Merge branch 'master' of git+ssh://puppet.debian.org/srv/puppet.debian.org/git/dsa...

author Martin Zobel-Helas <zobel@debian.org>

Sun, 16 May 2010 16:20:32 +0000 (18:20 +0200)

committer Martin Zobel-Helas <zobel@debian.org>

Sun, 16 May 2010 16:20:32 +0000 (18:20 +0200)
author Martin Zobel-Helas <zobel@debian.org>
Sun, 16 May 2010 16:20:32 +0000 (18:20 +0200)
committer Martin Zobel-Helas <zobel@debian.org>
Sun, 16 May 2010 16:20:32 +0000 (18:20 +0200)
diff --git a/manifests/site.pp b/manifests/site.pp

index a5d96b4deafd518e53f67ce2086ad09f1bb37e1b..3b384e73fec6a76a591c27e96dff1f5e8aaeb236 100644 (file)
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -91,7 +91,7 @@ node default {
      }
  
      case $hostname {
-        logtest01,geo1,geo2,geo3,bartok,senfl,beethoven,piatti,saens,villa,lobos,raff,gluck,schein,wieck,steffani,ball,handel,tchaikovsky: { include ferm }
+        powell,logtest01,geo1,geo2,geo3,bartok,senfl,beethoven,piatti,saens,villa,lobos,raff,gluck,schein,wieck,steffani,ball,handel,tchaikovsky: { include ferm }
      }
      case $hostname {
          zandonai,zelenka: {
@@ -146,6 +146,21 @@ node default {
                     rule            => "&SERVICE_RANGE(tcp, 8140, \$HOST_DEBIAN_V6)"
            }
          }
+       powell: {
+          @ferm::rule { "dsa-powell-v6-tunnel":
+                   description     => "Allow powell to use V6 tunnel broker",
+                   rule            => "proto ipv6 saddr 212.227.117.6 jump ACCEPT"
+          }
+          @ferm::rule { "dsa-powell-btseed":
+                    domain          => "(ip ip6)",
+                   description     => "Allow powell to seed BT",
+                   rule            => "proto tcp dport 8000:8100 jump ACCEPT"
+          }
+           @ferm::rule { "dsa-powell-rsync":
+                    description     => "Hoster wants to sync from here, and why not",
+                    rule            => "&SERVICE_RANGE(tcp, rsync, ( 195.20.242.90 192.25.206.33 82.195.75.106 206.12.19.118 ))"
+           }
+       }
         beethoven: {
            @ferm::rule { "dsa-merikanto-beethoven":
                     description     => "Allow merikanto",  # for nfs, and that uses all kind of ports by default.
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp

index 4098660c1400260dd8eb3271769a1461ddcfc89d..22a210790e536bdae8554d0d3f98cea845dd4500 100644 (file)
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -152,10 +152,15 @@ class apache2 {
          description     => "slow yahoo spider",
          rule            => "chain 'limit_yahoo' { mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit; }"
      }
+    @ferm::rule { "dsa-http-bing":
+        prio            => "21",
+        description     => "slow bing spider",
+        rule            => "chain 'limit_bing' { mod connlimit connlimit-above 2 connlimit-mask 16 jump DROP; jump http_limit; }"
+    }
      @ferm::rule { "dsa-http-rules":
          prio            => "22",
          description     => "http subchain",
-        rule            => "chain 'http' { saddr ( 74.6.22.182 74.6.18.240 ) jump limit_yahoo; saddr 124.115.0.0/21 jump limit_sosospider; mod recent name HTTPDOS update seconds 1800 jump log_or_drop; mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT; mod recent name HTTPDOS set jump log_or_drop; }"
+        rule            => "chain 'http' { saddr ( 74.6.22.182 74.6.18.240 ) jump limit_yahoo; saddr 124.115.0.0/21 jump limit_sosospider; saddr (65.52.0.0/14 207.46.0.0/16) jump limit_bing; mod recent name HTTPDOS update seconds 1800 jump log_or_drop; mod hashlimit hashlimit-name HTTPDOS hashlimit-mode srcip hashlimit-burst 600 hashlimit 30/minute jump ACCEPT; mod recent name HTTPDOS set jump log_or_drop; }"
      }
      @ferm::rule { "dsa-http":
          prio            => "23",
diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb

