165 files changed, 1389 insertions, 576 deletions
diff --git a/deployment/access_classes/manifests/committers.pp b/deployment/access_classes/manifests/committers.pp index cf73f373..37c0e266 100644 --- a/deployment/access_classes/manifests/committers.pp +++ b/deployment/access_classes/manifests/committers.pp @@ -5,7 +5,7 @@ class access_classes::committers { # user, and erase the password ( see pam_auth.c in openssh code, # seek badpw ) # so the file must exist - # permission to use svn, git, etc must be added separatly + # permission to use svn, git, etc must be added separately class { 'pam::multiple_ldap_access': access_classes => ['mga-shell_access'], diff --git a/deployment/common/manifests/default_ssh_root_key.pp b/deployment/common/manifests/default_ssh_root_key.pp index 65c38fa4..b2d55a7c 100644 --- a/deployment/common/manifests/default_ssh_root_key.pp +++ b/deployment/common/manifests/default_ssh_root_key.pp @@ -83,4 +83,8 @@ class common::default_ssh_root_key { key => 'AAAAB3NzaC1yc2EAAAABIwAAAQEAsB/PAEQJE/M5c3keyef6rKQvCtTk5cdw6ujXl6n8G7D7Q6h4IgIccd5mYcBU7ij2S5N3lfOQmKJqf2Pa5pByLfXlQnhCLzsgL9X45WJmpsoVK1MzjDY8iY+aL/74tj3wiMzuzAAwwpE3EftyfscxhSwf2e11B3qDzVRmNnxPVKlm85nTygnrZ0ag4nOC6O4yC3Hh1ULhKGtNAsGNF2yRGs7IcN9ytcVhGF3WGJfRI2c2kIuKW/lXxeE04sWWb+k019ys4ah0iQoLja6xVSHgxbVlm3oDz+mGGsPtoSvtoWpvF3q9FKqGclJpboWRMo3jyP6yDRVcTMXUSONmq3N8uw==', } + ssh_authorized_key { 'ssh_key_danf': + type => 'ssh-rsa', + key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCgWFg4EsUkZ5uh34ScVbfwhVdP7kTLRwsojeF+DgmwXSPbM9NUxiCmyFrHuh3m6bxG3BPMwrDskqUrQ3z/5WX6dB/CzSP/j03EkslzaE7eTzIpGt/vKIuZHR+4Z9FZcY1pyoI44rdgW5MVC+yBoJkvBerOkvNzfiRSfQ9R4eopPNTif3vb4MP/cFzFfa3o8NMqHxhgGFhF945NlzCUmnec13sNggx1wGNFHMpWttSaQ0izgvSdb61WSswNnCjBF5t3oyh7DgI80TN/XfXfDWZPjkQUzLrh9inuPollAWfreeInoCmF8ou268efaRoSfRMZ3qdRkJLDDy2Os8eL/d3d', + } } diff --git a/deployment/common/manifests/i18n.pp b/deployment/common/manifests/i18n.pp index 7df46089..43b1fc3a 100644 --- a/deployment/common/manifests/i18n.pp +++ b/deployment/common/manifests/i18n.pp 
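Review bot: The new `ssh_key_danf` resource in `common::default_ssh_root_key` grants root SSH access wherever this class is applied, yet the hunk records nothing about the key's holder, purpose or review date. A comment above the resource such as `# danf (sysadmin) - added <DATE>, review on team change` would make the root key list auditable. The resource also sets no `user` or `ensure`; that presumably comes from a resource default earlier in the class, which starts outside the hunk, so confirm it applies here. The blob prefix suggests a 2048-bit RSA key; if the team has a minimum key policy, this is the place to check it.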
@@ -1,7 +1,7 @@ class common::i18n { package { 'locales-en': } - # push the locale everywhere, as it affect facter + # push the locale everywhere, as it affects facter file { '/etc/sysconfig/i18n': content => template('common/i18n'), } diff --git a/deployment/dns/templates/2.1.0.0.0.0.0.1.b.0.e.0.1.0.a.2.ip6.arpa.zone b/deployment/dns/templates/2.1.0.0.0.0.0.1.b.0.e.0.1.0.a.2.ip6.arpa.zone index 166408b4..8ab67138 100644 --- a/deployment/dns/templates/2.1.0.0.0.0.0.1.b.0.e.0.1.0.a.2.ip6.arpa.zone +++ b/deployment/dns/templates/2.1.0.0.0.0.0.1.b.0.e.0.1.0.a.2.ip6.arpa.zone @@ -1,10 +1,10 @@ $TTL 3D @ IN SOA ns0.mageia.org. root.mageia.org. ( - 2012110200 ; Serial + 2024090202 ; Serial 3600 ; Refresh 3600 ; Retry - 2419200 ; Expire - 86400 ; Minimum TTL + 3600000 ; Expire + 3600 ; Minimum TTL ) ; nameservers diff --git a/deployment/dns/templates/7.0.0.0.2.0.0.0.8.7.1.2.2.0.a.2.ip6.arpa.zone b/deployment/dns/templates/7.0.0.0.2.0.0.0.8.7.1.2.2.0.a.2.ip6.arpa.zone index 6dfee4ff..fdb83e63 100644 --- a/deployment/dns/templates/7.0.0.0.2.0.0.0.8.7.1.2.2.0.a.2.ip6.arpa.zone +++ b/deployment/dns/templates/7.0.0.0.2.0.0.0.8.7.1.2.2.0.a.2.ip6.arpa.zone @@ -1,10 +1,10 @@ $TTL 3D @ IN SOA ns0.mageia.org. root.mageia.org. ( - 2019070601 ; Serial + 2024090202 ; Serial 3600 ; Refresh 3600 ; Retry - 2419200 ; Expire - 86400 ; Minimum TTL + 3600000 ; Expire + 3600 ; Minimum TTL ) ; nameservers diff --git a/deployment/dns/templates/mageia.org.zone b/deployment/dns/templates/mageia.org.zone index ff8e31b6..cf3c7069 100644 --- a/deployment/dns/templates/mageia.org.zone +++ b/deployment/dns/templates/mageia.org.zone @@ -7,10 +7,10 @@ ; $Id$ $TTL 30m @ IN SOA ns0.mageia.org. root.mageia.org. ( - 2024040801 ; Serial + 2025062701 ; Serial 7200 ; Refresh 3600 ; Retry - 86400 ; Expire + 3600000 ; Expire 300 ; Minimum TTL ) 
@@ -21,6 +21,19 @@ $TTL 30m @ IN MX 10 sucuk.mageia.org. @ IN MX 20 neru.mageia.org. +; DKIM for mageia.org +sucuk._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGH25Jb2Al84XlTfSWuqZL8f6K6b+QhJjvV3zbF1/t31WmLwEt0So+p3FbFeKmaq/e0nJ+wKteTSVZsl3xwux+MaARKJDpEXslEgy+ojCedWqqpP6xLUjPuYPimGPljwkLwDoJxwvjiLa2POebec7C+R/nzaGm2nnTFwYQomqlvQIDAQAB" +sucuk._domainkey.group IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBRrdmAaYpDBHCtzkephaLX9LrMFJvgq84dS0ogTIb0xD32qxQF69FU/gEUlfTjzJooTJQC3PK7R3oLnfoWttMlbHCGg/llSfoSI0gD/4UolZokzWZY3qdqMz+zKi9+bfjz0y4Fwx5EPyda1ihHhVB6c+wq6cekhDNOH8PHhO74QIDAQAB" +sucuk._domainkey.duvel IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHYgFMZTHMYlymX0WJ17ZvgchABE+5O/c6np1gj5sBV2BPIJGs+h/i+Iq6jLYVhSOWEI+6wQKza/8r3Vr4ddi3/UPDzllfqMnKsbPHC/LscyIkQmpNiO2n0nIUhKbuVU1SsRC1B8svO9iNmEjg33/lrLiaV3DtDbGr0ozmBmeFVwIDAQAB" +sucuk._domainkey.fiona IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeFoY9MTeZD4Z3OnxUJvp6Nr5UF6+rBwCg0TwVWwe/17uCQ4M6ptDxPSGgVIMYJowg/VUcbqNLlt56kluC4mO/gVVUyPQe6EjYib+NV5PkvgHx2TOJfb27ANPiZ4f57eEFqmE3eD7SxqUqF9j2Vobt0J+XgFuyFUBzHZsRTNUpzQIDAQAB" +sucuk._domainkey.forums IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEVhhONroS/ayEPs+9fmom34EWsny7asKVxIuyJh8EzvPJmx6ODYtX/tN1ul++3xoFNHeAe5YSSGyK+7EgJ5E5wlhw6FwnHPnYp/eMsShDI2dyfYsQnS2Yc1VXkI9s83ZWaVTL9uPRDETMKDIF+QjljFQZAN+eaH55q9u3EZRrWwIDAQAB" +sucuk._domainkey.identity IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBv4aqFb9cQQkPB30zRfCtcquWKsP5G2Nhh3HSEdN0fFvOegQnGykuGq6lDED9iJuiNSVGO2cjtWtFTwX3+1/W1AW7pmaUD7U9HzPoZgxGPWtvFcJ/tZ1mjKNoGaPa5vLaVpXwxNKjPUCI+w2t5cM8JPnemW1Vm/LeEJ0XLE0InwIDAQAB" +sucuk._domainkey.madb IN TXT "v=DKIM1; k=rsa; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI9WOO3aRQLLnXc08q9HP15VY79TQZR5GqdBcYu0H+jAiuR+OKz6NUSNoYdeNQ4FSvrz27elW6thNcKQg4wYNT4tsJ8d4OU5ScFcrPJszPucVyMpkl/ybCgVq0CmXgOh1yXYwl2YY4AfzUQ6skpTE5G2abIWBvPOvs8Q92vYJ1nwIDAQAB" +sucuk._domainkey.rabbit IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZYdG5dEd0CHAYGPRG+OXm2gJTDVpjmsKkn5+4BISToAOXXyogRcJN/P6oPySlG+CyUl5PW/2nBIiiUfHNKxVSa9gPO3vS0nlEppSHulkhth4deNu8YXRgJQp31IgaD0/Cbu7CKcDJbxTKGdnMV7XPKoIxB/Mjn0TxUS+WC2WY6QIDAQAB" +sucuk._domainkey.sucuk IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdzn4W4Tl4sJ0pfhktNVlWRYFXnIwaMENqmi2vgc/P8M/zVxysVuWPcEwhy+IiVT8tMleXMt9dreErzJS+8ZmMd8oTqRXM55ZzRuBtqiecKnbIrXpecYUhh+2o0BMouTRHZvrPK5PV6Y2PrXkXwLF8qOS/eslZDk7hLRk2XBVDWwIDAQAB" +sucuk._domainkey.ml IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4uPUsb1kvNCXT1AsEBldhU/9akmeRrRHOQtI8g60K+y2fRRur5l+TJDZ/+bnyVS69AMhyfeWEaWGhQytvmkKZBQyHZ6JzS2him+HT/x7xCYOHlQ5vixy0t4jYqbYZ04pdokJ4jcJ3pU7CFisgzk2Ln7HA4JDD1Dc+kCYbOvivtQIDAQAB" +sucuk._domainkey.neru IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4uPUsb1kvNCXT1AsEBldhU/9akmeRrRHOQtI8g60K+y2fRRur5l+TJDZ/+bnyVS69AMhyfeWEaWGhQytvmkKZBQyHZ6JzS2him+HT/x7xCYOHlQ5vixy0t4jYqbYZ04pdokJ4jcJ3pU7CFisgzk2Ln7HA4JDD1Dc+kCYbOvivtQIDAQAB" + ; TODO use a loop here ml IN MX 10 sucuk.mageia.org. ml IN MX 20 neru.mageia.org. @@ -65,7 +78,9 @@ mageia.org. IN A <%= nodes['neru']['ipv4'] %> mageia.org. IN AAAA <%= nodes['neru']['ipv6'] %> ; madb on mageia.madb.org -madb IN A 163.172.201.211 +;madb IN A 163.172.201.211 +; temporarily for hosting a redirect while the real madb is down +madb IN CNAME neru ; since we have a subdomain, we cannot use a CNAME ml IN A <%= nodes['sucuk']['ipv4'] %> @@ -105,6 +120,7 @@ epoll IN CNAME sucuk forums IN CNAME sucuk forum IN CNAME sucuk +send IN CNAME sucuk bugs IN CNAME sucuk check IN CNAME sucuk gitweb IN CNAME sucuk 
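Review bot: All eleven DKIM records added under `; DKIM for mageia.org` publish keys whose `MIGfMA0G…` prefix indicates 1024-bit RSA, which RFC 8301 accepts only as the minimum while recommending 2048 bits for signers. Generating 2048-bit keys (split across several quoted strings in the TXT record) would be the durable fix. `sucuk._domainkey.ml` and `sucuk._domainkey.neru` carry the same `p=` value, so one private key signs for both subdomains; if that is intended, a comment saying so would help, otherwise one of them was pasted twice. Only the first two records set `t=s; s=email`, which looks inconsistent with the rest.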
@@ -150,5 +166,8 @@ ociaa1-c IN CNAME ociaa1 ociaa2-a IN CNAME ociaa2 ociaa2-b IN CNAME ociaa2 ociaa2-c IN CNAME ociaa2 +ncaa1-a IN CNAME ncaa1 +ncaa1-b IN CNAME ncaa1 +ncaa1-c IN CNAME ncaa1 <%# vim: set filetype=bindzone : -%> diff --git a/deployment/lists/manifests/init.pp b/deployment/lists/manifests/init.pp index ea26557e..3f06aa1f 100755 --- a/deployment/lists/manifests/init.pp +++ b/deployment/lists/manifests/init.pp @@ -33,7 +33,8 @@ class lists { } sympa::list::public {'basesystem': - subject => 'Developement discussion list about mageia basesystem', + subject => 'Development discussion list about mageia basesystem', + sender_email => [ "bugzilla_noreply@ml.${::domain}" ], topics => 'developers', } @@ -50,7 +51,7 @@ class lists { } sympa::list::public {'dev': - subject => 'Developement discussion list', + subject => 'Development discussion list', topics => 'developers', } @@ -60,7 +61,8 @@ class lists { } sympa::list::public {'gnome': - subject => 'Developement discussion list about mageia Gnome integration', + subject => 'Development discussion list about mageia Gnome integration', + sender_email => [ "bugzilla_noreply@ml.${::domain}" ], topics => 'developers', } @@ -81,8 +83,8 @@ class lists { reply_to => "i18n-discuss@ml.${::domain}", sender_subscriber => true, sender_email => [ - 'r2d2@vargas.calenco.com', - "blog@${::domain}", + # 'r2d2@vargas.calenco.com', + # "blog@${::domain}", "root@${::domain}", "subversion_noreply@ml.${::domain}", ], 
@@ -177,42 +179,49 @@ class lists { } sympa::list::public {'isobuild': - subject => 'Developement discussion list about Mageia isos', + subject => 'Development discussion list about Mageia isos', topics => 'developers', } sympa::list::public {'java': - subject => 'Developement discussion list about Java', + subject => 'Development discussion list about Java', + sender_email => [ "bugzilla_noreply@ml.${::domain}" ], topics => 'developers', } sympa::list::public {'kde': - subject => 'Developement discussion list about KDE', + subject => 'Development discussion list about KDE', + sender_email => [ "bugzilla_noreply@ml.${::domain}" ], topics => 'developers', } sympa::list::public {'kernel': - subject => 'Developement discussion list about Kernel', + subject => 'Development discussion list about Kernel', + sender_email => [ "bugzilla_noreply@ml.${::domain}" ], topics => 'developers', } sympa::list::public {'mageiatools': - subject => 'Developement discussion list about Mageiatools', + subject => 'Development discussion list about Mageiatools', + sender_email => [ "bugzilla_noreply@ml.${::domain}" ], topics => 'developers', } sympa::list::public {'perl': - subject => 'Developement discussion list about Perl', + subject => 'Development discussion list about Perl', + sender_email => [ "bugzilla_noreply@ml.${::domain}" ], topics => 'developers', } sympa::list::public {'php': - subject => 'Developement discussion list about Php', + subject => 'Development discussion list about Php', + sender_email => [ "bugzilla_noreply@ml.${::domain}" ], topics => 'developers', } sympa::list::public {'python': - subject => 'Developement discussion list about Python', + subject => 'Development discussion list about Python', + sender_email => [ "bugzilla_noreply@ml.${::domain}" ], topics => 'developers', } 
@@ -222,7 +231,7 @@ class lists { } sympa::list::public {'rpmstack': - subject => 'Developement discussion list about Mageia rpm stack', + subject => 'Development discussion list about Mageia rpm stack', topics => 'developers', } @@ -309,6 +318,7 @@ class lists { reply_to => "sysadmin-discuss@ml.${::domain}", sender_email => [ "bugzilla_noreply@ml.${::domain}" ], topics => 'sysadmin', + critical => true, } sympa::list::announce { 'soft-commits': diff --git a/deployment/main_mirror/files/mirror/mirror.readme b/deployment/main_mirror/files/mirror/mirror.readme index d5f78a1a..5846d12e 100644 --- a/deployment/main_mirror/files/mirror/mirror.readme +++ b/deployment/main_mirror/files/mirror/mirror.readme @@ -37,7 +37,7 @@ The servers below synchronise the tree directly from the Mageia rsync server. located in Curitiba (Brasil) o rsync://mirrors.kernel.org/mirrors/mageia/ located in USA and Europe - o rsync://ftp.acc.umu.se/mirror/mageia/ + o rsync://mirror.accum.se/mirror/mageia/ located in Umea (Sweden) o rsync://mirror.math.princeton.edu/pub/mageia/ located in Princeton (USA) diff --git a/deployment/main_mirror/templates/rsyncd.conf b/deployment/main_mirror/templates/rsyncd.conf index ca1b42fe..9fc93860 100644 --- a/deployment/main_mirror/templates/rsyncd.conf +++ b/deployment/main_mirror/templates/rsyncd.conf 
@@ -8,48 +8,24 @@ gid = nogroup comment = Mageia Mirror Tree hosts allow = \ 10.42.0.0/24 \ - rabbit.<%= domain %> \ - sucuk.<%= domain %> \ + 2a02:2178:2:7::/64 \ + rabbit.<%= @domain %> \ + sucuk.<%= @domain %> \ distrib-coffee.ipsl.jussieu.fr \ - distribipsl.aero.jussieu.fr \ + ftp.proxad.net \ jobbot0.ibiblio.org \ - 152.19.134.30 \ - 2610:28:3090:3000::bad:cafe:30 \ - sagres.c3sl.ufpr.br \ - 2801:82:80ff:8000::c \ - 2801:82:80ff:8000::2 \ - tiz-korg-mirror.kernel.org \ - sjc-korg-mirror.kernel.org \ - pao-korg-mirror.kernel.org \ - sfo-korg-mirror.kernel.org \ - mirrors.pdx.kernel.org \ - zeus1.kernel.org \ - zeus2.kernel.org \ - 2604:1380:45e3:2400::1 \ - 139.178.88.99 \ - 2604:1380:4601:e00::3 \ - 147.75.80.249 \ - 2001:4f8:8:10::/64 \ - 2001:4f8:1:10::/64 \ - 2001:4f8:4:6f:0:1994:3:14 \ - 2001:500:60:10::/64 \ - 2001:6b0:e:4017::/64 \ - churchill.acc.umu.se \ - 130.239.18.141 \ - 2001:6b0:e:2018::141 \ - poincare.acc.umu.se \ - 130.239.18.154 \ - 2001:6b0:e:2018::154 \ - 31.171.248.208 \ - 85.134.55.73 \ - ftp.proxad.net \ - ftp.free.fr \ - 212.27.60.27 \ - 2a01:e0c:1:1598::1 \ - mirror.math.princeton.edu \ - 147.75.69.246 + jobbot1.ibiblio.org \ + mirror.math.princeton.edu \ + poincare.accum.se \ + poincare.acc.umu.se \ + sagres.c3sl.ufpr.br \ + sv.mirrors.kernel.org \ + ny.mirrors.kernel.org \ + 147.75.69.246 \ + 2001:14ba:a417:eb00::1 \ + 2001:14ba:a417:eb00::2 [git] path = /git comment = Mageia Git repos - hosts allow = sucuk.<%= domain %> + hosts allow = sucuk.<%= @domain %> diff --git a/deployment/mga_buildsystem/manifests/config.pp b/deployment/mga_buildsystem/manifests/config.pp index 6b7ceb2b..2aeb6750 100644 --- a/deployment/mga_buildsystem/manifests/config.pp +++ b/deployment/mga_buildsystem/manifests/config.pp 
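Review bot: The rewritten `hosts allow` list drops most of the literal addresses and keeps hostnames such as `sv.mirrors.kernel.org` and `poincare.accum.se`, so access to this module now depends more on what DNS returns for the connecting host than on pinned addresses. If that trade-off is intended, say so in the template; if not, keep the address literals next to the names. The new literals `2a02:2178:2:7::/64`, `2001:14ba:a417:eb00::1` and `2001:14ba:a417:eb00::2` carry no indication of which mirror or network they belong to; an ERB comment above the list, e.g. `<%# 2001:14ba:a417:eb00::1-2: <MIRROR NAME> -%>`, would let a later reviewer prune the list safely.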
@@ -29,36 +29,18 @@ class mga_buildsystem::config { 'i586' => [ 'ecosse0', 'rabbit0', 'ecosse1', 'rabbit1', 'rabbit2' ], 'i686' => [ 'ecosse0', 'rabbit0', 'ecosse1', 'rabbit1', 'rabbit2' ], 'x86_64' => [ 'rabbit0', 'ecosse0', 'rabbit1', 'ecosse1', 'rabbit2' ], - 'armv7hl' => [ 'ociaa1-a', 'ociaa1-b'], - 'aarch64' => [ 'ociaa1-a', 'ociaa1-b'], + 'armv7hl' => [ 'ncaa1-a', 'ncaa1-b', 'ncaa1-c', 'ociaa1-a', 'ociaa1-b'], + 'aarch64' => [ 'ncaa1-a', 'ncaa1-b', 'ncaa1-c', 'ociaa1-a', 'ociaa1-b'], }, build_nodes_aliases => { 'ecosse0' => "ecosse.${::domain}", 'ecosse1' => "ecosse.${::domain}", 'rabbit0' => "rabbit.${::domain}", 'rabbit1' => "rabbit.${::domain}", - 'ec2aa1-a' => "ec2aa1.${::domain}", - 'ec2aa1-b' => "ec2aa1.${::domain}", - 'ec2aa2-a' => "ec2aa2.${::domain}", - 'ec2aa2-b' => "ec2aa2.${::domain}", - 'ec2aa3-a' => "ec2aa3.${::domain}", - 'ec2aa3-b' => "ec2aa3.${::domain}", - 'ec2x1-a' => "ec2x1.${::domain}", - 'ec2x1-b' => "ec2x1.${::domain}", - 'ec2x2-a' => "ec2x2.${::domain}", - 'ec2x2-b' => "ec2x2.${::domain}", - 'pktaa1-a' => "pktaa1.${::domain}", - 'pktaa1-b' => "pktaa1.${::domain}", - 'pktaa1-c' => "pktaa1.${::domain}", - 'pktaa1-d' => "pktaa1.${::domain}", - 'pktaa1-e' => "pktaa1.${::domain}", - 'pktaa1-f' => "pktaa1.${::domain}", + 'rabbit2' => "rabbit.${::domain}", 'ociaa1-a' => "ociaa1.${::domain}", 'ociaa1-b' => "ociaa1.${::domain}", 'ociaa1-c' => "ociaa1.${::domain}", - 'ociaa2-a' => "ociaa2.${::domain}", - 'ociaa2-b' => "ociaa2.${::domain}", - 'ociaa2-c' => "ociaa2.${::domain}", }, build_src_node => 'duvel', } @@ -191,6 +173,7 @@ class mga_buildsystem::config { '2001:bc8:628:1f00::1', # Oracle cloud VMs '2603:c026:c101:f00::/64', + $::nodes_ipaddr[ncaa1][ipv4], ] $repo_allow_from_domains = [ ".${::domain}", @@ -223,7 +206,6 @@ class mga_buildsystem::config { 'archive', 'mail', 'maintdb', - 'rebuild', ], 'posts' => [ 'genhdlist2_zstd', 
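Review bot: `ncaa1-a`, `ncaa1-b` and `ncaa1-c` are added to the `armv7hl` and `aarch64` node lists, but `build_nodes_aliases` gains no matching entries, whereas every other node named in the visible lists (`ociaa1-a`, `rabbit2`, …) has one. If the build system resolves node names through that map rather than through DNS, the new nodes will not be reachable; adding `'ncaa1-a' => "ncaa1.${::domain}",` and the `-b`/`-c` equivalents would keep the two structures in step. If the DNS CNAMEs added elsewhere in this commit are sufficient, a one-line comment saying so would explain the asymmetry.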
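Review bot: `$::nodes_ipaddr[ncaa1][ipv4],` is appended directly under the `# Oracle cloud VMs` comment, although `ncaa1` is described elsewhere in this commit as a Netcup host, so the allow list now misattributes the address. The hash keys are also barewords; quoting them avoids parser differences between Puppet versions. Suggested: `# Netcup build node` followed by `$::nodes_ipaddr['ncaa1']['ipv4'],`. The list's name and opening line are outside the hunk.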
diff --git a/deployment/mgagit/files/git_multimail.py b/deployment/mgagit/files/git_multimail.py index 39aa1458..0c5c8d7b 100644 --- a/deployment/mgagit/files/git_multimail.py +++ b/deployment/mgagit/files/git_multimail.py @@ -2571,7 +2571,7 @@ class Environment(object): def get_default_ref_ignore_regex(self): # The commit messages of git notes are essentially meaningless - # and "filenames" in git notes commits are an implementational + # and "filenames" in git notes commits are an implementation # detail that might surprise users at first. As such, we # would need a completely different method for handling emails # of git notes in order for them to be of benefit for users, @@ -3097,7 +3097,7 @@ class ConfigRecipientsEnvironmentMixin( lines = config.get_all(name) if lines is not None: lines = [line.strip() for line in lines] - # Single "none" is a special value equivalen to empty string. + # Single "none" is a special value equivalence to empty string. if lines == ['none']: lines = [''] return ', '.join(lines) diff --git a/deployment/mgagit/templates/git-post-receive-hook b/deployment/mgagit/templates/git-post-receive-hook index b72094b3..68da3200 100755 --- a/deployment/mgagit/templates/git-post-receive-hook +++ b/deployment/mgagit/templates/git-post-receive-hook @@ -90,7 +90,7 @@ def repo_shortname(): return basename -# Override the Environment class to generate an apporpriate short name which is +# Override the Environment class to generate an appropriate short name which is # used in git links and as an email prefix class MageiaEnvironment(git_multimail.Environment): def get_repo_shortname(self): diff --git a/deployment/mgagit/templates/gitolite.rc b/deployment/mgagit/templates/gitolite.rc index 07bbc244..c4c925e6 100644 --- a/deployment/mgagit/templates/gitolite.rc +++ b/deployment/mgagit/templates/gitolite.rc 
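Review bot: The comment rewritten in `ConfigRecipientsEnvironmentMixin` now reads "equivalence to empty string", which is still wrong; the intended word is "equivalent": `# Single "none" is a special value equivalent to empty string.` The `gitolite.rc` hunk further down has the same kind of slip, turning "enties" into "entities" where "entries" is meant. `git_multimail.py` looks like a vendored upstream file, so local spelling edits will presumably need re-applying on each update.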
@@ -83,7 +83,7 @@ # essential (unless you're using smart-http mode) 'ssh-authkeys', - # creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz' + # creates git-config entities from gitolite.conf file entries like 'config foo.bar = baz' 'git-config', # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out diff --git a/deployment/releasekey/templates/sign_checksums b/deployment/releasekey/templates/sign_checksums index 9483a1c9..5edf7e57 100644 --- a/deployment/releasekey/templates/sign_checksums +++ b/deployment/releasekey/templates/sign_checksums @@ -7,5 +7,5 @@ fi directory=$1 cd "$directory" for chksum in *.md5 *.sha3 *.sha512; do - gpg --homedir "<%= sign_keydir %>" --yes --sign "$chksum" + gpg --homedir "<%= @sign_keydir %>" --yes --sign "$chksum" done diff --git a/deployment/reports/templates/socket.yaml b/deployment/reports/templates/socket.yaml index 075d7a9f..6b0a8b33 100644 --- a/deployment/reports/templates/socket.yaml +++ b/deployment/reports/templates/socket.yaml @@ -1,2 +1,2 @@ --- -socket_path: /var/lib/ii/<%= nick %>/<%= server %>/<%= channel %>/in +socket_path: /var/lib/ii/<%= @nick %>/<%= @server %>/<%= @channel %>/in diff --git a/deployment/tld_redirections/manifests/init.pp b/deployment/tld_redirections/manifests/init.pp index 9815367c..18db541c 100644 --- a/deployment/tld_redirections/manifests/init.pp +++ b/deployment/tld_redirections/manifests/init.pp @@ -18,7 +18,7 @@ class tld_redirections { } } - # domaine owned by Florin Catalin Russen + # domain owned by Florin Catalin Russen redirection { "ro": } # domain owned by the association diff --git a/deployment/websites/templates/vhost_meetbot.conf b/deployment/websites/templates/vhost_meetbot.conf index a6f812c5..40a0f92a 100644 --- a/deployment/websites/templates/vhost_meetbot.conf +++ b/deployment/websites/templates/vhost_meetbot.conf 
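Review bot: The `cd "$directory"` before the signing loop is unchecked, so a wrong path leaves the script signing whatever `*.md5`, `*.sha3` and `*.sha512` files are in the current directory with the release key; `cd "$directory" || exit 1` prevents that. The loop also hands glob results straight to gpg, so `gpg --homedir "<%= @sign_keydir %>" --yes --sign -- "$chksum"` would stop a file name beginning with `-` from being read as an option. Both lines are context around the changed `--homedir` line, and the script's argument check starts outside the hunk.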
@@ -1,6 +1,6 @@ <VirtualHost *:80> ServerAdmin sysadm@mageia.org - ServerName meetbot.<%= domain %> + ServerName meetbot.<%= @domain %> DocumentRoot <%= scope.lookupvar("websites::meetbot::vhostdir") %> CustomLog /var/log/httpd/access_meetbot_log combined @@ -17,7 +17,7 @@ <VirtualHost *:443> ServerAdmin sysadm@mageia.org - ServerName meetbot.<%= domain %> + ServerName meetbot.<%= @domain %> DocumentRoot <%= scope.lookupvar("websites::meetbot::vhostdir") %> CustomLog /var/log/httpd/access_meetbot_log combined diff --git a/deployment/websites/templates/vhost_static.conf b/deployment/websites/templates/vhost_static.conf index d250a712..fcadc425 100644 --- a/deployment/websites/templates/vhost_static.conf +++ b/deployment/websites/templates/vhost_static.conf @@ -1,5 +1,5 @@ <VirtualHost *:80> - ServerName static.<%= domain %> + ServerName static.<%= @domain %> DocumentRoot <%= scope.lookupvar("websites::static::vhostdir") %> CustomLog /var/log/httpd/static_log combined @@ -40,7 +40,7 @@ </VirtualHost> <VirtualHost *:443> - ServerName static.<%= domain %> + ServerName static.<%= @domain %> DocumentRoot <%= scope.lookupvar("websites::static::vhostdir") %> CustomLog /var/log/httpd/static_log combined diff --git a/deployment/websites/templates/vhost_www.conf b/deployment/websites/templates/vhost_www.conf index 79ac0ee1..399681be 100644 --- a/deployment/websites/templates/vhost_www.conf +++ b/deployment/websites/templates/vhost_www.conf @@ -1,6 +1,6 @@ Redirect /wiki https://wiki.mageia.org/# -# Everything under /g/ is static content to be served by a seconday host +# Everything under /g/ is static content to be served by a secondary host RewriteEngine On RewriteRule ^g/(.+)$ https://static.mageia.org/g/$1 [R,L,QSA] diff --git a/deployment/wikis/templates/wiki_settings b/deployment/wikis/templates/wiki_settings index 16d9245d..ec6e647d 100644 --- a/deployment/wikis/templates/wiki_settings +++ b/deployment/wikis/templates/wiki_settings 
@@ -13,7 +13,7 @@ $wgScriptPath = "/mw-$wgLanguageCode"; $wgArticlePath = "/$wgLanguageCode/$1"; $wgUsePathInfo = true; $wgStylePath = "$wgScriptPath/skins"; -$wgStyleDirectory = '<%= wikis_templates %>/skins'; +$wgStyleDirectory = '<%= @wikis_templates %>/skins'; $wgLogo = ""; $wgDefaultSkin = 'vector'; $wgFavicon = '/mw-en/skins/cavendish/favicon.png'; diff --git a/deployment/wikis/templates/wiki_vhost.conf b/deployment/wikis/templates/wiki_vhost.conf index d4e5e0a2..4e1355bc 100644 --- a/deployment/wikis/templates/wiki_vhost.conf +++ b/deployment/wikis/templates/wiki_vhost.conf @@ -1,17 +1,19 @@ -<Directory <%= wikis_root %>> +<Directory <%= @wikis_root %>> Options +FollowSymLinks </Directory> RewriteEngine On RewriteRule ^/?$ /en/ [R] +Alias /robots.txt <%= @wikis_root %>/robots.txt + <%- for lang in wiki_languages -%> -<Directory <%= wikis_root %>/<%= lang %>/images> +<Directory <%= @wikis_root %>/<%= lang %>/images> SetHandler default-handler </Directory> -Alias /<%= lang %> <%= wikis_root %>/<%= lang %>/index.php -Alias /mw-<%= lang %> <%= wikis_root %>/<%= lang %> +Alias /<%= lang %> <%= @wikis_root %>/<%= lang %>/index.php +Alias /mw-<%= lang %> <%= @wikis_root %>/<%= lang %> <%- end -%> diff --git a/external/concat/manifests/init.pp b/external/concat/manifests/init.pp index e7b2f4b1..c2039349 100644 --- a/external/concat/manifests/init.pp +++ b/external/concat/manifests/init.pp @@ -86,7 +86,7 @@ # # ALIASES: # - The exec can notified using Exec["concat_/path/to/file"] or Exec["concat_/path/to/directory"] -# - The final file can be referened as File["/path/to/file"] or File["concat_/path/to/file"] +# - The final file can be referenced as File["/path/to/file"] or File["concat_/path/to/file"] define concat($mode = 0644, $owner = "root", $group = "root", $warn = "false", $force = "false", $backup = "puppet") { $safe_name = regsubst($name, '/', '_', 'G') $concatdir = $concat::setup::concatdir 
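Review bot: The loop header `<%- for lang in wiki_languages -%>` in `wiki_vhost.conf` still reads a bare template variable while every `wikis_root` reference in this hunk was converted to `@wikis_root`. Bare variable access in ERB templates is what this commit is migrating away from, so the template will presumably still fail or warn on that line; `<%- for lang in @wiki_languages -%>` completes the conversion. The new `Alias /robots.txt` assumes a `robots.txt` is deployed under `@wikis_root`, which is not visible in this part of the diff.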
diff --git a/external/sshkeys/README.rst b/external/sshkeys/README.rst index f770e4bf..73b136d6 100644 --- a/external/sshkeys/README.rst +++ b/external/sshkeys/README.rst @@ -25,13 +25,13 @@ the `sshkeys::keymaster` class on the puppet master node:: include sshkeys::keymaster Before installing the key, we need to create it. This is done with the -`create_key` ressource, on the puppet master node. We can create the key +`create_key` resource, on the puppet master node. We can create the key `key1`:: sshkeys::create_key{key1: } If we want to install the `key1` key pair for user `user1`, we can use -the `set_client_key_pair` ressource:: +the `set_client_key_pair` resource:: sshkeys::set_client_key_pair{'key1-for-user1': keyname => 'key1', @@ -40,10 +40,10 @@ the `set_client_key_pair` ressource:: } The `key1` private and public keys should now be installed for user -`user1` on the node on which we created this ressource. +`user1` on the node on which we created this resource. If we want to allow the key `key1` to connect to the `user2` account, -we use the `set_authorized_keys` ressource:: +we use the `set_authorized_keys` resource:: sshkeys::set_authorized_keys{'key1-to-user2': keyname => 'key1', diff --git a/manifests/defaults.pp b/manifests/defaults.pp index 762cd146..85f3f31c 100644 --- a/manifests/defaults.pp +++ b/manifests/defaults.pp @@ -30,8 +30,6 @@ Service { ensure => running, } -if versioncmp($::lsbdistrelease, '2') >= 0 { - Service { - provider => systemd, - } +Service { + provider => systemd, } diff --git a/manifests/nodes/duvel.pp b/manifests/nodes/duvel.pp index 70bbb242..772e43dc 100644 --- a/manifests/nodes/duvel.pp +++ b/manifests/nodes/duvel.pp @@ -13,7 +13,7 @@ node duvel { include subversion::client include subversion::server include puppet::master - include reports::ii + #include reports::ii include sshkeys::keymaster include mga_buildsystem::mainnode 
diff --git a/manifests/nodes/friteuse.pp b/manifests/nodes/friteuse.pp index 9c0fdde1..b096021e 100644 --- a/manifests/nodes/friteuse.pp +++ b/manifests/nodes/friteuse.pp @@ -1,5 +1,5 @@ node friteuse { -# Location: VM hosted by nfrance (toulouse) +# Location: VM hosted on sucuk # include common::default_mageia_server timezone::timezone { 'Europe/Paris': } diff --git a/manifests/nodes/ncaa1.pp b/manifests/nodes/ncaa1.pp new file mode 100644 index 00000000..b512939a --- /dev/null +++ b/manifests/nodes/ncaa1.pp @@ -0,0 +1,7 @@ +node ncaa1 { +# Location: Netcup, Vienna +# + include common::default_mageia_server + include mga_buildsystem::buildnode + timezone::timezone { 'Europe/Paris': } +} diff --git a/manifests/nodes/neru.pp b/manifests/nodes/neru.pp index 8af61124..66958059 100644 --- a/manifests/nodes/neru.pp +++ b/manifests/nodes/neru.pp @@ -24,6 +24,16 @@ node neru { include access_classes::web include openssh::ssh_keys_from_ldap + # temporary redirects for madb (2024-11) until it gets hosted on Mageia infra + apache::vhost_redirect { "madb.${::domain}": + url => "https://madb.mageialinux-online.org/", + } + apache::vhost_redirect { "ssl_madb.${::domain}": + use_ssl => true, + vhost => "madb.${::domain}", + url => "https://madb.mageialinux-online.org/", + } + openldap::slave_instance { '1': rid => 1, } diff --git a/manifests/nodes/ociaa1.pp b/manifests/nodes/ociaa1.pp new file mode 100644 index 00000000..ce476665 --- /dev/null +++ b/manifests/nodes/ociaa1.pp @@ -0,0 +1,7 @@ +node ociaa1 { +# Location: ? +# + include common::default_mageia_server + include mga_buildsystem::buildnode + timezone::timezone { 'Europe/Paris': } +} diff --git a/manifests/nodes/rabbit.pp b/manifests/nodes/rabbit.pp index ae4d4b08..2436219b 100644 --- a/manifests/nodes/rabbit.pp +++ b/manifests/nodes/rabbit.pp 
@@ -21,8 +21,8 @@ node rabbit { } youri-check::check {'check_cauldron': version => 'cauldron', - hour => '*/2', - minute => 10 + hour => '1-23/2', + minute => 30 } # for testing iso quickly diff --git a/manifests/nodes/sucuk.pp b/manifests/nodes/sucuk.pp index c13d11cf..e56fd113 100644 --- a/manifests/nodes/sucuk.pp +++ b/manifests/nodes/sucuk.pp @@ -4,6 +4,7 @@ node sucuk { include common::default_mageia_server_no_smtp timezone::timezone { 'Europe/Paris': } + include openssh::ssh_keys_from_ldap include access_classes::admin include postgresql::server diff --git a/manifests/nodes_ip.pp b/manifests/nodes_ip.pp index ca395ac0..28c85316 100644 --- a/manifests/nodes_ip.pp +++ b/manifests/nodes_ip.pp @@ -60,6 +60,9 @@ $nodes_ipaddr = { }, ociaa2 => { ipv6 => '2603:c026:c101:f00::1:2', + }, + ncaa1 => { + ipv4 => '89.58.19.166', } } diff --git a/modules/amavis/templates/amavisd.conf b/modules/amavis/templates/amavisd.conf index def495a9..84a44944 100644 --- a/modules/amavis/templates/amavisd.conf +++ b/modules/amavis/templates/amavisd.conf @@ -22,10 +22,7 @@ $daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g # a convenient default for other settings could be localhost.localdomain # or change this as your needs -<% if scope.function_versioncmp([lsbdistrelease, '6']) >= 0 -%> -$MYHOME = '/run/amavis'; -<% end %> -# $MYHOME = '/var/lib/amavis'; # a convenient default for other settings, -H +$MYHOME = '/run/amavis'; # a convenient default for other settings, -H $TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T $ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc. $QUARANTINEDIR = '/var/spool/amavis/virusmails'; # -Q 
@@ -444,7 +441,7 @@ $banned_filename_re = new_RE( # qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, # ], # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, - # currupted or protected archives are to be handled + # corrupted or protected archives are to be handled ### http://www.kaspersky.com/ # ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], diff --git a/modules/apache/manifests/base.pp b/modules/apache/manifests/base.pp index b24b740e..4e1d6ed4 100644 --- a/modules/apache/manifests/base.pp +++ b/modules/apache/manifests/base.pp @@ -1,25 +1,12 @@ class apache::base { include apache::var - # apache-mpm-prefork is merged from mga3 up - $apache_server = $lsbdistrelease ? { - /1|2/ => 'apache-mpm-prefork', - default => 'apache', - } + $conf_d = '/etc/httpd/conf/conf.d' - package { $apache_server: + package { 'apache': alias => 'apache-server', } - if versioncmp($::lsbdistrelease, '2') <= 0 { - $conf_d = '/etc/httpd/conf.d' - - # only needed on mga1 and mga2 - package { $apache::var::pkg_conf: } - } else { - $conf_d = '/etc/httpd/conf/conf.d' - } - service { 'httpd': alias => 'apache', subscribe => [ Package['apache-server'] ], @@ -40,6 +27,8 @@ class apache::base { '/etc/httpd/conf/vhosts.d/00_default_vhosts.conf': content => template('apache/00_default_vhosts.conf'), require => Package[$apache::var::pkg_conf]; + '/etc/httpd/conf/modules.d/50_mod_deflate.conf': + content => template('apache/50_mod_deflate.conf'); } file { '/etc/logrotate.d/httpd': diff --git a/modules/apache/manifests/mod/fcgid.pp b/modules/apache/manifests/mod/fcgid.pp index 6c815681..b8186a64 100644 --- a/modules/apache/manifests/mod/fcgid.pp +++ b/modules/apache/manifests/mod/fcgid.pp @@ -1,4 +1,11 @@ class apache::mod::fcgid { include apache::base package { 'apache-mod_fcgid': } + + file { 'urlescape': + path => '/usr/local/bin/urlescape', + mode => '0755', + notify => Service['apache'], + content => template('apache/urlescape'), + } } 
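Review bot: The new `file { 'urlescape': }` resource in `apache::mod::fcgid` installs an executable into `/usr/local/bin` with `mode => '0755'` but pins neither owner nor group, so ownership depends on resource defaults that are not visible here. Adding `owner => 'root',` and `group => 'root',` makes the intent explicit for a helper that Apache will presumably invoke. The `apache/urlescape` template itself is not in this part of the diff, so its handling of input could not be reviewed; a comment stating what calls it would help.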
diff --git a/modules/apache/manifests/var.pp b/modules/apache/manifests/var.pp index 2c33a23f..4a6d68eb 100644 --- a/modules/apache/manifests/var.pp +++ b/modules/apache/manifests/var.pp @@ -8,9 +8,5 @@ class apache::var( $apache_group = 'apache', $default_vhost_redirect = '' ) { - if ($::lsbdistrelease == '1') or ($::lsbdistid == 'MandrivaLinux') { - $pkg_conf = 'apache-conf' - } else { - $pkg_conf = 'apache' - } + $pkg_conf = 'apache' } diff --git a/modules/apache/templates/01_default_ssl_vhost.conf b/modules/apache/templates/01_default_ssl_vhost.conf index c9cdcfcd..323bf145 100644 --- a/modules/apache/templates/01_default_ssl_vhost.conf +++ b/modules/apache/templates/01_default_ssl_vhost.conf @@ -15,7 +15,7 @@ # General setup for the virtual host DocumentRoot "/var/www/html" #ServerName localhost:443 -ServerAdmin root@<%= domain %> +ServerAdmin root@<%= @domain %> ErrorLog logs/ssl_error_log <IfModule mod_log_config.c> @@ -38,10 +38,10 @@ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:EC # connect. Disable SSLv2/v3 access by default: SSLProtocol ALL -SSLv2 -SSLv3 -<%- if wildcard_sslcert == 'true' then -%> -SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt -SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key -SSLCACertificateFile /etc/ssl/wildcard.<%= domain %>.pem +<%- if @wildcard_sslcert == 'true' then -%> +SSLCertificateFile /etc/ssl/wildcard.<%= @domain %>.crt +SSLCertificateKeyFile /etc/ssl/wildcard.<%= @domain %>.key +SSLCACertificateFile /etc/ssl/wildcard.<%= @domain %>.pem SSLVerifyClient None <%- else -%> SSLCertificateFile /etc/ssl/apache/localhost.pem diff --git a/modules/apache/templates/50_mod_deflate.conf b/modules/apache/templates/50_mod_deflate.conf new file mode 100644 index 00000000..5192bf6e --- /dev/null +++ b/modules/apache/templates/50_mod_deflate.conf 
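Review bot: `SSLProtocol ALL -SSLv2 -SSLv3` in the default SSL vhost still leaves TLS 1.0 and 1.1 enabled where the OpenSSL build offers them; the line is unchanged context, but this template is being touched anyway. `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` restricts the default vhost to TLS 1.2 and later. Separately, `@wildcard_sslcert == 'true'` compares against a string, so a boolean `true` passed from Puppet would select the `localhost.pem` branch; confirm the variable's type where it is set, which is outside the hunk.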
@@ -0,0 +1,36 @@ +<IfModule mod_deflate.c> + # Compress HTML, CSS, JavaScript, JSON, Text, XML and fonts + AddOutputFilterByType DEFLATE application/javascript + AddOutputFilterByType DEFLATE application/json + AddOutputFilterByType DEFLATE application/rss+xml + AddOutputFilterByType DEFLATE application/vnd.ms-fontobject + AddOutputFilterByType DEFLATE application/x-font + AddOutputFilterByType DEFLATE application/x-font-opentype + AddOutputFilterByType DEFLATE application/x-font-otf + AddOutputFilterByType DEFLATE application/x-font-truetype + AddOutputFilterByType DEFLATE application/x-font-ttf + AddOutputFilterByType DEFLATE application/x-javascript + AddOutputFilterByType DEFLATE application/xhtml+xml + AddOutputFilterByType DEFLATE application/xml + AddOutputFilterByType DEFLATE font/opentype + AddOutputFilterByType DEFLATE font/otf + AddOutputFilterByType DEFLATE font/ttf + AddOutputFilterByType DEFLATE image/svg+xml + AddOutputFilterByType DEFLATE image/x-icon + AddOutputFilterByType DEFLATE text/css + AddOutputFilterByType DEFLATE text/html + AddOutputFilterByType DEFLATE text/javascript + AddOutputFilterByType DEFLATE text/plain + AddOutputFilterByType DEFLATE text/xml + + # Level of compression (9=highest compression level) + DeflateCompressionLevel 1 + + # Do not compress certain file types + SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|heif|heic|webp|mp4|mov|mpg|webm|avi)$ no-gzip dont-vary + SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|xz|zst|lzo|lzma|sit|rar|cab|rpm)$ no-gzip dont-vary + SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary + + # Make sure proxies don't deliver the wrong content + Header append Vary User-Agent env=!dont-vary +</IfModule> diff --git a/modules/apache/templates/django.wsgi b/modules/apache/templates/django.wsgi index aa0b82c8..2188e1e7 100644 --- a/modules/apache/templates/django.wsgi +++ b/modules/apache/templates/django.wsgi 
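Review bot: Because `apache::base` installs this file into `modules.d` for every host, `text/html`, `application/json` and the XML types are now compressed on the TLS vhosts too, and the file has no opt-out for pages that carry secrets. Where a response mixes a session-bound secret (a CSRF token, for instance) with reflected request data, compression under TLS is the precondition for BREACH-style length side channels. Which vhosts serve such pages cannot be seen from this hunk. Consider turning compression off for them, for example `SetEnv no-gzip 1` in the relevant vhost or `<Location>`. Separately, `Header append Vary User-Agent env=!dont-vary` needs mod_headers but is guarded only by `<IfModule mod_deflate.c>`; wrapping that one line in `<IfModule mod_headers.c>` avoids a configuration error where mod_headers is not loaded.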
@@ -6,8 +6,8 @@ if path not in sys.path: sys.path.append(path) <%- end -%> -<%- if django_module -%> -os.environ['DJANGO_SETTINGS_MODULE'] = '<%= django_module %>.settings' +<%- if @django_module -%> +os.environ['DJANGO_SETTINGS_MODULE'] = '<%= @django_module %>.settings' <%- else -%> os.environ['DJANGO_SETTINGS_MODULE'] = 'settings' <%- end -%> diff --git a/modules/apache/templates/logrotate b/modules/apache/templates/logrotate index 0ae57120..4d90e47e 100644 --- a/modules/apache/templates/logrotate +++ b/modules/apache/templates/logrotate @@ -1,7 +1,14 @@ /var/log/httpd/*_log /var/log/httpd/apache_runtime_status /var/log/httpd/ssl_mutex { -<% if @hostname == 'duvel' then %> +<% if @hostname == 'duvel' %> rotate 60 daily +<% elsif @hostname == 'friteuse' %> + # The virtual disk is very small so keep log sizes down + rotate 52 + weekly +<% elsif @hostname == 'sucuk' %> + rotate 52 + weekly <% else %> rotate <%= scope.lookupvar('apache::var::httpdlogs_rotate') %> monthly diff --git a/modules/apache/templates/mod/php.conf b/modules/apache/templates/mod/php.conf index 6d64ffb8..8bc20078 100644 --- a/modules/apache/templates/mod/php.conf +++ b/modules/apache/templates/mod/php.conf @@ -1,5 +1,5 @@ # as php insist to have this value set, let's # look on the system for him -php_value date.timezone "<%= php_date_timezone %>" -php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f root@<%= domain %>" +php_value date.timezone "<%= @php_date_timezone %>" +php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f root@<%= @domain %>" diff --git a/modules/apache/templates/mod/wsgi.conf b/modules/apache/templates/mod/wsgi.conf index 347affc6..18678bc6 100644 --- a/modules/apache/templates/mod/wsgi.conf +++ b/modules/apache/templates/mod/wsgi.conf 
@@ -7,6 +7,6 @@ WSGIRestrictStdout Off # WSGIRestrictSignal Off # reenabled, as this prevent apache from restarting properly -# make sure transifex client work fine, as we need wsgi to pass autorisation +# make sure transifex client work fine, as we need wsgi to pass authorisation # header to django ( otherwise, this just show error 401 ) WSGIPassAuthorization On diff --git a/modules/apache/templates/urlescape b/modules/apache/templates/urlescape new file mode 100644 index 00000000..8feb7fa4 --- /dev/null +++ b/modules/apache/templates/urlescape @@ -0,0 +1,9 @@ +#!/usr/bin/python3 -u +# URL escape each path given on stdin +import sys +import urllib.parse +while True: + l = sys.stdin.readline() + if not l: + break + print(urllib.parse.quote(l.rstrip("\n"))) diff --git a/modules/apache/templates/vhost_base.conf b/modules/apache/templates/vhost_base.conf index 84c8f918..da26b683 100644 --- a/modules/apache/templates/vhost_base.conf +++ b/modules/apache/templates/vhost_base.conf @@ -1,4 +1,4 @@ -<%- if use_ssl then +<%- if @use_ssl then port = 443 else port = 80 @@ -6,19 +6,19 @@ end -%> <VirtualHost *:<%= port %>> -<%- if use_ssl then -%> +<%- if @use_ssl then -%> <%= scope.function_template(["apache/vhost_ssl.conf"]) %> <%- end -%> - ServerName <%= real_vhost %> -<%- server_aliases.each do |key| -%> + ServerName <%= @real_vhost %> +<%- @server_aliases.each do |key| -%> ServerAlias <%= key %> <%- end -%> - DocumentRoot <%= location %> + DocumentRoot <%= @location %> - CustomLog <%= real_access_logfile %> combined - ErrorLog <%= real_error_logfile %> + CustomLog <%= @real_access_logfile %> combined + ErrorLog <%= @real_error_logfile %> -<%- if enable_public_html -%> +<%- if @enable_public_html -%> #TODO add the rest UserDir public_html <%- else -%> 
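Review bot: The `while True` loop in the new `urlescape` helper reads stdin as text, so a query string containing bytes that are not valid in the process locale can raise in `readline()` or in `quote()` and end the script. The helper is wired in as a long-running `prg:` RewriteMap, and as far as I know httpd does not restart such a program, so one malformed request could leave the map unusable until the next restart. Reading bytes avoids both failure modes, since `quote()` accepts bytes directly: `l = sys.stdin.buffer.readline()` and `print(urllib.parse.quote(l.rstrip(b"\n")))`. A short comment noting that the script must answer every input line with exactly one output line would also help the next maintainer.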
@@ -27,19 +27,19 @@ end </IfModule> <%- end -%> -<%- aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%> - Alias <%= key %> <%= aliases[key] %> +<%- @aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%> + Alias <%= key %> <%= @aliases[key] %> <%- end -%> - <%= content %> + <%= @content %> -<%- if options.length > 0 -%> - <Directory <%= location %>> - Options <%= options.join(" ") %> +<%- if @options.length > 0 -%> + <Directory <%= @location %>> + Options <%= @options.join(" ") %> </Directory> <%- end -%> -<%- if enable_location -%> +<%- if @enable_location -%> <Location /> <IfModule mod_authz_core.c> Require all granted diff --git a/modules/apache/templates/vhost_django_app.conf b/modules/apache/templates/vhost_django_app.conf index 3310045e..d85cf7a9 100644 --- a/modules/apache/templates/vhost_django_app.conf +++ b/modules/apache/templates/vhost_django_app.conf @@ -1 +1 @@ -WSGIScriptAlias / /usr/local/lib/wsgi/<%= name %>.wsgi +WSGIScriptAlias / /usr/local/lib/wsgi/<%= @name %>.wsgi diff --git a/modules/apache/templates/vhost_fcgid.conf b/modules/apache/templates/vhost_fcgid.conf index 17b2bb06..f137c866 100644 --- a/modules/apache/templates/vhost_fcgid.conf +++ b/modules/apache/templates/vhost_fcgid.conf @@ -1,8 +1,8 @@ AddHandler fcgid-script .pl -<%- script_aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%> - ScriptAlias <%= key %> <%= script_aliases[key] %> +<%- @script_aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%> + ScriptAlias <%= key %> <%= @script_aliases[key] %> <%- end -%> -FcgidMinProcessesPerClass <%= process %> +FcgidMinProcessesPerClass <%= @process %> FcgidIdleTimeout 30 # These robots were scraping the whole of svnweb in 2024-04, causing severe 
@@ -13,4 +13,29 @@ FcgidIdleTimeout 30 RewriteEngine on RewriteCond %{HTTP_USER_AGENT} ClaudeBot|Amazonbot RewriteRule . - [R=403,L] + +# Block expensive SVN operations on all common robots ("spider" covers a +# bunch). "Expensive" is considered to be most operations other than showing a +# directory or downloading a specific version of a file. +# Note: eliminating view=log and annotate= doesn't make much difference to the +# CPU load when robots are hitting the server in real world operation. +RewriteCond %{QUERY_STRING} pathrev=|r1= +RewriteCond %{HTTP_USER_AGENT} "Googlebot|GoogleOther|bingbot|Yahoo! Slurp|ClaudeBot|Amazonbot|YandexBot|SemrushBot|Barkrowler|DataForSeoBot|PetalBot|facebookexternalhit|GPTBot|ImagesiftBot|spider|Spider|iPod|Trident|Presto" +RewriteRule . - [R=403,L] + +# Only let expensive operations through when a cookie is set. If no cookie is +# set, redirect to a page where it will be set using JavaScript and redirect +# back. This will block requests from user agents that do not support +# JavaScript, which includes many robots. +RewriteMap urlescape prg:/usr/local/bin/urlescape +RewriteCond %{QUERY_STRING} pathrev=|r1= +RewriteCond %{REQUEST_URI} !/_check +RewriteCond %{HTTP_COOKIE} !session=([^;]+) [novary] +RewriteRule . %{REQUEST_SCHEME}://%{SERVER_NAME}:%{SERVER_PORT}/_check?to=%{REQUEST_URI}?${urlescape:%{QUERY_STRING}} [R=302,L] + +# Block abusive spiders by IP address who don't identify themselves in the +# User-Agent: string +RewriteCond expr "-R '47.76.0.0/14' || -R '47.80.0.0/14' || -R '47.208.0.0/16' || -R '47.238.0.0/16' || -R '8.210.0.0/16' || -R '8.218.0.0/16' || -R '188.239.0.0/18' || -R '166.108.192.0/18' || -R '124.243.160.0/19' || -R '101.46.0.0/20'" +RewriteRule . - [R=403,L] + ErrorDocument 403 "<html><body>Impolite robots are not allowed</body></html>" diff --git a/modules/apache/templates/vhost_redirect.conf b/modules/apache/templates/vhost_redirect.conf index 0f256881..c787311e 100644 
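Review bot: `RewriteMap urlescape prg:/usr/local/bin/urlescape` starts a helper that, per the mod_rewrite documentation, runs as the user that started httpd (normally root) and is fed request query strings, so it should not keep those privileges. On httpd 2.4.29 or later the map takes a user and group argument, e.g. `RewriteMap urlescape prg:/usr/local/bin/urlescape apache:apache`, assuming the `apache` account used elsewhere in these manifests is the right one. Separately, the `RewriteCond %{HTTP_COOKIE} !session=([^;]+)` test only checks that some `session=` value is present, so it is a speed bump for robots rather than an access control, and a comment saying so would prevent later misuse. The `/_check` handler that consumes `to=` is not part of this diff; confirm it only redirects back to a local path on the same host.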
--- a/modules/apache/templates/vhost_redirect.conf +++ b/modules/apache/templates/vhost_redirect.conf @@ -1,2 +1,2 @@ -Redirect / <%= url %> +Redirect / <%= @url %> diff --git a/modules/apache/templates/vhost_reverse_proxy.conf b/modules/apache/templates/vhost_reverse_proxy.conf index 1488c682..4859bda3 100644 --- a/modules/apache/templates/vhost_reverse_proxy.conf +++ b/modules/apache/templates/vhost_reverse_proxy.conf @@ -1,4 +1,4 @@ -<%= content %> +<%= @content %> ProxyRequests Off ProxyPreserveHost On @@ -7,9 +7,9 @@ Order deny,allow Allow from all </Proxy> -<%- if url =~ /^https/ -%> +<%- if @url =~ /^https/ -%> SSLProxyEngine On <%- end -%> - ProxyPass / <%= url %> - ProxyPassReverse / <%= url %> + ProxyPass / <%= @url %> + ProxyPassReverse / <%= @url %> diff --git a/modules/apache/templates/vhost_simple.conf b/modules/apache/templates/vhost_simple.conf index afc443de..77b55287 100644 --- a/modules/apache/templates/vhost_simple.conf +++ b/modules/apache/templates/vhost_simple.conf @@ -1,6 +1,6 @@ <VirtualHost *:80> - ServerName <%= name %> - DocumentRoot <%= location %> + ServerName <%= @name %> + DocumentRoot <%= @location %> <Location /> <IfModule mod_authz_core.c> diff --git a/modules/apache/templates/vhost_ssl.conf b/modules/apache/templates/vhost_ssl.conf index e39e6820..0cb52eca 100644 --- a/modules/apache/templates/vhost_ssl.conf +++ b/modules/apache/templates/vhost_ssl.conf 
@@ -2,12 +2,12 @@ SSLProtocol ALL -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS - <%- if wildcard_sslcert == 'true' then -%> - SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt - SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key - SSLCACertificateFile /etc/ssl/wildcard.<%= domain %>.pem + <%- if @wildcard_sslcert == 'true' then -%> + SSLCertificateFile /etc/ssl/wildcard.<%= @domain %>.crt + SSLCertificateKeyFile /etc/ssl/wildcard.<%= @domain %>.key + SSLCACertificateFile /etc/ssl/wildcard.<%= @domain %>.pem SSLVerifyClient None <%- else -%> - SSLCertificateFile /etc/ssl/apache/<%= real_vhost %>.pem - SSLCertificateKeyFile /etc/ssl/apache/<%= real_vhost %>.pem + SSLCertificateFile /etc/ssl/apache/<%= @real_vhost %>.pem + SSLCertificateKeyFile /etc/ssl/apache/<%= @real_vhost %>.pem <%- end -%> diff --git a/modules/apache/templates/vhost_ssl_redirect.conf b/modules/apache/templates/vhost_ssl_redirect.conf index d13c3093..23a7eabe 100644 --- a/modules/apache/templates/vhost_ssl_redirect.conf +++ b/modules/apache/templates/vhost_ssl_redirect.conf @@ -1 +1 @@ -Redirect / https://<%= name %>/ +Redirect / https://<%= @name %>/ diff --git a/modules/apache/templates/vhost_wsgi.conf b/modules/apache/templates/vhost_wsgi.conf index 34926411..2f1ba585 100644 --- a/modules/apache/templates/vhost_wsgi.conf +++ b/modules/apache/templates/vhost_wsgi.conf @@ -1,3 +1,3 @@ -WSGIScriptAlias / <%= wsgi_path %> +WSGIScriptAlias / <%= @wsgi_path %> diff --git a/modules/auto_installation/manifests/init.pp b/modules/auto_installation/manifests/init.pp index 062f7f4e..642cddfd 100644 --- a/modules/auto_installation/manifests/init.pp +++ b/modules/auto_installation/manifests/init.pp 
@@ -5,7 +5,7 @@ # - others ? ( for testing package ? ) # install a server -# - by name, with a valstart clone +# - by name, with a valstar clone class auto_installation { class variables { @@ -39,7 +39,7 @@ class auto_installation { file { "${pxe_dir}/pxelinux.cfg": ensure => directory, } - # m for menu, there is some limitation on the path lenght so I + # m for menu, there is some limitation on the path length so I # prefer to file { "${pxe_menu_dir}": ensure => directory, @@ -47,7 +47,7 @@ class auto_installation { # TODO make it tag aware $menu_entries = list_exported_ressources('Auto_installation::Pxe_menu_base') - # default file should have exported ressources + # default file should have exported resources file { "${pxe_dir}/pxelinux.cfg/default": ensure => present, content => template('auto_installation/default'), diff --git a/modules/bcd/templates/sudoers.bcd b/modules/bcd/templates/sudoers.bcd index c597fe5c..c462bffd 100644 --- a/modules/bcd/templates/sudoers.bcd +++ b/modules/bcd/templates/sudoers.bcd @@ -7,4 +7,4 @@ /usr/bin/urpmq, \ /bin/rm -%<%= isomakers_group %> ALL=(<%= scope.lookupvar('bcd::login') %>) SETENV: NOPASSWD: ALL +%<%= @isomakers_group %> ALL=(<%= scope.lookupvar('bcd::login') %>) SETENV: NOPASSWD: ALL diff --git a/modules/bcd/templates/vhost_bcd.conf b/modules/bcd/templates/vhost_bcd.conf index 78528e48..c89955e2 100644 --- a/modules/bcd/templates/vhost_bcd.conf +++ b/modules/bcd/templates/vhost_bcd.conf @@ -1,8 +1,8 @@ -<Directory <%= location %>> +<Directory <%= @location %>> AuthUserFile <%= scope.lookupvar('bcd::home') %>/htpasswd AuthGroupFile /dev/null AuthName "QA test isos, restricted access" - ErrorDocument 403 "For the password, please contact the QA team ( https://wiki.<%= domain %>/en/QA_Team )" + ErrorDocument 403 "For the password, please contact the QA team ( https://wiki.<%= @domain %>/en/QA_Team )" AuthType Basic require valid-user 
diff --git a/modules/bind/templates/named_base.conf b/modules/bind/templates/named_base.conf index 941cf196..5adba9f3 100644 --- a/modules/bind/templates/named_base.conf +++ b/modules/bind/templates/named_base.conf @@ -32,9 +32,6 @@ options { version ""; directory "/var/named"; dump-file "/var/tmp/named_dump.db"; -<% if scope.function_versioncmp([lsbdistrelease, '3']) < 0 -%> - pid-file "/var/run/named.pid"; -<% end -%> statistics-file "/var/tmp/named.stats"; zone-statistics yes; // datasize 256M; 
@@ -103,67 +100,31 @@ zone "." IN { zone "localdomain" IN { type master; -<% if scope.function_versioncmp([lsbdistrelease, '3']) >= 0 -%> file "named.localhost"; -<% else -%> - file "master/localdomain.zone"; -<% end -%> allow-update { none; }; }; zone "localhost" IN { type master; -<% if scope.function_versioncmp([lsbdistrelease, '3']) >= 0 -%> file "named.localhost"; -<% else -%> - file "master/localhost.zone"; -<% end -%> allow-update { none; }; }; -<% if scope.function_versioncmp([lsbdistrelease, '3']) >= 0 -%> zone "1.0.0.127.in-addr.arpa" IN { -<% else -%> -zone "0.0.127.in-addr.arpa" IN { -<% end -%> type master; -<% if scope.function_versioncmp([lsbdistrelease, '3']) >= 0 -%> file "named.loopback"; -<% else -%> - file "reverse/named.local"; -<% end -%> allow-update { none; }; }; -<% if scope.function_versioncmp([lsbdistrelease, '3']) >= 0 -%> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { -<% else -%> -zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { -<% end -%> type master; -<% if scope.function_versioncmp([lsbdistrelease, '3']) >= 0 -%> file "named.loopback"; -<% else -%> - file "reverse/named.ip6.local"; -<% end -%> allow-update { none; }; }; -<% if scope.function_versioncmp([lsbdistrelease, '3']) < 0 -%> -zone "255.in-addr.arpa" IN { - type master; - file "reverse/named.broadcast"; - allow-update { none; }; -}; - -<% end -%> zone "0.in-addr.arpa" IN { type master; -<% if scope.function_versioncmp([lsbdistrelease, '3']) >= 0 -%> file "named.empty"; -<% else -%> - file "reverse/named.zero"; -<% end -%> allow-update { none; }; }; diff --git a/modules/blog/manifests/init.pp b/modules/blog/manifests/init.pp index acd4516f..c89a8168 100644 --- a/modules/blog/manifests/init.pp +++ b/modules/blog/manifests/init.pp 
@@ -15,14 +15,16 @@ class blog { } class files_bots inherits base { -if versioncmp($::lsbdistrelease, '7') < 0 { - package { ['php-mysql', +if versioncmp($::lsbdistrelease, '9') < 0 { + package { ['php-mysqlnd', 'php-ldap', - 'unzip']: } + 'unzip', + 'nail']: } } else { package { ['php-mysqlnd', 'php-ldap', - 'unzip']: } + 'unzip', + 's-nail']: } } mga_common::local_script { 'check_new-blog-post.sh': diff --git a/modules/blog/templates/check_new-blog-post.sh b/modules/blog/templates/check_new-blog-post.sh index 50bc082d..f2089a52 100755 --- a/modules/blog/templates/check_new-blog-post.sh +++ b/modules/blog/templates/check_new-blog-post.sh @@ -32,9 +32,9 @@ if [ "$tmp_old" = "$tmp_new" ] tmp_old=$(cat $PATH_TO_FILE"/last_entry" | sed -n '2p') if [ "$tmp_old" != "$tmp_new" ] then - # Modification on lastest post + # Modification on latest post echo "YES - Modification" >> $PATH_TO_FILE"/last_check" - echo -e "The latest blog post has been modified and needs to be checked!\n\nTitle:\t$last_title\nAuthor:\t$last_creator\n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -r '<%= blog_newpost_email_from %>' -s "Modification of the lastest entry on English Blog" <%= blog_newpost_email_to %> + echo -e "The latest blog post has been modified and needs to be checked!\n\nTitle:\t$last_title\nAuthor:\t$last_creator\n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -r '<%= blog_newpost_email_from %>' -s "Modification of the latest entry on English Blog" <%= blog_newpost_email_to %> echo $DATE else echo "NO" >> $PATH_TO_FILE"/last_check" diff --git a/modules/bugzilla/manifests/init.pp b/modules/bugzilla/manifests/init.pp index c03b1a6a..e66ddf0e 100755 --- a/modules/bugzilla/manifests/init.pp +++ b/modules/bugzilla/manifests/init.pp 
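Review bot: The edited mail line in `check_new-blog-post.sh` still uses `<%= blog_newpost_email_from %>` and `<%= blog_newpost_email_to %>` without the `@` prefix that the rest of this commit adds to template variables. Bare variable access in ERB was deprecated and later removed in newer Puppet versions, so this template would presumably stop rendering after an upgrade; use `<%= @blog_newpost_email_from %>` and `<%= @blog_newpost_email_to %>`. The same leftover is in the `sudoers.draklive` hunk, where `%<%= isomakers_group %>` stays bare on the line that switches to `@login`; it should read `%<%= @isomakers_group %>`, as the `sudoers.bcd` hunk already does. Both suggestions assume the variables are set in the class that renders each template, which is not visible here.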
@@ -83,7 +83,8 @@ class bugzilla { require => Git::Snapshot[$bugzilla_location], } - file { "$bugzilla_location/data": + file { ["$bugzilla_location/data", + "$bugzilla_location/data/mining"]: ensure => directory, owner => 'apache', group => 'apache', @@ -99,8 +100,7 @@ class bugzilla { file { "$bugzilla_location/robots.txt": group => 'apache', - mode => '0640', - content => template('bugzilla/robots.txt') + mode => '0640' } file { "$bugzilla_location/data/bugzilla-update.xml": @@ -109,7 +109,6 @@ class bugzilla { mode => '0640' } - file { [ "$bugzilla_location/admin.cgi", "$bugzilla_location/attachment.cgi", @@ -179,12 +178,13 @@ class bugzilla { mode => '0750', } - cron { 'collectstats': - command => "cd $bugzilla_location && ./collectstats.pl", - user => 'apache', - hour => 2, - minute => 30, - } +# Improper file permissions makes this fail, and nobody seems to care +# cron { 'collectstats': +# command => "cd $bugzilla_location && ./collectstats.pl", +# user => 'apache', +# hour => 2, +# minute => 30, +# } cron { 'clean-bug-user-last-visit': command => "cd $bugzilla_location && ./clean-bug-user-last-visit.pl", diff --git a/modules/bugzilla/templates/robots.txt b/modules/bugzilla/templates/robots.txt deleted file mode 100644 index 50eeb279..00000000 --- a/modules/bugzilla/templates/robots.txt +++ /dev/null @@ -1,9 +0,0 @@ -User-agent: * -Disallow: / -Allow: /*index.cgi -Allow: /*page.cgi -Allow: /*show_bug.cgi -Allow: /*describecomponents.cgi -Disallow: /*show_bug.cgi*ctype=* -Disallow: /*show_bug.cgi*format=multiple* -Disallow: /*page.cgi*id=voting* diff --git a/modules/buildsystem/manifests/binrepo.pp b/modules/buildsystem/manifests/binrepo.pp index f2f529c0..5bf16b53 100644 --- a/modules/buildsystem/manifests/binrepo.pp +++ b/modules/buildsystem/manifests/binrepo.pp 
@@ -3,10 +3,16 @@ class buildsystem::binrepo { include buildsystem::var::groups include sudo - # upload-bin script use the mailx command provided by nail + # upload-bin script uses the mailx command provided by nail +if versioncmp($::lsbdistrelease, '9') < 0 { package { 'nail': ensure => installed, } +} else { + package { 's-nail': + ensure => installed, + } +} user { $buildsystem::var::binrepo::login: home => $buildsystem::var::binrepo::homedir, diff --git a/modules/buildsystem/manifests/iurt/config.pp b/modules/buildsystem/manifests/iurt/config.pp index 3334df76..b8be373e 100644 --- a/modules/buildsystem/manifests/iurt/config.pp +++ b/modules/buildsystem/manifests/iurt/config.pp @@ -20,8 +20,9 @@ define buildsystem::iurt::config() { 'java-latest-openjdk' => 172800, 'kernel' => 115200, 'libreoffice' => 432000, - 'llvm' => 57600, - 'llvm17-suite' => 60000, + 'llvm' => 115200, + 'llvm17-suite' => 115200, + 'llvm19-suite' => 115200, 'openfoam' => 115200, 'paraview' => 115200, 'qgis' => 57600, diff --git a/modules/buildsystem/manifests/mgarepo.pp b/modules/buildsystem/manifests/mgarepo.pp index 2b314d3d..14e11e1a 100644 --- a/modules/buildsystem/manifests/mgarepo.pp +++ b/modules/buildsystem/manifests/mgarepo.pp @@ -27,7 +27,7 @@ class buildsystem::mgarepo { require => File["${sched_home_dir}/repsys"], } - # FIXME: disabled temporarly as upload dir is a symlink to /var/lib/repsys/uploads + # FIXME: disabled temporarily as upload dir is a symlink to /var/lib/repsys/uploads #file { "${sched_home_dir}/uploads": # ensure => "directory", # owner => $sched_login, diff --git a/modules/buildsystem/manifests/scheduler.pp b/modules/buildsystem/manifests/scheduler.pp index 7c186a19..53b248fc 100644 --- a/modules/buildsystem/manifests/scheduler.pp +++ b/modules/buildsystem/manifests/scheduler.pp 
@@ -1,5 +1,5 @@ class buildsystem::scheduler { - # until ulri is splitted from main iurt rpm + # until ulri is split from main iurt rpm include buildsystem::iurt::packages include buildsystem::iurt::upload include buildsystem::var::scheduler diff --git a/modules/buildsystem/manifests/var/distros.pp b/modules/buildsystem/manifests/var/distros.pp index 0299c87c..9e45e2c2 100644 --- a/modules/buildsystem/manifests/var/distros.pp +++ b/modules/buildsystem/manifests/var/distros.pp @@ -5,7 +5,7 @@ # list of IP or domains allowed to access the repository. If you don't want to # filter allowed IPs, don't those values. # $distros: -# a hash variable containing distributions informations indexed by +# a hash variable containing distributions information indexed by # distribution name. Each distribution is itself an hash containing # the following infos: # { diff --git a/modules/buildsystem/manifests/var/youri.pp b/modules/buildsystem/manifests/var/youri.pp index fa8a3a1d..f20b6c7b 100644 --- a/modules/buildsystem/manifests/var/youri.pp +++ b/modules/buildsystem/manifests/var/youri.pp @@ -1,7 +1,7 @@ -# The youri configuration files are created using informations from 3 +# The youri configuration files are created using information from 3 # different hash variables : # - the $youri_conf_default variable defined in this class, containing -# the default configuration for youri. It contais the repository +# the default configuration for youri. It contains the repository # configuration, and the definitions of the checks, actions and posts. # - the $youri_conf parameter passed to this class. The values defined # in this hash override the values defined in the default configuration. @@ -17,7 +17,7 @@ # # Parameters : # $tmpl_youri_upload_conf: -# template file for youri submi-upload.conf +# template file for youri submit-upload.conf # $tmpl_youri_todo_conf: # template file for youri submit-todo.conf # $packages_archivedir: 
diff --git a/modules/buildsystem/templates/cleaner.rb b/modules/buildsystem/templates/cleaner.rb index 78bd64c3..fa0d08ca 100755 --- a/modules/buildsystem/templates/cleaner.rb +++ b/modules/buildsystem/templates/cleaner.rb @@ -120,7 +120,7 @@ def take_upload_lock(path) until has_lock while File.exists?(path) if Time.new - start_time > 2*3600.0 - puts "Could not aquire upload lock for more than 2h, giving up" + puts "Could not acquire upload lock for more than 2h, giving up" end sleep(5) end diff --git a/modules/buildsystem/templates/maintdb/sudoers.maintdb b/modules/buildsystem/templates/maintdb/sudoers.maintdb index c4bef4cb..91c88e47 100644 --- a/modules/buildsystem/templates/maintdb/sudoers.maintdb +++ b/modules/buildsystem/templates/maintdb/sudoers.maintdb 
@@ -1,2 +1,4 @@ -%<%= scope.lookupvar('buildsystem::var::groups::packagers') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> -<%= scope.lookupvar('buildsystem::var::scheduler::login') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> +%<%= scope.lookupvar('buildsystem::var::groups::packagers') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* get +%<%= scope.lookupvar('buildsystem::var::groups::packagers') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* [gs]et [a-zA-Z0-9]* +%<%= scope.lookupvar('buildsystem::var::groups::packagers') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* set [a-zA-Z0-9]* [a-z]* +<%= scope.lookupvar('buildsystem::var::scheduler::login') %> ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* new [a-zA-Z0-9]* [a-z]* diff --git a/modules/buildsystem/templates/maintdb/wrapper.maintdb b/modules/buildsystem/templates/maintdb/wrapper.maintdb index 2adddd1e..fcf69dab 100644 --- a/modules/buildsystem/templates/maintdb/wrapper.maintdb +++ b/modules/buildsystem/templates/maintdb/wrapper.maintdb @@ -22,5 +22,4 @@ then exit 1 fi -sudo -u "$maintdbuser" "$maintdbpath" $(whoami) $@ - +sudo -u "$maintdbuser" "$maintdbpath" $(whoami) "$@" diff --git a/modules/catdap/templates/catdap_local.yml b/modules/catdap/templates/catdap_local.yml index b23ee46c..d982b40b 100644 --- a/modules/catdap/templates/catdap_local.yml +++ b/modules/catdap/templates/catdap_local.yml 
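Review bot: The argument patterns on the four new `sudoers.maintdb` lines are shell-style globs matched against the whole argument string, not per-argument regular expressions, so `[a-z]*` means one lowercase letter followed by anything, and sudoers(5) notes that `*` also matches across spaces. The rules are therefore looser than they read: they do not fix the number of arguments or hold later arguments to the listed character classes. The first argument, which the wrapper fills in with `$(whoami)`, is also still chosen by anyone who calls sudo directly. If the installed sudo supports regular-expression arguments (added in 1.9.10), anchored patterns such as `^[a-z]+ get$` would express the intent. Otherwise the maintdb program itself needs to validate its arguments and take the caller from `SUDO_USER` rather than from argv.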
@@ -6,15 +6,15 @@ ldap_account = "cn=catdap-#{hostname},ou=System Accounts,#{dc_suffix}" organisation: Mageia apptitle: Mageia Identity Management -emailfrom: noreply@<%= domain %> +emailfrom: noreply@<%= @domain %> Model::Proxy: - base: ou=People,<%= dc_suffix %> + base: ou=People,<%= @dc_suffix %> dn: <%= ldap_account %> password: <%= scope.lookupvar("catdap::ldap_password") %> Model::User: - base: <%= dc_suffix %> + base: <%= @dc_suffix %> host: <%= ldap_server %> start_tls: 1 @@ -26,8 +26,8 @@ authentication: ldap_server: <%= ldap_server %> binddn: <%= ldap_account %> bindpw: <%= scope.lookupvar("catdap::ldap_password") %> - user_basedn: ou=People,<%= dc_suffix %> - role_basedn: <%= dc_suffix %> + user_basedn: ou=People,<%= @dc_suffix %> + role_basedn: <%= @dc_suffix %> register: login_regex: ^[a-z][a-z0-9]*$ diff --git a/modules/cgit/templates/cgitrc b/modules/cgit/templates/cgitrc index d063e4f6..1e1a399c 100644 --- a/modules/cgit/templates/cgitrc +++ b/modules/cgit/templates/cgitrc @@ -85,7 +85,7 @@ mimetype.png=image/png mimetype.svg=image/svg+xml -# Highlight source code with python pygments-based highligher +# Highlight source code with python pygments-based highlighter source-filter=/usr/libexec/cgit/filters/syntax-highlighting.sh # Format markdown, restructuredtext, manpages, text files, and html files @@ -108,7 +108,7 @@ readme=:INSTALL.html readme=:INSTALL.txt readme=:INSTALL -# Special Case mainly for initscrpipts git repo where we cannot write to master +# Special Case mainly for initscripts git repo where we cannot write to master readme=distro/mga:README.md ## diff --git a/modules/cgit/templates/vhost.conf b/modules/cgit/templates/vhost.conf index d2385084..5c1d99e7 100644 --- a/modules/cgit/templates/vhost.conf +++ b/modules/cgit/templates/vhost.conf @@ -1,4 +1,5 @@ Alias /cgit-data /usr/share/cgit +Alias /robots.txt /usr/share/cgit/robots.txt ScriptAliasMatch ^(.*) /var/www/cgi-bin/cgit$1 <Directory /usr/share/cgit> 
diff --git a/modules/dashboard/templates/make_report b/modules/dashboard/templates/make_report index 25c2f316..5da59617 100644 --- a/modules/dashboard/templates/make_report +++ b/modules/dashboard/templates/make_report @@ -1,7 +1,7 @@ #!/bin/sh -dashboard_dir='<%= dashboard_dir %>' -dashboard_wwwdir='<%= dashboard_wwwdir %>' +dashboard_dir='<%= @dashboard_dir %>' +dashboard_wwwdir='<%= @dashboard_wwwdir %>' cd "$dashboard_dir" /usr/bin/php ./make_report.php > "$dashboard_wwwdir/index.html" diff --git a/modules/django_application/manifests/init.pp b/modules/django_application/manifests/init.pp index 2f209a54..f56f73ef 100644 --- a/modules/django_application/manifests/init.pp +++ b/modules/django_application/manifests/init.pp @@ -1,5 +1,5 @@ # this class hold the common stuff for all django applications -# as we cannot declare the same ressource twice ( ie, +# as we cannot declare the same resource twice ( ie, # python-psycopg2 for example ) # it is required to place this in a common class class django_application { diff --git a/modules/draklive/templates/sudoers.draklive b/modules/draklive/templates/sudoers.draklive index 25cea69e..536e4e9f 100644 --- a/modules/draklive/templates/sudoers.draklive +++ b/modules/draklive/templates/sudoers.draklive @@ -1,3 +1,3 @@ -<%= login %> ALL=(root) NOPASSWD: /usr/sbin/draklive -<%= login %> ALL=(root) NOPASSWD: /usr/bin/draklive2 -%<%= isomakers_group %> ALL=(<%= login %>) SETENV: NOPASSWD: ALL +<%= @login %> ALL=(root) NOPASSWD: /usr/sbin/draklive +<%= @login %> ALL=(root) NOPASSWD: /usr/bin/draklive2 +%<%= isomakers_group %> ALL=(<%= @login %>) SETENV: NOPASSWD: ALL diff --git a/modules/git/manifests/snapshot.pp b/modules/git/manifests/snapshot.pp index 1156928e..06473efe 100644 --- a/modules/git/manifests/snapshot.pp +++ b/modules/git/manifests/snapshot.pp 
@@ -6,7 +6,7 @@ define git::snapshot( $source, #TODO # should handle branch -> clone -n + branch + checkout # create a script - # Idealy, should be handled by vcsrepo + # Ideally, should be handled by vcsrepo # https://github.com/bruce/puppet-vcsrepo # once it is merged in puppet exec { "/usr/bin/git clone -b ${branch} ${source} ${name}": diff --git a/modules/git/templates/xinetd b/modules/git/templates/xinetd index 2cbf78e3..654ae2be 100644 --- a/modules/git/templates/xinetd +++ b/modules/git/templates/xinetd @@ -4,10 +4,10 @@ service git type = UNLISTED port = 9418 socket_type = stream - server = <%= lib_dir %>/git-core/git-daemon + server = <%= @lib_dir %>/git-core/git-daemon wait = no user = nobody - server_args = --inetd --verbose --export-all --base-path=<%= git_base_path %> + server_args = --inetd --verbose --export-all --base-path=<%= @git_base_path %> log_on_failure += HOST flags = IPv6 } diff --git a/modules/gitmirror/files/on-the-pull b/modules/gitmirror/files/on-the-pull index ec2f979b..416b75a4 100755 --- a/modules/gitmirror/files/on-the-pull +++ b/modules/gitmirror/files/on-the-pull @@ -176,7 +176,7 @@ class GitUpdater(Thread): raise Exception(f"Clone folder '{clonefolder}' appears to be a file :s") if changed and self.cmd: - # Udate the info/web/last-modified file as used by cgit + # Update the info/web/last-modified file as used by cgit os.chdir(clonefolder) command = [self.cmd, repo] if treeish: 
@@ -320,7 +320,7 @@ e.g. curl --header 'Content-Type: x-git/repo' --data 'my/repo/name' http://local help="The branch to track on clone. If you pass '--mirror' (the default) as the branch name we will clone as a bare mirror") parser.add_option("-c", "--cmd", type="string", dest="cmd", default="", - help="Third party command to exectue after updates. It will execute in the " + help="Third party command to execute after updates. It will execute in the " "folder of the repo and if we're not in mirror mode, a treeish will be " "passed as the only argument containing the refs that changed otherwise " "the command will be run without any arguments") diff --git a/modules/gnupg/templates/batch b/modules/gnupg/templates/batch index f4be84d9..d55bdd52 100644 --- a/modules/gnupg/templates/batch +++ b/modules/gnupg/templates/batch @@ -1,8 +1,8 @@ %echo Generating a standard key -Key-Type: <%= key_type %> -Key-Length: <%= key_length %> -Name-Real: <%= key_name %> -Name-Email: <%= email %> -Expire-Date: <%= expire_date %> +Key-Type: <%= @key_type %> +Key-Length: <%= @key_length %> +Name-Real: <%= @key_name %> +Name-Email: <%= @email %> +Expire-Date: <%= @expire_date %> %commit %echo done diff --git a/modules/icecream/templates/sysconfig b/modules/icecream/templates/sysconfig index a3ae80c8..8a5bc92c 100644 --- a/modules/icecream/templates/sysconfig +++ b/modules/icecream/templates/sysconfig @@ -12,7 +12,7 @@ ICECREAM_NICE_LEVEL="5" # ## Type: string ## Path: Applications/icecream -## Defaut: /var/log/iceccd +## Default: /var/log/iceccd # # icecream daemon log file # @@ -21,7 +21,7 @@ ICECREAM_LOG_FILE="/var/log/icecream.log" # ## Type: string ## Path: Applications/icecream -## Defaut: no +## Default: no # # Start also the scheduler? # @@ -30,7 +30,7 @@ ICECREAM_RUN_SCHEDULER="no" # ## Type: string ## Path: Applications/icecream -## Defaut: /var/log/icecc_scheduler +## Default: /var/log/icecc_scheduler # # icecream scheduler log file # 
@@ -39,7 +39,7 @@ ICECREAM_SCHEDULER_LOG_FILE="/var/log/scheduler.log" # ## Type: string ## Path: Applications/icecream -## Defaut: "" +## Default: "" # # Identification for the network the scheduler and daemon run on. # You can have several distinct icecream networks in the same LAN @@ -50,17 +50,17 @@ ICECREAM_NETNAME="" # ## Type: string ## Path: Applications/icecream -## Defaut: "" +## Default: "" # # If the daemon can't find the scheduler by broadcast (e.g. because # of a firewall) you can specify it. # -ICECREAM_SCHEDULER_HOST="<%= host %>" +ICECREAM_SCHEDULER_HOST="<%= @host %>" # ## Type: string ## Path: Applications/icecream -## Defaut: "" +## Default: "" ## Type: integer # # You can overwrite here the number of jobs to run in parallel. Per diff --git a/modules/ii/manifests/init.pp b/modules/ii/manifests/init.pp index 9f58b785..2947c75d 100644 --- a/modules/ii/manifests/init.pp +++ b/modules/ii/manifests/init.pp @@ -15,7 +15,7 @@ class ii { $nick = $name include ii::base - # a custom wrappper is needed since ii do not fork in the + # a custom wrapper is needed since ii does not fork in the # background, and bash is not able to properly do it mga_common::local_script { "ii_${nick}": content => template('ii/ii_wrapper.pl'), diff --git a/modules/ii/templates/ii_wrapper.pl b/modules/ii/templates/ii_wrapper.pl index 5e5cc65e..68128314 100644 --- a/modules/ii/templates/ii_wrapper.pl +++ b/modules/ii/templates/ii_wrapper.pl @@ -3,8 +3,8 @@ use warnings; use strict; use POSIX; use Proc::Daemon; -my $nick = "<%= nick %>"; -my $server = "<%= server %>"; +my $nick = "<%= @nick %>"; +my $server = "<%= @server %>"; Proc::Daemon::Init(); diff --git a/modules/libvirtd/templates/50-template-libvirt-remote-access.pkla b/modules/libvirtd/templates/50-template-libvirt-remote-access.pkla index 201e89a0..8806e3cb 100644 --- a/modules/libvirtd/templates/50-template-libvirt-remote-access.pkla +++ b/modules/libvirtd/templates/50-template-libvirt-remote-access.pkla 
@@ -1,5 +1,5 @@ [Remote libvirt SSH access] -Identity=unix-user:root;unix-group:<%= name %> +Identity=unix-user:root;unix-group:<%= @name %> Action=org.libvirt.unix.manage ResultAny=yes ResultInactive=yes diff --git a/modules/mediawiki/files/robots.txt b/modules/mediawiki/files/robots.txt new file mode 100644 index 00000000..a58c6199 --- /dev/null +++ b/modules/mediawiki/files/robots.txt @@ -0,0 +1,4 @@ +User-agent: * +Disallow: /mw-*/index.php? +Disallow: /*/Special: +Crawl-delay: 30 diff --git a/modules/mediawiki/manifests/base.pp b/modules/mediawiki/manifests/base.pp index 2685d2b3..76c8625b 100644 --- a/modules/mediawiki/manifests/base.pp +++ b/modules/mediawiki/manifests/base.pp @@ -9,6 +9,16 @@ class mediawiki::base { ensure => directory, } + $wiki_root = $mediawiki::config::root + $robotsfile = "$wiki_root/robots.txt" + file { $robotsfile: + ensure => present, + mode => '0644', + owner => root, + group => root, + source => 'puppet:///modules/mediawiki/robots.txt', + } + # file { '/usr/local/bin/init_wiki.php': # mode => '0755', # source => 'puppet:///modules/mediawiki/init_wiki.php', diff --git a/modules/mediawiki/templates/LocalSettings.php b/modules/mediawiki/templates/LocalSettings.php index 39e749f6..c340dfd9 100644 --- a/modules/mediawiki/templates/LocalSettings.php +++ b/modules/mediawiki/templates/LocalSettings.php @@ -24,7 +24,7 @@ set_include_path( implode( PATH_SEPARATOR, $path ) . PATH_SEPARATOR . get_includ ## Uncomment this to disable output compression # $wgDisableOutputCompression = true; -$wgSitename = "<%= title %>"; +$wgSitename = "<%= @title %>"; # $wgMetaNamespace = ""; # Defaults to $wgSitename ## The URL base path to the directory containing the wiki; 
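Review bot: In the mediawiki::base hunk, `$robotsfile = "$wiki_root/robots.txt"` interpolates an unbraced variable, and the new resource uses `ensure => present`, which does not insist that the path is a regular file. I would write `$robotsfile = "${wiki_root}/robots.txt"` and `ensure => file`, in line with the braced interpolation used in the other manifests of this commit. The resource declares no dependency on the directory resource just above it; if that directory is `$wiki_root`, Puppet will autorequire it, but the hunk does not show this. The robots.txt it ships only asks crawlers to skip `Special:` and `index.php?` URLs and is not an access control, so a short comment saying so would help.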
@@ -32,7 +32,7 @@ $wgSitename = "<%= title %>"; ## For more information on customizing the URLs ## (like /w/index.php/Page_title to /wiki/Page_title) please see: ## https://www.mediawiki.org/wiki/Manual:Short_URL -$wgScriptPath = "/<%= path %>"; +$wgScriptPath = "/<%= @path %>"; ## The protocol and server name to use in fully-qualified URLs $wgServer = "https://wiki.mageia.org"; @@ -52,8 +52,8 @@ $wgLogo = "$wgStylePath/common/images/wiki_mga.png"; $wgEnableEmail = true; $wgEnableUserEmail = true; # UPO -$wgEmergencyContact = "root@<%= domain %>"; -$wgPasswordSender = "wiki_noreply@ml.<%= domain %>"; +$wgEmergencyContact = "root@<%= @domain %>"; +$wgPasswordSender = "wiki_noreply@ml.<%= @domain %>"; $wgEnotifUserTalk = true; # UPO $wgEnotifWatchlist = true; # UPO @@ -61,10 +61,10 @@ $wgEmailAuthentication = true; ## Database settings $wgDBtype = "postgres"; -$wgDBserver = "pg.<%= domain %>"; -$wgDBname = "<%= db_name %>"; -$wgDBuser = "<%= db_user %>"; -$wgDBpassword = "<%= db_password %>"; +$wgDBserver = "pg.<%= @domain %>"; +$wgDBname = "<%= @db_name %>"; +$wgDBuser = "<%= @db_user %>"; +$wgDBpassword = "<%= @db_password %>"; # Postgres specific settings $wgDBport = "5432"; 
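Review bot: `$wgDBpassword = "<%= @db_password %>";` in the database-settings hunk still writes the secret unescaped into a double-quoted PHP string, so a password containing `"`, `\` or `$` would be reinterpreted by PHP or break the generated LocalSettings.php. The same applies to `$wgSecretKey` in the following hunk and, with single quotes, to `$wgLDAPProxyAgentPassword` in the LDAP hunk. Since these lines are being touched anyway, I would switch to a single-quoted literal and escape in the template, e.g. `$wgDBpassword = '<%= @db_password.gsub(/['\\]/) { |c| "\\#{c}" } %>';`. The rendered file holds three credentials, so the manifest that deploys it (not visible here) should restrict its owner and mode to what the web server needs.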
@@ -93,26 +93,26 @@ $wgShellLocale = "en_US.UTF-8"; ## Set $wgCacheDirectory to a writable directory on the web server ## to make your wiki go slightly faster. The directory should not -## be publically accessible from the web. +## be publicly accessible from the web. # This seems actually mandatory to get the Vector skin to work properly # https://serverfault.com/a/744059 # FIXME: Dehardcode that path (maybe via ${wiki_root} if exposed?) -$wgCacheDirectory = "/srv/wiki/<%= path %>/cache"; +$wgCacheDirectory = "/srv/wiki/<%= @path %>/cache"; -$wgUploadDirectory = "/srv/wiki/<%= path %>/images"; +$wgUploadDirectory = "/srv/wiki/<%= @path %>/images"; # This seems mandatory to get the Vector skin to work properly # https://phabricator.wikimedia.org/T119934 # FIXME: Dehardcode that path (maybe via ${wiki_root} if exposed?) -$wgTmpDirectory = "/srv/wiki/<%= path %>/tmp"; +$wgTmpDirectory = "/srv/wiki/<%= @path %>/tmp"; # Array of interwiki prefixes for current wiki. $wgLocalInterwikis = array( strtolower( $wgSitename ) ); # Site language code, should be one of the list in ./languages/data/Names.php -$wgLanguageCode = "<%= lang %>"; +$wgLanguageCode = "<%= @lang %>"; -$wgSecretKey = "<%= secret_key %>"; +$wgSecretKey = "<%= @secret_key %>"; # Changing this will log out all existing sessions. $wgAuthenticationTokenVersion = "1"; 
@@ -180,19 +180,19 @@ $wgLDAPUseLocal = false; $wgLDAPDomainNames = array( 'ldap' ); # TODO make it workable with more than one server -$wgLDAPServerNames = array( 'ldap' => 'ldap.<%= domain %>' ); +$wgLDAPServerNames = array( 'ldap' => 'ldap.<%= @domain %>' ); -$wgLDAPSearchStrings = array( 'ldap' => 'uid=USER-NAME,ou=People,<%= dc_suffix %>' ); +$wgLDAPSearchStrings = array( 'ldap' => 'uid=USER-NAME,ou=People,<%= @dc_suffix %>' ); $wgLDAPEncryptionType = array( 'ldap' => 'tls' ); -$wgLDAPBaseDNs = array( 'ldap' => '<%= dc_suffix %>' ); -$wgLDAPUserBaseDNs = array( 'ldap' => 'ou=People,<%= dc_suffix %>' ); -$wgLDAPGroupBaseDNs = array ( 'ldap' => 'ou=Group,<%= dc_suffix %>' ); +$wgLDAPBaseDNs = array( 'ldap' => '<%= @dc_suffix %>' ); +$wgLDAPUserBaseDNs = array( 'ldap' => 'ou=People,<%= @dc_suffix %>' ); +$wgLDAPGroupBaseDNs = array ( 'ldap' => 'ou=Group,<%= @dc_suffix %>' ); -$wgLDAPProxyAgent = array( 'ldap' => 'cn=mediawiki-alamut,ou=System Accounts,<%= dc_suffix %>' ); +$wgLDAPProxyAgent = array( 'ldap' => 'cn=mediawiki-alamut,ou=System Accounts,<%= @dc_suffix %>' ); -$wgLDAPProxyAgentPassword = array( 'ldap' => '<%= ldap_password %>' ); +$wgLDAPProxyAgentPassword = array( 'ldap' => '<%= @ldap_password %>' ); $wgLDAPUseLDAPGroups = array( 'ldap' => true ); $wgLDAPGroupNameAttribute = array( 'ldap' => 'cn' ); @@ -205,4 +205,4 @@ $wgLDAPLowerCaseUsername = array( 'ldap' => true ); $wgLDAPPreferences = array( 'ldap' => array( 'email'=>'mail','realname'=>'cn','nickname'=>'uid','language'=>'preferredlanguage') ); -<%= wiki_settings %> +<%= @wiki_settings %> diff --git a/modules/mediawiki/templates/wiki_vhost.conf b/modules/mediawiki/templates/wiki_vhost.conf index 3fe038c3..1ae3492d 100644 --- a/modules/mediawiki/templates/wiki_vhost.conf +++ b/modules/mediawiki/templates/wiki_vhost.conf 
@@ -1,9 +1,9 @@ # heavily used by the wiki farm stuff -<Directory <%= root %>> +<Directory <%= @root %>> Options +FollowSymLinks </Directory> -<Directory <%= root %>/images> +<Directory <%= @root %>/images> SetHandler default-handler </Directory> diff --git a/modules/mga-mirrors/files/check_mirrors_status b/modules/mga-mirrors/files/check_mirrors_status index 11145e0e..9c00ac8d 100755 --- a/modules/mga-mirrors/files/check_mirrors_status +++ b/modules/mga-mirrors/files/check_mirrors_status @@ -71,8 +71,8 @@ def fetch_url(url, redirect_limit = 3) else uri = URI.parse(url) http = Net::HTTP.new(uri.host, uri.port) - http.open_timeout = 9 - http.read_timeout = 9 + http.open_timeout = 30 + http.read_timeout = 30 if uri.scheme == 'https' then http.use_ssl = true end @@ -140,7 +140,7 @@ def format_age(ref_time, time) end def print_output(archs_per_distro, mirrors, ref_times, times) - puts "<html><head><title>Mageia Mirror Status #{Time.now.strftime("%F")}</title> + puts "<html><head><title>Mageia Mirror Status #{Time.now.utc.strftime("%F")}</title> <link rel=\"icon\" type=\"image/png\" href=\"//www.mageia.org/g/favicon.png\"> <style> td.broken {background-color:#FF0033;} @@ -158,7 +158,7 @@ th {background-color:#EEEEEE;} </style> </head> <body>" - puts "Last checked on #{Time.now.strftime("%F %R %Z")}<br/>" + puts "Last checked on #{Time.now.utc.strftime("%F %R %Z")}<br/>" puts "<table class='legend'><tr><td class='ok'>Up to date</td><td class='almost'>Less than 12h old</td><td class='bad'>Less than 2 days old</td><td class='broken'>Old or broken</td></tr></table>" puts "<table><thead>" puts "<tr><td/>" @@ -210,8 +210,7 @@ end ref = 'http://repository.mageia.org/' archs_per_distro = { 'cauldron' => ['i686', 'x86_64', 'armv7hl', 'aarch64'], - '9' => ['i586', 'x86_64', 'armv7hl', 'aarch64'], - '8' => ['i586', 'x86_64', 'armv7hl', 'aarch64'] + '9' => ['i586', 'x86_64', 'armv7hl', 'aarch64'] } parallel = 8 
diff --git a/modules/mga-mirrors/templates/mga-mirrors.ini b/modules/mga-mirrors/templates/mga-mirrors.ini index b0703f28..b438edd1 100644 --- a/modules/mga-mirrors/templates/mga-mirrors.ini +++ b/modules/mga-mirrors/templates/mga-mirrors.ini @@ -1,4 +1,4 @@ [db] -pgconn=host=pg.<%= domain %>;dbname=mirrors +pgconn=host=pg.<%= @domain %>;dbname=mirrors user=mirrors -password=<%= pgsql_password %> +password=<%= @pgsql_password %> diff --git a/modules/mgasoft/templates/mgasoft.conf b/modules/mgasoft/templates/mgasoft.conf index eaf6e416..81cce013 100644 --- a/modules/mgasoft/templates/mgasoft.conf +++ b/modules/mgasoft/templates/mgasoft.conf @@ -1,5 +1,5 @@ svn_soft=svn+ssh://svn.mageia.org/svn/soft -anonsvn_soft=<%= anonsvn_soft %> -svn_soft_publish=<%= svn_soft_publish %> -pubinfodir=<%= pubinfodir %> -pubmirrordir=<%= pubmirrordir %> +anonsvn_soft=<%= @anonsvn_soft %> +svn_soft_publish=<%= @svn_soft_publish %> +pubinfodir=<%= @pubinfodir %> +pubmirrordir=<%= @pubmirrordir %> diff --git a/modules/mirror/templates/mirrordir b/modules/mirror/templates/mirrordir index b8bf9fb6..9cf09650 100644 --- a/modules/mirror/templates/mirrordir +++ b/modules/mirror/templates/mirrordir @@ -1,9 +1,9 @@ #!/bin/sh -remoteurl="<%= remoteurl%>" -localdir="<%= localdir %>" -rsync_options="<%= rsync_options %>" -lockfile="<%= lockfile %>" +remoteurl="<%= @remoteurl%>" +localdir="<%= @localdir %>" +rsync_options="<%= @rsync_options %>" +lockfile="<%= @lockfile %>" if [ -f "$lockfile" ]; then # show error message when run from command line diff --git a/modules/mirror/templates/update_timestamp b/modules/mirror/templates/update_timestamp index a037d10d..1f7711c6 100644 --- a/modules/mirror/templates/update_timestamp +++ b/modules/mirror/templates/update_timestamp @@ -2,4 +2,4 @@ # $id$ -date +%s%n%c > /distrib/mirror/mageia_timestamp +LC_ALL=C.UTF-8 date -u '+%s%n%c %Z' > /distrib/mirror/mageia_timestamp 
diff --git a/modules/mirrorbrain/templates/mirrorbrain.conf b/modules/mirrorbrain/templates/mirrorbrain.conf index 9f7002d1..94bef340 100644 --- a/modules/mirrorbrain/templates/mirrorbrain.conf +++ b/modules/mirrorbrain/templates/mirrorbrain.conf @@ -3,9 +3,9 @@ instances = main [main] dbuser = mirrorbrain -dbpass = <%= mb_pgsql_pw %> +dbpass = <%= @mb_pgsql_pw %> dbdriver = postgresql -dbhost = pgsql.<%= domain %> +dbhost = pgsql.<%= @domain %> # optional: dbport = ... dbname = mirrorbrain diff --git a/modules/ntp/manifests/init.pp b/modules/ntp/manifests/init.pp index a647925f..f75310e7 100644 --- a/modules/ntp/manifests/init.pp +++ b/modules/ntp/manifests/init.pp @@ -1,12 +1,17 @@ class ntp { - package { 'ntp': } +if versioncmp($::lsbdistrelease, '9') < 0 { + $ntppkg = 'ntp' +} else { + $ntppkg = 'ntpsec' +} + package { $ntppkg: } service { 'ntpd': - subscribe => [Package['ntp'], File['/etc/ntp.conf']], + subscribe => [Package[$ntppkg], File['/etc/ntp.conf']], } file { '/etc/ntp.conf': - require => Package['ntp'], + require => Package[$ntppkg], content => template('ntp/ntp.conf'), } } diff --git a/modules/opendkim/Gemfile b/modules/opendkim/Gemfile new file mode 100644 index 00000000..68ba397d --- /dev/null +++ b/modules/opendkim/Gemfile @@ -0,0 +1,19 @@ +source 'https://rubygems.org' + +puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 3.3'] +gem 'puppet', puppetversion +gem 'puppetlabs_spec_helper', '>= 0.1.0' +gem 'facter', '>= 1.7.0' + +gem 'puppet-lint', '>= 0.3.2' +gem 'rspec-puppet' +gem "metadata-json-lint" +gem 'beaker-rspec' +gem "travis" +gem "travis-lint" +gem "puppet-blacksmith" +gem "guard-rake" + +gem 'test-kitchen', '>= 1.4.0' +gem 'kitchen-docker', '>= 2.1.0' +gem 'kitchen-puppet', '>= 0.0.27' diff --git a/modules/opendkim/LICENSE b/modules/opendkim/LICENSE new file mode 100644 index 00000000..8f71f43f --- /dev/null +++ b/modules/opendkim/LICENSE 
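Review bot: The new `versioncmp($::lsbdistrelease, '9') < 0` test in class ntp relies on an LSB fact that, as far as I know, is only populated when lsb_release is installed on the node. Where it is missing, the comparison either fails at compile time or takes an unintended branch and the wrong package is selected. `$::operatingsystemrelease` would avoid that dependency: `if versioncmp($::operatingsystemrelease, '9') < 0 {`. The `if`/`else` block also appears to start at column 0 inside the class body, unlike the resources around it, though that is hard to confirm in this rendering. The service is still `ntpd` and the config still `/etc/ntp.conf` for both packages, which is presumably right for ntpsec on this distribution but deserves a one-line comment.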
@@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/modules/opendkim/Modulefile b/modules/opendkim/Modulefile new file mode 100644 index 00000000..7790c510 --- /dev/null +++ b/modules/opendkim/Modulefile @@ -0,0 +1,8 @@ + name "bi4o4ek-opendkim" + version "0.0.7" + author "Vladimir Bykanov" + summary "Configures OpenDKIM" + license "Apache-2.0" + source "https://github.com/bi4o4ek/puppet-opendkim" + project_page "https://github.com/bi4o4ek/puppet-opendkim" + diff --git a/modules/opendkim/Puppetfile b/modules/opendkim/Puppetfile new file mode 100644 index 00000000..177adf16 --- /dev/null +++ b/modules/opendkim/Puppetfile @@ -0,0 +1,7 @@ +#!/usr/bin/env ruby +#^syntax detection + +forge "https://forgeapi.puppetlabs.com" + +# use dependencies defined in metadata.json +metadata 
diff --git a/modules/opendkim/README.md b/modules/opendkim/README.md new file mode 100644 index 00000000..13c40bde --- /dev/null +++ b/modules/opendkim/README.md 
@@ -0,0 +1,98 @@ +[](https://travis-ci.org/bi4o4ek/puppet-opendkim) + +# opendkim + +#### Table of Contents + +1. [Overview](#overview) +2. [Module Description](#module-description) +3. [Setup - The basics of getting started with opendkim](#setup) + * [Beginning with opendkim](#beginning-with-opendkim) + * [Add domains for signing](#add-domains-for-signing) + * [Add allowed hosts](#add-allowed-hosts) +4. [Usage - Configuration options and additional functionality](#usage) +5. [Reference - An under-the-hood peek at what the module is doing and how](#reference) +5. [Limitations - OS compatibility, etc.](#limitations) +6. [Development - Guide for contributing to the module](#development) + +## Overview + +The opendkim module allows you to set up mail signing and manage DKIM services with minimal effort. + +## Module Description + +OpenDKIM is a widely-used DKIM service, and this module provides a simplified way of creating configurations to manage your infrastructure. +This includes the ability to configure and manage a range of different domain, as well as a streamlined way to install and configure OpenDKIM service. + +## Setup + +### What opendkim affects + +* configuration files and directories (created and written to) +* package/service/configuration files for OpenDKIM +* signing domains list +* trusted hosts list + +### Beginning with opendkim + +To install OpenDKIM with the default parameters + + include opendkim + +### Add domains for signing + + opendkim::domain{['example.com', 'example.org']:} + + +### Add allowed hosts + + opendkim::trusted{['10.0.0.0/8', '203.0.113.0/24']:} + +## Usage + +For example. +There is internal ip 10.3.3.80 and external ip 203.0.113.100 on our mail-relay host with OpenDKIM. +This host signs all mails for domains example.com and example.org. 
+ + # Postfix-relay + class{ 'postfix::server': + inet_interfaces => '10.3.3.80, localhost', + mynetworks => '10.0.0.0/8, 203.0.113.0/24', + smtpd_recipient_restrictions => 'permit_mynetworks, reject_unauth_destination', + smtpd_client_restrictions => 'permit_mynetworks, reject', + mydestination => '$myhostname', + myhostname => 'relay-site.example.com', + smtpd_banner => 'Hello', + extra_main_parameters => { + smtp_bind_address => '203.0.113.100', + smtpd_milters => 'inet:127.0.0.1:8891', + non_smtpd_milters => '$smtpd_milters', + milter_default_action => 'accept', + milter_protocol => '2', + }, + } + + # OpenDKIM + include opendkim + opendkim::domain{['example.com', 'example.org']:} + opendkim::trusted{['10.0.0.0/8', '203.0.113.0/24']:} + +After puppet-run you need to copy contents of /etc/opendkim/keys/example.com/relay-site.txt and paste into corresponding DNS-zone as TXT. +Then repeat this action for example.org + +Puppet module for postfix in this example is [thias/postfix](https://forge.puppetlabs.com/thias/postfix) v0.3.3 +## Reference + +Puppetlabs are working on automating this section. + +## Limitations + +This module is tested on: +* CentOS 6 +* Ubuntu 12.04 +* Ubuntu 14.04 + +## Development + +Fork me on github and make pull request. + diff --git a/modules/opendkim/Rakefile b/modules/opendkim/Rakefile new file mode 100644 index 00000000..312b2952 --- /dev/null +++ b/modules/opendkim/Rakefile 
@@ -0,0 +1,12 @@ +require 'rubygems' +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-lint/tasks/puppet-lint' + +PuppetLint.configuration.fail_on_warnings = true +PuppetLint.configuration.send('relative') +PuppetLint.configuration.send('disable_80chars') +PuppetLint.configuration.send('disable_class_inherits_from_params_class') +PuppetLint.configuration.send('disable_documentation') +PuppetLint.configuration.send('disable_single_quote_string_with_variables') +PuppetLint.configuration.send('disable_only_variable_string') +PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"] diff --git a/modules/opendkim/manifests/domain.pp b/modules/opendkim/manifests/domain.pp new file mode 100644 index 00000000..c708ad08 --- /dev/null +++ b/modules/opendkim/manifests/domain.pp 
@@ -0,0 +1,46 @@ +define opendkim::domain ( + $domain = $name, + $selector = $hostname, + $pathkeys = '/etc/opendkim/keys', + $keytable = 'KeyTable', + $signing_table = 'SigningTable', +) { + # $pathConf and $pathKeys must be without trailing '/'. + # For example, '/etc/opendkim/keys' + + Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] } + + # Create directory for domain + file { "${pathkeys}/${domain}": + ensure => directory, + owner => $opendkim::owner, + group => $opendkim::group, + mode => '0755', + notify => Service[$opendkim::service_name], + require => Package[$opendkim::package_name], + } + + # Generate dkim-keys + exec { "opendkim-genkey -D ${pathkeys}/${domain}/ -d ${domain} -s ${selector}": + unless => "/usr/bin/test -f ${pathkeys}/${domain}/${selector}.private && /usr/bin/test -f ${pathkeys}/${domain}/${selector}.txt", + user => $opendkim::owner, + notify => Service[$opendkim::service_name], + require => [ Package[$opendkim::package_name], File["${pathkeys}/${domain}"], ], + } + + # Add line into KeyTable + file_line { "${opendkim::pathconf}/${keytable}_${domain}": + path => "${opendkim::pathconf}/${keytable}", + line => "${selector}._domainkey.${domain} ${domain}:${selector}:${pathkeys}/${domain}/${selector}.private", + notify => Service[$opendkim::service_name], + require => Package[$opendkim::package_name], + } + + # Add line into SigningTable + file_line { "${opendkim::pathconf}/${signing_table}_${domain}": + path => "${opendkim::pathconf}/${signing_table}", + line => "*@${domain} ${selector}._domainkey.${domain}", + notify => Service[$opendkim::service_name], + require => Package[$opendkim::package_name], + } +} diff --git a/modules/opendkim/manifests/init.pp b/modules/opendkim/manifests/init.pp new file mode 100644 index 00000000..6e45345a --- /dev/null +++ b/modules/opendkim/manifests/init.pp 
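Review bot: The per-domain key directory `"${pathkeys}/${domain}"` is created with `mode => '0755'`, while init.pp in this same commit creates the parent `keys` directory as `0750` (Debian/Ubuntu branch). The directory that holds `${selector}.private` should be no more open than its parent, e.g. `mode => '0750'`. The leading comment refers to `$pathConf` and `$pathKeys`, but the names actually used are `$pathkeys` and `$opendkim::pathconf`, and `$selector = $hostname` reads an unqualified fact where `$::hostname` would make the scope explicit. `$domain` and `$selector` are interpolated into the `exec` command and its `unless` string, so a `validate_re` check that both contain only hostname characters would keep a malformed resource title from altering the command line.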
@@ -0,0 +1,105 @@ +# == Class: opendkim +# +# === Examples +# +# class { 'opendkim':} +# +# === Authors +# +# Vladimir Bykanov <vladimir@bykanov.ru> +# +# === Copyright +# +# Copyright 2015 Vladimir Bykanov +# +class opendkim ( + $autorestart = 'Yes', + $autorestart_rate = '10/1h', + $log_why = 'Yes', + $syslog = 'Yes', + $syslog_success = 'Yes', + $mode = 's', + $canonicalization = 'relaxed/simple', + $external_ignore_list = 'refile:/etc/opendkim/TrustedHosts', + $internal_hosts = 'refile:/etc/opendkim/TrustedHosts', + $keytable = 'refile:/etc/opendkim/KeyTable', + $signing_table = 'refile:/etc/opendkim/SigningTable', + $signature_algorithm = 'rsa-sha256', + $socket = 'inet:8891@localhost', + $pidfile = '/var/run/opendkim/opendkim.pid', + $umask = '022', + $userid = 'opendkim:opendkim', + $temporary_directory = '/var/tmp', + $package_name = 'opendkim', + $service_name = 'opendkim', + $pathconf = '/etc/opendkim', + $owner = 'opendkim', + $group = 'opendkim', +) { + + package { $package_name: + ensure => present, + } + + case $::operatingsystem { + /^(Debian|Ubuntu)$/: { + package { 'opendkim-tools': + ensure => present, + } + # Debian/Ubuntu doesn't ship this directory in its package + file { $pathconf: + ensure => directory, + owner => 'root', + group => 'opendkim', + mode => '0755', + require => Package[$package_name], + } + file { "${pathconf}/keys": + ensure => directory, + owner => 'opendkim', + group => 'opendkim', + mode => '0750', + require => Package[$package_name], + } + file { "${pathconf}/KeyTable": + ensure => present, + owner => 'opendkim', + group => 'opendkim', + mode => '0640', + require => Package[$package_name], + } + file { "${pathconf}/SigningTable": + ensure => present, + owner => 'opendkim', + group => 'opendkim', + mode => '0640', + require => Package[$package_name], + } + file { "${pathconf}/TrustedHosts": + ensure => present, + owner => 'opendkim', + group => 'opendkim', + mode => '0644', + require => Package[$package_name], + } + } + 
default: {} + } + + file {'/etc/opendkim.conf': + ensure => file, + owner => 'root', + group => 'root', + mode => '0644', + content => template('opendkim/opendkim.conf'), + notify => Service[$service_name], + require => Package[$package_name], + } + + service { $service_name: + ensure => running, + enable => true, + require => Package[$package_name], + } +} + diff --git a/modules/opendkim/manifests/trusted.pp b/modules/opendkim/manifests/trusted.pp new file mode 100644 index 00000000..dcf0f8b8 --- /dev/null +++ b/modules/opendkim/manifests/trusted.pp @@ -0,0 +1,13 @@ +define opendkim::trusted ( + $host = $name, + $trusted_hosts = 'TrustedHosts', + +) { + # Add line into KeyTable + file_line { "${opendkim::pathconf}/${trusted_hosts}_${host}": + path => "${opendkim::pathconf}/${trusted_hosts}", + line => $host, + notify => Service[$opendkim::service_name], + require => Package[$opendkim::package_name], + } +} diff --git a/modules/opendkim/metadata.json b/modules/opendkim/metadata.json new file mode 100644 index 00000000..81b2f70d --- /dev/null +++ b/modules/opendkim/metadata.json 
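Review bot: The Debian/Ubuntu branch of `class opendkim` hard-codes `owner => 'opendkim'` and `group => 'opendkim'` on the `keys`, `KeyTable`, `SigningTable` and `TrustedHosts` resources although the class declares `$owner` and `$group`. The `opendkim::domain` define uses `$opendkim::owner` and `$opendkim::group` for the per-domain key directories, so overriding the parameters would leave the key tree with mixed ownership. Use `owner => $owner,` and `group => $group,` on these resources. These files are only managed in this branch, so on other platforms their ownership and modes come from the package; a one-line comment saying so would help.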
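Review bot: The comment `# Add line into KeyTable` in `opendkim::trusted` is a leftover from domain.pp; the resource appends `$host` to `${opendkim::pathconf}/${trusted_hosts}`, not to the KeyTable. With the class defaults in init.pp that file backs both `InternalHosts` and `ExternalIgnoreList`, so every entry names a host whose mail is signed rather than verified. I would replace the comment with `# Add host or network to TrustedHosts (mail from it is signed, not verified)` and state that `$host` may be an address or a CIDR range, as primary.pp passes both.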
@@ -0,0 +1,60 @@ +{ + "name": "bi4o4ek-opendkim", + "version": "0.0.7", + "author": "Vladimir Bykanov", + "summary": "Configures OpenDKIM", + "license": "Apache-2.0", + "source": "https://github.com/bi4o4ek/puppet-opendkim", + "project_page": "https://github.com/bi4o4ek/puppet-opendkim", + "issues_url": "https://github.com/bi4o4ek/puppet-opendkim/issues", + "operatingsystem_support": [ + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ + "5", + "6", + "7" + ] + }, + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ + "5", + "6", + "7" + ] + }, + { + "operatingsystem": "Mageia", + "operatingsystemrelease": [ + "7", + "8", + "9" + ] + } + ], + "dependencies": [ + { + } + ], + "description": "UNKNOWN", + "types": [ + + ], + "checksums": { + "Gemfile": "19456e851851a3bd7aa6729108429dde", + "LICENSE": "fa818a259cbed7ce8bc2a22d35a464fc", + "Modulefile": "9a3b46c73c1ae7309fe2d35c5e6fa549", + "Puppetfile": "607001b25e4f9d020b2ce4444174a654", + "README.md": "0764cc9bb9de221c97bce2664ba99657", + "Rakefile": "a162d9397ed53fa8fa49c57609feedcb", + "manifests/domain.pp": "61f78cbd4376e58a7b26f1298f38804b", + "manifests/init.pp": "4987dcd9ebc88e7ea0de3b74c9af6d9c", + "manifests/trusted.pp": "bcc132622e2c2e39bcbc3116c7788c8b", + "spec/classes/init_spec.rb": "0451831b29191c21b2cdc045c94a2243", + "spec/classes/opendkim_spec.rb": "9f06a3f005344875a0fb5753ab43cb34", + "spec/spec_helper.rb": "0db89c9a486df193c0e40095422e19dc", + "templates/opendkim.conf": "047e76e4c2a0a15754101f2da32ab2fe", + "tests/init.pp": "8c9ab8c85cd89dae1ad97cbe949a7e6e" + } +} diff --git a/modules/opendkim/spec/classes/init_spec.rb b/modules/opendkim/spec/classes/init_spec.rb new file mode 100644 index 00000000..5ce0a75d --- /dev/null +++ b/modules/opendkim/spec/classes/init_spec.rb @@ -0,0 +1,7 @@ +require 'spec_helper' +describe 'opendkim' do + + context 'with defaults for all parameters' do + it { should contain_class('opendkim') } + end +end 
diff --git a/modules/opendkim/spec/classes/opendkim_spec.rb b/modules/opendkim/spec/classes/opendkim_spec.rb
new file mode 100644
index 00000000..1901c1c0
--- /dev/null
+++ b/modules/opendkim/spec/classes/opendkim_spec.rb
@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe 'opendkim', :type => :class do
+
+ describe "Opendkim class with no parameters, basic test" do
+ let(:params) { { } }
+
+ it {
+ should contain_package('opendkim')
+ should contain_service('opendkim')
+ }
+ end
+end
diff --git a/modules/opendkim/spec/spec_helper.rb b/modules/opendkim/spec/spec_helper.rb
new file mode 100644
index 00000000..2c6f5664
--- /dev/null
+++ b/modules/opendkim/spec/spec_helper.rb
@@ -0,0 +1 @@
+require 'puppetlabs_spec_helper/module_spec_helper'
diff --git a/modules/opendkim/templates/opendkim.conf b/modules/opendkim/templates/opendkim.conf
new file mode 100644
index 00000000..5dc61aa6
--- /dev/null
+++ b/modules/opendkim/templates/opendkim.conf
@@ -0,0 +1,52 @@ +<%- if @autorestart -%> +AutoRestart <%= @autorestart %> +<%- end -%> +<%- if @autorestart_rate -%> +AutoRestartRate <%= @autorestart_rate %> +<%- end -%> +<%- if @log_why -%> +LogWhy <%= @log_why %> +<%- end -%> +<%- if @syslog -%> +Syslog <%= @syslog %> +<%- end -%> +<%- if @syslog_success -%> +SyslogSuccess <%= @syslog_success %> +<%- end -%> +<%- if @mode -%> +Mode <%= @mode %> +<%- end -%> +<%- if @canonicalization -%> +Canonicalization <%= @canonicalization %> +<%- end -%> +<%- if @external_ignore_list -%> +ExternalIgnoreList <%= @external_ignore_list %> +<%- end -%> +<%- if @internal_hosts -%> +InternalHosts <%= @internal_hosts %> +<%- end -%> +<%- if @keytable -%> +KeyTable <%= @keytable %> +<%- end -%> +<%- if @signing_table -%> +SigningTable <%= @signing_table %> +<%- end -%> +<%- if @signature_algorithm -%> +SignatureAlgorithm <%= @signature_algorithm %> +<%- end -%> +<%- if @socket -%> +Socket <%= @socket %> +<%- end -%> +<%- if @pidfile -%> +PidFile <%= @pidfile %> +<%- end -%> +<%- if @umask -%> +UMask <%= @umask %> +<%- end -%> +<%- if @userid -%> +UserID <%= @userid %> +<%- end -%> +<%- if @temporary_directory -%> +TemporaryDirectory <%= @temporary_directory %> +<%- end -%> + diff --git a/modules/opendkim/tests/init.pp b/modules/opendkim/tests/init.pp new file mode 100644 index 00000000..ff3d3b06 --- /dev/null +++ b/modules/opendkim/tests/init.pp @@ -0,0 +1,15 @@ +# The baseline for module testing used by Puppet Labs is that each manifest +# should have a corresponding test manifest that declares that class or defined +# type. +# +# Tests are then run by using puppet apply --noop (to check for compilation +# errors and view a log of events) or by fully applying the test in a virtual +# environment (to compare the resulting system state to the desired state). +# +# Learn more about module testing here: +# http://docs.puppetlabs.com/guides/tests_smoke.html +# +Class['epel'] -> Class['opendkim'] + +include epel +include opendkim 
diff --git a/modules/openldap/manifests/config.pp b/modules/openldap/manifests/config.pp index ee8a3187..336f8a23 100644 --- a/modules/openldap/manifests/config.pp +++ b/modules/openldap/manifests/config.pp @@ -2,6 +2,6 @@ define openldap::config($content) { file { $name: require => Package['openldap-servers'], content => $content, - notify => Exec["/etc/init.d/${openldap::var::service} check"], + notify => Exec["slaptest"], } } diff --git a/modules/openldap/manifests/init.pp b/modules/openldap/manifests/init.pp index 7f97aa59..34a214a2 100644 --- a/modules/openldap/manifests/init.pp +++ b/modules/openldap/manifests/init.pp @@ -8,7 +8,7 @@ class openldap { require => Openssl::Self_signed_cert["ldap.${::domain}"], } - exec { "/etc/init.d/${openldap::var::service} check": + exec { "slaptest": refreshonly => true, notify => Service[$openldap::var::service], } diff --git a/modules/openldap/manifests/slave_instance.pp b/modules/openldap/manifests/slave_instance.pp index 0d66d607..fbf998c6 100644 --- a/modules/openldap/manifests/slave_instance.pp +++ b/modules/openldap/manifests/slave_instance.pp @@ -1,5 +1,5 @@ # TODO create the user for sync in ldap -# this define is mainly syntaxic sugar +# this define is mainly syntactic sugar define openldap::slave_instance($rid) { include openldap class { 'openldap::slave': diff --git a/modules/openldap/manifests/var.pp b/modules/openldap/manifests/var.pp index 772ac22b..d6947eb8 100644 --- a/modules/openldap/manifests/var.pp +++ b/modules/openldap/manifests/var.pp @@ -1,7 +1,3 @@ class openldap::var { - if versioncmp($::lsbdistrelease, '4') < 0 { - $service = 'ldap' - } else { - $service = 'slapd' - } + $service = 'slapd' } diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf index f9b7a98d..361d956b 100644 --- a/modules/openldap/templates/mandriva-dit-access.conf +++ b/modules/openldap/templates/mandriva-dit-access.conf 
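Review bot: `exec { "slaptest":` in openldap/manifests/init.pp now has an unqualified title and no `command` or `path` attribute in the visible lines, whereas the old title was an absolute `/etc/init.d/...` path. Unless an `Exec` default path is set elsewhere for this class, Puppet rejects an exec whose command is not fully qualified, so the configuration check that sits between the config files and the `Service` notify would fail the run instead of validating. Add `path => ['/usr/sbin', '/usr/bin'],` or put the absolute path in a `command` attribute and keep `slaptest` as the title. The class body starts and ends outside the hunk.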
@@ -66,7 +66,7 @@ access to dn.subtree="<%= dc_suffix %>" by self write by * none # password history attribute -# pwdHistory is read-only, but ACL is simplier with it here +# pwdHistory is read-only, but ACL is simpler with it here access to dn.subtree="<%= dc_suffix %>" attrs=sambaPasswordHistory,pwdHistory by self read diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf index 20ecc944..d82fe088 100644 --- a/modules/openldap/templates/slapd.conf +++ b/modules/openldap/templates/slapd.conf @@ -68,7 +68,7 @@ access to dn.subtree="cn=Monitor" database bdb <% else %> database mdb -# mdb defaults to 10MB max DB, so we need to hardocde some better value :( +# mdb defaults to 10MB max DB, so we need to hardcode some better value :( maxsize 500000000 <% end %> suffix "<%= dc_suffix %>" diff --git a/modules/openssh/templates/ldap-sshkey2file.py b/modules/openssh/templates/ldap-sshkey2file.py index 6718b053..934e2865 100755 --- a/modules/openssh/templates/ldap-sshkey2file.py +++ b/modules/openssh/templates/ldap-sshkey2file.py @@ -15,7 +15,7 @@ except ImportError: print("Please install python-ldap before running this program") sys.exit(1) -basedn = "<%= dc_suffix %>" +basedn = "<%= @dc_suffix %>" peopledn = f"ou=people,{basedn}" <%- ldap_servers.map! { |l| "'ldaps://#{l}'" } @@ -24,9 +24,9 @@ uris = [<%= ldap_servers.join(", ") %>] random.shuffle(uris) uri = " ".join(uris) timeout = 5 -binddn = f"cn=<%= fqdn %>,ou=Hosts,{basedn}" -ldap_secret_file = "<%= ldap_pwfile %>" -nslcd_conf_file = "<%= nslcd_conf_file %>" +binddn = f"cn=<%= @fqdn %>,ou=Hosts,{basedn}" +ldap_secret_file = "<%= @ldap_pwfile %>" +nslcd_conf_file = "<%= @nslcd_conf_file %>" # filter out disabled accounts also # too bad uidNumber doesn't support >= filters objfilter = "(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*))" 
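Review bot: The switch to instance variables in ldap-sshkey2file.py is incomplete: the context lines between the two hunks still use bare `ldap_servers` (`ldap_servers.map! { ... }` and `ldap_servers.join(", ")`). If that name is a Puppet variable rather than a local assigned earlier in the template, it needs the same `@` prefix. `map!` should then become a non-mutating `map` so the template does not modify the scope value, for example `<%- servers = @ldap_servers.map { |l| "'ldaps://#{l}'" }` followed by `servers.join(", ")`. The lines between the hunks are not shown, so this needs checking against the full file.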
diff --git a/modules/openssh/templates/sshd_config b/modules/openssh/templates/sshd_config index 43c3f9c5..56ddd725 100644 --- a/modules/openssh/templates/sshd_config +++ b/modules/openssh/templates/sshd_config @@ -18,18 +18,10 @@ # The default requires explicit activation of protocol 1 #Protocol 2 -<% if scope.function_versioncmp([lsbdistrelease, '6']) < 0 -%> -# HostKey for protocol version 1 -HostKey /etc/ssh/ssh_host_key -<% end %> # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key -<% if scope.function_versioncmp([lsbdistrelease, '6']) < 0 -%> -HostKey /etc/ssh/ssh_host_dsa_key -<% else %> HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key -<% end %> # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h @@ -106,9 +98,6 @@ X11Forwarding yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -<% if scope.function_versioncmp([lsbdistrelease, '6']) < 0 -%> -UsePrivilegeSeparation yes -<% end %> #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 @@ -123,11 +112,7 @@ UsePrivilegeSeparation yes #Banner none # override default of no subsystems -<% if scope.function_versioncmp([lsbdistrelease, '6']) < 0 -%> -Subsystem sftp <%= path_to_sftp %>/sftp-server -<% else %> Subsystem sftp /usr/libexec/openssh/sftp-server -<% end %> # Example of overriding settings on a per-user basis #Match User anoncvs diff --git a/modules/pam/manifests/base.pp b/modules/pam/manifests/base.pp index cfeff23d..e29c8555 100644 --- a/modules/pam/manifests/base.pp +++ b/modules/pam/manifests/base.pp 
@@ -1,11 +1,12 @@ class pam::base { include pam::multiple_ldap_access - package { ['nscd']: } + package { ['nscd', 'nss-pam-ldapd']: } - if versioncmp($::lsbdistrelease, '2') < 0 { - package { ['pam_ldap','nss_ldap']: } - } else { - package { ['nss-pam-ldapd']: } + # This needs configuration or it generates an error every hour. + # If it's ever enabled, make sure restrict permissions on + # /var/db/passwd.db and /var/db/group.db at the same time. + package { 'nss_updatedb': + ensure => 'absent', } service { 'nscd': diff --git a/modules/phpbb/files/robots.txt b/modules/phpbb/files/robots.txt new file mode 100644 index 00000000..1c335a73 --- /dev/null +++ b/modules/phpbb/files/robots.txt @@ -0,0 +1,7 @@ +User-agent: * +Disallow: /*/faq.php? +Disallow: /*/memberlist.php? +Disallow: /*/posting.php? +Disallow: /*/search.php? +Disallow: /*/ucp.php? +Crawl-delay: 30 diff --git a/modules/phpbb/manifests/base.pp b/modules/phpbb/manifests/base.pp index 82340c7d..9f676cb4 100644 --- a/modules/phpbb/manifests/base.pp +++ b/modules/phpbb/manifests/base.pp @@ -29,6 +29,15 @@ class phpbb::base { ensure => directory, } + $robotsfile = "$forums_dir/robots.txt" + file { $robotsfile: + ensure => present, + mode => '0644', + owner => root, + group => root, + source => 'puppet:///modules/phpbb/robots.txt', + } + # TODO check that everything is locked down apache::vhost::base { "forums.${::domain}": content => template('phpbb/forums_vhost.conf'), diff --git a/modules/phpbb/manifests/instance.pp b/modules/phpbb/manifests/instance.pp index d688b019..e300d9e0 100644 --- a/modules/phpbb/manifests/instance.pp +++ b/modules/phpbb/manifests/instance.pp 
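Review bot: `$robotsfile = "$forums_dir/robots.txt"` in phpbb/manifests/base.pp interpolates an unbraced variable, unlike the `"forums.${::domain}"` form used a few lines below; write `"${forums_dir}/robots.txt"` so the variable boundary is explicit. Because the resource has a `source`, `ensure => file` states the intent more precisely than `ensure => present`, which is satisfied by any kind of existing path. The class body continues outside the hunk.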
@@ -18,7 +18,7 @@ define phpbb::instance() { } # remove this or the forum will not work ( 'board disabled' ) - # maybe it would be better to move this elsehwere, I + # maybe it would be better to move this elsewhere, I # am not sure ( and in any case, that's still in git ) exec { "rm_install ${lang}": command => "rm -Rf ${forums_dir}/${lang}/phpBB/install", diff --git a/modules/phpbb/templates/forums_vhost.conf b/modules/phpbb/templates/forums_vhost.conf index 2a8234e6..440dad1f 100644 --- a/modules/phpbb/templates/forums_vhost.conf +++ b/modules/phpbb/templates/forums_vhost.conf @@ -4,12 +4,17 @@ # for locale redirection Include conf/vhosts.d/forums.d/*.conf + # Prevent including forum site in tier iframe + Header set X-Frame-Options DENY + # using Redirect create a loop, so we use mod_rewrite here RewriteEngine On RewriteRule ^/$ /en/ [R] RewriteRule ^/(..)$ /$1/ [R] + Alias /robots.txt <%= forums_dir %>/robots.txt + AliasMatch ^/(..)/(.*) <%= forums_dir %>/$1/phpBB/$2 <Directory ~ "<%= forums_dir %>/.*/phpBB/"> diff --git a/modules/postfix/manifests/server/primary.pp b/modules/postfix/manifests/server/primary.pp index 45b8fda6..c14a8606 100644 --- a/modules/postfix/manifests/server/primary.pp +++ b/modules/postfix/manifests/server/primary.pp 
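Review bot: `Header set X-Frame-Options DENY` in forums_vhost.conf only applies to the success header table, so responses Apache generates itself, such as the `[R]` redirects just below and error documents, are sent without it; `Header always set X-Frame-Options DENY` covers those as well. The directive depends on mod_headers being loaded, which the hunk does not show. Adding `Header always set Content-Security-Policy "frame-ancestors 'none'"` gives current browsers the same framing protection through the standardised mechanism. The vhost block starts and ends outside the hunk.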
@@ -1,11 +1,16 @@ class postfix::server::primary inherits postfix::server { - package { 'postfix-ldap': } + # Adding DKIM server + include opendkim + opendkim::domain{['mageia.org', 'sucuk.mageia.org', 'duvel.mageia.org', 'forums.mageia.org', 'madb.mageia.org','rabbit.mageia.org', 'fiona.mageia.org','identity.mageia.org', 'group.mageia.org', 'neru.mageia.org']:} + opendkim::trusted{['127.0.0.0/8', '212.85.158.0/24']:} + + package { ['postfix-ldap', 'sqlite3-tools', 'dovecot-plugins-sqlite','rspamd']: } # council is here until we fully decide who has aliases in com team, # see https://bugs.mageia.org/show_bug.cgi?id=1345 - # alumini is a special group for tracking previous members of + # alumni is a special group for tracking previous members of # the project, so they keep their aliases for a time $aliases_group = ['mga-founders', 'mga-packagers', diff --git a/modules/postfix/templates/main.cf b/modules/postfix/templates/main.cf index 7fe0f073..6b42a4de 100644 --- a/modules/postfix/templates/main.cf +++ b/modules/postfix/templates/main.cf @@ -27,7 +27,7 @@ relayhost = sucuk.<%= domain %> # User configurable parameters <% if all_tags.include?('postfix::simple_relay') %> -inet_interfaces = localhost +inet_interfaces = localhost, 127.0.0.1 <% else %> inet_interfaces = all <% end %> @@ -39,7 +39,7 @@ smtp_address_preference = ipv4 <%- end -%> # FIXME Do not hardcode this -mynetworks = 212.85.158.144/28 [2a02:2178:2:7::]/64 127.0.0.1 163.172.148.228 [2001:bc8:4400:2800::4115] +mynetworks = 212.85.158.144/28 [2a02:2178:2:7::]/64 127.0.0.0/16 163.172.148.228 [2001:bc8:4400:2800::4115] myhostname = <%= fqdn %> mydomain = <%= domain %> <%- if all_tags.include?('postfix::server::secondary') -%> @@ -49,7 +49,9 @@ relay_domains = <%= domain %>, <%- end -%> mydestination = <%= fqdn %> +<%- if all_tags.include?('postfix::server::primary') -%> ml.<%= domain %> +<%- end -%> <%- if all_tags.include?('postfix::server::primary') -%> 
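Review bot: `opendkim::trusted` in postfix/manifests/server/primary.pp lists `212.85.158.0/24`, while `mynetworks` in main.cf in this same commit trusts only `212.85.158.144/28` from that range. TrustedHosts is the module's default for `InternalHosts`, so mail reaching the milter from any address in the /24 with a sender domain in the `opendkim::domain` list would be signed; if the project does not control the whole /24, narrow this to `212.85.158.144/28`. In the other direction, the IPv6 ranges and `163.172.148.228` in `mynetworks` are absent from the trusted list, so mail relayed from those hosts would presumably go out unsigned. A comment stating which of the two lists is authoritative would prevent them drifting further.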
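Review bot: `127.0.0.0/16` in the new `mynetworks` line of main.cf looks like a slip for the loopback block `127.0.0.0/8`, which is what `opendkim::trusted` uses in primary.pp; as written, loopback addresses outside 127.0.x.x are not treated as local. Use `127.0.0.0/8` so the Postfix and OpenDKIM lists agree. The `# FIXME Do not hardcode this` above the line still applies, and the value is now duplicated in two modules.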
@@ -86,6 +88,19 @@ virtual_alias_maps = regexp:/etc/postfix/sympa_aliases <%- end -%> <%- end -%> +<%- if all_tags.include?('postfix::server::primary') -%> +# Adding DKIM Miler for primaryserver (sucuk) +smtpd_milters = inet:127.0.0.1:8891 +non_smtpd_milters = $smtpd_milters +milter_default_action = accept +milter_protocol = 2 + +# Adding Sender Rewriting Scheme +sender_canonical_maps = socketmap:inet:localhost:10003:forward +sender_canonical_classes = envelope_sender +recipient_canonical_maps = socketmap:inet:localhost:10003:reverse +recipient_canonical_classes= envelope_recipient,header_recipient +<%- end -%> <%- if all_tags.include?('postfix::server') -%> transport_maps = regexp:/etc/postfix/transport_regexp @@ -121,17 +136,24 @@ smtpd_data_restrictions = permit_mynetworks reject_unauth_pipelining reject_multi_recipient_bounce -smtpd_recipient_restrictions = reject_non_fqdn_recipient - reject_non_fqdn_sender +smtpd_recipient_restrictions = permit_mynetworks # not done yet, not sure if we need to offer this kind of service # permit_sasl_authenticated - permit_mynetworks - reject_unauth_destination reject_non_fqdn_helo_hostname + reject_non_fqdn_recipient + reject_non_fqdn_sender + check_sender_access hash:/etc/postfix/access + reject_rhsbl_helo sbl.spamhaus.org + reject_rhsbl_reverse_client sbl.spamhaus.org + reject_rhsbl_sender sbl.spamhaus.org + reject_rbl_client sbl.spamhaus.org + reject_unauth_destination reject_unknown_sender_domain reject_unknown_client <%- if classes.include?('postgrey') -%> check_policy_service unix:extern/postgrey/socket <%- end -%> - check_sender_access hash:/etc/postfix/access <%- end -%> + +# Needed for buggy clients +always_add_missing_headers = yes diff --git a/modules/postgresql/manifests/database.pp b/modules/postgresql/manifests/database.pp index e984c145..34cee2a6 100644 --- a/modules/postgresql/manifests/database.pp +++ b/modules/postgresql/manifests/database.pp 
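Review bot: `milter_default_action = accept` makes DKIM signing fail open: if the milter on `127.0.0.1:8891` is down or times out, mail leaves unsigned and nothing is logged as an error to the sender. If receivers are expected to rely on the signature, for example under a DMARC policy, either use `milter_default_action = tempfail` or keep `accept` with a comment explaining the choice and monitoring on the opendkim service. `milter_protocol = 2` pins an old protocol level; current Postfix defaults to 6 and the line can probably be dropped. The address here also differs from the class default `inet:8891@localhost`, which may bind to `::1` only if localhost resolves that way, so the two should use the same literal.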
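Review bot: `check_sender_access hash:/etc/postfix/access` now sits before `reject_unauth_destination` in `smtpd_recipient_restrictions`; an `OK` result in that map, which is keyed on the forgeable envelope sender, would end evaluation of this list before the relay check. Unless `smtpd_relay_restrictions` (not shown) still enforces the relay policy, move it back after `reject_unauth_destination`, or add a comment that the map must only return reject-style actions. The three `reject_rhsbl_*` lines query `sbl.spamhaus.org`, which is an IP address list; domain lookups belong on a domain zone such as `dbl.spamhaus.org`. The contents of the access map are not visible here.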
@@ -12,7 +12,7 @@ define postgresql::database($description = '', # this is fetched by the manifest asking the database creation, # once the db have been created # FIXME proper ordering ? - # FIXME In puppet >3.0 word 'tag' is reserved, so it have to berenamed + # FIXME In puppet >3.0 word 'tag' is reserved, so it has to be renamed @@postgresql::database_callback { $name: tag => $name, callback_notify => $callback_notify, diff --git a/modules/postgresql/manifests/remote_database.pp b/modules/postgresql/manifests/remote_database.pp index a9fb1a59..15b54651 100644 --- a/modules/postgresql/manifests/remote_database.pp +++ b/modules/postgresql/manifests/remote_database.pp @@ -1,4 +1,4 @@ -# FIXME: In puppet >3.0 word 'tag' is reserved, so it have to berenamed +# FIXME: In puppet >3.0 word 'tag' is reserved, so it has to be renamed define postgresql::remote_database($description = '', $user = 'postgresql', $callback_notify = '', diff --git a/modules/postgresql/manifests/remote_db_and_user.pp b/modules/postgresql/manifests/remote_db_and_user.pp index eedeaa17..07e3ea23 100644 --- a/modules/postgresql/manifests/remote_db_and_user.pp +++ b/modules/postgresql/manifests/remote_db_and_user.pp @@ -11,7 +11,7 @@ define postgresql::remote_db_and_user($password, password => $password, } - # fetch the exported ressources that should have been exported + # fetch the exported resources that should have been exported # once the db was created, and trigger a notify to the object # passed as callback_notify Postgresql::Database_callback <<| tag == $name |>> diff --git a/modules/postgresql/manifests/var.pp b/modules/postgresql/manifests/var.pp index bda15cf6..b31c7ffe 100644 --- a/modules/postgresql/manifests/var.pp +++ b/modules/postgresql/manifests/var.pp 
@@ -1,13 +1,7 @@ class postgresql::var { $pgsql_data = '/var/lib/pgsql/data/' - - if versioncmp($::lsbdistrelease, '5') < 0 { - $pg_version = '9.0' - } else { - $pg_version = '9.6' - } - + $pg_version = '9.6' $hba_file = "${pgsql_data}/pg_hba.conf" } # vim: sw=2 diff --git a/modules/postgresql/templates/pg_hba.conf b/modules/postgresql/templates/pg_hba.conf index 4305c2c1..e4232a4e 100644 --- a/modules/postgresql/templates/pg_hba.conf +++ b/modules/postgresql/templates/pg_hba.conf @@ -120,7 +120,7 @@ host template1 bugs ::1/128 md5 hostssl template1 bugs 212.85.158.146/32 md5 hostssl template1 bugs 2a02:2178:2:7::2/128 md5 -# Allow youri-ckeck on rabbit to access the results db +# Allow youri-check on rabbit to access the results db hostssl youri_check youri 88.190.12.224/32 md5 # Allow local access too hostssl youri_check youri 212.85.158.151/32 md5 diff --git a/modules/postgresql/templates/postgresql.conf b/modules/postgresql/templates/postgresql.conf index 6f210636..c1e7c994 100644 --- a/modules/postgresql/templates/postgresql.conf +++ b/modules/postgresql/templates/postgresql.conf @@ -113,7 +113,7 @@ ssl = on # - Memory - -shared_buffers = 24MB # min 128kB +shared_buffers = 2048MB # min 128kB # (change requires restart) #temp_buffers = 8MB # min 800kB #max_prepared_transactions = 0 # zero disables the feature @@ -122,8 +122,8 @@ shared_buffers = 24MB # min 128kB # per transaction slot, plus lock space (see max_locks_per_transaction). # It is not advisable to set max_prepared_transactions nonzero unless you # actively intend to use prepared transactions. -#work_mem = 1MB # min 64kB -#maintenance_work_mem = 16MB # min 1MB +work_mem = 64MB # min 64kB +maintenance_work_mem = 512MB # min 1MB #max_stack_depth = 2MB # min 100kB # - Kernel Resource Usage - 
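Review bot: `work_mem = 64MB` in postgresql.conf is allocated per sort or hash operation in each backend, so the worst case scales with `max_connections` (not shown in the hunk) and can exhaust memory alongside `shared_buffers = 2048MB`. These values, together with `effective_cache_size = 4096MB` in a later hunk of the same file, are hard-coded in a template; if more than one host uses it, they should become template variables with per-host values. A short comment giving the RAM size they were chosen for would help the next person who changes them.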
@@ -144,7 +144,7 @@ shared_buffers = 24MB # min 128kB #bgwriter_delay = 200ms # 10-10000ms between rounds #bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round -#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round # - Asynchronous Behavior - @@ -235,7 +235,7 @@ shared_buffers = 24MB # min 128kB #cpu_tuple_cost = 0.01 # same scale as above #cpu_index_tuple_cost = 0.005 # same scale as above #cpu_operator_cost = 0.0025 # same scale as above -#effective_cache_size = 128MB +effective_cache_size = 4096MB # - Genetic Query Optimizer - diff --git a/modules/puppet/manifests/hiera.pp b/modules/puppet/manifests/hiera.pp index 338b67e1..02900cd7 100644 --- a/modules/puppet/manifests/hiera.pp +++ b/modules/puppet/manifests/hiera.pp @@ -1,19 +1,6 @@ class puppet::hiera { package { ['ruby-hiera']: } - if versioncmp($::lsbdistrelease, '4') < 0 { - package { ['ruby-hiera-puppet']: } - # ugly hack for puppet 2.7, since hiera has been integrated - # from puppet 3 only (Mageia 4) - file { '/etc/puppet/external/hiera': - ensure => link, - # this should be /usr/share/ruby/gems/gems/hiera-puppet-1.0.0 - # on Mageia 3, but we do not have any infra hosts running mga3 - target => '/usr/lib/ruby/gems/1.8/gems/hiera-puppet-0.3.0/', - require => Package['ruby-hiera-puppet'], - } - } - # ease the use fo the command line tool # who use a different location for the config file file { '/etc/hiera.yaml': diff --git a/modules/puppet/manifests/stored_config.pp b/modules/puppet/manifests/stored_config.pp index 9b19702b..51820d83 100644 --- a/modules/puppet/manifests/stored_config.pp +++ b/modules/puppet/manifests/stored_config.pp 
@@ -9,7 +9,7 @@ class puppet::stored_config { # # if ($::environment == 'production') { # # FIXME not really elegant, but we do not have much choice -# # this make servers not bootstrapable for now +# # this make servers not bootstrappable for now # $pgsql_password = extlookup('puppet_pgsql','x') # # postgresql::remote_db_and_user { 'bugs': diff --git a/modules/puppet/templates/apache_proxy_vhost.conf b/modules/puppet/templates/apache_proxy_vhost.conf index 607998c4..89157fc2 100644 --- a/modules/puppet/templates/apache_proxy_vhost.conf +++ b/modules/puppet/templates/apache_proxy_vhost.conf @@ -1,7 +1,7 @@ ProxyRequests Off <Proxy balancer://puppet> -# TODO dynamically ajust that with a variable +# TODO dynamically adjust that with a variable BalancerMember http://127.0.0.1:18140 BalancerMember http://127.0.0.1:18141 BalancerMember http://127.0.0.1:18142 diff --git a/modules/puppet/templates/puppet.agent.conf b/modules/puppet/templates/puppet.agent.conf index b08a903b..44dfedb7 100644 --- a/modules/puppet/templates/puppet.agent.conf +++ b/modules/puppet/templates/puppet.agent.conf @@ -15,7 +15,7 @@ environment = <%= environment %> <% end %> # The file in which puppetd stores a list of the classes - # associated with the retrieved configuratiion. Can be loaded in + # associated with the retrieved configuration. Can be loaded in # the separate ``puppet`` executable using the ``--loadclasses`` # option. # The default value is '$confdir/classes.txt'. diff --git a/modules/rsnapshot/templates/rsnapshot.conf b/modules/rsnapshot/templates/rsnapshot.conf index 2ec5edcf..4eeee4d0 100644 --- a/modules/rsnapshot/templates/rsnapshot.conf +++ b/modules/rsnapshot/templates/rsnapshot.conf 
@@ -24,7 +24,7 @@ config_version 1.2 # All snapshots will be stored under this root directory. # -snapshot_root <%= snapshot_root %> +snapshot_root <%= @snapshot_root %> # If no_create_root is enabled, rsnapshot will not automatically create the # snapshot_root directory. This is particularly useful if you are backing diff --git a/modules/rsyncd/templates/xinetd b/modules/rsyncd/templates/xinetd index 3359ca84..b477e413 100644 --- a/modules/rsyncd/templates/xinetd +++ b/modules/rsyncd/templates/xinetd @@ -8,8 +8,8 @@ service rsync server_args = --daemon log_on_failure += USERID flags = IPv6 - # some mirorrs do not seems to use lock when downloading from - # us and try to download the same stuff 15 time in a row + # some mirrors do not seems to use locks when downloading from + # us and try to download the same stuff 15 times in a row per_source = 4 } diff --git a/modules/spec-tree-reports/templates/generate-spec-rpm-mismatch-report b/modules/spec-tree-reports/templates/generate-spec-rpm-mismatch-report index 966d6946..4bc2db65 100644 --- a/modules/spec-tree-reports/templates/generate-spec-rpm-mismatch-report +++ b/modules/spec-tree-reports/templates/generate-spec-rpm-mismatch-report @@ -5,6 +5,6 @@ trap 'test "$?" -ne 0 && echo Error in script' EXIT cd "$HOME" test -e errors.log && mv -f errors.log errors.log.1 -/usr/bin/generate-mismatch-report --srpm_source <%= scope.function_shellquote([scope.lookupvar('srpms')]) -%> --release <%= scope.function_shellquote([scope.lookupvar('release')]) %> +/usr/share/doc/spec-tree/examples/generate-mismatch-report --srpm_source <%= scope.function_shellquote([scope.lookupvar('srpms')]) -%> --release <%= scope.function_shellquote([scope.lookupvar('release')]) %> cp report.html <%= scope.function_shellquote([scope.lookupvar('report')]) %> rm -f report.html diff --git a/modules/ssmtp/templates/ssmtp.conf b/modules/ssmtp/templates/ssmtp.conf index b535bc29..d7a9125f 100644 --- a/modules/ssmtp/templates/ssmtp.conf 
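Review bot: The report script is now invoked from `/usr/share/doc/spec-tree/examples/`, a documentation path; doc files can be omitted at install time or relocated by a package update, and the `trap` above only prints a generic "Error in script" if the file is missing. Consider deploying the script to a managed location through Puppet, or add a check such as `test -x /usr/share/doc/spec-tree/examples/generate-mismatch-report || { echo "generate-mismatch-report not installed" >&2; exit 1; }` before the call. The script body starts outside the hunk.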
+++ b/modules/ssmtp/templates/ssmtp.conf @@ -1,9 +1,9 @@ -root=mageia-sysadm@<%= domain %> +root=mageia-sysadm@<%= @domain %> -mailhub=mx.<%= domain %> +mailhub=mx.<%= @domain %> rewriteDomain= # The full hostname -hostname=<%= fqdn %> +hostname=<%= @fqdn %> diff --git a/modules/subversion/manifests/repository.pp b/modules/subversion/manifests/repository.pp index 77b32765..b223e6ae 100644 --- a/modules/subversion/manifests/repository.pp +++ b/modules/subversion/manifests/repository.pp @@ -28,7 +28,7 @@ define subversion::repository($group = 'svn', # $name ==> directory of the repo include subversion::server # TODO set umask -> requires puppet 2.7.0 - # unfortunatly, umask is required + # unfortunately, umask is required # https://projects.puppetlabs.com/issues/4424 exec { "/usr/local/bin/create_svn_repo.sh ${name}": user => 'root', diff --git a/modules/subversion/templates/hook_sendmail.pl b/modules/subversion/templates/hook_sendmail.pl index 81b786d2..cf3be6a4 100644 --- a/modules/subversion/templates/hook_sendmail.pl +++ b/modules/subversion/templates/hook_sendmail.pl @@ -8,7 +8,7 @@ with-diff: 1 max_diff_length: 20000 ticket_map: - '\bmga#(\d+)\b': 'https://bugs.mageia.org/show_bug.cgi?id=%s' + '(\bmga#(\d+)\b)': 'https://bugs.mageia.org/show_bug.cgi?id=%s' revision-url: "https://svnweb.mageia.org/packages/?revision=%s&view=revision" subject_cx: 1 from: subversion_noreply@ml.<%= @domain %> @@ -24,7 +24,7 @@ with-diff: 1 max_diff_length: 20000 ticket_map: - '\bmga#(\d+)\b': 'https://bugs.mageia.org/show_bug.cgi?id=%s' + '(\bmga#(\d+)\b)': 'https://bugs.mageia.org/show_bug.cgi?id=%s' revision-url: "https://svnweb.mageia.org/packages/?revision=%s&view=revision" subject_cx: 1 from: subversion_noreply@ml.<%= @domain %> diff --git a/modules/subversion/templates/no_binary b/modules/subversion/templates/no_binary index a7f2eb94..284642e5 100644 --- a/modules/subversion/templates/no_binary +++ b/modules/subversion/templates/no_binary 
@@ -3,7 +3,7 @@ REP="$1" TXN="$2" -# Filter some binary files based on common filename extentions. +# Filter some binary files based on common filename extensions. # It does not fully prevent commit of binary files, this script is only # here to avoid simple mistakes if svnlook changed -t "$TXN" "$REP" | grep -qi '\.\(gz\|bz2\|xz\|lzma\|Z\|7z\|tar\|tgz\|zip\|jpg\|gif\|png\|ogg\|mp3\|wav\|rar\|pdf\)$' diff --git a/modules/subversion/templates/restricted_to_user b/modules/subversion/templates/restricted_to_user index 5c70132e..98297627 100644 --- a/modules/subversion/templates/restricted_to_user +++ b/modules/subversion/templates/restricted_to_user @@ -6,7 +6,7 @@ TXN="$2" author=$(svnlook author -t "$TXN" "$REP") if [ "$author" != '<%= restricted_to_user %>' ]; then - echo "this repository is restrected to user <%= restricted_to_user %>" >&2 + echo "this repository is restricted to user <%= restricted_to_user %>" >&2 exit 1 fi diff --git a/modules/sympa/manifests/list.pp b/modules/sympa/manifests/list.pp index c45355f0..205d2719 100644 --- a/modules/sympa/manifests/list.pp +++ b/modules/sympa/manifests/list.pp @@ -7,7 +7,8 @@ define sympa::list( $subject, $sender_ldap_group = false, $subscriber_ldap_group = false, $public_archive = true, - $subscription_open = false) { + $subscription_open = false, + $critical = false) { include sympa::variable $ldap_password = extlookup('sympa_ldap','x') diff --git a/modules/sympa/manifests/list/announce.pp b/modules/sympa/manifests/list/announce.pp index 05445ff5..2dd1c647 100644 --- a/modules/sympa/manifests/list/announce.pp +++ b/modules/sympa/manifests/list/announce.pp @@ -6,7 +6,8 @@ define sympa::list::announce($subject, $sender_ldap_group = false, $subscriber_ldap_group = false, $language = 'en', - $topics = false) { + $topics = false, + $critical = false) { list { $name: subject => $subject, language => $language, 
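Review bot: The new `$critical` parameter of `sympa::list` has no documentation; from templates/config in this commit it forces `web_access private` and adds `info conceal`, `subscribe auth owner`, `unsubscribe auth_notify` and `invite owner`. Add a comment above the define such as `# critical: conceal the list, keep the archive private and require owner approval to subscribe`, and say that it overrides `$public_archive`. `sympa::list::announce` gains the same parameter in this commit, while `sympa::list::public` does not pass it, so the comment should also say which wrappers support it. The define's body continues outside the hunk.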
@@ -15,5 +16,6 @@ define sympa::list::announce($subject, sender_email => $sender_email, sender_ldap_group => $sender_ldap_group, subscriber_ldap_group => $subscriber_ldap_group, + critical => $critical } } diff --git a/modules/sympa/manifests/list/public.pp b/modules/sympa/manifests/list/public.pp index f0062665..7b97534a 100644 --- a/modules/sympa/manifests/list/public.pp +++ b/modules/sympa/manifests/list/public.pp @@ -2,12 +2,14 @@ # reply_to is set to the list define sympa::list::public($subject, $language = 'en', - $topics = false) { + $topics = false, + $sender_email = false) { include sympa::variable list { $name: subject => $subject, language => $language, topics => $topics, + sender_email => $sender_email, sender_subscriber => true, reply_to => "${name}@${sympa::variable::vhost}", } diff --git a/modules/sympa/manifests/server.pp b/modules/sympa/manifests/server.pp index b43e1077..bcdda789 100644 --- a/modules/sympa/manifests/server.pp +++ b/modules/sympa/manifests/server.pp @@ -10,12 +10,17 @@ class sympa::server( 'perl-CGI-Fast', 'perl-Socket6']: } - # sympa script start 5 differents script, I am not + # sympa script starts 5 different scripts; I am not # sure that puppet will correctly handle this service { 'sympa': subscribe => [ Package['sympa'], File['/etc/sympa/sympa.conf']] } + service { 'sympa-outgoing': + ensure => running, + require => Service['sympa'] + } + $pgsql_password = extlookup('sympa_pgsql','x') $ldap_password = extlookup('sympa_ldap','x') @@ -30,8 +35,8 @@ class sympa::server( $vhost = $sympa::variable::vhost file { '/etc/sympa/sympa.conf': - # should be cleaner to have it root owned, but puppet do not support acl - # and in any case, config will be reset if it change + # should be cleaner to have it root owned, but puppet does not support acls + # and in any case, config will be reset if it changes owner => 'sympa', group => 'apache', mode => '0640', 
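Review bot: The new `service { 'sympa-outgoing': ... }` resource in `server.pp` only carries `require => Service['sympa']`, so it is ordered after `sympa` but is never refreshed when `/etc/sympa/sympa.conf` or the package changes. The `sympa` service directly above it subscribes to both. If the outgoing daemon reads the same configuration (likely, but its unit is not shown here), a config change pushed by puppet would leave it running with the old settings until someone restarts it by hand. I would add `subscribe => [ Package['sympa'], File['/etc/sympa/sympa.conf']],` and end the `require` line with a comma. The class body continues outside the hunk.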
diff --git a/modules/sympa/templates/config b/modules/sympa/templates/config index ccf2fff9..4262f3ca 100644 --- a/modules/sympa/templates/config +++ b/modules/sympa/templates/config @@ -2,7 +2,7 @@ archive period month mail_access owner -<%- if public_archive -%> +<%- if public_archive and not @critical -%> web_access public <%- else -%> web_access private @@ -38,6 +38,16 @@ subject <%= subject %> custom_subject <%= custom_subject %> +<%- if @critical -%> +info conceal + +subscribe auth owner + +unsubscribe auth_notify + +invite owner +<% end %> + lang <%= language %> owner diff --git a/modules/sympa/templates/sympa.conf b/modules/sympa/templates/sympa.conf index eff7749b..edfaba15 100644 --- a/modules/sympa/templates/sympa.conf +++ b/modules/sympa/templates/sympa.conf @@ -409,7 +409,7 @@ bounce_path /var/lib/sympa/bounce ## prevented. arc_path /var/lib/sympa/arc -###\\\\ Miscelaneous ////### +###\\\\ Miscellaneous ////### ## Local part of Sympa email address ## Local part (the part preceding the "@" sign) of the address by which mail @@ -496,7 +496,7 @@ review_page_size 25 ## page. viewlogs_page_size 25 -###\\\\ Web interface parameters: Miscelaneous ////### +###\\\\ Web interface parameters: Miscellaneous ////### ## HTTP cookies validity domain ## If beginning with a dot ("."), the cookie is available within the specified diff --git a/modules/transifex/templates/20-engines.conf b/modules/transifex/templates/20-engines.conf index 6523dfd4..620a9556 100644 --- a/modules/transifex/templates/20-engines.conf +++ b/modules/transifex/templates/20-engines.conf 
@@ -9,8 +9,8 @@ DATABASE_ENGINE = 'postgresql_psycopg2' DATABASE_NAME = 'transifex' # The following are not used for sqlite3 DATABASE_USER = 'transifex' -DATABASE_PASSWORD = '<%= pgsql_password %>' -DATABASE_HOST = 'pgsql.<%= domain %>' # Set to empty string for local socket +DATABASE_PASSWORD = '<%= @pgsql_password %>' +DATABASE_HOST = 'pgsql.<%= @domain %>' # Set to empty string for local socket DATABASE_PORT = '' # Set to empty string for default ## Caching (optional) diff --git a/modules/transifex/templates/30-site.conf b/modules/transifex/templates/30-site.conf index 4d4e9e4c..3c386354 100644 --- a/modules/transifex/templates/30-site.conf +++ b/modules/transifex/templates/30-site.conf @@ -1,7 +1,7 @@ # Sites SITE_ID = 1 # Your site's domain. This is used only in this file. -SITE_DOMAIN = '<%= domain %>' +SITE_DOMAIN = '<%= @domain %>' ADMINS = ( # ('Your Name', 'your_email@domain.com'), diff --git a/modules/transifex/templates/45-ldap.conf b/modules/transifex/templates/45-ldap.conf index dd215dc9..2532edf5 100644 --- a/modules/transifex/templates/45-ldap.conf +++ b/modules/transifex/templates/45-ldap.conf 
@@ -17,16 +17,16 @@ from django_auth_ldap.config import LDAPSearch, GroupOfNamesType # Baseline configuration. -AUTH_LDAP_SERVER_URI = "ldap://ldap.<%= domain %> ldap://ldap-slave-1.<%= domain %>" +AUTH_LDAP_SERVER_URI = "ldap://ldap.<%= @domain %> ldap://ldap-slave-1.<%= @domain %>" -AUTH_LDAP_BIND_DN = "cn=transifex-<%= hostname %>,ou=System Accounts,<%= dc_suffix %>" -AUTH_LDAP_BIND_PASSWORD = "<%= ldap_password %>" +AUTH_LDAP_BIND_DN = "cn=transifex-<%= @hostname %>,ou=System Accounts,<%= @dc_suffix %>" +AUTH_LDAP_BIND_PASSWORD = "<%= @ldap_password %>" -AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=People,<%= dc_suffix %> ", +AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=People,<%= @dc_suffix %> ", ldap.SCOPE_SUBTREE, "(|(uid=%(user)s)(mail=%(user)s))") # Set up the basic group parameters. -AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=Group,<%= dc_suffix %>", +AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=Group,<%= @dc_suffix %>", ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)" ) AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn") @@ -42,7 +42,7 @@ AUTH_LDAP_USER_ATTR_MAP = { } AUTH_LDAP_USER_FLAGS_BY_GROUP = { - "is_active": "cn=mga-i18n,ou=Group,<%= dc_suffix %>", - "is_staff": "cn=mga-i18n-committers,ou=Group,<%= dc_suffix %>", - "is_superuser": "cn=mga-sysadmin,ou=Group,<%= dc_suffix %>" + "is_active": "cn=mga-i18n,ou=Group,<%= @dc_suffix %>", + "is_staff": "cn=mga-i18n-committers,ou=Group,<%= @dc_suffix %>", + "is_superuser": "cn=mga-sysadmin,ou=Group,<%= @dc_suffix %>" } diff --git a/modules/transifex/templates/50-project.conf b/modules/transifex/templates/50-project.conf index 17281d9a..013741b2 100644 --- a/modules/transifex/templates/50-project.conf +++ b/modules/transifex/templates/50-project.conf @@ -40,7 +40,7 @@ MIDDLEWARE_CLASSES = [ ROOT_URLCONF = 'urls' TEMPLATE_DIRS = [ - '<%= templates_dir %>', + '<%= @templates_dir %>', os.path.join(TX_ROOT, 'templates'), ] 
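Review bot: `AUTH_LDAP_SERVER_URI` in the first hunk still uses plain `ldap://` for both servers, and the next lines send a bind DN and `AUTH_LDAP_BIND_PASSWORD` over that connection. Unless StartTLS is enabled outside this hunk, the service-account password and every user's login password cross the network unencrypted. django-auth-ldap provides `AUTH_LDAP_START_TLS = True` for this, or the URIs can move to `ldaps://` if the servers listen on it, with certificate validation left on in either case. Since these lines are being touched anyway, I would add `AUTH_LDAP_START_TLS = True` below the URI, or a comment saying where TLS is configured if it already is. The file continues on both sides of the hunk, so this may already be handled elsewhere.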
diff --git a/modules/viewvc/files/robots.txt b/modules/viewvc/files/robots.txt index 416168b6..dbb13834 100644 --- a/modules/viewvc/files/robots.txt +++ b/modules/viewvc/files/robots.txt @@ -8,6 +8,7 @@ User-agent: ClaudeBot User-agent: Amazonbot User-agent: PetalBot User-agent: Bytespider +User-agent: facebookexternalhit Disallow: /*/tags/ Disallow: *?view=annotate* Disallow: *?annotate=* diff --git a/modules/viewvc/files/setcookieredirect.html b/modules/viewvc/files/setcookieredirect.html new file mode 100644 index 00000000..fe98b9dc --- /dev/null +++ b/modules/viewvc/files/setcookieredirect.html @@ -0,0 +1,28 @@ +<!DOCTYPE html> +<html> + <head> + <title>User check</title> + <script type="text/javascript" defer> + const randomValue = "6436"; // Chosen by fair dice roll. Guaranteed to be random. + document.cookie = `session=${randomValue}; path=/; expires=${new Date(Date.now() + 24*3600*1000).toUTCString()}`; + const params = new Proxy(new URLSearchParams(window.location.search), { + get: (searchParams, prop) => searchParams.get(prop), + }); + let path = params.to; + // Sanitize redirect path to avoid malicious arbitrary redirects + if (/^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(decodeURIComponent(path))) { + const current = new URL(window.location.toLocaleString()); + window.location.href = encodeURI(current.origin + decodeURIComponent(path)); + } else { + window.onload = function() { + document.getElementById('error').innerHTML = 'Error! Bad redirect location!'; + } + } + </script> + </head> + <body> + Redirecting back... + <br> + <p id="error"><!-- space for error message --></p> + </body> +</html> diff --git a/modules/viewvc/manifests/init.pp b/modules/viewvc/manifests/init.pp index 99acec90..e1d336c9 100644 --- a/modules/viewvc/manifests/init.pp +++ b/modules/viewvc/manifests/init.pp 
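Review bot: In the new `setcookieredirect.html` script, `params.to` has already been percent-decoded by `URLSearchParams.get`, so both `decodeURIComponent(path)` calls decode it a second time. A value with a stray `%` makes them throw `URIError` before either branch runs, leaving the visitor on "Redirecting back..." with no error text. I would validate and use the value as it is: `if (typeof path === 'string' && /^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(path))` followed by `window.location.href = window.location.origin + path;`, which also drops the `toLocaleString()` and `encodeURI` detour. This assumes whatever sends clients here encodes `to` exactly once, and that rule is not part of this diff. It is prefixing the origin that keeps the target on the same host, because the regex alone still admits paths beginning with `//`, so a comment saying that would protect the property in later edits. The cookie string would also be better with `; SameSite=Lax`, plus `; Secure` if the vhost is HTTPS-only.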
@@ -40,9 +40,18 @@ class viewvc { source => 'puppet:///modules/viewvc/robots.txt', } + file { "$viewvc_docroot/setcookieredirect.html": + ensure => present, + mode => '0644', + owner => root, + group => root, + source => 'puppet:///modules/viewvc/setcookieredirect.html', + } + $vhost_aliases = { '/viewvc' => $viewvc_docroot, '/robots.txt' => $robotsfile, + '/_check' => "$viewvc_docroot/setcookieredirect.html", } $script_aliases = { diff --git a/modules/viewvc/templates/viewvc.conf b/modules/viewvc/templates/viewvc.conf index 920aa9ed..dec74771 100644 --- a/modules/viewvc/templates/viewvc.conf +++ b/modules/viewvc/templates/viewvc.conf @@ -113,7 +113,7 @@ ## repositories may reside. Rather than force you to add a new entry ## to 'cvs_roots' or 'svn_roots' each time you create a new repository, ## ViewVC rewards you for organising all your repositories under a few -## parent directories by allowing you to simply specifiy just those +## parent directories by allowing you to simply specify just those ## parent directories. ViewVC will then notice each repository in that ## directory as a new root whose name is the subdirectory of the parent ## path in which that repository lives. @@ -326,7 +326,7 @@ mime_types_files = /etc/viewvc/mimetypes.conf, /etc/httpd/conf/mime.types #checkout_magic = 0 ## allowed_views: List the ViewVC views which are enabled. Views not -## in this comma-delited list will not be served (or, will return an +## in this comma-delimited list will not be served (or, will return an ## error on attempted access). ## Possible values: "annotate", "co", "diff", "markup", "roots", "tar" ## @@ -484,7 +484,7 @@ http_expiration_time = 600 ## #hr_funout = 0 -## hr_ignore_white: Ignore whitespace (indendation and stuff) for human +## hr_ignore_white: Ignore whitespace (indentation and stuff) for human ## readable diffs. ## ('-w' option to diff) ## 
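Review bot: The path `"$viewvc_docroot/setcookieredirect.html"` is spelled out twice in the `init.pp` hunk, once as the `file` title and once in `$vhost_aliases`, and it uses unbraced interpolation where other manifests in this diff use `${...}`. The neighbouring robots entry goes through `$robotsfile`. I would do the same here, e.g. `$checkfile = "${viewvc_docroot}/setcookieredirect.html"`, and use `$checkfile` in both places so the alias cannot drift from the deployed file. A one-line comment above the `/_check` alias saying which rule sends clients there would also help, since that rule is not in this hunk. The class body continues outside the hunk.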
@@ -650,7 +650,7 @@ log_pagesize = 100 ## directory specified by the "template_dir" configuration option (see ## the documentation for that option for details). But if you want to ## use a different template for a particular view, simply uncomment the -## appropriate option below and specify the currect location of the EZT +## appropriate option below and specify the correct location of the EZT ## template file you wish to use for that view. ## ## Templates are specified relative to the configured template diff --git a/modules/xinetd/templates/port_forward b/modules/xinetd/templates/port_forward index 1b76b0e1..99518dcd 100644 --- a/modules/xinetd/templates/port_forward +++ b/modules/xinetd/templates/port_forward @@ -1,15 +1,15 @@ -service <%= name %> +service <%= @name %> { disable = no type = UNLISTED -<%- if proto == 'tcp' -%> +<%- if @proto == 'tcp' -%> socket_type = stream <%- else -%> socket_type = dgram <%- end -%> - protocol = <%= proto %> + protocol = <%= @proto %> user = nobody wait = no - redirect = <%= target_ip %> <%= target_port %> - port = <%= port %> + redirect = <%= @target_ip %> <%= @target_port %> + port = <%= @port %> } diff --git a/modules/xymon/manifests/client.pp b/modules/xymon/manifests/client.pp index 890430c6..cfde8134 100644 --- a/modules/xymon/manifests/client.pp +++ b/modules/xymon/manifests/client.pp @@ -1,11 +1,7 @@ class xymon::client { package { 'xymon-client': } - if versioncmp($::lsbdistrelease, '5') < 0 { - $service = 'xymon-client' - } else { - $service = 'xymon' - } + $service = 'xymon' service { $service: hasstatus => false, @@ -13,7 +9,7 @@ class xymon::client { require => Package['xymon-client'], } - # TODO replace with a exported ressource + # TODO replace with a exported resource $server = extlookup('hobbit_server','x') file { '/etc/sysconfig/xymon-client': content => template('xymon/xymon-client'), diff --git a/modules/xymon/manifests/server.pp b/modules/xymon/manifests/server.pp index dff50430..b6c269cf 100644 
--- a/modules/xymon/manifests/server.pp +++ b/modules/xymon/manifests/server.pp @@ -1,36 +1,18 @@ class xymon::server { package { ['xymon','fping']: } - if versioncmp($::lsbdistrelease, '5') < 0 { - service { 'xymon': - hasstatus => false, - status => "su xymon -c '${::lib_dir}/xymon/server/hobbit.sh status'", - require => Package['xymon'], - } - } - File { group => 'xymon', require => Package['xymon'], notify => Exec['service xymon reload'], } - if versioncmp($::lsbdistrelease, '5') < 0 { - file { - # Define hosts and web view layout, and lists tests to be run against - # host by e.g. network tests from xymon server - '/etc/xymon/bb-hosts': - content => template('xymon/bb-hosts'); - } - } else { - file { - # Define hosts and web view layout, and lists tests to be run against - # host by e.g. network tests from xymon server - '/etc/xymon/hosts.cfg': - content => template('xymon/bb-hosts'); - } - } file { + # Define hosts and web view layout, and lists tests to be run against + # host by e.g. network tests from xymon server + '/etc/xymon/hosts.cfg': + content => template('xymon/bb-hosts'); + # Environment variables user by hobbitd,hobbitlaunch,hobbitd_rrd,CGIs # and bbgen (which generates the static html pages) # hobbitlaunch (started by init script) may need to be restarted for diff --git a/modules/xymon/templates/bb-hosts b/modules/xymon/templates/bb-hosts index 7a3489dc..140932b5 100644 --- a/modules/xymon/templates/bb-hosts +++ b/modules/xymon/templates/bb-hosts 
@@ -13,22 +13,23 @@ # You need to define at least the Xymon server itself here. page visible Visible Services -0.0.0.0 blog.<%= domain %> # http://blog.<%= domain %> +0.0.0.0 blog.<%= domain %> # sni https://blog.<%= domain %>/en/ 0.0.0.0 identity.<%= domain %> # https://identity.<%= domain %> 0.0.0.0 bugs.<%= domain %> # https://bugs.<%= domain %> 0.0.0.0 ml.<%= domain %> # https://ml.<%= domain %> -0.0.0.0 www.<%= domain %> # http://www.<%= domain %> -0.0.0.0 svnweb.<%= domain %> # http://svnweb.<%= domain %> +0.0.0.0 www.<%= domain %> # https://www.<%= domain %> +0.0.0.0 svnweb.<%= domain %> # https://svnweb.<%= domain %> 0.0.0.0 epoll.<%= domain %> # https://epoll.<%= domain %> -0.0.0.0 planet.<%= domain %> # http://planet.<%= domain %> +0.0.0.0 planet.<%= domain %> # sni https://planet.<%= domain %>/en/ # This checks the public reverse proxy 0.0.0.0 forums.<%= domain %> # sni https://forums.<%= domain %>=<%= @nodes_ipaddr['sucuk']['ipv4'] %>/ -0.0.0.0 check.<%= domain %> # http://check.<%= domain %> -0.0.0.0 pkgsubmit.<%= domain %> # http://pkgsubmit.<%= domain %> -0.0.0.0 bcd.<%= domain %> # http://bcd.<%= domain %> +0.0.0.0 check.<%= domain %> # https://check.<%= domain %> +0.0.0.0 madb.<%= domain %> # https://madb.mageia.org +0.0.0.0 pkgsubmit.<%= domain %> # sni https://pkgsubmit.<%= domain %> +#0.0.0.0 bcd.<%= domain %> # http://bcd.<%= domain %> 0.0.0.0 hugs.<%= domain %> # http://hugs.<%= domain %> 0.0.0.0 dashboard.<%= domain %> # http://dashboard.<%= domain %> -0.0.0.0 meetbot.<%= domain %> # http://meetbot.<%= domain %> +0.0.0.0 meetbot.<%= domain %> # sni https://meetbot.<%= domain %> page servers Servers @@ -44,3 +45,8 @@ group-compress VM Sucuk group-compress Scaleway 163.172.148.228 neru.mageia.org # testip ssh dns ldap ldapssl smtp +163.172.201.211 madb.mageia.org # testip + +# NOTE: lines with IPv6 addresses are ignored in xymon versions before 4.4 or 5.0 +group-compress Oracle cloud +2603:c026:c101:f00::1:1 ociaa1.<%= domain %> # testip ssh 
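Review bot: The added `madb` line in the first `bb-hosts` hunk hard-codes its check URL as `https://madb.mageia.org`, while every other entry in that block builds the URL from the template's domain variable. If the template is rendered for another domain, the host column and the URL being probed would disagree. I would write `0.0.0.0 madb.<%= domain %> # https://madb.<%= domain %>`. Separately, `hugs` and `dashboard` stay on `http://` while their neighbours move to `https://`; if that is deliberate, a short comment on those lines would say so.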
diff --git a/modules/xymon/templates/hobbit-alerts.cfg b/modules/xymon/templates/hobbit-alerts.cfg index 10906fe8..763e253d 100644 --- a/modules/xymon/templates/hobbit-alerts.cfg +++ b/modules/xymon/templates/hobbit-alerts.cfg @@ -74,10 +74,10 @@ # TIME - rule matching an alert by the time-of-day. This # is specified as the DOWNTIME timespecification # in the bb-hosts file (see bb-hosts(5)). -# DURATION - Rule matcing an alert if the event has lasted +# DURATION - Rule matching an alert if the event has lasted # longer/shorter than the given duration. E.g. # DURATION>10 (lasted longer than 10 minutes) or -# DURARION<30 (only sends alerts the first 30 minutes). +# DURATION<30 (only sends alerts the first 30 minutes). # RECOVERED - Rule matches if the alert has recovered from an # alert state. # NOTICE - Rule matches if the message is a "notify" message diff --git a/modules/xymon/templates/hobbit-clients.cfg b/modules/xymon/templates/hobbit-clients.cfg index 8460280d..ff010681 100644 --- a/modules/xymon/templates/hobbit-clients.cfg +++ b/modules/xymon/templates/hobbit-clients.cfg @@ -102,7 +102,7 @@ # show up in the "ps" listing as a command. The scanner will find # a ps-listing of e.g. "/usr/sbin/cron" if you only specify "processname" # as "cron". -# "processname" can also be a Perl-compatiable regular expression, e.g. +# "processname" can also be a Perl-compatible regular expression, e.g. # "%java.*inst[0123]" can be used to find entries in the ps-listing for # "java -Xmx512m inst2" and "java -Xmx256 inst3". In that case, # "processname" must begin with "%" followed by the reg.expression. 
@@ -253,7 +253,7 @@ # the output from netstat. This is typically "10.0.0.1:80" for the IP # 10.0.0.1, port 80. Or "*:80" for any local address, port 80. # NB: The Xymon clients normally report only the numeric data for -# IP-adresses and port-numbers, so you must specify the port +# IP-addresses and port-numbers, so you must specify the port # number (e.g. "80") instead of the service name ("www"). # "state" causes only the sockets in the specified state to be included; # it is usually LISTEN or ESTABLISHED. @@ -265,7 +265,7 @@ # # "addr" and "state" can be a simple strings, in which case these string must # show up in the "netstat" at the appropriate column. -# "addr" and "state" can also be a Perl-compatiable regular expression, e.g. +# "addr" and "state" can also be a Perl-compatible regular expression, e.g. # "LOCAL=%(:80|:443)" can be used to find entries in the netstat local port for # both http (port 80) and https (port 443). In that case, portname or state must # begin with "%" followed by the reg.expression. diff --git a/modules/xymon/templates/xymon-client b/modules/xymon/templates/xymon-client index 6bbdd836..e846d2a5 100644 --- a/modules/xymon/templates/xymon-client +++ b/modules/xymon/templates/xymon-client 
@@ -2,23 +2,18 @@ # You MUST set the list of Hobbit servers that this # client reports to. -# It is good to use IP-adresses here instead of DNS +# It is good to use IP-addresses here instead of DNS # names - DNS might not work if there's a problem. # # E.g. (a single Hobbit server) -# HOBBITSERVERS="192.168.1.1" +# HOBBITSERVERS="192.168.1.1" # or (multiple servers) -# HOBBITSERVERS="10.0.0.1 192.168.1.1" - -<% if scope.function_versioncmp([lsbdistrelease, '5']) >= 0 %> +# HOBBITSERVERS="10.0.0.1 192.168.1.1" XYMONSERVERS="<%= server %>" -<% else %> -HOBBITSERVERS="<%= server %>" -<% end %> -# The defaults usually suffice for the rest of this file, -# but you can tweak the hostname that the client reports -# data with, and the OS name used (typically needed only on +# The defaults usually suffice for the rest of this file, +# but you can tweak the hostname that the client reports +# data with, and the OS name used (typically needed only on # RHEL or RHAS servers). # CLIENTHOSTNAME="" diff --git a/modules/youri-check/manifests/init.pp b/modules/youri-check/manifests/init.pp index aef33d17..d83ba1a6 100644 --- a/modules/youri-check/manifests/init.pp +++ b/modules/youri-check/manifests/init.pp @@ -40,9 +40,9 @@ class youri-check { $pgsql_server = $base::pgsql_server $pgsql_user = "youri${version}" $pgsql_password = extlookup('youri_pgsql','x') - # We want to alert to packages older than last mass rebuild - # 1646092800 is 2022-03-01 (get it with "TZ=UTC date -d2022-03-01 +%s") - $max_days = (time() - 1646092800)/(24*3600) + # We want to alert for packages older than the cut-off for latest mass rebuild + # 1745539200 is 2025-04-25 + $max_days = (time() - 1745539200)/(24*3600) file { "${config}": ensure => present, diff --git a/modules/youri-check/templates/cauldron.conf b/modules/youri-check/templates/cauldron.conf index 651da40c..aeace447 100644 --- a/modules/youri-check/templates/cauldron.conf +++ b/modules/youri-check/templates/cauldron.conf 
@@ -122,17 +122,27 @@ tests: options: aliases: authd: ~ + basesystem: ~ + bash: ~ + freetype: ~ + freetype2: freetype gle: ~ gtksourceview-sharp: ~ - sqlite: sqlite2 - OpenIPMI: OpenIPMI2 + modemmanager: ModemManager + netcat-openbsd: netcat + networkmanager: NetworkManager + networkmanager-applet: network-manager-applet + networkmanager-fortisslvpn: NetworkManager-fortisslvpn + networkmanager-l2tp: NetworkManager-l2tp + networkmanager-libreswan: NetworkManager-libreswan + networkmanager-openconnect: NetworkManager-openconnect + networkmanager-openvpn: NetworkManager-openvpn + networkmanager-pptp: NetworkManager-pptp + networkmanager-vpnc: NetworkManager-vpnc ocaml-lablgtk: ~ ocaml-lablgtk2: ocaml-lablgtk - netcat-openbsd: netcat - freetype: ~ - freetype2: freetype - bash: ~ - basesystem: ~ + OpenIPMI: OpenIPMI2 + sqlite: sqlite2 gentoo: order: 1 class: Youri::Check::Test::Updates::Source::Gentoo 
@@ -166,31 +176,43 @@ tests: gnome: order: 1 class: Youri::Check::Test::Updates::Source::GNOME - url: https://download.gnome.org/sources/ options: + url: https://download.gnome.org/sources/ aliases: + acme: ~ GConf: ~ GConf2: GConf + gcr: ~ + gcr4: gcr + gdk-pixbuf2.0: gdk-pixbuf glib: ~ glib2.0: glib - glibmm: ~ - glibmm2.4: glibmm - gnome-desktop: ~ - gnome-desktop3: gnome-desktop - goocanvas: ~ - goocanvas2: goocanvas - gtkhtml: ~ - gtkhtml4: gtkhtml + glibmm2.4: ~ + goocanvas2: ~ + gtkmm-documentation3.0: ~ + gtkmm: ~ + gtkmm2.4: ~ + gtkmm3.0: ~ + gtkmm4.0: gtkmm + gtksourceviewmm3.0: ~ gtk: ~ gtk+2.0: ~ - gtk+3.0: gtk - libgda: ~ - libgda4.0: ~ - libgda5.0: libgda - libunique: ~ - libunique3: libunique - libwnck: ~ - libwnck3: libwnck + gtk+3.0: ~ + gtk4.0: gtk + modemmanager: ModemManager + networkmanager: NetworkManager + networkmanager-applet: network-manager-applet + networkmanager-fortisslvpn: NetworkManager-fortisslvpn + networkmanager-l2tp: NetworkManager-l2tp + networkmanager-libreswan: NetworkManager-libreswan + networkmanager-openconnect: NetworkManager-openconnect + networkmanager-openvpn: NetworkManager-openvpn + networkmanager-pptp: NetworkManager-pptp + networkmanager-vpnc: NetworkManager-vpnc + notify-sharp: ~ + notify-sharp3: notify-sharp + pango: ~ + pango2.0: pango netbsd: order: 1 class: Youri::Check::Test::Updates::Source::NetBSD 
@@ -217,18 +239,27 @@ tests: options: aliases: authd: ~ + basesystem: ~ + bash: ~ + freetype: ~ + freetype2: freetype gle: ~ gtksourceview-sharp: ~ - sqlite: sqlite2 - OpenIPMI: OpenIPMI2 + modemmanager: ModemManager + netcat-openbsd: netcat + networkmanager: NetworkManager + networkmanager-applet: network-manager-applet + networkmanager-fortisslvpn: NetworkManager-fortisslvpn + networkmanager-l2tp: NetworkManager-l2tp + networkmanager-libreswan: NetworkManager-libreswan + networkmanager-openconnect: NetworkManager-openconnect + networkmanager-openvpn: NetworkManager-openvpn + networkmanager-pptp: NetworkManager-pptp + networkmanager-vpnc: NetworkManager-vpnc ocaml-lablgtk: ~ ocaml-lablgtk2: ocaml-lablgtk - netcat-openbsd: netcat - freetype: ~ - freetype2: freetype - bash: ~ - basesystem: ~ - + OpenIPMI: OpenIPMI2 + sqlite: sqlite2 updates_gnome: class: Youri::Check::Test::Updates options: 
@@ -236,33 +267,43 @@ tests: gnome: order: 1 class: Youri::Check::Test::Updates::Source::GNOME - url: https://download.gnome.org/sources/ options: + url: https://download.gnome.org/sources/ aliases: + acme: ~ GConf: ~ GConf2: GConf + gcr: ~ + gcr4: gcr + gdk-pixbuf2.0: gdk-pixbuf glib: ~ glib2.0: glib - glibmm: ~ - glibmm2.4: glibmm - gnome-desktop: ~ - gnome-desktop3: gnome-desktop - goocanvas: ~ - goocanvas2: goocanvas - gtkhtml: ~ - gtkhtml4: gtkhtml + glibmm2.4: ~ + goocanvas2: ~ + gtkmm-documentation3.0: ~ + gtkmm: ~ + gtkmm2.4: ~ + gtkmm3.0: ~ + gtkmm4.0: gtkmm + gtksourceviewmm3.0: ~ gtk: ~ gtk+2.0: ~ - gtk+3.0: gtk - libgda: ~ - libgda4.0: ~ - libgda5.0: libgda - libunique: ~ - libunique3: libunique - libwnck: ~ - libwnck3: libwnck - vte: ~ - vte3: vte + gtk+3.0: ~ + gtk4.0: gtk + modemmanager: ModemManager + networkmanager: NetworkManager + networkmanager-applet: network-manager-applet + networkmanager-fortisslvpn: NetworkManager-fortisslvpn + networkmanager-l2tp: NetworkManager-l2tp + networkmanager-libreswan: NetworkManager-libreswan + networkmanager-openconnect: NetworkManager-openconnect + networkmanager-openvpn: NetworkManager-openvpn + networkmanager-pptp: NetworkManager-pptp + networkmanager-vpnc: NetworkManager-vpnc + notify-sharp: ~ + notify-sharp3: notify-sharp + pango: ~ + pango2.0: pango build: class: Youri::Check::Test::Build options: |