org.NA
+ postcommand sudo /etc/init.d/bind9 reload
+file etc/bind/geodns/db.www.debian.org.OC
+ perms 0644
+ user geodnssync
+ group geodnssync
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail www.debian.org etc/bind/geodns/db.www.debian.org.OC
+ postcommand sudo /etc/init.d/bind9 reload
+file etc/bind/geodns/db.www.debian.org.SA
+ perms 0644
+ user geodnssync
+ group geodnssync
+ precommand /usr/sbin/named-checkzone -q -k fail -n fail -S fail -i full -m fail -M fail www.debian.org etc/bind/geodns/db.www.debian.org.SA
+ postcommand sudo /etc/init.d/bind9 reload
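Review bot: The entry at L484 receives `etc/bind/geodns/named.conf.geo.www.debian.org`, but the file bind now includes is `named.conf.geo` (L480), which this commit makes puppet-managed (L540-547) and also lists in recvconf.files (L618); unless the sender really pushes a file under the longer name, the L484 entry is dead and the naming is inconsistent. Beyond that, whoever holds the geodnssync key could deliver a fragment that named will `include`, which amounts to control over the server's zone and view configuration, whereas the `db.*` entries below only let that key replace zone data that `named-checkzone` validates first. Keeping the conf fragment puppet-only, as L540 does, and limiting this sync list to the `db.*` files bounds what the sync credential can change; if the conf entry must stay, it needs a `precommand` check like the zone entries, since the `named-checkconf` at L488 appears to run only after the file is already in place. The recvconf file continues outside the hunk.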
group => geodnssync,
mode => 775,
;
+ "/etc/bind/geodns/named.conf.geo":
+ source => [ "puppet:///geodns/per-host/$fqdn/named.conf.geo",
+ "puppet:///geodns/common/named.conf.geo" ],
+ require => Package["bind9"],
+ notify => Exec["bind9 restart"],
+ owner => root,
+ group => root,
+ ;
"/etc/bind/geodns/recvconf":
source => [ "puppet:///geodns/per-host/$fqdn/recvconf",
"puppet:///geodns/common/recvconf" ],
mode => 444,
;
+ "/usr/share/GeoIP/GeoIPv6.dat":
+ source => [ "puppet:///geodns/per-host/$fqdn/GeoIPv6.dat",
+ "puppet:///geodns/common/GeoIPv6.dat" ],
+ owner => root,
+ group => root,
+ mode => 444,
+ ;
+
"/etc/ssh/userkeys/geodnssync":
source => [ "puppet:///geodns/per-host/$fqdn/authorized_keys",
"puppet:///geodns/common/authorized_keys" ],
class hosts {
file {
- "/etc/hosts": content => template("etc-hosts.erb");
+ "/etc/hosts": content => template("hosts/etc-hosts.erb");
}
}
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+127.0.0.1 localhost
+<%= ipaddress %> <%= fqdn %> <%= hostname %>
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
if timestamp > 90 minutes for 9 cycles then exec "/etc/init.d/puppet stop"
depends on puppetd
-check process cron with pidfile /var/run/crond.pid
- start program = "/etc/init.d/cron start"
- stop program = "/etc/init.d/cron stop"
- if 5 restarts within 5 cycles then timeout
-
check file cronalive
with path /var/cache/dsa/cron.alive
- if timestamp > 120 minutes for 5 cycles then exec "/etc/init.d/cron stop"
- depends on cron
+ # a cycle is 5 minutes, 24 cycles is thus 2 hours
+ if timestamp > 120 minutes for 24 cycles then exec "/etc/init.d/cron restart"
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-postgresql-client-common
-postgresql-client-8.4
-postgresql-server-dev-8.4
-postgresql-8.4
-libpq5
-postgresql-common
-libpq-dev
-postgresql-8.4-debversion
<% if hostname == "geo1" || hostname == "geo2" || hostname == "geo3" -%>
file=/etc/bind/named.conf.acl
file=/etc/bind/named.conf.options
-file=/etc/bind/geodns/named.conf.geo.security.debian.org
+file=/etc/bind/named.conf.local
+file=/etc/bind/geodns/named.conf.geo
file=/etc/bind/geodns/recvconf.files
+file=/etc/bind/geodns/db.www.debian.org.SA
+file=/etc/bind/geodns/db.www.debian.org.OC
+file=/etc/bind/geodns/db.www.debian.org.NA
+file=/etc/bind/geodns/db.www.debian.org.EU
+file=/etc/bind/geodns/db.www.debian.org.AS
+file=/etc/bind/geodns/db.www.debian.org.AN
+file=/etc/bind/geodns/db.www.debian.org.AF
+file=/etc/bind/geodns/db.www.debian.org
file=/etc/bind/geodns/db.security.debian.org.SA
file=/etc/bind/geodns/db.security.debian.org.OC
file=/etc/bind/geodns/db.security.debian.org.NA
nagios master=(ALL) NOPASSWD: /usr/sbin/mpt-status -s
nagios powell=(ALL) NOPASSWD: /usr/local/sbin/areca-cli vsf info
nagios puccini=(ALL) NOPASSWD: /usr/local/bin/tw_cli info c0 u0 status
+nagios bellini,cimarosa=(ALL) NOPASSWD: /usr/local/bin/arcconf GETCONFIG 1 LD, /usr/local/bin/arcconf GETCONFIG 1 AD
# groups and their role accounts
%buildd ALL=(buildd) ALL
# geodns may reload bind
geodnssync geo1,geo2,geo3=(root) NOPASSWD: /etc/init.d/bind9 reload
geodnssync geo1,geo2,geo3=(root) NOPASSWD: /usr/sbin/rndc reconfig
+# archvsync triggers snapshot
+archvsync stabile=(snapshot) NOPASSWD: /srv/snapshot.debian.org/bin/update-trigger
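Review bot: The new nagios rule at L634 uses `(ALL)` as the runas spec, so the check may be launched as any account on the host rather than only root; arcconf needs root and the geodnssync rules at L638-639 already use `(root)`, so `nagios bellini,cimarosa=(root) NOPASSWD: /usr/local/bin/arcconf GETCONFIG 1 LD, /usr/local/bin/arcconf GETCONFIG 1 AD` bounds the grant without breaking the check. The same applies to the pre-existing lines at L631-633, which the commit leaves as they are. For L641, `update-trigger` runs as `snapshot`; if that script or its directory is writable by the invoking `archvsync` account, the NOPASSWD rule is equivalent to arbitrary commands as `snapshot`, so ownership of `/srv/snapshot.debian.org/bin` is worth confirming. The sudoers file continues outside the hunk.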
+++ /dev/null
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-127.0.0.1 localhost
-<%= ipaddress %> <%= fqdn %> <%= hostname %>
-
-# The following lines are desirable for IPv6 capable hosts
-::1 localhost ip6-localhost ip6-loopback
-fe00::0 ip6-localnet
-ff00::0 ip6-mcastprefix
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
-ff02::3 ip6-allhosts