index ca1210f516b974f75e59e3fd3e701c9e8d092442..945c25a116cce5ce8da0fdaa63b7fbb653faa8e8 100644 (file)
--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
@@ -117,7 +117,7 @@ domainlist handled_domains = +local_domains : +virtual_domains : +bsmtp_domains
  
  localpartlist local_only_users = lsearch;/etc/exim4/localusers
  
-localpartlist postmasterish = postmaster : abuse : hostmaster : root
+localpartlist postmasterish = postmaster : abuse : hostmaster
  
  hostlist debianhosts = 127.0.0.1 : /var/lib/misc/thishost/debianhosts
  
diff --git a/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb b/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb

index d8031b775fdb2f92331edeaafd43312088b7efa8..863c2477788262388dda2e5c33f4c9417e7d4c47 100644 (file)
--- a/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb
+++ b/modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb
@@ -6,18 +6,18 @@
  <%=
  ignore = []
  case fqdn
-when /(bellini|cimarosa).debian.org/: ignore << "mcelog"
-when "busoni.debian.org":             ignore << %w{libthreads-perl libthreads-shared-perl}
-when /draghi.debian.org/:             ignore << %w{userdir-ldap libnet-dns-perl libnet-dns-sec-perl libnet-dns-zone-parser-perl libdns-ruby1.8}
-when /geo[123].debian.org/:           ignore << %w{geoip-database libgeoip1 geoip-bin}
-when /liszt.debian.org/:              ignore << "amavisd-new"
-when /stabile.debian.org/:            ignore << "xfsprogs"
-when /(zandonai|zelenka).debian.org/: ignore << %w{zabbix-agent rrdcollect}
+when /(bellini|cimarosa).debian.org/:   ignore << "mcelog"
+when "busoni.debian.org":               ignore << %w{libthreads-perl libthreads-shared-perl}
+when /draghi.debian.org/:               ignore << %w{userdir-ldap libnet-dns-perl libnet-dns-sec-perl libnet-dns-zone-parser-perl libdns-ruby1.8}
+when /geo[123].debian.org/:             ignore << %w{geoip-database libgeoip1 geoip-bin}
+when /liszt.debian.org/:                ignore << "amavisd-new"
+when /stabile.debian.org/:              ignore << "xfsprogs"
+when /(zandonai|zelenka).debian.org/:   ignore << %w{zabbix-agent rrdcollect}
  when /(dijkstra|unger|luchesi|schumann).debian.org/: ignore << "qemu-kvm"
-when /(lebrun|schroeder).debian.org/: ignore << "firmware-linux-nonfree"
-when /(peri|penalosa).debian.org/:    ignore << "linux-base"
-when "powell.debian.org":             ignore << %w{e2fslibs e2fsprogs libblkid1 libcomerr2 libss2 libuuid1 uuid-runtime}
-when "zee.debian.org":                ignore << %w{dpkg-dev dpkg}
+when /(lebrun|schroeder).debian.org/:   ignore << "firmware-linux-nonfree"
+when /(paer|peri|penalosa).debian.org/: ignore << "linux-base"
+when "powell.debian.org":               ignore << %w{e2fslibs e2fsprogs libblkid1 libcomerr2 libss2 libuuid1 uuid-runtime}
+when "zee.debian.org":                  ignore << %w{dpkg-dev dpkg}
  end
  
  case fqdn
author	Martin Zobel-Helas <zobel@debian.org>
	Sun, 16 May 2010 16:20:32 +0000 (18:20 +0200)
committer	Martin Zobel-Helas <zobel@debian.org>
	Sun, 16 May 2010 16:20:32 +0000 (18:20 +0200)
manifests/site.pp		patch \| blob \| history
modules/apache2/manifests/init.pp		patch \| blob \| history
modules/exim/templates/eximconf.erb		patch \| blob \| history
modules/nagios/templates/obsolete-packages-ignore.d-hostspecific.erb		patch \| blob \| history