Diffstat (limited to 'modules')
119 files changed, 878 insertions, 470 deletions
diff --git a/modules/apache/manifests/base.pp b/modules/apache/manifests/base.pp index 4e1d6ed4..1fbbc28c 100644 --- a/modules/apache/manifests/base.pp +++ b/modules/apache/manifests/base.pp @@ -24,6 +24,8 @@ class apache::base { "${conf_d}/customization.conf": content => template('apache/customization.conf'), require => Package[$apache::var::pkg_conf]; + "${conf_d}/info.conf": + content => template('apache/info.conf'); '/etc/httpd/conf/vhosts.d/00_default_vhosts.conf': content => template('apache/00_default_vhosts.conf'), require => Package[$apache::var::pkg_conf]; diff --git a/modules/apache/manifests/cve-2011-3192.pp b/modules/apache/manifests/cve-2011-3192.pp deleted file mode 100644 index 1e39ac04..00000000 --- a/modules/apache/manifests/cve-2011-3192.pp +++ /dev/null @@ -1,9 +0,0 @@ -class apache::cve-2011-3192 { - include apache::base - # temporary protection against CVE-2011-3192 - # https://httpd.apache.org/security/CVE-2011-3192.txt - apache::config { - "${apache::base::conf_d}/CVE-2011-3192.conf": - content => template('apache/CVE-2011-3192.conf'), - } -} diff --git a/modules/apache/manifests/mod/fcgid.pp b/modules/apache/manifests/mod/fcgid.pp index 6c815681..b8186a64 100644 --- a/modules/apache/manifests/mod/fcgid.pp +++ b/modules/apache/manifests/mod/fcgid.pp @@ -1,4 +1,11 @@ class apache::mod::fcgid { include apache::base package { 'apache-mod_fcgid': } + + file { 'urlescape': + path => '/usr/local/bin/urlescape', + mode => '0755', + notify => Service['apache'], + content => template('apache/urlescape'), + } } diff --git a/modules/apache/manifests/vhost/base.pp b/modules/apache/manifests/vhost/base.pp index 27a19998..48dc240e 100644 --- a/modules/apache/manifests/vhost/base.pp +++ b/modules/apache/manifests/vhost/base.pp @@ -1,5 +1,5 @@ define apache::vhost::base ($content = '', - $location = '/dev/null', + $location = '/var/www/empty', $use_ssl = false, $vhost = false, $aliases = {}, 
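Review bot: The added `"${conf_d}/info.conf"` entry in `apache::base` has no `require`, while the entries directly before and after it in the same resource block both declare `require => Package[$apache::var::pkg_conf]`. Unless the ordering is guaranteed elsewhere, the file may be written before the package that owns the directory is installed; ending the entry with `content => template('apache/info.conf'),` and `require => Package[$apache::var::pkg_conf];` keeps it in line with its neighbours. The resource block starts outside this hunk, so its type and defaults are not visible here.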
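Review bot: The new `file { 'urlescape': … }` resource in `apache::mod::fcgid` sets `mode => '0755'` but no owner or group, so the ownership of `/usr/local/bin/urlescape` is left to whatever the agent run produces. Apache runs `prg:` RewriteMap programs as the user that started httpd, normally root, so the script deserves explicit ownership: add `owner => 'root',` and `group => 'root',`. The script resources shown as context in the `mga_advisories` manifest of this same diff already spell out `owner => root, group => root, mode => '0755'`.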
diff --git a/modules/apache/manifests/vhost/catalyst_app.pp b/modules/apache/manifests/vhost/catalyst_app.pp index 1ce40747..1faab924 100644 --- a/modules/apache/manifests/vhost/catalyst_app.pp +++ b/modules/apache/manifests/vhost/catalyst_app.pp @@ -6,7 +6,9 @@ define apache::vhost::catalyst_app( $script, $vhost = false) { include apache::mod::fcgid if ($location) { - $aliases['/static'] = "${location}/root/static" + $allaliases = merge($aliases, {'/static' => "${location}/root/static"}) + } else { + $allaliases = $aliases } $script_aliases = { @@ -17,7 +19,7 @@ define apache::vhost::catalyst_app( $script, vhost => $vhost, use_ssl => $use_ssl, content => template('apache/vhost_fcgid.conf'), - aliases => $aliases, + aliases => $allaliases, } } diff --git a/modules/apache/templates/django.wsgi b/modules/apache/templates/django.wsgi index 2188e1e7..abbfecc5 100644 --- a/modules/apache/templates/django.wsgi +++ b/modules/apache/templates/django.wsgi @@ -1,6 +1,6 @@ #!/usr/bin/python import os, sys -<%- for m in module_path -%> +<%- for m in @module_path -%> path = '<%= m %>' if path not in sys.path: sys.path.append(path) diff --git a/modules/apache/templates/info.conf b/modules/apache/templates/info.conf new file mode 100644 index 00000000..1ca918ea --- /dev/null +++ b/modules/apache/templates/info.conf 
@@ -0,0 +1,38 @@ +# +# Get information about the requests being processed by the server +# and the configuration of the server. +# +# Required modules: mod_authz_core, mod_authz_host, +# mod_info (for the server-info handler), +# mod_status (for the server-status handler) + +# +# Allow server status reports generated by mod_status, +# with the URL of http://servername/server-status +# Allow access only from localhost + +<Location /server-status> + SetHandler server-status + Order deny,allow + Deny from all + Allow from 127 +</Location> + +# +# ExtendedStatus controls whether Apache will generate "full" status +# information (ExtendedStatus On) or just basic information (ExtendedStatus +# Off) when the "server-status" handler is called. The default is Off. +# +#ExtendedStatus On + +# +# Allow remote server configuration reports, with the URL of +# http://servername/server-info (requires that mod_info.c be loaded). +# Allow access only from localhost +# +<Location /server-info> + SetHandler server-info + Order deny,allow + Deny from all + Allow from 127 +</Location> diff --git a/modules/apache/templates/logrotate b/modules/apache/templates/logrotate index 4d90e47e..823989eb 100644 --- a/modules/apache/templates/logrotate +++ b/modules/apache/templates/logrotate @@ -4,7 +4,7 @@ daily <% elsif @hostname == 'friteuse' %> # The virtual disk is very small so keep log sizes down - rotate 52 + rotate 26 weekly <% elsif @hostname == 'sucuk' %> rotate 52 diff --git a/modules/apache/templates/urlescape b/modules/apache/templates/urlescape new file mode 100644 index 00000000..8feb7fa4 --- /dev/null +++ b/modules/apache/templates/urlescape @@ -0,0 +1,9 @@ +#!/usr/bin/python3 -u +# URL escape each path given on stdin +import sys +import urllib.parse +while True: + l = sys.stdin.readline() + if not l: + break + print(urllib.parse.quote(l.rstrip("\n"))) diff --git a/modules/apache/templates/vhost_fcgid.conf b/modules/apache/templates/vhost_fcgid.conf index 8fc8da5c..fefa4a49 100644 
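Review bot: The header of the new `info.conf` names mod_authz_core and mod_authz_host as required modules, but both `<Location>` blocks use `Order deny,allow`, `Deny from all` and `Allow from 127`, which on httpd 2.4 come from mod_access_compat instead. If the target servers run 2.4, replacing those three lines in each block with `Require local` matches the stated requirements, also covers `::1`, and avoids mixing the old and new access-control styles. Since `/server-info` exposes the full server configuration, it is also worth confirming that none of these hosts sits behind a local reverse proxy, where every request would appear to come from 127.0.0.1.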
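Review bot: The loop in `urlescape` has no protection against input that cannot be decoded: `sys.stdin.readline()` decodes each line as text and `urllib.parse.quote()` re-encodes it as strict UTF-8, so a query string holding bytes that are not valid UTF-8 can raise and end the process. Apache starts a `prg:` map program once and keeps talking to it, so an exit here would probably affect every later lookup, not just the one request. Working on bytes avoids this: `l = sys.stdin.buffer.readline()` and `print(urllib.parse.quote_from_bytes(l.rstrip(b"\n")))`.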
--- a/modules/apache/templates/vhost_fcgid.conf +++ b/modules/apache/templates/vhost_fcgid.conf @@ -4,29 +4,3 @@ AddHandler fcgid-script .pl <%- end -%> FcgidMinProcessesPerClass <%= @process %> FcgidIdleTimeout 30 - -# These robots were scraping the whole of svnweb in 2024-04, causing severe -# load, so they are banned. It's not clear whether they obey robots.txt or -# not (we didn't give them enough of a chance to find out), so we could -# consider giving them a chance to redeem themselves at some point in the -# future. -RewriteEngine on -RewriteCond %{HTTP_USER_AGENT} ClaudeBot|Amazonbot -RewriteRule . - [R=403,L] - -# Block expensive SVN operations on all common robots ("spider" covers a -# bunch). "Expensive" is considered to be most operations other than showing a -# directory or downloading a specific version of a file. -RewriteCond %{QUERY_STRING} pathrev=|annotate=|view=log|r1= -RewriteCond %{HTTP_USER_AGENT} "Googlebot|bingbot|Yahoo! Slurp|ClaudeBot|Amazonbot|YandexBot|SemrushBot|Barkrowler|DataForSeoBot|PetalBot|facebookexternalhit|GPTBot|ImagesiftBot|spider|Spider|iPod|Trident|Presto" -RewriteRule . - [R=403,L] - -# Block abusive spiders by IP address who don't identify themselves in the -# User-Agent: string -RewriteCond expr "-R '47.76.0.0/14' || -R '47.80.0.0/14' || -R '47.208.0.0/16' || -R '47.238.0.0/16' || -R '8.210.0.0/16' || -R '8.218.0.0/16'" -RewriteRule . - [R=403,L] - -RewriteCond %{QUERY_STRING} "sortby=.*view=(log|patch)" -RewriteRule . - [R=403,L] - -ErrorDocument 403 "<html><body>Impolite robots are not allowed</body></html>" diff --git a/modules/apache/templates/vhost_fcgid_norobot.conf b/modules/apache/templates/vhost_fcgid_norobot.conf new file mode 100644 index 00000000..1f354d6a --- /dev/null +++ b/modules/apache/templates/vhost_fcgid_norobot.conf 
@@ -0,0 +1,50 @@
+AddHandler fcgid-script .pl
+<%- @script_aliases.keys.sort {|a,b| a.size <=> b.size }.reverse.each do |key| -%>
+ ScriptAlias <%= key %> <%= @script_aliases[key] %>
+<%- end -%>
+FcgidMinProcessesPerClass <%= @process %>
+FcgidIdleTimeout 30
+
+# These robots were scraping the whole of svnweb in 2024-04, causing severe
+# load, so they are banned. It's not clear whether they obey robots.txt or
+# not (we didn't give them enough of a chance to find out), so we could
+# consider giving them a chance to redeem themselves at some point in the
+# future.
+RewriteEngine on
+RewriteCond %{HTTP_USER_AGENT} ClaudeBot|Amazonbot
+RewriteRule . - [R=403,L]
+
+# Block expensive SVN operations on all common robots ("spider" covers a
+# bunch). "Expensive" is considered to be most operations other than showing a
+# directory or downloading a specific version of a file.
+# Note: eliminating view=log and annotate= doesn't make much difference to the
+# CPU load when robots are hitting the server in real world operation.
+#RewriteCond %{QUERY_STRING} pathrev=|r1=
+# Treat anything other than a plain path as "expensive"
+RewriteCond %{QUERY_STRING} .
+RewriteCond %{HTTP_USER_AGENT} "Googlebot|GoogleOther|bingbot|Yahoo! Slurp|ClaudeBot|Amazonbot|YandexBot|SemrushBot|Barkrowler|DataForSeoBot|PetalBot|facebookexternalhit|GPTBot|ImagesiftBot|spider|Spider|iPod|Trident|Presto"
+RewriteRule . - [R=403,L]
+
+# Maat December 2025 - New DDOS attack using GET http(s):// as url
+RewriteEngine On
+RewriteCond %{THE_REQUEST} ^[A-Z]{3,7}\shttps?:// [NC]
+RewriteRule ^ - [F,L]
+
+# Only let expensive operations through when a cookie is set. If no cookie is
+# set, redirect to a page where it will be set using JavaScript and redirect
+# back. This will block requests from user agents that do not support
+# JavaScript, which includes many robots.
+RewriteMap urlescape prg:/usr/local/bin/urlescape +#RewriteCond %{QUERY_STRING} pathrev=|r1= +# Treat anything other than a plain path as "expensive" +RewriteCond %{QUERY_STRING} . +RewriteCond %{REQUEST_URI} !/_check +RewriteCond %{HTTP_COOKIE} !session=([^;]+) [novary] +RewriteRule . %{REQUEST_SCHEME}://%{SERVER_NAME}:%{SERVER_PORT}/_check?to=%{REQUEST_URI}?${urlescape:%{QUERY_STRING}} [R=302,L] + +# Block abusive spiders by IP address who don't identify themselves in the +# User-Agent: string +RewriteCond expr "-R '47.76.0.0/14' || -R '47.80.0.0/14' || -R '47.208.0.0/16' || -R '47.238.0.0/16' || -R '8.210.0.0/16' || -R '8.218.0.0/16' || -R '188.239.0.0/18' || -R '166.108.192.0/18' || -R '124.243.160.0/19' || -R '101.46.0.0/20'" +RewriteRule . - [R=403,L] + +ErrorDocument 403 "<html><body>Impolite robots are not allowed</body></html>" diff --git a/modules/auto_installation/templates/default b/modules/auto_installation/templates/default index a9ea8de3..50918e14 100644 --- a/modules/auto_installation/templates/default +++ b/modules/auto_installation/templates/default @@ -4,12 +4,12 @@ TIMEOUT 100 NOESCAPE 1 MENU SHIFTKEY 1 -MENU TITLE PXE Boot on <%= fqdn %> +MENU TITLE PXE Boot on <%= @fqdn %> LABEL local MENU LABEL Local localboot 0 -<% for m in menu_entries %> +<% for m in @menu_entries %> INCLUDE pxelinux.cfg/m/<%= m %> <% end %> diff --git a/modules/auto_installation/templates/menu b/modules/auto_installation/templates/menu index 3d0ce6fa..1b32ffb7 100644 --- a/modules/auto_installation/templates/menu +++ b/modules/auto_installation/templates/menu @@ -1,5 +1,5 @@ -LABEL <%= name %> +LABEL <%= @name %> MENU DEFAULT - MENU LABEL Install <%= label %> - kernel <%= kernel_path %> - append <%= append %> + MENU LABEL Install <%= @label %> + kernel <%= @kernel_path %> + append <%= @append %> diff --git a/modules/blog/manifests/init.pp b/modules/blog/manifests/init.pp index c89a8168..5d5337a7 100644 --- a/modules/blog/manifests/init.pp 
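Review bot: The cookie gate redirects to `/_check?to=%{REQUEST_URI}?${urlescape:%{QUERY_STRING}}`, and the `/_check` handler that consumes `to` is not part of this diff; it should only follow `to` values that are same-site paths (one leading `/`, no scheme or host), otherwise the redirect-back step becomes an open redirect. In the same rule `%{REQUEST_URI}` is inserted without going through `urlescape`, unlike the query string, so it is worth checking whether a path containing `&` or `#` cuts the `to` value short; `to=${urlescape:%{REQUEST_URI}}` would treat both parts alike. The comment above the rule could also state that `!session=([^;]+)` only tests for the presence of a `session=` value, so the gate sheds load but is not an access control. `RewriteEngine On` is also set twice in this file.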
+++ b/modules/blog/manifests/init.pp @@ -15,7 +15,7 @@ class blog { } class files_bots inherits base { -if versioncmp($::lsbdistrelease, '9') < 0 { +if versioncmp($facts['lsbdistrelease'], '9') < 0 { package { ['php-mysqlnd', 'php-ldap', 'unzip', diff --git a/modules/blog/templates/backup_blog-db.sh b/modules/blog/templates/backup_blog-db.sh index c497cb8f..f238f472 100755 --- a/modules/blog/templates/backup_blog-db.sh +++ b/modules/blog/templates/backup_blog-db.sh @@ -1,7 +1,7 @@ #!/bin/sh # Initialization -PATH_TO_FILE=${PATH_TO_FILE:-<%= blog_db_backupdir %>} +PATH_TO_FILE=${PATH_TO_FILE:-<%= @blog_db_backupdir %>} [ ! -f $PATH_TO_FILE/count ] && echo 0 > $PATH_TO_FILE/count COUNT=$(cat "$PATH_TO_FILE/count") # Backup each locale DB diff --git a/modules/blog/templates/backup_blog-files.sh b/modules/blog/templates/backup_blog-files.sh index e268ad2b..b8639014 100755 --- a/modules/blog/templates/backup_blog-files.sh +++ b/modules/blog/templates/backup_blog-files.sh @@ -1,7 +1,7 @@ #!/bin/bash # Initialization -PATH_TO_FILE=${PATH_TO_FILE:-<%= blog_files_backupdir %>} +PATH_TO_FILE=${PATH_TO_FILE:-<%= @blog_files_backupdir %>} [ ! -f $PATH_TO_FILE/count ] && echo 0 > $PATH_TO_FILE/count COUNT=$(cat "$PATH_TO_FILE/count") # Backup each locale @@ -12,7 +12,7 @@ do /bin/mkdir $PATH_TO_FILE/$locale fi # use relative paths to avoid "Removing leading `/' from member names'" warning - tar -C / -Jcf "$PATH_TO_FILE/$locale/$locale-$COUNT.tar.xz" "$(sed s,^/,, <<< "<%= blog_location %>/$locale")" + tar -C / -Jcf "$PATH_TO_FILE/$locale/$locale-$COUNT.tar.xz" "$(sed s,^/,, <<< "<%= @blog_location %>/$locale")" done # Check count file to have a week of backup in the directory if [ $COUNT -ne 6 ] diff --git a/modules/blog/templates/blogs_vhosts.conf b/modules/blog/templates/blogs_vhosts.conf index ff3c792f..5c1868bb 100644 --- a/modules/blog/templates/blogs_vhosts.conf +++ b/modules/blog/templates/blogs_vhosts.conf 
@@ -1,4 +1,4 @@ -<Directory <%= blog_location %> > +<Directory <%= @blog_location %> > Order deny,allow Allow from All AllowOverride All diff --git a/modules/blog/templates/check_new-blog-post.sh b/modules/blog/templates/check_new-blog-post.sh index f2089a52..59181184 100755 --- a/modules/blog/templates/check_new-blog-post.sh +++ b/modules/blog/templates/check_new-blog-post.sh @@ -34,7 +34,7 @@ if [ "$tmp_old" = "$tmp_new" ] then # Modification on latest post echo "YES - Modification" >> $PATH_TO_FILE"/last_check" - echo -e "The latest blog post has been modified and needs to be checked!\n\nTitle:\t$last_title\nAuthor:\t$last_creator\n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -r '<%= blog_newpost_email_from %>' -s "Modification of the latest entry on English Blog" <%= blog_newpost_email_to %> + echo -e "The latest blog post has been modified and needs to be checked!\n\nTitle:\t$last_title\nAuthor:\t$last_creator\n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -r '<%= @blog_newpost_email_from %>' -s "Modification of the latest entry on English Blog" <%= @blog_newpost_email_to %> echo $DATE else echo "NO" >> $PATH_TO_FILE"/last_check" @@ -42,7 +42,7 @@ if [ "$tmp_old" = "$tmp_new" ] else # New post to translate echo "YES - New entry" >> $PATH_TO_FILE"/last_check" - echo -e "A new blog post is waiting for translation:\n\nTitle:\t$last_title\nAuthor:\t$last_creator\n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -r '<%= blog_newpost_email_from %>' -s "New entry on English Blog" <%= blog_newpost_email_to %> + echo -e "A new blog post is waiting for translation:\n\nTitle:\t$last_title\nAuthor:\t$last_creator\n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -r '<%= @blog_newpost_email_from %>' -s "New entry on English Blog" <%= @blog_newpost_email_to %> echo $DATE fi diff --git a/modules/bugzilla/manifests/init.pp b/modules/bugzilla/manifests/init.pp index 5da26c07..e66ddf0e 100755 
--- a/modules/bugzilla/manifests/init.pp +++ b/modules/bugzilla/manifests/init.pp @@ -178,12 +178,13 @@ class bugzilla { mode => '0750', } - cron { 'collectstats': - command => "cd $bugzilla_location && ./collectstats.pl", - user => 'apache', - hour => 2, - minute => 30, - } +# Improper file permissions makes this fail, and nobody seems to care +# cron { 'collectstats': +# command => "cd $bugzilla_location && ./collectstats.pl", +# user => 'apache', +# hour => 2, +# minute => 30, +# } cron { 'clean-bug-user-last-visit': command => "cd $bugzilla_location && ./clean-bug-user-last-visit.pl", diff --git a/modules/bugzilla/templates/localconfig b/modules/bugzilla/templates/localconfig index 61935552..3f5b4a7e 100644 --- a/modules/bugzilla/templates/localconfig +++ b/modules/bugzilla/templates/localconfig @@ -64,7 +64,7 @@ $db_user = 'bugs'; # If you use apostrophe (') or a backslash (\) in your password, you'll # need to escape it by preceding it with a '\' character. (\') or (\) # (It is far simpler to just not use those characters.) -$db_pass = '<%= pgsql_password %>'; +$db_pass = '<%= @pgsql_password %>'; # Sometimes the database server is running on a non-standard port. If that's # the case for your database server, set this to the port number that your @@ -124,4 +124,4 @@ $diffpath = '/usr/bin'; # security features in Bugzilla, to protect against certain types of attacks. # A random string is generated by default. It's very important that this key # is kept secret. It also must be very long. -$site_wide_secret = '<%= bugzilla_secret_key %>'; +$site_wide_secret = '<%= @bugzilla_secret_key %>'; diff --git a/modules/bugzilla/templates/params b/modules/bugzilla/templates/params index 2e71a39d..a2561d6a 100644 --- a/modules/bugzilla/templates/params +++ b/modules/bugzilla/templates/params 
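Review bot: Commenting out `cron { 'collectstats': … }` only stops Puppet from managing the entry; on hosts where the job is already installed it stays in the `apache` crontab and keeps failing, unless cron resources are purged somewhere outside this hunk. To retire it, keep the resource with its title and `user => 'apache'` and add `ensure => absent,`, then delete the resource in a later commit. The new comment blames improper file permissions; naming the affected path there would help whoever picks this up.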
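Review bot: `$db_pass = '<%= @pgsql_password %>';` writes the secret verbatim into a single-quoted Perl string, and the file's own comment just above warns that `'` and `\` must be escaped. A password containing either character would produce a broken or altered `localconfig`; escaping in the template, for example `<%= @pgsql_password.gsub(/['\\]/) { |c| "\\#{c}" } %>`, removes that dependency on the secret's content. The same applies to `@bugzilla_secret_key` in the second hunk, to the `bugzilla_dev` copy of this template, and to `@ldap_password` in `templates/params` and `params.json`, where the JSON file needs `"` and `\` escaped instead.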
@@ -1,9 +1,9 @@ %param = ( - 'LDAPBaseDN' => 'ou=People,<%= dc_suffix %>', - 'LDAPbinddn' => 'cn=bugzilla-alamut,ou=System Accounts,<%= dc_suffix %>:<%= ldap_password %>', + 'LDAPBaseDN' => 'ou=People,<%= @dc_suffix %>', + 'LDAPbinddn' => 'cn=bugzilla-alamut,ou=System Accounts,<%= @dc_suffix %>:<%= @ldap_password %>', 'LDAPfilter' => '', 'LDAPmailattribute' => 'mail', - 'LDAPserver' => 'ldap.<%= domain %>', + 'LDAPserver' => 'ldap.<%= @domain %>', 'LDAPstarttls' => '1', 'LDAPuidattribute' => 'uid', 'RADIUS_NAS_IP' => '', @@ -45,7 +45,7 @@ 'emailregexp' => '^[\\w\\.\\+\\-=]+@[\\w\\.\\-]+\\.[\\w\\-]+$', 'emailregexpdesc' => 'A legal address must contain exactly one \'@\', and at least one \'.\' after the @.', 'emailsuffix' => '', - 'globalwatchers' => 'bugs@ml.<%= domain %>', + 'globalwatchers' => 'bugs@ml.<%= @domain %>', 'inbound_proxies' => '', 'insidergroup' => 'secteam', 'letsubmitterchoosemilestone' => 1, @@ -53,8 +53,8 @@ 'lxr_root' => '', 'lxr_url' => '', 'mail_delivery_method' => 'SMTP', - 'mailfrom' => 'bugzilla_noreply@ml.<%= domain %>', - 'maintainer' => 'sysadmin@group.<%= domain %>', + 'mailfrom' => 'bugzilla_noreply@ml.<%= @domain %>', + 'maintainer' => 'sysadmin@group.<%= @domain %>', 'makeproductgroups' => 0, 'maxattachmentsize' => '1000', 'maxlocalattachment' => '0', @@ -88,11 +88,11 @@ 'smtpserver' => 'localhost', 'specific_search_allow_empty_words' => 1, 'ssl_redirect' => 1, - 'sslbase' => 'https://bugs.<%= domain %>/', + 'sslbase' => 'https://bugs.<%= @domain %>/', 'strict_isolation' => 0, 'timetrackinggroup' => '', 'upgrade_notification' => 'latest_stable_release', - 'urlbase' => 'https://bugs.<%= domain %>/', + 'urlbase' => 'https://bugs.<%= @domain %>/', 'use_mailer_queue' => 0, 'use_see_also' => 1, 'usebugaliases' => 0, diff --git a/modules/bugzilla/templates/params.json b/modules/bugzilla/templates/params.json index 05325bc7..892d6400 100644 --- a/modules/bugzilla/templates/params.json +++ b/modules/bugzilla/templates/params.json 
@@ -1,9 +1,9 @@ { - "LDAPBaseDN" : "ou=People,<%= dc_suffix %>", - "LDAPbinddn" : "cn=bugzilla-alamut,ou=System Accounts,<%= dc_suffix %>:<%= ldap_password %>", + "LDAPBaseDN" : "ou=People,<%= @dc_suffix %>", + "LDAPbinddn" : "cn=bugzilla-alamut,ou=System Accounts,<%= @dc_suffix %>:<%= @ldap_password %>", "LDAPfilter" : "", "LDAPmailattribute" : "mail", - "LDAPserver" : "ldap.<%= domain %>", + "LDAPserver" : "ldap.<%= @domain %>", "LDAPstarttls" : "1", "LDAPuidattribute" : "uid", "RADIUS_NAS_IP" : "", @@ -49,8 +49,8 @@ "letsubmitterchoosemilestone" : "1", "letsubmitterchoosepriority" : "1", "mail_delivery_method" : "SMTP", - "mailfrom" : "bugzilla_noreply@ml.<%= domain %>", - "maintainer" : "sysadmin@group.<%= domain %>", + "mailfrom" : "bugzilla_noreply@ml.<%= @domain %>", + "maintainer" : "sysadmin@group.<%= @domain %>", "makeproductgroups" : "0", "max_search_results" : "10000", "maxattachmentsize" : "1000", @@ -81,12 +81,12 @@ "smtp_username" : "", "smtpserver" : "localhost", "ssl_redirect" : "1", - "sslbase" : "https://bugs.<%= domain %>/", + "sslbase" : "https://bugs.<%= @domain %>/", "strict_isolation" : "0", "strict_transport_security" : "off", "timetrackinggroup" : "", "upgrade_notification" : "latest_stable_release", - "urlbase" : "https://bugs.<%= domain %>/", + "urlbase" : "https://bugs.<%= @domain %>/", "use_mailer_queue" : "0", "use_see_also" : "1", "useclassification" : "0", diff --git a/modules/bugzilla-dev/manifests/init.pp b/modules/bugzilla_dev/manifests/init.pp index c6623872..530f9a65 100755 --- a/modules/bugzilla-dev/manifests/init.pp +++ b/modules/bugzilla_dev/manifests/init.pp @@ -1,4 +1,4 @@ -class bugzilla-dev { +class bugzilla_dev { $bugzilla_dev_location = '/usr/share/bugzilla/' 
@@ -27,18 +27,18 @@ class bugzilla-dev { file { '/usr/share/bugzilla/localconfig': group => 'apache', mode => '0640', - content => template('bugzilla-dev/localconfig') + content => template('bugzilla_dev/localconfig') } file { '/usr/share/bugzilla/data/params.json': group => 'apache', mode => '0640', - content => template('bugzilla-dev/params.json') + content => template('bugzilla_dev/params.json') } apache::webapp_other { 'bugzilla-dev': - webapp_file => 'bugzilla-dev/webapp_bugzilla.conf', + webapp_file => 'bugzilla_dev/webapp_bugzilla.conf', } $bugs_vhost = "bugs-dev.${::domain}" @@ -47,7 +47,7 @@ class bugzilla-dev { apache::vhost::redirect_ssl { $bugs_vhost: } apache::vhost::base { $bugs_vhost: - content => template('bugzilla-dev/vhost.conf'), + content => template('bugzilla_dev/vhost.conf'), aliases => { '/bugzilla/' => $vhost_root }, use_ssl => true, location => $vhost_root, @@ -69,7 +69,7 @@ class bugzilla-dev { file { '/usr/share/bugzilla/robots.txt': group => 'apache', mode => '0640', - content => template('bugzilla-dev/robots.txt') + content => template('bugzilla_dev/robots.txt') } cron { 'collectstats': diff --git a/modules/bugzilla-dev/templates/localconfig b/modules/bugzilla_dev/templates/localconfig index 2b7d6035..7e9925a5 100755 --- a/modules/bugzilla-dev/templates/localconfig +++ b/modules/bugzilla_dev/templates/localconfig @@ -64,7 +64,7 @@ $db_user = 'bugs'; # If you use apostrophe (') or a backslash (\) in your password, you'll # need to escape it by preceding it with a '\' character. (\') or (\) # (It is far simpler to just not use those characters.) -$db_pass = '<%= pgsql_password %>'; +$db_pass = '<%= @pgsql_password %>'; # Sometimes the database server is running on a non-standard port. If that's # the case for your database server, set this to the port number that your diff --git a/modules/bugzilla-dev/templates/params.json b/modules/bugzilla_dev/templates/params.json index b51b4c00..f6b00aa9 100644 
--- a/modules/bugzilla-dev/templates/params.json +++ b/modules/bugzilla_dev/templates/params.json @@ -1,9 +1,9 @@ { - "LDAPBaseDN" : "ou=People,<%= dc_suffix %>", - "LDAPbinddn" : "cn=bugzilla-alamut,ou=System Accounts,<%= dc_suffix %>:<%= ldap_password %>", + "LDAPBaseDN" : "ou=People,<%= @dc_suffix %>", + "LDAPbinddn" : "cn=bugzilla-alamut,ou=System Accounts,<%= @dc_suffix %>:<%= @ldap_password %>", "LDAPfilter" : "", "LDAPmailattribute" : "mail", - "LDAPserver" : "ldap.<%= domain %>", + "LDAPserver" : "ldap.<%= @domain %>", "LDAPstarttls" : "1", "LDAPuidattribute" : "uid", "RADIUS_NAS_IP" : "", @@ -49,8 +49,8 @@ "letsubmitterchoosemilestone" : "1", "letsubmitterchoosepriority" : "1", "mail_delivery_method" : "SMTP", - "mailfrom" : "bugzilla-daemon@<%= domain %>", - "maintainer" : "sysadmin@group.<%= domain %>", + "mailfrom" : "bugzilla-daemon@<%= @domain %>", + "maintainer" : "sysadmin@group.<%= @domain %>", "makeproductgroups" : "0", "max_search_results" : "10000", "maxattachmentsize" : "1000", @@ -81,12 +81,12 @@ "smtp_username" : "", "smtpserver" : "localhost", "ssl_redirect" : "1", - "sslbase" : "https://bugs-dev.<%= domain %>/", + "sslbase" : "https://bugs-dev.<%= @domain %>/", "strict_isolation" : "0", "strict_transport_security" : "off", "timetrackinggroup" : "", "upgrade_notification" : "latest_stable_release", - "urlbase" : "http://bugs-dev.<%= domain %>/", + "urlbase" : "http://bugs-dev.<%= @domain %>/", "use_mailer_queue" : "0", "use_see_also" : "1", "useclassification" : "0", diff --git a/modules/bugzilla-dev/templates/robots.txt b/modules/bugzilla_dev/templates/robots.txt index 63639f02..63639f02 100755 --- a/modules/bugzilla-dev/templates/robots.txt +++ b/modules/bugzilla_dev/templates/robots.txt diff --git a/modules/bugzilla-dev/templates/vhost.conf b/modules/bugzilla_dev/templates/vhost.conf index 79eab9fb..79eab9fb 100755 --- a/modules/bugzilla-dev/templates/vhost.conf +++ b/modules/bugzilla_dev/templates/vhost.conf 
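Review bot: In the last hunk `"urlbase"` is still `http://bugs-dev.<%= @domain %>/`, while `"sslbase"` a few lines above is `https://…` and `"ssl_redirect"` is `"1"`; the production `params.json` in this same diff uses `https://` for both. Unless the plain-HTTP base is intentional for the dev instance, `"urlbase" : "https://bugs-dev.<%= @domain %>/",` would keep generated links off cleartext HTTP. The context also shows `"strict_transport_security" : "off"`, which is worth revisiting together with this.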
diff --git a/modules/bugzilla-dev/templates/webapp_bugzilla.conf b/modules/bugzilla_dev/templates/webapp_bugzilla.conf index a8f37a00..a8f37a00 100755 --- a/modules/bugzilla-dev/templates/webapp_bugzilla.conf +++ b/modules/bugzilla_dev/templates/webapp_bugzilla.conf diff --git a/modules/buildsystem/manifests/binrepo.pp b/modules/buildsystem/manifests/binrepo.pp index 5bf16b53..0e48363a 100644 --- a/modules/buildsystem/manifests/binrepo.pp +++ b/modules/buildsystem/manifests/binrepo.pp @@ -4,7 +4,7 @@ class buildsystem::binrepo { include sudo # upload-bin script uses the mailx command provided by nail -if versioncmp($::lsbdistrelease, '9') < 0 { +if versioncmp($facts['lsbdistrelease'], '9') < 0 { package { 'nail': ensure => installed, } diff --git a/modules/buildsystem/manifests/iurt/config.pp b/modules/buildsystem/manifests/iurt/config.pp index be440e39..6586edee 100644 --- a/modules/buildsystem/manifests/iurt/config.pp +++ b/modules/buildsystem/manifests/iurt/config.pp @@ -9,6 +9,7 @@ define buildsystem::iurt::config() { $build_timeout = { 'default' => 36000, 'atlas' => 57600, + 'blender' => 57600, 'chromium-browser-stable' => 172800, 'clang' => 172800, 'cross-gcc' => 115200, @@ -20,9 +21,9 @@ define buildsystem::iurt::config() { 'java-latest-openjdk' => 172800, 'kernel' => 115200, 'libreoffice' => 432000, - 'llvm' => 86400, - 'llvm17-suite' => 86400, - 'llvm19-suite' => 86400, + 'llvm' => 115200, + 'llvm17-suite' => 115200, + 'llvm19-suite' => 115200, 'openfoam' => 115200, 'paraview' => 115200, 'qgis' => 57600, @@ -32,13 +33,12 @@ define buildsystem::iurt::config() { 'salome' => 57600, 'vtk' => 57600, 'webkit' => 57600, - 'webkit2' => 115200, + 'webkit2' => 172800, 'wrapitk' => 115200, 'rocm-llvm' => 70000, } $allow_network_access = [ - 'libguestfs', # Needs access to the configured mirrors ] file { "/etc/iurt/build/${distribution}.conf": diff --git a/modules/buildsystem/templates/iurt.conf b/modules/buildsystem/templates/iurt.conf index 2dd8bf0e..92591b11 100644 
--- a/modules/buildsystem/templates/iurt.conf +++ b/modules/buildsystem/templates/iurt.conf @@ -11,8 +11,8 @@ distribution => '<%= distro['macros']['distribution'] %>', vendor => '<%= distro['macros']['vendor'] %>', base_media => [ '<%= distro['base_media'].join("', '") %>' ], - upload => '<%= build_login %>@pkgsubmit:~/uploads/', - upload_queue => '<%= build_login %>@pkgsubmit:~/uploads/queue/', + upload => '<%= @build_login %>@pkgsubmit:~/uploads/', + upload_queue => '<%= @build_login %>@pkgsubmit:~/uploads/queue/', unwanted_packages => '^monotone-', repository => 'http://<%= scope.lookupvar('buildsystem::var::repository::hostname') %>/<%= scope.lookupvar('buildsystem::var::repository::distribdir') %>/', log_url => 'https://<%= scope.lookupvar('buildsystem::var::webstatus::hostname') %>/queue/build/', @@ -21,17 +21,18 @@ sendmail => 0, log_size_limit => '600M', build_timeout => { -<%- build_timeout.keys.sort.each{|package| -%> - '<%= package %>' => <%= (build_timeout[package].to_f * scope.lookupvar('buildsystem::var::iurt::timeout_multiplier').to_f).to_i %>, +<%- @build_timeout.keys.sort.each{|package| -%> + '<%= package %>' => <%= (@build_timeout[package].to_f * scope.lookupvar('buildsystem::var::iurt::timeout_multiplier').to_f).to_i %>, <%- } -%> }, use_netns => { 'default' => 1, -<%- allow_network_access.sort.each{|package| -%> +<%- @allow_network_access.sort.each{|package| -%> '<%= package %>' => 0, <%- } -%> }, + urpmi_options => '--noclean', } diff --git a/modules/buildsystem/templates/mgarepo.conf b/modules/buildsystem/templates/mgarepo.conf index fbe5109c..e6e8fd1a 100644 --- a/modules/buildsystem/templates/mgarepo.conf +++ b/modules/buildsystem/templates/mgarepo.conf 
@@ -6,7 +6,7 @@ verbose = no default_parent = <%= scope.lookupvar('buildsystem::var::mgarepo::svn_root_packages') %>/<%= default_distro %> #url-map = svn\+ssh://svn\.mageia\.org/(.*) file:///\1 -tempdir = <%= sched_home_dir %>/repsys/tmp +tempdir = <%= @sched_home_dir %>/repsys/tmp trunk-dir = <%= default_distro %> <%- conf = scope.lookupvar('buildsystem::var::mgarepo::conf') @@ -33,7 +33,7 @@ ignore-string = SILENT path = /usr/share/mgarepo/default.chlog [users] -iurt = Mageia build bot <mageia-sysadm@<%= domain %>> +iurt = Mageia build bot <mageia-sysadm@<%= @domain %>> [submit] default = <%= default_distro %> @@ -44,7 +44,7 @@ host = <%= scope.lookupvar('buildsystem::var::mgarepo::submit_host') %> distro = distros[d] -%> [submit <%= d %>] -target = <%= sched_home_dir %>/repsys/srpms +target = <%= @sched_home_dir %>/repsys/srpms allowed = <%= distro['submit_allowed'] %> <%= distro['backports_allowed'] %> rpm-macros = global <%= d %> @@ -63,6 +63,9 @@ dist = %{?distsuffix:%distsuffix}%{?!distsuffix:.mga}%{?distro_release:%distro_r -%> [macros <%= d %>] distro_release = <%= distro['version'] %> +mageia = <%= distro['version'] %> +mgaver = <%= distro['version'] %> +mgaversion = <%= distro['version'] %> <%- distro['macros'].keys.sort.each{|macro| value = distro['macros'][macro] diff --git a/modules/buildsystem/templates/signbot/sudoers.signpackage b/modules/buildsystem/templates/signbot/sudoers.signpackage index 4ea30238..7a5ff7c2 100644 --- a/modules/buildsystem/templates/signbot/sudoers.signpackage +++ b/modules/buildsystem/templates/signbot/sudoers.signpackage 
@@ -1,2 +1,2 @@ -<%= sched_login %> ALL =(<%= scope.lookupvar('buildsystem::var::signbot::login') %>) NOPASSWD: /usr/local/bin/mga-signpackage -<%= sched_login %> ALL =(<%= scope.lookupvar('buildsystem::var::signbot::login') %>) NOPASSWD: /usr/local/bin/sign-check-package +<%= @sched_login %> ALL =(<%= scope.lookupvar('buildsystem::var::signbot::login') %>) NOPASSWD: /usr/local/bin/mga-signpackage +<%= @sched_login %> ALL =(<%= scope.lookupvar('buildsystem::var::signbot::login') %>) NOPASSWD: /usr/local/bin/sign-check-package diff --git a/modules/buildsystem/templates/upload.conf b/modules/buildsystem/templates/upload.conf index af610c92..0b2cb930 100644 --- a/modules/buildsystem/templates/upload.conf +++ b/modules/buildsystem/templates/upload.conf @@ -100,7 +100,7 @@ my $homedir = "<%= scope.lookupvar('buildsystem::var::iurt::homedir') %>"; admin => '<%= scope.lookupvar('buildsystem::var::scheduler::admin_mail') %>', http_queue => 'https://<%= scope.lookupvar('buildsystem::var::webstatus::hostname') %>/uploads', upload_user => '<%= scope.lookupvar('buildsystem::var::scheduler::login') %>', - email_domain => '<%= domain %>', + email_domain => '<%= @domain %>', arch => { <%- distros.keys.sort.each{|distroname| diff --git a/modules/draklive/templates/sudoers.draklive b/modules/draklive/templates/sudoers.draklive index 536e4e9f..8d546396 100644 --- a/modules/draklive/templates/sudoers.draklive +++ b/modules/draklive/templates/sudoers.draklive @@ -1,3 +1,3 @@ <%= @login %> ALL=(root) NOPASSWD: /usr/sbin/draklive <%= @login %> ALL=(root) NOPASSWD: /usr/bin/draklive2 -%<%= isomakers_group %> ALL=(<%= @login %>) SETENV: NOPASSWD: ALL +%<%= @isomakers_group %> ALL=(<%= @login %>) SETENV: NOPASSWD: ALL diff --git a/modules/gnupg/manifests/client.pp b/modules/gnupg/manifests/client.pp index 301e569a..4dfaeec4 100644 --- a/modules/gnupg/manifests/client.pp +++ b/modules/gnupg/manifests/client.pp 
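Review bot: Both rules in `sudoers.signpackage` now depend on `@sched_login` being set in the scope that calls `template()`, and the `draklive` template further down this line does the same with `@isomakers_group`; if either resolves to nil, the rendered line starts with an empty user or with a bare `%`, which is not a valid sudoers entry. Nothing in these hunks shows the rendered files being syntax-checked, so the resource that installs them should validate with `visudo -cf` before replacing the file (Puppet's `file` type offers `validate_cmd` for this). Because the draklive rule grants `SETENV: NOPASSWD: ALL`, a one-line `#` comment in that template stating who is expected to be in the group would also help later reviewers.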
@@ -1,5 +1,5 @@ class gnupg::client { -if versioncmp($::lsbdistrelease, '7') < 0 { +if versioncmp($facts['lsbdistrelease'], '7') < 0 { package {['gnupg', 'rng-utils']: } diff --git a/modules/mediawiki/manifests/instance.pp b/modules/mediawiki/manifests/instance.pp index c6906449..3385be74 100644 --- a/modules/mediawiki/manifests/instance.pp +++ b/modules/mediawiki/manifests/instance.pp @@ -1,4 +1,4 @@ -define mediawiki::instance( $title, +define mediawiki::instance( $site_title, $wiki_settings = '', $skinsdir = '/usr/share/mediawiki/skins') { diff --git a/modules/mediawiki/templates/LocalSettings.php b/modules/mediawiki/templates/LocalSettings.php index c340dfd9..246fe329 100644 --- a/modules/mediawiki/templates/LocalSettings.php +++ b/modules/mediawiki/templates/LocalSettings.php @@ -24,7 +24,7 @@ set_include_path( implode( PATH_SEPARATOR, $path ) . PATH_SEPARATOR . get_includ ## Uncomment this to disable output compression # $wgDisableOutputCompression = true; -$wgSitename = "<%= @title %>"; +$wgSitename = "<%= @site_title %>"; # $wgMetaNamespace = ""; # Defaults to $wgSitename ## The URL base path to the directory containing the wiki; diff --git a/modules/mga-advisories/manifests/init.pp b/modules/mga_advisories/manifests/init.pp index 1937bb62..194e4c7d 100644 --- a/modules/mga-advisories/manifests/init.pp +++ b/modules/mga_advisories/manifests/init.pp @@ -1,4 +1,4 @@ -class mga-advisories( +class mga_advisories( $advisories_svn = "svn://svn.${::domain}/svn/advisories", $vhost ){ @@ -31,7 +31,7 @@ class mga-advisories( owner => root, group => root, mode => '0644', - content => template('mga-advisories/mga-advisories.conf'), + content => template('mga_advisories/mga-advisories.conf'), require => Package['mga-advisories'], } @@ -71,7 +71,7 @@ class mga-advisories( owner => root, group => root, mode => '0755', - content => template('mga-advisories/update_script'), + content => template('mga_advisories/update_script'), } file { $move_wrapper_script: 
@@ -79,11 +79,11 @@ class mga-advisories( owner => root, group => root, mode => '0755', - content => template('mga-advisories/adv-move-pkg'), + content => template('mga_advisories/adv-move-pkg'), } sudo::sudoers_config { 'mga-adv-move-pkg': - content => template('mga-advisories/sudoers.adv-move-pkg') + content => template('mga_advisories/sudoers.adv-move-pkg') } # Disable for now... we may re-instate once it's been a little more tested. diff --git a/modules/mga-advisories/templates/adv-move-pkg b/modules/mga_advisories/templates/adv-move-pkg index 71e1880e..71e1880e 100644 --- a/modules/mga-advisories/templates/adv-move-pkg +++ b/modules/mga_advisories/templates/adv-move-pkg diff --git a/modules/mga-advisories/templates/mga-advisories.conf b/modules/mga_advisories/templates/mga-advisories.conf index 4dab1543..4dab1543 100644 --- a/modules/mga-advisories/templates/mga-advisories.conf +++ b/modules/mga_advisories/templates/mga-advisories.conf diff --git a/modules/mga-advisories/templates/sudoers.adv-move-pkg b/modules/mga_advisories/templates/sudoers.adv-move-pkg index 5d9618a9..5d9618a9 100644 --- a/modules/mga-advisories/templates/sudoers.adv-move-pkg +++ b/modules/mga_advisories/templates/sudoers.adv-move-pkg diff --git a/modules/mga-advisories/templates/update_script b/modules/mga_advisories/templates/update_script index 71d8d1d4..71d8d1d4 100644 --- a/modules/mga-advisories/templates/update_script +++ b/modules/mga_advisories/templates/update_script diff --git a/modules/mga-mirrors/files/check_mirrors_status b/modules/mga_mirrors/files/check_mirrors_status index 9c00ac8d..9c00ac8d 100755 --- a/modules/mga-mirrors/files/check_mirrors_status +++ b/modules/mga_mirrors/files/check_mirrors_status diff --git a/modules/mga-mirrors/manifests/init.pp b/modules/mga_mirrors/manifests/init.pp index 4b8b5552..8485f0d5 100644 --- a/modules/mga-mirrors/manifests/init.pp +++ b/modules/mga_mirrors/manifests/init.pp 
@@ -1,4 +1,4 @@ -class mga-mirrors { +class mga_mirrors { $vhost = "mirrors.${::domain}" $mirrors_dir = '/var/www/mirrors' @@ -33,12 +33,12 @@ class mga-mirrors { file { '/etc/mga-mirrors.ini': group => 'apache', mode => '0640', - content => template('mga-mirrors/mga-mirrors.ini'), + content => template('mga_mirrors/mga-mirrors.ini'), require => Package['mga-mirrors'] } file { '/etc/cron.d/check_mga_mirrors': - content => template('mga-mirrors/cron-mga_mirrors'), + content => template('mga_mirrors/cron-mga_mirrors'), require => Package['mga-mirrors'] } @@ -49,6 +49,6 @@ class mga-mirrors { file { '/usr/local/bin/check_mirrors_status': mode => '0755', - source => 'puppet:///modules/mga-mirrors/check_mirrors_status', + source => 'puppet:///modules/mga_mirrors/check_mirrors_status', } } diff --git a/modules/mga-mirrors/templates/cron-mga_mirrors b/modules/mga_mirrors/templates/cron-mga_mirrors index 7236be04..7236be04 100644 --- a/modules/mga-mirrors/templates/cron-mga_mirrors +++ b/modules/mga_mirrors/templates/cron-mga_mirrors diff --git a/modules/mga-mirrors/templates/mga-mirrors.ini b/modules/mga_mirrors/templates/mga-mirrors.ini index b438edd1..b438edd1 100644 --- a/modules/mga-mirrors/templates/mga-mirrors.ini +++ b/modules/mga_mirrors/templates/mga-mirrors.ini diff --git a/modules/mga-treasurer/manifests/init.pp b/modules/mga_treasurer/manifests/init.pp index d092e982..0902ee7d 100644 --- a/modules/mga-treasurer/manifests/init.pp +++ b/modules/mga_treasurer/manifests/init.pp @@ -1,4 +1,4 @@ -class mga-treasurer( +class mga_treasurer( $grisbi_git = "git://git.${::domain}/org/accounts", $grisbi_filename = 'mageia-accounts.gsb', $vhost, @@ -32,7 +32,7 @@ class mga-treasurer( owner => root, group => root, mode => '0644', - content => template('mga-treasurer/mga-treasurer.conf'), + content => template('mga_treasurer/mga-treasurer.conf'), require => Package['mga-treasurer'], } 
@@ -49,7 +49,7 @@ class mga-treasurer( "/${grisbi_filename}" => $grisbi_path, "/static" => '/usr/share/mga-treasurer/static', }, - content => template('mga-treasurer/vhost_mga-treasurer.conf'), + content => template('mga_treasurer/vhost_mga-treasurer.conf'), require => File[$vhostdir], } @@ -61,7 +61,7 @@ class mga-treasurer( "/${grisbi_filename}" => $grisbi_path, "/static" => '/usr/share/mga-treasurer/static', }, - content => template('mga-treasurer/vhost_mga-treasurer.conf'), + content => template('mga_treasurer/vhost_mga-treasurer.conf'), require => File[$vhostdir], } @@ -70,7 +70,7 @@ class mga-treasurer( owner => root, group => root, mode => '0755', - content => template('mga-treasurer/update_script'), + content => template('mga_treasurer/update_script'), } git::snapshot { $grisbi_dir: diff --git a/modules/mga-treasurer/templates/mga-treasurer.conf b/modules/mga_treasurer/templates/mga-treasurer.conf index 75ac180f..75ac180f 100644 --- a/modules/mga-treasurer/templates/mga-treasurer.conf +++ b/modules/mga_treasurer/templates/mga-treasurer.conf diff --git a/modules/mga-treasurer/templates/update_script b/modules/mga_treasurer/templates/update_script index 30fab72d..30fab72d 100644 --- a/modules/mga-treasurer/templates/update_script +++ b/modules/mga_treasurer/templates/update_script diff --git a/modules/mga-treasurer/templates/vhost_mga-treasurer.conf b/modules/mga_treasurer/templates/vhost_mga-treasurer.conf index 763cd87d..763cd87d 100644 --- a/modules/mga-treasurer/templates/vhost_mga-treasurer.conf +++ b/modules/mga_treasurer/templates/vhost_mga-treasurer.conf diff --git a/modules/ntp/manifests/init.pp b/modules/ntp/manifests/init.pp index f75310e7..03d8441c 100644 --- a/modules/ntp/manifests/init.pp +++ b/modules/ntp/manifests/init.pp @@ -1,5 +1,5 @@ class ntp { -if versioncmp($::lsbdistrelease, '9') < 0 { +if versioncmp($facts['lsbdistrelease'], '9') < 0 { $ntppkg = 'ntp' } else { $ntppkg = 'ntpsec' 
diff --git a/modules/ntp/templates/ntp.conf b/modules/ntp/templates/ntp.conf index 72f233c0..cfff232c 100644 --- a/modules/ntp/templates/ntp.conf +++ b/modules/ntp/templates/ntp.conf @@ -22,7 +22,7 @@ server fr.pool.ntp.org # it to the file. # driftfile /var/lib/ntp/drift -multicastclient # listen on default 224.0.1.1 +multicastclient 224.0.1.1 # listen on default 224.0.1.1 broadcastdelay 0.008 # https://www.kb.cert.org/vuls/id/348126 diff --git a/modules/opendkim/manifests/init.pp b/modules/opendkim/manifests/init.pp index 6e45345a..16d3d641 100644 --- a/modules/opendkim/manifests/init.pp +++ b/modules/opendkim/manifests/init.pp @@ -41,51 +41,6 @@ class opendkim ( ensure => present, } - case $::operatingsystem { - /^(Debian|Ubuntu)$/: { - package { 'opendkim-tools': - ensure => present, - } - # Debian/Ubuntu doesn't ship this directory in its package - file { $pathconf: - ensure => directory, - owner => 'root', - group => 'opendkim', - mode => '0755', - require => Package[$package_name], - } - file { "${pathconf}/keys": - ensure => directory, - owner => 'opendkim', - group => 'opendkim', - mode => '0750', - require => Package[$package_name], - } - file { "${pathconf}/KeyTable": - ensure => present, - owner => 'opendkim', - group => 'opendkim', - mode => '0640', - require => Package[$package_name], - } - file { "${pathconf}/SigningTable": - ensure => present, - owner => 'opendkim', - group => 'opendkim', - mode => '0640', - require => Package[$package_name], - } - file { "${pathconf}/TrustedHosts": - ensure => present, - owner => 'opendkim', - group => 'opendkim', - mode => '0644', - require => Package[$package_name], - } - } - default: {} - } - file {'/etc/opendkim.conf': ensure => file, owner => 'root', diff --git a/modules/openldap/templates/init_ldap.sh b/modules/openldap/templates/init_ldap.sh index dfcaf236..6b33926a 100644 --- a/modules/openldap/templates/init_ldap.sh +++ b/modules/openldap/templates/init_ldap.sh 
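Review bot: The new `multicastclient 224.0.1.1` line keeps the daemon accepting unsolicited multicast time, and nothing in this hunk shows authentication (`keys` / `trustedkey`) being required for it, so any host able to send to that group on the segment could influence the clock. The only source visible here is the unicast `server fr.pool.ntp.org`. If no multicast source is in use, the safer change is to drop the directive rather than spell out the address, e.g. `# multicastclient disabled: time comes from the unicast servers above`. ntp/manifests/init.pp in this commit selects `ntpsec` on newer releases, and as far as I know ntpsec no longer implements multicast client mode, so the line should also be checked against that daemon's parser.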
@@ -1,14 +1,14 @@ #!/bin/bash ldapadd -Y EXTERNAL -H ldapi:/// <<EOF -dn: <%= dc_suffix %> -dc: <%= dc_suffix.split(',')[0].split('=')[1] %> +dn: <%= @dc_suffix %> +dc: <%= @dc_suffix.split(',')[0].split('=')[1] %> objectClass: domain objectClass: domainRelatedObject -associatedDomain: <%= domain %> +associatedDomain: <%= @domain %> <% for g in ['People','Group','Hosts'] %> -dn: ou=<%= g%>,<%= dc_suffix %> +dn: ou=<%= g %>,<%= @dc_suffix %> ou: <%= g %> objectClass: organizationalUnit <% end %> @@ -16,12 +16,12 @@ objectClass: organizationalUnit <% gid = 5000 for g in ['packagers','web','sysadmin','packagers-committers','forum-developers'] %> -dn: cn=mga-<%= g %>,ou=Group,<%= dc_suffix %> +dn: cn=mga-<%= g %>,ou=Group,<%= @dc_suffix %> objectClass: groupOfNames objectClass: posixGroup cn: mga-<%= g %> gidNumber: <%= gid %> -member: cn=manager,<%= dc_suffix %> +member: cn=manager,<%= @dc_suffix %> <%- gid+=1 end -%> @@ -29,10 +29,10 @@ end -%> <% # FIXME automatically get the list of servers for g in ['duvel','alamut'] %> -dn: cn=<%= g%>.<%= domain %>,ou=Hosts,<%= dc_suffix %> +dn: cn=<%= g %>.<%= @domain %>,ou=Hosts,<%= @dc_suffix %> objectClass: device objectClass: simpleSecurityObject -cn: <%= g%>.<%= domain %> +cn: <%= g %>.<%= @domain %> userPassword: x <% end %> diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf index 361d956b..e2602ee7 100644 --- a/modules/openldap/templates/mandriva-dit-access.conf +++ b/modules/openldap/templates/mandriva-dit-access.conf 
@@ -1,195 +1,195 @@ # mandriva-dit-access.conf -limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" +limits group="cn=LDAP Replicators,ou=System Groups,<%= @dc_suffix %>" limit size=unlimited limit time=unlimited -limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" +limits group="cn=LDAP Admins,ou=System Groups,<%= @dc_suffix %>" limit size=unlimited limit time=unlimited -limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" +limits group="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" limit size=unlimited limit time=unlimited # so we don't have to add these to every other acl down there -access to dn.subtree="<%= dc_suffix %>" - by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write - by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read +access to dn.subtree="<%= @dc_suffix %>" + by group.exact="cn=LDAP Admins,ou=System Groups,<%= @dc_suffix %>" write + by group.exact="cn=LDAP Replicators,ou=System Groups,<%= @dc_suffix %>" read by * break # userPassword access # Allow account registration to write userPassword of unprivileged users accounts -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))" attrs=userPassword - by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= @dc_suffix %>" +w by * +0 break # shadowLastChange is here because it needs to be writable by the user because # of pam_ldap, which will update this attr whenever the password is changed. 
# And this is done with the user's credentials -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= @dc_suffix %>" attrs=shadowLastChange by self write - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by users read -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= @dc_suffix %>" attrs=userPassword - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by self write by anonymous auth by * none # kerberos key access # "by auth" just in case... -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= @dc_suffix %>" attrs=krb5Key by self write - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by anonymous auth by * none # password policies -access to dn.subtree="ou=Password Policies,<%= dc_suffix %>" - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write +access to dn.subtree="ou=Password Policies,<%= @dc_suffix %>" + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # samba password attributes # by self not strictly necessary, because samba uses its own admin user to # change the password on the user's behalf # openldap also doesn't auth on these attributes, but maybe some day it will -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= @dc_suffix %>" attrs=sambaLMPassword,sambaNTPassword - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by anonymous auth by self write by * none # password history attribute # pwdHistory is read-only, but ACL is simpler with it here -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= 
@dc_suffix %>" attrs=sambaPasswordHistory,pwdHistory by self read - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by * none # pwdReset, so the admin can force an user to change a password -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= @dc_suffix %>" attrs=pwdReset,pwdAccountLockedTime - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by self read # group owner can add/remove/edit members to groups -access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" +access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= @dc_suffix %>$" attrs=member,owner by dnattr=owner write - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by users +scrx -access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" +access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= @dc_suffix %>$" attrs=cn,description,objectClass,gidNumber - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # registration - allow registrar group to create basic unprivileged accounts -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" attrs="objectClass" val="inetOrgperson" - by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= @dc_suffix %>" =asrx by * +0 break -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" filter="(!(objectclass=posixAccount))" attrs=cn,sn,gn,mail,entry,children,preferredLanguage - by 
group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= @dc_suffix %>" =asrx by * +0 break # TODO maybe we should use a group instead of a user here -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" filter="(objectclass=posixAccount)" attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber - by dn.one="ou=Hosts,<%= dc_suffix %>" read + by dn.one="ou=Hosts,<%= @dc_suffix %>" read by * +0 break # let the user change some of his/her attributes -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" attrs=cn,sn,givenName,carLicense,drink,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey by self write by users read -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" attrs=memberOf by users read # create new accounts -access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$" +access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= @dc_suffix %>$" attrs=children,entry - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by * break # access to existing entries -access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$" - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write +access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= @dc_suffix %>$" + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by * break # sambaDomainName entry -access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$" +access to dn.regex="^(sambaDomainName=[^,]+,)?<%= @dc_suffix %>$" attrs=children,entry,@sambaDomain,@sambaUnixIdPool - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by 
group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # samba ID mapping -access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$" +access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= @dc_suffix %>$" attrs=children,entry,@sambaIdmapEntry - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write - by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write + by group.exact="cn=IDMAP Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # global address book # XXX - which class(es) to use? -access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>" +access to dn.regex="^(.*,)?ou=Address Book,<%= @dc_suffix %>" attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList - by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Address Book Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # dhcp entries # XXX - open up read access to anybody? 
-access to dn.sub="ou=dhcp,<%= dc_suffix %>" +access to dn.sub="ou=dhcp,<%= @dc_suffix %>" attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog - by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write - by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read + by group.exact="cn=DHCP Admins,ou=System Groups,<%= @dc_suffix %>" write + by group.exact="cn=DHCP Readers,ou=System Groups,<%= @dc_suffix %>" read by * read # sudoers -access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$" +access to dn.regex="^([^,]+,)?ou=sudoers,<%= @dc_suffix %>$" attrs=children,entry,@sudoRole - by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Sudo Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # dns -access to dn="ou=dns,<%= dc_suffix %>" +access to dn="ou=dns,<%= @dc_suffix %>" attrs=entry,@extensibleObject - by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=DNS Admins,ou=System Groups,<%= @dc_suffix %>" write by users read -access to dn.sub="ou=dns,<%= dc_suffix %>" +access to dn.sub="ou=dns,<%= @dc_suffix %>" attrs=children,entry,@dNSZone - by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write - by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read + by group.exact="cn=DNS Admins,ou=System Groups,<%= @dc_suffix %>" write + by group.exact="cn=DNS Readers,ou=System Groups,<%= @dc_suffix %>" read by * none # MTA # XXX - what else can we add here? Virtual Domains? With which schema? 
-access to dn.one="ou=People,<%= dc_suffix %>" +access to dn.one="ou=People,<%= @dc_suffix %>" attrs=@inetLocalMailRecipient,mail - by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=MTA Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # KDE Configuration -access to dn.sub="ou=KDEConfig,<%= dc_suffix %>" - by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write +access to dn.sub="ou=KDEConfig,<%= @dc_suffix %>" + by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= @dc_suffix %>" write by * read # last one -access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn +access to dn.subtree="<%= @dc_suffix %>" attrs=entry,uid,cn by users read diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf index d82fe088..a7d11214 100644 --- a/modules/openldap/templates/slapd.conf +++ b/modules/openldap/templates/slapd.conf @@ -29,7 +29,7 @@ include /usr/share/openldap/schema/openssh-lpk_openldap.schema pidfile /var/run/ldap/slapd.pid argsfile /var/run/ldap/slapd.args -modulepath <%= lib_dir %>/openldap +modulepath <%= @lib_dir %>/openldap <% if @hostname == 'duvel' then %> moduleload back_bdb.la <% else %> @@ -44,9 +44,9 @@ moduleload unique.la moduleload dynlist.la moduleload constraint.la -TLSCertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem -TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= domain %>.pem -TLSCACertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem +TLSCertificateFile /etc/ssl/openldap/ldap.<%= @domain %>.pem +TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= @domain %>.pem +TLSCACertificateFile /etc/ssl/openldap/ldap.<%= @domain %>.pem # Give ldapi connection some security localSSF 56 
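Review bot: The Address Book rule `access to dn.regex="^(.*,)?ou=Address Book,<%= @dc_suffix %>"` has no trailing `$`, while every other `dn.regex` in this file anchors the suffix. Since entries live under the database suffix the practical effect is probably small, but the unanchored pattern also matches any DN that merely continues after the suffix text. It is the one ACL here whose scope cannot be read off the line. Suggested: `access to dn.regex="^(.*,)?ou=Address Book,<%= @dc_suffix %>$"`.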
@@ -60,8 +60,8 @@ loglevel 256 database monitor access to dn.subtree="cn=Monitor" - by group.exact="cn=LDAP Monitors,ou=System Groups,<%= dc_suffix %>" read - by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read + by group.exact="cn=LDAP Monitors,ou=System Groups,<%= @dc_suffix %>" read + by group.exact="cn=LDAP Admins,ou=System Groups,<%= @dc_suffix %>" read by * none <% if @hostname == 'duvel' then %> @@ -71,9 +71,9 @@ database mdb # mdb defaults to 10MB max DB, so we need to hardcode some better value :( maxsize 500000000 <% end %> -suffix "<%= dc_suffix %>" +suffix "<%= @dc_suffix %>" directory /var/lib/ldap -rootdn "cn=manager,<%= dc_suffix %>" +rootdn "cn=manager,<%= @dc_suffix %>" checkpoint 256 5 <% if @hostname == 'duvel' then %> @@ -105,7 +105,7 @@ syncprov-checkpoint 100 10 syncprov-sessionlog 100 overlay ppolicy -ppolicy_default "cn=default,ou=Password Policies,<%= dc_suffix %>" +ppolicy_default "cn=default,ou=Password Policies,<%= @dc_suffix %>" ppolicy_hash_cleartext yes ppolicy_use_lockout yes @@ -126,10 +126,10 @@ constraint_attribute sshPublicKey regex "^ssh-(rsa|dss|ed25519) [[:graph:]]+ [[: #refint_attributes member #refint_nothing "uid=LDAP Admin,ou=System Accounts,dc=example,dc=com" -<% if environment == "test" %> +<% if @environment == "test" %> authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" - "cn=manager,<%= dc_suffix %>" -authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= dc_suffix %> + "cn=manager,<%= @dc_suffix %>" +authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= @dc_suffix %> <% end %> include /etc/openldap/mandriva-dit-access.conf diff --git a/modules/openldap/templates/slapd.syncrepl.conf b/modules/openldap/templates/slapd.syncrepl.conf index 2bfe7d50..4c69a56e 100644 --- a/modules/openldap/templates/slapd.syncrepl.conf +++ b/modules/openldap/templates/slapd.syncrepl.conf 
@@ -1,11 +1,11 @@ -syncrepl rid=<%= rid %> - provider=ldaps://ldap-master.<%= domain %>:636 +syncrepl rid=<%= @rid %> + provider=ldaps://ldap-master.<%= @domain %>:636 type=refreshAndPersist - searchbase="<%= dc_suffix %>" + searchbase="<%= @dc_suffix %>" schemachecking=off bindmethod=simple - binddn="cn=syncuser-<%= hostname%>,ou=System Accounts,<%= dc_suffix %>" - credentials=<%= sync_password %> + binddn="cn=syncuser-<%= @hostname %>,ou=System Accounts,<%= @dc_suffix %>" + credentials=<%= @sync_password %> tls_reqcert=never -updateref ldaps://ldap-master.<%= domain %>:636 +updateref ldaps://ldap-master.<%= @domain %>:636 diff --git a/modules/openldap/templates/slapd.test.conf b/modules/openldap/templates/slapd.test.conf index 8befa55a..a492acd7 100644 --- a/modules/openldap/templates/slapd.test.conf +++ b/modules/openldap/templates/slapd.test.conf @@ -2,7 +2,7 @@ database bdb suffix "dc=test_ldap" directory /var/lib/ldap/test rootdn "cn=manager,dc=test_ldap" -rootpw "<%= ldap_test_password %>" +rootpw "<%= @ldap_test_password %>" authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=manager,dc=test_ldap" # force ssl diff --git a/modules/openssh/manifests/ssh_keys_from_ldap.pp b/modules/openssh/manifests/ssh_keys_from_ldap.pp index 9ea6c139..893b2656 100644 --- a/modules/openssh/manifests/ssh_keys_from_ldap.pp +++ b/modules/openssh/manifests/ssh_keys_from_ldap.pp @@ -10,7 +10,7 @@ class openssh::ssh_keys_from_ldap inherits server { } cron { 'sshkey2file': - command => '/bin/bash -c "/usr/local/bin/ldap-sshkey2file.py && ( [[ -f /usr/bin/mgagit && -d /var/lib/git/.gitolite ]] && /bin/su -c \'/usr/bin/mgagit glrun\' - git ) ||:"', + command => '/usr/local/bin/ldap-sshkey2file.py', hour => '*', minute => '*/10', user => 'root', diff --git a/modules/pam/templates/ldap.conf b/modules/pam/templates/ldap.conf index 235a6aac..0e8495df 100644 --- a/modules/pam/templates/ldap.conf +++ b/modules/pam/templates/ldap.conf 
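Review bot: `tls_reqcert=never` stays on the new side next to `bindmethod=simple`, so the replica sends `credentials=<%= @sync_password %>` to whatever answers on `ldap-master.<%= @domain %>:636` without checking its certificate. The `ldaps://` scheme then protects against passive capture only, not against an impersonated provider. slapd.conf in this commit already points `TLSCACertificateFile` at `/etc/ssl/openldap/ldap.<%= @domain %>.pem`. If that file is the right trust anchor for ldap-master (to be confirmed), the two lines would be `tls_reqcert=demand` and `tls_cacert=/etc/ssl/openldap/ldap.<%= @domain %>.pem`. The `TLS_REQCERT allow` context line in pam/templates/openldap.ldap.conf has the same weakness on the client side.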
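Review bot: The new cron `command` drops the `mgagit glrun` step that used to follow `ldap-sshkey2file.py`, and this hunk does not show where that refresh happens now. If nothing else triggers it, a key removed from LDAP could stay usable for git access until some other run regenerates the gitolite configuration. A comment on the resource would make the intent explicit, e.g. `# mgagit glrun is now run by <job name>, not by this cron`. The cron resource and its class continue outside the hunk.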
@@ -1,18 +1,18 @@ -rootbinddn cn=<%= fqdn %>,ou=Hosts,<%= dc_suffix %> +rootbinddn cn=<%= @fqdn %>,ou=Hosts,<%= @dc_suffix %> -uri ldaps://ldap.<%= domain %> -base <%= dc_suffix %> +uri ldaps://ldap.<%= @domain %> +base <%= @dc_suffix %> timelimit 4 bind_timelimit 4 pam_lookup_policy yes pam_password exop -nss_base_passwd ou=People,<%= dc_suffix %>?one -nss_base_shadow ou=People,<%= dc_suffix %>?one -nss_base_group ou=Group,<%= dc_suffix %>?one +nss_base_passwd ou=People,<%= @dc_suffix %>?one +nss_base_shadow ou=People,<%= @dc_suffix %>?one +nss_base_group ou=Group,<%= @dc_suffix %>?one nss_schema rfc2307bis nss_map_attribute uniqueMember member -sudoers_base ou=sudoers,<%= dc_suffix %> +sudoers_base ou=sudoers,<%= @dc_suffix %> #sudoers_debug 2 <%- diff --git a/modules/pam/templates/openldap.ldap.conf b/modules/pam/templates/openldap.ldap.conf index cd6ee640..a2a3efab 100644 --- a/modules/pam/templates/openldap.ldap.conf +++ b/modules/pam/templates/openldap.ldap.conf @@ -18,7 +18,7 @@ TLS_REQCERT allow # Use the default self-signed cert generated by openldap-server postinstall # by default #TLS_CACERT /etc/pki/tls/certs/ldap.pem -#TLS_CACERT /etc/ssl/openldap/ldap.<%= domain %>.pem +#TLS_CACERT /etc/ssl/openldap/ldap.<%= @domain %>.pem # If requiring support for certificates signed by all CAs (noting risks # pam_ldap if doing DNS-based suffix lookup etc. diff --git a/modules/phpbb/templates/config.php b/modules/phpbb/templates/config.php index 5d878235..a713adda 100644 --- a/modules/phpbb/templates/config.php +++ b/modules/phpbb/templates/config.php 
@@ -2,11 +2,11 @@ // phpBB 3.0.x auto-generated configuration file // // Do not change anything in this file! $dbms = 'postgres'; -$dbhost = 'pg.<%= domain %>'; +$dbhost = 'pg.<%= @domain %>'; $dbport = ''; -$dbname = '<%= database %>'; -$dbuser = '<%= user %>'; -$dbpasswd = '<%= pgsql_password %>'; +$dbname = '<%= @database %>'; +$dbuser = '<%= @user %>'; +$dbpasswd = '<%= @pgsql_password %>'; $table_prefix = 'phpbb_'; $acm_type = 'apc'; $load_extensions = ''; diff --git a/modules/phpbb/templates/forums_redirect.conf b/modules/phpbb/templates/forums_redirect.conf index 24747b4c..0dcfec53 100644 --- a/modules/phpbb/templates/forums_redirect.conf +++ b/modules/phpbb/templates/forums_redirect.conf @@ -1,2 +1,2 @@ -Redirect /<%= lang %> <%= url %> -Redirect /<%= lang %>/ <%= url %> +Redirect /<%= @lang %> <%= @url %> +Redirect /<%= @lang %>/ <%= @url %> diff --git a/modules/phpbb/templates/forums_vhost.conf b/modules/phpbb/templates/forums_vhost.conf index 440dad1f..66826203 100644 --- a/modules/phpbb/templates/forums_vhost.conf +++ b/modules/phpbb/templates/forums_vhost.conf @@ -13,11 +13,11 @@ RewriteRule ^/$ /en/ [R] RewriteRule ^/(..)$ /$1/ [R] - Alias /robots.txt <%= forums_dir %>/robots.txt + Alias /robots.txt <%= @forums_dir %>/robots.txt - AliasMatch ^/(..)/(.*) <%= forums_dir %>/$1/phpBB/$2 + AliasMatch ^/(..)/(.*) <%= @forums_dir %>/$1/phpBB/$2 - <Directory ~ "<%= forums_dir %>/.*/phpBB/"> + <Directory ~ "<%= @forums_dir %>/.*/phpBB/"> <IfModule mod_authz_core.c> # Apache 2.4 Require all granted @@ -47,7 +47,7 @@ forbidden = ['install', ] for f in forbidden -%> - <Directory <%= forums_dir %>/.*/phpBB/<%= f %>/ > + <Directory <%= @forums_dir %>/.*/phpBB/<%= f %>/ > <IfModule mod_authz_core.c> # Apache 2.4 Require all denied diff --git a/modules/planet/templates/backup_planet-files.sh b/modules/planet/templates/backup_planet-files.sh index 8cab8d1e..47916370 100755 --- a/modules/planet/templates/backup_planet-files.sh 
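Review bot: The `<Directory <%= @forums_dir %>/.*/phpBB/<%= f %>/ >` block generated for the `forbidden` list has no `~`, so Apache reads the path as a shell-style wildcard pattern, not a regular expression. `.*` then only matches a directory name starting with a literal dot, so `Require all denied` most likely does not cover `<forums_dir>/<lang>/phpBB/install/`. The allow block earlier in this file does use `<Directory ~ "…">`. Writing the deny block the same way, `<Directory ~ "<%= @forums_dir %>/.*/phpBB/<%= f %>/">`, makes it apply to every language directory, and the result should be verified by checking that the install path returns 403 after deployment. The block's closing tag is outside the hunk.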
+++ b/modules/planet/templates/backup_planet-files.sh @@ -11,7 +11,7 @@ do then /bin/mkdir $PATH_TO_FILE/$locale fi - rsync -aHP --delete <%= location %>/$locale $PATH_TO_FILE/$locale/$locale-$COUNT + rsync -aHP --delete <%= @location %>/$locale $PATH_TO_FILE/$locale/$locale-$COUNT done # Check count file to have a week of backup in the directory if [ $COUNT -ne 6 ] diff --git a/modules/planet/templates/deploy_new-planet.sh b/modules/planet/templates/deploy_new-planet.sh index b3889d31..41557fcc 100755 --- a/modules/planet/templates/deploy_new-planet.sh +++ b/modules/planet/templates/deploy_new-planet.sh @@ -2,7 +2,7 @@ # Initialization PATH_TO_FILE=${PATH_TO_FILE:-/var/lib/planet} -PATH_TO_PLANET=${PATH_TO_PLANET:-<%= location %>} +PATH_TO_PLANET=${PATH_TO_PLANET:-<%= @location %>} #Ask for new locale name echo -n "Locale name: " @@ -33,7 +33,7 @@ then /bin/mkdir $FILE"cache" /bin/chown -R planet:apache $FILE /bin/chmod g+w $FILE"custom" $FILE"custom/people.opml" $FILE"admin/inc/pwd.inc.php" $FILE"cache" - echo -e "Info: a new Planet had been deployed.\nThe locale is: \"$locale\" - https://planet.<%= domain %>/$locale \n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -s "New planet Mageia deployed" mageia-webteam@<%= domain %> mageia-marketing@<%= domain %> + echo -e "Info: a new Planet had been deployed.\nThe locale is: \"$locale\" - https://planet.<%= @domain %>/$locale \n-- \nMail sent by the script '$0' on `hostname`" | /bin/mail -s "New planet Mageia deployed" mageia-webteam@<%= @domain %> mageia-marketing@<%= @domain %> fi else echo "Aborted, please try again." diff --git a/modules/planet/templates/planet_vhosts.conf b/modules/planet/templates/planet_vhosts.conf index b3a07ab9..652a69e7 100644 --- a/modules/planet/templates/planet_vhosts.conf +++ b/modules/planet/templates/planet_vhosts.conf @@ -1,4 +1,4 @@ -<Directory <%= location %> > +<Directory <%= @location %> > Order deny,allow Allow from All AllowOverride All 
diff --git a/modules/postfix/manifests/server/primary.pp b/modules/postfix/manifests/server/primary.pp index c14a8606..00e2df1e 100644 --- a/modules/postfix/manifests/server/primary.pp +++ b/modules/postfix/manifests/server/primary.pp @@ -2,7 +2,7 @@ class postfix::server::primary inherits postfix::server { # Adding DKIM server include opendkim - opendkim::domain{['mageia.org', 'sucuk.mageia.org', 'duvel.mageia.org', 'forums.mageia.org', 'madb.mageia.org','rabbit.mageia.org', 'fiona.mageia.org','identity.mageia.org', 'group.mageia.org', 'neru.mageia.org']:} + opendkim::domain{['mageia.org', 'sucuk.mageia.org', 'duvel.mageia.org', 'forums.mageia.org', 'madb.mageia.org','rabbit.mageia.org', 'garcimore.mageia.org', 'webb.mageia.org', 'melies.mageia.org', 'mandrake.mageia.org', 'houdini.mageia.org','identity.mageia.org', 'group.mageia.org', 'neru.mageia.org']:} opendkim::trusted{['127.0.0.0/8', '212.85.158.0/24']:} package { ['postfix-ldap', 'sqlite3-tools', 'dovecot-plugins-sqlite','rspamd']: } diff --git a/modules/postfix/templates/group_aliases.conf b/modules/postfix/templates/group_aliases.conf index eac16dab..a4ad9e51 100644 --- a/modules/postfix/templates/group_aliases.conf +++ b/modules/postfix/templates/group_aliases.conf @@ -2,14 +2,14 @@ ldap = ldap_servers.map { |l| "ldaps://#{l}:636" } -%> server_host = <%= ldap.join(' ') %> -search_base = <%= dc_suffix %> +search_base = <%= @dc_suffix %> query_filter = (&(cn=mga-%u)(objectClass=groupOfNames)) result_attribute = mail special_result_attribute = member bind = yes -bind_dn = cn=postfix-<%= hostname %>,ou=System Accounts,<%= dc_suffix %> -bind_pw = <%= ldap_password %> +bind_dn = cn=postfix-<%= @hostname %>,ou=System Accounts,<%= @dc_suffix %> +bind_pw = <%= @ldap_password %> # postfix complain on url # warning: dict_ldap_open: URL scheme ldaps requires protocol version 3 version = 3 -domain = group.<%= domain %> +domain = group.<%= @domain %> 
diff --git a/modules/postfix/templates/ldap_aliases.conf b/modules/postfix/templates/ldap_aliases.conf index 40d7da13..3bc50197 100644 --- a/modules/postfix/templates/ldap_aliases.conf +++ b/modules/postfix/templates/ldap_aliases.conf @@ -8,13 +8,13 @@ end ldap = ldap_servers.map { |l| "ldaps://#{l}:636" } -%> server_host = <%= ldap.join(' ') %> -search_base = <%= dc_suffix %> +search_base = <%= @dc_suffix %> query_filter = (&(uid=%u)(|<%= query_string %>)) result_attribute = mail bind = yes -bind_dn = cn=postfix-<%= hostname %>,ou=System Accounts,<%= dc_suffix %> -bind_pw = <%= ldap_password %> +bind_dn = cn=postfix-<%= @hostname %>,ou=System Accounts,<%= @dc_suffix %> +bind_pw = <%= @ldap_password %> # postfix complain on url # warning: dict_ldap_open: URL scheme ldaps requires protocol version 3 version = 3 -domain = <%= domain %> +domain = <%= @domain %> diff --git a/modules/postfix/templates/main.cf b/modules/postfix/templates/main.cf index 6b42a4de..d3f6b50f 100644 --- a/modules/postfix/templates/main.cf +++ b/modules/postfix/templates/main.cf @@ -21,7 +21,7 @@ mailq_path = /usr/bin/mailq queue_directory = /var/spool/postfix mail_owner = postfix <% if all_tags.include?('postfix::simple_relay') || all_tags.include?('postfix::server::secondary') %> -relayhost = sucuk.<%= domain %> +relayhost = sucuk.<%= @domain %> <%- end -%> # User configurable parameters 
@@ -40,23 +40,23 @@ smtp_address_preference = ipv4 # FIXME Do not hardcode this mynetworks = 212.85.158.144/28 [2a02:2178:2:7::]/64 127.0.0.0/16 163.172.148.228 [2001:bc8:4400:2800::4115] -myhostname = <%= fqdn %> -mydomain = <%= domain %> +myhostname = <%= @fqdn %> +mydomain = <%= @domain %> <%- if all_tags.include?('postfix::server::secondary') -%> -relay_domains = <%= domain %>, - ml.<%= domain %>, - group.<%= domain %> +relay_domains = <%= @domain %>, + ml.<%= @domain %>, + group.<%= @domain %> <%- end -%> -mydestination = <%= fqdn %> +mydestination = <%= @fqdn %> <%- if all_tags.include?('postfix::server::primary') -%> - ml.<%= domain %> + ml.<%= @domain %> <%- end -%> <%- if all_tags.include?('postfix::server::primary') -%> -virtual_mailbox_domains = <%= domain %>, - group.<%= domain %> +virtual_mailbox_domains = <%= @domain %>, + group.<%= @domain %> # postfix complain if not set # Mar 22 23:51:20 alamut postfix/virtual[22952]: fatal: bad string length 0 < 1: virtual_mailbox_base = @@ -113,7 +113,7 @@ sympabounce_destination_recipient_limit = 1 <%- end -%> #delay_warning_time = 4h -smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (<%= lsbdistid %>) +smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (<%= @lsbdistid %>) unknown_local_recipient_reject_code = 450 smtp-filter_destination_concurrency_limit = 2 lmtp-filter_destination_concurrency_limit = 2 diff --git a/modules/postfix/templates/simple_relay_main.cf b/modules/postfix/templates/simple_relay_main.cf index e0c116a7..331166c2 100644 --- a/modules/postfix/templates/simple_relay_main.cf +++ b/modules/postfix/templates/simple_relay_main.cf @@ -20,8 +20,8 @@ mail_owner = postfix # User configurable parameters -myhostname = <%= fqdn %> -mydomain = <%= domain %> +myhostname = <%= @fqdn %> +mydomain = <%= @domain %> inet_protocols = all mynetworks_style = host #delay_warning_time = 4h 
@@ -38,7 +38,7 @@ smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt local_recipient_maps = fallback_transport_maps = regexp:/etc/postfix/transport_regexp transport_maps = regexp:/etc/postfix/transport_regexp -mydestination = ml.<%= domain %> +mydestination = ml.<%= @domain %> sympa_destination_recipient_limit = 1 sympabounce_destination_recipient_limit = 1 virtual_alias_maps = regexp:/etc/postfix/sympa_aliases diff --git a/modules/postfix/templates/sympa_aliases b/modules/postfix/templates/sympa_aliases index 436e7a28..e2c4cdf4 100644 --- a/modules/postfix/templates/sympa_aliases +++ b/modules/postfix/templates/sympa_aliases @@ -1,8 +1,8 @@ # everything is handled with transports in postfix, # but according to https://www.sympa.org/faq/postfix, we also need this one <% escaped_domain = ( 'ml.' + domain ).sub('.','\.') %> -/^(.*)-owner\@<%= escaped_domain %>$/ $1+owner@ml.<%= domain %> +/^(.*)-owner\@<%= escaped_domain %>$/ $1+owner@ml.<%= @domain %> # redirect the mail from the ml domain to sysadmin -/^listmaster\@<%= escaped_domain %>$/ listmaster@<%= domain %> +/^listmaster\@<%= escaped_domain %>$/ listmaster@<%= @domain %> # errors are sent there, so that should also be redirected -/^sympa-request\@<%= escaped_domain %>$/ listmaster@<%= domain %> +/^sympa-request\@<%= escaped_domain %>$/ listmaster@<%= @domain %> diff --git a/modules/postfix/templates/virtual_aliases b/modules/postfix/templates/virtual_aliases index 861e79c6..bca60907 100644 --- a/modules/postfix/templates/virtual_aliases +++ b/modules/postfix/templates/virtual_aliases 
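Review bot: In the sympa_aliases hunk the `escaped_domain` assignment stays as context and still reads the bare `domain` variable, while every other reference in the template moves to `@domain`. The same line uses `.sub`, which escapes only the first dot, so the remaining dots of the domain are still regex wildcards in the three alias patterns and match slightly more than the literal list domain. I would change it to `<% escaped_domain = ( 'ml.' + @domain ).gsub('.','\.') %>` so the variable access matches the rest of the commit and every dot is escaped.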
@@ -1,32 +1,37 @@ # do not forget to add $domain or it will not work # do not hardcode the domain, or it will be harvested by bot -treasurer@<%= domain %> treasurer@group.<%= domain %> -president@<%= domain %> ennael@<%= domain %> -secretary@<%= domain %> obgr_seneca@<%= domain %> +president@<%= @domain %> jibz@<%= @domain %> +secretary@<%= @domain %> papoteur@<%= @domain %> +tresorier@<%= @domain %> maat@<%= @domain %> -contact@<%= domain %> council@group.<%= domain %> -press@<%= domain %> council@group.<%= domain %> +treasurer@<%= @domain %> treasurer@group.<%= @domain %> + +executive@<%= @domain %> president@<%= @domain %>, secretary@<%= @domain %>, tresorier@<%= @domain %> +admin@<%= @domain %> maat@<%= @domain %> + +contact@<%= @domain %> council@group.<%= @domain %> +press@<%= @domain %> council@group.<%= @domain %> # later switch to a team alias -root@<%= domain %> sysadmin@group.<%= domain %> +root@<%= @domain %> sysadmin@group.<%= @domain %> -security@<%= domain %> security@group.<%= domain %> +security@<%= @domain %> security@group.<%= @domain %> # Temporary(?) alias until there is a real board-commits@ list -board-commits@ml.<%= domain %> board-public@ml.<%= domain %> +board-commits@ml.<%= @domain %> board-public@ml.<%= @domain %> # TODO see https://www.ietf.org/rfc/rfc2142.txt <% ['postmaster','hostmaster','abuse','noc','listmaster','MAILER-DAEMON'].each { |a| %> -<%= a %>@<%= domain %> root@<%= domain %> +<%= a %>@<%= @domain %> root@<%= @domain %> <% } ['webmaster','www'].each { |a| %> -<%= a %>@<%= domain %> web@group.<%= domain %> +<%= a %>@<%= @domain %> web@group.<%= @domain %> <% } %> # TODO : diff --git a/modules/postgresql/templates/pg_hba.conf b/modules/postgresql/templates/pg_hba.conf index e4232a4e..379a1ee7 100644 --- a/modules/postgresql/templates/pg_hba.conf +++ b/modules/postgresql/templates/pg_hba.conf 
@@ -94,7 +94,7 @@ for i in db %> host <%= i %> <%= i %> 127.0.0.1/32 md5 host <%= i %> <%= i %> ::1/128 md5 -hostssl <%= i %> <%= i %> <%= ipaddress %>/32 md5 +hostssl <%= i %> <%= i %> <%= @ipaddress %>/32 md5 hostssl <%= i %> <%= i %> 2a02:2178:2:7::2/128 md5 <% end @@ -106,7 +106,7 @@ for l in lang %> host phpbb_<%= l %> phpbb 127.0.0.1/32 md5 host phpbb_<%= l %> phpbb ::1/128 md5 -hostssl phpbb_<%= l %> phpbb <%= ipaddress %>/32 md5 +hostssl phpbb_<%= l %> phpbb <%= @ipaddress %>/32 md5 hostssl phpbb_<%= l %> phpbb 2a02:2178:2:7::2/128 md5 # temporary, for the forum on friteuse vm hostssl phpbb_<%= l %> phpbb 192.168.122.0/24 md5 diff --git a/modules/postgrey/templates/whitelist_clients.local b/modules/postgrey/templates/whitelist_clients.local index 8c87b88c..a2118a54 100644 --- a/modules/postgrey/templates/whitelist_clients.local +++ b/modules/postgrey/templates/whitelist_clients.local @@ -1,2 +1,2 @@ # mageia -<%= domain %> +<%= @domain %> diff --git a/modules/puppet/templates/apache_proxy_vhost.conf b/modules/puppet/templates/apache_proxy_vhost.conf index 89157fc2..f0e4388c 100644 --- a/modules/puppet/templates/apache_proxy_vhost.conf +++ b/modules/puppet/templates/apache_proxy_vhost.conf 
@@ -9,15 +9,15 @@ ProxyRequests Off <VirtualHost *:8140> SSLEngine on - ServerName puppet.<%= domain %> + ServerName puppet.<%= @domain %> - ErrorLog /var/log/httpd/puppet_proxy.<%= domain %>.error.log - CustomLog /var/log/httpd/puppet_proxy.<%= domain %>.access.log + ErrorLog /var/log/httpd/puppet_proxy.<%= @domain %>.error.log + CustomLog /var/log/httpd/puppet_proxy.<%= @domain %>.access.log SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA - SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.<%= domain %>.pem - SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.<%= domain %>.pem + SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.<%= @domain %>.pem + SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.<%= @domain %>.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem diff --git a/modules/puppet/templates/config.ru b/modules/puppet/templates/config.ru index aba07857..b3fc037d 100644 --- a/modules/puppet/templates/config.ru +++ b/modules/puppet/templates/config.ru @@ -4,7 +4,7 @@ # if puppet is not in your RUBYLIB: # $:.unshift('/opt/puppet/lib') -$0 = '<%= service_name %>' +$0 = '<%= @service_name %>' # if you want debugging: # ARGV << "--debug" diff --git a/modules/puppet/templates/db_config.erb b/modules/puppet/templates/db_config.erb index 337a5043..cbcd42b0 100644 --- a/modules/puppet/templates/db_config.erb +++ b/modules/puppet/templates/db_config.erb @@ -1,10 +1,10 @@ -<%- if database == 'sqlite3' -%> +<%- if @database == 'sqlite3' -%> dbadapter = sqlite3 dblocation = /var/lib/puppet/storeconfigs.db <%- else -%> dbadapter = postgresql dbuser = puppet - dbpassword = <%= pgsql_password %> - dbserver = pgsql.<%= domain %> + dbpassword = <%= @pgsql_password %> + dbserver = pgsql.<%= @domain %> dbname = puppet <%- end -%> diff --git a/modules/puppet/templates/puppet.agent.conf b/modules/puppet/templates/puppet.agent.conf index 44dfedb7..8379fd0a 100644 
--- a/modules/puppet/templates/puppet.agent.conf +++ b/modules/puppet/templates/puppet.agent.conf @@ -1,5 +1,5 @@ [agent] - server = puppet.<%= domain %> + server = puppet.<%= @domain %> pluginsync = true @@ -11,8 +11,8 @@ report = true graph = true -<% if environment %> - environment = <%= environment %> +<% if @environment %> + environment = <%= @environment %> <% end %> # The file in which puppetd stores a list of the classes # associated with the retrieved configuration. Can be loaded in diff --git a/modules/puppet/templates/puppet.master.conf b/modules/puppet/templates/puppet.master.conf index 0180fc2a..f35cec31 100644 --- a/modules/puppet/templates/puppet.master.conf +++ b/modules/puppet/templates/puppet.master.conf @@ -1,14 +1,17 @@ <% db_config = scope.lookupvar('puppet::stored_config::db_config') %> [master] - certname = puppet.<%= domain %> + certname = puppet.<%= @domain %> # tagmail should be kept last, until this bug is fixed # https://projects.puppetlabs.com/issues/5018 reports = store,socket,tagmail - reportfrom = root@<%= domain %> + reportfrom = root@<%= @domain %> # Never remove this: # Store config is used to populate others configs storeconfigs = true async_storeconfigs = true + + # Enable $facts, it is disabled by default before Puppet 4.0 + trusted_node_data = true <%= db_config %> diff --git a/modules/puppet/templates/tagmail.conf b/modules/puppet/templates/tagmail.conf index 96b034aa..bda12256 100644 --- a/modules/puppet/templates/tagmail.conf +++ b/modules/puppet/templates/tagmail.conf @@ -1 +1 @@ -err: sysadmin-reports@ml.<%= domain %> +err: sysadmin-reports@ml.<%= @domain %> diff --git a/modules/rsnapshot/templates/cron_file b/modules/rsnapshot/templates/cron_file index 43ca9e1b..39804cbf 100644 --- a/modules/rsnapshot/templates/cron_file +++ b/modules/rsnapshot/templates/cron_file 
@@ -1,5 +1,5 @@ #!/bin/sh <%- for conf in @rsnapshot_conf -%> -/usr/bin/rsnapshot -c <%= conf %> <%= rsnapshot_arg %> +/usr/bin/rsnapshot -c <%= conf %> <%= @rsnapshot_arg %> <%- end -%> diff --git a/modules/spec-tree-reports/manifests/init.pp b/modules/spec_tree_reports/manifests/init.pp index dc78ea72..4cda4822 100644 --- a/modules/spec-tree-reports/manifests/init.pp +++ b/modules/spec_tree_reports/manifests/init.pp @@ -2,7 +2,7 @@ # in the repository versus the versions created by the latest spec files and # shows those that don't match. -class spec-tree-reports( +class spec_tree_reports( $report = '/var/www/bs/spec-rpm-mismatch.html', $srpms = 'file:///distrib/bootstrap/distrib/{version}/SRPMS/{media}/{section}/', $release = "mga${buildsystem::var::distros::distros['cauldron']['version']}", @@ -36,7 +36,7 @@ class spec-tree-reports( } mga_common::local_script { 'generate-spec-rpm-mismatch-report': - content => template('spec-tree-reports/generate-spec-rpm-mismatch-report'), + content => template('spec_tree_reports/generate-spec-rpm-mismatch-report'), } cron { "rpm_mismatch_report": diff --git a/modules/spec-tree-reports/templates/generate-spec-rpm-mismatch-report b/modules/spec_tree_reports/templates/generate-spec-rpm-mismatch-report index 4bc2db65..4bc2db65 100644 --- a/modules/spec-tree-reports/templates/generate-spec-rpm-mismatch-report +++ b/modules/spec_tree_reports/templates/generate-spec-rpm-mismatch-report diff --git a/modules/subversion/manifests/client.pp b/modules/subversion/manifests/client.pp index 083a58da..eb098eaa 100644 --- a/modules/subversion/manifests/client.pp +++ b/modules/subversion/manifests/client.pp @@ -4,7 +4,7 @@ class subversion::client { # without it, # https://mail-index.netbsd.org/pkgsrc-users/2008/11/23/msg008706.html # - $sasl2_package = $::architecture ? { + $sasl2_package = $facts['architecture'] ? { x86_64 => 'lib64sasl2-plug-anonymous', default => 'libsasl2-plug-anonymous' } 
diff --git a/modules/subversion/manifests/repository.pp b/modules/subversion/manifests/repository.pp index b223e6ae..927ecfa1 100644 --- a/modules/subversion/manifests/repository.pp +++ b/modules/subversion/manifests/repository.pp @@ -22,7 +22,8 @@ define subversion::repository($group = 'svn', $no_binary = false, $restricted_to_user = false, $syntax_check = '', - $extract_dir = '') { + $extract_dir = '', + $nonmaintainer_mail = false) { # check permissions # https://svnbook.red-bean.com/nightly/fr/svn.serverconfig.multimethod.html # $name ==> directory of the repo @@ -108,16 +109,26 @@ define subversion::repository($group = 'svn', } } - if $extract_dir { - subversion::hook::post_commit {"${name}|extract_dir": - content => template('subversion/hook_extract.pl'), - require => [Package['perl-SVN-Notify-Mirror']], - } - } else { - file { "${name}/hooks/post-commit.d/extract_dir": - ensure => absent, - } + if $extract_dir { + subversion::hook::post_commit {"${name}|extract_dir": + content => template('subversion/hook_extract.pl'), + require => [Package['perl-SVN-Notify-Mirror']], } + } else { + file { "${name}/hooks/post-commit.d/extract_dir": + ensure => absent, + } + } + + if $nonmaintainer_mail { + subversion::hook::post_commit { "${name}|nonmaintainer_mail": + content => template('subversion/nonmaintainer_notify.sh'), + } + } else { + file { "${name}/hooks/post-commit.d/nonmaintainer_mail": + ensure => absent, + } + } pre_commit_link { "${name}/hooks/pre-commit.d/no_empty_message": } diff --git a/modules/subversion/templates/hook_extract.pl b/modules/subversion/templates/hook_extract.pl index bf1fc545..12be78b8 100644 --- a/modules/subversion/templates/hook_extract.pl +++ b/modules/subversion/templates/hook_extract.pl @@ -1,6 +1,6 @@ #!/usr/bin/perl -MSVN::Notify::Config=$0 --- #YAML:1.0 -<%- extract_dir.each do |src,dest| -%> +<%- @extract_dir.each do |src,dest| -%> '<%= src %>': PATH: "/usr/bin:/usr/local/bin" handler: Mirror 
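Review bot: The new `subversion::hook::post_commit { "${name}|nonmaintainer_mail": }` resource declares no `require`, unlike the `extract_dir` hook just above it, which requires `Package['perl-SVN-Notify-Mirror']`. The template it installs calls `svnnotify` and `pcregrep`; if nothing else in the catalog guarantees those tools (not visible in this hunk), the hook will fail at commit time on a freshly provisioned host. I would add a `require` on the packages that provide them, plus a one-line comment next to `$nonmaintainer_mail` saying that it enables the post-commit mail to a package's registered maintainer. The body of the define continues outside the hunk.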
diff --git a/modules/subversion/templates/hook_irker b/modules/subversion/templates/hook_irker index 8fd7a874..8f6ea431 100644 --- a/modules/subversion/templates/hook_irker +++ b/modules/subversion/templates/hook_irker @@ -1,4 +1,4 @@ #!/bin/sh REPO=$1 REV=$2 -<%= irkerhook_path %> --repository=$REPO $REV +<%= @irkerhook_path %> --repository=$REPO $REV diff --git a/modules/subversion/templates/hook_sendmail.pl b/modules/subversion/templates/hook_sendmail.pl index cf3be6a4..a5870c72 100644 --- a/modules/subversion/templates/hook_sendmail.pl +++ b/modules/subversion/templates/hook_sendmail.pl @@ -16,7 +16,7 @@ <%- commit_mail.each do |mail| -%> - <%= mail %> <%- end -%> -<%- if i18n_mail != '' -%> +<%- if @i18n_mail != '' -%> '.*\.pot$': PATH: "/usr/bin:/usr/local/bin" handler: Alternative @@ -28,5 +28,5 @@ revision-url: "https://svnweb.mageia.org/packages/?revision=%s&view=revision" subject_cx: 1 from: subversion_noreply@ml.<%= @domain %> - to: <%= i18n_mail %> + to: <%= @i18n_mail %> <%- end -%> diff --git a/modules/subversion/templates/nonmaintainer_notify.sh b/modules/subversion/templates/nonmaintainer_notify.sh new file mode 100644 index 00000000..46ca54e8 --- /dev/null +++ b/modules/subversion/templates/nonmaintainer_notify.sh 
@@ -0,0 +1,62 @@ +#!/bin/bash +# Send an e-mail to the maintainer of a package someone else has committed to. +# Exit on any error +set -e +set -o pipefail + +# Maximum number of packages changed in a single commit and still notify people +readonly MAXCHANGES=10 + +# Location of the maintdb database +readonly MAINTDB=/var/www/bs/data/maintdb.txt + +# Repository base directory +readonly REPOS="$1" + +# Revision of the change +readonly REV="$2" + +# Author of the commit +readonly AUTHOR="$(svnlook author -r "$REV" "$REPOS")" + +if [[ "$AUTHOR" == "schedbot" || "$AUTHOR" == "umeabot" ]]; then + # We don't send any e-mails from these automated committers + exit 0 +fi + +PKGSLIST="$(mktemp)" +trap 'rm -f "$PKGSLIST"' EXIT + +# Only look at changes in package files +svnlook changed -r "$REV" "$REPOS" | \ +sed 's/^....//' | \ +pcregrep -o1 -o2 '^(?:(?:cauldron|misc)/([-+._a-zA-Z0-9]+)/)|(?:(?:updates|backports)/(?:[^/ ]+)/([-+._a-zA-Z0-9]+))' | \ +sort -u > "$PKGSLIST" +if [[ "$(wc -l "$PKGSLIST" | awk '{print $1}')" -gt "$MAXCHANGES" ]]; then + # A bunch of directories were changed at once, possibly in some kind of + # bulk operation. Ignore these entirely to avoid spamming people. + echo Too many packages were changed. Not notifying the maintainers. 1>&2 + exit 0 +fi + +# Send up to one e-mail per package modified in the commit +for PACKAGE in $(cat "$PKGSLIST"); do + MAINTAINER="$(awk '{if ($1 == "'"$PACKAGE"'") {print $2; exit;}}' "$MAINTDB")" + # Only notify if the commit author is not the maintainer + if [[ -n "$MAINTAINER" && "$MAINTAINER" != "nobody" && "$MAINTAINER" != "$AUTHOR" ]]; then + + svnnotify \ + --repos-path "$REPOS" \ + --revision "$REV" \ + --subject-cx \ + --no-first-line \ + --handler Alternative \ + --alternative HTML::ColorDiff \ + --header "The user $AUTHOR has submitted a change to a package for which you ($MAINTAINER) are the registered maintainer." 
\ + --revision-url "https://svnweb.<%= @domain %>/packages/?revision=%s&view=revision" \ + --author-url "https://people.<%= @domain %>/u/%s.html" \ + --to "$MAINTAINER@<%= @domain %>" \ + --from "subversion_noreply@ml.<%= @domain %>" + + fi +done diff --git a/modules/subversion/templates/restricted_to_user b/modules/subversion/templates/restricted_to_user index 98297627..fcdfa38c 100644 --- a/modules/subversion/templates/restricted_to_user +++ b/modules/subversion/templates/restricted_to_user @@ -5,8 +5,8 @@ TXN="$2" author=$(svnlook author -t "$TXN" "$REP") -if [ "$author" != '<%= restricted_to_user %>' ]; then - echo "this repository is restricted to user <%= restricted_to_user %>" >&2 +if [ "$author" != '<%= @restricted_to_user %>' ]; then + echo "this repository is restricted to user <%= @restricted_to_user %>" >&2 exit 1 fi diff --git a/modules/subversion/templates/syntax_check.sh b/modules/subversion/templates/syntax_check.sh index 3960cdab..76141e54 100644 --- a/modules/subversion/templates/syntax_check.sh +++ b/modules/subversion/templates/syntax_check.sh @@ -6,13 +6,13 @@ export PATH="/bin/:/sbin/:/usr/bin/:/usr/sbin/:/usr/local/bin:/usr/local/sbin/" changed=`svnlook changed -t "$TXN" "$REPOS"` files=`echo $changed | awk '{print $2}'` -if echo $files | grep "<%= regexp_ext %>" +if echo $files | grep "<%= @regexp_ext %>" then - svnlook cat -t "$TXN" "$REPOS" "$files" | <%= check_cmd %> + svnlook cat -t "$TXN" "$REPOS" "$files" | <%= @check_cmd %> if [ $? -ne 0 ] then echo "Syntax error in $files." 1>&2 - echo "Check it with <%= check_cmd %>" 1>&2 + echo "Check it with <%= @check_cmd %>" 1>&2 exit 1 fi fi diff --git a/modules/subversion/templates/xinetd b/modules/subversion/templates/xinetd index 0919ae60..c0eaab2a 100644 --- a/modules/subversion/templates/xinetd +++ b/modules/subversion/templates/xinetd 
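Review bot: In nonmaintainer_notify.sh the package-list pipeline runs under `set -e` and `set -o pipefail`, and `pcregrep` exits with status 1 when nothing matches, so a commit that touches no package path appears to abort the hook with a failure before the `MAXCHANGES` check is reached. Tolerating only the no-match status, e.g. `{ pcregrep -o1 -o2 '…' || [[ $? -eq 1 ]]; } | \`, keeps real errors fatal. Two smaller points in the same hunk: the `^` in the pattern anchors only the first alternative, so the `updates|backports` branch can match anywhere in a path, and `$PACKAGE` is spliced into the awk program text where `awk -v pkg="$PACKAGE" '$1 == pkg {print $2; exit}' "$MAINTDB"` would pass it as data.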
@@ -9,6 +9,6 @@ service svnserve wait = no user = svn server = /usr/bin/svnserve - server_args = -i -r <%= svn_base_path %> + server_args = -i -r <%= @svn_base_path %> flags = IPv6 } diff --git a/modules/sympa/manifests/datasource/ldap_group.pp b/modules/sympa/manifests/datasource/ldap_group.pp index 6060bec4..057be9cf 100644 --- a/modules/sympa/manifests/datasource/ldap_group.pp +++ b/modules/sympa/manifests/datasource/ldap_group.pp @@ -1,5 +1,8 @@ define sympa::datasource::ldap_group { file { "/etc/sympa/data_sources/${name}.incl": + owner => 'sympa', + group => 'sympa', + mode => '0640', content => template('sympa/data_sources/ldap_group.incl') } } diff --git a/modules/sympa/templates/auth.conf b/modules/sympa/templates/auth.conf index 854fdf9c..9c433690 100644 --- a/modules/sympa/templates/auth.conf +++ b/modules/sympa/templates/auth.conf @@ -1,7 +1,7 @@ ldap - host ldap.<%= domain %> + host ldap.<%= @domain %> timeout 30 - suffix <%= dc_suffix %> + suffix <%= @dc_suffix %> get_dn_by_uid_filter (uid=[sender]) get_dn_by_email_filter (|(mail=[sender])(mailalternateaddress=[sender])) email_attribute mail @@ -9,7 +9,7 @@ ldap use_tls ldaps ssl_version tlsv1_2 ca_verify none - bind_dn cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %> + bind_dn cn=sympa-<%= @hostname %>,ou=System Accounts,<%= @dc_suffix %> bind_password <%= scope.lookupvar("sympa::server::ldap_password") %> - authentication_info_url <%= authentication_info_url %> + authentication_info_url <%= @authentication_info_url %> diff --git a/modules/sympa/templates/config b/modules/sympa/templates/config index 4262f3ca..40e4bc40 100644 --- a/modules/sympa/templates/config +++ b/modules/sympa/templates/config @@ -12,7 +12,7 @@ visibility noconceal digest 1,4 13:26 -<% if subscriber_ldap_group and not subscription_open %> +<% if @subscriber_ldap_group and not @subscription_open %> # TODO check scenari subscribe closed 
@@ -24,7 +24,7 @@ unsubscribe open_web_only_notify <% end %> editor -email listmaster@<%= domain %> +email listmaster@<%= @domain %> reception nomail gecos Moderator team visibility conceal @@ -34,9 +34,9 @@ reception nomail source mga-ml_moderators visibility conceal -subject <%= subject %> +subject <%= @subject %> -custom_subject <%= custom_subject %> +custom_subject <%= @custom_subject %> <%- if @critical -%> info conceal @@ -48,12 +48,12 @@ unsubscribe auth_notify invite owner <% end %> -lang <%= language %> +lang <%= @language %> owner gecos Sysadmin team reception nomail -email postmaster@<%= domain %> +email postmaster@<%= @domain %> visibility noconceal profile normal @@ -67,20 +67,20 @@ reception nomail <%- if @reply_to -%> reply_to_header value other_email -other_email <%= reply_to %> +other_email <%= @reply_to %> apply forced <%- end -%> review owner -<% if topics %> -topics <%= topics %> +<% if @topics %> +topics <%= @topics %> <% end %> send restricted_<%= @name %> -<% if subscriber_ldap_group %> +<% if @subscriber_ldap_group %> include_ldap_query timeout 10 scope one @@ -91,10 +91,10 @@ include_ldap_query attrs mail ssl_ciphers ALL passwd <%= scope.lookupvar("sympa::server::ldap_password") %> - user cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %> - suffix ou=People,<%= dc_suffix %> - filter (memberOf=cn=<%= subscriber_ldap_group %>,ou=Group,<%= dc_suffix %>) - host ldap.<%= domain %> + user cn=sympa-<%= @hostname %>,ou=System Accounts,<%= @dc_suffix %> + suffix ou=People,<%= @dc_suffix %> + filter (memberOf=cn=<%= @subscriber_ldap_group %>,ou=Group,<%= @dc_suffix %>) + host ldap.<%= @domain %> <% end %> diff --git a/modules/sympa/templates/data_sources/ldap_group.incl b/modules/sympa/templates/data_sources/ldap_group.incl index 609a7e42..c8c5d9e4 100644 --- a/modules/sympa/templates/data_sources/ldap_group.incl +++ b/modules/sympa/templates/data_sources/ldap_group.incl 
@@ -1,13 +1,13 @@ include_ldap_2level_query - host ldap.<%= domain %> + host ldap.<%= @domain %> use_tls ldaps ssl_version tlsv1_2 ca_verify none - user cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %> + user cn=sympa-<%= @hostname %>,ou=System Accounts,<%= @dc_suffix %> passwd <%= scope.lookupvar("sympa::server::ldap_password") %> - suffix1 ou=Group,<%= dc_suffix %> + suffix1 ou=Group,<%= @dc_suffix %> scope1 one - filter1 (&(objectClass=groupOfNames)(cn=<%= name %>)) + filter1 (&(objectClass=groupOfNames)(cn=<%= @name %>)) attrs1 member select1 all suffix2 [attrs1] diff --git a/modules/sympa/templates/list.xml b/modules/sympa/templates/list.xml index 74e4f07f..b5e8b4c2 100644 --- a/modules/sympa/templates/list.xml +++ b/modules/sympa/templates/list.xml @@ -1,16 +1,16 @@ <?xml version="1.0" ?> <list> - <listname><%= name %></listname> + <listname><%= @name %></listname> <type>discussion_list</type> - <subject><%= subject %></subject> + <subject><%= @subject %></subject> <description/> <status>open</status> - <language><%= language %></language> + <language><%= @language %></language> <owner_include multiple="1"> <source>mga-sysadmin</source> </owner_include> <editor_include multiple="1"> <source>mga-ml_moderators</source> </editor_include> - <topic><%= topics %></topic> + <topic><%= @topics %></topic> </list> diff --git a/modules/sympa/templates/scenari/sender.restricted b/modules/sympa/templates/scenari/sender.restricted index 66139e6c..2c82268a 100644 --- a/modules/sympa/templates/scenari/sender.restricted +++ b/modules/sympa/templates/scenari/sender.restricted @@ -8,7 +8,7 @@ search(<%= @ldap_group %>.ldap) smtp,md5,smime -> do_it equal([sender], '<%= e %>') smtp,md5,smime -> do_it <%- end -%> <%- end -%> -<%- if allow_subscriber -%> +<%- if @allow_subscriber -%> equal([sender], 'sysadmin@group.mageia.org') smtp,smime,md5 -> do_it match([sender], /@mageia\.org$/) smtp,smime,md5 -> do_it is_subscriber([listname],[sender]) smtp,smime,md5 -> do_it 
diff --git a/modules/sympa/templates/search_filters/group.ldap b/modules/sympa/templates/search_filters/group.ldap index 884e0db1..2dadf3c2 100644 --- a/modules/sympa/templates/search_filters/group.ldap +++ b/modules/sympa/templates/search_filters/group.ldap @@ -1,9 +1,9 @@ -host ldap.<%= domain %>:636 -bind_dn cn=sympa-<%= hostname %>,ou=System Accounts,<%= dc_suffix %> +host ldap.<%= @domain %>:636 +bind_dn cn=sympa-<%= @hostname %>,ou=System Accounts,<%= @dc_suffix %> bind_password <%= scope.lookupvar("sympa::server::ldap_password") %> use_tls ldaps ssl_version tlsv1_2 ca_verify none -suffix ou=People,<%= dc_suffix %> -filter (&(mail=[sender])(memberOf=cn=<%= name %>,ou=Group,<%= dc_suffix %>)) +suffix ou=People,<%= @dc_suffix %> +filter (&(mail=[sender])(memberOf=cn=<%= @name %>,ou=Group,<%= @dc_suffix %>)) scope sub diff --git a/modules/sympa/templates/sympa.conf b/modules/sympa/templates/sympa.conf index edfaba15..e32fa88a 100644 --- a/modules/sympa/templates/sympa.conf +++ b/modules/sympa/templates/sympa.conf @@ -1,14 +1,14 @@ ###\\\\ Service description ////### ## Primary mail domain name -domain <%= vhost %> +domain <%= @vhost %> ## Email addresses of listmasters ## Email addresses of the listmasters (users authorized to perform global ## server commands). Some error reports may also be sent to these addresses. ## Listmasters can be defined for each virtual host, however, the default ## listmasters will have privileges to manage all virtual hosts. -listmaster listmaster@<%= vhost %> +listmaster listmaster@<%= @vhost %> ## Default language ## This is the default language used by Sympa. One of supported languages @@ -47,7 +47,7 @@ db_type PostgreSQL ## Hostname of the database server ## With PostgreSQL, you can also use the path to Unix Socket Directory, e.g. ## "/var/run/postgresql" for connection with Unix domain socket. -db_host pg.<%= domain %> +db_host pg.<%= @domain %> ## Port of the database server db_port 5432/tcp 
@@ -455,7 +455,7 @@ umask 027 ## URL prefix of web interface ## This is used to construct URLs of web interface. -wwsympa_url https://<%= vhost %>/l +wwsympa_url https://<%= @vhost %>/l ## URL prefix of WWSympa behind proxy #http_host http://domain.tld @@ -503,7 +503,7 @@ viewlogs_page_size 25 ## Internet domain. Otherwise, for the specified host. The only reason for ## replacing the default value would be where WWSympa's authentication process ## is shared with an application running on another host. -cookie_domain <%= vhost %> +cookie_domain <%= @vhost %> ## HTTP cookies lifetime ## This is the default value when not set explicitly by users. "0" means the @@ -573,7 +573,7 @@ dkim_add_signature_to robot,list ## The "d=" tag as defined in rfc 4871 ## The DKIM "d=" tag, is the domain of the signing entity. Default is virtual ## host domain name -dkim_signer_domain <%= vhost %> +dkim_signer_domain <%= @vhost %> ## Rewrite header for DKIM signed messages and DMARC rejecting domains dmarc_protection_mode dkim_signature,dmarc_reject diff --git a/modules/sympa/templates/vhost_ml.conf b/modules/sympa/templates/vhost_ml.conf index 11aa7ae5..eb24736e 100644 --- a/modules/sympa/templates/vhost_ml.conf +++ b/modules/sympa/templates/vhost_ml.conf @@ -3,7 +3,7 @@ RewriteRule ^/l$ /l/ RewriteRule ^/l/(.*)$ /wwsympa-wrapper.fcgi/$1 - DocumentRoot <%= lib_dir + "/sympa/cgi" %> + DocumentRoot <%= @lib_dir + "/sympa/cgi" %> Alias /static-sympa /var/lib/sympa/static_content diff --git a/modules/sympa/templates/webapp_sympa.conf b/modules/sympa/templates/webapp_sympa.conf index 1a508199..a85f383a 100644 --- a/modules/sympa/templates/webapp_sympa.conf +++ b/modules/sympa/templates/webapp_sympa.conf @@ -1,4 +1,4 @@ -<Directory <%= lib_dir + "/sympa/cgi" %> > +<Directory <%= @lib_dir + "/sympa/cgi" %> > SetHandler fcgid-script Options +ExecCGI AddHandler cgi-script .fcgi diff --git a/modules/viewvc/files/robots.txt b/modules/viewvc/files/robots.txt index dbb13834..e4534898 100644 
--- a/modules/viewvc/files/robots.txt +++ b/modules/viewvc/files/robots.txt @@ -9,6 +9,11 @@ User-agent: Amazonbot User-agent: PetalBot User-agent: Bytespider User-agent: facebookexternalhit +User-agent: DataForSeoBot +User-agent: SemrushBot +User-agent: Applebot +User-agent: GPTBot +User-agent: SeznamBot Disallow: /*/tags/ Disallow: *?view=annotate* Disallow: *?annotate=* diff --git a/modules/viewvc/files/setcookieredirect.html b/modules/viewvc/files/setcookieredirect.html new file mode 100644 index 00000000..fe98b9dc --- /dev/null +++ b/modules/viewvc/files/setcookieredirect.html @@ -0,0 +1,28 @@ +<!DOCTYPE html> +<html> + <head> + <title>User check</title> + <script type="text/javascript" defer> + const randomValue = "6436"; // Chosen by fair dice roll. Guaranteed to be random. + document.cookie = `session=${randomValue}; path=/; expires=${new Date(Date.now() + 24*3600*1000).toUTCString()}`; + const params = new Proxy(new URLSearchParams(window.location.search), { + get: (searchParams, prop) => searchParams.get(prop), + }); + let path = params.to; + // Sanitize redirect path to avoid malicious arbitrary redirects + if (/^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(decodeURIComponent(path))) { + const current = new URL(window.location.toLocaleString()); + window.location.href = encodeURI(current.origin + decodeURIComponent(path)); + } else { + window.onload = function() { + document.getElementById('error').innerHTML = 'Error! Bad redirect location!'; + } + } + </script> + </head> + <body> + Redirecting back... + <br> + <p id="error"><!-- space for error message --></p> + </body> +</html> diff --git a/modules/viewvc/manifests/init.pp b/modules/viewvc/manifests/init.pp index 99acec90..bd676f29 100644 --- a/modules/viewvc/manifests/init.pp +++ b/modules/viewvc/manifests/init.pp 
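Review bot: In setcookieredirect.html, `decodeURIComponent(path)` throws a `URIError` on a malformed percent escape in the `to` parameter and nothing catches it, so the script stops and the page stays on "Redirecting back..." without reaching the error branch. Decoding once inside a `try`/`catch` and treating a throw as a bad location would route that case to the existing message, e.g. `let target = null; try { target = decodeURIComponent(path); } catch (e) {}`, then testing and redirecting with `target` instead of decoding twice. A short comment above the regex, saying that only paths beginning with `/` from the listed character set are accepted and that the result is appended to `current.origin`, would document why the redirect stays on the same origin.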
@@ -40,9 +40,18 @@ class viewvc { source => 'puppet:///modules/viewvc/robots.txt', } + file { "$viewvc_docroot/setcookieredirect.html": + ensure => present, + mode => '0644', + owner => root, + group => root, + source => 'puppet:///modules/viewvc/setcookieredirect.html', + } + $vhost_aliases = { '/viewvc' => $viewvc_docroot, '/robots.txt' => $robotsfile, + '/_check' => "$viewvc_docroot/setcookieredirect.html", } $script_aliases = { @@ -53,13 +62,13 @@ class viewvc { apache::vhost::base { $viewvc::var::hostname: aliases => $vhost_aliases, - content => template('apache/vhost_fcgid.conf'), + content => template('apache/vhost_fcgid_norobot.conf'), } apache::vhost::base { "ssl_${viewvc::var::hostname}": vhost => $viewvc::var::hostname, use_ssl => true, aliases => $vhost_aliases, - content => template('apache/vhost_fcgid.conf'), + content => template('apache/vhost_fcgid_norobot.conf'), } } diff --git a/modules/xymon/templates/bb-hosts b/modules/xymon/templates/bb-hosts index 140932b5..333adea5 100644 --- a/modules/xymon/templates/bb-hosts +++ b/modules/xymon/templates/bb-hosts 
@@ -13,35 +13,43 @@ # You need to define at least the Xymon server itself here. page visible Visible Services -0.0.0.0 blog.<%= domain %> # sni https://blog.<%= domain %>/en/ -0.0.0.0 identity.<%= domain %> # https://identity.<%= domain %> -0.0.0.0 bugs.<%= domain %> # https://bugs.<%= domain %> -0.0.0.0 ml.<%= domain %> # https://ml.<%= domain %> -0.0.0.0 www.<%= domain %> # https://www.<%= domain %> -0.0.0.0 svnweb.<%= domain %> # https://svnweb.<%= domain %> -0.0.0.0 epoll.<%= domain %> # https://epoll.<%= domain %> -0.0.0.0 planet.<%= domain %> # sni https://planet.<%= domain %>/en/ +0.0.0.0 blog.<%= @domain %> # sni https://blog.<%= @domain %>/en/ +0.0.0.0 identity.<%= @domain %> # https://identity.<%= @domain %> +0.0.0.0 bugs.<%= @domain %> # https://bugs.<%= @domain %> +0.0.0.0 ml.<%= @domain %> # https://ml.<%= @domain %> +0.0.0.0 www.<%= @domain %> # https://www.<%= @domain %> +0.0.0.0 svnweb.<%= @domain %> # https://svnweb.<%= @domain %> +0.0.0.0 epoll.<%= @domain %> # https://epoll.<%= @domain %> +0.0.0.0 planet.<%= @domain %> # sni https://planet.<%= @domain %>/en/ # This checks the public reverse proxy -0.0.0.0 forums.<%= domain %> # sni https://forums.<%= domain %>=<%= @nodes_ipaddr['sucuk']['ipv4'] %>/ -0.0.0.0 check.<%= domain %> # https://check.<%= domain %> -0.0.0.0 madb.<%= domain %> # https://madb.mageia.org -0.0.0.0 pkgsubmit.<%= domain %> # sni https://pkgsubmit.<%= domain %> -#0.0.0.0 bcd.<%= domain %> # http://bcd.<%= domain %> -0.0.0.0 hugs.<%= domain %> # http://hugs.<%= domain %> -0.0.0.0 dashboard.<%= domain %> # http://dashboard.<%= domain %> -0.0.0.0 meetbot.<%= domain %> # sni https://meetbot.<%= domain %> +0.0.0.0 forums.<%= @domain %> # sni https://forums.<%= @domain %>=<%= @nodes_ipaddr['sucuk']['ipv4'] %>/ +0.0.0.0 check.<%= @domain %> # https://check.<%= @domain %> +0.0.0.0 madb.<%= @domain %> # https://madb.mageia.org +0.0.0.0 pkgsubmit.<%= @domain %> # sni https://pkgsubmit.<%= @domain %> +#0.0.0.0 bcd.<%= @domain %> # 
http://bcd.<%= @domain %> +0.0.0.0 hugs.<%= @domain %> # http://hugs.<%= @domain %> +0.0.0.0 dashboard.<%= @domain %> # http://dashboard.<%= @domain %> +0.0.0.0 meetbot.<%= @domain %> # sni https://meetbot.<%= @domain %> page servers Servers group-compress Marseille -212.85.158.151 sucuk.<%= domain %> # testip bbd dns smtp ssh CLIENT:xymon.<%= domain %> http://xymon.<%= domain %> -212.85.158.148 ecosse.<%= domain %> # testip ssh -212.85.158.150 fiona.<%= domain %> # testip ssh -212.85.158.152 rabbit.<%= domain %> # testip ssh -212.85.158.153 duvel.<%= domain %> # testip ssh rsync svn git ldapssl ldap +212.85.158.151 sucuk.<%= @domain %> # testip bbd dns smtp ssh CLIENT:xymon.<%= @domain %> http://xymon.<%= @domain %> +212.85.158.148 ecosse.<%= @domain %> # testip ssh +212.85.158.152 rabbit.<%= @domain %> # testip ssh +212.85.158.153 duvel.<%= @domain %> # testip ssh rsync svn git ldapssl ldap +212.85.158.154 garcimore.<%= @domain %> # testip ssh +212.85.158.155 houdini.<%= @domain %> # testip ssh +212.85.158.156 mandrake.<%= @domain %> # testip ssh +212.85.158.157 webb.<%= @domain %> # testip ssh +212.85.158.158 melies.<%= @domain %> # testip ssh group-compress VM Sucuk -192.168.122.131 friteuse.<%= domain %> # testip ssh http://forums.<%= domain %>=<%= @nodes_ipaddr['friteuse']['ipv4'] %>/ %>/ +192.168.122.131 friteuse.<%= @domain %> # testip ssh http://forums.<%= @domain %>=<%= @nodes_ipaddr['friteuse']['ipv4'] %>/ %>/ + +group-compress Hetzner +49.13.82.246 lavand.<%= @domain %> # testip +128.140.83.19 majax.<%= @domain %> # testip group-compress Scaleway 163.172.148.228 neru.mageia.org # testip ssh dns ldap ldapssl smtp @@ -49,4 +57,4 @@ group-compress Scaleway # NOTE: lines with IPv6 addresses are ignored in xymon versions before 4.4 or 5.0 group-compress Oracle cloud -2603:c026:c101:f00::1:1 ociaa1.<%= domain %> # testip ssh +2603:c026:c101:f00::1:1 ociaa1.<%= @domain %> # testip ssh 
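Review bot: The rewritten `friteuse` line still ends in `<%= @nodes_ipaddr['friteuse']['ipv4'] %>/ %>/`, and the second ` %>/` sits outside any ERB tag, so it is presumably emitted literally into the test URL for that host. Since the line is being changed anyway, end it at the first slash: `http://forums.<%= @domain %>=<%= @nodes_ipaddr['friteuse']['ipv4'] %>/`. The new Hetzner entries carry only `testip`, while the Marseille hosts in the same hunk also test `ssh`; a short comment would help if that difference is deliberate.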
diff --git a/modules/xymon/templates/hobbit-alerts.cfg b/modules/xymon/templates/hobbit-alerts.cfg index 763e253d..d40126d8 100644 --- a/modules/xymon/templates/hobbit-alerts.cfg +++ b/modules/xymon/templates/hobbit-alerts.cfg @@ -122,7 +122,7 @@ builder = ['ecosse','rabbit'] builders = builder.map{|x| x + "." + domain }.join(',') %> HOST=<%= builders %> SERVICE=cpu - MAIL=sysadmin-reports@ml.<%= domain %> DURATION>6h RECOVERED NOTICE REPEAT=3h STOP + MAIL=sysadmin-reports@ml.<%= @domain %> DURATION>6h RECOVERED NOTICE REPEAT=3h STOP -HOST=%.*.<%= domain %> - MAIL=sysadmin-reports@ml.<%= domain %> DURATION>5 RECOVERED NOTICE REPEAT=3h +HOST=%.*.<%= @domain %> + MAIL=sysadmin-reports@ml.<%= @domain %> DURATION>5 RECOVERED NOTICE REPEAT=3h diff --git a/modules/xymon/templates/hobbit-clients.cfg b/modules/xymon/templates/hobbit-clients.cfg index ff010681..2acf94fe 100644 --- a/modules/xymon/templates/hobbit-clients.cfg +++ b/modules/xymon/templates/hobbit-clients.cfg @@ -346,19 +346,19 @@ # The special DEFAULT section can modify the built-in defaults - this must # be placed at the end of the file. -HOST=rabbit.<%= domain %> +HOST=rabbit.<%= @domain %> DISK %.*stage2$ IGNORE # ecosse has 24 cores, is a builder, and we try to use them all -HOST=ecosse.<%= domain %> +HOST=ecosse.<%= @domain %> LOAD 36.0 48.0 # rabbit has 12 cores and mksquashfs uses all of them -HOST=rabbit.<%= domain %> +HOST=rabbit.<%= @domain %> LOAD 18.0 24.0 # duvel has 24 cores, dont trigger alarms too soon -HOST=duvel.<%= domain %> +HOST=duvel.<%= @domain %> LOAD 18.0 24.0 DISK /var/lib/binrepo 95 98 DISK /var/www 95 98 diff --git a/modules/xymon/templates/hobbitserver.cfg b/modules/xymon/templates/hobbitserver.cfg index a5a7aacf..f2da8a6a 100644 --- a/modules/xymon/templates/hobbitserver.cfg +++ b/modules/xymon/templates/hobbitserver.cfg 
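Review bot: The context line `builders = builder.map{|x| x + "." + domain }.join(',')` just above the changed `MAIL=` line in hobbit-alerts.cfg still uses the bare name `domain`, while every `<%= domain %>` in this hunk is converted to `@domain`. If the conversion is needed because templates no longer resolve bare variable names (an inference from the rest of the commit), this expression will break in the same way and leave the builders `HOST=` rule without its host list. It should read `builders = builder.map{|x| x + "." + @domain }.join(',')`. The enclosing `<% ... %>` block starts outside the hunk.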
@@ -1,15 +1,15 @@ # NB : Even though it might look like a shell-script, it is NOT. # -BBSERVERROOT="<%= lib_dir %>/xymon" # Where Xymon is installed - holds the server and bbvar sub-dirs. +BBSERVERROOT="<%= @lib_dir %>/xymon" # Where Xymon is installed - holds the server and bbvar sub-dirs. BBSERVERLOGS="/var/log/xymon" # Directory for server logs. The hobbit user must have write-access here. -HOBBITCLIENTHOME="<%= lib_dir %>/xymon/client" # BBHOME directory for the client +HOBBITCLIENTHOME="<%= @lib_dir %>/xymon/client" # BBHOME directory for the client -BBSERVERHOSTNAME="sucuk.<%= domain %>" # The hostname of your server -BBSERVERIP="<%= ipaddress %>" # The IP-address of your server. Use the real one, not 127.0.0.1 . +BBSERVERHOSTNAME="sucuk.<%= @domain %>" # The hostname of your server +BBSERVERIP="<%= @ipaddress %>" # The IP-address of your server. Use the real one, not 127.0.0.1 . BBSERVEROS="linux" # The operating system of your server. linux,freebsd,solaris,hpux,aix,osf -BBSERVERWWWNAME="xymon.<%= domain %>" # The name used for this hosts' webserver +BBSERVERWWWNAME="xymon.<%= @domain %>" # The name used for this hosts' webserver BBSERVERWWWURL="/xymon" # The top URL for the Xymon webpages BBSERVERCGIURL="/xymon-cgi" # The URL for the Xymon CGI scripts. BBSERVERSECURECGIURL="/xymon-seccgi" # The URL for the secured Xymon CGI scripts. @@ -73,7 +73,7 @@ CGIBINURL="$BBSERVERCGIURL" # URL prefix for the Xymon CGI-scripts - /cgi-bin SECURECGIBINURL="$BBSERVERSECURECGIURL" # URL prefix for the secured Xymon CGI-scripts - /cgi-secure # Locations of system-wide files and directories -BBHOME="<%= lib_dir %>/xymon/server" # The Xymon server directory, where programs and configurations go. +BBHOME="<%= @lib_dir %>/xymon/server" # The Xymon server directory, where programs and configurations go. BBTMP="$BBHOME/tmp" # Directory used for temporary files. BBHOSTS="$BBHOME/etc/bb-hosts" # The bb-hosts file BB="$BBHOME/bin/bb" # The 'bb' client program 
@@ -99,7 +99,7 @@ BBHOSTHISTLOG="TRUE" # Save a log of all events for a host (not used by any t SAVESTATUSLOG="TRUE" # Save the detailed status log each time the status changes. # For the hobbitd_alert module -FROM="root@<%= domain %>" +FROM="root@<%= @domain %>" MAILC="mail -r $FROM" # Command used to send an e-mail with no subject MAIL="$MAILC -s" # Command used to send an e-mail with a subject SVCCODES="disk:100,cpu:200,procs:300,svcs:350,msgs:400,conn:500,http:600,dns:800,smtp:725,telnet:723,ftp:721,pop:810,pop3:810,pop-3:810,ssh:722,imap:843,ssh1:722,ssh2:722,imap2:843,imap3:843,imap4:843,pop2:809,pop-2:809,nntp:819,test:901" diff --git a/modules/xymon/templates/xymon-client b/modules/xymon/templates/xymon-client index e846d2a5..8413c8b8 100644 --- a/modules/xymon/templates/xymon-client +++ b/modules/xymon/templates/xymon-client @@ -9,7 +9,7 @@ # HOBBITSERVERS="192.168.1.1" # or (multiple servers) # HOBBITSERVERS="10.0.0.1 192.168.1.1" -XYMONSERVERS="<%= server %>" +XYMONSERVERS="<%= @server %>" # The defaults usually suffice for the rest of this file, # but you can tweak the hostname that the client reports diff --git a/modules/youri-check/templates/vhost_check.conf b/modules/youri-check/templates/vhost_check.conf deleted file mode 100644 index 2cf598b5..00000000 --- a/modules/youri-check/templates/vhost_check.conf +++ /dev/null @@ -1,2 +0,0 @@ -Header set Access-Control-Allow-Origin "http://pkgsubmit.<%= domain %>" -Header set Access-Control-Allow-Origin "https://pkgsubmit.<%= domain %>" env=HTTPS diff --git a/modules/youri-check/manifests/init.pp b/modules/youri_check/manifests/init.pp index aef33d17..98a0c95e 100644 --- a/modules/youri-check/manifests/init.pp +++ b/modules/youri_check/manifests/init.pp @@ -1,4 +1,4 @@ -class youri-check { +class youri_check { class base { $vhost = "check.${::domain}" $user = 'youri' 
@@ -32,7 +32,7 @@ class youri-check { define config($version) { include stdlib - include youri-check::base + include youri_check::base $config = "/etc/youri/${version}.conf" $outdir = "/var/www/youri-check/${version}" @@ -40,26 +40,26 @@ class youri-check { $pgsql_server = $base::pgsql_server $pgsql_user = "youri${version}" $pgsql_password = extlookup('youri_pgsql','x') - # We want to alert to packages older than last mass rebuild - # 1646092800 is 2022-03-01 (get it with "TZ=UTC date -d2022-03-01 +%s") - $max_days = (time() - 1646092800)/(24*3600) + # We want to alert for packages older than the cut-off for latest mass rebuild + # 1745539200 is 2025-04-25 + $max_days = (time() - 1745539200)/(24*3600) file { "${config}": ensure => present, owner => $base::user, mode => '0640', - content => template("youri-check/${version}.conf"), + content => template("youri_check/${version}.conf"), require => User[$base::user], } } define createdb_user($version) { - $pgsql_db = "youri_check_${version}" - $pgsql_user = "youri${version}" - $pgsql_password = extlookup('youri_pgsql','x') + $pgsql_db = "youri_check_${version}" + $pgsql_user = "youri${version}" + $pgsql_password = extlookup('youri_pgsql','x') - postgresql::remote_user { $pgsql_user: + postgresql::remote_user { $pgsql_user: password => $base::pgsql_password, } @@ -70,7 +70,7 @@ class youri-check { } define check($version, $hour = "*", $minute = 0) { - include youri-check::base + include youri_check::base $config = "/etc/youri/${version}.conf" $pgsql_server = $base::pgsql_server $pgsql_db = "youri_check_${version}" @@ -86,7 +86,7 @@ class youri-check { user => $pgsql_user, } cron { "check_${version}": - command => "youri-check -c ${config} test", + command => "youri-check -c ${config} --parallel test", hour => $hour, minute => $minute, user => $base::user, 
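Review bot: `$pgsql_password = extlookup('youri_pgsql','x')` in `config` (and the re-indented copy in `createdb_user`) falls back to the literal password `x` when the key is missing from the lookup data, so a data mistake would silently deploy a guessable database credential instead of failing the run. Dropping the default makes compilation abort on a missing key: `$pgsql_password = extlookup('youri_pgsql')`. In `createdb_user` the local value also looks unused, since the resource passes `password => $base::pgsql_password`; `base` is only partly visible here, so confirm which of the two is intended. The replaced `$max_days` comment no longer says how the epoch was produced; keeping the command (`TZ=UTC date -d2025-04-25 +%s`) helps whoever updates it next.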
@@ -96,22 +96,22 @@ class youri-check { } define report_www { - include youri-check::base + include youri_check::base $outdir = "/var/www/youri-check/" apache::vhost::base { $base::vhost: location => $outdir, - content => template('youri-check/vhost_check.conf'), + content => template('youri_check/vhost_check.conf'), } apache::vhost::base { "ssl_${base::vhost}": vhost => $base::vhost, use_ssl => true, location => $outdir, - content => template('youri-check/vhost_check.conf'), + content => template('youri_check/vhost_check.conf'), } } define report($version, $hour = "*", $minute = 20) { - include youri-check::base + include youri_check::base $config = "/etc/youri/${version}.conf" diff --git a/modules/youri_check/templates/10.conf b/modules/youri_check/templates/10.conf new file mode 100644 index 00000000..7c6e9860 --- /dev/null +++ b/modules/youri_check/templates/10.conf 
@@ -0,0 +1,241 @@ +# vim:ft=yaml:et:sw=4 + +# helper variables +mirror: http://repository.mageia.org/distrib/10 +mirror_i686: ${mirror}/i686/media +mirror_x86_64: ${mirror}/x86_64/media + +# resultset definition +resultset: + class: Youri::Check::Resultset::DBI + options: + driver: Pg + host: <%= @pgsql_server %>;sslmode=require + base: <%= @pgsql_db %> + user: <%= @pgsql_user %> + pass: <%= @pgsql_password %> + +resolver: + class: Youri::Check::Maintainer::Resolver::CGI + options: + url: https://pkgsubmit.<%= @domain %>/data/maintdb.txt + exceptions: + - nobody + + +# checks definitions +tests: + dependencies: + class: Youri::Check::Test::Dependencies + + missing: + class: Youri::Check::Test::Missing + +# reports definitions +reports: + file: + class: Youri::Check::Report::File + options: + to: <%= @outdir %> + global: 1 + individual: 1 + formats: + html: + class: Youri::Check::Report::Format::HTML + text: + class: Youri::Check::Report::Format::Text + rss: + class: Youri::Check::Report::Format::RSS + +# media definitions +medias: + core.i686: + class: Youri::Media::URPM + options: + name: core + type: binary + hdlist: ${mirror_i686}/media_info/hdlist_core.cz + options: + dependencies: + allowed: + - core.i686 + missing: + allowed: + - core.sources + + core_updates.i686: + class: Youri::Media::URPM + options: + name: core_updates + type: binary + hdlist: ${mirror_i686}/media_info/hdlist_core_updates.cz + options: + dependencies: + allowed: + - core.i686 + - core_updates.i686 + missing: + allowed: + - core.sources + - core_updates.sources + + core_updates_testing.i686: + class: Youri::Media::URPM + options: + name: core_updates_testing + type: binary + hdlist: ${mirror_i686}/media_info/hdlist_core_updates_testing.cz + options: + dependencies: + allowed: + - core.i686 + - core_updates.i686 + - core_updates_testing.i686 + missing: + allowed: + - core.sources + - core_updates.sources + - core_updates_testing.sources + + core.x86_64: + class: Youri::Media::URPM + 
options: + name: core + type: binary + hdlist: ${mirror_x86_64}/media_info/hdlist_core.cz + options: + dependencies: + allowed: + - core.x86_64 + - core.i686 + missing: + allowed: + - core.sources + + core_updates.x86_64: + class: Youri::Media::URPM + options: + name: core_updates + type: binary + hdlist: ${mirror_x86_64}/media_info/hdlist_core_updates.cz + options: + dependencies: + allowed: + - core.i686 + - core_updates.i686 + - core.x86_64 + - core_updates.x86_64 + missing: + allowed: + - core.sources + - core_updates.sources + + core_updates_testing.x86_64: + class: Youri::Media::URPM + options: + name: core_updates_testing + type: binary + hdlist: ${mirror_x86_64}/media_info/hdlist_core_updates_testing.cz + options: + dependencies: + allowed: + - core.x86_64 + - core_updates.x86_64 + - core_updates_testing.x86_64 + - core.i686 + - core_updates.i686 + - core_updates_testing.i686 + missing: + allowed: + - core.sources + - core_updates.sources + - core_updates_testing.sources + + core.sources: + class: Youri::Media::URPM + options: + name: core + type: source + hdlist: ${mirror_i686}/media_info/hdlist_core.src.cz + options: + dependencies: + allowed: + - core.x86_64 + - core.i686 + + core_updates.sources: + class: Youri::Media::URPM + options: + name: core_updates + type: source + hdlist: ${mirror_i686}/media_info/hdlist_core_updates.src.cz + options: + dependencies: + allowed: + - core.x86_64 + - core_updates.x86_64 + - core.i686 + - core_updates.i686 + + core_updates_testing.sources: + class: Youri::Media::URPM + options: + name: core_updates_testing + type: source + hdlist: ${mirror_i686}/media_info/hdlist_core_updates_testing.src.cz + options: + dependencies: + allowed: + - core.x86_64 + - core_updates.x86_64 + - core_updates_testing.x86_64 + - core.i686 + - core_updates.i686 + - core_updates_testing.i686 + + nonfree.i686: + class: Youri::Media::URPM + options: + name: nonfree + type: binary + hdlist: ${mirror_i686}/media_info/hdlist_nonfree_release.cz + 
options: + dependencies: + allowed: + - core.i686 + - nonfree.i686 + missing: + allowed: + - nonfree.sources + + nonfree.x86_64: + class: Youri::Media::URPM + options: + name: nonfree + type: binary + hdlist: ${mirror_x86_64}/media_info/hdlist_nonfree_release.cz + options: + dependencies: + allowed: + - core.x86_64 + - core.i686 + - nonfree.x86_64 + - nonfree.i686 + missing: + allowed: + - nonfree.sources + + + nonfree.sources: + class: Youri::Media::URPM + options: + name: nonfree + type: source + hdlist: ${mirror_i686}/media_info/hdlist_nonfree_release.src.cz + options: + dependencies: + allowed: + - core.x86_64 + - nonfree.x86_64 + - core.i686 + - nonfree.i686 diff --git a/modules/youri-check/templates/9.conf b/modules/youri_check/templates/9.conf index 28028080..c2a97970 100644 --- a/modules/youri-check/templates/9.conf +++ b/modules/youri_check/templates/9.conf @@ -10,15 +10,15 @@ resultset: class: Youri::Check::Resultset::DBI options: driver: Pg - host: <%= pgsql_server %>;sslmode=require - base: <%= pgsql_db %> - user: <%= pgsql_user %> - pass: <%= pgsql_password %> + host: <%= @pgsql_server %>;sslmode=require + base: <%= @pgsql_db %> + user: <%= @pgsql_user %> + pass: <%= @pgsql_password %> resolver: class: Youri::Check::Maintainer::Resolver::CGI options: - url: https://pkgsubmit.<%= domain %>/data/maintdb.txt + url: https://pkgsubmit.<%= @domain %>/data/maintdb.txt exceptions: - nobody @@ -36,7 +36,7 @@ reports: file: class: Youri::Check::Report::File options: - to: <%= outdir %> + to: <%= @outdir %> global: 1 individual: 1 formats: diff --git a/modules/youri-check/templates/cauldron.conf b/modules/youri_check/templates/cauldron.conf index aeace447..5b600d45 100644 --- a/modules/youri-check/templates/cauldron.conf +++ b/modules/youri_check/templates/cauldron.conf 
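Review bot: `pass: <%= @pgsql_password %>` in the new 10.conf writes the secret into YAML as a bare scalar, so a password containing ` #` or `: `, or starting with `*`, `&`, `!` or `{`, would be parsed as something other than the intended string and the database login would fail or use a truncated value. Emitting it as a single-quoted scalar with embedded quotes doubled avoids that: `pass: '<%= @pgsql_password.gsub("'", "''") %>'`. The 9.conf and cauldron.conf hunks later in this diff use the same unquoted form. Because this file also relies on `${mirror}` expansion, it is worth checking whether the config loader would expand a `$` inside the password as well.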
@@ -12,15 +12,15 @@ resultset: class: Youri::Check::Resultset::DBI options: driver: Pg - host: <%= pgsql_server %>;sslmode=require - base: <%= pgsql_db %> - user: <%= pgsql_user %> - pass: <%= pgsql_password %> + host: <%= @pgsql_server %>;sslmode=require + base: <%= @pgsql_db %> + user: <%= @pgsql_user %> + pass: <%= @pgsql_password %> resolver: class: Youri::Check::Maintainer::Resolver::CGI options: - url: https://pkgsubmit.<%= domain %>/data/maintdb.txt + url: https://pkgsubmit.<%= @domain %>/data/maintdb.txt exceptions: - nobody @@ -319,7 +319,7 @@ tests: age: class: Youri::Check::Test::Age options: - max: <%= max_days %> days + max: <%= @max_days %> days pattern: "%d days" # reports definitions @@ -327,7 +327,7 @@ reports: file: class: Youri::Check::Report::File options: - to: <%= outdir %> + to: <%= @outdir %> global: 1 individual: 1 formats: diff --git a/modules/youri_check/templates/vhost_check.conf b/modules/youri_check/templates/vhost_check.conf new file mode 100644 index 00000000..c3edca69 --- /dev/null +++ b/modules/youri_check/templates/vhost_check.conf @@ -0,0 +1,2 @@ +Header set Access-Control-Allow-Origin "http://pkgsubmit.<%= @domain %>" +Header set Access-Control-Allow-Origin "https://pkgsubmit.<%= @domain %>" env=HTTPS |
